Cisco Prime LMS 4 1 Admin Ug

Administration of Cisco Prime LAN Management Solution 4.
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
Text Part Number: OL-20721-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Administration of Cisco Prime LAN Management Solution 4.1 1998 - 2011 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface
xxiii xxiii xxiii xxiv xxvi
Audience
Document Conventions Product Documentation
Obtaining Documentation and Submitting a Service Request Notices

xxvii
OpenSSL/Open SSL Project i-xxvii License Issues i-xxvii

1
CHAPTER
Overview of Administration How the guide is organized? Administration Tasks

1-3
1-1 1-2
Understanding the System Dashboard 1-7 Cisco Prime Product Updates 1-7 Critical Message Window 1-8 Device Credentials and AAA Information Log Space Usage 1-10 Process Status 1-11 System Backup Status 1-11 User Login Information 1-12 Job Information Status 1-12 Audit Trail Information 1-13 Job Approval 1-14 Syslog Collectors Information 1-15 Supported Device Finder Portlet 1-16 VRF Collector Summary 1-19 Collection Summary Portlet 1-19
2
1-9
CHAPTER
Setting up Security
2-1
Managing Security in Single-Server Mode 2-1 Setting up Browser-Server Security 2-2 Enabling Browser-Server Security From the LMS Server
2-3
Administration of Cisco Prime LAN Management Solution 4.1 OL-20721-01
-iii
Chapter
Disabling Browser-Server Security From the LMS Server 2-3 Setting up Local User Policy 2-4 Setting up Local Users 2-6 About User Accounts 2-6 Understanding Security Levels 2-7 Importing and Exporting Local Users 2-7 Importing Local Users Using CLI 2-8 Importing Users From ACS 2-9 Adding and Modifying a Local User 2-9 Adding Local Users Using CLI 2-11 Assigning Roles on NDG Basis 2-13 Modifying Your Profile 2-13 Creating Self Signed Certificates 2-14 Creating a Self Signed Certificate From the User Interface 2-15 Working With Third Party Security Certificates 2-16 Managing Security in Multi-Server Mode 2-16 Setting up Peer Server Account 2-17 Setting up System Identity Account 2-18 Setting up Peer Server Certificate 2-19 Enabling Single Sign-On 2-20 Single Sign-On Setup 2-20 Navigating Through the Single Sign-On Domain Changing the Single Sign-On Mode 2-22
2-21
Setting up the Authentication Mode 2-24 Authentication Using Login Modules - Overview 2-24 Setting the Login Module to Pluggable Authentication Modules Managing Roles
2-36
2-26
Managing Cisco.com Connection 2-39 Setting up Cisco.com User Account Setting Up the Proxy Server 2-40
3
2-40
CHAPTER
Administering LMS Server Using Daemon Manager
3-1 3-2
Managing Processes 3-3 LMS Back-end Processes 3-6 Server Back-end Processes 3-7 Inventory, Config and Image Management Processes 3-11 Network Topology, Layer 2 Services and User Tracking Processes 3-14 IPSLA Performance Management Processes and Dependency Processes 3-15
Administration of Cisco Prime LAN Management Solution 4.1
-iv
OL-20721-01
Chapter
Device Performance Management Module Processes Fault Management Processes 3-16
3-15
Backing Up Data 3-19 Scheduling a Backup 3-20 Restoring Data 3-21 Changing the Database Password 3-23 Effects of Backup-Restore on DCR 3-25 Master-Slave Configuration Prerequisites and Restore Operations Effects of Backup-Restore on Groups 3-28 Licensing Cisco Prime LMS Collecting Server Information Collecting Self Test Information Messaging Online Users Managing Resources
3-34 3-34 3-35 3-37 3-42 3-44 3-29 3-31
3-27
Configuring a Default SMTP Server

3-31
3-34
Modifying System Preferences Configuring Log Files Rotation
Configuring Disk Space Threshold Limit Configuring TFTP

4
3-44
Effects of Third Party Backup Utility and Virus Scanner
CHAPTER
Administering Discovery Settings and Device and Credential Repository Scheduling Device Discovery
4-1
4-1
Configuring Device Selector 4-5 Selecting Devices for Device Management Tasks 4-7 Searching Devices 4-8 Performing Simple Search 4-8 Performing Advanced Search 4-9 Device Selector Settings 4-11 Understanding Device Groups 4-11 Customizing Device Grouping 4-13 Customizing Display Order of Device Groups 4-15 Administering Device and Credential Repository 4-16 Changing DCR Mode 4-16 Configuring Device Polling 4-19 Configuring Device Polling Settings 4-19 Deleting Unreachable Devices from DCR 4-21 Configuring User Defined Fields 4-21
-v
Chapter
Adding User Defined Fields 4-22 Renaming User Defined Fields 4-22 Deleting User Defined Fields 4-23 Configuring Default Credentials 4-23 Using Default Credentials 4-23 Important Notes on Default Credentials 4-24 Default Credentials Behavior in Multi-Server Setup Configuring Default Credential Sets 4-25 Configuring Default Credential Set Policy 4-28
5
4-24
CHAPTER
Managing Groups
5-1 5-2 5-3
Groups - Components and Basic Concepts
Groups in Single-Server and Multi-Server Setup Groups in Single Server Scenario 5-3 Groups in Multi-Server Scenario 5-4
Device Group Administration 5-4 Creating Groups 5-6 Specifying Group Properties 5-7 Defining Group Rules 5-8 System Defined Attributes 5-13 Assigning Group Membership 5-16 Viewing Group Details 5-17 Modifying Group Details 5-18 Refreshing Groups 5-19 Deleting Groups 5-20 Exporting Groups 5-20 Sample Export Groups Output File 5-21 Exporting Groups From User Interface 5-21 Importing Groups 5-22 Important Notes on Importing Groups 5-23 Importing Groups From User Interface 5-23 Overview of Subnet Based Groups 5-24 Accessing Subnet Based Groups 5-24 Understanding Subnet Based Groups 5-25 Creating Groups Based on Subnet 5-25 DCR Mode Changes and Group Behavior 5-25 Unregistering a Slave 5-27 Behavior of IP Address Range Based Device Groups in Multi-Server Setup Port and Module Group Administration
5-28
5-27
-vi
OL-20721-01
Chapter
Creating Port and Module Groups 5-29 Entering the Port and Module Group Properties Details 5-30 Selecting Group Source 5-30 Defining Rule Expression for Port or Module Groups 5-32 Understanding the Summary 5-40 Viewing Port and Module Group Details 5-40 Editing Port and Module Groups 5-42 Deleting Port and Module Groups 5-43 Working with Fault System-defined Groups LMS System-defined Groups 5-44 Fault System Defined Groups 5-45 Working with Customizable Groups
5-46 5-44
Managing Fault Groups 5-47 Editing and Creating Fault Groups 5-48 Editing a Fault Group 5-49 Creating a Fault Group 5-52 Understanding Rules 5-55 Finalizing Fault Group Membership 5-58 Viewing the Fault Group Summary 5-59 Viewing Fault Group Details 5-59 Viewing Fault Membership Details 5-60 Refreshing Fault Membership 5-61 Deleting Fault Groups 5-62 Understanding Collector Group Rules 5-62 IPSLA Collector Group Administration Process 5-65 Understanding IPSLA Collector Group Administration
5-66
Working with User-Defined Collector Groups 5-67 Creating and Modifying User-Defined Collector Groups 5-67 Setting Collector Group Properties 5-67 Defining Collector Group Rules 5-69 Assigning Collector Group Membership 5-71 Viewing the Collector Group Summary 5-72 Deleting User-Defined Collector Groups 5-73 Viewing User-Defined Collector Groups 5-73 Viewing Collector Group Details 5-73 Viewing Membership Details 5-74 Refreshing User-Defined Collector Group Membership 5-75 Operation-Based Collector Groups (System-Defined)
5-76
-vii
Chapter
CHAPTER
Administering Data Collection Scheduling Data Collection
6-1 6-1
Modifying Data Collection SNMP Timeouts and Retries

6-3 6-4
Data Collection Critical Device Poller

7
CHAPTER
User Tracking and Dynamic Updates
7-1
Understanding User Tracking 7-1 Using User Tracking 7-2 Accessing UT Data 7-2 Various Acquisitions in User Tracking
7-3
Using User Tracking Administration 7-4 Viewing User Tracking Acquisition Information 7-6 Configuring User Tracking Acquisition Actions 7-7 Using User and Host Acquisition 7-8 Modifying UT Acquisition Settings 7-8 Configuring Rogue MAC List 7-16 Modifying UT Acquisition Schedule 7-19 Modifying Ping Sweep Options 7-20 Configuring UT Subnet Acquisition 7-21 Deleting User Tracking Purge Policy Details 7-22 Configuring UT Acquisition in Trunk for End Host Discovery Importing Information on End Host Users 7-24 Understanding Dynamic Updates 7-24 MAC User-Host Information Collector (MACUHIC) Process User Tracking Manager (UTManager) Process 7-26 UTLite 7-26 Viewing Dynamic Updates Process Status 7-27 Enabling SNMP Traps on Switch Ports 7-27 SNMP MAC Notification Listener 7-29 Configuring SNMP Trap Listener 7-30 HPOV as Primary Listener 7-30 LMS Fault Monitor Module as Primary Listener 7-32 Configuring Dynamic User Tracking 7-33 Using User Tracking Utility 7-35 Understanding UTU 7-35 Hardware and Software Requirements for UTU Downloading UTU 7-36 Installing UTU 7-37 Installing UTU in Silent Mode 7-37
7-23
7-26
7-36
-viii
OL-20721-01
Chapter
Installing UTU in Normal Mode 7-38 Accessing UTU 7-39 Configuring UTU 7-40 Searching for Users, Hosts or IP Phones Using UTU Uninstalling UTU 7-46 Upgrading to UTU 2.0 7-46 Re-installing UTU 2.0 7-47
8
7-41
CHAPTER
Administering Collection Settings
8-1
Using the Inventory Job Browser 8-2 Viewing Job Details 8-6 Creating and Editing an Inventory Collection or Polling Job 8-7 Stopping, Cancelling or Deleting an Inventory Collection or Polling Job Inventory Collection Settings Secondary Credentials
8-10 8-9
8-9
Changing the Schedule for System Inventory Collection or Polling, and PSIRT/EOX System Changing the Schedule for System Inventory Collection or Polling 8-11 Changing the Schedule for PSIRT/EOX System 8-12
8-11
PSIRT or End-of-Sale or End-of-Life Data Administration 8-14 Changing the Data Source for PSIRT/EOS/EOL Reports 8-14 Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com 8-15 Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location Administering VRF Lite 8-17 Using VRF Lite Collector Settings 8-17 Scheduling VRF Lite Collector 8-18 Modifying VRF Lite SNMP Timeouts and Retries
8-15
8-19 8-20
Modifying Fault Management SNMP Timeout and Retries
Configuring Fault Management Rediscovery Schedules 8-21 Suspending and Resuming a Rediscovery Schedule 8-21 Adding and Modifying a Rediscovery Schedule 8-22 Configuring Event Forensics
8-23 8-24
Fault Monitoring Device Administration Device Management Functions

8-25
Performance Management SNMP Timeouts and Retry Settings IPSLA Application Settings 8-27 Copying IPSLA Configuration to Running-Config Managed Source Interface Setting 8-28 Setting Up Archive Management
8-29 8-28
8-26
-ix
Chapter
Preparing to Use the Archive Management 8-29 Entering Device Credentials 8-29 Modifying Device Configurations 8-31 Enabling rcp 8-31 Enabling scp 8-32 Enabling https 8-32 Configuring Devices to Send Syslogs 8-32 Modifying Device Security 8-33 Router Commands 8-33 Switches Commands 8-34 Content NetworkingContent Service Switch Commands 8-34 Content NetworkingContent Engine Commands 8-34 Cisco Interfaces and ModulesNetwork Analysis Modules 8-34 Security and VPNPIX Devices 8-35 Moving the Configuration Archive Directory 8-35 Enabling and Disabling the Shadow Directory 8-36 Configuring Exclude Commands 8-37 Configuring Fetch Settings 8-39 Understanding Configuration Retrieval and Archival 8-39 Schedule Periodic Configuration File Archival 8-39 Schedule Periodic Configuration Polling 8-40 Manual Updates (Sync Archive function) 8-40 Using Version Summary 8-40 Timestamps of Configuration Files 8-41 How Running Configuration is Archived 8-41 Change Audit Logging 8-42 Defining the Configuration Collection Settings
8-42
Configuring Transport Protocols 8-45 Requirements to Use the Supported Protocols 8-45 Supported Protocols for Configuration Management Applications Defining the Protocol Order 8-48 Overview: Common Syslog Collector
8-49 8-50
8-48
Viewing Status and Subscribing to a Common Syslog Collector Viewing Common Syslog Collector Status 8-50 Subscribing to a Common Syslog Collector 8-51 Testing Syslog Collector Subscription 8-52 Understanding the Syslog Collector Properties File 8-54 Timezone List Used By Syslog Collector 8-57
-x
OL-20721-01
Chapter
CHAPTER
Monitoring and Troubleshooting Settings Loading MIB Files Configuring NAM

9-2 9-4
9-1 9-1
Configuring Fault Poller Settings For Topology
Configuring RMON 9-5 Modifying the Parameters 9-6 Enabling RMON on All Ports in Selected Devices 9-7 Enabling RMON on Selected Ports in Selected Devices Disabling RMON 9-8 Configuring Topology Settings 9-8 Viewing Restricted Topology 9-9
10
9-7
CHAPTER
Notification and Action Settings Customizing LMS Events

10-5
10-1 10-2
Understanding Notifications and Subscriptions
Configuring Event Sets and Notification Groups for Subscriptions 10-6 Configuring Event Sets 10-6 Configuring Fault Notification Groups 10-7 Setting Up a Fault Notification Group as Static or Dynamic 10-8 Managing Fault SNMP Trap Notifications 10-9 Adding an SNMP Trap Notification Subscription 10-10 Editing an SNMP Trap Notification Subscription 10-11 Suspending an SNMP Trap Notification Subscription 10-12 Resuming an SNMP Trap Notification Subscription 10-12 Deleting an SNMP Trap Notification Subscription 10-13 Managing Fault E-Mail Configurations 10-13 Managing Fault E-Mail Notification Subscriptions 10-13 Adding and Editing an E-Mail Notification Subscription Managing Fault E-Mail Subject Customization 10-16 Managing Fault Syslog Notifications 10-17 Adding a Syslog Notification Subscription 10-18 Editing a Syslog Notification Subscription 10-20 Suspending a Syslog Notification Subscription 10-21 Resuming a Syslog Notification Subscription 10-21 Deleting a Syslog Notification Subscription 10-21 Configuring Fault SNMP Trap Receiving and Forwarding 10-22 Enabling Devices to Send Traps to LMS 10-22 Enabling Cisco IOS-Based Devices to Send Traps to LMS 10-23
10-14
-xi
Chapter
Enabling Catalyst Devices to Send SNMP Traps to LMS 10-23 Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs Updating the SNMP Trap Receiving Port 10-24 Configuring SNMP Trap Forwarding 10-25 Performance SNMP Trap Notification Groups Creating a Trap Receiver Group 10-26 Editing a Trap Receiver Group 10-28 Deleting a Trap Receiver Group 10-29 Filtering Trap Receiver Groups 10-30 Performance Syslog Notification Groups 10-31 Creating a Syslog Receiver Group 10-32 Editing a Syslog Receiver Group 10-33 Deleting a Syslog Receiver Group 10-34 Filtering Syslog Receiver Groups 10-35 Defining Automated Actions 10-36 Creating an Automated Action 10-37 Editing an Automated Action 10-39 Guidelines for Writing Automated Script 10-41 Enabling or Disabling an Automated Action 10-41 Exporting or Importing an Automated Action 10-42 Deleting an Automated Action 10-42 Automated Action: An Example 10-43 Verifying the Automated Action 10-44 Defining Syslog Message Filters 10-45 Creating a Filter 10-46 Editing a Filter 10-46 Enabling or Disabling a Filter 10-47 Exporting or Importing a Filter 10-47 Deleting a Filter 10-48 Inventory and Config Collection Failure Notification 10-48 Configuring Trap Notification Messages 10-50 Examples for Collection Failure Notification 10-50 Fields in a Trap Notification Message 10-51 IPSLA Syslog Configuration
11
10-51 10-25
10-24
CHAPTER
Administering Change Audit and Software Management Setting Up Preferences

11-2 11-2 11-3
11-1
Performing Change Audit Tasks Performing Maintenance Tasks
-xii
OL-20721-01
Chapter
Setting the Purge Policy 11-4 Performing a Forced Purge 11-5 Config Change Filter 11-7 Defining Exception Periods 11-7 Creating an Exception Period 11-8 Enabling and Disabling an Exception Period Editing an Exception Period 11-9 Deleting an Exception Period 11-9
11-8
Defining Change Audit Automated Actions 11-10 Understanding the Automated Action Window 11-10 Creating an Automated Action 11-11 Editing an Automated Action 11-13 Enabling and Disabling an Automated Action 11-13 Exporting and Importing an Automated Action 11-14 Deleting an Automated Action 11-14 Software Management Administration Tasks 11-15 Viewing/Editing Preferences 11-15 Selecting and Ordering Protocol Order 11-19 How Recommendation Filters Work for an IOS Image Setting Change Report Filters
12
11-22
11-20
CHAPTER
Managing Jobs
12-1 12-1
Using Job Browser
Configuring Default Job Policies 12-5 Defining the Default Job Policies 12-6 Configuring NetShow Job Policies 12-11 Defining Default Job Policies 12-12 Purging Configuration Management Jobs Defining Protocol Order 12-14 Masking Credentials 12-15 Job Approval Workflow 12-16 Specifying Approver Details 12-16 Creating and Editing Approver Lists 12-17 Assigning Approver Lists 12-18 Setting Up Job Approval 12-18 Approving and Rejecting Jobs 12-20 Using Device Selector
12-23
12-13
Enabling Approval and Approving Jobs Using Job Approval
12-15
-xiii
Chapter
Using Simple Search
12-25
Using Advanced Search 12-26 Using the All Tab 12-30 Using the Search Results Tab 12-32 Using the Selection Tab 12-32 Editing Device Attributes 12-33 Attribute Error Report 12-36 Device Attributes Export File Format 12-36
13
CHAPTER
Working With Software Center
13-1
Performing Software Updates 13-2 Viewing the List of Installed Applications and Packages Selecting Software Updates 13-3 Downloading Software Updates 13-4 Performing Device Update 13-4 Viewing Package Map 13-5 Viewing Device Map 13-5 Checking for Updates 13-6 Deleting Packages 13-7 Scheduling Device Package Downloads Scheduled Job Event Log
13-10 13-9 13-8
13-2
Using the Software Center CLI Utility 13-10 Querying Updates on the LMS Server 13-11 Installing Device Packages 13-12 Uninstalling Device Packages 13-12 Downloading Software Updates 13-13 Downloading Device Updates 13-13 Listing Dependent Device Packages 13-14 Listing Device Packages Version 13-15
14
CHAPTER
Discrepancies and Best Practices Deviations Interpreting Discrepancies 14-2 Trunking Related Discrepancies 14-2 Trunk Negotiation Across VTP Boundary Native VLANs Mismatch 14-4 Trunk VLANs Mismatch 14-4
14-1 14-1
Understanding Discrepancies and Best Practices Deviations
14-3
-xiv
OL-20721-01
Chapter
Trunk VLAN Protocol Mismatch 14-4 VLAN-VTP Related Discrepancies 14-5 VTP Disconnected Domain 14-5 No VTP Server in Domain with at least One VTP Client Link Related Discrepancies 14-6 Link Duplex Mismatch 14-6 Link Speed Mismatch 14-8 Link Trunk/NonTrunk Mismatch 14-9 Port Related Discrepancy 14-10 Port is in Error Disabled State 14-10 Device Related Discrepancy 14-11 Devices With Duplicate SysName 14-11 Spanning Tree Related Discrepancy 14-11 Port Fast Enabled on Trunk Port 14-11 Interpreting Best Practices Deviations 14-12 Channel Ports Related Best Practices Deviations 14-13 Non-channel Port in Desirable Mode 14-13 Channel Port in Auto Mode 14-14 Spanning Tree Related Best Practices Deviations 14-15 BPDU Filter Disabled on Access Ports 14-16 BPDU-Guard Disabled on Access Ports 14-17 BackboneFast Disabled in Switch 14-18 UplinkFast not Enabled 14-20 Loop Guard and Port Fast Enabled on Ports 14-22 Trunk Ports Related Best Practices Deviations 14-23 Non-trunk Ports in Desirable Mode 14-23 Trunk Ports in Auto Mode 14-25 VLAN Related Best Practices Deviations 14-25 VLAN Index Conflict 14-26 VLAN Name Conflict 14-26 Link Ports Related Best Practice Deviation 14-26 UDLD Disabled on Link Ports 14-27 Access Ports Related Best Practice Deviation 14-28 CDP Enabled on Access Ports 14-28 Cisco Catalyst 6000 Devices Related Best Practice Deviation High Availability not Operational 14-29 Customizing Discrepancies Reporting and Syslog Generation
14-5
14-29
14-30
-xv
Chapter
CHAPTER
15
Report Setting
15-1 15-1
Specifying User Tracking Report Purge Policy Specifying Domain Name Display Set Report Publish Location
16
15-2 15-2
CHAPTER
Purge Settings
16-1 16-1 16-2
Purging Reports Jobs and Archived Reports
Purging VRF Management Reports Jobs and Archived Reports Purging Configurations from the Configuration Archive Syslog Administrative Tasks 16-4 Setting the Syslog Backup Policy Setting the Syslog Purge Policy 16-6 Performing a Syslog Forced Purge
16-5 16-2
16-7
Purging Configuration Management Jobs 16-8 Scheduling a Configuration Management Purge Job 16-10 Enabling a Configuration Management Purge Job 16-11 Disabling a Configuration Management Purge Job 16-11 Performing an Immediate Purge for Configuration Management Jobs Performance Purge Jobs Performance Purge Data
16-12 16-14 16-17
16-12
View Performance Purge Details IPSLA Data Purging Settings
16-18 16-20
Configuring the Daily Fault History Purging Schedule

17
CHAPTER
Debugging Options
17-1 17-1
Configuring Discovery Logging
Maintaining Log Files 17-2 Maintaining Log Files on Solaris/Soft Appliance 17-3 Maintaining Log Files on Windows 17-3 About Cisco Prime Common Services Log Files 17-4 Viewing and Maintaining LMS Log File Details 17-6 Fault Management Log Files 17-8 Performance Debugging Settings 17-9 IPSLA Debugging Settings 17-11 Config and Image Management Debugging Settings Configuring Logging
17-17 17-18 17-13
Fault Debugging Settings
-xvi
OL-20721-01
Chapter
Setting Debugging Options for Topology and User Tracking 17-20 Setting up Debugging Options for Data Collection 17-20 Setting up Debugging Options for Network Reports 17-23 Setting Debugging Options for Device Groups 17-24 Setting Debugging Options for Topology 17-24 Debugging Options for User Tracking Server 17-25 Debugging Dynamic Updates 17-26 Debugging Options for User Tracking Reports 17-29 Debugging Options for Dynamic User Tracking Console 17-29 Debugging Options for CiscoView 17-30 Setting VRF Lite Debugging Options 17-30 VRF Lite Server Debugging Settings 17-31 VRF Lite Collector Debugging Settings 17-32 VRF Lite Client Debugging Settings 17-33 VRF Lite Utility Debugging Settings 17-33
18
CHAPTER
Understanding LMS Tasks
18-1
Understanding Admin Tasks 18-1 Understanding System Tasks 18-2 Understanding Trust Management Tasks Understanding Network Tasks 18-8 Understanding Collection Tasks 18-13
18-7
Understanding Report Tasks 18-17 Understanding Fault and Event Report Tasks 18-18 Understanding Report Archives Tasks 18-19 Understanding Report Designer Tasks 18-19 Understanding Inventory Report Tasks 18-20 Understanding Audit Report Tasks 18-20 Understanding Technology Report Tasks 18-21 Understanding Performance Report Tasks 18-21 Understanding System Report Tasks 18-23 Understanding Switch Port Report Tasks 18-24 Understanding Configuration Tasks 18-25 Understanding Configuration Archive Tasks 18-25 Understanding Configuration Tools Tasks 18-26 Understanding ConfigCLI Tasks 18-28 Understanding Configuration Workflows Tasks 18-29 Understanding Configuration Job Browsers Tasks 18-30 Understanding Compliance Tasks 18-30
-xvii
Chapter
Understanding Monitor Tasks 18-31 Understanding Performance Settings Tasks 18-31 Understanding Fault Settings Tasks 18-33 Understanding Threshold Settings Tasks 18-33 Understanding Troubleshooting Tools Tasks 18-34 Understanding Monitoring Tools Tasks 18-35 Understanding Inventory Tasks 18-36 Understanding Group Management Tasks 18-36 Understanding Job Browsers Tasks 18-37 Understanding Device Administration Tasks 18-37 Understanding Inventory Tools Tasks 18-38 Understanding Work Center Tasks 18-38 Understanding Smart Install Tasks 18-39 Understanding Auto Smartports Tasks 18-39 Understanding Identity Tasks 18-39 Understanding EnergyWise Tasks 18-40
19
CHAPTER
Solaris Patches
19-1
19-1 19-1
Required and Recommended Solaris Patches
CHAPTER
20
About Java Plug-ins
20-1 20-1 20-2 20-3
Installing or Uninstalling the Java Plug-in Installation of Java Plug-in on Windows
Installation of Java Plug-in on Solaris/Soft Appliance

A
APPENDIX
Setting Up Local Users Through CLI A-2 Adding Local Users A-2 Importing Local Users A-3 Importing Users From ACS A-4 Changing Cisco Prime User Password Through CLI Managing Processes Through CLI A-5 Viewing Process Details Through CLI A-5 Viewing Brief Details of Processes A-6 Viewing Processes Statistics A-7 Starting a Process A-7 Stopping a Process A-7 Working With Third Party Security Certificates
A-8 A-4
-xviii
OL-20721-01
Chapter
Uploading Third Party Security Certificates to LMS Server A-8 Using the SSL Utility Script to Upload Third Party Security Certificates
A-12
Setting up Browser-Server Security A-13 Enabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms A-13 Enabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms A-14 Disabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms A-14 Disabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms A-15 Backing up Data Using CLI
A-16
Using LMS Server Hostname Change Scripts A-16 Running the Hostname Change Script A-19 Using DCR Features Through CLI A-21 Viewing the Current DCR Mode Using CLI Viewing Device Details A-22 Changing DCR Mode Using CLI A-22
A-21
Using Group Administration Features Through CLI Exporting Groups Through CLI A-24 Importing Groups Through CLI A-25 Deleting Stale Groups Using CLI
A-26
A-23
User Tracking Command Line Interface A-26 Exporting Switch Port Usage Report A-30 Using Lookup Analyzer Utility
A-31
Understanding UTLite A-33 Installing UTLite Script on Active Directory A-35 Installing UTLite Script on Windows A-36 Installing UTLite Script on NDS A-36 Uninstalling UTLite Scripts From Windows A-37 Uninstalling UTLite Scripts From Active Directory A-38 Uninstalling UTLite Scripts From NDS A-38 User Tracking Debugger Utility A-38 Understanding Debugger Utility A-38 Using Debugger Utility A-39 Configuring Switches to Send MAC Notifications to LMS Server Administration Command Line Interface A-40 SNMP Configuration on Devices A-42
A-39
-xix
Chapter
APPENDIX
Troubleshooting and FAQs
B-1
Troubleshooting Guidelines B-1 Troubleshooting User Tracking B-1 Troubleshooting the Cisco Prime LMS Server Verifying Server Status B-3 Troubleshooting Suggestions B-5
B-2
Frequently Asked Questions B-6 User Tracking FAQs B-7 VRF Lite FAQs B-9 Cisco Prime LMS Server FAQs B-14 General B-15 Security B-22 Software Center B-25 Event Distribution Services and Event System Services Backup and Restore B-27 Database B-28 Apache and Tomcat B-30 Fault Management FAQs B-36 Device Performance Management FAQs B-37 IPSLA Performance Management FAQs B-38
C
B-26
APPENDIX
Data Extraction Engine
C-1 C-1
Overview of Data Extraction Engine
The cmexport Command C-2 Running cmexport Command C-2 cmexport Arguments and Options C-3 Mandatory Arguments C-4 Optional Arguments C-4 Function-Specific Options C-5 Displaying Help C-5 Uses of cmexport C-5 cmexport User Tracking
C-6 C-9 C-12
cmexport Topology Command
cmexport Discrepancy Command cmexport Manpage C-14 Command Line Syntax C-14 Commands C-14 Arguments and Options C-15
-xx
OL-20721-01
Chapter
Mandatory Arguments C-15 Function-Specific Options C-16 Accessing Help C-16 DEE Developers Reference C-16 Schema for User Tracking Data C-17 User Tracking Schema for Switch Data C-18 User Tracking Schema for Phone Data C-19 User Tracking Schema for Subnet Data C-19 Schema for Topology Data C-20 Schema for Discrepancy Data C-21 Using Servlet to Export Data from LMS C-22
D
APPENDIX
General Security
D-1
Server Security D-2 ServerImposed Security D-2 Files, File Ownership, and Permissions D-2 Runtime D-3 Remote Connectivity D-4 Access to Systems Other Than the Cisco Prime LMS Server Access Control D-4 System Administrator-Imposed Security D-5 Connection Security D-5 Security Certificates D-5 Terms and Definitions D-6
E
D-4
APPENDIX
Overview of Dynamic Updates
E-1 E-2 E-2 E-3
Configuring Switches With MAC Notification Commands Device Operating System Version-Specific Commands
List of Commands to Enable MAC Notification Traps on Devices
-xxi
Preface
Administration in Cisco Prime LAN Management Solution (LMS) 4.1 groups all the activities and tasks that a user with Network or System Administrator privileges needs to perform. This preface details the related documents that support the Admin feature, and demonstrates the styles and conventions used in this guide. This preface contains:

Audience Document Conventions Product Documentation
Audience
This guide is for users who are skilled in network administration and management, and for network operators who use this guide to make configuration changes of devices using LMS. The network administrator or operator should be familiar with the following:

Basic Network Administration and Management Basic Solaris System Administration Basic Windows System Administration Basic Soft Appliance System Administration Basic LMS Administration
Document Conventions
Table 1 describes the conventions followed in the user guide.
Table 1 Conventions Used
Item Commands and keywords Variables for which you supply values Displayed session and system information Information you enter
Convention boldface font italic font

screen
font font
boldface screen
xxiii
Preface
Table 1
Conventions Used (continued)
Item Variables you enter Menu items and button names Selecting a menu item in paragraphs Selecting a menu item in tables
Convention
italic screen
font
boldface font Option > Network Preferences Option > Network Preferences
Note
Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Product Documentation
Note
We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates. Table 2 describes the product documentation that is available.
Table 2 Product Documentation
Document Title Administration of Cisco Prime LAN Management Solution 4.1 (this document)
Available Formats
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/admin/admin.html PDF version part of Cisco Prime LMS 4.1 Product DVD.
Context-sensitive online help Getting Started with Cisco Prime LAN Management Solution 4.1
Select an option from the navigation tree, then click Help.
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/getting_started/gsug.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/configuration_management/cmug.ht ml PDF version part of Cisco Prime LMS 4.1 Product DVD.
Configuration Management with Cisco Prime LAN Management Solution 4.1
xxiv
OL-20721-01
Preface
Table 2
Product Documentation (continued)
Document Title Monitoring and Troubleshooting with Cisco Prime LAN Management Solution 4.1
Available Formats
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/monitoring_troubleshooting/mntug. html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/inventory_mgmt/inventory.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/work_centers/wc.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/us er/guide/Reports/rptmgt_ug.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/in stall/guide/install.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/na vigation/guide/nav_guide.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/da tabase_schema4.1/guide/dbviews.html PDF version part of Cisco Prime LMS 4.1 Product DVD.
Inventory Management with Cisco PrimeLAN Management Solution 4.1
Technology Work Centers in Cisco Prime LAN Management Solution 4.1
Reports Management with Cisco PrimeLAN Management Solution 4.1
Installing and Migrating to Cisco Prime LAN Management Solution 4.1
Navigation Guide for Cisco Prime LAN Management Solution 4.1
Open Database Schema Support in Cisco Prime LAN Management Solution 4.1
xxv
Preface
Table 2
Product Documentation (continued)
Document Title Release Notes for Cisco Prime LAN Management Solution 4.1
Available Formats
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/re lease/notes/lms40rel.html PDF version part of Cisco Prime LMS 4.1 Product DVD. On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.1/de vice_support/table/lms40sdt.html PDF version part of Cisco Prime LMS 4.1 Product DVD.
Supported Devices Table for Cisco Prime LAN Management Solution 4.1
Documentation Roadmap for Cisco Prime LAN Management Solution 4.1
Printed document part of Software kit
Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly Whats New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the Whats New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
xxvi
OL-20721-01
Notices
The following notices pertain to this software license.
OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
OpenSSL License:
Copyright 1998-2007 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. 2. 3.
Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution. All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
4.
xxvii
Notices
5. 6.
Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project. Redistributions of any form whatsoever must retain the following acknowledgment: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License:
Copyright 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Youngs, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. 2. 3.
Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). The word cryptographic can be left out if the routines from the library being used are not cryptography-related.
4.
If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: This product includes software written by Tim Hudson (tjh@cryptsoft.com).
xxviii
OL-20721-01
Notices
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
xxix
CH A P T E R
Overview of Administration
This guide is intended for Local Area Network (LAN) administrators and management professionals who perform LAN configurations and monitor LAN performance. The Admin menu in the LMS 4.1 groups all the activities and tasks that a user with Network or System Administrator privileges can perform. This section explains:

How the guide is organized? Administration Tasks Understanding the System Dashboard
1-1
Chapter 1 How the guide is organized?
How the guide is organized?

The Administration user guide is organized as follows:
Table 1-1 Administration User Guide
Chapter
Description
Overview of Administration (This chapter) Provides information on the organization of Administration with Cisco Prime LMS user guide, and describes the System Dashboard portlets in LMS. Chapter 2, Setting up Security Describes the security mechanisms that help to prevent unauthenticated access to LMS server, Cisco Prime applications, and data. LMS provides features for managing security while operating in single-server and multi-server modes. Describes how to use administrative features to ensure that the server is performing properly. You can manage processes, set up backup parameters, update licensing information, collect server information, manage jobs and resources, and configure system-wide information on the Cisco Prime LMS Server. Chapter 4, Administering Discovery Describes how to configure discovery settings, and perform administrative tasks Settings and Device and Credential Repos- in DCR. itory Chapter 5, Managing Groups Describes how to use the Grouping feature in LMS. LMS 4.1 has a more robust device grouping which can support 600 device groups. The other grouping services that are available in LMS are:

Chapter 3, Administering LMS Server
Fault Group IPSLA Collector Group Port and Module Group
Chapter 6, Administering Data Collection Chapter 7, User Tracking and Dynamic Updates
Describes how to use Data Collection. Describes how to use User Tracking and Dynamic Updates. User Tracking allows you to track end stations. Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps.which
Chapter 8, Administering Collection Settings
Describes how to configure the various collection settings in LMS.
Chapter 9, Monitoring and Troubleshoot- Describes how to configure all the administrative tasks that you need to perform ing Settings to monitor and troubleshoot your network using LMS. Chapter 10, Notification and Action Settings Describes how to configure the the administrative tasks involved in setting up notification, syslog settings. You can also customize the names and event severity, create and activate a notification subscriptions, and setup up automated actions for Change Audit tasks and syslogs. Chapter 11, Administering Change Audit Describes how to perform Change Audit tasks and set your preference to and Software Management download images.
1-2
OL-20721-01
Chapter 1
Overview of Administration Administration Tasks
Table 1-1
Administration User Guide (continued)
Chapter Chapter 12, Managing Jobs Chapter 13, Working With Software Center Chapter 14, Discrepancies and Best Practices Deviations Chapter 15, Report Setting Chapter 16, Purge Settings Chapter 17, Debugging Options Chapter 18, Understanding LMS Tasks Appendix A, CLI Tools Appendix C, Data Extraction Engine
Description Describes how to manage jobs in LMS, and set up job approval for certain modules in LMS. Describes how to use the Software Center to check for software and device support updates, download them to their server file system along with the related dependent packages, and install the device updates. Describes how to use the Discrepancies Reporting module of LMS to view the discrepancies and best practices deviations in your network. Describes how to configure some settings for generating reports and set a report publish location. Describes how to configure the purge settings of all modules in LMS. Describes how to configure the debugging settings of all modules in LMS. You can also view the details of all the log files. Describes all LMS tasks. Describes all the CLI utilities that are available for the administrator in LMS 4.1. Describes how to export User Tracking, Topology, and Discrepancy application data using Data Extraction Engine
Appendix B, Troubleshooting and FAQs Provides troubleshooting and FAQs.
Appendix D, Understanding Cisco Prime Describes the various levels of security implemented in Cisco Prime LMS. Security
Administration Tasks
The System Administration tasks are grouped into:

Authentication Mode Setup Backup Cisco.com Settings Debug Settings Group Management License Management Log Rotation Server Monitoring SMTP Default Server Device Management Functions Software Center System Preferences User Management
1-3
Chapter 1 Administration Tasks
The Network Administration tasks are grouped into:

Change Audit Settings Discovery Settings PSIRT, EOS and EOL Settings Configuration Job Settings Device Credential Settings Best Practises Deviation Settings Display Settings Monitor and Troubleshoot Notification and Action Settings Purge Settings Resource Browser Software Image Management Config Data Collection Fault Inventory Performance Syslog User Tracking VRF Lite Trust Management
Local Server Multi Server
The Collection Settings are grouped into:

Apart from the system administration and network administration tasks, you can also perform:
Job Management
Job Browser Job Approval
The two dashboards in the Admin menu are:

System Dashboard. For more information, see Understanding the System Dashboard Device Status Dashboard. This section is explained in the Inventory Online Help.
IPv6 Support in LMS
LMS providesIPv6 Support for the following features:
1-4
OL-20721-01
Chapter 1
Overview of Administration Administration Tasks
Application Common Services
IPv6 Supported Features The following features in Common Services supports IPv6:
Device Discovery Common Services Device Discovery allows you to discover devices from IPv6 networks, using CDP and Ping Sweep On IP Range Device Discovery modules.
DCR and Grouping Services DCR supports IPv6 and stores the expanded format of IPv6 Addresses that are discovered by the CDP and Ping Sweep On IP Range modules.
You can now create group rules based on IPv6 management addresses. LMS supports IPv6 Addressing scheme in following Device Discovery pages:

Seed Device Setting Page SNMP Settings Page Filter Settings Page
In the Device Troubleshooting home page, the existing IP Address field supports IPv6 Addresses. Inventory, Config and Image Management The following features/technologies in Inventory, Config and Image Management supports IPv6:

Assigning an IPv6 Address to a Layer 3 device or VLAN Retrieving software files from a device Distributing different versions of software to a device Scheduling retrieval of software from a device Retrieving configuration files from a device Distributing a new configuration to a device Distributing a historical configuration file to a device Scheduling distribution of configuration files to a device Provisioning Auto Smart Ports on ASP-capable devices Medianet Provisioning Identity on Identity-capable devices Configuring Syslogs
CiscoView
CiscoView allows you to enter an IPv6 Address of a device to display the device view for configuring and remote monitoring.
1-5
Chapter 1 Administration Tasks
Application Network Topology, Layer 2 Services and User Tracking
IPv6 Supported Features The following features in Network Topology, Layer 2 Services and User Tracking supports IPv6:
Data Collection The following tasks related to Data Collection are supported in the IPv6 environment:
SNMP Timeout and Retry configuration for IPv6 devices Viewing Data Collection Metrics and reports for IPv4/IPv6 devices Creating group rules based on IPv6 Subnet and IPv6 Subnet Masks Device based debugging for IPv6 devices
Topology The following tasks related to Topology are supported in the IPv6 environment:
Setting an IPv6 Address as the preferred Management Address
from Topology view

Cross-launching Inventory, Config and Image Management and
CiscoView from Topology Services - Device Dashboard and Add to Critical Poller
Selecting IPv6 devices for Device Type Topology Filter
Network Topology, Layer 2 Services and User Tracking Reports IP Address fields in all these reports except User Tracking reports can now display IPv6 Addresses. You can sort the reports based on IP Addresses (IPv4 and IPv6). VLAN Configuration The following VLAN related configurations are supported in the IPv6 environment:
Configure VLAN Delete VLAN Create Private VLAN Delete Private VLAN Configure Port Assignment Configure Promiscuous Ports Create Trunk Modify Trunk Attributes
1-6
OL-20721-01
Chapter 1
Overview of Administration Understanding the System Dashboard
Understanding the System Dashboard

The System Dashboard has the following portlets:
Note
The data in these portlets does not appear based on any role-based authorization, both device-level or user-level authorization.

Cisco Prime Product Updates Critical Message Window Device Credentials and AAA Information Log Space Usage Process Status System Backup Status User Login Information Job Information Status Audit Trail Information Job Approval Syslog Collectors Information Supported Device Finder Portlet VRF Collector Summary Collection Summary Portlet
Cisco Prime Product Updates

You can view the recent updates and announcements of Cisco Prime products using Cisco Prime Product Updates.
1-7
Chapter 1 Understanding the System Dashboard
Critical Message Window

In the Critical Message Window portlet, you can view the alerts for Cisco Prime Drive Utilization, and for processes that are down. For details, see Utilizing Space in the Cisco Prime Drive. For instance, if the usage of the drive exceeds the specified limit, the alerts appear. You can click the help link to view the details, and can reduce drive utilization. You must configure the refresh time in the portlets. You can also get information about:
Authentication mode fallback Authentication mode from which the user fallbacks to the Cisco Prime Local module. This message appears when the user is in fallback mode.
License expiration Single Sign On (SSO) master unreachability, which is applicable only for a slave server.
Utilizing Space in the Cisco Prime Drive

You can use the space in Cisco Prime LMS drive in the following ways:

Delete the unwanted logs files from the NMSROOT directory. Use the log rotate functionality, to rotate the logs to other drives. Remove unwanted files from the NMSROOT drive.
Note
The Authentication modes appear in the Critical Message Window portlet (in red) if you do not have full privileges in the Device Credential and AAA Information portlet.
Table 1-2 lists the Critical Message Window portlet details.
1-8
OL-20721-01
Chapter 1
Table 1-2
Critical Message Window Portlet
Details CiscoWorks Drive Utilization
Description Displays the utilization of the drive for Windows, Solaris and Soft Appliance. For Windows: Drive is where the product is installed. For example, 'C' drive in case of "C/Program Files/CSCOpx" For Solaris/Soft Appliance: The portlet displays the File System utilization of the following: /opt - Product Installed location /var - Log file details location.
Processes xyz are down. For example:ESS, EssMonitor, Proxy and so on.
Displays the processes that are down. All the processes that are down are displayed in red in the portlet. However, when Fault processes such as DFMCTMStartup and Data Purge are down, they are not displayed in the Critical Message Window portlet.
Device Credentials and AAA Information

The Device Credentials and AAA Information portlet allows you to view the information about the device credentials, admin settings, security settings, and device polling status. The security settings enable you to view the security settings in LMS such as the Authentication mode, and Single sign-on configuration. Table 1-3 lists the Device Credentials and AAA Information portlet details.
Table 1-3 Device Credentials and AAA Information Portlet
Field Authentication Mode
Description Mode selected to authenticate the LMS server when logging into the LMS application. For example, TACACS+, MS Active Directory.

If the status is displayed in green, authentication is successful in the local or external server. The status is in red when you log into the Cisco Prime application in fallback mode.
Authorization Mode
Mode used to authorize the user after authentication. From LMS 4.1, only the Cisco Prime Local mode is used to authenticate users, and authorize them to access Cisco Prime LMS. ACS mode is not available. SSO mode, such as Stand alone, Master/Slave.
Single Sign On (SSO) Mode
1-9
Table 1-3
Device Credentials and AAA Information Portlet
Field No. of Devices DCR Mode
Description Number of devices. Click on the number to view the DCR Device Management page details. DCR mode such as Standalone, Master, Slave. For more information about DCR mode, see DCR Architecture in Inventory Management Online Help. For more information on changing the DCR mode, see Changing DCR Mode.
Device Polling Status
Device Polling Status
Status of the device polling. The status can be either enabled or disabled. If the status is enabled, then it displays the scheduled jobs along with the Job ID. For example Job ID: 1034.
Device Polling Frequency
Polling frequency of the devices. This frequency can be:

Every 6 hours Every 12 hours Daily Weekly Monthly
Total Unreachable Devices Next Polling Schedule
Total number of devices that are not reachable. Click the unreachable device link to view the report. Time at which the next polling is scheduled.
Log Space Usage

In Log Space Usage portlet, you can manage the reports on log file size. The Log Space Usage portlet also displays details of all log files, including the Tomcat and Apache log files. You must configure the refresh time in the portlets. Table 1-4 lists the Log Space Usage portlet details.
Table 1-4 Log Space Usage Portlet
Field Log File
Description Name of the log file such as syslog.log, EDS.log upm_base.log, and so on. The asterisk (*) displayed along with some log file name denotes that there are multiple files available.
Directory File Size
Displays the location of the logfile. For instance, var/adm/CSCOpx/log. Current size of the log file in kilo bytes.
1-10
OL-20721-01
Chapter 1
You can click the portlet name in the title bar of the portlet to navigate to Log File status report page (Reports > System > Status > Log File). For more information on the list of log files, see Maintaining Log Files.
Process Status
In Process Status portlet, you can manage all the activities or jobs. Table 1-5 lists the Process Status portlet details.
Table 1-5 Process Status Portlet
Field State No. of Process
Description Status of the process, such as Failed to start, Running normally and Shutdown. Number of processes in each state. You can click the portlet name in the title bar of the portlet to navigate to the Process Status report page (Reports > System > Status > Process). You can click the link displayed in the portlet to start or stop the process.
System Backup Status

In the System Backup Status portlet, you can view the details such as the current backup schedule, last backup status, last backup location and the time when the last backup was completed. You should back up the database regularly so that you have a safe copy of the database. You cannot back up the database while restoring it. Whenever you perform a backup, all the databases of the installed applications are backed up. LMS provides a single backup and restore facility to back up and restore all applications installed on the LMS server. You cannot backup or restore individual portal databases without the LMS backup utility. See, Backing up Data Using CLI for more information on the backup utility. To schedule system backups at regular intervals, select Admin > System > Backup. Table 1-6 lists the System Backup Job Details portlet fields.
Table 1-6 System Backup Job Details Portlet
Field Backup Schedule
Description Date and time at which the backup was scheduled. You can click the link corresponding to the Backup Schedule to view/schedule the respective Backup Job details in LMS 4.1.
Last Backup Completed at Last Backup Status Last Backup Location
Date and time when the last backup was completed. Status of the last backup. Location of the last backup.
You can click on the portlet name in the title bar of the portlet to navigate to the Backup Job page.
1-11
User Login Information

In the User Login Information portlet, you can view the information on users currently logged into LMS server. You must configure the refresh time in the portlets. Table 1-7 lists the User Login Information portlet details.
.
Table 1-7
User Login Information Portlet
Field No. of Logged-in Users
Description Number of users who have logged in. You can click the number of logged-in users to view the Who is Logged on Report page (also available from Reports > System > Users > Who is Logged On).
Users
Log-in details of all users and the number of sessions opened by each user.
Note
You can send broadcast messages to logged-in users by clicking the Send Message to all users link displayed in the User Login Information and the users will receive the message within 60 seconds by default.
You can click the portlet name in the title bar of the portlet to navigate to the Who is Logged on Report page. For more information on setting up local users, see Setting up Local Users.
Job Information Status

In the Job Information Status portlet, you can view the status of up to 20 jobs of the installed applications. You can click the portlet name in the title bar of the portlet to navigate to the Job Browser page. You must configure the refresh time in the portlets. Table 1-8 lists the Job Information Status portlet details.
Table 1-8 Job Information Status Portlet
Field Job ID
Description Unique ID assigned to the job by the system, when the job is created. The Job IDs are displayed in ID.No.of.Instances format in periodic jobs. For example, the Job ID 1002.11 indicates that this is the eleventh instance of the job whose ID is 1002. When you click the Job ID, the job details, if available, are displayed.
Job Type
Type of the job. For example, Inventory Collection, SyslogDefaultPurge, and Net Config Job.
1-12
OL-20721-01
Chapter 1
Table 1-8
Job Information Status Portlet (continued)
Field Status
Description Status of the scheduled jobs that are completed. The Job states include Succeeded, Failed, Crashed, Cancelled, and Rejected. The status of the succeeded jobs are displayed in green and the Failed, Crashed, Cancelled, and Rejected jobs are displayed in red.
Job Description Owner Scheduled At
Description of the job provided by the job creator. It can contain alphanumeric characters. Name of the user who created the job. Date and time at which the job is scheduled to run.
Audit Trail Information

In the Audit Trail Information portlet, you can view the details of the changes made to the LMS application by the user. You must configure the refresh time in the portlets. Table 1-9 lists the Audit Trail Information portlet details.
Table 1-9 Audit Trail Information Portlet
Field User Name
Description Name of the person who performed the change. This is the name entered when the person logged in. It can be the name under which the LMS application is running, or the name under which the Telnet connection is established.
Application Name Creation Time Description
Name of the LMS component involved in the network change. For example, Change Audit, Device Management, ICServer, NetConfig, and NetShow. Date and the time at which the changes were performed on the LMS server. Brief summary of the change that occurred on the LMS server. You can click the portlet name in the title bar to navigate directly to the Report Generator page.
1-13
Job Approval
In Job Approval portlet, you can view the list of all jobs. To configure Job Approval portlet, see Configuring the Job Approval portlet. Table 1-10 lists the Job Approval portlet details.
Table 1-10 Job Approval Portlet
Field Job ID
Description ID of the job that has been given for approval. The unique number assigned to the job. For periodic jobs such as Daily, Weekly, and so on, the job IDs are in the number x format. The x represents the number of instances of the job. For example, 1001.3, indicates that this is the third instance of the job ID 1001. Click the Job ID hyperlink to view the job details.
Job Description Job Schedule
Description of the job. Date and time for which the job is scheduled. The Job Approval portlet allows you to approve or reject a job for which you are an approver. A job will run only if it is approved. If the job is not approved by its scheduled runtime, or if an approver rejects it, the job is moved to its rejected state and will not run. For periodic jobs, only one instance of the job needs to be approved. If one instance is approved, all other instances are also considered as approved. You are notified by e-mail, when a job approved by you is created. This portlet enforces the approval process by sending job requests through e-mail to people on the approved list. You can click the portlet name in the title bar to navigate directly to the Jobs Pending Approval details page in LMS. In the Job Approval portlet, you can view the list of Job details. You can configure the Job Approval portlet to set the number of records to be displayed in the portlet, and refresh time both manually and automatically.
Configuring the Job Approval portlet
To configure the Job Approval portlet:

Step 1 Step 2 Step 3 Step 4
Click the Configuration icon. You can: Select the minute and hour from the Refresh Every drop-down list to change the refresh time. The items in the portlet get refreshed at the changed Refresh frequency. Select the number of records to be displayed in the portlet from the Show Last Records drop-down list. Click Save to view the portlet with the configured settings.
1-14
OL-20721-01
Chapter 1
Syslog Collectors Information

Syslog Collectors Information portlet displays the list of remote Syslog collectors subscribed to the LMS servers. It contains the syslog collector information such as the name of the remote syslog, analyzer name, status and the number of packets received. Syslog Collector is a service to receive, filter and forward syslogs to one or more Syslog servers. In this way the collectors reduces traffic on the network as well as the processing load on the server. By default you can only view the remote Syslog analyzer name, status and the number of packets received. However, you can configure the portlet for you to view the other details in the portlet such as the number of packets that are filtered, invalid, dropped, or forwarded. Table 1-11 lists the Syslog Collectors Information portlet details.
Table 1-11 Syslog Collectors Information Portlet
Field Name Status Received
Description Host name or the IP address on which the collector is installed. Status of the Remote Syslog Collector. For example, whether it is connected. Number of packets received. To configure Syslog Collectors Information:
Step 1 Step 2
Move the mouse over the title bar of the Syslog Collector Click the configuration icon. You can:

Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The items in the portlet get refreshed at the changed Refresh frequency. Select the check box against the type of syslog message (Filtered, Invalid, Dropped, Forwarded) to view the respective columns in the Syslog Collector portlet.
FilteredNumber of filtered messages. Filters are defined with the option Message Filters
option. See Defining Syslog Message Filters for more information.

InvalidNumber of invalid Syslog messages. DroppedNumber of Syslog messages dropped. ForwardedNumber of forwarded Syslog messages. Step 3
Click Save to view the portlet with the configured settings.
1-15
Supported Device Finder Portlet

The Supported Device Finder portlet enables you to view the details of the devices that are supported in various LMS applications. By default the Supported Device Finder portlet is added to the System View. This portlet enables you to:

Locate the supported devices in the LMS applications Get the latest updates on devices that are supported and those that will be supported in the upcoming releases. Raise a request through mail to support a new device that is not supported. IP Address Host Name Display Name Model Name SysObjectID
You can search the support of devices added to the DCR using the following search options:

To search using Supported Device Finder portlet:

Step 1
There are three scenarios when the device is not supported:
If the device is not supported in the current installation the following message appears:
The device is not supported, click here for more information.
If the requested device is supported in later releases, and not available with your present installation, the following message appears:
Not supported in Installed version <<version number>>. Support available in version << version number>>
Note
If the device is not currently supported with your existing package, you can install the latest IDU from Cisco.com to get the device support. If the requested device is not supported in any releases, the following message appears:
The device is not supported, click here for more information.
Step 2
Click the click here link and a popup box appears: The popup box has the following information:

OK button to raise a request for the unsupported device. Disclaimer: Please note that all efforts will be made to provide support to this request, however we are unable to commit to a time-line at this moment. Links to the latest device updates Link to the Supported Devices Table
Step 3
Click OK button to raise a request for the SysObject ID or Model Name. For example, sysobjectId or Model name. The SysobjectID or the Model Name appears based on the entries made in the portlet.
1-16
OL-20721-01
Chapter 1
The default mail client is launched. The To field and Subject field has the following address and entries:

To field: lms-dev-supreq@external.cisco.com Subject field: Request for new Device Support. For example, <<Model name /SysObjectId>>
The body lists the application names.

Step 4 Step 5
Enter Yes against the respective application names for which device support is required. Click Send to send a request.
IP Address
You can use the IP Address option to search the devices that are supported in the LMS application. To search using the IP Address:
Step 1 Step 2
Select the IP Address from the drop-down list. Enter an IP Address in the IP Address field and click Submit. All applications are displayed, regardless of whether they are installed or not. The supported servers are also displayed.
If the requested device is supported in the later releases and you have not installed it, the following support details are displayed:
Supported in LMS 3.2. Click here to download
If the requested devices is in the roadmap of next recent releases, the following supported details message is displayed.
Support expected by Sept 08.
If the requested device is not supported in any release, the following supported details are displayed.
Click here to send a request to support team.
1-17
Host Name
You can use the Host Name option to search the devices that are supported in the LMS applications. To search using the Host Name:
Step 1 Step 2
Select the Host Name from the drop-down list. Enter a Host Name in the Host Name field and click Submit. All LMS functions are displayed. The supported servers are also displayed. The LMS applications are:

Inventory, Config and Image Management Network Topology, Layer 2 Services and User Tracking Fault Management IPSLA Performance Management Device Performance Management
For more information on the server supported details, see Step 2 of IP Address.
Display Name
You can use the Display Name option to search the devices that are supported in the LMS applications. To search using the Display Name:
Step 1 Step 2
Select the Display Name from the drop-down list. Enter a Display Name in the Display Name field and click Submit. All LMS functions are displayed. The supported servers are also displayed. For more information on the server supported details, see Step 2 of IP Address.
SysObjectID
You can use the SysObjectID option to search the devices that are supported in the LMS application. To search using the SysObjectID:
Step 1 Step 2
Select the SysObjectID from the drop-down list. Enter a SysObjectID in the SysObjectID field and click Submit. All LMS functions are displayed, regardless of whether they are installed or not. The supported servers are also displayed. For more information on the server supported details, see Step 2 of IP Address.
1-18
OL-20721-01
Chapter 1
Model Name
You can use the Model Name option to search the devices that are supported in the LMS application. To search using the Model Name:
Step 1 Step 2
Select the Model Name from the drop-down list. Enter a Model Name in the Model Name field and click Submit. All LMS functions are displayed. The supported servers are also displayed. For more information on the server supported details, see Step 2 of IP Address.
Note
You can also use a wildcard search, (*), to search for the model name.
VRF Collector Summary

In the VRF Collector Summary portlet, you can view details of the VRF collection, number of VRFs discovered, number of VRF-supported and VRF-capable devices. Table 1-12 lists the VRF process summary portlet details.
Table 1-12 VRF Process Summary Portlet
Field VRF Collector Status
Description Status of the VRF Collector. The two states are:

RunningIndicates that the VRF collector is running. IdleIndicates that the VRF collector is not running.
VRF Collector Last Completion Time Total VRFs Discovered VRF Supported Devices [H/W and S/W Supported]
Indicates the time when the VRF collection is completed. Total number of VRFs discovered. Click the number to launch the Virtual Network Manager Report. Number of VRF-supported devices. These devices have both VRF-supported hardware and software. Click the number to launch the VRF Readiness report.
VRF Capable Devices [H/W Supported, Number of VRF-capable devices. These devices have VRF-supported hardware but S/W Update Required] these devices do not have the supported IOS image for VRF. Click the number to launch the VRF Readiness report.
Collection Summary Portlet

In the Collection Summary portlet, you can view details of the different collectors in LMS. Table 1-13 lists the Collection Summary portlet details.
1-19
Table 1-13
Collection Summary Portlet
Field Collector Name
Description Name of the Collector. The various collectors in LMS are:

Inventory Collection Config Archive EnergyWise Collection Device Discovery Fault Discovery Topology Data Collection UT Major Acquisition VRF Collection In Inventory Collection, Succedded will give the count of devices that were successfully inventory collected at least once. In Config Archive, partial success state devices will not be shown in Succeeded or Failed columns. In Inventory Collection, Failed will give the count of devices which are recently failed. A device which was previously successfully inventory collected and recently failed will have entry in the both column. We should not compare this with DCR device count.
Succeeded
Indicates if the respective collection has completed successfully.

Note
Failed
Indicates if the respective collection has failed.

Note
Last Completion Time Current Status
Indicates the time when the collection is completed. Status of the Collector. The two states are:

RunningIndicates that the collector is running. IdleIndicates that the collector is not running.
Schedule
Click the Schedule link next to the respective collector to launch the corresponding page. You can now schedule the collector.
1-20
OL-20721-01
Chapter 1
To configure this portlet:

Step 1 Step 2 Step 3 Step 4 Step 5
Move the mouse over the title bar of the Collection Summary Portlet. Click the configuration icon. Select the Auto Refresh check box. Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The items in the portlet get refreshed at the changed Refresh frequency. Click Save to view the portlet with the configured settings.
Note
The data in the above portlets is not populated based on device-level or user-level authorization. Role-based access control is not applicable to the portlets.
1-21
CH A P T E R
Setting up Security
LMS 4.1 provides security mechanisms that help to prevent unauthenticated access to LMS server, LMS applications, and data. LMS provides features for managing security while operating in single-server and multi-server modes. You can specify the user authentication mode using the Authentication Mode Setup. This section explains the following:

Managing Security in Single-Server Mode Managing Security in Multi-Server Mode Setting up the Authentication Mode Managing Roles Managing Cisco.com Connection
Managing Security in Single-Server Mode

You can configure the following in Single-Server mode:
Browser-Server Security Mode Setup: LMS 4.1 Server uses Secure Socket Layer encryption to provide secure access between the client browser and management server and also among the management server and the devices. You can enable or disable SSL depending on your need to use secure access between the client browser and management server. Local User Policy Setup: Set up username and password policies for local users using this option. Local User Setup: Edit user settings, add users and assign roles, modify your profile and delete a user, or view a users settings using this option. Self Signed Certificate Setup: Create self-signed certificates that can enable SSL connections between the client browser and the management server.
You can set up browser-server security, add and modify users, and create self signed certificate using the features that come under Single-Server Management in the Security Settings user interface. The Single-Server Management page displays the mode of server security and the information on self signed certificate.
2-1
Chapter 2 Managing Security in Single-Server Mode
Setting up Security
To open the Single-Server Management page:

Step 1
Select Admin > Trust Management > Local Server The Browser-Server Security Mode Setup page appears. Click Single-Server Management in TOC. The Single-Server Management page displays the mode of server security and the information on self signed certificate.
Step 2
This section contains the following:

Setting up Browser-Server Security Setting up Local User Policy Setting up Local Users Creating Self Signed Certificates
Setting up Browser-Server Security

LMS provides secure access between the client browser and management server. It does this using SSL (Secure Socket Layer). SSL encrypts the transmission channel between the client, and server. LMS provides secure access between the client browser, and management server. SSL is an application-level protocol that enables secure transactions of data through privacy, authentication, and data integrity. It relies upon certificates, public keys, and private keys. You can enable SSL if you want to open the LMS application in secure mode. If you want to open the LMS application in non-secure mode (http), you can disable SSL. The login pages always open in SSL mode, irrespective of the Browser-Server security mode. LMS Server uses certificates for authenticating secure access between the client browser and the management server. To enable SSL from the client browser, you must have the necessary security certificates on your computer. See Creating Self Signed Certificates for more information. You can enable or disable the Browser Server Security using LMS Server GUI or Command Line Interface CLI. This section has the following:

Enabling Browser-Server Security From the LMS Server Disabling Browser-Server Security From the LMS Server
2-2
OL-20721-01
Chapter 2
Setting up Security Managing Security in Single-Server Mode
Enabling Browser-Server Security From the LMS Server

To enable Browser-Server Security:
Step 1
Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup. The Browser-Server Security Mode Setup dialog box appears. Select the Enable option to enable SSL. Click Apply. Log out from your Cisco Prime session, and close all browser sessions. Restart the Daemon Manager from the LMS Server CLI: On Windows:
a. b.
Enter net stop crmdmgtd Enter net start crmdmgtd Enter /etc/init.d/dmgtd stop Enter /etc/init.d/dmgtd start
On Solaris/Soft Appliance:
a. b. Step 6
Restart the browser, and the Cisco Prime session. When you restart the Cisco Prime session after enabling SSL, you must enter the URL with the following changes:

The URL should begin with https instead of http to indicate secure connection. Cisco Prime will automatically redirect you to HTTPS mode if SSL is enabled. Change the port number suffix from 1741 to 443.
If you do not make the above changes, LMS Server will automatically redirect you to https mode with port number 443. The port numbers mentioned above are applicable for LMS Server running on Windows. On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a different port during LMS Server installation.
Disabling Browser-Server Security From the LMS Server

To disable Browser-Server Security:
Step 1
Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup. The Browser-Server Security Mode Setup dialog box appears. Select the Disable option to disable SSL. Click Apply. Log out from your Cisco Prime session, and close all browser sessions.
Step 2 Step 3 Step 4
2-3
Setting up Security
Step 5
Restart the Daemon Manager from the LMS Server CLI: On Windows:
a. b.
Enter net stop crmdmgtd Enter net start crmdmgtd Enter /etc/init.d/dmgtd stop Enter /etc/init.d/dmgtd start
a. b. Step 6
Restart the browser, and the Cisco Prime session. When you restart the Cisco Prime session after disabling SSL, you must enter the URL with the following changes:

The URL should begin with http instead of https to indicate that connection is not secure. Change the port number suffix from 443 to 1741.
The port numbers mentioned above are applicable for LMS Server running on Windows. On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a different port during LMS Server installation.
Setting up Local User Policy

You can setup username and password policies for Cisco Prime local users in LMS. With the new local user policy, you can:

Start the local username with a number Include special characters in local username Specify the length of local username Specify the length of local user password Include at least characters from lowercase, uppercase, digits and special characters in password. Same as the username, or the username in reverse Have the same character repeated three times, in sequence A variant of the word Cisco
The password should not be:

You can apply only one local user policy at a time. You cannot define policies for each local user. The local user policy you set up applies to all users including the administrative users. The local usernames that begin with numbers and contain special characters are not subject to the security limitations of authentication and authorization in LMS Servers integrated with pluggable authentication modules such as Active Directory.
2-4
OL-20721-01
Chapter 2
To set up local user policies:

Step 1
Select Admin > System > User Management > Local User Policy Setup. The Local User Policy Setup page appears. Select Allow Special Characters in username to allow special characters in the username. You can include the following special characters in the username: Special Character ~ @ # _ ' / \ . space Description Tilde Commercial At character Number sign Underscore Apostrophe Hyphen Solidus or Leading slash Trailing slash Period Non-breaking space
Step 2
Note
You can add the special characters including hyphen and period in local username only when you have selected this check box. You cannot start a local username with special characters except _ (Underscore).
Step 3
Select Allow Username to start with numbers to allow the first character of a local username to be a numeral. You can enter any number between 0 to 9 in the username as the first character if you have enabled this option.
Step 4
Enter the minimum and maximum length of username of local users. The default minimum length is 5 characters and the default maximum length is 256 characters. You can enter any number between 1 and 256 in the minimum and maximum fields. Ensure that you do not enter a number in minimum username length field that is greater than the number in maximum username length field.
Step 5
Enter the minimum and maximum length of password of local users. The default minimum length is 5 characters and the default maximum length is 256 characters. You can enter any number between 1 and 256 in the minimum and maximum fields. Ensure that you do not enter a number in minimum password length field that is greater than the number in maximum password length field.
Step 6
Click Apply to save the changes.
2-5
Setting up Security
Setting up Local Users

Local User Setup feature helps you to:

Import users Export users Modify your profile Add a local user Edit user profiles Delete local users
You can also set up local users and reset Cisco Prime password through CLI. This section explains:

About User Accounts Understanding Security Levels Importing and Exporting Local Users Importing Local Users Using CLI Importing Users From ACS Adding and Modifying a Local User Adding Local Users Using CLI Assigning Roles on NDG Basis Modifying Your Profile
About User Accounts

Several Cisco Prime network management and application management operations are potentially disruptive to the network, or to the applications themselves, and must be protected. To prevent such operations from being used accidentally or maliciously, Cisco Prime uses a multi-level security system that allows access only to certain features, to users who can authenticate themselves at the appropriate level. LMS provides two predefined login IDs for which the password is specified during installation:
guestAfter authentication and authorization, user will have the default role. After a fresh installation, the default role is Help Desk. You can change the default roles, see Managing Roles for more information. adminThis login provides the user access to all CiscoWorks tasks.
However, as an administrator, you can create additional unique login IDs for users in your company.
Note
The LMS Server Administrator can set the passwords for admin and guest users during installation. Contact the LMS Server Administrator if you do not know the password for admin.
2-6
OL-20721-01
Chapter 2
Understanding Security Levels

System administrators determine user security levels when users are granted access to Cisco Prime. When users are granted logins to the Cisco Prime application, they are assigned one or more roles. A role is a collection of privileges that dictate the type of system access you have. A privilege is a task or operation defined within the application. The set of privileges assigned to you, defines your role and dictates how much and what type of system access you have. The user role or combination of roles, dictates the tasks that are presented to the users. For information on tasks that can be performed with each role, see Permissions Report (Reports > System > Users > Permission). See also About Cisco Prime Pluggable Authentication. Other roles are displayed, depending on your applications.
Importing and Exporting Local Users

You can import local users from the client. If you want to import local users to the local server from a remote LMS Server, you must first import the file from the remote server to the client and then use the import function from the LMS UI.
Note
When you import local users, if there are no roles associated with the users, the default role will be associated with them. You can also export the local users to an output file. You can import local users from the client through CLI. See, Importing Local Users Using CLI for more information. You can import local users from ACS through CLI. See, Importing Users From ACS for more information. Before you import users from the client, you must install the peer certificate of the remote server in the local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate for more information.
2-7
Setting up Security
To import users from a remote server:

Step 1
Select Admin > System > User Management > Local User Setup. The Local User Setup page appears. You can do one of the following:
Step 2
Import:
Click Import Users. You can import only files in the XML format. Click Browse and select a file from the client. Click Submit. To return to the Local User Setup page, click Cancel.
Export:
Select the users for whom you want to export information. If you want to select all the users,
you can check the check box next to the User field.
Click Export. The files exported are in XML format.
A message appears prompting you to open or save the LMSuserExport.xml file. This file is saved in the client. Click Cancel to return to the Local User Setup page.
Importing Local Users Using CLI

This feature allows you to import information about local users to the local server, from a remote LMS Server. You should have the privileges to import local users from the remote LMS Server through CLI. Before you import users from a remote server, you should install the peer certificate of the remote server in the local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate for more information. To import users from a remote server, enter the following commands:

NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -import Protocol Hostname Portnumber Username Password (on Solaris/Soft Appliance) NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import Protocol Hostname Portnumber Username Password (on Windows) Protocol Protocol of the remote LMS Server. The supported values are HTTP or HTTPS. Hostname Hostname or IP address of the remote LMS Server. Portnumber Port Number of the remote LMS Server. Username Remote LMS Server login Username. Password Remote LMS Server login Password.
where,
For example, enter the following command to import the local users from the remote LMS Server lmsdocpc: NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin
2-8
OL-20721-01
Chapter 2
Importing Users From ACS

To import users from ACS through CLI, enter the following commands:

NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -importFromAcs Filename Password (on Solaris/Soft Appliance) NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -importFromAcs Filename Password (on Windows) Filename Output of executing CSUtil.exe. Password Default password assigned to all the importing users.
where,

To execute CSUtil.exe follow the steps below:

Step 1 Step 2
Go to Start > Run in the ACS server. Enter services.msc in the Run command and click OK It will list all the services registered. Select CSAuth and right click to get the Stop option. Click Stop to stop the CSAuth service Execute the command <ACS install directory>/bin/CSUtil.exe -q -d <output file> from CLI. The output file which we got by running the CSUtil.exe should be given as the input while importing users.
Log Files
The information on the users added or imported into the LMS Server is stored in the following files, when you use the import local user CLI commands:

/var/adm/CSCOpx/log/AddUser.log (on Solaris/Soft Appliance) NMSROOT\log\AddUser.log (on Windows)
The AddUser.log file registers the information on the number of users added or imported into LMS Server, number of duplicate users, error messages, and other information that you can use for troubleshooting.
Adding and Modifying a Local User

You can add more users into Cisco Prime as required. You can add only one user at a time through the user interface. See Adding Local Users Using CLI for adding bulk users. You can delete Stale Users From Cisco Prime LMS Portal. See Deleting Stale Users From LMS Portal for more details. To add or edit a user:
Step 1
Select Admin > System > User Management > Local User Setup. The Local User Setup page appears. Click Add or Edit.
Step 2
2-9
Setting up Security
The User Information dialog box appears with the following fields: Field Username Description Enter the username. The value is case-insensitive. You can control the length of the username, start the username with a number, or include special characters in the local username. To do this, you must set up the username and password policy in the Local User Policy Setup page. See Setting up Local User Policy for information. Password Enter the password. You can control the length of the password when you set up policies for local users. See Setting up Local User Policy for information. Verify Password E-mail Authorization Type Re-enter the password. Enter the e-mail ID. This is mandatory if you assign the approver role to the local user. Otherwise, this is optional. Select the radio button corresponding to the authorization type. You can choose from:

Full AuthorizationSelect this radio button to enable full authorization to the user. Enable Task AuthorizationSelect this radio button to enable a role, and the privileges and tasks associated with the roles, to the user. After you select this option, you have to select the desired role from the list of Roles. This is applicable for all devices. Enable Device AuthorizationSelect this radio button to enable authorization to device groups. After you select this option, you have to:
Select the device group from the Device Group. Select the role you want to associate with the device group. The user
group can perform the tasks that are assigned to the chosen roles on the chosen device groups. Roles Select the check box corresponding to the role to specify the roles to be assigned to the user from the Roles pane. The user group can perform the tasks that are assigned to the chosen role on all devices and device groups. The following roles are available:

Help Desk Approver Network Operator Network Administrator System Administrator Super Admin
Network Level Login Credentials Username
Enter the network device login credentials for LMS to communicate with the network devices. Enter the username.
2-10
OL-20721-01
Chapter 2
Field Password Verify Password Enable Password Verify Password

Step 3
Description Enter the password. Re-enter the password. Enter the enable password. Re-enter the enable password.
Click OK. To return to the Local User Setup page, click Cancel.
Adding Local Users Using CLI

You can add bulk local users through CLI. This feature allows you to specify a file that has the information about the local users as an input. The input file you use should be a plain text file.
Note
You can use this CLI command for both system and user-defined roles. Each local user information should be represented in the following format in the text file: Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword where,

Username Local username. The local username is case-insensitive. Password Password for the local user account name. You can leave this field blank in the text file and enter the password in the command line when you run the CLI utility. Note that you should enter the password either in the command line or in the input text file. If you mention the password in both the places, the local user will be added with the password specified in the command line. On adding the user by giving password in the command line prompt, default role will be assigned to the user if the role is missing in the input file.
E-mail E-mail address of the local user. This is mandatory if you assign the approver role to the local user. Otherwise, this is optional. Roles Roles to be assigned to the local user. You should assign one or more of the following roles to the user separated by comma.
Help Desk Approver System Administrator Network Administrator Network Operator Super Admin
DeviceUnameDevice login username DevicePasswordDevice login password DeviceEnPassword Device enable password.
2-11
Setting up Security
The following is an example of local user information to be represented in the input text file:
admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes
To add local users through CLI, enter the following commands:

NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -add Filename Password (on Solaris/Soft Appliance) NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -add Filename Password (on Windows) Filename Absolute path of the filename containing local users information. Password Common password for all user accounts specified in the input text file. This command line parameter is optional if you have specified the passwords for local users in the input text file. Note that you should enter the password either in the command line or in the input text file. If you specify this parameter, the local users are added to Cisco Prime only with this password irrespective of the password entries specified in the input text file.
where,

For example, enter the following command to add local users mentioned in the input file localuser.txt with the password admin:
C:\progra~1\CSCOpx\bin\perl C:\progra~1\CSCOpx\bin\AddUserCli.pl -add C:\files\localuser.txt admin
Log Files
The user information added or imported into the LMS Server is stored in the following files, when you use the import local user CLI command:

/var/adm/CSCOpx/log/AddUser.log (on Solaris/Soft Appliance) NMSROOT\log\AddUser.log (on Windows)
The AddUser.log file registers the information on the number of users added or imported into LMS Server, number of duplicate users, error messages and other information that you can use for troubleshooting.
Deleting Stale Users From LMS Portal
This section describes how to delete stale users from LMS Portal. When you delete the user names from Cisco Prime Common Services application, they are deleted only from the Common Services database and not from LMS Portal database. The usernames remain in LMS Portal as stale users.
2-12
OL-20721-01
Chapter 2
To delete stale users from LMS Portal:

Step 1
Go to the following link: http://server-name:portno/cwportal/c/portal/StaleUserDeletion. In the URL, enter a server name and launch the URL in the browser window. The Portal Stale User Deletion page is displayed. Click the Delete Stale Users button. The stale users are deleted from the Portal database.
Step 2
Step 3
Assigning Roles on NDG Basis

You can choose to assign any number of role and device group combinations for a selected user or user group to operate on Network Device Groups. You should note the following to assign roles on a NDG basis:
If you have assigned a Network Device Group to your AAA client (LMS Server and network devices), you must assign that device group to a role. You cannot have role and device group combinations assigned to a user without assigning the Network Device Group to your AAA client.
You can assign only one role to a user, to operate on an NDG. If a user requires privileges other than those associated with the current role, to operate on an NDG, a custom role should be created. All necessary privileges to enable the user to operate on the NDG should be given to this role. For example, if a user needs to have Approver and Network Operator privileges to operate on NDG1, you can create a new custom role with Network Operator and Approver privileges, and assign the role to the user to operate on NDG1.
You cannot assign roles to the DEFAULT device group. When the DEFAULT (unassigned device group) is selected, you can perform only the Help Desk role, irrespective of the roles chosen. To assign the proper role, the network access server (NAS) should be added to device groups other than DEFAULT.
Modifying Your Profile

To edit your profile:
Step 1
Select Admin > System > User Management > Local User Setup. The Local User Setup page appears. Click Modify My Profile to modify the credentials of the logged in user and the network device login credentials. Enter the user login details like username, password, and e-mail address. The E-mail field is mandatory if you assign the approver role to the local user, otherwise, this is optional.
Step 2 Step 3
2-13
Setting up Security
Step 4
Enter the network device login credentials for LMS to communicate with the network devices. Enter the values for username, password, and enable password. Click OK. To return to the Local User Setup page without saving the modifications, click Cancel.
Step 5
Creating Self Signed Certificates

Cisco Prime allows you to create security certificates that enable SSL communication between your client browser and management server. Self signed certificates are valid for five years from the date of creation. When the certificate expires, the browser prompts you to install the certificate again from the server where you have installed Cisco Prime.
Note
If you regenerate the certificate, when you are in multi-server mode, existing peer relations might break. The peers need to re-import the certificate in this scenario. This section explains the following:

Creating a Self Signed Certificate From the User Interface Working With Third Party Security Certificates
2-14
OL-20721-01
Chapter 2
Creating a Self Signed Certificate From the User Interface

To create a certificate from the user interface:
Step 1
Select Admin > Trust Management > Local Server > Certificate Setup. The Certificate Setup page appears. Enter the values required for the fields described in the following table: Field Country Name State or Province City Organization Name Organization Unit Name Server Name Usage Notes Two character country code. Two character state or province code or the complete name of the state or province. Two character city or town code or the complete name of the city or town. Complete name of your organization or an abbreviation. Complete name of your department or an abbreviation. DNS name, IP Address, or hostname of the computer. Enter the server name with a proper and resolvable domain name. This is displayed on your certificate (whether self-signed or third party issued). Local host or 127.0.0.1 should not be given. Email Address E-mail address to which the mail has to be sent.
Step 2
Step 3
Click Apply to create the certificate. The process generates the following files:

server.keyPrivate key of the server. server.crtSelf- signed certificate of the server. server.pk8Private key of the server in PKCS#8 format. server.csrCertificate Signing Request (CSR) file.
You can use the CSR file to request a security certificate, if you want to use a third party security certificate. If the certificate is not a Self signed certificate, you cannot modify it. To return to the CiscoWorks home page, click Cancel.
2-15
Chapter 2 Managing Security in Multi-Server Mode
Setting up Security
Working With Third Party Security Certificates

Cisco Prime provides an option to use security certificates issued by third party certificate authorities (CAs). You may want to use this option in cases where your organizational policy prevents you from using Cisco Prime self-signed certificates or requires you to use security certificates obtained from a particular CA. You can use these certificates to enable SSL when you need secure access between LMS Server and your client browser. You can upload Third Party Security Certificates using the SSL Utility Script. See Working With Third Party Security Certificates.
Managing Security in Multi-Server Mode

Communication among peer servers that are part of a multi-server domain has to be secure. In multi-server mode the server is configured as DCR Master/Slave or Single Sign-On Master/Slave. In a multi-server scenario, secure communication between peer LMS Servers is enabled using certificates and shared secrets. You must copy certificates between the LMS Servers. You should also generate a shared secret on one server, and configure it on the other servers that need to communicate with the server. The shared secret is tied to a particular Cisco Prime user (for authorization). You can configure the following in Multi-Server mode:

Peer Server Account Setup: Helps you create users who can log into LMS Servers and perform certain tasks. These users should be set up to enable communication among multiple LMS Servers. System Identity Setup: Enables communication among multiple LMS Servers based on a trust model addressed by Certificates and shared secrets. System Identity setup should be used to create a trust user on slave or regular servers for communication to happen in multi-server scenarios. Peer Server Certificate Setup: Adds the certificate of another LMS Server into its trusted store. This allows LMS Servers to communicate with one another using SSL. Single Sign-On Setup: Enables you to use your browser session to transparently navigate to multiple LMS Servers without authenticating to each server.
The Current Multi-Server Settings page displays the mode of server security and the information on self signed certificate. To open the Current Multi-Server Settings page:
Step 1 Step 2
Select Admin > Trust Management > Multi Server. Click Current Multi-Server Setting in TOC. The Current Multi-Server Settings page displays the Single Sign-On details.
2-16
OL-20721-01
Chapter 2
Setting up Security Managing Security in Multi-Server Mode
This section has the following information that helps you to understand better, the features that enable secure communication between peer servers in a multi-server domain: This section contains:

Setting up Peer Server Account Setting up System Identity Account Setting up Peer Server Certificate Enabling Single Sign-On
Setting up Peer Server Account

Peer Server Account Setup helps you create users who can login to LMS Servers and perform certain tasks. These users should be set up to enable communication among multiple LMS Servers. Users created using Peer Server Account Setup can authenticate processes running on remote LMS Servers. You can add a Peer Server user, edit user information and role, and delete a user. To add a Peer Server user:
Step 1
Select Admin > Trust Management > Multi Server > Peer Server Account Setup. The Peer Server Account Setup page appears. Click Add. The Peer Server Account Setup page appears. Enter the username in the Username field. Enter the password in the Password field. Re-enter the password in the Verify field. Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.
Step 2
To edit Peer Server user information:

Step 1 Step 2
Select Admin > Trust Management > Multi Server > Peer Server Account Setup. Click Edit. The Peer Server Account Setup page appears. Enter the password in the Password field. Re-enter the password in the Verify field. Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.
2-17
Setting up Security
To delete a Peer Server user:

Step 1
Select Admin > Trust Management > Multi Server > Peer Server Account Setup. The Peer Server Account Setup page appears. Select the check box corresponding to the user you want to delete. Click Delete. The confirmation dialog box appears. Click OK to confirm. To return to the Peer Server Account Setup page without saving the changes, click Cancel.
Step 2 Step 3
Step 4
Setting up System Identity Account

Communication between multiple LMS Servers is enabled based on a trust model addressed by certificates and shared secrets. System Identity setup helps you to create a trust user on servers that are part of a multi-server setup. This user enables communication among servers that are part of a domain. There can be only one System Identity User for each machine. The System Identity User you configure must be a Peer Server User. The System Identity User you create must be a local user with all privileges. You can either configure the System Identity User with the predefined Super Admin role or with a custom role created with all privileges. If you change the System Identity User later, you must ensure that you add the local user with all privileges in Cisco Prime. Cisco Prime installation program allows you to have the admin user configured as the default System Identity User. For the admin user to work as a System Identity User, the same password should be configured on all machines that are part of the domain, while installing Cisco Prime on the machines part of that domain. If this is done, the user admin serves the purpose of System Identity user. See Installing and Migrating to Cisco Prime LAN Management Solution 4.1 for details. If you create a System Identity User, the default System Identity User, admin, is replaced by the newly created user. While you create the System Identity User, LMS checks whether:

The user is a Local User with all privileges. If the user is not present, or if the user does not have all privileges, an error message appears. The System Identity User is also a Peer Server User. If not, the user will be made a Peer Server User.
For peer to peer communication to work in a multi-server domain, you have to configure the same System Identity User on all the machines that are part of the domain. For example, if S1, S2, S3, S4 are part of a domain, and you configure a new System Identity User, say Joe, on S1, you have to configure the same user, Joe, with the same password you specified on S1, on all the other servers, S2, S3, and S4, to enable communication between them. See Master-Slave Configuration Prerequisites and Enabling Single Sign-On to know more on the usage of this features.
2-18
OL-20721-01
Chapter 2
To add a System Identity user:

Select Admin > Trust Management > Multi Server > System Identity Setup Enter the username in the Username field. Enter the password in the Password field. Re-enter the password in the Verify field. Click Apply. Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and authenticity between Master and Slave. The System Identity User password you specify in Master and Slave should be the same. We recommend that you have the same user name and password across Master and Slave.
Setting up Peer Server Certificate

You can add the certificate of another LMS Server into its trusted store. This will allow one LMS Server to communicate with another using SSL. If a LMS Server needs to communicate with another LMS Server, it must possess the certificate of the other server. You can add certificates of any number of peer LMS Servers to the trusted store of each server. You must add peer server certificates if LMS Servers are configured with Self-Signed Certificates. If the certificates have been signed by popular CAs such as Verisign, and GlobalSign. this is not compulsory. However we recommend that you add peer server certificates to avoid any possible problems with SSL communication. You can setup peer server certificates from the client browser and from a browser session on the server where LMS Server is installed. Ensure that there are no mismatches in the date and time settings between the servers. In case you find any date or time mismatch, you need to correct it before proceeding. If you change the date or time of the peer server, you must regenerate the self signed certificate of the peer server. To add peer LMS Server certificates:
Step 1
Select Admin > Trust Management > Multi Server > Peer Server Certificate Setup. The Peer Server Certificate page appears with a list of certificates imported from other servers. Click Add. Enter the IP address/hostname of peer LMS Server in the corresponding fields. If you specify a server name, it must be entered in DNS. Otherwise specify the IP Address. Enter the value of the SSL (HTTPS) Port of the peer LMS Server. The default SSL(HTTPS) Port of the peer LMS Server is 443. Click OK. To return to the Peer Server Certificate page, click Cancel.
Step 2 Step 3
Step 4 Step 5
2-19
Setting up Security
To delete peer certificates:

Step 1 Step 2
Select the check box corresponding to the certificate you want to delete. Click Delete. The confirmation dialog box appears. Click OK to confirm. To return to the Peer Server Certificate page, click Cancel.
Step 3
You can also view the details of the client certificates. For this, select the check box corresponding to the certificate and click View.
Enabling Single Sign-On

With Single Sign-On (SSO), you can use your browser session to transparently navigate to multiple LMS Servers without authenticating to each of them. Communication among multiple LMS Servers is enabled based on a trust model addressed by Certificates and shared secrets. This section explains:

Single Sign-On Setup Navigating Through the Single Sign-On Domain Changing the Single Sign-On Mode
Single Sign-On Setup

The following tasks need to be done initially:

One of the LMS Servers should be set up as the Authentication Server (AS). Trust should be built between the LMS Servers, using self signed certificates. A trusted certificate is created by adding it in the trust key store of the server. Cisco Prime TrustStore or KeyStore is maintained by the certificate management framework in LMS. Each LMS Server should setup a shared secret with the authentication server. The System Identity user password acts as a secret key for Single Sign-On.
The Single Sign-On Authentication Server is called the Master, and the Single Sign-On Regular Server (RS) is called the Slave. You must perform the following tasks if the server is configured either as Master or as Slave:

Configure the System Identity User and password in both Master and Slave. The System Identity User name and password you specify in Master and Slave should be the same. Configure the Master Self Signed Certificate in Slave.
Single Sign-On uses System Identity user password as the secret key to provide confidentiality and authenticity between Master and Slave. We recommend that you have the same user name and password for both Master and Slave. The Common Name (CN) in the certificate should match with that of the Master server name. Otherwise it would not be considered as a valid certificate.
2-20
OL-20721-01
Chapter 2
Single Sign-On is used only for authentication and not for authorization. In Single Sign-On, authentication always takes place from the Single Sign-On Master server (Authentication Server-AS). Hence, you need to provide the username and password as configured in Single Sign-On AS. Authorization happens at the respective servers. If Regular Server (RS) is configured for any Pluggable Authentication Module (PAM), say Active Directory (AD), and AS is configured for Cisco Prime Local, then authentication happens as per the credentials in Cisco Prime Local (AS) and vice versa. For example, if server A is configured as Single Sign-On Master (AS) and the AAA mode setup is Active Directory (AD) and Server B is configured as Single Sign-On Slave (RS) and the AAA mode setup is Cisco Prime Local: When you login to server B (http://B:1741), your authentication request is forwarded to server A (AS) and you get authenticated according to the username and password configured in AD. However, authorization happens only in server B. The privileges for the logged in user in any server within the Single Sign-On domain will depend upon the user roles configured in that server. If the user is present only in the Single Sign-On Authentication Server and not in the Regular Server, then that user gets authenticated according to the credentials in the authentication server, but has only HelpDesk privileges in the Regular Server. We recommend that you:

Add the user across all servers within the Single Sign-On domain. Assign appropriate roles to the user, in each of the LMS Servers.
See Setting up System Identity Account for more information on how to set up System Identity User. Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and authenticity between Master and Slave. The System Identity User password you specify in Master and Slave should be the same. We recommend that you have the same user name and password across Master and Slave. To configure the Master Self Signed Certificate in the Slave, select Admin > Trust Management > Multi Server > Peer Server Certificate Setup. The Common Name (CN) in the certificate should match with the Master server name. Otherwise, it would not be considered as a valid certificate.
Navigating Through the Single Sign-On Domain

The Authentication Server and all Regular Servers that are configured on this Authentication Server forms an Single Sign-On domain. If you login to any of the servers that are part of the same Single Sign-On domain, you can launch any other server that is part of the domain. You can navigate through the Single Sign-On domain in two ways:

Registering Server Links Launching a New Browser Instance
Registering Server Links
You can register the links of the servers part of the Single Sign-On domain, in any of the servers, using the Link registration feature. The registered links will appear either under Third Party or Custom tools, depending on what you specify during registration. If you click on the registered link, it launches the page corresponding to the registered link.
2-21
Setting up Security
You must specify the URL, with the context while registering the server link. For example, let ABC and XYZ be part of the same Single Sign-On domain. You can register the link for ABC on XYZ. While registering server ABC in XYZ, you have to specify the URL as:
http://ABC:1741/cwhp/cwhp.applications.do
If ABC is running in HTTPS mode, you have to specify the URL as:
https://ABC:443/cwhp/cwhp.applications.do
In the above example, clicking on the registered link will launch the CiscoWorks home page of server ABC.
Launching a New Browser Instance
After logging into any of the servers that are part of the Single Sign-On domain, you can open a new browser instance from that server, and provide the URL of any other server of the Single Sign-On domain, to which you need to navigate.
Note
We recommend that you do not use the IP address of the servers that are part of Single Sign-On or localhost, while specifying the URL. For example, suppose ABC and XYZ are part of an Single Sign-On domain.
Login to ABC. Launch a new browser instance (File > New > Window, in Internet Explorer) from the same browser window. Enter the URL, with the context (http://XYZ:1741/cwhp/cwhp.applications.do) of XYZ in the new browser instance. This launches the CiscoWorks home page of XYZ, directly.
Changing the Single Sign-On Mode

The LMS server can be configured for Single Sign-On. It can also be configured to be in Standalone mode (Normal mode, without Single Sign-On). When the server is configured for Single Sign-On, it can either be in:
Master modeThe Single Sign-On Authentication Server does the authentication and sends the result to the Regular Server. Change the Single Sign-On mode to Master, if login is required for all Single Sign-On regular servers. Login requests for all the Single Sign-On regular servers will be served from the Master.
Slave modeSingle Sign-On Regular server for which authentication is done at the Master. While logging into regular server, if the authentication server is not reachable, the following message appears:
SSO unreachable
2-22
OL-20721-01
Chapter 2
Only one server is configured to be in the Master mode. All other servers are configured as Slaves. If the server is configured as an Single Sign-On Regular server (Slave), you should provide the following details:
Master server name The Master server name must be DNS resolvable. If you change the name of the Single Sign-On Master server, in the /etc/hosts file, you must restart the Daemon Manager for the name resolution to reflect in the Slave. If you have configured more than one Single Sign-On Slave servers for a Single Sign-On Master server, you must ensure that you enter either the fully qualified domain name or hostname of the Master consistently in all the Slave servers. Authentication will not occur if you enter a domain name of the Master in a Single Sign-On Slave and hostname of the Master in another Single Sign-On Slave of the same Master server.
Login Port of the Master (443)
To change the Single Sign-On mode to Standalone:

Step 1
Select Admin > Trust Management > Multi Server > Single Sign-On Setup. The Single Sign-On Setup page shows the current Single Sign-On mode. Select Standalone (Normal) radio button. Click Apply. To return to the CiscoWorks home page, click Cancel.
Step 2 Step 3
To change the Single Sign-On mode to Master:

Step 1
Select Admin > Trust Management > Multi Server > Single Sign-On Setup. The Single Sign-On Setup page shows the current Single Sign On mode. Select the Master (SSO Authentication Server) radio button. Click Apply. To return to the CiscoWorks home page, click Cancel.
Step 2 Step 3
To change the SSO mode to Slave:

Step 1
Select Admin > Trust Management > Multi Server > Single Sign-On Setup. The Single Sign-On Setup page shows the current Single Sign-On mode. Select the Slave (SSO Regular Server) radio button. Enter the Master server name and port number. If you select the Slave mode, ensure that you specify the Master server name and port. The default port is 443. The server configured as Master (or Authentication Server) should be DNS resolvable.
Step 2 Step 3
2-23
Chapter 2 Setting up the Authentication Mode
Setting up Security
Step 4
Click Apply. It checks if:

The System Identity user password of the Slave matches that of the Master. The Self Signed Certificate of the Master is added as the peer certificate in the Slave. The Common Name (CN) in the certificate matches with the Master server name. The Master is up and running on the specified port.
In case any of these checks fail, you are prompted to perform these steps before proceeding. To return to the CiscoWorks home page, click Cancel.
Setting up the Authentication Mode

Depending on your LMS Server platform (UNIX or Windows), different login modules that provide Authentication, Authorization, and Accounting services are available. This feature allows you to select login modules and set their options. The LMS Server provides mechanisms used to authenticate users for Cisco Prime applications. However, many network managers already have a means of authenticating users. To use your current authentication database for Cisco Prime authentication, you can select a login module (Kerberos, TACACS+, RADIUS, and others). This section contains the following topics:

Authentication Using Login Modules - Overview Setting the Login Module to Pluggable Authentication Modules
After you select and configure a login module, all authentication transactions are performed by that module. To assign a user to a different role, such as the System Admin role, you must configure the user locally. Such users must have the same user ID locally, as they have in the alternative authentication source. Users log in with the user ID and password associated with the current login module.
Authentication Using Login Modules - Overview

Cisco Prime login modules allow administrators to add new users using a source of authentication other than the native LMS Server mechanism (that is, the Cisco Prime Local login module). This section contains:

About Cisco Prime Pluggable Authentication Understanding Fallback Options Debugging
2-24
OL-20721-01
Chapter 2
Setting up Security Setting up the Authentication Mode
About Cisco Prime Pluggable Authentication
By default, Cisco Prime LMS uses LMS Server authentication (Cisco Prime Local) to authenticate users, and authorize them to access Cisco Prime LMS. After authentication, your authorization is based on the privileges that have been assigned to you. A privilege is a task or an operation defined within the application. The set of privileges assigned to you, defines your role. It dictates how much, and what type of system access you have. The LMS Server authorization scheme has the following default or predefined roles. You can also create user defined roles and assign the user with a set of privileges, that would suit your needs. See Managing Roles for more information. The predefined roles are listed here in order from the least privileged to most privileged:

Help Desk Can access network status information only. Can access persisted data on the system and cannot perform any action on a device, or schedule a job that will reach the network. Approver Can approve all LMS tasks. Network Operator Can perform all Help Desk tasks. Can perform tasks related to network data collection. Cannot perform any task that requires write access on the network. Network Administrator Can perform all Network Operators tasks. Can perform tasks that result in a network configuration change. System Administrator Can perform all Cisco Prime system administration tasks. Super Admin Can perform all Cisco Prime operations including administration and approval tasks. By default, this role has full privileges.
The LMS Server determines user roles. Therefore, all users must be in the local database of user IDs and passwords. Users who are authenticated by an alternative service and who are not in the local database are assigned to the same role as the guest user (by default, the Help Desk role). The LMS Server determines user roles. Therefore, all users must be in the local database of user IDs and passwords. Users who are authenticated by an alternative service and who are not in the local database are assigned to the same role as the guest user (by default, the Help Desk role).
Understanding Fallback Options
Fallback options allow you to access the software if the login module fails, or you accidentally lock yourself or others. There are three login module fallback options. These are available on all platforms. The following table gives you the details: Option Allow all Cisco Prime Local users to fallback to the Cisco Prime Local login. Only allow the following user to fallback to the Cisco Prime Local login if preceding login fails: username. Description All users can access Cisco Prime using the Local login if the current login module fails. Specified users can access Cisco Prime using the Local login if the current login module fails. Use commas between user names.
Allow no fallbacks to the Cisco Prime Local login. No access is allowed if the current login module fails.
2-25
Setting up Security
Debugging
Cisco Prime allows you to enable debugging on the current login module so that you have additional information in the log files that you can use for troubleshooting. Turn debugging on only when requested to do so by your customer service representative. Enabling debugging does not alter the behavior of the modules. Debugging information is not exposed in the user interface, but is stored in the stdout.log file in the following locations:

NMSROOT/MDC/tomcat/logs/stdout.log (on Solaris/Soft Appliance) NMSROOT\MDC\tomcat\logs\stdout.log (on Windows)
where NMSROOT is the Cisco Prime installation directory.
Setting the Login Module to Pluggable Authentication Modules

The Login Module defines how authorization and authentication are performed and how the login modules are changed. This section explains the following:

Changing Login Module to Cisco Prime Local Changing Login Module to KerberosLogin Changing Login Module to Local Unix System Changing Login Module to Local NT System Changing Login Module to MS Active Directory Changing Login Module to RADIUS Changing Login Module to TACACS+
To set the login module:

Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. The Authentication Mode Setup page displays the current login module, and the available login modules. The available login modules are:

Step 2
Cisco Prime Local IBM SecureWay Directory KerberosLogin Local Unix System Local NT System MS Active Directory Netscape Directory RADIUS TACACS+
2-26
OL-20721-01
Chapter 2
The login username is case sensitive when you use the following login modules:
Step 3 Step 4
KerberosLogin Local Unix System Netscape Directory RADIUS (only on Solaris) TACACS+ (only on Solaris)
Select a login module. Click Change. The Login Module Options popup window appears. Enter the corresponding login module information. See the respective login module section for login module options. Click OK. To return to the Authentication Mode Setup page, click Cancel.
Step 5
Step 6
Changing Login Module to Cisco Prime Local
To change the login module to Cisco Prime Local:

Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Select the Cisco Prime Local radio button. Click Change. The Login Module Options popup window appears. Set the Debug option to False. Set it to True for debugging purposes, when requested by your customer service representative. Click OK. To return to the Authentication Mode Setup page, click Cancel.
Step 2 Step 3
Step 4
Step 5
Changing Login Module to KerberosLogin
Kerberos provides strong authentication for client-server applications by using secret-key cryptography. To change the Login Module to KerberosLogin:
Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Select the KerberosLogin radio button. Click Change. The Login Module Options popup window appears with the following details:
Step 2 Step 3
2-27
Setting up Security
Field Selected Login Module Description Debug
Description KerberosLogin Kerberos login module. Kerberos login module. Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative.
Realm
The Kerberos realm name. Although the realm can be any ASCII string, the convention is to make it the same as your domain name, in upper-case letters. For example, SERVER.COM. The Kerberos Key Distribution Center. For example, my_kdc.server.com. Set the option for fallback to the Cisco Prime Local module if the alternative service fails.
KDC Login fallback options
Step 4
Click OK. To return to the Authentication Mode Setup page, click Cancel.
Changing Login Module to Local Unix System
This option is available only on Unix systems. To change the login module to Local Unix System:
Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Select the Local Unix System radio button. Click Change. The Login Module Options popup window appears with the following details: Field Selected Login Module Description Debug Description Local UNIX System. Cisco Prime native Solaris module. Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative. Login fallback options Set the option for fallback to the Cisco Prime Local module if the alternative service fails.
Step 2 Step 3
Step 4
2-28
OL-20721-01
Chapter 2
Changing Login Module to Local NT System
This option is available only on Windows To change the login module to Local NT System:
Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Select Local NT System radio button. Click Change. The Login Module Options popup window appears with the following details: Field Selected Login Module Description Debug Description Local NT System. Cisco Prime native NT login module. Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative. Domain Login fallback options Set to localhost. Set the option for fallback to the Cisco Prime Local module if the alternative service fails.
Step 2 Step 3
Step 4
Changing Login Module to MS Active Directory
The MS Active Directory login module implements Lightweight Directory Access Protocol (LDAP). Before a user logs in, the user account should be set up in the LDAP server. When you change the login module to MS Active Directory, you should configure any one of the following options to integrate LMS Server with Active Directory server for authentication services:
Distinguished Name (DN) A distinguished name is made up of three parts, Relative Distinguished Name Prefix (RDN-Prefix), User login, and Usersroot. You have to configure RDN-Prefix and Usersroot in Cisco Prime. The login name is appended to RDN-Prefix when the user logs into Cisco Prime. For example, a distinguished name could be represented as: cn=User_Name ou=org1 dc=embu dc=cisco. The RDN Prefix is cn=, User login is User_Name, and Usersroot is ou=org1 dc=embu, dc=cisco. A Distinguished Name is composed of cn (any numbers), ou (any numbers) and dc (any numbers).
2-29
Setting up Security
You can specify more than one usersroot value. Each usersroot value should be separated by a semicolon.
User Principal Name (UPN) User principal name is composed of two parts, User login and User Principal Name Suffix (UPN-Suffix). The User Principal Name suffix configured in Cisco Prime is appended to the login name when the user logs into Cisco Prime. The second part of the UPN, the UPN suffix, identifies the domain in which the user account is located. This UPN suffix can be the DNS name of any domain, or it can be an alternative name created by an administrator and used just for log in purposes. For example, a User Principal Name could be represented as user1@mydept.mycompany.com, where user1 is the login name and @mydept.mycompany.com represents the UPN-Suffix.
Domain name You should configure the Active Directory domain name in Cisco Prime that contains a set of users which needs to be integrated, for a domain based authentication. For example, if you want the users of MyDomain domain in MS Active Directory server to be authenticated in LMS Server, you should specify MyDomain in this field. Each domain also has a pre-Windows 2000 domain name for use by computers running operating systems released earlier than Windows 2000 operating systems. Similarly each user account has a pre-Windows 2000 user login name. The user account in the DomainName\UserName format used to log into the operating systems released earlier than Windows 2000 operating systems is called Security Account Manager (SAM) account. You can also configure SAM account in the LDAP server and enter the same name in Cisco Prime when you change the login module to Microsoft Active Directory.
When the Distinguished Name based authentication to Active Directory server fails, Cisco Prime attempts to authenticate the Active Directory server using the User Principal Name string. When both the Distinguished Name based authentication and the User Principal Name based authentication fails, LMS Server tries to authenticate using the Domain name. To change login module to MS Active Directory:
Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Select MS Active Directory radio button. Click Change.
Step 2 Step 3
2-30
OL-20721-01
Chapter 2
The Login Module Options popup window appears with the following details: Field Selected Login Module Description Description Name of the login module (MS Active Directory) you have selected in the Authentication Mode setup page. Brief description about the login module you have selected. For the MS Active Directory login module, the description displayed is Cisco Prime MS Active Directory module. Server Usersroot Name of the LDAP server. Default set to ldap://ldap.company.com. User objects in MS Active Directory. Default set to cn=users, dc=servername, dc=company, dc=com. For example, if users in the Active Directory have ou=myDept, dc=myCompany, dc=com in their Distinguished Name (DN) strings, you should specify the same in this field to integrate the LMS Server with the MS Active Directory server. You can also enter multiple usersroot values separated by semicolon. For example, you can enter ou=myDept, dc=myCompany, dc=com; ou=Dept1, ou=Dept2, dc=myCompany, dc=com. When you integrate your LMS Server with MS Active server, you should configure this field for a Distinguished Name based authentication. If you are using Windows 2008 Active Directory, you have to provide the complete Usersroot information (including cn=Username). This is because Windows 2008 Active Directory implementation has disabled anonymous search requests. Otherwise, if your Active Directory Server allows anonymous binds, you need to specify only dc=servername, dc=company, dc=com. RDN-Prefix String prefixed with login username to form a Relative Distinguished Name (RDN). Default is set to cn=. For example when you have configured this field as cn= and log into the server as MyUser, the RDN formed is cn=MyUser. When you integrate your LMS Server with MS Active server, you must configure this field for a Distinguished Name based authentication. UPN-Suffix String suffixed with login username, usually the domain in which the user account is located to form a User Principal name. You should configure this field for a UPN based authentication. For example, if the UPN of Active Directory users who need to be integrated with Cisco Prime are user1@mydept.mycompany.com, user2@mydept.mycompany.com, and user3@mydept.mycompany.com, you should mention @mydept.mycompany.com in this field.
2-31
Setting up Security
Field AD-Domain
Description Active Directory domain. You should configure this field for a domain based authentication. Users of the specified domain in MS Active Directory server are authenticated when you integrate the LMS Server with MS Active Directory server.
Debug
Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative.
Login fallback options
Set the option for fallback to the Cisco Prime Local module if the alternative service fails. You can set any of the following options:

Allow all Cisco Prime local users to fallback to the Cisco Prime Local login. Allow only the specified users to fallback to the Cisco Prime Local login. When you select this option, you should enter one or more Cisco Prime local usernames separated by commas. This is the default login fallback option. Do not allow any fallback to the Cisco Prime Local login.
Note
You must enter a value for at least one of the fields: Usersroot, UPN-Suffix, and AD-Domain. You cannot leave all the three fields blank.
Step 4
After the integration of LMS Server with MS Active Directory server, you can log into LMS Server with an Active Directory username and the corresponding password. MS Active Directory server provides authentication services to LMS Server by the default simple authentication mechanism. To provide a secure authentication mechanism with DIGEST-MD5 to LMS Server, you should:
Edit the Account Options of a user in the MS Active Directory Server and enable the Store password using reversible encryption option. Reset the password of the user to authenticate properly. Configure the cam.properties file in LMS Server located at NMSRoot/lib/classpath, where NMSRoot is your Cisco Prime Installation directory. You must change the following line in the cam.properties file from:
#LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
to
LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
2-32
OL-20721-01
Chapter 2
If you want the secure authentication mechanism to fallback to simple authentication mechanism, you must configure the LDAP_FALLBACK_AUTHENTICATION_NEED property. You must change the following line in the cam.properties file from:
#LDAP_FALLBACK_AUTHENTICATION_NEED=True
to
LDAP_FALLBACK_AUTHENTICATION_NEED=True
Step 4
Save the changes to the cam.properties file.
Note
You need not restart the Daemon Manager.
Digest-MD5 authentication supports only User Principal Name and Security Account Manager user accounts. You cannot log into LMS Server with the User login name. Active Directory users who are logged into Cisco Prime, have the privileges of a Help Desk role. To assign other privileges to Active Directory users, you must set up a user in Cisco Prime with the same name. For example, to assign the System Administrator privileges to a MS Active Directory users User1 and User2 in Cisco Prime, you must set up User1 and User2 in Cisco Prime and assign System Administrator role to them. When the users log into Cisco Prime, they also have the System Administrator privileges.
Changing Login Module to RADIUS
To change login module to RADIUS:

Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Select the RADIUS radio button.
Step 2
2-33
Setting up Security
Step 3
Click Change. The Login Module Options popup window appears with the following details: Field Selected Login Module Description Server Port Key Debug Description RADIUS. Cisco Prime RADIUS module. Set to module type servername, radius.company.com. Set to 1645. Attempt to override it only if your authentication server was configured with a non-default port. Enter the secret key. Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative. Login fallback options Set the option for fallback to the Cisco Prime Local module if the alternative service fails.
Step 4
Changing Login Module to TACACS+
To change login module to TACACS+:

Step 1
Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Select TACACS+ radio button. Click Change. The Login Module Options popup window appears with the following details: Field Selected Login Module Description Server Port Description TACACS+. Cisco Prime TACACS+ login module. Set to module type tacacs.company.com Set to 49. The listed port number is the default for this protocol. Attempt to override it only if your authentication server was configured with a non-default port. Secondary Server Secondary Port Set to module type tacacs.company.com. This is the secondary fallback server. Set to 49. The listed port number is the default for this protocol. Attempt to override it only if your authentication server was configured with a non-default port.
Step 2 Step 3
2-34
OL-20721-01
Chapter 2
Field Tertiary Server Tertiary Port
Description Set to module type tacacs.company.com. This is the tertiary fallback server. Set to 49. The listed port number is the default for this protocol. Attempt to override it only if your authentication server was configured with a non-default port.
Key Debug
Enter the secret key. Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative.
Login fallback options
Set the option for fallback to the Cisco Prime Local module if the alternative service fails.
Note
The values True or False should not be entered in the Server, Secondary Server and Tertiary Server fields, the corresponding Port fields or the Key field.
Step 4
After you change the login module, you do not have to restart Cisco Prime. The user who logs in after the change, automatically uses the new module. Changes to the login module are logged in the following files:

NMSROOT/MDC/Tomcat/logs/stdout.log (On Solaris/Soft Appliance) NMSROOT\MDC\Tomcat\logs\stdout.log (On Windows)
where NMSROOT is your Cisco Prime Installation directory.
Resetting Login Module

To reset the login module of LMS Server to Cisco Prime local:
Step 1
Stop the Daemon Manager using:
net stop crmdmgtd
(On Windows) (On Solaris/Soft Appliance)
or
Step 2
/etc/init.d/dmgtd stop
Run the following script:
NMSROOT\bin\perl NMSROOT\bin\ResetLoginModule.pl (On Windows) or NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl (On Solaris/Soft Appliance)
where NMSROOT is your Cisco Prime Installation directory.
2-35
Chapter 2 Managing Roles
Setting up Security
Step 3
Start the Daemon Manager using:
net start crmdmgtd
(On Windows) (On Solaris/Soft Appliance)
or
/etc/init.d/dmgtd start
This resets the login module to Cisco Prime local mode.

Enter a username in the User ID field. Enter the corresponding password in the Password field. Click Login or press Enter. You are now logged into LMS Server.
Managing Roles
After authentication, your authorization is based on the privileges that have been assigned to you. A privilege is a task or an operation defined within the application. The set of privileges assigned to you, defines your role. The LMS authorization scheme provides you with the following system-defined roles.

Help Desk Can access network status information only. Can access persisted data on the system and cannot perform any action on a device or schedule a job which will reach the network. Approver Can approve all tasks. Network Operator Can perform all Help Desk tasks. Can perform tasks related to network data collection. Cannot perform any task that requires write access on the network. Network Administrator Can perform all Network Operators tasks. Can perform tasks that result in a network configuration change. System Administrator Can perform all Cisco Prime system administration tasks. Super Admin Can perform all Cisco Prime operations including the administration and approval tasks. This role has full privileges.
You can select a role and set it as the default role. After installing LMS 4.1, Help Desk will be the default role. If you do not want to use the system-defined roles, you can create custom roles and associate tasks to them. You can also remove all the custom roles and retain only the predefined roles using a CLI tool, see, Removing Custom Roles Using CLI. To manage roles:
Step 1
Select Admin > System > User Management > Role Management Setup. The Role Management Setup Page appears with the available roles, their descriptions, and the default role.
Note
You cannot edit, delete, or export system-defined roles.
2-36
OL-20721-01
Chapter 2
Setting up Security Managing Roles
Step 2
You can do the following: Description Click Add to add user-defined roles. The Role Management Page appears. To add a role:
1. 2.
Button Add
Enter the role name and description. Select the tasks that have to be assigned to the new role. The task can be identified using the search option. The search uses the task name and the task description to perform a complete search. The search results and All tab contents are synchronized. Any selections made on search results will reflected in all tab. For more details see Searching LMS Tasks.
3.
Click OK to add the new role or click Cancel to return to the Role Management Setup Page.
For more information on the various tasks in LMS 4.1, see Understanding LMS Tasks. Edit Select a user-defined role and click Edit to edit the role. The Role Management Page appears. To edit a role:
1. 2. 3.
Modify the role description if required. Select or deselect the check box corresponding to the required tasks. Click OK to save the changes, or click Cancel to return to the Role Management Setup Page. Select one or more user-defined roles and click Delete to delete the roles. Click OK to confirm or Cancel to return to the Role Management Setup Page.
Delete
To delete a role:
1. 2.
If the deleted role is assigned to any user, then it will remove the association of this role with the user. Copy You can use this option to modify a system-defined role. To copy a role:
1. 2. 3. 4.
Select a role from the roles and click Copy. The Role Management Page appears. Enter the role name and description. Select or deselect the check box corresponding to the tasks. Click OK to add the new role, or click Cancel to return to the Role Management Setup Page.
Export
You can export roles only in the XML format. The file will be saved in the client. To export roles: Select the user-defined roles that you want to export and click Export. A message appears prompting you to open or save the LMSRoleExport.xml file.
2-37
Chapter 2 Managing Roles
Setting up Security
Button Import
Description You can import roles only in the XML format. To import roles:
1. 2. 3. 4.
Click Import. Click Browse and select a file from the client. Specify if you want to to overwrite, merge or backup the existing roles when you import roles: Click Submit to import the roles or Cancel to return to the Role Management Setup Page.
You can choose to:

OverwriteRoles with the same names will be overwritten. MergeRoles with the same names will be updated with details of the existing role and details of the imported role. BackupRoles with the same names will be overwritten. The existing role will be renamed as CopyOf<Role name>. Do not have any role assigned to them. Have logged in using an external authentication server, like PAM, and are not available in the local database.
Set as Default
Default role will be assigned to users who:

When multiple roles are set as default role, the user will be assigned with all the roles selected as default roles. If there is no default role configured, then authorization will fail for users who:

Do not have any role assigned to them. Have logged in using an external authentication server, like PAM, and are not available in the local database. Select a role from the roles listed in the Role Management Setup Page. Click Set as Default. The selected roles will be the default roles.
To set a default role:

1. 2.
Clear Default
Click Clear Default to clear the default role. After you clear the default role, authorization will fail for any user assigned without this role.
Note
After adding roles you must assign one or more roles to your users, select Admin > System > User Management > Local User Setup.
2-38
OL-20721-01
Chapter 2
Setting up Security Managing Cisco.com Connection
Searching LMS Tasks
To search the LMS tasks,

Step 1
Specify the exact task name or the first few characters of the task name in the search text box and click the search icon. The task name is case-insensitive. For example enter admin or *admin or admin* or *change* in the search text box.

admin will search for the task and task description that contains the exact term admin. *admin will search for the task and task description that ends with the term admin either in task name or description. admin* will search for the task and task description that begins with the term admin either in task name or description. *change* will search for the task and task description that contains the term change.
If there are no search results generated, then a pop-up window appears.
Note Step 2
You are not allowed to use any other wildcard character apart from *. Click the Search Results tab to see the corresponding search result. In the All tab, the task tree will be in a collapsed state, whereas in the Search Results tab, the task tree will be in the expanded state. You will note that when you select or unselect a particular set of tasks in the Search Results tab, the same set of tasks will be automatically selected or unselected in the All tab.
Removing Custom Roles Using CLI
You can use a CLI tool to remove all the user-defined roles and retain only the system-defined roles. To do this: On Windows, run: NMSRoot\bin\ResetToFactoryRole.pl On Solaris/Soft Appliance, run: NMSRoot/bin/ResetToFactoryRole.pl
Managing Cisco.com Connection

Certain Software Center features require Cisco.com access. This means that Cisco Prime must be configured with a Cisco.com account, which is to be used when downloading new and updated packages. This section explains:

Setting up Cisco.com User Account Setting Up the Proxy Server
To view the Cisco.com Connection Details, select Admin > System > Cisco.com Settings > Connection Management. The Cisco.com Connection Management page displays the current Proxy Server settings.
2-39
Chapter 2 Managing Cisco.com Connection
Setting up Security
Setting up Cisco.com User Account

This feature lets you add and modify Cisco.com user login names and password. To set up Cisco.com login account:
Step 1 Step 2
Select Admin > System > Cisco.com Settings. Click User Account Setup in the TOC list. The User Account Setup page appears. Enter your Cisco.com Username, and Cisco.com Password. Re-enter the password in the Verify Password field. Click Apply.
Setting Up the Proxy Server

You can update the proxy server configuration using the Proxy Server set up option. To update your proxy server configuration:
Step 1 Step 2
Select Admin > System > Cisco.com Settings. Click Proxy Server Setup in the TOC list. The Proxy Server Setup page appears. Enter the Proxy Server host name or IP address, and the port number. Optionally, you can enter the Username and Password for accessing the proxy server. If you have entered your password, re-enter the same password in the Verify Password field. Click Apply.
Step 3
Step 4
2-40
OL-20721-01
CH A P T E R
Administering LMS Server

LMS includes several administrative features to ensure that the server is performing properly. You can manage processes, set up backup parameters, update licensing information, collect server information, manage jobs and resources, and configure system-wide information on the LMS Server.

Using Daemon Manager Managing Processes Backing Up Data Licensing Cisco Prime LMS Using Daemon Manager Managing Processes Backing Up Data Licensing Cisco Prime LMS Configuring a Default SMTP Server Collecting Server Information Collecting Self Test Information Messaging Online Users Managing Resources Collecting Server Information Collecting Self Test Information Messaging Online Users Managing Resources Modifying System Preferences Configuring Log Files Rotation Modifying System Preferences Configuring Disk Space Threshold Limit Effects of Third Party Backup Utility and Virus Scanner Configuring TFTP
This section has the following information:

3-1
Chapter 3 Using Daemon Manager
Using Daemon Manager

The Daemon Manager provides the following services:

Maintains the startup dependencies among processes. Starts and stops processes based on their dependency relationships. Restarts processes if an abnormal termination is detected. Monitors the status of processes.
The Daemon Manager is useful to applications that have long-running processes that must be monitored and restarted, if necessary. It is also used to start processes in a dependency sequence, and to start transient jobs. Do not start the Daemon Manager immediately after you stop it. The ports used by the Daemon Manager will be in use for some time after the Daemon Manager is stopped. Wait for at least a minute before you start the Daemon Manager. If the System resources are less than the resources required to install the application, the Daemon Manager restart displays warning messages that are logged into dmgtd.log. You cannot start the Daemon Manager if there are non-SSL compliant applications installed on the server when SSL is enabled in LMS.
Restarting Daemon Manager on Solaris/Soft Appliance
To restart Daemon Manager on Solaris/Soft Appliance:

Log in as root. Enter /etc/init.d/dmgtd stop to stop the Daemon Manager. Enter /etc/init.d/dmgtd start to start the Daemon Manager.
Restarting Daemon Manager on Windows
To restart Daemon Manager on Windows:

Go to the command prompt. Enter net stop crmdmgtd to stop the Daemon Manager. Enter net start crmdmgtd to start the Daemon Manager.
Do not start the Daemon Manager immediately after you stop it. The ports used by Daemon Manager will be in use for some more time even after the Daemon Manager is stopped. Wait for at least one minute before you start the Daemon Manager. If the System resources are less than the required resources to install the application, Daemon Manager restart displays warning messages that are logged into syslog.log.
3-2
OL-20721-01
Chapter 3
Administering LMS Server Managing Processes
Managing Processes
Cisco Prime applications use back-end processes to manage application-specific activities or jobs. The process management tools enable you to manage these backend processes to optimize or troubleshoot the LMS Server. You can do the following activities:

View the details of all processes Filter and show only processes of a specific state Start the processes Stop the processes
All mandatory processes are started when you start the system. See LMS Back-end Processes for a list of Cisco Prime back-end processes used by LMS. You can manage the Cisco Prime processes through CLI. See Managing Processes Through CLI for more information.
Note
Your role and privileges determine whether you can use this option. This section contains the following:

Process States Viewing Process Details Viewing Processes of a Specific State Starting a Process Stopping a Process
Process States
The state of the Cisco Prime backend processes fall under either one of the following categories: State Running normally Description Processes are started and are running normally. Sometimes, you find the state of a few processes as follows:
Program started - No mgt msgs received
This indicates that the processes are started automatically at boot and are running normally. Never started Failed to run Administratively shutdown Processes that cannot start automatically and are to be started by operator or administrator. Processes that failed to start because of an error in the system. Processes that are stopped by the system or by the administrator.
3-3
Chapter 3 Managing Processes
State Transient Terminated
Description Terminated transient processes. Processes that are created or started by Daemon Manager whenever required are called transient processes.
Waiting to Initialize
Viewing Process Details
Processes that are yet to run normally and are in initialization phase.
To view Process details:

Step 1
Select Admin > System > Server Monitoring > Processes. The Process Management page appears with all Cisco Prime processes listed. You can see the following information of a Cisco Prime process in the Process Management window: Column ProcessName Description Name of the process. Describes how the process is registered. See LMS Back-end Processes for more information on process description. For information on suite-specific processes, see the relevant Online help. You cannot view the details of Apache and Tomcat processes or restart them from the user interface. But you can view the details of these processes in Process Status report (Reports > System > Status > Process). ProcessState ProcessId ProcessRC ProcessSigNo ProcessStartTime ProcessStopTime Process status and a summary of the log file entries for the process. If the process fails, this column is highlighted in red. Unique number by which the operating system identifies each running program. Return code. 0 represents normal program operation. Any other number represents an error. See the error log for details. Signal number. 0 represents normal program operation. Any other number is the last signal delivered to the program before it terminated. Time and date on which the process was started. Time and date on which the process was stopped.
3-4
OL-20721-01
Chapter 3
Step 2
Click the ProcessName link of a process to view its details. The Process Details popup window appears with the following information: Column Process Path Flags Startup Dependencies Description Name of the process. File Location. Flags used to register the process with the Daemon Manager. Method used to start the process (manual or automatic). Other processes that are running, and that are required for this process to run.
Step 3
Click OK.
You can click the Refresh icon on the top-right corner of the page to initiate a page refresh and view the updated information of the processes.
Viewing Processes of a Specific State
To view processes of a specific state:

Step 1
Select Admin > System > Server Monitoring > Processes. The Process Management page appears. Select a process state from the Show Only process state. You can select any one of the following process states:

Step 2
Never started Waiting to initialize Running normally Failed to run Transient terminated Administrator has shut down this server Program started No mgt msgs received
See Process States for description of each of these process states. The details of processes of the selected state appears.
3-5
Starting a Process
To start a process:
Step 1
Select Admin > System > Server Monitoring > Processes. The Process Management page appears. Select the check box corresponding to the process. Click Start.
Step 2 Step 3
Stopping a Process
To stop a process:
Step 1
Select Admin > System > Server Monitoring > Processes. The Process Management page appears. Select the check box corresponding to the process. Click Stop.
Step 2 Step 3
LMS Back-end Processes

The back-end processes in the LMS Server are required to manage application specific activities and jobs. Table 3-1 lists the back-end processes in LMS Server, their description and dependent processes. The new processes in LMS 4.1 are:

EnergyWise ConfigUtilityService On Solaris/Soft Appliancevar/adm/CSCOpx/log On WindowsNMSROOT\log, where NMSROOT is your Cisco Prime default installation directory.
Log files for most of the processes are located in the following locations:

You can also manage the Cisco Prime processes through CLI. You can perform the following activities through CLI:

Viewing Process Details Through CLI Viewing Brief Details of Processes Viewing Processes Statistics Starting a Process Stopping a Process
3-6
OL-20721-01
Chapter 3
This section contains:

Server Back-end Processes Inventory, Config and Image Management Processes Network Topology, Layer 2 Services and User Tracking Processes IPSLA Performance Management Processes and Dependency Processes Device Performance Management Module Processes Fault Management Processes
Server Back-end Processes

Table 3-1 lists the LMS 4.1 Server Back-end processes and their dependency processes.
Table 3-1 Cisco Prime LMS 4.1 Server Back-end Processes and their Descriptions
Process Name Apache
Description Apache web server used on both UNIX and Windows systems. This hosts the base CiscoWorks home page and all major applications. You cannot view the details of this process or restart this process from the user interface (from Process Management page).
Normal Process State
Dependent Process
Log Files NMSRoot\MDC\ Apache\logs (On Windows) /opt/CSCOpx/MDC/ Apache/logs (On Solaris/Soft Appliance)
Program started - TomcatMonitor No mgt msgs received
CmfDbEngine
Sybase database instance used by the base Cisco Prime framework.
Program started - None No mgt msgs received CmfDbEngine
NMSRoot/MDC/log/ daemons.log (On Solaris/Soft Appliance only) NMSRoot\log\ CmfDbMonitor.log (On Windows) /var/adm/CSCOpx/log /CmfDbMonitor.log (On Solaris/Soft Appliance)
CmfDbMonitor
Monitors the CmfDbEngine process and Running periodically checks for connectivity and normally SQL errors.
CMFOGSServer
Device grouping service in CS that provides grouping capability based on device attributes stored in DCRServer.
Program started - CmfDbMonitor, EssMonitor, No mgt msgs DCRServer received
NMSRoot\log\ CMFOGSServer.log (On Windows) /var/adm/CSCOpx/log /CMFOGSServer.log (On Solaris/Soft Appliance)
3-7
Table 3-1
Cisco Prime LMS 4.1 Server Back-end Processes and their Descriptions
Process Name CSDiscovery
Description Transient process created by Daemon Manager. This process initiates Device Discovery.
Normal Process State Transient Terminated
Dependent Process
Log Files NMSRoot\log\ CSDiscovery.log (On Windows) /var/adm/CSCOpx/log /CSDiscovery.log (On Solaris/Soft Appliance)
CSRegistryServer Registry Server for other CS processes Running such as DCRServer and CMFOGSServer normally and provides the backbone for inter-process communication for DCRServer and CMFOGSServer. Sometimes, the Tomcat process may start this process. In such cases, the process status is displayed as follows:
Administrator has shut down this server
NMSRoot\log\ CSRegistryServer.log (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Appliance)
You can ignore this error message. DCRServer Device List and Credential Repository Server that provides the repository for shared device list and credentials to be used across applications. Running normally TomcatMonitor, CmfDbMonitor, EssMonitor NMSRoot\log\ DCRServer.log (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Appliance) Transient Terminated NMSRoot\log\ DCRDevicePoll.log (On Windows) /var/adm/CSCOpx/log /DCRDevicePoll.log (On Solaris/Soft Appliance) diskWatcher Monitors disk space availability on the LMS Server. See Configuring Disk Space Threshold Limit for more information. Running normally NMSRoot\log\ diskWatcher.log (On Windows) /var/adm/CSCOpx/log /diskWatcher.log (On Solaris/Soft Appliance)
DCRDevicePoll
Transient process created by Daemon Manager. This process initiates Device Polling.
3-8
OL-20721-01
Chapter 3
Table 3-1
Process Name EDS
Description
Dependent Process NameServiceMonitor
Log Files NMSRoot\log\ EDS.log (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Appliance)
Legacy Event Distribution engine. This Running is currently used by some applications to normally send and receive event messages.
EDS-GCF
EDS - Generic Consumer Framework process. It is an extension to EDS that allows Generic Event Consumers to provide a pluggable event interface.
Running normally
EDS, CmfDbMonitor
NMSRoot\log\ EDS-GCF.log (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Appliance) NMSRoot\log\ESS.log (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Appliance) NMSRoot\log\ EssMonitor.log (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Appliance) No log files
ESS
Program started - Event Services Software. The new engine that handles distribution of events No mgt msgs received between processes. This is slated to eventually replace EDS.
EssMonitor
Monitors ESS process to check if events Running normally related functionality works properly. This process shuts down automatically when the ESS process fails or does not function properly.
ESS
EventFramework
Event management bus, LMS uses this to Program started - EssMonitor facilitate event transmissions between No mgt msgs daemons. received Enables the rotation of log files function- Never started ality using logrot.
FDRewinder (Solaris/Soft Appliance Only) jrm
/var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Appliance) NMSRoot\log\ jrm.log (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Appliance)
Job and Resource Manager. This allows scheduling of jobs to be run at specific times. It also allows locking and unlocking of resources.
Program started - CmfDbMonitor, No mgt msgs NameServicereceived Monitor, EDS, EssMonitor
3-9
Table 3-1
Process Name LicenseServer
Description
Dependent Process
Log Files NMSRoot\log\ LicenseServer.log (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Appliance)
Provides Licensing functionality for Program started - evaluation and file based licensing mech- No mgt msgs anisms. received
NameServiceMonitor
Name Service agent that monitors Running objects and messages and acts as a Normally gateway between the JacORB clients and the Name Server.
NameServer
NMSRoot\log\ NameServiceMonitor.log (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Appliance)
NameServer
Object Request Broker for the JacORB framework used in Cisco Prime.
NMSRoot\log\ NameServer.log (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Appliance)
Tomcat
Java servlet engine used on Windows, Solaris and Soft Appliance systems hosting applications based on the Cisco Prime desktop. You cannot view the details of this process or restart this process from the user interface (from Process Management page).
NMSRoot\MDC\ tomcat\logs\stdout.log (On Windows) /opt/CSCOpx/MDC/ tomcat/logs/stdout.log(On Solaris/Soft Appliance)
TomcatMonitor
Monitors the health of the Tomcat process and shuts down automatically when Tomcat fails or does not function properly.
Running normally
Tomcat
NMSRoot\log\ TomcatMonitor.log (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Appliance)
3-10
OL-20721-01
Chapter 3
Inventory, Config and Image Management Processes

Table 3-2 lists Inventory, Config and Image Management processes, and their dependency processes.
Table 3-2 Inventory, Config and Image Management Processes and Dependency Processes
Process Name RMEDbEngine
Dependency (Sequential) None
Log Information NA
Description System service: the database engine for Inventory, Config and Image Management applications. Configuration Management service performs the following tasks,
ConfigMgmtServer
EssentialsDM
dcmaservice.log
Collects the configuration for the LMS managed devices on request from jobs or user Interface. Archives new version if there is a difference between the fetched configuration and the latest configuration in archive. Parses the configuration based on configlet rules and generates differences between the configurations. Logs change record for every new version of archived running configuration. Detects config changes on the device and triggers configuration collection Caches the device and NetConfig template mapping information. Populates the database with NetShow system-defined command sets and NetShow commands by retaining them from device packages.
ConfigUtilityService EssentialsDM
cfgutilservice.log
ConfigUtilityService parses the archived configurations of the devices for assessing the technology readiness of the devices. It does config and CLI parsing. ConfigUtilService also performs OGS grouping attributes updates at the end of Inventory collection.
SyslogCollector
ESS
SyslogCollector.log
Filters and sends the syslog objects to various SyslogAnalyzer services subscribed to it.
3-11
Table 3-2
Inventory, Config and Image Management Processes and Dependency Processes (continued)
Process Name EssentialsDM
Dependency (Sequential) ESS DCRServer LMSDbEngine
Log Information
Description
EssentialsDM_Server.log It publishes a dummy Common Services Transport Mechanism (CSTM) service name to synchronize publishing of service names with CSTM. All other LMS services that publish service names with CSTM are made dependant on this service either directly or indirectly. After adding devices to LMS, this service triggers for Inventory and Configuration collection. System service that monitors the accessibility of the LMS database engine that helps to ensure that the system is not started until the database engine is ready.
EnergyWise
EssentialsDM ICServer
EnergyWise.log EnergyWiseUI.log EnergyWiseConfiguratio n.log EnergyWiseMonitoring.l og EnergyWiseCollection.lo g EnergyWiseNative.log EnergyWiseComplianceC heck.log EnergyWiseNativeCompl iance.log EnergyWise_Purge.log EnergyWiseNativePolicy. log
EnergyWise process provides services for:

EnergyWise endpoint and device collection EnergyWise monitoring EnergyWise compliance check Auto-push of EnergyWise policies on the devices.
CTMJrmServer
EssentialsDM jrm Tomcat
CTMJrmServer.log
This service is a proxy to the JRM service. This is used by LMS to connect to the JRM service. It hides all the direct interaction with JRM. Change Audit program that provides back-end database services for applications that want to log network changes and for Change Audit reports and Automated actions
ChangeAudit
EssentialsDM CTMJrmServer jrm
ChangeAudit.log
3-12
OL-20721-01
Chapter 3
Table 3-2
Inventory, Config and Image Management Processes and Dependency Processes (continued)
Process Name ICServer
Dependency (Sequential) ESS CTMJrmServer
Log Information IC_Server.log
Description This is a service that collects and stores Inventory information from the device using SNMP. It also detects changes that occurred between the last time Inventory was collected for a device, and the current Inventory collection.
SyslogAnalyzer
ESS EssentialsDM CTMJrmServer jrm
SyslogAnalyzer.log for Windows AnalyzerDebug.log for Solaris/Soft Appliance
It takes the filter definition from the user and sends it to the various Syslog Collectors it is subscribed to. Receives the syslogs from the Syslog collector and inserts them into the database and also takes automated actions from the user. Port and Module group administration service. This is used for managing Port and Module groups. System service: Database engine for Topology and Identity Services. System service: Collects device information for Topology and Identity Services. System service: Receives and processes SNMP traps for Dynamic UT System service: Receives and processes the UTLITE data UTMajor Acquisition is a transient process. System service: Collects end hosts information. System service: Queries external system for Dynamic UT
PMCOGSServer
LMSOGSServer
PMCOGSServer.log
ANIDbEngine ANIServer MACUHIC UTLITE
None EDS ANIDbEngine EssMonitor ANIDbEngine EssMonitor ANIDbEngine
None ani.log macuhic.log utlite.log ut.log utm.log
UTMajorAcquisition ANIServer UTManager EssMonitor ANIDbEngine DCRServer VNMServer ANIDbEngine
Vnmserver.log
System service: Handles VRF Lite Services like configuration, VRF Lite collector job scheduling System service: Collects information from Wlse Device
WlseUHIC
ANIDbEngine
wlseuhic.log
If you stop or restart any of these processes you must stop and restart their dependency processes. See Table 3-2 for the list of dependent processes. You can stop and restart the process using Admin > System > Server Monitoring > Processes.
3-13
Network Topology, Layer 2 Services and User Tracking Processes

Table 3-3 lists Inventory, Config and Image Management processes, and their dependency processes.
Table 3-3 Network Topology, Layer 2 Services and User Tracking Processes and Dependency Processes
Process Name ANIDbEngine ANIServer MACUHIC UTLITE UTMajorAcquisition
Dependency (Sequential) None EDS ANIDbEngine EssMonitor ANIDbEngine EssMonitor ANIDbEngine ANIServer
Log Information None ani.log macuhic.log utlite.log ut.log
Description System service: Database engine for Topology and Identity Services. System service: Collects device information for Topology and Identity Services. System service: Receives and processes SNMP traps for Dynamic UT System service: Receives and processes the UTLITE data UTMajor Acquisition is a transient process. System service: Collects end hosts information. System service: Queries external system for Dynamic UT
UTManager
EssMonitor ANIDbEngine DCRServer
utm.log
VNMServer
ANIDbEngine
Vnmserver.log
System service: Handles VRF Lite Services like configuration, VRF Lite collector job scheduling System service: Collects information from Wlse Device
WlseUHIC
ANIDbEngine
wlseuhic.log
3-14
OL-20721-01
Chapter 3
IPSLA Performance Management Processes and Dependency Processes

Table 3-4 lists the LMS 4.1 Performance Management processes and their dependency processes.
Table 3-4 LMS 4.1 IPSLA Performance Management Process and the Dependency Processes
Process Name IPMProcess
Description Provides core function of managing IPSLA Performance Management Devices, Collectors and Operations in LMS.
Dependency (Sequential) DCRServer, IpmDbEngine jrm CmfDbMonitor, EssMonitor, DCRServer, IpmDbEngine NA
Default State Program Started
Log Files ipmserver.log,dmgtd.log
IPMOGSServer IPSLA Performance Management group administration service. This is used for managing IPSLA Performance Management collector groups. It is also used for IPSLA Performance Management Collector selector. IpmDbEngine IPSLA Performance Management Database Engine service. It is used for managing and storing IPSLA Performance Management related information on the database
Program Started
IPMOGSServer.log, IPMOGSClient.log
Program Started
dmgtd.log
Device Performance Management Module Processes

Table 3-5 gives a description of key processes in Device Performance Management module.
Table 3-5 Key Processes in LMS 4.1 Device Performance Management Module
Process Name UPMDbEngine
Description
Dependent Process
Default State Started
Log Files None
None This is the Device Performance Management database engine process. If this process is down, you will not be able to access Device Performance Management module of LMS, and polling, threshold monitoring, and trendwatch monitoring will fail.
3-15
Table 3-5
Key Processes in LMS 4.1 Device Performance Management Module
Process Name
Description
Dependent Process UPMDbEngine
Default State Started
Log Files UPMDbMonitor.log upm_process.log
UPMDbMonitor Responsible for monitoring the UPMDbEngine process. UPMProcess
DCRServer, Started Responsible for the Polling UPMDbMonitor engine, Threshold monitoring and Poller Management features of LMS. If this process is down, poller management, threshold management, trendwatch management will fail.
Fault Management Processes

Table 3-6 provides a complete list of Fault Management-related Cisco Prime processes. Logs for most of these processes are provided in Table 17-2.
Table 3-6 Fault Management Related Processes
Name AdapterServer/ AdapterServer 1 DataPurge
Description Event adapter takes events from backend servers.
Dependency None
Default State Log Files Program Started adapterServer.log, adapterServer1.log , daemons.log
Data PurgeStarts as scheduled in the GUI and jrm purges the Fault History database.
Administrato DPS.log, daemons.log r has shut down this server
3-16
OL-20721-01
Chapter 3
Table 3-6
Fault Management Related Processes (continued)
Name DfmBroker
Description
Dependency
Default State Log Files Program Started brstart.log
Fault Management Broker maintains a registry None about Fault Management domain managers, that register the following information with the broker when its initialization is complete:

Application name of the domain manager Hostname on which the domain manager is running TCP port at which the HTTP server is listening
When a client needs to connect to the domain manager, it first connects to the broker to determine the hostname and TCP port the HTTP service of that server is listening. It then disconnects from the broker and establishes a connection to the domain manager. The DfmBroker log file is located at NMSROOT/objects/smarts/local/logs/brstart.log . DFMLogServer Controls Fault Management logs. None None Program Started Program Started DfmLogService.lo g, daemons.log MultiProcLogger.l og, daemons.log DFMOGSServer.l og DFM.log, DFM1.log
DFMMultiProcLog Handles processes with multiple threads. ger DFMOGSServer Fault Grouping Service Server evaluates group membership. Infrastructure device domain manager, a program that provides backend services for Fault Management. Services include SNMP data retrieval and event analysis. The DfmServer log is NMSROOT/objects/smarts/logs/DFM.log. If there are two instances of the DfmServer running, each will have a log file, DFM.log and DFM1.log. DFMCTMStartup Handles interprocess communication.
CmfDbEngine, Program ESS, DCRServer, Started TISServer DfmBroker Running Normally
DfmServer/DfmSe rver 1
None
Administrato DFMCTMStartup. log, daemons.log r has shut down this server Program Started Running Normally Program Started EPM.log EPM.log daemons.log
EPMDbEngine EPMServer FHDbEngine
Event Promulgation Module (EPM) database engineRepository for the EPM module. Sends events to notification services. Fault History database engineRepository for alerts and events.
None EPMDbEngine None
3-17
Table 3-6
Fault Management Related Processes (continued)
Name FHPurgeTask FHServer
Description Fault History purge task. Fault History server, a program that runs backend services for Fault History. Provides inventory and device information to the Detailed Device View (DDV); updates the DDV with events. Provides inventory and device information to the Detailed Device View (DDV); updates the DDV with events. Synchronizes voice device inventory with infrastructure device inventory. Handles all inventory events, such as adding and deleting devices. Inventory database engineRepository for devices. Notification Server monitors alerts and sends notifications based on subscriptions.
Dependency None EPMServer, EPMDbEngine, FHDBEngine InventoryCollect or Inventory Collector 1 ESS, TISServer, DFMOGSServer
Default State Log Files Transient terminated Running Normally Program Started Program Started Running Normally/Pr ogram Started Program Started Running Normally FHCollector.log, FHUI.log FHServer.log
Interactor
Interactor.log
Interactor 1
Interactor1.log
InventoryCollector / InventoryCollector 1 INVDbEngine NOSServer
InventoryCollector .log, InventoryCollector 1.log daemons.log nos.log
None EPMDbEngine, EPMServer, INVDbEngine, DFMOGSServer DFMOGSServer INVDbEngine EssMonitor
PTMServer PMServer
Polling and thresholds server. PMServer is used for the Partition Manager funtionality for the Fault Management module of LMS. When you add a device to the Fault Management module, it is always added to the default partition 0. All the debug logs related to PMServer can be found at NMSROOT/log/dfmLogs/PM
Running Normally Running Normally
PTMServer.log PMServer.log (For Windows) daemons.log (For Solaris/Soft Appliance)
TISServer
Inventory server.
EssMonitor, INVDbEngine
Program Started
TISServer.log
3-18
OL-20721-01
Chapter 3
Administering LMS Server Backing Up Data
Backing Up Data
You should back up the database regularly so that you have a safe copy of the database. You can schedule immediate, daily, weekly, or monthly automatic database backups. You should have necessary privileges to use this option. You cannot back up the database while restoring the database. LMS uses multiple databases to store client application data. These databases are backed up whenever you perform a backup. Backup requires enough storage space on the target location for the backup to start. If your current license count is lower than your earlier license count, and you restore the data now, devices that exceed the current licence count will be moved to Suspended state.
Caution
You should never backup data to the Cisco Prime Installation directory NMSROOT/backup. Sometimes, storing the backup data in this location may corrupt the Cisco Prime installation. This section explains:

Scheduling a Backup Restoring Data Changing the Database Password Effects of Backup-Restore on DCR Master-Slave Configuration Prerequisites and Restore Operations Effects of Backup-Restore on Groups
3-19
Chapter 3 Backing Up Data
Scheduling a Backup
You can schedule a backup using the LMS UI or use the backup utility through CLI. See, Backing up Data Using CLI for more information. To schedule a backup:
Step 1
Select Admin > System > Backup. The Backup Job page appears. Enter the appropriate information in the following fields: Field Backup Directory Description Location of the backup directory. We recommend that your target location be on a different partition than the Cisco Prime installation location. The backup directory should not contain any special character. Maximum number of backups to be stored in the backup directory. From the lists, select the time period between which you want the backup to occur. Use a 24-hour format. Enter a valid e-mail ID in this field. You can enter multiple e-mail IDs separated by commas. The system uses the e-mail ID or e-mail IDs to notify you the following:

Step 2
Generations Time E-mail
New backup schedules. Status of immediate or scheduled backup jobs upon their completion. Cancelled backup schedules.
Warning
There may be a problem in sending e-mails when you have enabled virus scanner in the Cisco Prime LMS Server.
Frequency
Select the backup schedule:

Immediately - The database is backed up immediately. Daily - The database is backed up every day at the time specified. Weekly - The database is backed up once a week on the day and time specified. Select a day from the Day of week list. Monthly - The database is backed up once a month on the day and time specified. Select a day from the Day of month list.
You cannot schedule more than one backup at a time. The new schedule overwrites the previous schedule, if any.
3-20
OL-20721-01
Chapter 3
Step 3
Click Apply. The Schedule Backup message verifies your schedule and provides the location of backup log files. Examine the log file at the following location to verify backup status: On Solaris/Soft Appliance: /var/adm/CSCOpx/log/dbbackup.log On Windows: NMSROOT\log\dbbackup.log You can remove the scheduled backup at any time. Click Remove to delete the scheduled backup job. The Remove button appears only if you have scheduled any backup.
Restoring Data
The new restore framework supports restore across versions. This enables you to restore data from versions 3.1, 3.2. The restore framework checks the version of the archive.

If the archive is of the current version, then the restore from current version is run. If the backup archive is of an older version, the backup data is converted to LMS format, if needed, and applied to the machine.
You can restore your database by running a script from the command line. You have to shut down and restart Cisco Prime while restoring data. In all backup-restore scenarios, a back up is taken from a machine A, and the backed up data, say Ab, is restored on the same machine A, or on a different machine B. Ensure that you do not run any critical tasks during data restoration. Otherwise, you may lose the data of such tasks. For details on effect of restore operation on DCR modes, and Groups, see Effects of Backup-Restore on DCR and Effects of Backup-Restore on Groups.
Caution
Restoring the database from a backup permanently replaces your database with the backed up version. The list of applications in a backup archive should match the list of applications installed on the LMS Server where you want to restore the data. You should not continue the restore when there is a mismatch, as it may cause problems in the functionality of Cisco Prime applications. This section explains the following:

Restoring Data On Solaris/Soft Appliance Restoring Data On Windows
3-21
Restoring Data On Solaris/Soft Appliance
To restore the data on Solaris/Soft Appliance:

Step 1 Step 2
Log in as the superuser, and enter the root password. Stop all processes by entering:
Step 3
Restore the database by entering: /opt/CSCOpx/bin/perl /opt/CSCOpx/bin/restorebackup.pl [-t temporary directory] [-gen generationNumber] [-d backup directory] [-h]
[-t temporary directory]The restore framework uses a temporary directory to extract the content of backup archive. By default the temporary directory is created under NMSROOT as NMSROOT/ tempBackupData. You can customize this, by using this t option, where you can specify your own temp directory. This is to avoid overloading NMSROOT
[-gen generationNumber]Optional. By default, it is the latest generation. If generations 1 through 5 exist, then 5 will be the latest. [-d backup directory]Required. Which backup directory to use. [-h]Provides help. When used with -d <backup directory> syntax, shows correct syntax along with available suites and generations.
To restore the most recent version, enter: /opt/CSCOpx/bin/perl /opt/CSCOpx/bin/restorebackup.pl -d backup directory For example, -d /var/backup
Step 4
Examine the log file in the following location to verify that the database was restored by entering:
/var/adm/CSCOpx/log/restorebackup.log
Step 5
Restart the system:

Restoring Data On Windows
To restore the data on Windows, make sure you have the correct permissions, and do the following:
Step 1
Stop all processes by entering the following at the command line:

net stop crmdmgtd
Step 2
Restore the database by entering: NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl [-t temporary directory] [-gen generationNumber] [-d backup directory] [-h] where NMSROOT is the Cisco Prime installation directory. See the previous section for command option descriptions. To restore the most recent version, enter the following command: NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl -d backup directory
3-22
OL-20721-01
Chapter 3
Step 3
Examine the log file in the following location to verify that the database was restored by entering: NMSROOT\log\restorebackup.log Restart the system by entering:
net start crmdmgtd
Step 4
Note
For more details on restoring data see Migrating Data to Cisco Prime LAN Management Solution 4.1 in Installing and Migrating to Cisco Prime LAN Management Solution 4.1
Changing the Database Password

You must enter the database password while installing Cisco Prime. If you do not enter the password, Cisco Prime generates the password at random. However, we recommend that you change the password periodically to ensure system security.
Caution
You need to shut down Cisco Prime, change the password and then restart Cisco Prime, for the changes to take effect. Make sure you are not running any critical tasks. Otherwise, you might lose data. This section explains the following:

Changing Password on Solaris/Soft Appliance Changing Password on Windows Formats Available for Changing the Database Password
Changing Password on Solaris/Soft Appliance
To change the password on Solaris/Soft Appliance:

Step 1 Step 2
Log in as the superuser, and enter the root password. Stop all processes by entering:
Step 3
Change to the installation directory by entering:

cd
NMSROOT/bin
NMSROOT is your default Cisco Prime installation directory.

Step 4
Enter the following command to list the different formats available for changing the database password: NMSROOT/bin/perl dbpasswd.pl When prompted, enter the new password and verify it by re-entering it. The password can contain a maximum of 30 characters. Start all processes by entering:
Step 5
Step 6
3-23
Changing Password on Windows
To change the password on Windows:

Step 1 Step 2
At the command line, make sure you have the correct permissions. Stop all processes by entering:
net stop crmdmgtd
Step 3
Change to the Installation Directory by entering:

cd
NMSROOT\bin
NMSROOT is your default Cisco Prime installation directory.

Step 4
Enter the following command to list the different formats available for changing the database password: NMSROOT\bin\perl dbpasswd.pl When prompted, enter the new password and verify it by re-entering it. The password can contain a maximum of 30 characters. Start all processes by entering:
net start crmdmgtd
Step 5
Step 6
Formats Available for Changing the Database Password
The different formats available and the commands for changing the database passwords on Windows, Solaris and Soft Appliance platforms are tabulated below: Format Format 1 detects the available datasource names and databases and prompts you to enter and confirm the passwords for each of them. It also allows you to encrypt the password. Format 2 allows you to list all the databases and datasource names (DSNs) available in the server. Command On Solaris/Soft Appliance: NMSROOT/bin/perl dbpasswd.pl all On Windows: NMSROOT\bin\perl dbpasswd.pl all On Solaris/Soft Appliance: NMSROOT/bin/perl dbpasswd.pl listdsn On Windows: NMSROOT\bin\perl dbpasswd.pl listdsn Format3 allows you to change the database password. On Solaris/Soft Appliance: NMSROOT/bin/perl dbpasswd.pl dsn=odbc_datasource On Windows: NMSROOT\bin\perl dbpasswd.pl dsn=odbc_datasource Format 4 allows you to change the database password for a specific DSN. It also allows you to enter a new password in the command line using the npwd option. On Solaris/Soft Appliance: NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password On Windows: NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password
3-24
OL-20721-01
Chapter 3
Format Format 5 allows you to encrypt the existing database password.
Command On Solaris/Soft Appliance: NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name encyption=yes On Windows: NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name encyption=yes
Format 6 allows you to change the database password for a specific DSN. Format 6.0 also:

On Solaris/Soft Appliance: NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password

encryption=yes
Allows you to enter a new password in the command line using the npwd option.
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password Allows you to encrypt the password using the encryption=yes encryption option.
Effects of Backup-Restore on DCR

Data changes are a normal part of any restore from a backup. However, because Device and Credential Repository (DCR) is a distributed system with varying modes, it is also possible for any restored DCR to:
Change modes. For example, a Standalone DCR can be set after a backup to act as a Slave. When the restore is performed, it will be reset to the Standalone mode. It depends on the DCR mode of the machine from which the backup was taken (source machine), and the machine on which the data was restored (target machine).
Change Master/Slave relationships. For example, a DCR Slave may be using Master A at the time a backup is taken. Later, the domain may be changed to use Master B, and the Slave reset to use Master B. When the restore is performed, the Slave will attempt to use Master A.
For detailed information on DCR, see Managing Device and Credentials in Inventory Management with CiscoWorks LAN Management Solution 4.1 . The following scenarios helps you understand the implications of Restore operations on DCR.

Restoring Data From a DCR Standalone Restoring Data From S1 on S1 Restoring Data From S1 to M1 Restoring Data From S1 on M2 Restoring Data From M1 on M1 Restoring Data From M1 to M2
3-25
Restoring Data From a DCR Standalone
If you restore the data backed up from a machine in the Standalone mode, on any machine whose working mode is either Standalone, Master, or Slave, the end mode will be Standalone. Let X be a machine in Standalone mode. If you restore the data backed up from X, say Xb, on another Standalone machine Y, or a Slave S, or a Master M, the end mode of Y, S, and M will be Standalone. Also, any slave of M will switch to Standalone mode. Further scenarios can be better explained based on the following DCR set up. Let us assume there are two DCR domains.

For Domain 1, you have M1 as Master, and S1, and S2 as Slaves. For Domain 2, you have M2 as Master, and S3, and S4 as Slaves.
Restoring Data From S1 on S1
Suppose you take a backup from S1. After sometime, you restore the backed up data, say S1b, on S1. S1 will look for its Master M1, and the Master-Slave relation between S1 and M1 will be intact, since M1 is available. However, note that the restore on S1 will practically be of no effect since S1 and M1 will synchronize after the restore on S1. The changes that have taken place after the backup was taken from S1 will be reflected in S1, even if S1b is restored on S1. In the above example, if the restore on S1 is performed when Master M1 is down, or has crashed, the end mode of S1 will be Standalone. This is because S1 will try to contact M1, and will fail because M1 is down.
Restoring Data From S1 to M1
Suppose you take a backup from S1 and restore the backed up data, say S1b, on M1. M1 will switch to Standalone mode because, after backup, it will not be able to find a Master. S1 will also switch to Standalone mode. At the time of backup, if there were 1000 devices in M1, the Slave S1 would also have 1000 devices. Assume more devices are added to M1 after the Backup. S1 will have the up-to-date device list. However, after restore on M1, M1 will have only 1000 devices. In other words, the data on S1 will be more recent than the data on M1.
Restoring Data From S1 on M2
Suppose you take a backup from S1 and restore the backed up data, say S1b, on M2, which is the Master in the DCR Domain 2 in our example. After the restore, the end mode of M2 will be Slave. That is, M2 will become a Slave of M1. Also, S3, and S4, which were Slaves of M2, will switch to the Standalone mode.
Restoring Data From M1 on M1
Suppose you take a back up from M1. After the backup you would be performing several operations that would bring about changes in the Master and the corresponding Slaves; M1, S1, and S2 in our example. Now, if you restore the backed up data M1b, on M1 itself. The Master M1 will have data that is older than the data in the Slaves, S1, and S2. In other words, the Slaves will have more recent data than that on the Master.
3-26
OL-20721-01
Chapter 3
To avoid this, you must perform the Restore operation in the following sequence:
Step 1 Step 2
Back up data from the slaves, S1 and S2. Backup data from the Master, M1. This is to ensure that the data backed up from M1 is more recent than the data backed up from S1 and S2. Stop Daemon Manager on all three machines. Restore data on the Master, M1. Restart Daemon Manager on M1. Restore data on S1, and S2 after the Master is up and stable, Restart Daemon Manager on S1, and S2.
This ensures that Master has more recent data than the Slaves.
Note
To avoid disturbances to the Master- Slave relationship, and to maintain consistency, it is better to take a back up of all machines at the same time.
Restoring Data From M1 to M2
Suppose you take a backup from M1, and restore the backed up data, say M1b, on M2. S3, and S4 which were Slaves of M2, will switch to Standalone mode.
Master-Slave Configuration Prerequisites and Restore Operations

DCR Master-Slave setup requires you to perform certain tasks prior to Master-Slave configuration, to enable proper, and secure communication between them. This involves copying certificates, and setting up a valid system identity user. For details, see Master-Slave Configuration Prerequisites. Restore operations can affect Master-Slave relationships because they may modify these pre-configured parameters. For example, let M1 be the Master, and S1 its Slave. Let X be a standalone server. Suppose you take a backup from S1, and restore the backed up data, say S1b on X. Now, X has to be in Slave mode. Since, M1 and S1 already shared a Master-Slave relationship, M1 will have the peer certificate of S1, and S1 will have the certificate of M1. After the restore operation, X will get the certificate of M1. However, if peer certificate of X is not present on M1, X will not be able to have M1 as its Master. So you have to ensure that the certificates of the peer machines are in place, before you do a Restore. Other Master-Slave configuration prerequisites such as System Identity user configuration and Peer Server Account user configuration might get affected by Restore operations. For example: In M1 you have Joe as a Peer Server User and in S1 you add Joe as a System Identity user. You take a backup from S1. After you take the backup, say you change the Peer Server User and System Identity User to Bob.
3-27
Now if you restore the backed up data, say S1b the system Identity User would not be Bob anymore. This will upset the Master-Slave relationship. During restore you are prompted to confirm whether you need to overwrite the SSL certificate. SSL certificates are tied to individual machines. So if you take a backup on one machine and restore it on another, you should be careful not to overwrite the SSL certificate. However, if you backup data from a machine and restore it to the same machine, you may overwrite the SSL certificate.
Effects of Backup-Restore on Groups

Backup-Restore operations have an implication on the way Groups will be displayed in the LMS. The changes in Groups behavior is discussed in relation with the Device and Credential Repository (DCR) mode changes explained in Effects of Backup-Restore on DCR. If you perform a backup on machine A and restore the backed up data, say Ab, on the same machine, the system-defined groups, and the user-defined groups created after the data backup will be removed. The following scenarios helps you understand the implications of Restore operations on Groups.

Restoring Data From a DCR Standalone Restoring Data From S1 on S1 Restoring Data From S1 on M1 Restoring Data From S1 on M2 Restoring Data From M1 on M2
Restoring Data From a DCR Standalone
The following scenarios have to be considered:
Restore data from a Standalone machine A to another Standalone machine B: The provider group name will change accordingly. That is, the provider group CS @A will become CS@B.
Restore data from a Standalone machine A to a Master M: The Master will switch to Standalone mode. The provider group name will be updated accordingly. The Slave groups will be removed from the Master. Only the groups pertaining to LMS and the applications installed in the Standalone machine will be visible. All dependent Slaves of M will become Standalone.
Restore data from a Standalone machine A to a Slave S: The Slave will switch to Standalone mode. The provider group name is updated accordingly. The groups pertaining to other Slaves in the domain, and the Master of S, will be removed from S. The groups UI will be enabled.
The subsequent sections are based on the scenarios discussed in the Effects of Backup-Restore on DCR.
3-28
OL-20721-01
Chapter 3
Administering LMS Server Licensing Cisco Prime LMS
Restoring Data From S1 on S1
No impact on CS groups. There may be applications installed on S1. Say you create 10 groups in the Applications before you backup data from S1. After backup, assume you create 10 more groups in the Applications. After restore, the 10 groups you created after backup will not be present. This loss of newly added groups also propagates to other Slaves in the domain.
After restore, both S1 and M1 will switch to Standalone mode. Both will have only those groups pertaining to LMS installed on the individual machines. Groups UI is enabled on S1. Also, the other Slaves of M1 will switch to Standalone mode.
After restore, M2 will become a Slave of M1. The Groups UI in M2 will be disabled. M2 will pickup all the groups from M1. Groups in M2 will be propagated to other slaves in the domain. All the slaves of M2 (before restore) will now switch to Standalone mode.
Restoring Data From M1 on M2
Slaves of M2, that is S3 and S4, will switch to Standalone mode. Groups pertaining to S3 and S4 will be deleted from M2. In all the cases the System-defined Groups, and the User-defined Groups, are carried over and updated in the target machine.
Licensing Cisco Prime LMS

You must register your software and obtain a product license before you start using an application. You can obtain a product license and license your application, view details of your current software license, or update to a new license from the Licensing page. LMS will authenticate and perform the license check. You can have an LMS license or a Monitor and Troubleshoot license. If your current license count is lower than your earlier license count, and you restore the data now, devices that exceed the current licence count will be moved to Suspended state. This section explains:

Obtaining a License for Cisco Prime LMS Licensing the Application Viewing License Information Updating Licenses Transferring Files to Soft Appliance Server Licensing Incremental SKUs
3-29
Chapter 3 Licensing Cisco Prime LMS
Obtaining a License for Cisco Prime LMS
To obtain a product license for your Cisco Prime applications, register your software at one of the following websites. You will need to provide the Product Authorization Key (PAK), which is printed on a label affixed to the Bundle sub-box. If you are a registered user of Cisco.com, use this website: http://www.cisco.com/go/license If you are not a registered user of Cisco.com, use this website: http://www.cisco.com/go/license/public The product license will be sent to the e-mail address you provide during registration. Retain this license with your Cisco Prime software records.
Licensing the Application
After you obtain the product license, perform these steps to license your software:
Step 1 Step 2
Copy the new license file to the LMS Server, with read permission for casuser/casusers. Select Admin > System > License Management. The License Information page appears. The License Information page displays the name, version, size, status and expiration date of the license.
Click Update. Enter the path to the new license file in the License field, or click Browse to locate the new file. Click OK. The system verifies whether the license file is valid, and updates the license. The updated licensing information appears in the License Information page. Otherwise an error message is displayed. To return to the License Information page, click Cancel.
Viewing License Information
To view details of your current software license, select Admin > System > License Management to open the License Information page. The license name, license version, size (device limit for the licensed application), status of the license, and the expiration date of the license appear under License Information. The license version shows the major version of the application.
Updating Licenses
You can view details of your current software license, or update to a new license from the License page. To update to a new license from the Licensing page:
Step 1
Select Admin > System > License Management. The License Information page displays the license name, license version, status of the license, and the expiration date of the license.
Step 2
Click Update.
3-30
OL-20721-01
Chapter 3
Administering LMS Server Licensing Cisco Prime LMS
Step 3 Step 4
Enter the path to the new license file in the License field, or click Browse to locate the new file. Click OK. The system verifies whether the license file is valid, and updates the license. The updated licensing information appears in the License Information page. Otherwise, an error message is displayed. To return to the License Information page, click Cancel.
Transferring Files to Soft Appliance Server
To transfer files to the Soft Appliance server:

Step 1 Step 2
Log into the Soft Appliance server through the command line, using a SSH client/console access. To log into the server, you have to use the sysadmin account that was created at the time of installation. To log into the shell:
a. b.
Enter the command shell. Enter the shell password.
Note
By default, shell will be enabled with sysadmin password. If you want to change the shell password, use the command shell_enable in sysadmin mode.
Step 3
Transfer the files using the following FTP, SFTP or SCP commands: FTP command To log into FTP server use the below command:
ftp -i -n FTP_SERVER_IP_ADDRESS ftp> user USER_NAME PASSWORD
Ensure that the file to be retrieved is available in the FTP server. To retrieve the file use the below command:
ftp>get FILE_NAME
Note
Ensure that you provide the appropriate path to the navigate to the folder where the file is located.
SFTP command To log into the SFTP server use the below command:
sftp user@SFTP_IP_ADDRESS:PATH
Ensure that the file to be retrieved is available in the SFTP server To retrieve the file use the below command:
sftp>get FILE_NAME
Note
Ensure that you provide the appropriate path to the navigate to the folder where the file is located.
3-31
Chapter 3 Configuring a Default SMTP Server
SCP command Ensure that the file to be retrieved is available in the SCP server
scp [[user@]from-host:]source-file [[user@]to-host:][destination-file]
Step 4
Change the owner and group name of the transferred file by using the below command:
chown casuser:casusers FILE_NAME
Licensing Incremental SKUs
Incremental SKUs are introduced in LMS 4.1. You must have the LMS 4.1 base media kit to order the incremental licenses. The following are the available incremental licenses (SKUs) for LMS 4.1 users, who have opted to order the physical Product DVD kit (Physical software and Software claim certificate paper with PAK): Available Licenses (SKU) in LMS 4.1 L-LMS-4.1-50-ADD (only for Windows) L-LMS-4.1-200-ADD L-LMS-4.1-500-ADD L-LMS-4.1-1K-ADD L-LMS-4.1-2.5K-ADD L-LMS-4.1-5K-ADD Permitted number of Devices in LMS 4.1 Incremental license for 50 devices Incremental license for 200 devices Incremental license for 500 devices Incremental license for 1000 devices Incremental license for 2,500 devices Incremental license for 5,000 devices
L-LMS-4.1-100-ADD (only for Windows) Incremental license for 100 devices
Configuring a Default SMTP Server

This SMTP server is used by default when you add or edit subscriptions for e-mail notifications or send e-mail notifications from the Alerts and Activities display. LMS also provides a facility for specifying a default SMTP server. Specifying a default server here will override the setting used by LMS.
Select Admin > System > SMTP Default Server. Enter a fully qualified SMTP server name. Click Apply.
Collecting Server Information

This feature helps you to get the required information about the server. The information about the server includes system information, environment, configuration, logs, web server information, device and credentials administration information, and grouping services information. You can use the collected server information for troubleshooting.
3-32
OL-20721-01
Chapter 3
Administering LMS Server Collecting Server Information
For example, when you have chosen to collect the grouping services information about the server, the following details will be collected and stored:

Status of LMS grouping server. The status values are Running, and Not Running. List of groups created in the LMS grouping server. Content of the registry and properties files associated with LMS. Status of the grouping server installed on same Cisco Prime Server. The status values are Running, and Not Running. List of groups created in the LMS grouping server. Content of the properties files associated with other applications. Error encountered if the grouping servers are not running or if they are not reachable.
You can look into this collected information to find out the errors with grouping servers and debug them. You can also collect server information using CLI. See Collecting Server Information Using CLI To collect the server information:
Step 1
Select Admin > System > Server Monitoring > Collect Server Information. The Collect Server Information page appears. Click Create to collect the current server information. The Collect Server Information popup dialog box appears with a list of options. The available options are:

Step 2
System Information Displays the server type, operating system version, installation date of operating system, and other system information. Event Logs Displays the logs of events in the LMS Server. Cisco Prime Registry Displays the registry entries of Cisco Prime components installed in the server. Tomcat Log Files Displays the log files corresponding to the application server. Grouping Service Displays the information of grouping servers and the groups created in the grouping server. Application Registry Details Displays the information of applications registered with CiscoWorks home page. Device Credentials Admin Information Displays the details of DCR mode, status of DCR Master, number of devices in DCR and the contents of DCR configuration files. ODBC Configuration Displays the information about the configuration of database connection in the LMS Server. Product Log Files Displays the contents of log files of all Cisco Prime components. Environment Variables Displays the list of environmental variables set up in the LMS Server. Process Status Displays the name of processes, current state of the process, process ID, start and finish time of the process, and other information. Network Configuration Displays information about the various configurations in a network. Memory and Harddrive Status Displays details of free space and total space of memory and hard disk drives in the LMS Server. JRE Registry Displays information about the Java Runtime Environment registry files.
3-33
Chapter 3 Collecting Server Information
Step 3
Select the check boxes corresponding to the options you need. You can use the All check box to select or deselect all the available options. By default all the check boxes are selected. Click OK. The server information for the selected components is collected. Collecting server information may take longer if more components are selected. To return to the Collect Server Information page, click Cancel. You can click Refresh in the Collect Server Information page to see the latest status.
Step 4
To view the collected information:

Step 1
Select Admin > System > Server Monitoring > Collect Server Information. The Collect Server Information page appears. Click Server Information at the date time link to view the collected server information. The popup window displays the server information collected. View server information by clicking the corresponding link in the Table of Contents.
Step 2
Step 3
To delete the collected server information:

Step 1
Select Admin > System > Server Monitoring > Collect Server Information The Collect Server Information page appears. Select the corresponding check box of the server information you want to delete. Click Delete.
Step 2 Step 3
Collecting Server Information Using CLI
You can also collect server information using CLI. Enter the following command:
NMSROOT\bin\perl NMSROOT\bin\collect.info (on Windows)
or
NMSROOT/bin/perl NMSROOT/bin/collect.info (on Solaris/Soft Appliance)
where NMSROOT is the directory where you installed Cisco Prime.
3-34
OL-20721-01
Chapter 3
Administering LMS Server Collecting Self Test Information
Collecting Self Test Information

You can view self test reports using this option. Self test feature helps to test certain basic functions of the server.
Select Admin > System > Server Monitoring > Selftest. Click Create to perform a self test and to view the report. Click the Self Test Information at date time link. A popup window displays the selftest information report.
To delete a Self Test Information report, select the check box and click Delete.
Messaging Online Users

You can use the Notify User feature in LMS to broadcast messages to online users. You can post messages to users with active Cisco Prime browsers. By default, the messages will be received within 60 seconds. You can also change this polling interval. To send a broadcast message:
Step 1
Select Admin > System > User Management > Notify Users. The Notify Users page lists all the users currently logged in. Enter the message in the Message field and click Send. The Status field displays the status of the message.
Step 2
Note
If you are using Microsoft Internet Explorer, make sure your browser is set to check for updates on every visit to the page.
Managing Resources
LMS provides a Resource Browser for managing resources. You can free locked resources, when necessary, if you have appropriate privileges. All users (including those with Help Desk role alone) can access the Resource browser page. The Refresh icon in the Resource browser is available for all users.
Note
The System Identity user must configure all the Resource management related tasks. The Browse Resources and Free Resources tasks should be enabled.
3-35
Chapter 3 Modifying System Preferences
To view Resource details:

Step 1
Select Admin > Network > Resource Browser. The Resource Browser page displays the following details: Item Resource Job ID / Owner Time Locked Expire Time Description Name of the resource currently locked. Number assigned to this task at creation time. Identifies all related locked resources, and user who locked the resource. Time this lock was established. Lock expiration time.
To free locked resources:

Step 1
Select Admin > Network > Resource Browser. The Resource Browser page appears. Check the check box corresponding to the Job ID. Click Free Resources. All users (except those with Help Desk and Approver role) can perform the Free Resource operation in the Resource browser. To view updated resources, click Refresh.
Step 2 Step 3
Modifying System Preferences

You can configure system-wide information on the LMS Server using the System Preferences option. It is a way to centrally locate information that is used by Cisco Prime applications. Field SMTP Server Administrator E-mail ID Description System-wide name of the SMTP server used by Cisco Prime applications to deliver reports. The default server name is localhost. Cisco Prime Administrator e-mail ID. This e-mail address is used as the From Address in all mails sent from LMS Server. There is no default e-mail ID. Enable E-mail Attachment Allows you to enable e-mail attachments in the mails sent from LMS Server. This option helps you to attach PDF or CSV reports with the e-mail after the scheduled jobs have completed. This option is disabled by default.
3-36
OL-20721-01
Chapter 3
Administering LMS Server Modifying System Preferences
Field Maximum Attachment Size RCP User
Description Maximum size of the e-mail attachments that are allowed to be sent from LMS Server. You can specify the attachment size in KB or MB. Name used by network device when it connects to LMS Server to run rcp. User account must exist on UNIX systems, and should also be configured on devices as local user in the ip rcmd configuration command. The default RCP username is cwuser.
SCP User
Name used by network device when it connects to LMS Server to run SCP. The username you have entered here is used for authorization while transferring software images using SCP protocol. You must specify a user name that has SSH authorization on a Solaris system. SCP uses this authorization for transferring the software images. This field is available only if Cisco Prime LMS applications are installed on the LMS Server.
SCP Password
Enter the password for SCP User in this field. The password you have entered here is used for authentication while transferring software images using SCP protocol. You must specify a user name that has SSH authentication on a Solaris system. SCP uses this authentication for transferring the software images. This field is available only if Cisco Prime LMS applications are installed on the LMS Server.
SCP Verify Password Re-enter the SCP password in this field. This field is available only if Cisco Prime LMS applications are installed on the LMS Server. Enable crmlogger DNS resolution Enable the Domain Name Service Resolution for the crmlog service using this field. Note that enabling the DNS Resolution for the crmlog service will slow down the Syslog performance. The crmlog service will stop and start when you enable or disable the Domain Name Service Resolution for crmlog service. If the crmlog registry does not contain the CrmDnsResolution parameter, it will be created automatically when you enable the service. This field is available only on Windows systems.
3-37
Chapter 3 Configuring Log Files Rotation
To edit system preferences:

Step 1
Select Admin > System > System Preferences. The System Preferences page appears. Enter the following information:

Step 2
SMTP Server Administrator E-mail ID Maximum Attachment Size RCP User
Caution Step 3 Step 4
Set this information carefully. If you introduce errors, users may not be able to log in. Check the Enable crmlogger DNS Resolution check box to enable the Domain Name Service Resolution for the crmlog service, on a Windows system. Enter the following fields, which are available only if Cisco Prime LMS applications are installed on the LMS Server:

SCP User SCP Password SCP Verify Password
Step 5
Click Apply after making the changes. To cancel the changes, click Cancel.
Configuring Log Files Rotation

Log files can expand and fill up disk space. Log files rotation helps you manage the log files more efficiently. See Maintaining Log Files for an overview of maintaining the log files in LMS Server. Logrot is a log rotation program that enables you to control the size growth of the log files. It helps you to:

Rotate log files while Cisco Prime is running. Optionally archive and compress rotated logs. Rotate log files only when they have reached a particular size.
Logrot helps you easily add new files. You can configure Logrot either from the UI or from the CLI. The following log files are maintained by the log rotation program:

Daemon Manager Web server log files Configuring Log Files Rotation Settings From the User Interface Configuring Log Files For Rotation From the User Interface Scheduling Log Files Rotation
This section explains:

3-38
OL-20721-01
Chapter 3
Administering LMS Server Configuring Log Files Rotation
Configuring Logrot Utility Running Logrot Script Viewing the Scheduled Logrot Job
Configuring Log Files Rotation Settings From the User Interface
To configure log files rotation from the user interface:

Step 1
Select Admin > System > Log Rotation. The Log Rotation page appears. Set your backup directory in the Backup Directory field. This backup directory stores the rotated log files. You can also use the Browse button to select a directory from the file browser. The default directory is:

Step 2
NMSROOT\log on Windows systems /var/adm/CSCOpx/log on Solaris/Soft Appliance systems
If you do not set a backup directory, each log file will be rotated in its current directory.
Step 3
Select Restart Daemon Manager check box to stop and start the Daemon Manager before the log rotation starts. This is optional.
Configuring Log Files For Rotation From the User Interface
To add the log files for rotation:

Step 1
Select Admin > System > Log Rotation. The Log Rotation page appears. Click Add to add the log files you wish to rotate. The Configure Logrot page appears. Enter the name of the log file in the Select Log File field. You can enter only one log file at a time. You should specify log file using its fully-qualified path. If the log files do not exist in the path you have specified, this will not be considered for rotation. You can also click Browse to select a log file name from the file system. Enter the maximum file size in the Maximum Logrot Size field. The log file will not be rotated until this size is reached. You can enter the file size in KB or MB. The default file size is 1024 KB. The maximum file size for log rotation is 4096 MB.
Step 2
Step 3
Step 4
Step 5
Select a file compression type from Compression Format. The supported formats are:

ZUNIX compression (on Solaris/Soft Appliance only) gzGNU gzip bz2bzip2 (on Solaris/Soft Appliance only)
3-39
Step 6
Specify the number of backups in the No of Backups field. If you do not want to keep any archives, enter 0 (the default) for this option. Click Apply to save the changes. To return to the Log Rotation page, click Cancel.
Step 7
To edit the log files that you have configured for rotation:
Step 1
Select Admin > System > Log Rotation. The Log Rotation page appears. Select a record from the list of log files displayed. Click Edit. The Edit Logrot page appears. Edit the name of the log file. The rotated log files will be stored with the new name you have edited. Edit the log file size, compression type or number of archive revisions. Click Apply to save the changes. To return to the Log Rotation page, click Cancel.
Step 2 Step 3
Scheduling Log Files Rotation
To schedule log files rotation:

Step 1
Select Admin > System > Log Rotation. The Log Rotation page appears. Click Schedule. The Schedule Logrot appears. Select a value in the Hour and Min drop-down lists to specify the time at which the log rotation should start. You should specify the time in 24-hour format.
Step 2
Step 3
3-40
OL-20721-01
Chapter 3
Administering LMS Server Configuring Log Files Rotation
Step 4
Select a periodic or immediate backup schedule in the Frequency field. The available schedule frequencies are:

ImmediateLog rotation job runs immediately. DailyLog rotation job runs every day at the time specified. WeeklyLog rotation job runs once a week on the day and time specified. Select a day from the Day of Week list. MonthlyLog rotation job runs once a month on the day and time specified. Select a day from the Day of Month list.
Step 5
Click Apply to save the changes. You can remove a schedule at any time. Click Remove to delete the scheduled job. The Remove button is enabled only if you have scheduled a log rotation. To return to the Log Rotation page, click Cancel.
Configuring Logrot Utility
Logrot should be installed on the same machine where you have installed LMS. To configure the Logrot script:
Step 1
Enter:

NMSROOT\bin\perl.exe NMSROOT\bin\logrot.pl -c (on Windows) Run /opt/CSCOpx/bin/logrot.pl -c (on Solaris/Soft Appliance) Edit variables. Edit log files. Quit and save changes. Quit without saving change.
The Logrot configuration menu appears. You have the following options:
Step 2
Select Edit variables to set your Backup Directory. If you do not set a backup directory, each log will be rotated in its current directory. Select Edit log files to add log files you wish Logrot to rotate. You can specify log files using fully-qualified or relative paths. If a relative path is specified, and the log file does not exist in that path, the default log file path for your operating system will be added during rotation (for example, /var/adm/CSCOpx/log on Solaris/Soft Appliance).
Step 3
Specify the number of archive revisions. If you do not want to keep any archives, enter 0 (the default) for this option. Specify the maximum file size. The log will not be rotated until this size is reached. The unit is in kilobytes (KB). The default is 1024 KB or 1 MB. Specify the file compression type to be used. It can be:

ZUNIX compression (on Solaris/Soft Appliance only) gzGNU gzip bz2bzip2 (on Solaris/Soft Appliance only)
When deleting logfiles, you can choose to delete an individual file, a list of files, or all files matching a certain pattern.
3-41
For example, 1-3 means delete files numbered 1 through 3. a list of comma-separated file numbers, for example, 1,21, means delete files numbered 1 and 21. A pattern string *.log means delete all files that match the pattern *.log. You can also specify the special pattern, *, which means delete all logfiles in the configuration.
Running Logrot Script
To run the Logrot Script enter:
On Windows: Enter NMSROOT\bin\perl NMSROOT\bin\logrot.pl On Solaris/Soft Appliance: Run /opt/CSCOpx/bin/logrot.pl
You can schedule log rotation so that the utility works on a specified time and day. The following command line flags are accepted:

-v -s
option to get verbose messages. option shuts down dmgtd before rotating logs.
Caution
The Restart Delay variable controls the waiting duration (in seconds) before proceeding, after dmgtd is shutdown. This option is only used if the -s argument is given to logrot. The default delay is 60 seconds.

-c -h
option reruns the configuration tool. option displays the help.
Viewing the Scheduled Logrot Job
You can view the scheduled jobs log file to troubleshoot the logrot utility. To look at the scheduled logrot job:

On Windows, use the command: crontab.cmd On Solaris, use the command:

crontab -l <UserName>
Example: To view the job scheduled to run as root user, use the command:
crontab -l root
To view the job scheduled to run as casuser, use the command:

crontab -l casuser
On Soft Appliance, use the command:

crontab -lu <UserName>
Example: To view the job scheduled to run as root user, use the command:
crontab -lu root
To view the job scheduled to run as casuser, use the command:
3-42
OL-20721-01
Chapter 3
Administering LMS Server Configuring Disk Space Threshold Limit
crontab -lu casuser
Configuring Disk Space Threshold Limit

DiskWatcher is a back-end process that monitors disk space availability on LMS Server. This process calculates the disk space information of a drive (on Windows) or a file system (on Solaris/Soft Appliance) where Cisco Prime applications, are installed, and stores them in diskWatcher.log file. Disk space information is calculated for the following directories on LMS Server:

Cisco Prime Installation directory (on both platforms) /var directory (on Solaris/Soft Appliance platform only) /tmp directory (on Solaris/Soft Appliance platform only)
The process calculates the disk space availability of the LMS Server directories at a regular interval of approximately one hour. In Solaris machines, the disk spaces of /opt file system is calculated in the first 30 minutes of every one hour time. The disk spaces of /var file system and /tmp file system are calculated in the next 15 minutes and in the last 15 minutes of an approximate one hour time interval. This process also alerts you when the disk space is less than the threshold level you have configured in the User Interface. Alerts are sent as urgent messages to logged in users. You can also receive the alert messages through e-mail if you have configured your e-mail ID along with threshold level. This process records the alert information in the system log files. The alert information is recorded in diskWatcher.log and syslog.log files in Windows machines. They are stored in diskWatcher.log and daemons.log files in Solaris machines. To configure the disk space threshold limit:
Step 1
Select Admin > System > Server Monitoring > DiskWatcher Configuration. The DiskWatcher Configuration page appears. Enter a threshold value in the Threshold for Cisco Prime Installation Directory field to monitor the disk space in the Cisco Prime Installation directory. This is mandatory. You should enter the threshold value in units of MB or GB. Enter a threshold value in the Threshold for /var and /tmp Directories field to monitor the disk space in Solaris file systems. This is mandatory. You should enter the threshold value in units of MB or GB.
Step 2
Step 3
Note Step 4
This field is available only on Solaris systems.
Enter a valid e-mail in the E-mail ID field. You can enter multiple e-mail addresses separated by commas. The system uses the e-mail addresses to notify about the disk space availability when the disk space is less than the threshold limit you have configured. There may be a problem in sending e-mails if you have enabled virus scanner in the LMS Server.
3-43
Chapter 3 Configuring Disk Space Threshold Limit
Step 5
Click Apply to save the changes or click Cancel to reset the values.
3-44
OL-20721-01
Chapter 3
Administering LMS Server Effects of Third Party Backup Utility and Virus Scanner
Effects of Third Party Backup Utility and Virus Scanner

Sometimes, the LMS 4.1 database fails to run and throws the following Sybase Assertion error message:
*** ERROR *** Assertion failed: 100909 (9.0.0.1383). 100909 is the Assertion ID.
The following are the scenarios where Assertion Error might appear:
If you use any third-party backup software to back up a live, running database, the Assertion Error might be thrown. This is because some of the database pages that have been modified will be in the database server cache, so the database file will be in an inconsistent state.
If you use any anti-virus software. The reason is, Adaptive Server Anywhere performs many reads and writes other than the normal I/O operations, which contribute to the good performance of Adaptive Server Anywhere. However, anti-virus software might detect this as a potential problem and quarantine the file. This becomes hazardous if the .log or temporary files are quarantined, and it may cause corruption by interfering with the normal functions of the database. Poor performance can also occur if the anti-virus software is checking all I/O operations performed by the database server.
We recommend that you do not use third-party backup software for backing up a running database. We also recommend that you configure your anti-virus software so that it must not scan the NMSROOT/databases directory. NMSROOT is the directory where you have installed Cisco Prime.
Configuring TFTP
This applies only to Solaris. The TFTP (Trivial File Transfer Protocol) daemon shipped by Cisco Prime LMS supports TCP (Transmission Control Protocol) Wrappers. If the TCP Wrapper support is not configured properly in the server where Cisco Prime is installed, the jobs requiring TFTP may fail. To ensure that TFTP works properly, check the following configuration files:

If /etc/hosts.allow file is present, ensure that the command in.tftpd is given as in.tftpd:ALL If the command is not there in the file at all, add it as in.tftpd:ALL If /etc/hosts.deny file is present, ensure that the command in.tftpd is not there in the file If both the files are not present (/etc/hosts.allow and /etc/hosts.deny), you do not need to make any changes
Note
The TCP Wrapper software extends the abilities of inetd to provide support for every server daemon under its control. It provides logging support, returns messages to connections, and permits a daemon to accept only internal connections.
3-45
Chapter 3 Configuring TFTP
Displaying LMS Server Name With Browser Title
Displaying LMS Server name with browser title helps you to identify the server from which the application window is launched especially in a multi-server setup and Single Sign-On based setup. You can enable or disable the option of displaying the LMS Server name along with the browser title. When you choose to display the server name in the browser title, the browser window displays the title in the following format: Hostname - ApplicationWindowTitle where,
Hostname is the name of the LMS Server ApplicationWindowTitle is the title of application window launched from LMS Server.
Note
By default, the option of displaying the LMS Server name with the application window title in the browser is enabled. For example, if the name of your LMS Server is lmsdocultra, then the title of the CiscoWorks home page is displayed as lmsdocultra - CiscoWorks. If you launch LMS from the Cisco Prime LMS, the title of the LMS window is displayed as lmsdocultra - LMS Home. You can also enable or disable the display of server name with the browser title by changing the configurations in a properties file. Configure the uii-windows.properties file located at NMSROOT/lib/classpath to:

Enable or disable the option of displaying server name with browser title. Change the format of display from Hostname - ApplicationWindowTitle to ApplicationWindowTitle - Hostname and vice versa. Replace hyphen (-) with any other delimiter except empty spaces. Trim the spaces between the Hostname, delimiter and Application window title.
3-46
OL-20721-01
CH A P T E R
Administering Discovery Settings and Device and Credential Repository

You can configure discovery settings, and perform some administrative tasks in DCR. This section contains:

Scheduling Device Discovery Configuring Device Selector Administering Device and Credential Repository
For details on configuring discovery logging, see Configuring Discovery Logging.
Scheduling Device Discovery

You can schedule one or more Device Discovery jobs. The optimum Device Discovery schedule depends on the size of network and changes in the network. Before you schedule a Device Discovery job, read the following:

Only one Device Discovery job can run at a time. When you schedule Device Discovery jobs, ensure that the schedule time does not overlap each other. Otherwise, one of the Device Discovery jobs may fail. You should configure the Device Discovery settings before you schedule a Device Discovery job. Otherwise, the system displays an error message when you try add a schedule. However, you can edit the Device Discovery settings for the scheduled job later. Add a Device Discovery schedule. See Adding Device Discovery Schedule for details. Modify a Device Discovery schedule. See Editing Device Discovery Schedule for details. Delete a Device Discovery schedule. See Deleting Device Discovery Schedule for details. Navigate to LMS Job Browser page. See Viewing the Status of Device Discovery Schedules for details. Start device discovery. See Starting Device Discovery for details.
From the Discovery Schedule page, you can:

4-1
Chapter 4 Scheduling Device Discovery
Maintain multiple Device Discovery Settings for multiple schedules. See Maintaining Multiple Discovery Settings for Multiple Scheduled Jobs for details. View the Discovery Settings configured for the selected Device Discovery Schedule. See Viewing Discovery Settings for Selected Discovery Schedule for details. Edit the Discovery Settings for the selected Device Discovery Schedule. See Viewing Discovery Settings for Selected Discovery Schedule for details.
Adding Device Discovery Schedule
To add a Device Discovery schedule:

Step 1
Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears. Click Add. The Add Discovery Schedule popup window appears. The Device Discovery schedules are dependent of Device Discovery Settings. You cannot click the Add button if you have not configured Device Discovery Settings. The Add button is disabled on a fresh installation of LMS in LMS Server. Select a value in the Hour and Min drop-down lists to specify the time when the Device Discovery should start. You should specify the time in 24-hour format. Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern field. Enter a description in the Job Description field. This is optional. You cannot edit the description entered in this field later. Click Schedule. The Device Discovery schedule is created and assigned with a job ID. Email notification is sent to the email address you have configured in the Discovery Settings wizard.
Step 2
Step 3
Step 4 Step 5
Step 6
4-2
OL-20721-01
Chapter 4
Administering Discovery Settings and Device and Credential Repository Scheduling Device Discovery
Editing Device Discovery Schedule
To edit a Device Discovery schedule:

Step 1
Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears. Select a Device Discovery schedule from the list. Click Edit. The Edit Discovery Schedule popup window appears. Edit the values in the Hour and Min drop-down list, if required. Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern field. Click Schedule to save the changes.
Step 2 Step 3
Deleting Device Discovery Schedule
To delete a Device Discovery schedule:

Step 1
Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears. Select a Device Discovery schedule from the list. Click Delete. The Delete Confirmation dialog box appears. Click OK. The selected Device Discovery schedule is deleted from the list of schedules.
Step 2 Step 3
Step 4
Caution
Before you remove a Device Discovery schedule, ensure it is completed. Otherwise, if the Device Discovery job is running, deleting the schedule will stop the job first and then will remove it.
4-3
Chapter 4 Scheduling Device Discovery
Starting Device Discovery
To start immediate discovery for scheduled job:

Step 1
Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears. Select a job from the list. Click Start Discovery. A popup window appears with the information on the immediate jobID. The Start Discovery button will be disabled before setting any jobs or if a discovery is already running. Click OK. The Device Discovery summary screen appears. You can view the status of the job in Job Browser page (Admin > Jobs > Browser).
Step 2 Step 3
Step 4
Viewing the Status of Device Discovery Schedules
You can navigate to LMS Job Browser page from the Discovery Schedule page to view the latest status of Device Discovery jobs. To do so:
Step 1
Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears. Click the link provided at the bottom of the page. The Job Browser page displays the Device Discovery jobs.
Step 2
Maintaining Multiple Discovery Settings for Multiple Scheduled Jobs
Before creating a scheduled job, you must configure the Device Discovery settings. You can edit the settings for scheduled jobs later and maintain different settings for different jobs. To view the existing Device Discovery settings for a selected job, see Viewing Discovery Settings for Selected Discovery Schedule. To edit the Device Discovery settings for a selected job, see Editing Discovery Settings for Selected Discovery Schedule.
4-4
OL-20721-01
Chapter 4
Administering Discovery Settings and Device and Credential Repository Configuring Device Selector
Viewing Discovery Settings for Selected Discovery Schedule
You can view the Discovery settings used to create the selected Discovery Schedule job. To do so:
Step 1
Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears. Select a Discovery schedule from the list. Click View Settings. The View Discovery Settings dialog box appears. Click OK to return to the Discovery Schedule page after you have view the schedule.
Step 2 Step 3
Step 4
Editing Discovery Settings for Selected Discovery Schedule
You can edit the Discovery Settings used to create the selected Discovery Schedule job. To do so:
Step 1
Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears. Select a Discovery schedule from the list. Click Edit Settings. The Module Settings page of Discovery Settings wizard appears. Edit the required module settings and click Next. The Seed Devices Settings page appears. Edit the required seed devices settings and click Next. If you do not want to proceed further, click Finish. The SNMP Settings page appears. Edit the SNMP settings and click Next. If you do not want to proceed further, click Finish. The Filter Settings page appears. Edit the Filter settings and click Next. If you do not want to proceed further, click Finish. The Global Settings page appears. Edit the Global settings and click Next. If you do not want to proceed further, click Finish. The Discovery Settings Summary page appears. Click Finish to return to Discovery Schedule page.
Step 2 Step 3
Step 7
Step 8
Step 9
Configuring Device Selector

The improved Device Selector allows you to search the devices in DCR. It helps to locate the devices and perform the various device management tasks quickly. With this improved Device Selector, you need not remember the device type or application group hierarchy to locate the devices. The devices are categorized under Device Type based groups, User Defined groups, Subnet Based groups, or under All Groups.
4-5
Chapter 4 Configuring Device Selector
You can define the settings of the Device Selector pane to customize the display of devices and the order of display. You can customize the top level groups, sub-groups and the list of devices displayed under each group using the Group Customization option. The Group Ordering option allows you to specify the order of display in which the groups are seen in the Device Selector pane. See Device Selector Settings for more information. The Device Selector Settings are specific to each user. You can search for devices using a Simple search or an Advanced search. See Searching Devices for more information. Tool tips are also provided for devices that contain long names so that you do not have to scroll horizontally to see the complete device name. The Device Selector is used to select devices to perform various device management tasks. The device selector lists all devices in a group. The Display Name of the devices entered when you have added the devices in DCR is displayed as the device name in the Device Selector pane. The Device Selector contains the following components: Component Name Search Input Description Enter your search expression in this text field. You can enter a single device name or multiple device names in this field. You can enter the following as search inputs for searching multiple devices:

Comma separated list of full device names Device names with wildcard characters, (?) and (*), to search for multiple devices matching the text string entered in this input field. The wildcard character ? matches a single character in a device name and the wildcard character * matches multiple characters in a device name.
Combination of comma separated list of device names, and device names with wildcard characters.
See Performing Simple Search for more information. Search Advanced Search All Use this icon to perform a Simple search of devices, after you have entered your search input. See Performing Simple Search for more information. Use this icon to perform an Advanced search of devices. See Performing Advanced Search for more information. This tab lists all the top-level device groups and the device names under each group in a hierarchical format (tree view). The top-level device groups include:

All Devices Device Type Groups Subnet Groups User Defined Groups
See Understanding Device Groups for more information on types of device groups.
4-6
OL-20721-01
Chapter 4
Component Name Search Results
Description This tab displays all the Simple or Advanced search results and you can select all devices, clear all devices, or select a few devices from the list. The Simple search results are based on the display name of the devices added to DCR. The Advanced search results are based on the grouping attributes of the grouping services server.
Selection
This tab lists all the devices that you have selected in the All or Search Results tab or through a combination of both. You can also use this tab to deselect the devices you have already selected. You can perform more than one search and can accumulate your selection of devices.
The Device Selector displays the number of devices selected by you at the bottom. When you click the link provided, it launches the Selection Tab. Tool tips are also provided for devices that contain long names so that you do not have to scroll horizontally to see the complete device name. This section contains the following information:

Selecting Devices for Device Management Tasks Searching Devices Device Selector Settings
Selecting Devices for Device Management Tasks

You can select devices to perform various device management tasks such as editing device credentials and viewing device credentials, using any of these methods:

Selecting Devices From All Tab Selecting Devices From Search Results Combination of Selection From All Tab and Search Results
Selecting Devices From All Tab
The All tab lists the top-level device groups and the device names under each group in a hierarchical format (tree view). You can select the devices from the tree view. The Selection tab shows the flat list of selected devices from the All tab. You should expand the nodes of the top-level device groups and sub groups to see the list of devices within a group and select the devices you want. We recommend that you do not expand all and leave all the multiple group nodes open. This may affect the performance of the device selector.
4-7
Selecting Devices From Search Results
You can perform a Simple Search or an Advanced Search, and the search results are displayed under the Search Results tab. You can select the devices you want from the Search Results tab. The Selection tab and the All tab, display the devices you have selected from the Search Results tab.
Note
You can perform more than one search and can accumulate your selection of devices.
Combination of Selection From All Tab and Search Results
You can select the devices from the All tab and add more devices to the Selection list from the Simple or Advanced search results in the Search Results tab. The Selection tab displays the accumulated list from both All and Search Results tabs. You can enter another search criteria and select more devices. The selected devices are accumulated in the Selection tab.
Searching Devices
With the improved Device Selector, you can search for the devices by performing a Simple search or an Advanced search. In both cases, you do not need to remember the name of the devices and the groups in which the devices are grouped.
Note
The search string is not case sensitive in LMS. This section contains the following:

Performing Simple Search Performing Advanced Search
Performing Simple Search

You can enter your search criteria in the Search Input field and search for the devices using the Search icon. The search results are based on the display name of the devices added in DCR. Note the following points when you perform a Simple search.

You can enter a comma separated list of device names to search for multiple devices. You can use the wildcard characters, * and ?, to search for multiple devices that match the text string entered in this input field. Multiple wildcard characters are allowed in a search string. You can use the combination of comma separated list of device names and wildcard characters in the device names to search for multiple devices. If you are not using the wildcard characters, make sure that you enter the full device name. Device names starting with device2 and with only one character after device2 Device names ending with .cisco1 Device names containing the text string device10
For example, when you enter device2?, *.cisco1,*device10* as search input, the system displays:

4-8
OL-20721-01
Chapter 4
Performing Advanced Search

Use the Advanced Search icon to open the Advanced Search popup window and specify a set of rules for performing an Advanced search. The advanced search is based on the grouping attributes of the application's grouping server. You can create a rule in the Advanced Search dialog box by either:
Using Expressions Using Rule Text Fields
or
You can verify if the rule you have entered is correct using the Check Syntax button, and reset the rule you have created using the Clear button.
Using Expressions
You can use expressions to form a rule in the Advanced Search Dialog box. Each rule expression contains:

Device Type Object type used for forming a group. All expressions start with the string Device Variables Device attributes used to form a device group. The list of variables for advanced search are Category, DeviceIdentity, DisplayName, DomainName, HostName, ManagementIpAddress, MDFId, Model, Series, SystemObjectID, and the user-defined data, if any. The list of device attributes are different across Cisco Prime modules. The Advanced Search window in the Device Selector of Cisco Prime applications displays the respective device attributes as variables.
Operators Various operators to be used with the rule. The list of operators includes equals, contains, startswith, and endswith. The list of operators changes dynamically with the value of the variable selected. For the ManagementIpAddress variable, you can select the range operator other than the standard list of operators. The range operator enables you to search for devices of the specified range of IP Addresses. SeeUsing IP Address Range to Form a Search Rule for more information.
Value Value of the variable. The value field changes dynamically with the value of the variable and operator selected, and this may be a text field or a list box.
After you define the rule settings, click Add Expression to add the rule expression. You can also enter multiple rule expressions using the logical operators. The logical operators include OR, EXCLUDE and AND.
Using IP Address Range to Form a Search Rule
The range operator enables you to search the devices of the specified range of IP Addresses. You can select the range operator only for the ManagementIpAddress and IP.Address variables. You should enter the range of IP Addresses in the Value field, to create a search rule based on IP Address ranges. When you enter the IP Address range in the text field, you should:
Specify the range with permissible values for one or more octets in the IP Address. The minimum limit in the range is 0 and the maximum limit is 255. Use the hyphen character (-) as a separator between the numbers within a range. Specify the range of IP Addresses within the [ and ] characters to create a group rule.
4-9
For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field. You should not:

Enter numbers lesser than 0 and greater than 255 in the IP Address range. Enter any characters other than the range separator (-). Enter the value of highest limit in the range as less than the value of smallest limit number. For example, you should not enter 10.10.10.[8-4].
Example for forming a Search Rule Using Expressions
For example, if you want to search all the devices in the network whose display name contains TestDevice or their IP Addresses within the range 10.10.210.207 to 10.10.212.247, you must perform the following:
Step 1
Click the Advanced Search icon in the Device Selector pane. The Define Advanced Search Rule dialog box appears. Create a search rule expression. To do so:
a. b. c.
Step 2
Select Variable as DisplayName Select Operator as equals Enter the Value as TestDevice
Step 3
Click Add Rule Expression. The rule is added into the Rule Text. Create another rule expression. To do this:
a. b. c. d.
Step 4
Select OR as the logical operator Select Variable as ManagementIPAddress/IP.Address Select Operator as range Enter the Value as 10.10.[210-212].[207-247]
Step 5
Click Add Rule Expression. The rule is appended into the Rule Text. Click Search to display the devices that satisfies the specified rule in the Device Selection dialog box.
Step 6
4-10
OL-20721-01
Chapter 4
Using Rule Text Fields

You can use Rule Text Fields to directly enter a rule without building any expressions. Ensure the rule you create follows the syntax Object type.Variable Operator Value. You can also enter multiple rule expressions using the logical operators.
TestDevice
For example, if you want to search all the devices in the network whose display name contains or their SysObjectIDs start with 1.3.12.1.4, you must construct a rule as follows:
Device.DisplayName contains "TestDevice" OR Device.SystemObjectID startswith 1.3.12.1.4"
Note
We recommend that you use expressions to construct a complex rule instead of creating them using the Rule Text field. Use the Rule Text field to make any minor edits to the constructed rule.
Additional Notes
Read the following notes before you perform an advanced search:

You cannot use wildcard characters in the Value field. Instead you can use the operator as startswith or contains. You can use Check Syntax button, when you add or modify a rule manually. You must delete the complete rule expression including the logical operator, when you delete a portion of your rule. The search string is case-insensitive.
Device Selector Settings

The devices are categorized under Device Type groups, User Defined groups, Subnet groups, Application specific groups or under All groups. You can define the settings of the Device Selector pane to customize the display of devices and the order of display. These configurations are specific to each user and you can save them. The devices are displayed in the appropriate category based on your roles and privileges. All the devices will be listed to the administrator role. This section has the following information:

Understanding Device Groups Customizing Device Grouping Customizing Display Order of Device Groups
Understanding Device Groups

The Device Selector pane displays the following top-level device groups:

All Devices Device Type Groups Subnet Groups User Defined Groups
4-11
All Devices
The All Devices Group displays all the devices in the application in the alphabetical order of their display names. The display names are defined when you have added the devices in DCR.
Device Type Groups

The Device Type Groups displays all devices in groups and subgroups based on their Device Category, Series and Model. By default, the device grouping is based on their Device Categories such as Routers, Switches and Hubs. The Device Category Groups folder can contain devices in subgroups based on their Device Series. For example, the Device Category Group Router can contain devices (Routers) in subgroups Cisco 7000 Router Series and Cisco 12000 Router Series. The Device Series subgroup can contain subgroups of devices based on their Model. For example, the subgroup Cisco 12000 Router Series can contain the devices Cisco 12012 Router and Cisco 12816 Router. See Customization of Device Type Groups for information on customizing the display of devices under Device Type Groups.
Subnet Groups
You can see Subnet Groups, only when Topology and Identity Services functionality is enabled. You can check the functionality settings at Admin > System Administration > Collection Settings > Functionality Settings. In a Multi Server setup, when two or more servers are installed with the Topology and Identity Services, then the Subnet Groups from all the servers will be aggregated and displayed under the Subnet Groups folder in the Device Selector pane. See Customization of Subnet Groups for information on customizing the display of devices under this group.
User Defined Groups

The User Defined Groups are created by users to administer the applications. The User Defined Groups are created in Groups Administration window based on defined group rules. All User Defined Groups (shared groups) from all application group hierarchies are collated and shown as subgroups under this group. In a Multi Server Setup, the top level User Defined Groups will be named as User Defined Groups@Server Name. When there two or more User Defined Groups with the same name, the Device Selector displays all of them. You have to use the Tooltip to find the source server where the User Defined Group is created.
Tip
We recommend you to provide unique and meaningful names to User Defined Groups when you create them to avoid the display of multiple User Defined Groups with the same name. See Customization of User Defined Groups for information on customizing the display of devices under this group.
4-12
OL-20721-01
Chapter 4
Customizing Device Grouping

You can customize the device grouping and display the customized device groups in the Device Selector pane. See Understanding Device Groups for more information on Device Groups. You can use the Group Customization option to customize the display of device groups. This section contains:

Customization of Device Type Groups Customization of Subnet Groups Customization of User Defined Groups
Customization of Device Type Groups

You can display or hide the Device Type Groups folder in the Device Selector pane using the Group Customization option. You can customize the Device Type Based Groups folder to display:

All devices in groups, based on their Device Category only All devices in groups and subgroups, based on their Device Category and Series All devices in groups and subgroups, based on their Device Category, Series and Model
By default, the Device Type Group folder displays the devices in sub groups based on their category only. To display the devices in groups based on their Device Category:
Step 1
Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Check the Show Category Groups check box from the Device Type Based Groups panel. Click Apply to save your changes or click Restore Defaults to restore the default values.
Step 2 Step 3
To display the devices in groups and subgroups based on their Device Category and Series:
Step 1
Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Check the Show Series Groups check box from the Device Types Based Groups panel. When you check the Show Series Groups check box, the Show Category Groups check box will also be checked automatically and will be disabled.
Step 2
Step 3
Click Apply to save your changes or click Restore Defaults to restore the default values.
4-13
To display the devices in groups and subgroups based on their Device Category, Series and Model:
Step 1
Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Check the Show Model Groups check box from the Device Type Based Groups panel. When you check the Show Model Groups check box, the Show Category Groups and Show Series Groups check boxes will also be checked automatically and will be disabled to you.
Step 2
Step 3
Click Apply to save your changes or click Restore Defaults to restore the default values.
To hide the display of Device Type Based Folders from the Device Selector Pane:
Step 1
Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Go to the Device Type Based Groups Panel and uncheck all the check boxes. Click Apply to save your changes.
Step 2 Step 3
Customization of Subnet Groups

The Subnet Groups contains device groups from the Topology and Identity Services. By default, the Subnet Based Groups folder is not displayed in the Device Selector pane. You can customize the Device Selector pane to display the Subnet Based Groups folder using the Group Customization option. To display the devices under Subnet Based groups in the Device Selector Pane:
Step 1
Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Check the Show Subnet Groups at the First Level check box from the Subnet Based Groups Panel. Click Apply to save your changes or click Restore Defaults to restore the default values.
Step 2 Step 3
Customization of User Defined Groups

You can customize the User Defined Groups folder in the Device Selector pane to contain the following:

Only User Defined Groups created by you in the local server Only User Defined Groups created by you in all Peer Servers in a Multi Server setup All User Defined Groups created by any user in the local server All User Defined Groups created by any user in all Peer Servers in a Multi Server setup
By default, you can view all the User Defined Groups (irrespective of any user) created in the local server in the Device Selector pane.
4-14
OL-20721-01
Chapter 4
To display only the User Defined Groups created by you:

Step 1
Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Select My User Defined Groups from the Show drop down list box in the User Defined Groups panel. Select either:
Step 2 Step 3
Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups created by you in the local server. All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined Groups created by you in all the servers in a Multi-server setup.
Or
In a Standalone Server Setup, the From drop down list box contains only Local LMS Server list item.
Step 4
Click Apply to save your preferences or click Restore Defaults to restore the default values.
To display all the User Defined Groups created by all users:

Step 1
Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Select All User Defined Groups from the Show drop down list box in the in the User Defined Groups panel. Select either:
Step 2 Step 3
Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups in the local server. All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined Groups in all the servers in a Multi-server setup.
Or
In a Standalone Server Setup, the From drop down list box contains only Local LMS Server list item.
Step 4
Click Apply to save your preferences or click Restore Defaults to restore the default values.
Customizing Display Order of Device Groups

You can specify the order in which device groups appear in the Tree view on the Device Selector pane using the Group Ordering option. The Group Ordering setup is specific to each user and the changes will be reflected in the Device Selector panes of all applications. The default order of the groups displayed in the Device Selector pane is:
1. 2. 3.
All Devices Device Type Groups User Defined Groups
4-15
Chapter 4 Administering Device and Credential Repository
4. 5.
Subnet Groups Application Specific Groups
You can change the order and save the configurations. To change the order of the device groups:
Step 1
Select Admin > Network > Display Settings > Group Ordering. The Group Ordering page appears. Select a group from the list displayed. Click Up to move the device group up in the displayed order or click Down to move down. Click Apply to save the changes to your system or click Restore Defaults to restore the default settings.
Administering Device and Credential Repository

The DCR Administration feature allows you to do the following tasks:

Changing DCR Mode Configuring Device Polling Configuring User Defined Fields Configuring Default Credentials
To perform these tasks, select Admin > Network > Device Credential Settings. The Admin page appears with the current DCR Administration settings. You can change the Mode Settings or modify User Defined fields.
Changing DCR Mode

To change Mode Settings:
Step 1 Step 2
Select Admin > Network > Device Credential Settings > Mode Settings. The Mode Settings page appears. Click Change Mode to change the current mode. The DCR Mode dialog box appears. You can select the required mode from this dialog box.
This section contains information on:

Master-Slave Configuration Prerequisites Changing the Mode to Standalone Changing the Mode to Master Changing the Mode to Slave
4-16
OL-20721-01
Chapter 4
Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository
Master-Slave Configuration Prerequisites
Before you set up the Master and Slave, you have to perform certain tasks to ensure that secure communication takes place between the Master and Slave.
Tip
We recommend you to configure the Master and all its Slaves in the management domain with the same version of LMS software. See Using DCR Features in a Master-Slave Setup section in the Inventory Management with Cisco Prime LAN Management Solution 4.1 . If machine M is to be the Master and S is to be the Slave:
Step 1
Add a Peer Server User and password in M See Setting up Peer Server Account for details. Add a System Identity user and password in S. This should be same as the Peer Server User set up in M. See Setting up System Identity Account for details. Copy the Self-Signed Certificate of S to M. Also, copy the Self-Signed Certificate of M to S. See Creating Self Signed Certificates for details on creating Self-Signed Certificate and Setting up Peer Server Certificate for details on copying Peer Certificate.
Step 2
Step 3
Step 4
Configure S as Slave and M as Master.
Changing the Mode to Standalone

Step 1 Step 2
Select the Standalone radio button. Click Apply to change mode. The default DCR mode is Standalone.
Changing the Mode to Master
Before you change the mode to Master, ensure that Master-Slave Configuration Prerequisites are in place.
Step 1 Step 2
Select the Master radio button. Click Apply to change mode.
Changing the Mode to Slave
Before you change the mode to Slave, ensure that Master-Slave Configuration Prerequisites are in place. You need to perform the following tasks:
Step 1 Step 2
Select the Slave radio button. Enter the hostname of the Master in the Master field. This hostname should exactly match the Hostname field in the Self Signed Certificate of the Master.
4-17
Step 3 Step 4
Specify the SSL port of the master. Default is 443. Select Inform Current slave(s) of new Master Hostname only if you want to change the mode from Master to Slave. If you select this check box, all the slaves of the Master (whose mode you currently changed to Slave) will be informed of the new master hostname. That is, they will become the slaves of the new Master.
Step 5
Select the Add new devices to Master check box to add the devices in Slave to the new Master. If the devices are already available in the new Master, they will be discarded. Click Apply. A warning message appears when the Master server has the earlier version of LMS. Click OK to change the mode to Slave. To cancel the change of mode, click Cancel.
Step 6
Step 7
Note
You must restart the daemon manager after the mode change to Slave is complete.
Changing the Hostname of a Master
Changing the hostname of a Master is equivalent to pointing Slaves to a new Master. When you point a Slave/Standalone to a new Master, DCR checks whether the new Master has the same Domain ID as the current machine. If Domain ID is the same, DCR displays an error message that Master cannot be configured since the new Master has the same Domain ID. In this case, you need to convert the Slave to Standalone, and then register the machine with the new Master. When you re-register, the applications on Slave will clean up the device list. When you change the host name of the current Master, you must change the Slave mode to Standalone, and then re-register the machine as a Slave by providing the new Master hostname. However, when the machine is re-configured as Slave, the applications will clean up the device list. For example, if you have a Master M and Slave S, and if you change the hostname of M, you should change the mode of S to standalone. Then, you have to configure S as the Slave of M. But when you re-configure S as Slave, the applications on S will clean up their device lists. Therefore, you have to be aware that while changing the hostname of a Master, application data is cleaned up on all Slaves.
4-18
OL-20721-01
Chapter 4
Configuring Device Polling

In the earlier releases, there was no mechanism to detect the devices that were not reachable for a certain time period and easily identify the devices to be deleted. The Device Polling configuration feature overcomes this and helps you to:

Activate Device Polling to check whether the devices can be reached Configure Device Polling policy Schedule Device Polling Display a list of devices that are not reachable for a certain period of time Delete the selected unreachable devices from DCR
You should have the required privileges to configure Device Polling policy. You should be a Network Administrator, or a System Administrator to perform this task in Cisco Prime local mode. You should have the following privileges to delete the devices:

Privileges to perform the Delete Devices task Device level authorization Configuring Device Polling Settings Deleting Unreachable Devices from DCR

Configuring Device Polling Settings

You can configure a Device Polling policy and schedule a Device Polling job to check whether the devices can be reached. Read the following notes before you configure Device Polling settings:
You can use any one or more of the following protocols to poll devices:
ICMP (Ping) SNMPv3 SNMPv2c/SNMPv1
When you select all protocols, the devices in the network are polled using ICMP (Ping) first followed by SNMPv3, and later by SNMPv2c/SNMPv1. When you select SNMPv2c/SNMPv1 protocol, SNMPv2c is used first to poll the devices. SNMPv1 is used to poll the devices only if the SNMPv2c protocol has failed to query the device. If you use more than one protocol for polling and if a device is reachable using the first protocol, the other protocols will not be used. You can configure only one job at a time to detect unreachable devices. You can modify the schedule later at any point of time. You cannot schedule an immediate Device Polling job. In a Master-Slave setup, you can configure Device Polling settings and run the Device Polling job only from Master server.
4-19
To configure a Device Polling policy:

Step 1
Select Admin > Network > Device Credential Settings > Device Poll Settings. The Device Poll Settings page appears. Select the Activate Device Polling to Check Reachability check box to enable Device Polling. Device Polling is not enabled by default. You must select this check box to activate Device Polling. Configure a Polling Policy. To do so:
a.
Step 2
Step 3
Enable one or all of the check boxes in the Poll Policy panel to select the protocols to be used for polling:
ICMP (Ping) SNMPv3 SNMPv2c/SNMPv1
You must select at least one protocol to activate Device Polling.

b.
Enter the timeout value for the selected protocols in the appropriate Timeout fields. The timeout denotes the time period after which the ICMP or SNMP query of devices times out. You must enter the timeout value in milliseconds. The minimum timeout value is 1000 milliseconds and the maximum value is 20000 milliseconds. Default value is 1000 milliseconds. You cannot leave this field blank. Enter the value of retries for the selected protocols in the appropriate Retries fields. The retry denotes the number of attempts made to query the device. You can specify any value between 0 to 8 as number of retries. The default number of retry is 1 for both ICMP and SNMP protocols. You cannot leave this field blank. Enter the number of instances in Notify when devices not reachable for, to receive notifications when the devices are not reachable for a specific time period. This is mandatory. For example, if you enter the number of instances as 2 and the Device Polling job frequency as Daily, you will receive notifications of devices that are not reachable for two days or more than 2 days. If you enter the number of instances as 3 and the Device Polling job frequency as 6 hours, you will receive notifications of devices not reachable for last 18 hours or more than 18 hours. See Step 4 for details on the job frequencies available.
c.
d.
Step 4
Schedule the Device Polling task. To do this:

a.
Select a job frequency from the Run Type drop-down list. You can schedule only periodic Device Polling. The scheduling can be 6 -Hourly, 12 -Hourly, Daily, Weekly, or Monthly.
b.
Enter a date in the Date field or select a date from the date picker to start the scheduled job. The current date on the client system is displayed in the Date field by default.
You can edit the schedule at a later point of time. See Step 5 for details. If you do not want to edit the schedule, go to Step 7.
4-20
OL-20721-01
Chapter 4
Step 5
Select the Change Schedule check box if you want to edit the schedule information (Run Type and Starting Date). This field does not appear after a fresh or upgrade installation of LMS or if a Device Polling job has not been scheduled earlier. If you opt to change the schedule, the existing job schedule is deleted from Job and Resource Manager (JRM) and a job is scheduled. The device reachability status is also reset. A warning message appears if you select this check box. Click OK. Enter the Job information. To do this:
a. b. c. d.
Step 6 Step 7
Select the Report Attachment field if you want to receive the report through e-mail. Select the Attachment Option as either PDF or CSV. Enter a brief description about the Device Polling job in the Job Description field. Enter your e-mail ID in the E-mail field to receive notifications about the status of the Device Polling job. You can enter multiple e-mail addresses separated by commas. Entering an e-mail ID is mandatory when you have selected the Report Attachment field.
Step 8
Click Apply for the Device Polling settings to take effect. The Device Polling schedule is created and assigned with a job ID. Notification is sent to the e-mail address you have configured in the Device Polling Settings page.
Deleting Unreachable Devices from DCR

The possible reasons for device unreachability are:

Connectivity protocols such as SNMP or ICMP may be disabled on the device. Incorrect credentials may be configured for the device. Invalid timeout and retries may have been configured on the device.
To delete unreachable devices from DCR, select Reports > Inventory > Management Status > Unreachable Devices.
Configuring User Defined Fields

The User Defined Fields (UDFs) are used to store the additional information about a device. DCR supports a maximum of ten UDFs. By default, the user interface provides four UDFs:

user_defined_field_0 user_defined_field_1 user_defined_field_2 user_defined_field_3
4-21
You can add six more UDFs through the user interface. You can rename or delete all the UDFs including the four default UDFs provided by the user interface. This section explains the following:

Adding User Defined Fields Renaming User Defined Fields Deleting User Defined Fields
Adding User Defined Fields

To add a User Defined Field (UDF):
Step 1
Select Admin > Network Administration > Device Credential Repository Settings > User Defined Fields. The User Defined Fields page appears with the current settings.
Click Add to add a UDF. Enter the field label and description in the corresponding fields. Click Apply to apply the changes. To return to the User Defined Fields page, click Cancel.
Renaming User Defined Fields

To rename a UDF:
Step 1
Select Admin > Network > Device Credential Settings > User Defined Fields. The User Defined Fields dialog box appears. Select the radio button corresponding to the UDF you want to rename. Click Rename. The User Defined Field dialog box opens in a new window. Enter the UDF label and description in the corresponding fields. Click Apply. To return to the User Defined Fields page, click Cancel.
Step 2 Step 3
Step 4 Step 5
4-22
OL-20721-01
Chapter 4
Deleting User Defined Fields

By default, you can define four attribute fields for a device. These fields are used to store additional user-defined data for the device. You can add up to ten UDFs. To delete a UDF:
Step 1
Select Admin > Network > Device Credential Settings > User Defined Fields. The User Defined Fields dialog box appears. Select a UDF and click Delete. A confirmation message window appears. Click OK. To return to the User Defined Fields page, click Cancel.
Step 2
Step 3
Configuring Default Credentials

Devices added or imported into DCR do not contain all credentials required by the network management applications to manage them. Sometimes this could lead to failure of application jobs. The default credentials feature helps you to add or import devices into DCR with the default credentials and prevents the management applications from failing when the network management applications manage the devices added or imported in DCR. Default credentials are stored in DCR and are not associated with any device. You can configure multiple default credential sets. You can set these default credential sets for a range of devices to be added or imported to DCR based on certain policies. You should be a Network Administrator, a System Administrator, or a Super Admin to configure default credential sets and default credential set policies. This section explains:

Using Default Credentials Important Notes on Default Credentials Default Credentials Behavior in Multi-Server Setup Configuring Default Credential Sets Configuring Default Credential Set Policy
Using Default Credentials

You can choose to use the default credentials when you:
Manually add devices in DCR When you manually add devices with a similar credential set in DCR, you have to enter the credentials repetitively for every device addition. Instead, you use the default credentials defined in default credential sets or default credential set policies to populate DCR.
Add devices into DCR through Discovery Discovery populates only the SNMP read community string in DCR during device addition and leaves the other credentials as blank.
4-23
When other applications manage the newly added device, the management operations fail if they cannot retrieve the required credentials from DCR. To prevent the management operations failing, you can use the default credentials while adding devices through Discovery.
Import devices into DCR Importing devices from a file, NMS or any other third party applications into DCR populates the SNMP read-only community string and the SNMP read/write community string. When other applications manage the newly imported devices, the management operations fail if they could not retrieve the required credentials from DCR. To prevent the management operations from failing, you can use the default credentials while importing devices from NMS or any other third party application.
Important Notes on Default Credentials

You should read the following notes about the default credentials before you configure them and choose to use them in various flows:

The default credentials you use while adding or importing devices into DCR will not be verified. You can configure multiple default credential sets and add or import a set of devices in DCR with default credentials from a default credential set. Later, you can edit the value of the credentials in a default credential set and add another set of values with the edited default credentials. The devices that are already added or imported into DCR will not be affected if you edit the values of the default credentials or remove the default credentials from DCR. Devices added with default credentials in DCR populates all the credentials you have configured for the default credential set irrespective of the device management type. For example, if you have configured the default credential set with Standard credentials, SNMP credentials, and Auto Update Server Managed Device credentials and if you add a device of Standard management type in DCR, the Auto Update Server Managed Device credentials are also populated for that device.
We recommend you to configure a default credential set with the values common for most of the devices that are to be added or imported into DCR.
Default Credentials Behavior in Multi-Server Setup

You can configure the default credential sets and policies only in the DCR Master and Standalone modes. This option is not available in the DCR Slave Server. However, you can use the default credentials in the Cisco Prime applications in DCR Slave Server while adding the devices to DCR. If you opt to use the default credentials, the DCR Slave Server uses the credentials stored at the DCR Master Server. If you configure a LMS Server from DCR Standalone to DCR Slave mode, the default credentials entered in the server will not be used after the mode is changed to Slave. However, when you change the DCR mode back to the Standalone mode from the Slave mode, the default credential sets and policies are restored as configured earlier.
4-24
OL-20721-01
Chapter 4
Configuring Default Credential Sets

You can configure a maximum of 50 default credential sets. Each default credential set comprises the following credentials:

Primary Credentials (Username, Password, Enable Password) Secondary Credentials (Username, Password, Enable Password) SNMPv2c/SNMPv1Credentials (Read-Only Community String, Read-Write Community String) SNMPv3 Credentials (Mode, Username, Authentication Password, Authentication Algorithm, Privacy Password, Privacy Algorithm) HTTP credentials (Primary HTTP Username and Password, Secondary HTTP Username and Password, HTTP port, HTTPS port, Current Mode) Auto Update Server Managed Device Credentials (Username and Password) Rx Boot Mode Credentials (Username, Password) Configuring a Default Credential Set Editing a Default Credential Set Deleting a Default Credential Set

Configuring a Default Credential Set

To configure a default credential set:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets. The Default Credentials Sets page appears. The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Server.
Step 2 Step 3
Click Next or select Credential Sets name from the Default Credentials list panel and enter the respective credential information. Enter a name of the credential set in the Credential Set Name field. This is mandatory. The Credential Set Name can contain lower case alphabets, upper case alphabets, and numerals (0 to 9). You can include the following special characters in the Credential Set Name: Special Character _ . Description Underscore Hyphen Period
4-25
Step 4 Step 5
Enter a description of the credential set in the Set Description field. Click Next or select a credential type from the Default Credentials list panel and enter the respective credential information. You can select any of the credential types from the panel.

Standard Credentials SNMP Credentials HTTP Credentials Auto Update Server Managed Device Credentials Rx-Boot Mode Credential Standard Credentials
Primary Credentials (Username, Password, Enable Password) Secondary Credentials (Username, Password, Enable Password)
Step 6
Enter the following credentials as required:
SNMP Credentials
SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community
String)
SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy
Password, Privacy Algorithm) You must select the SNMPv3 check box to add SNMPv3 default credentials. By default, these fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode is AuthPriv.
HTTP Credentials
Primary Credentials (Username, Password) Secondary Credentials (Username, Password) Other Information (HTTP Port, HTTPS Port, Current Mode)
Auto Update Server Managed Device Credentials (Username, Password) Rx-Boot Mode Credentials (Username, Password)
Note
Re-enter the value of passwords in the respective Verify fields.
You must enter a value for at least one credential before applying the default credentials.
Step 7
Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also click Back to navigate to the previous page and click Remove to delete the Default Credential Set and the credentials configured in this Credential Set, but it will not affect the devices that are already added or imported with default credentials.
4-26
OL-20721-01
Chapter 4
Editing a Default Credential Set

To edit a default credential set:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets. The Default Credentials Sets page appears. The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Server.
Click Next or select Credential Set Name from the Default Credentials list panel. Select a default credential set name from the Credential Set drop-down list box. Edit the description of the credential set in the Set Description field. You cannot edit the name of the credential set. Click Next or select a credential type from the Default Credentials list panel. Edit the following credentials as required:
Step 5 Step 6
Standard Credentials
Primary Credentials (Username, Password, Enable Password) Secondary Credentials (Username, Password, Enable Password)
SNMP Credentials
SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community
String)
SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy
Password, Privacy Algorithm) You must select the SNMPv3 check box to add or edit SNMPv3 default credentials. By default, these fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode is AuthPriv.
HTTP Credentials
Primary Credentials (Username, Password) Secondary Credentials (Username, Password) Other Information (HTTP Port, HTTPS Port, Current Mode)
Auto Update Server Managed Device Credentials (Username, Password) Rx-Boot Mode Credentials (Username, Password)
Note Step 7
Re-enter the value of passwords in the respective Verify fields.
Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also click Back to navigate to the previous page and click Remove to delete the Default Credential Set and the credentials configured in this Credential Set, but it will not affect the devices that are already added or imported with default credentials.
4-27
Deleting a Default Credential Set

To delete a default credential set:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets. The Default Credentials Sets page appears. The Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Server.
Step 2 Step 3
Select a credential set from Credential Set drop-down list box. Click Remove to delete a default credential set. The selected default credential set is deleted from the LMS Server. The default credential set policies that you have configured with this default credential set will also be deleted.
Configuring Default Credential Set Policy

You can configure default credential set policies and apply the default credentials for a range of devices to be added or imported to DCR. We recommend that you create up to 50 default credential set policies. You can create default credential set policies based on following policy types:

IP Address Hostname Display Name Before Configuring a Credential Set Policy Creating a Default Credential Set Policy Patterns in IP Address Default Credential Set Policy Rules Regular Expressions in Default Credential Set Policy Rules Examples For Default Credential Set Policies Deleting Default Credential Set Policies Defining the Order of Default Credential Set Policies

Before Configuring a Credential Set Policy

Read the following notes before configuring a default credential set policy:
You can include patterns when creating rules for IP Address based default credential set policies. See Patterns in IP Address Default Credential Set Policy Rules for more information. Regular expressions are supported for policies based on Hostname and Display Names. IP Address based policy types do not support regular expressions. See Regular Expressions in Default Credential Set Policy Rules for more information.
4-28
OL-20721-01
Chapter 4
The expressions in default credential set policy rules are case insensitive. You can include the following characters in Display Name and Hostname:
Lower case alphabets Upper case alphabets Numerals ( 0 to 9) Special characters such as hyphen (-), underscore (_), period (.) and colon (:)
When you define more than one policy for a default credential set, all these policy rules work together. The policies will be applied in the same order in which they appear on the Credentials Sets Policy Configuration page. See Defining the Order of Default Credential Set Policies for more information.
Creating a Default Credential Set Policy

To create a default credential set policy:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Default Credentials Sets Policy Configuration page appears. The Default Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.
Step 2
Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears. Construct a policy rule. To do so:
a.
Step 3
Select a parameter from the Select a Policy Type drop-down dialog box. The listed parameters are IP Range, Hostname and Display Name. Based on the parameter that you have selected, the value field name changes dynamically. Enter a value for the rule parameter. If you have selected IP Range as the rule parameter, enter a value in the IP Range field. If you have selected Hostname as the rule parameter, enter a value in the Hostname field. If you have selected Display Name as the rule parameter, enter a value in the Display Name field. See Patterns in IP Address Default Credential Set Policy Rules and Regular Expressions in Default Credential Set Policy Rules for more information. The expressions in credential set policy rules are case insensitive. Select a credential set name from the Credentials Set drop-down list box to associate the rule expression with the default credential set. Select No Default if you do not want to enter a credential set name.
b.
c.
Step 4
Click OK to go back to Credentials Sets Policy Configuration page. The policy that you have configured is listed in the Credentials Sets Policy Configuration page.
You can edit a default credential set policy later. To do so, you must select a default credential set policy in the Credentials Sets Policy Configuration page and click Edit.
4-29
Patterns in IP Address Default Credential Set Policy Rules

When you define a default credential policy type based on IP Address, you should follow these guidelines:

Use the standard IPv4 Address format (4 octets separated by periods) or the IPV6 Address format. Any octet can have one of the following: Any Octet can have.. Numbers between:

Example

10.77.240.225 (IPv4 Address) 001:DB8:0:2AA:FF:C0A8:0:640A (IPv6 Address) 10.*.*.240 (IPv4 Address) 001:*:0:2AA:FF:*:*:* (IPv6 Address) 10.77.[220-240].[210-220] (IPv4 Address) 001:DB8:0:[EE-FF]:FF:C0A8:0:[100-AA F] (IPv6 Address)
0 to 255 for an IPv4 Address 0 to FFFF for an IPv6 Address
Asterisk (*) as wildcard denoting all numbers from 0 to 255 in an IPv4 Address and 0 to FFFF in an IPv6 Address. Range of numbers in the [StartingNumber-EndingNumber] format, where:
StartingNumber and EndingNumber should
be numbers between 0 to 255 in an IPv4 Address and 0 to FFFF in an IPv6 Address

StartingNumber should not be greater than
The following are examples of invalid IP Address ranges:

or equal to EndingNumber
10.77.[250-200].221 10.77.200-250.221 001:DB8:0:[EEEE-FF]:FF:C0A8:0:[D-5] 001:DB8:0:AA-BB:FF:C0A8:0:[D-5]
The octets in an IP Address policy type can also contain the combination of wildcard characters and range of numbers. Some examples of IP Address filter combinations include:
10.77.[210-230].* 10.77.*.[110-210] 001:DB8:*:*:FF:[C0A-DD8]:0:[5-D] [10-20]:[10-20]:[A-F]:2:4:*:*:*
4-30
OL-20721-01
Chapter 4
Regular Expressions in Default Credential Set Policy Rules

Hostname and Display Name policy types supports regular expressions. You can use the following characters in regular expressions: Character Description . ( ) * + \ Period Opening parenthesis Closing parenthesis Asterisk Plus character Trailing slash Purpose Matches any character Marks the beginning of a group of matched characters Marks the end of a group of matched characters Matches zero or more occurrences of regular expression specified earlier Matches zero or more occurrences of regular expression specified earlier Identifies a special character within a regular expression
Examples For Default Credential Set Policies

Example 1 - IP Range Policy Type
Consider that all devices whose IP Addresses are within the range 10.77.[210-230].*, should be added or imported to DCR with the default credentials defined in a default credential set IPSet. You should create a default credential set policy based on the IP Range policy type. To do so:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears.
Step 2
Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears. Construct the policy:
a. b. c.
Step 3
Select the policy type as IP Range from the Select a Policy Type drop-down list box. Enter the IP Range value as 10.77.[210-230].* Select the Default Credential Name as IPSet
Step 4
Click OK to go back to Default Credential Sets Policy Configuration page. The policy that you have configured will be listed in a table format.
4-31
Example 2 - IP Range Policy Type
Consider that all devices whose IP Addresses are within the range 100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15], should be added or imported to DCR with the default credentials defined in a default credential set IPv6Set. You should create a default credential set policy based on the IP Range policy type. To do so:
Step 1
Step 2
a. b. c.
Step 3
Select the policy type as IP Range from the Select a Policy Type drop-down list box. Enter the IP Range value as 100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15] Select the Default Credential Name as IPv6Set
Step 4
Example 3 - Display Name Policy Type
Consider that all devices whose Display Names end with or contain device, should be added or imported to DCR with the default credentials defined in a default credential set SetName2. You should create a default credential set policy based on the Display Name policy type. To do so:
Step 1
Step 2
a. b. c.
Step 3
Select the policy type as Display Name from the Select a Policy Type drop-down list box. Enter the value as (.)*device Select the Default Credential Name as SetName2
Step 4
4-32
OL-20721-01
Chapter 4
Example 4 - Display Name Policy Type
Consider that all devices whose Display Names contain 1.3.6.1.4.1.9.1.n, should be added or imported to DCR with the default credentials defined in a default credential set SOIDset. You should create a default credential set policy based on the Display Name policy type. To do so:
Step 1
Step 2
a. b. c.
Step 3
Select the policy type as Display Name from the Select a Policy Type drop-down list box. Enter the value as (.)*\.1\.3\.6\.1\.4\.1\.9\.1\.(.) Select the Default Credential Name as SOIDset
Step 4
Example 5- Host Name Policy Type
Consider that all devices whose Hostnames start with Che, should be added or imported to DCR with the default credentials defined in a default credential set SetName1. You should create a default credential set policy based on the Hostname policy type. To do so:
Step 1
Step 2
a. b. c.
Step 3
Select the policy type as Host Name from the Select a Policy Type drop-down list box. Enter the value as Che(.)* Select the Default Credential Name as SetName1
Step 4
4-33
Example 6- Host Name Policy Type
Consider that all devices whose Hostnames contain lab2, should be added or imported to DCR with the default credentials defined in a default credential set SetName3. You should create a default credential set policy based on the Hostname policy type. To do so:
Step 1
Step 2
a. b. c.
Step 3
Select the policy type as Host Name from the Select a Policy Type drop-down list box. Enter the value as (.)*lab2(.)*. Select the Default Credential Name as SetName3
Step 4
Deleting Default Credential Set Policies

To delete default credential set policies:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears. The Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.
Step 2
Select a default credential set policy to delete. You can also select multiple default credential set policies to delete. Click Delete to remove the default credential set policies.
Step 3
4-34
OL-20721-01
Chapter 4
Defining the Order of Default Credential Set Policies

You can specify the order in which the default credential set policies should be applied for devices that are added or imported into DCR. The default credential set policies are applied in the order they appear on the Credentials Sets Policy Configuration page. The default credential set policies appearing at the top of the list are applied first. You can create more than one default credential set policy for a default credential set. When you define more than one policy for a default credential set, all these policy rules work together. For example, consider 10.77.240.[50-52] as a first IP Address policy associated with a default credential set name Test1 and 10.77.240.* as the second IP Address policy associated with a default credential set name Test2. The default credentials defined in Test1 will be applied for all devices in the IP range 10.77.240.[50-52] added or imported into DCR. The default credentials defined in Test2 will be applied for all devices in the IP range 10.77.240.* except the devices with IP Addresses 10.77.240.50, 10.77.240.51 and 10.77.240.52. For example, consider 10.77.*.* as a first IP Address policy for a default credential set name Test1 and 10.77.210.* as the second IP Address policy for a default credential set name Test2. The default credentials defined in Test1 will be applied for all devices in the IP range 10.77.*.* added or imported into DCR. The policy rule 10.77.210.* will never be applied as 10.77.210.* is a subset of 10.77.*.*. To specify the order of default device credentials policies:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears with a list of default credential set policies.
Step 2 Step 3
Select a default credential set policy. Either:
Click the Up Arrow icon to move the selected default credential set policy up in the displayed order. Click the Down Arrow icon to move the selected default credential set policy down in the displayed order.
Or
Step 4
Click Apply Settings to save the changes.
4-35
CH A P T E R
Managing Groups
LMS 4.1 combines the device grouping with a new attribute list. The other grouping services that are available in LMS are:

Fault Group - supports 50 groups IPSLA Collector Group - supports 100 groups Port and Module Group - supports 100 groups
The numbers of groups that LMS supports will vary according to the SKU that you use. For more details, see Application Scaling Numbers section in the Installing and Migrating to Cisco Prime LAN Management Solution 4.1 guide. This section explains the following:

Groups - Components and Basic Concepts Groups in Single-Server and Multi-Server Setup Device Group Administration DCR Mode Changes and Group Behavior Port and Module Group Administration Working with Fault System-defined Groups Working with Customizable Groups Managing Fault Groups Viewing Fault Group Details Viewing Fault Membership Details Refreshing Fault Membership Deleting Fault Groups Understanding Collector Group Rules IPSLA Collector Group Administration Process Understanding IPSLA Collector Group Administration Working with User-Defined Collector Groups Operation-Based Collector Groups (System-Defined)
5-1
Chapter 5 Groups - Components and Basic Concepts
Managing Groups
Groups - Components and Basic Concepts

This section explains the components of a group and the basic concepts of a group.
Components
The following are the components of a group:
Group Server: Manages groups of devices. It helps you to create, edit, delete, and refresh groups to be shared by the application. It interfaces with an application service adapter (ASA) to evaluate group rules and retrieve devices of a particular group.
Application Service Adapters (ASAs): Application-specific information repository that serves as source of the devices and attributes that are grouped by the Groups Server. Till LMS 3.2, ASA was an interface between applications and Groups Server. In LMS 4.1, there is only a single ASA. Group Admin: Allows you to interact with the Groups Server to create and manipulate groups using Group Admin.
Basic Concepts
The following are the basic concepts of a group:
Group Class: Representation of a set of devices belonging to DCR. In this context a device in Device and Credential Repository (DCR) is a single instance of a class. Each instance (device) will have a set of attributes and a unique device ID.
Group Object: Device in a group class. Each device in the group will have a set of attributes stored in DCR. Associated with every device is a unique and immutable device ID.
Group: Named aggregate entity comprising a set of devices belonging to a single class or a set of classes, with a common superclass. Groups can be shared between users or applications, subject to access-control restrictions. The membership of a group is determined by a rule.
Group Rule: Consists of one or more rule expressions combined by operators, which can be AND, OR or EXCLUDE. A rule always evaluates to objects of a particular class defined in an application schema.
5-2
OL-20721-01
Chapter 5
Managing Groups Groups in Single-Server and Multi-Server Setup
Groups in Single-Server and Multi-Server Setup

This section has the following subsections:

Groups in Single Server Scenario Groups in Multi-Server Scenario
Groups in Single Server Scenario

The devices you see in the Group Administration UI in depends on whether the devices are being managed by LMS or not, and not on any application like CS, RME, CM. In LMS 3.2, if there are Common Services, LMS, and RME installed on a server, you can see the following groups in the Groups UIs of the applications.

CS@hostname RME@hostname Campus@hostname Device Groups The device group name is LMS@hostname, instead of CS@hostname, RME@hostname, and Campus@hostname. LMS supports 200 device groups.
In LMS 4.1, there are no separate applications and there are four types of groups:
Fault Groups These groups are created by the Fault Management module in LMS, and consist of interface, trunk port, and access port groups. Each group has a set of properties (such as a name, description, and permission.), and are defined by the rules associated with the group.
IPSLA Collector Groups You can group IPSLA collectors based on a set of criteria such as operation name, operation type, source address, target address.
Port and Module Groups You can group ports and modules for easy port and module selection in various configuration workflows.
5-3
Chapter 5 Device Group Administration
Managing Groups
Groups in Multi-Server Scenario

Groups you create in LMS groups UI in the Master get synchronized with the Slave. If you create a subgroup under LMS@Master hostname in one server, it appears under LMS@Slave hostname in the peer server. However, in the Master server, if you create a subgroup under LMS@Master hostname, it will always appear under LMS@\Slave hostname\, in the Slave. That is, the subgroup created in the Master appears under the shared group of the application in the Slave. When the user-defined group under master and the user-defined group under slave has the same group name, then when doing master slave setup, the master group will be retained in slave. The slaves group will get deleted. Once the master slave setup is done, when we add a group in master it will be synced with slave only after OGS process is restarted. The direct sync up will be done only during the setup. After setup, both the OGS will act as a individual servers.
Note
You can create groups in LMS even if the server on which it is installed is in Slave mode. If you have created a subgroup under LMS@Master hostname , in S, you can see this subgroup under LMS@Slave hostname. In a cluster, if you have M as the Master, and S1 and S2 as Ms slaves, and you want to evaluate S1s groups from S2, you need to import the certificate of S1 to S2 and vice versa.
Device Group Administration

The Group Administration UI helps you to create, edit, view, delete, export, import, and refresh groups. The UI displays a Group Selector that contains the following predefined higher-level groups:

System-defined Groups User-defined Groups
The System-defined Groups shows subgroups only after Device and Credential Repository is populated. The predefined sub-groups under System-defined Groups are:

Cisco Interfaces and Modules Network Management Non Cisco Devices Routers Switches and Hubs Subnet Based Groups Contains sub folders representing subnets (one folder per subnet) discovered in the network. Each folder contains the devices corresponding to those subnets.
Note
Subnets groups will appear only after a successful Data Collection.
5-4
OL-20721-01
Chapter 5
Managing Groups Device Group Administration
Voice and Telephony Unknown Device Type Universal Gateways and Access Servers Wireless
You can create subgroups only under User-defined Groups. You cannot create them under System-defined Groups. However, you can view the details of a subgroup under System-defined Groups and refresh the group.
Note
Group Administration UI will be enabled only on servers in which DCR is in Master or Standalone mode. The groups created in DCR Master will be copied to Group Administration instances on servers where DCR is in Slave mode. The following sections provide information on how to perform group administrative tasks in LMS 4.1:

Migrating Device Groups from Previous Releases of LMS Creating Groups Viewing Group Details Modifying Group Details Refreshing Groups Deleting Groups Exporting Groups Importing Groups Overview of Subnet Based Groups
Migrating Device Groups from Previous Releases of LMS
The following table explains migration of device groups from previous releases of LMS, in the table. In this example, Group A is an application group created separately in CS, RME, and CM, in earlier versions of LMS: Common Services UDG/SDG Group A
LMS Version 3.0.6 and later 4.0
RME UDG/SDG Group A
Campus Manager UDG/SDG Group A
After migration to After migration to After migration to LMS 4.1, LMS 4.1, Group A is LMS 4.1, Group A is not Group A is not available Available available Group A After migration to LMS 4.1, Group A will not be available Group A After migration to LMS 4.1, Group A will not be available Subnet-based groups After migration to LMS 4.1, CM Subnet-based groups will not be available.
3.0.6 and later 4.0
3.0.6 and later 4.0
You must create new subnet-based groups after a successful Data Collection
5-5
Managing Groups
Creating Groups
You can create device groups using this feature. To create a new device group:
Step 1
Either:
Select Admin > System > Group Management > Device. The Group Administration page appears.
Or
Select Inventory > Group Management > Device. The Group Administration page appears.
The Group Administration in the Group Administration page provides you with Group Selector.
Step 2
Select the group from the groups listed in Group Selector to create a new subgroup. The Group Info fields on the right, display details of the selected group. The group you select here is the Parent group for the new group that you are about to create. You can change the Parent group later, if required. You cannot create groups under System-defined Groups but you can view details and refresh the group. Users in admin role have read-write access to User-Defined groups based on the visibility scope (Public or Private). If you have the required permissions, you can create subgroups under groups.
Step 3
Click Create to create a new group. The Group Administration Creation wizard is launched and guides you through the process of creating a new group. Perform the following tasks using the Groups Create wizard.
a. b. c.
Specify group properties. See Specifying Group Properties for information. Define group rules. See Defining Group Rules for information. Assign group membership. See Assigning Group Membership for information.
The first page in the wizard is the Properties:Create window. While creating a new group you must complete all of the above three tasks in this sequence to create a group. If you exit the wizard at any stage by clicking Cancel, the details you have specified will be lost and the group will not be created.
The default limit of User Defined Groups you can create is 600. If you try to create more than 600 User-Defined Groups, you will get a message that you have exceeded the limit. This section contains:

Specifying Group Properties Defining Group Rules System Defined Attributes Assigning Group Membership
5-6
OL-20721-01
Chapter 5
Specifying Group Properties

While specifying group properties, you can enter the properties such as name and description, and modify the parent group, if required, and update membership, and specify the visibility scope. To complete the tasks in this phase:
Step 1
Either:
Or
Step 2
Click the Create button in the Group Administration. The Properties page appears. Enter a name for the group in the Group Name field in the Properties:Create dialog box. The group name should be unique within the Parent group. However, it need not be so across groups. The same group name cannot be used in the same group hierarchy. For example, if you have a group /LMS@Servername/User Defined Groups/MyView, you cannot create another group with the same name MyView under /LMS@Servername/User Defined Groups.
Step 3
Step 4
Click Select Group, if you want to copy the attributes of an existing group. The Replicate Attributes dialog box appears. Select the group you need from the Replicate Attributes list and click OK. To return to the Properties page, click Cancel. Click Change Parent, to change the Parent group. The Group Selector page appears. Select the group you need from the Select Parent list. Click OK. The Group Administration wizard changes the Parent group to the one you selected. To return to the Properties page, click Cancel.
Step 5 Step 6
Step 7 Step 8
Step 9
Enter a description for the group. Typically, you can enter a detailed description of the group that identifies its characteristics in this field. Select the Membership Update mode for the group. The modes of membership updates available are:
Step 10
Automatic: The membership of the group is updated when you add a new device to the group, and each time the group is invoked.
Only Upon User Request: The membership of the group is recomputed only when an explicit request is made, using the Refresh option.
If you select Automatic, the group will be a Dynamic group. If you select Only Upon User Request, the group will be a Static group.
5-7
Managing Groups
Step 11
Select either Public or Private to specify the visibility scope.
Private The group created can be viewed only by user who creates the group. Public The group created can be viewed by all users.
Step 12
Click Next to get to the Rule:Create dialog box. See Defining Group Rules to define simple and composite group rules.
Defining Group Rules

In the Rules:Create dialog box, you can define the rules for the group. The rules you define in this phase determine the contents of the group. The rules you specify here determine the devices to be included in the group. In the Rules:Create dialog box, you can either enter the rules directly in the Rule Text field, or select the components of the rule from the Rule Expression fields, and form a rule. The rule expression has the following components:
Object.Variable operator value
If you have created the group by copying the attributes of another group, the rules specified for that group appear in the Rule Text field. You can retain these and add more rules, or delete these rules and create a new set of rules. The Rules:Create dialog box allows you to check the syntax in the Rules Text field. You can use this facility to validate the rules you have created. If you leave the rule blank, it creates a Container group. Click View Parent Rules to display the rules defined for its ancestor groups. This section explains:

Defining a Group Rule Defining Composite Group Rules Using IP Address Range Operator Examples System Defined Attributes
Before you launch the Rule:Create dialog box, ensure that you have completed all the tasks in Properties:Create dialog box. See Specifying Group Properties for more information.
5-8
OL-20721-01
Chapter 5
Defining a Group Rule

To create a group rule:
Complete all the tasks in the Properties page. See Specifying Group Properties for more information. Delete the rules displayed in the Rule Text field, if any. Select appropriate parameters for the following:

Object Type Denotes the object type used for forming a group. All expressions start with the string Device. Variables Denotes the device attributes, which are used to form a device group. See System Defined Attributes for details on the variables. Operators Denotes the various operators to be used with the rule. The list of operators includes equals, contains, startswith and endswith. The list of operators changes dynamically with the value of the variable selected. For the ManagementIpAddress variable, you can select a range operator other than the standard list of operators. See Using IP Address Range Operator for more information.
Step 4
Value Denotes the value of the variable. The value field changes dynamically based on the value of the variable and operator selected, and the field type can be a text field or a list box.
Click Add Rule Expression. The Group Administration wizard creates the rule based on the parameters you specified and adds the rule to the Rules Text field. For example, the rule type:
Device.DisplayName equals "joe"
will select the device with the DisplayName joe. The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type field in Rules Expression. You can form composite rules using the OR, AND, or EXCLUDE options in the Boolean operator field. See Defining Composite Group Rules for more information. You can validate rules that are entered directly into the Rules Text field, or rules formed using the Add Rules Expression option in the dialog box.
Step 5
To check whether the syntax is valid, click Check Syntax. To view the rules defined for the parent groups, click View Parent Rules.
Click Next. The wizard takes you to the Membership:Create dialog box, where you can further refine the group definition by adding or deleting specific devices from the group. See Assigning Group Membership for more information. If you have entered an invalid IP Address range or invalid values in the Value field, an error message will be displayed. You should correct the values and then navigate to the Membership:Create dialog box.
5-9
Managing Groups
Defining Composite Group Rules

A Composite rule contains more than one rule expression separated by a Boolean operator. The Boolean Operators OR, AND, or EXCLUDE appear in the Rules:Create dialog box only when you have entered at least one rule expression. When the composite rule has more than two simple rule expressions, you can adjust priorities among the expressions using opening and closing parenthesis. To create a composite rule:
Delete the rules displayed in the Rule Text field and click any other field. Form a simple rule. See Defining a Group Rule for details. Click Add Rule Expression. The Group Administration wizard creates the rule based on the parameters you specified and adds the rule to the Rules Text field. The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type field in Rules Expression.
Select a Boolean Operator from the drop-down list. Select the appropriate parameters for Object Type, Variables, and Operators. Enter a value in the Value field. Click Add Rule Expression. You can validate rules that are entered directly into the Rules Text field or rules formed using the Add Rules Expression option in the dialog box.

To check whether the syntax is valid, click Check Syntax. To view the rules defined for the parent groups, click View Parent Rules.
Step 8
Click Next. The wizard takes you to the Membership:Create dialog box, where you can further refine the group definition by adding or deleting specific devices from the group. See Assigning Group Membership for more information.
Using IP Address Range Operator

The range operator enables you to group the devices of the specified range of IP Addresses. You can select the range operator only for the ManagementIpAddress and IP.Address variables. You should enter the range of IP Addresses in the Value field, to create a group rule based on IP Address ranges. When you enter the IP Address range in the text field, you should:
Specify the range with permissible values for one or more octets in the IP Address. The minimum limit in the range is 0 and the maximum limit is 255. Use the hyphen character (-) as a separator between the numbers that indicate a range. Specify the range of IP Addresses within the [and] characters to create a group rule.
For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field.
5-10
OL-20721-01
Chapter 5
You should not:

Enter numbers less than 0 and greater than 255 in the IP Address range. Enter any characters other than the range separator (-). Enter the value of the highest limit in the range as less than the value of smallest limit number. For example, you should not enter 10.10.10.[8-4].
See Behavior of IP Address Range Based Device Groups in Multi-Server Setup for more information on the IP Address Range based device groups in a multi-server setup.
Examples

Example to Create a Simple Group Rule Example to Create a Composite Group Rule Example to Create a Group Rule Using Range Operator
Example to Create a Simple Group Rule
To create a group of all devices ending with the hostname Test, you should:
Step 1
Create an expression in the Rules:Create dialog box by entering:

a. b. c.
Select Variable as HostName Select Operator as endswith Enter the Value as Test
Step 2
Click Add Rule Expression. The rule is added into the Rule Text. You can also check the syntax of the group rule entered.
Example to Create a Composite Group Rule
If you want to group all the devices in the network that match the following criteria:

Display name of the device should contain TestDevice Category of the device should be equal to Routers or IP Address of the device should starts with
10.77
To create this composite rule:

Step 1

a. b. c.
Select Variable as DisplayName Select Operator as contains Enter the Value as TestDevice
Step 2
Click Add Rule Expression. The rule is added into the Rule Text.
5-11
Managing Groups
Step 3
Create another rule expression by entering:

a. b. c. d.
Select AND as the Boolean operator Select Variable as Category Select Operator as equals Enter the Value as Routers
Step 4
Click Add Rule Expression. The rule is appended into the Rule Text. Create another rule expression by entering:
a. b. c. d.
Step 5
Select OR as the Boolean operator Select Variable as ManagementIPAddress/IP.Address Select Operator as startswith Enter the Value as 10.77
Step 6
Click Add Rule Expression. The following composite rule is formed in the Rule Text Area:
Device.DisplayName contains TestDevice AND Device.Category equals Routers OR Device.ManagementIpAddress startswith 10.77
Step 7
Edit the rule expression in the text area to adjust the priorities among the group expressions. You should place two rule expressions together within an opening and a closing parentheses. Ensure that you leave a space between the parenthesis and the group expressions. The edited composite rule is:
Device.DisplayName contains "TestDevice" AND ( Device.Category equals "Routers" OR Device.ManagementIpAddress startswith "10.77" )
You can also check the syntax of the group rule entered.
Step 8
Click Next to proceed further.
Example to Create a Group Rule Using Range Operator
To group all devices whose IP Addresses are within the range 10.10.0.207 to 10.10.212.247, you should:
Step 1

a. b. c.
Select Variable as ManagementIPAddress/IP.Address Select Operator as range Enter the Value as 10.10.[0-212].[207-247]
Step 2
Click Add Rule Expression. The rule is added into the Rule Text. You can also check the syntax of the group rule entered.
5-12
OL-20721-01
Chapter 5
System Defined Attributes

The following table provides details on some of the System Defined attributes that are available in LMS. These are predefined attributes, available by default.
Note
In LMS 4.1, the attributes State (Device.State) and System.SystemOID (Device.System.SystemOID) are not available. If you backup and restore any group created in older versions of LMS using these attributes, the groups will not be restored.
Table 5-1
Group Attributes in LMS
Attribute Asset.CLE_Identifier Asset.Part_Number Asset.User_Defined_Identifier Category Chassis.Model_Name Chassis.Number_Of_Slots Chassis.Port_Count Chassis.Serial_Number Chassis.Vendor_Type Chassis.Version DeviceIdentity DiscoveryStatus DisplayName DomainName EnergyWise.Domain_Name EnergyWise.EnergyWise Version EnergyWise.EnergyWiseState
Description CLE identifier of the asset. Orderable part number of the asset. User-defined identifier of the asset Category into which the device falls. The first level entries in the Device Type tree in DCR Device Management UI. For example, Routers is a category. Name of the model. Number of slots in that chassis. Total port count of the chassis. Serial number of the chassis. Vendor type of the chassis. Version number of the chassis. Identifies pre-provisioning devices. The value would be application specific. Status of the data collection process. Device name, as you want it to be represented in reports or graphical displays. This can be derived from Host Name, Management IP Address or Device Identity. Domain name of the device. Name of the EnergyWise domain. Version of EnergyWise. EnergyWise status of the device, for example EnergyWise-capable devices, EnergyWise-enabled devices, EnergyWise-hardware-incapable devices and EnergyWise-software-incapable devices. EnergyWise Importance of the device. This value prioritizes the devices in a domain based on their power usage. A word that will help you identify a specific device or group of devices in the EnergyWise domain. Role or function of the device in the EnergyWise domain. Location of Flash file. Flash file size in MB. Model name of the Flash device. Free space in MB.
EnergyWise.Importance EnergyWise.Keyword EnergyWise.Role Flash.File_Name Flash.File_Size Flash.Model_Name Flash.Partition_Free
5-13
Managing Groups
Table 5-1
Attribute Flash.Partition_Name Flash.Partition_Size Flash.Size HostName Image.ROM_Sys_Version Image.ROM_Version Image.Sys_Description Image.Version ImageVersion IP.Address IP.Address_Type IP.Network_Mask IPv4.Subnet IPv4.SubnetMask IPv6.Subnet IPv6.SubnetMask ManagementIpAddress MDFId Medianet.EndPointConnected Memory.Free Memory.Name Memory.Size Memory.Type Memory.Used Model
Description Flash partition name. Flash partition size in MB. Total Flash device size in MB. Device Host name. System ROM software version Version of ROM. Image system description Running device image version. Software version running on the device. Device IP address. Version of IP, IPv4 or IPv6 Network mask address IPv4 subnet of a device. IPv4 subnet mask of a device. IPv6 subnet of a device. IPv6 subnet mask of a device. IP Address used to access the device. Both IPv4 and IPv6 address types are supported. Normative name for the device type as described in Cisco Meta Data Framework (MDF) database. Each device type has a unique normative name defined in MDF. Devices that have Medianet Endpoints connected to them. Free memory in MB. Name of the memory. Total RAM size in MB. Memory type. Used memory in MB. Model of the device. The third level entries in the Device Type tree in DCR Device Management UI.
Routers,
For example, the model Cisco 3101 Router falls under the Cisco 3100 Series which comes under the category Routers. Module hardware version.
Module.HW_Version Module.Model_Name Module.Port_Count Module.Serail_Number Module.Vendor_Type Processor.Model_Name Processor.NVRAM_Size Processor.NVRAM_Used
Name of the model. Total ports on that module. Serial number of the module. Vendor type of the module. Name of the model. Size of the processor NVRAM in MB. Size of the processor NVRAM that has been utilized, in MB.
5-14
OL-20721-01
Chapter 5
Table 5-1
Attribute Processor.Port_Count Processor.RAM_Size Processor.Serial_Number Processor.Vendor_Type Series
Description Total port count of the processor Size of the processor RAM in MB. Serial number of the processor. Vendor type of the processor. Series to which the device belongs. The second level entries in the Device Type tree in DCR Device Management UI. For example, Cisco 3100 Series Routers, that falls under the category Routers. Groups devices according to their Auto Smartport capability Device contact person name. Description of the system. Device domain name. Groups devices according to their Identity capability Device location information. Name of the system. Type of the operating system. Groups devices according to their Smart Install capability sysObjectID value. It may be UNKNOWN in the case the facility that populates the repository does not know the value.
System.ASP_Capability System.Contact System.Description System.DomainName System.Identity_Capability System.Location System.Name System.OSTYPE System.Smart_Install_Directors SystemObjectID
The User-Defined Fields (UDFs) available in the variable drop-down list is taken from DCR. You can create UDFs at Admin > Network > Device Credential Settings > User Defined Fields. For details, see Adding User Defined Fields. If you create a UDF that is similar to one of the predefined System Defined attributes, an _UDF suffix is appended to the User-Defined Field you add, to distinguish these two attributes. For example if you create a UDF called DisplayName (which is one of the predefined attributes present in the Variable drop-down list), this will be displayed as DisplayName_UDF.
Note
You should not create a UDFs in the format System Defined Field_UDF, where System Defined Field stands for any attribute listed in the above table. By default, four UDFs are available. You can create an additional six UDFs in DCR. The maximum number of UDFs that can be added in the Variable drop-down list is 10.
5-15
Managing Groups
Assigning Group Membership

You can include more devices or exclude devices using this option. To decide the devices that will be available to the group you have created, the wizard uses the details of the parent members and rules you have already specified. These devices appear in Available Objects From Parent Group column based on the properties and rules you have already specified in the Properties:Create and Rule:Create dialog boxes. See Specifying Group Properties and Defining Group Rules for more information.
Note
You can add devices from the list of available objects in the parent group even if they do not match membership criteria. To add devices to the group you have created:
Step 1
Select one or more devices in Available Objects From Parent Group column. To select multiple devices, hold the Ctrl or Shift keys down and click on the devices. Click Add. The selected devices are removed from the Available Objects From Parent Group and added to the Object Matching Membership Criteria column.
Step 2
To remove devices from the group:

Step 1
Select one or more devices in Object Matching Membership Criteria column. To select multiple devices, hold the Ctrl or Shift keys down and click on the devices. Click Remove. The selected devices are removed from the Object Matching Membership Criteria column and added to Available Objects From Parent Group.
Step 2
Step 3
Click Next. The Summary:Create window appears. It displays the group name, the parent group, description, the membership update type, group rules, and the visibility scope of the group you created. If you want to change the parameters, click Back to go back to the previous windows and make changes. Click Finish to create the group based on the parameters specified.
Step 4
5-16
OL-20721-01
Chapter 5
Viewing Group Details

You can view the details of a group using this feature. To view the details of a group:
Step 1
Either:
Or
Step 2
Select a group from the Group Selector pane. The Group Info pane on the right side displays the high-level properties of the selected group. Click Details. The Group Administration wizard displays the details of the group in Properties:Details window.
Step 3
Click View Parent Rules to display the rules set for the parent group. The rules set for the parent group are displayed in the Show Parent Rules window. Click Membership Details to display a list of devices and their corresponding object types. The membership details are displayed in Membership:Details window. In the Membership:Details window, you can:
Click on the column headers to sort the entries in the table. Select the number of rows to be displayed in the table in the Rows per page option.
Step 4
Click Property Details to return to the Property:Details window.
Click Cancel to return to the Group Administration and Configuration page.
5-17
Managing Groups
Modifying Group Details

You can modify some of the details for a group using this feature. To modify the details of a group:
Step 1
Either:
Or
Step 2
Select a group from the Group Selector pane. The Group Info fields on the right side displays details of the selected group. Click Edit. The Group Administration wizard guides you through the process of editing a group. It displays the details of the group in Properties:Edit window.
Step 3
Step 4
Change the Group Name, Description, Membership Update, and Visibility Scope in the Properties:Edit dialog box. You cannot change the Parent group or copy attributes from a different group in Edit mode. Click Next. The wizard takes you to the Rules:Edit window. Change the rules as required. For details on creating the rules, see Defining a Group Rule. Click Next. The wizard takes you to the Membership:Edit window. Add or remove devices from the list of objects in Objects Matching Membership Criteria as required. For details on creating the rules, see System Defined Attributes. Click Next. The wizard takes you to the Summary window. If you want to change the parameters specified, click Back to go back to the previous windows and make changes to the properties or rules.
Step 5
Step 6 Step 7
Step 8 Step 9
Step 10 Step 11
Click Finish to modify the group. Click OK. The Group Administration wizard copies the attributes of the selected group and displays it in the corresponding fields in Properties:Create window. Note that the Parent group you have selected for the group does not change even if you are copying attributes from a group that belongs to a different Parent group.
5-18
OL-20721-01
Chapter 5
Refreshing Groups
You can recompute the membership of a group by re-evaluating the group rule. The membership of Automatic groups is recomputed dynamically. The membership of Only-upon-user-request groups is recomputed only when explicitly refreshed with this option.
Note
Only users with read-write access can refresh the Only-upon-user-request groups. To refresh a group:
Step 1
Either:
Or
Step 2
Select a group from the Group Selector pane. The Group Info fields on the right pane displays details of the selected group. Click Refresh. The Group Administration popup window prompts you for confirmation. Click Yes. The selected group is recomputed and the window, refreshed.
Step 3
Step 4
Whenever you delete devices from a group, refresh the group so that group membership is recomputed.
5-19
Managing Groups
Deleting Groups
You can delete a group from the Group Selector. When you delete a group, all the child groups under the group are also deleted. You can also delete the stale groups (groups that belong to users removed from Cisco Prime). To delete a group:
Step 1
Either:
Or
Step 2
Select the group from the Group Selector. The Group Info fields on the right pane displays details of the selected group. Click Delete. The Group Administration prompts you for confirmation. Click Yes. The selected group is deleted.
Step 3
Step 4
See Deleting Stale Groups Using CLI for more information on how to delete stale groups using CLI.
Exporting Groups
This feature helps you to export a User-defined group hierarchy into a file. You can export a selected User-defined group hierarchy or all User-defined groups in a LMS Server to an output file. Private User-defined groups created by other users will not be exported. However, the privateUser-defined groups created by you will be exported. You must have Network Administrator, System Administrator or Super Admin privileges to export groups. In a Multi-server setup, you can export the User-defined groups installed in all LMS Servers of the same DCR domain. You can do this from a DCR Master Server and a Slave server. Grouping Services supports exporting User-defined groups to an XML format only. CSV file formats are not supported. See Sample Export Groups Output File for sample XML file generated by the Grouping Services export utility.
Note
We recommend that you use the file generated by the Grouping Services export utility for import operations and do not edit the XML file.
5-20
OL-20721-01
Chapter 5
You can:
Exports Groups from the User Interface. See Exporting Groups From User Interfacefor details. or Export Groups through the CLI. See Exporting Groups Through CLI for details. Sample Export Groups Output File Exporting Groups From User Interface

Sample Export Groups Output File

<?xml version="1.0" encoding="UTF-8"?>  <ogs-groups> <server name="LMS@server-name"> <ogs-group-definition> <name>/CS@server-name/User Defined Groups/CSDyna</name> <description> </description> <rule/> <evaluation-type>2</evaluation-type> <scope>PUBLIC</scope> <tags> <tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/> <tag tag-name="USER_DEFINED" tag-value="TRUE"/> <tag tag-name="__GROUP_ID" tag-value="CS$216"/> <tag tag-name="__GROUP_OWNER" tag-value="admin"/> </tags> </ogs-group-definition> <ogs-group-definition> <name>/CS@server-name/User Defined Groups/CSStat</name> <description/> <rule>:CMF:DCR:Device.DisplayName contains "77"</rule> <evaluation-type>1</evaluation-type> <scope>PUBLIC</scope> <tags> <tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/> <tag tag-name="USER_DEFINED" tag-value="TRUE"/> <tag tag-name="__GROUP_OWNER" tag-value="admin"/> <tag tag-name="__GROUP_ID" tag-value="CS$221"/> </tags> </ogs-group-definition> </server> </ogs-groups>
Exporting Groups From User Interface

To export device groups from the user interface:
Step 1
Select Admin > System > Group Management > Device. The Group Administration page appears. Select a User-defined Group hierarchy from the Group Selector. Click Export. The Export Groups dialog box appears.
Step 2 Step 3
5-21
Managing Groups
Step 4
Select either one of the following options:
Export the selected User-defined Group hierarchy Exports the selected User-defined Group and its child groups. Export All Applications User-defined Groups Exports all User-defined Groups from all applications installed on all LMS Server in the same DCR domain.
Or
The browser-specific File Download window appears prompting you to open or save the output XML OGSExport.xml file.
Step 5
Click either of the following buttons:
Open to open the XML file Save to store the file on the client system with the same or a different filename.
Or
Importing Groups
This feature helps you to import User-defined group hierarchies from an input XML file to the LMS Server. This feature is available from LMS 4.0 and later.
Note
You cannot import User-defined groups from older versions of LMS. You can import User-defined groups from an input file to the LMS Server. The private User-defined groups in the input XML file will be imported as your private User-defined groups in LMS Server. They will not be visible to other users. You must have Network Administrator, System Administrator or Super Admin privileges to import groups. In a Multi-server setup, you can import User-defined groups from a DCR Master Server and a Slave server.
Note
We recommend that you use the file generated by the Grouping Services export utility for import operations and do not edit the XML file.
5-22
OL-20721-01
Chapter 5
You can:
Importing Groups From User Interface Or Importing Groups Through CLI Important Notes on Importing Groups Importing Groups From User Interface

Important Notes on Importing Groups

Read the following notes before importing User-defined groups:

You must have the required file permissions to select a source XML file for import groups operation. After importing groups, the group selector may take some time to refresh and display the latest groups information. You must launch the Groups Administration page again to view the newly imported groups. To launch the Groups Administration page, select Admin > System > Group Management > Device.
Importing groups from an input XML file fails if:

The groups to be imported to the selected Grouping Server locations already exist. The User-Defined Fields (UDF) that are configured for the import group rules are not available
in the Grouping Servers to which the groups are to be imported.
Importing Groups From User Interface

To import device groups from the user interface:
Step 1
Either:
Or
Step 2
Click Import. The Import Groups - File Selection dialog box appears. Enter an input XML file name in the File Name field or click Browse to select a file from the client system. The Import Groups dialog box appears with a list of import groups specified in the input XML file. Select the list of groups to be imported from the Import Groups From field.
Step 3
Step 4
5-23
Managing Groups
Step 5
Select a server location to which the groups are to be imported in the Import Groups to Servers field. You can select multiple Grouping Server locations or All to select all the Grouping Server locations. This field is disabled on LMS Servers operating in the DCR Standalone mode. Click OK. A message appears indicating if the groups were imported or not. See Important Notes on Importing Groupsfor the possible causes of the import job failure.
Step 6
See Using Group Administration Features Through CLI for more information on using group administration feature using CLI.
Overview of Subnet Based Groups

Subnet based groups are automatically created when devices are managed. These are a part of System defined groups. You cannot create, edit or delete them. Subnet based groups help you work on smaller subsets of devices that are logically grouped. They are automatically deleted when all the devices in a subnet are deleted. This topic covers:

Accessing Subnet Based Groups Understanding Subnet Based Groups Creating Groups Based on Subnet
Accessing Subnet Based Groups

To access Subnet based groups:
Or
This displays the Group Management page. The Group Selector field displays two groups, System-defined Groups and User Defined Groups. The Subnet Based Groups are created under System Defined Groups.
5-24
OL-20721-01
Chapter 5
Managing Groups DCR Mode Changes and Group Behavior
Understanding Subnet Based Groups

The Subnet based groups use the following name format:
Subnet -- Subnet Mask.
The rule expression for Subnet Based Groups has the following components:
Class.attribute operator "value"
For example,
Device.IP.Subnet equals "172.20.104.192" AND Device.IP.SubnetMask equals "255.255.255.240"
The rule above will select all devices of subnet 172.20.104.192 and subnet mask 255.255.255.240.
Creating Groups Based on Subnet

When you need to create subnet based groups, you can do it under User defined groups. For example, the following rules might be used to create two groups based on the IP address subnet:
Device.IP.Subnet equals "172.29.252.32" Device.IP.Subnet equals "172.29.252.64"
The examples provided here are simple. However, the Grouping Service allows complex rules to be arbitrarily formed by combining rule expressions with AND, OR or the EXCLUDE operators. This gives the administrator the power and flexibility to create view partitions tailored to the needs of their site.
DCR Mode Changes and Group Behavior

The DCR modes have a bearing on how groups are displayed in the Groups UI. Also the DCR mode decides whether you can perform any operation on the groups. In Standalone mode, you can create system-defined and user-defined groups. In Slave mode, LMS allows you to preserve the user-defined groups, and create new system-defined device groups. The port and module groups, Fault groups and Collector groups are not affected by the change in the DCR mode. All DCR devices in the Slave are removed, and synchronized with the Master server. Therefore, in a cluster that has several Slaves and a Master, if you need to create LMS group, you need to go to the LMS Groups UI in the Master and create the group. The group you create there, will be synchronized with the Slaves. The following table gives details of DCR mode changes and implications on Groups.
5-25
Chapter 5 DCR Mode Changes and Group Behavior
Managing Groups
Mode Changed to: The Initial Mode

Standalone Standalone Slave Master
Not applicable.
Slave will get Masters groups, both system-defined and user-defined groups. You can also create new user-defined groups in the Slave. These groups will not be shared with the Master or other slaves in the domain. Device Allocation Policy gets disabled (Inventory > Device Administration > Device Allocation Policy).
No change in the Group hierarchy.
Slave
Device Allocation Policy gets Not applicable. enabled. The groups pertaining to Master and Slaves will be removed. The existing Device Allocation Policy is retained.
Device Allocation Policy gets enabled. Groups pertaining to the previous Master and the associated Slaves will be removed. Local groups will behave in the same manner. The existing Device Allocation Policy is retained.
Master
All dependent Slaves will switch to Standalone mode. All groups pertaining to other machines will be removed. Device Allocation Policy will be enabled on all machines in the cluster.
If you select Inform current Slaves of new Not applicable. Master Hostname when you change the mode to Slave, all the Slaves in the domain, switch to the new Master. In this case, the groups in the Master will be seen in the new Slave. Device Allocation Policy gets disabled. If this check box is not selected, the new Slave will pickup the groups of the new Master. Other Slaves in the domain will move to Standalone mode.
5-26
OL-20721-01
Chapter 5
Managing Groups DCR Mode Changes and Group Behavior
Unregistering a Slave
The Unregister Slave utility helps you unregister a Slave that is no longer a part of the domain. The utility is useful in the following scenarios:

Change in Slave mode because of Backup and Restore. That is, if data is restored from Standalone or Master belonging to a different domain. When you uninstall Cisco Prime from the Slave. Change in Slave mode, when master is not reachable. If the Master is down when the Slave mode changes, the Master will not be aware of the Slave mode change, when it comes up.
The Master will not receive any data from the Slave, but the Slave information will still be in its registry. A redundant group (such as LMS@Slave) will still appear in the Master Groups UI. In the case of DCR, any device operation on Master will update the Slave list. However, this does not happen in the case of Groups. You can run the UnregisterSlave utility to remove any unwanted slave information: From the CLI, run: NMSROOT/bin/perl NMSROOT/bin/UnregisterSlave.pl slave host name You have to enter the hostname of the machine you want to unregister. For information on effects of backup-restore on data, DCR modes, and Groups, see Effects of Backup-Restore on DCR and Effects of Backup-Restore on Groups.
Behavior of IP Address Range Based Device Groups in Multi-Server Setup

The range operator allows you to group devices within a specified range of IP addresses. In a Master-Slave setup:

When the Master server is using an earlier version of LMS, you cannot create device groups based on IP Address range. When the Slave server is using an earlier version of LMS, the IP Address Range based device groups information in the Master is synchronized with the Slave. Even if you change the mode of Slave server to Standalone, the IP address range based device groups will remain as they were in the Groups Server. However, you cannot retrieve the device group information from the Standalone LMS Server to view it in the user interface. To retrieve and view the device group information, you should either:
Upgrade the LMS in Standalone LMS Server to LMS 4.1.
Or
Change the mode of the LMS Server that has the earlier version of LMS 4.1 from Standalone to
Slave for a DCR Master with the latest version of the software.
5-27
Chapter 5 Port and Module Group Administration
Managing Groups
Port and Module Group Administration

LMS allows you to create groups based on ports and modules for a selected set of devices or device groups using Port and Module Group Administration.
Notes for Port and Module Configuration
1. 2. 3. 4.
Port and Module configuration depends on the data collected by LMS Inventory. For the Port and Module configuration to work properly, the inventory collection for the devices must be successful. You must trigger a fresh inventory collection to update all the port and module attributes. If the data collection is not successful, then data will not be available for some attributes. The following are the recommended number of ports in LMS:
1. 2. 3.
The maximum number of ports supported in LMS is 500,000 ports. The maximum number of ports supported in a port group is 100,000 ports. The maximum number of ports supported in an LMS job is 250,000 ports.
4. 5.
In some devices, duplicate entries are returned for the ifName MIB. In such cases, only one entry for the ifName will be considered and the duplicate entries will be dropped. The port information is fetched from the ifXtension MIB. If the ifXtension MIB is not supported in the device, then port configuration for the device will not work. For example, if a device supports only SNMPv1, then ifXtension MIB will not be supported in the device. In this case, the port configuration for the device will not work.
The LMS Port and Module Group Browser window contains these fields. (See Table 5-2)
Table 5-2 Fields on Port and Module Group Browser
Field/Button Group Name
Description Name of the group created. By default, the following System-defined groups are displayed:

1 Gbps Ethernet PortsContains all 1 Gbps Ethernet ports in the network. 10 Gbps Ethernet PortsContains all 10 Gbps Ethernet ports in the network. 10 Mbps Ethernet PortsContains all 10 Mbps Ethernet ports in the network. 100 Mbps Ethernet PortsContains all 100 Mbps Ethernet ports in the network. Access PortsContains all the Access mode ports. DMP PortsContains all ports connected to DMP. End HostsContains all ports connected to End Hosts. IP PhonesContains all ports connected to IP Phones. IPVSC PortsContains all ports connected to IPVSC. Link PortsContains all ports connected to other devices.
Description Group Type Created By
Description of the group created. Type of the group created. For example, Port or Module. User who created the group.
5-28
OL-20721-01
Chapter 5
Managing Groups Port and Module Group Administration
Table 5-2
Fields on Port and Module Group Browser
Field/Button Last Modification Time. Rows per page
Description Time at which the group settings were last modified. This page displays the number of rows you have set for display in the Rows per page field. You can increase the rows to 500 for each page by selecting the Rows per Page drop-down list. You can navigate through the pages of the report using the navigation icons at the bottom right of this table.
Create Edit View Delete
Starts the Group Creation Wizard for creating a group, as described in the Creating Port and Module Groups. Starts the Group Edit Wizard for editing an existing group, as described in the Editing Port and Module Groups. Allows you to view the group details, as described in the Viewing Port and Module Group Details. Deletes the group, as described in the Deleting Port and Module Groups. You can perform the following tasks from the LMS Port and Module Group Browser window:

Creating Port and Module Groups Editing Port and Module Groups Viewing Port and Module Group Details Deleting Port and Module Groups
Creating Port and Module Groups

Creating a Port and Module Group involves the following steps:
1. 2. 3. 4.
Entering the Port and Module Group Properties Details Selecting Group Source Defining Rule Expression for Port or Module Groups Understanding the Summary
You must complete all tasks in this sequence to create a group. If you exit the wizard at any stage using Cancel, the details you have specified will be lost and the group will not be created.
Note
Port and Module configuration depends on the data collected by the LMS Inventory. For the Port and Module configuration to work properly, the inventory collection for the devices must be successful.
5-29
Managing Groups
Entering the Port and Module Group Properties Details

In this step, you will enter the name and description for the group. The Port and Module Group Properties dialog box contains the following fields. (See Table 5-3)
Table 5-3 Fields on the Port and Module Group Properties dialog box
Field Group Name Description
Description Name of the group you are creating. Text description of the group.
To enter the values in Port and Module Group Properties dialog box:
Step 1
Either:
Select Admin > System > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
Select Inventory > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Step 2
Click Create. The Group Properties page appears. Enter a unique name for the group in the Group Name field. Enter a description for the group in the Description field (optional). Click Next. The Select Group Source page appears, displaying the Device Selection dialog box.
Selecting Group Source

In this step, you need to select the Group source. This can be either devices or groups (System-defined or User-defined). The Select Group Source page displays the Device Selection and Group Selection dialog box. The Device Selection and Group Selection dialog box contains the following fields. (See Table 5-4) You must select either devices or device groups from Device Selector or Group Selector, respectively.
5-30
OL-20721-01
Chapter 5
Table 5-4
Fields on the Device Selection dialog box
Fields Device Selector Search Input
Description Displays all LMS devices in the group. Enter the search expression in this field. You can enter single device names or multiple device names. If you are entering multiple device names, separate them with a comma. You can also enter the wildcard characters * and "?". For example: 192.168.10.1*, 192.168.20.*
Search
Use this icon to perform a simple search of devices based on the search criteria you have specified in the Search Input text field. For information on Search, see Performing Simple Search. Use this icon to perform an advanced search of devices based on the search criteria you have specified in the Search Input text field. For information on Advanced Search, see Performing Advanced Search. Lists all User-defined and System-defined groups for all applications that are installed on LMS Server. For more information, see Selecting Devices From All Tab. Displays all the search results from Search or Advanced Search. For more information, see Selecting Devices From Search Results. Lists all the devices that you have selected in the Search Results or All tab. Using this tab, you can deselect devices from the list. Displays all groups in LMS.
Advanced Search
All
Search Results Selection Group Selector
To select the group source:

Step 1
Either:

Select Device Selector. Select the devices. Select Group Selector. Select the groups.
or
Step 2
Click Next. The Rule Express page appears.
5-31
Managing Groups
Defining Rule Expression for Port or Module Groups

In this step, you will define the rules for creating port or module groups. The rules you define in this phase, determine the contents of the group. The rules you specify here, determine the ports and modules to be included in the group. You can either enter the rules directly in the Rule Text field, or select the components of the rule from the Rule Expression fields, and form a rule. The Rules Expression page contains the following fields: Field/Buttons Object Type Description Select the following object types to form a group:

Module Port
Variable Operator
Object type attributes, based on which you can define the group. See Rule Attributes for Port and Module Creation. Operator to be used in the rule. The list of possible operators change, based on the variable selected. When using the equals operator the rule is case-sensitive. Value of the rule expression. The possible values depend upon the variable and operator that you select. Depending on the operator selected, the value may be free-form text or a list of values. Wildcard characters are not supported. Adds the rule expression to the group rules. Displays the rule. Verifies that the rule syntax is correct. Use this button to verify the syntax of the rule that you have created before proceeding to the next step. Include List popup opens and lists all the modules or ports from the selected devices that do not match the rule. You can choose to include those modules or ports for group creation. The Include List popup will also list the modules or ports that match the rule but will not be enabled for selection. Click Include to launch the Include List window. See Table 5-5 for descriptions of the fields in the Include List window. You can also include modules or ports for the selected devices, without specifying a rule, by clicking Include.
Value
Add Rule Expression (Button) Rule Text Check Syntax (Button) Include (Button)
Exclude (Button)
Exclude List popup opens and lists all the modules or ports from the selected devices that match the rule. You can choose to exclude those modules or ports for group creation. The Exclude List popup will also list the modules or ports that do not match the rule but will not be enabled for selection. Click Exclude to launch the Exclude List window. See Table 5-5 for descriptions of the fields in the Exclude List window.
5-32
OL-20721-01
Chapter 5
To define the group rule:

Go to the Rules Expression page. Set the parameters for Object Type, Variable and Operator. Enter the desired value for the Variable you have selected. Click Add Rule Expression. The LMS Port and Module Group Administration creates the rule based on the parameters you have specified and adds it to the rules already present in the Rules Text field. You can use the same procedure to add more rules. You can manually add or change any text in the Rule Text box. Click Include or Exclude.

Step 5
IncludeA popup window appears, allowing you to include ports or modules for the group. See Table 5-5 for the descriptions of the fields in the Include List window. ExcludeA popup window appears, allowing you to exclude ports or modules for the group. See Table 5-5 for the descriptions of the fields in the Exclude List window. If the syntax is correct, an information box appears with a message, The rule syntax is valid. If the syntax is incorrect, an error box appears with a message, You have entered an invalid
rule. Enter a valid rule. See the Help for examples of valid rules.
Step 6
Click Check Syntax to validate the rules expression syntax.

For examples on defining valid rules, see Examples for Port and Module Groups.
Step 7
Click Next. The Summary page appears, displaying the group properties. See Understanding the Summary.
Note
You can also include modules or ports for the selected devices, without specifying a rule, by clicking Include. If you include the ports or modules for the selected devices, and also exclude the same ports or modules, the exclude option will have a higher priority.
Rule Attributes for Port and Module Creation
The following table lists the available attributes that you can use to define rules to create port and module groups.
5-33
Managing Groups
Object Type Attribute Module AdminStatus FW_Version ModuleName OperStatus SlotNumber SW_Version VendorType
Description Administrative status of the module. For example, Enabled/Commissioned. Firmware version of the module. For example, 12.1(27b)E1 Name of the module. For example, Linecard Operational status of the module. For example, Dormant Slot number of the module. For example, 6 Software version of the module. For example, 12.1(27b)E1 Vendor type of the module. For example, cevAS53004ct1
5-34
OL-20721-01
Chapter 5
Object Type Attribute Port AdminStatus CM.AccessStatus CM.Channel CM.Duplex CM.JumboFrameEnabled CM.L2L3 CM.LinkStatus CM.Neighbor CM.TrunkStatus CM.VLAN_ID CM.VLAN_NAME CM.VTP_DOMAIN EnergyWise_Importance EnergyWise_Role EnergyWise_Keyword FlexLink IFIndex IsEnergyWisePort Identity_Security_Mode
Description Administrative status of the port. For example, Disabled/Decommissioned Whether the port is an Access port or not. Whether the port is a channel port. The duplex mode of the port. The values could be unknown-duplex, full-duplex, half-duplex, default, disagree, auto-duplex. Whether the port is JumboFrame enabled or disabled. Whether the port is in switched or routed mode. Link status of the port. Whether the link is up or down. Whether the port is connected to a device, IP Phone, or End Host. Whether the port is a Trunk port. If trunk is configured in the port, then it is a trunk port. The index of the VLAN configured on the port. Name of the VLAN configured on the port. Name of the VTP Domain that the port is associated with. EnergyWise Importance of the device. This value prioritizes the devices in a domain based on their power usage. Role or function of the device in the EnergyWise domain. A word that will help you identify a specific device or group of devices in the EnergyWise domain. Whether the FlexLink status of the port is enabled or disabled. IFIndex of the port. For example, 10 Specifies if the port is EnergyWise-enabled. Specifies the security mode, based on the level of security you wish to implement in your network. The three types of security modes are:

Monitor Mode Low Impact Mode High Security Mode
MACsecStatus OperStatus PortDescription PortName SpanEnabled Speed Type
You can enable or disable MACsec on the interface. MACsec provides secure, encrypted communication on wired LANs. Operational Status of the port. For example, Stopped/Suspended Description of the port. For example, FastEthernet0/1 Name of the port. For example, Fa0/1 Whether the port is Span enabled. Speed of the port. For example, 10000000 (for 10 Mbps) Enter the value for the port type. For example, if you want to define a rule for the port type ethernetCsmacd, you need to enter 6 as the value. For information on the port type values, see http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=ift ype&translate=Translate&submitValue=SUBMIT&submitClicked=true
OL-20721-01
5-35
Managing Groups
Note
For the port attributes that start with name CM. , the data collection for the attributes must be successful.
Examples for Port and Module Groups
This section shows examples of a valid rule. The following are some examples for grouping tasks:

Rule to select all the Ports whose Port Description contains the string: Ethernet Rule to select all the Ports that are connected to another device Rule to select all the Modules whose Slot number is 1 Rule with OR Operator Rule with AND Operator
Rule to select all the Ports whose Port Description contains the string: Ethernet
This rule filters all ports whose Port description consists of the string Ethernet. To provide rule expression for this scenario: From the Create Rules dialog box:
Select Port from the Object Type drop down listbox Select PortDescription from the Variable drop down listbox Select contains from the Operator drop down listbox Enter Ethernet in the Value textbox Click Add Rule Expression The following rule gets added to the Rule Text:
Port.PortDescription contains "Ethernet"
Rule to select all the Ports that are connected to another device
This rule filters all Ports that are connected to another device. To provide rule expression for this scenario: From the Create Rules dialog box:
Select Port from the Object Type drop down listbox Select CM.LinkStatus from the Variable drop down listbox Select = from the Operator drop down listbox Select Configured in the Value drop down list box. Click Add Rule Expression The following rule gets added to the Rule Text:
Port.CM.LinkStatus = "Configured"
5-36
OL-20721-01
Chapter 5
Rule to select all the Modules whose Slot number is 1
This rule filters all the modules that are placed in slot number 1. To provide rule expression for this scenario: From the Create Rules dialog box:
Select Module from the Object Type drop down listbox Select SlotNumber from the Variable drop down listbox Select = from the Operator drop down listbox Enter 1 in the Value textbox Click Add Rule Expression The following rule gets added to the Rule Text:
Module.SlotNumber = "1"
Rule with OR Operator
Rule to list all ports whose Port description contains the string as either Ethernet or FastEthernet. To provide rule expression for this scenario:
Step 1
From the Create Rules dialog box:

a. b. c. d. e.
Select Port from the Object Type drop down listbox Select PortDescription from the Variable drop down listbox Select StartsWith from the Operator drop down listbox Enter Ethernet from the Value drop down listbox Click Add Rule Expression The following rule gets added to the Rule Text:
Port.PortDescription StartsWith "Ethernet"
Step 2 Step 3
Select the OR option from the logical operator list box. From the Create Rules dialog box:
a. b. c. d. e.
Select Port from the Object Type drop down listbox Select PortDescription from the Variable drop down listbox Select StartsWith from the Operator drop down listbox Enter FastEthernet in the Value textbox Click Add Rule Expression The following rule gets appended to the Rule Text:
Port.PortDescription StartsWith "Ethernet" OR Port.PortDescription StartsWith "FastEthernet"
The OR logical operator evaluates if either or both of the conditions are satisfied. The ports are selected based on either or both of the matching criteria.
5-37
Managing Groups
Rule with AND Operator
Rule to select all the FastEthernet Ports whose Operational status is up. To provide rule expression for this scenario:
Step 1
From the Create Rules dialog box:

a. b. c. d. e.
Select Ports from the Object Type drop down listbox Select OperStatus from the Variable drop down listbox Select = from the Operator drop down listbox Select OK from the Value drop down listbox Click Add Rule Expression The following rule gets added to the Rule Text:
Port.OperStatus = "OK"
Step 2 Step 3
Select the AND option from the logical operator list box. From the Create Rules dialog box:
a. b. c. d. e.
Select Ports from the Object Type drop down listbox Select PortDescription from the Variable drop down listbox Select StartsWith from the Operator drop down listbox Enter FastEthernet in the Value textbox Click Add Rule Expression The following rule gets appended to the Rule Text:
Port.OperStatus = "OK" AND Port.PortDescription StartsWith "FastEthernet"
The AND logical operator evaluates if both the parameters are satisfied. Only devices that satisfy both the criteria are selected.
5-38
OL-20721-01
Chapter 5
Include and Exclude
Table 5-5 describes the Include and Excludes window fields in the Rule Expression page of Port and Module Group Administration.
Table 5-5 Include and Exclude Window Fields Description
Window Include List
Fields/Buttons Device Selector
Description Devices selected for group creation. For some of the devices, if ports or module names are not available in the device, the message Not Available will be shown.
Port Name/Module Name Name of the port or module in the device.
Description/Vendor Type Description of the port or module. For some of the devices, if ports description or module vendor type is not available in the device, the message Not Available will be shown. Slot Number Include (Button) Filter by Port/Module Name Exclude List Device Selector Slot number of the module. This field is available only for modules. The selected ports or modules are included for group creation. Enter the filter expression and click Filter to filter the port or modules in the device. Devices selected for group creation. For some of the devices, if ports or module names are not available in the device, the message Not Available will be shown. Description/Vendor Type Description of the port or module. For some of the devices, if ports description or module vendor type is not available in the device, the message Not Available will be shown. Slot Number Exclude (Button) Filter by Port/Module Name Slot number of the module. This field is available only for modules. The selected ports or modules are excluded from group creation. Enter the filter expression and click Filter to filter the port or modules in the device.
Port Name/Module Name Name of the port or module in the device.
5-39
Managing Groups
Understanding the Summary

The final step in creating the port or module group is a summary page that displays the new group definition. The Summary page contains the following information. (See Table 5-6):
Table 5-6 Fields on the Summary page.
Field Group Name Description Rule Devices/Groups in Rule
Description Name of the group you are creating. Text description of the group. Rules used to filter the group. List of devices or groups to which the rule will be applied.
After reviewing the group summary, either:

Step 1
Click Finish to complete the procedure for Creating Groups. A confirmation box appears. Click OK. You can view the newly created group in the Port and Module Group Browser page. Or Click Back to change the group properties.
Step 2
Viewing Port and Module Group Details

To view the existing port or module group details:
Step 1
Either:
Or
5-40
OL-20721-01
Chapter 5
Step 2
Select the group name and click View. The View Group Details page appears, displaying Group: Details dialog box with the following details:
Field/Button Group Name Parent Group Type Description Rule Created By Last Modified By Devices/Groups Membership Details (Button) Cancel (Button)
Description Name of the group you are viewing. Parent group of the group you are viewing. Type of the objects that belong to the group. Text description of the group. Rules used to create the group. User who created the group. This also displays the time at which the group was created. User who last modified the group. This also displays the time at which the group was last modified. Devices or Device Groups that are part of the port or module group. Used to view the list of devices that belong to the group. See Viewing Membership Details. Closes the page and takes you back to the Port and Module Group Browser page.
Viewing Membership Details
You can view a list of the objects that belong to a group by accessing the Group: Details dialog box.
Step 1
Either:
Or
Step 2
Select the group name for which you want to view the membership details and click View. The Group: Details dialog box appears.
5-41
Managing Groups
Step 3
Click Membership Details. The View Group Members dialog box appears with the following information:
Field/Button Device Selector Port Name/Module Name Description Filter by Port/Module Name Close (Button)
Description Devices selected for group creation. Name of the port or module in the device that are part of the group. Description of the ports or modules in the device that are part of the group. Enter the filter expression and click Filter to filter the port or modules in the device that are part of the group. To close the View Group Members dialog box.
Editing Port and Module Groups

You can edit all attributes that are defined while creating a group, except Group Name. To edit a port and module group:
Step 1
Either:
Or
Step 2 Step 3
Select the group by checking the check box. Click Edit. The Group Properties page appears, displaying Port and Module Group Properties dialog box. See Entering the Port and Module Group Properties Details. You cannot:

Modify the Group Name field. Click Finish to complete the edit flow.
5-42
OL-20721-01
Chapter 5
Step 4
Click Next. The Select Group Source page appears, displaying either Device Selector or Group Selector dialog box.
Device Selection
If you have selected devices using Device Selector in the Create flow. If you have created the group by including the ports or modules without specifying the rule in
the Create flow. In this case, only the devices for which you selected ports or modules are displayed. Or
Group SelectionIf you have selected device groups using Group Selector in the Create flow.
You can modify the devices or groups that you have selected, based on your requirement.
Step 5
Click Next. The Rules Expression page appears, displaying the rule previously set. See Defining Rule Expression for Port or Module Groups. You can modify and define new rules. If you include the ports or modules for the selected devices, and also exclude the same ports or modules, the exclude option will have the higher priority.
Step 6
Click Next. The Summary page appears, displaying the group details. Understanding the Summary. Either: Click Finish to complete the editing procedure for the group. Or Click Back to change the group properties.
Step 7
Note
You can click Finish at any point in the workflow.
Deleting Port and Module Groups

To remove an existing port or module group:
Step 1
Select Admin > System > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. Select the group to remove from the Port and Module Group Browser dialog box. Click Delete. A confirmation dialog box shows that the group will be deleted. Click OK.
Step 2 Step 3
Step 4
5-43
Chapter 5 Working with Fault System-defined Groups
Managing Groups
Working with Fault System-defined Groups

The group selector displays some groups such as Access Port Groups, Trunk Port Groups, and Interface Port Groups. See Fault System Defined Groups for more information. You can control the polling and thresholds settings for these groups using Monitor > Threshold Settings > Fault. See Monitoring and Troubleshooting Online Help for more information. These system defined groups can be used when searching for devices using the Advanced Search option in the device selector. This section contains:

LMS System-defined Groups Fault System Defined Groups
LMS System-defined Groups

The LMS system defined groups are visible to all Cisco Prime users, and are the factory default groups administered by LMS. Device Groups appear in the group selector when they have device members, that is, devices in the DCR that belong to that group. The following are the LMS system defined groups:

Broadband Cable Content Networking DSL and LRE Interfaces and Modules Network Management Optical Routers Security and VPN Server Fabric Switches Storage Networking Switches and Hubs Server Fabric Switches Universal Gateways and Access Servers Unknown Voice and Telephony Wireless
5-44
OL-20721-01
Chapter 5
Managing Groups Working with Fault System-defined Groups
Fault System Defined Groups

The fault system defined groups are visible to all Cisco Prime users, and are the factory default groups that are administered by the Fault Management module in LMS 4.1. The following are the Fault Management system defined groups:
System defined access port groups:

1 GB Ethernet 10 GB Ethernet 10MB-100MB Ethernet ATM Others
System defined interface groups:

1 GB Ethernet 10 GB Ethernet 10MB-100MB Ethernet ATM Backup Dial-on-Demand FDDI ISDN B channel ISDN D channel ISDN physical interface Others Serial Token Ring
System defined trunk port groups:

1 GB Ethernet 10 GB Ethernet 10MB-100MB Ethernet ATM Others
A 10 GB Ethernet interface device, during an upgrade, behaves in the following ways:
If the 10MB - 100MB group has been set to high priority when compared to 1 GB Ethernet group, then the 10GB device falls under the 10MB - 100MB group. In order to make it fall under 10 GB Ethernet Group, you must set the priority of the group to high. If the 10MB - 100MB group has been set to low priority when compared to 1 GB Ethernet group, then the 10GB device falls under 10 GB group.
For more information, see Setting Priorities in Monitoring and Troubleshooting Online Help.
5-45
Chapter 5 Working with Customizable Groups
Managing Groups
Working with Customizable Groups

Customizable groups are the only user-defined groups for which you can set polling and threshold parameters. They are provided so you can create groups that fit your needs. Fault Management in LMS 4.1 provides 28 customizable groups, which are divided into four categories:

Access Port Groups Trunk Port Groups Interface Groups Device Groups
Table 5-7 lists the seven customizable groups that appear in each of the four categories.
Table 5-7 Polling and Thresholds: Customizable Groups
Customizable Groups A B C 1 2 3 4
Intended Use Consider reserving customizable groups A, B, and C to troubleshoot Add one device to any of these groups when you need to test. For example, to test a changed threshold or interval value for a polling setting. Consider using customizable groups 1, 2, 3, and 4 when you want to override polling settings and thresholds for more than one device.
You configure a customizable group to have the highest priority. To do so, see Setting Priorities section in Monitoring and Troubleshooting Online Help. You must add devices to the customizable groups before you can set polling parameters or threshold values for them. To do so, see Working with Customizable Groups. Since you cannot change the rules for system defined groups, Fault Management provides groups that you can customize so that they contain devices, ports, or interfaces. Port and interface containment is only seen and used by Polling and Thresholds (Monitor > Threshold Settings > Fault). After you edit or create a group, you can determine whether other Cisco Prime users can view the group.
Table 5-8 Fault Management Customizable Groups
Group Name Customizable Access Port Groups Customizable Groups Customizable Interface Groups Customizable Trunk Ports Groups
Use this group to monitor... Access ports Devices Interfaces Trunk ports
Settings you can configure for this group: Thresholds Polling and thresholds Thresholds Thresholds
5-46
OL-20721-01
Chapter 5
Managing Groups Managing Fault Groups
For each of the parent groups listed in Table 5-8, Fault Management provides seven configurable subgroups. Table 5-9 describes the restrictions placed on the subgroups.
Table 5-9 Fault Management Customizable GroupsRestrictions
Group Name Customizable Group A Customizable Group B Customizable Group C
Restrictions

Use to troubleshoot a single device (but can contain more than one device) Cannot be deleted Cannot have subgroups Cannot have name changed Can contain multiple devices Cannot be deleted Cannot have subgroups Cannot have name changed
Customizable Group 1 Customizable Group 2 Customizable Group 3 Customizable Group 4
Managing Fault Groups

The Fault Group Administration and Configuration page is where all group management activities take place. To open the Group Administration and Configuration page: Either: Select Admin > System > Group Management > Fault. Or Select Inventory > Group Management > Fault.
Note
If you are connecting to the LMS server for the first time, a Security Alert window is displayed when you select an option. Do not proceed without viewing and installing the self-signed security certificate.
See Editing and Creating Fault Groups for information on how to use Group Administration to create and edit groups. In addition to creating and editing groups, Group Management provides the following functions:

Refreshing Fault Membership Deleting Fault Groups
5-47
Chapter 5 Managing Fault Groups
Managing Groups
Table 5-10 describes the fields in the Group Administration and Configuration page.
Table 5-10 Fields on Group Administration and Configuration Page
Field/Button Group Selector Group Info
Description Hierarchical display of all available groups. When you select an item from the Group Selector, the Group Info pane displays the following information:

Group NameName of the group you selected. TypeType of objects in the selected group. DescriptionText description of the group. Created ByPerson who created the group. Last Modified ByLast person to modify the group settings.
Create Edit
Starts the Group Creation Wizard for creating a group, as described in Editing a Fault Group. Starts the Group Edit Wizard for editing user defined groups, as described in Editing a Fault Group. Not supported for view groups created from the Alerts and Activities Defaults page. Opens the Properties: Details page, as described in Viewing Fault Group Details. Refreshes a group memberships, as described in Refreshing Fault Membership. Not supported for port and interface groups. Deletes a group, as described in Deleting Fault Groups.
Details Refresh Delete
Editing and Creating Fault Groups

The processes for editing and creating groups are similar. Keep these points in mind:
You can edit user defined customizable subgroups. For example, the subgroup Customizable Group 1 under Customizable Access Port Groups. These subgroups are listed in Working with Customizable Groups. You can create or edit user defined miscellaneous groups. These groups can be used with views in the Alerts and Activities display, or with notification groups in Notification Services. You cannot edit or view groups created from the Alerts and Activities Defaults page.
This section contains information on:

Editing a Fault Group Creating a Fault Group Understanding Rules Finalizing Fault Group Membership Viewing the Fault Group Summary
5-48
OL-20721-01
Chapter 5
LMS uses the Group Creation Wizard to guide you through the steps required to create or edit a group. The wizard consist of four steps:
1. 2. 3. 4.
Setting properties (for details, see Editing a Fault Group) Creating rules (for details, see Understanding Rules). Modifying group membership (for details, see Finalizing Fault Group Membership). Viewing the summary (for details, see Viewing the Fault Group Summary).
Editing a Fault Group

You can edit the properties of user defined customizable port, interface, and device groups. You can also edit miscellaneous user defined groups you created using Group administration.
Procedure
Step 1
Either:
Select Admin > System > Group Management > Fault. The Fault Group Administration and Configuration page appears.
Or
Select Inventory > Group Management > Fault. The Fault Group Administration and Configuration page appears.
Step 2
In the Group Selector, select the group you want to edit, click Edit. The Properties: Edit page appears. You can modify the following in the Properties: Edit page:
Group Name Will be automatically populated when editing customizable subgroups; for example, Customizable Group 1 under Customizable Access Port Groups.
Description Membership update type (not supported for port and interface groups) The parent group is displayed, but it cannot be modified. Visibility Scope
Step 3
Click Next. The Rules: Edit page appears. For more information on creating rules, see Understanding Rules. To return to any of the previous pages in the wizard, click Back.
Note
If you edit a device-type group, you can launch the Preview.
5-49
Managing Groups

Adding and Deleting Rules from the Rules:Edit Page Adding and Removing Objects from the Rules: Edit Page
Adding and Deleting Rules from the Rules:Edit Page

You can add new rules or delete existing rules in the Rules: Edit page. To add a new rule:
Step 1
From the first list, select a logical operator (applicable when there are multiple rule expressions). The list of logical operators is enabled after at least one rule expression is entered.+ From the Object Type list, select an object type. From the Variable list, select a variable. From the Operator list, select an operator. In the Value field, enter a value. Click Add Rule Expression. The rule expression appears in the Rule Text box. You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\), an error is displayed. To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single backslash. You should always check the syntax after changing a rule expression. If you have added complex rules (containing both AND and OR conditions), you must manually enter parentheses, as in the following example:
(AccessPort.Mode equals OR AccessPort.Mode contains BACKUP OR AccessPort.Mode contains NORMAL) AND AccessPort.DuplexMode contains HALFDUPLEX OR AccessPort.DuplexMode contains FULLDUPLEX)
Step 7
Verify whether the syntax of the rule is correct by clicking Check Syntax. A dialog box appears, stating that the syntax is valid. Click OK. If you want to view the rules for the parent group, select View Parent Rules. All rules assigned to a parent group also apply to any of its subgroups. Click Next. The Membership: Edit page appears.
Step 8
Step 9
5-50
OL-20721-01
Chapter 5
To delete a rule:
Step 1
In the Rule Text box, select the entire rule text and press the Delete key. After deleting the rule, you must click the page so that the page can refresh, removing the list of logical operators.
Step 2
Click Next. The Membership: Edit page appears.
Adding and Removing Objects from the Rules: Edit Page

You can add or remove specific objects from the group membership. This feature is not supported for port and interface groups. The group's rule captures the list of objects that are added to or deleted from the group. The rule will contain an Includelist and an Excludelist section to reflect this. Although it is acceptable for a rule to have more than one Includelist or Excludelist, the recommended practice is to consolidate them, forming one Includelist and one Excludelist. Check for duplicates across both lists and ensure that no device is both included and excluded. You can add and remove objects from the Parent Group To add an object:
In the Available Objects from Parent Group column, select the device you want to add. Click Add. Click Next. The groups information appears in the Summary: Create page. Click Finish. A dialog box appears, stating that changes to the group have been saved. Click OK.
Step 4
Step 5
To remove an object:
In the Objects Matching Membership Criteria column, select the device you want to remove. Click Remove. Click Next. The groups information appears in the Summary: Create page. Click Finish. A dialog box appears, stating that changes to the group have been saved. Click OK.
Step 4
Step 5
5-51
Managing Groups
Creating a Fault Group

Creating fault groups is supported only for user defined miscellaneous groups. Once created, you can edit these groups.
Note
When you create a fault group, at least one device must be in the managed state.
Procedure
Step 1
Either:
Or
Step 2 Step 3
In the Group Selector, select User Defined Groups. Click Create. The Properties: Create page appears. Enter a group name for the new group. If you do not want to copy the attributes of an existing group to your new group, proceed to Step 6. If you want to copy the attributes of an existing group to the new group, do the following:
a.
Step 4
Click Select Group. The Replicate Attributes page appears. Select the group from which you want to copy the attributes. Click OK. All attributes except the group name are copied to the new group.
b. c.
If you want to change the parent group (the location where the group will reside in the Group Selector), do the following:
a.
Click Change Parent. The Select Parent page appears. Select the parent group.
b. Step 5
Click OK. Enter a description. This is optional. Choose how you want the group membership updated. This choice is not displayed for port and interface groups):

Step 6
If you want the membership for this group updated automatically, select Automatic. If you want the membership for this group updated only when the Refresh button is clicked, select Only Upon User Request.
5-52
OL-20721-01
Chapter 5
Step 7
Select a Visibility Scope:

Available to Created User Only Available to All Cisco Prime Users
Step 8
Click Next. The Rules: Create page appears. (For more information on creating rules, see Understanding Rules.) Do one of the following:

Step 9
To create rules to apply to the group, go to Step 10. Click Next and select the objects on the Membership: Create page (not supported for port and interface groups). Then go to Step 10. If you need to return to any of the previous pages in the wizard, click Back.
Step 10
Create all rules that you want to apply to the group:

a.
Select a logical operator (applicable when there are multiple rule expressions). The list of logical operators is enabled after at least one rule expression is entered. Select an object type. Select a variable. Select an operator. Enter a value. Click Add Rule Expression. The rule expression appears in the Rule Text box.
b. c. d. e. f.
You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\), an error is displayed. To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single backslash. You should always check the syntax after changing a rule expression. If you have added complex rules (containing both AND and OR conditions), you must manually enter parentheses, as in the following example:
(AccessPort.Mode equals OR AccessPort.Mode contains BACKUP OR AccessPort.Mode contains NORMAL) AND AccessPort.DuplexMode contains HALFDUPLEX OR AccessPort.DuplexMode contains FULLDUPLEX)
g.
Verify that the rule syntax is correct by clicking Check Syntax. A dialog box appears, stating the syntax is valid. Click OK. If you want to view the rules for the parent group, select View Parent Rules. All rules assigned to a parent group also apply to any of its subgroups. Click Next.
h.
i.
The Membership: Create page appears.
5-53
Managing Groups
Adding and Removing Objects from the Rules: Create Page

You can add or remove specific objects from the group membership. This feature is not supported for port and interface groups. The group's rule captures the list of objects that are added to or deleted from the group. The rule will contain an Includelist and an Excludelist section to reflect this. Although it is acceptable for a rule to have more than one Includelist or Excludelist, the recommended practice is to consolidate them, forming one Includelist and one Excludelist. Check for duplicates across both lists and ensure that no device is both included and excluded. You can add and remove objects from the Parent Group To add an object:
In the Available Objects from Parent Group column, select the device you want to add. Click Add. Click Next. The groups information appears in the Summary: Create page. Click Finish. A dialog box appears, stating that changes to the group have been saved. Click OK.
Step 4
Step 5
To remove an object:
In the Objects Matching Membership Criteria column, select the device you want to remove. Click Remove. Click Next. The groups information appears in the Summary: Create page. Click Finish. A dialog box appears, stating that changes to the group have been saved. Click OK.
Step 4
Step 5
5-54
OL-20721-01
Chapter 5
Understanding Rules
Every group is defined by a set of rules. A rule set contains a Boolean combination of individual rule expressions. Rules are created to filter in the objects that you want to belong to the group, and to filter out those that you do not want in the group. When determining the objects that belong to a group, Group Management compares object information to the rule. If an object information satisfies all of the rule requirements, it is placed in the group. One or more rule expressions can be applied to form a rule. Each rule expression contains the following: Object Type.Variable Operator Value For example:
Routers.Location equals "San Jose"
Complex rules that contain both OR and AND conditions require you to edit the rule manually. For example, all parentheses in the following rule must be added in the Rule Text field:
(AccessPort.Mode equals OR AccessPort.Mode contains BACKUP OR AccessPort.Mode contains NORMAL) AND (AccessPort.DuplexMode contains HALFDUPLEX OR AccessPort.DuplexMode contains FULLDUPLEX)
Rules are defined through the Group Creation Wizard on the Rules: Create and Rules: Edit pages. You can define the following:

Logical Operators Object Type Variable Operator Value
Logical Operators
The logical operator field appears when you are defining multiple rules. The logical operators can be:
ORInclude devices that fulfill the requirements of either rule. For interface, access port, and trunk port groups, this operator can only be used between the variables of the same type, as in the following valid rule:
AccessPort.DuplexMode equals HALFDUPLEX OR AccessPort.DuplexMode equals FULLDUPLEX
If you used an AND operator in the previous port rule, it would be invalid.
ANDInclude only objects that fulfill the requirements of both rules. For interface, access port, and trunk port groups, this operator can only be used between the variables of different types, as in the following example:
AccessPort.Mode equals AND AccessPort.DuplexMode equals FULLDUPLEX
If you used an OR operator in the previous rule, it would be invalid.
5-55
Managing Groups
For device groups, this operator can only be used between variables of the same type, as in the following example:
Routers.Model equals "12816" AND Routers.Model equals 12810
The following would be an invalid rule for a device group:

Routers.Model equals "12816" AND SwitchesAndHubs.Type equals "6509"
In the previous example, you would have to use the OR operator.
EXCLUDEDo not include these devices.
Object Type
The Object Type field lists the available objects that you can use to form a group. Depending upon the type of group you are creating, the Object Type field may contain the following choices:
AccessPort TrunkPort Interface Cable ContentNetworking Device DSLAndLRE Group InterfacesAndModules NetworkManagement Optical Routers SecurityAndVPN ServerFabricSwitches StorageNetworking SwitchesAndHubs UniversalGatewaysAndAccessServers Unknown VoiceAndTelephony Wireless
Variable
The Variable field lists the possible attributes for the selected object type to be used for the rule. The list of possible variables changes based on the object type that is selected. Some variables for port and interface groups are described in Table 5-11.
Operator
The Operator field defines the operator to be used in the rule. The list of possible operators changes based on the object type and the variable selected. When using the equals operator, the rule is case-sensitive.
Value
The Value field describes the value of the rule expression. The possible values depend upon the object type, variable, and operator selected. Depending on the operator selected, the value may be free-form text or a list of values.
5-56
OL-20721-01
Chapter 5
Most of the values that can be entered in the Value field of the Rules: Edit page are self-evident, but some of the objects in the Variables field have special meanings or restrictions on how to enter the related attribute in the Value field. Table 5-11 describes the objects that appear in the Variable field of the Rules: Edit page that might need further explanation.
Table 5-11 Explanations for the Values of Special Variables
Variable Description DuplexMode InterfaceCode MaxSpeed MaxTransferSpeed
Explanation Interface or port description. Duplex mode (FULLDUPLEX, HALFDUPLEX, or UNSPECIFIED). Interface types, protocols, or encapsulations. Maximum speed, in bits per second. Speed of the largest datagram that can be sent or received, specified in octets. For interfaces that use transmitting network datagrams, this is the speed of the largest network datagram that can be sent.
Mib2ifType
Type of interface, distinguished according to the physical or link protocols immediately below the network layer in the protocol stack, represented as a digit. Intended purpose (for example, for interfaces, backup, dial-on-demand, and so forth). Name of object. Name of the system. Name of system containing this element. System Object Identifier associated with vendor of system. Name of system supplier. Type of element (for example, interface), distinguished according to the physical or link protocols immediately below the network layer in the protocol stack.
Mode Name SystemModel SystemName SystemObjectID SystemVendor Type
Note
After you have defined the rule, you should verify the syntax. You can do this on the Rules: Edit page. Table 5-12 describes the remaining fields on the Rules: Edit page of the Group Creation Wizard.
Table 5-12 Fields on the Rules: Edit Page
Field/Button Add Rule Expression Rule Text
Description Used to add the rule expression to the group rules. Displays the rule. For complex rules (which contain both OR and AND conditions), you must manually add parentheses in this field. (In Editing a Fault Group, see Step 10 and Step 6.)
5-57
Managing Groups
Table 5-12
Fields on the Rules: Edit Page (continued)
Field/Button Check Syntax View Parent Rules
Description Verifies that the rule syntax is correct. Used to view the parent group rules. All parent group rules apply to the subgroups.
Examples of Rules
You want to create a group that contains all interfaces using full duplex mode in the Dallas location. Form the following rule:
Interface.Duplex.Mode contains "FULLDUPLEX" AND Location contains Dallas
Interface VariableDuplex.Mode OperatorContains ValueFULLDUPLEX Logical OperatorAnd VariableLocation Operatorcontains ValueDallas
You want to create a group that contains all of the security and VPN devices in the San Jose location. Form the following rule:
SecurityAndVPN.Location contains "SanJose"
Object TypeSecurityAndVPN VariableLocation OperatorContains ValueSan Jose
To understand the group rules, see the rules used for system defined groups. These rules appear in the Properties: Details page. For a description of the Properties: Details page, see Viewing Fault Group Details.
Finalizing Fault Group Membership

After the group rules have been defined, they are evaluated, and you can view the group members (except for port and interface groups, which are only used for polling and threshold purposes). In addition, the group membership can be modified by adding or removing specific objects. The group rule will be automatically modified to reflect the objects that were added or removed from the group. You add or remove specific objects from a group membership in the Membership: Edit page of the Create Group Wizard.
5-58
OL-20721-01
Chapter 5
Viewing the Fault Group Summary

The final step in the Create Group Wizard is viewing a summary page that displays the new group definition. Table 5-13 describes the fields on the Group Summary page of the Group Creation Wizard.
Table 5-13 Fields on the Group Summary Page
Heading/Button Group Name Parent Group Description
Description Name of the group you are creating. Parent group of the group you are creating. Text description of the group.
Membership Update Automatic (updated whenever the group is accessed) or upon user request (updated only when you click the Refresh button). Rules Visibility Scope Polling Overriding Group preview Threshold Overriding Group preview Rules used to filter group membership. Setting that determines whether all Cisco Prime users or only the created user can view the group. Click to display the Preview page. This page displays the priorities of the Polling Overriding Groups. Click to display the Preview page. This page displays the priorities of the Threshold Overriding Groups.
Viewing Fault Group Details

Information about a group is displayed on the Properties: Details page. To view the Fault group details:
Step 1
Either:
Or
Step 2 Step 3
In the Group Selector, select the group for which you want to view details. Click Details. The Properties: Details page appears.
5-59
Managing Groups
Table 5-14 describes the fields on the Properties: Details page.

Table 5-14 Fields on the Properties: Details Page
Heading/Button Group Name Parent Group Type Description Membership Update Created By Last Modified By Rules View Parent Rules Membership Details Cancel
Description Name of the group you are viewing. Parent group of the group you are viewing. Type of the objects that belong to the group. Text description of the group. Automatic (updated whenever the group is accessed) or upon user request (updated only when you click the Refresh button) Person who created the group. Last person to modify the group. Rules used to filter group membership. Used to view the parent group rules. All parent group rules apply to the subgroups. Used to view the list of devices that belong to the group. Does not apply to port and interface groups. Closes the page and takes you back to the Group Administration and Configuration page.
Viewing Fault Membership Details

You can view a list of the objects that belong to a group by accessing the Properties: Details page. Membership is not displayed for port and interface groups, which are used only for polling and threshold purposes.
Procedure
Step 1
Either:
Or
Step 2 Step 3
In the Group Selector, select the group for which you want to view details. Click Details. The Properties: Details page appears. Click Membership Details. The Membership: Details page appears.
Step 4
5-60
OL-20721-01
Chapter 5
Table 5-15 describes the fields on the Membership: Details page.

Table 5-15 Fields on the Membership: Details Page
Heading/Button Name Object Type Property Details Cancel
Description Name of the device for which you want to view membership details. Type of object for which you want to view details. Takes you back to the Properties: Details page. Closes the page and takes you back to the Group Administration and Configuration page.
Refreshing Fault Membership

Refreshing a group membership forces the group to recompute its membership by reevaluating its rules and obtaining membership information from the data collectors. Port and interface group membership lists are not supported, because these groups are only used for polling and threshold purposes.
Procedure
Step 1
Either:
Or
In the Group Selector, select the group you want to refresh. Click Refresh. In the confirmation dialog box, click Yes. In the next dialog box, click OK.
5-61
Chapter 5 Understanding Collector Group Rules
Managing Groups
Deleting Fault Groups

You can only delete user defined groups that are not one of the seven customizable groups.
Procedure
Step 1
Either:
Or
In the Group Selector, select the group you want to delete. Click Delete. In the confirmation dialog box, click Yes. In the next dialog box, click OK.
Edit, Refresh, and Delete cause internal processes to start. For this reason, LMS could experience a period of high CPU utilization after these processes are triggered.
Understanding Collector Group Rules

Every group is defined by a set of rules. A rule set contains a Boolean combination of individual rule expressions. You can access the IPSLA Collector groups using either:
Select Admin > System > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Or
Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group page appears.
Rules are created to filter in the devices that you want to include in the group, and to filter out those that you do not want in the group. While determining the devices that belong to a group, Group Management compares device information to the rule. If the information on a device satisfies all the requirements of the rule, it is placed in the group. The devices are filtered based on the data present in the IPSLA Performance database. One or more rule expressions can be applied to form a rule. Each rule expression contains the following:
object type.variable operator value
5-62
OL-20721-01
Chapter 5
Managing Groups Understanding Collector Group Rules

IPSLA Collector Group Administration Process Understanding IPSLA Collector Group Administration
Table 5-16 lists the various operators that can be used to create rules to group Collectors.
Table 5-16 Understanding Collector Group Rules
Field/Button OR, AND, EXCLUDE, INCLUDE
Description Logical operators.

ORInclude objects that fulfill the requirements of either rule. ANDInclude only objects that fulfill the requirements of both rules. EXCLUDEDo not include these objects. INCLUDE Include these objects
The Rule Text field appears only after a rule expression is added. Object Type Variable Operator Type of object (collector) that is used to form a group. Collector components, based on which you can define the group. For more information, see Collector Components. Operator to be used in the rule. The list of possible operators changes based on the Variable selected. When using the equals operator the rule is case-sensitive.
5-63
Managing Groups
Table 5-16
Understanding Collector Group Rules
Field/Button Value
Description Value of the rule expression. The possible values depend upon the variable and operator selected. Depending on the operator selected, the value may be free-from text or a list of values. Wildcard characters are not supported. The following are the values for the corresponding operations:

1 = echo 2 = pathEcho 5 = udpEcho 6 = tcpConnect 7 = http 8 = dns 9 = jitter 10 = dlsw 11 = dhcp 12 = ftp 14 = RTP 16 = icmpjitter 18 = VoipCallSetupPostDialDelay 19 = VoipGKRegDelay 1019-Ethernetping 1020-Ethernetjitter 1119-EthernetPingAutoIPSLA 1120-EthernetJitterAutoIPSLA
Add Rule Expression Rule Text Check Syntax View Parent Rules
Used to add the rule expression to the group rules. Displays the rule. Verifies if the rule syntax is correct. Use this button if you have entered the rules manually. Used to view the parent group rules. All parent group rules apply to the subgroups.
5-64
OL-20721-01
Chapter 5
Managing Groups Understanding Collector Group Rules
Collector Components
Table 5-17 lists the available group attributes that you can use for defining the User-Defined groups.
Table 5-17 Collector Components
Component Type Source Address Target Address Operation Type Operation Name VRF
Description Device IP address. Device IP address. All IPSLA operations available for LMS Name of a user-defined operation. Name of the VRF (Virtual Routing and Forwarding).
IPSLA Collector Group Administration Process

The IPSLA Collector Group Administration depends on the IPMOGSServer processes. If these processes are not running, then an error message appears:
Error in communicating with Group Administration Server. It may be down or not yet up. Please make sure that the Group Administration Server is up and running, then refresh the page.
You can resolve this error by starting the IPMOGSServer process. You can start this process using Admin > System > Server Monitoring > Processes. The Process Management page appears with all Cisco Prime processes listed. In the Process Management page, select the IPMOGSServer and click Start.
If the IPMOGS Server is down, do the following:
You can start the IPMOGS Server either from the CLI, or from the LMS UI. To start IPMOGS Server from the CLI: Enter NMSROOT/bin/pdexec IPM OGSServer where NMSROOT is the Cisco Prime installation directory. To start IPMOGS server from the LMS UI:
Step 1
Select Admin > System > Server Monitoring > Processes. The Process Management page appears with all Cisco Prime processes listed. Select IPM OGSServer in the Process Management dialog box. Click Start.
Step 2 Step 3
5-65
Managing Groups
If the CMFOGS Server is down, do the following:
You can start the CMFOGS Server either from the CLI, or from the LMS UI. To start CMF OGS Server from the CLI: Enter NMSROOT/bin/pdexec CMFOGSServer where NMSROOT is the Cisco Prime installation directory. To start CMFOGS server from the LMS UI:
Select Admin > System > Server Monitoring > Processes. Select CMFOGSServer in the Process Management dialog box. Click Start.
Understanding IPSLA Collector Group Administration

This section explains the various tasks that you can perform on the IPSLA Collector Group Administration. Table 5-18 lists the Fields and buttons available in the Group Administration page.
Table 5-18 IPSLA Collector Group Administration Page
Field/Buttons Group Selector Group Info
Description Hierarchical display of all available groups. Displays the following collector group information:

Group NameThe name of the group you selected. TypeThe type of objects in the selected group. DescriptionA text description of the group. Created ByThe person who created the group. You can also view the time at which the group was created. Last Modified ByThe last person to modify the group settings. You can also view the time at which the group was modified.
Create Edit Details Refresh Delete
Starts the Group Creation Wizard for creating a group, as described in the Creating and Modifying User-Defined Collector Groups. Starts the Group Edit Wizard for editing an existing group, as described in the Creating and Modifying User-Defined Collector Groups. Opens the Properties: Details page, as described in the Viewing Collector Group Details and Viewing Membership Details. Refreshes a group membership, as described in the Refreshing User-Defined Collector Group Membership. Deletes a group, as described in the Deleting User-Defined Collector Groups.
5-66
OL-20721-01
Chapter 5
Managing Groups Working with User-Defined Collector Groups
Working with User-Defined Collector Groups

These are collector groups created by the user based on a set of criteria such as operation name, operation type, source address, and target address. For example, if you want to create a location-based collector groups, you must select the devices used by that location and define the collector groups based on the criteria mentioned above. You can perform the following tasks on user-defined collector groups:

Creating and Modifying User-Defined Collector Groups Deleting User-Defined Collector Groups Viewing User-Defined Collector Groups Refreshing User-Defined Collector Group Membership
Creating and Modifying User-Defined Collector Groups

LMS provides a single wizard-based approach that leads you through the procedure to create multiple user-defined collector groups. This wizard process involves the following four steps:
1. 2. 3. 4.
Setting Collector Group Properties Defining Collector Group Rules Assigning Collector Group Membership Viewing the Collector Group Summary
You must complete all the four tasks in this sequence to create collector groups. If you exit the wizard at any stage using Cancel, the details you have specified will be lost and the collector groups will not be created.
Setting Collector Group Properties

In this step, you can enter the group properties such as name and description, copy the attributes from another group, change the parent group, and modify the parent group and membership update details, if required.
5-67
Chapter 5 Working with User-Defined Collector Groups
Managing Groups
To set or edit the collector group properties:

Step 1
Either:
Or
Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group page appears.
Step 2
Select the required group from the Group Selector pane. For example:

If you want to create or edit a group, select the User Defined Group folder from the Group Selector pane. If you want to create or edit a subgroup, select the required collector group under the User Defined Groups folder. Click Create to create a group or subgroup. Or Click Edit to edit a group or subgroup.
Step 3
You can either:
The Properties page appears.

Step 4
Specify the collector group name and description in the Group Name and Description fields. The Group Name must be unique within the parent group. However, you can specify the same name in some other groups. For example, if you already have a group named MyGroup in a group named Views under User-Defined Groups, you cannot use the same name for another subgroup in the group Views. However, you can use the name 'MyGroup' for the subgroup of another group in User-Defined Groups. After entering the group name and description, you can either copy the attributes of an existing group to the new group or proceed to Step 5. To copy the attributes of an existing group to the new group, do the following:
a.
Click Select Group. The Replicate Attributes window appears. Select the required collector group from the User Defined Groups folder. Click OK. All attributes except the group name are copied to the new group. The parent group you have selected for the group does not change even if you are copying attributes from a group that belongs to a different parent group.
b. c.
5-68
OL-20721-01
Chapter 5
To change the parent group, do the following:

a.
Click Change Parent. The Select Parent window appears. Select the required group. Click OK. The Properties page appears with the new parent group.
b. c.
Step 5
Select the Membership Update and Visibility Scope for the group. For more information, see Table 5-19. Click Next. The Rules page appears.
Step 6
Table 5-19
Setting Collector Group Properties
Field Group Name Copy Attributes from Group Parent Group Description Membership Update
Description Name of the group you are creating. Copy the attributes of an existing group to your new group using Select Group. Parent group of the group you are creating. You can change the parent group using Change Parent. Text description of the group. Group Membership is updated.

Automatic: Updates whenever the group is accessed. Only Upon User Request: Click Refresh. Private Groups: Visible only to users who created the group. Public: Visible to all users.
Visibility Scope
Defining Collector Group Rules

In this step, you can define the rules for the collector groups. This rule determines the contents and the collectors to be included in the collector group. This rule allows you to add collectors and VRFname based on the variables such as operation name, operation type, source address, and target address. You can use one or a combination of variables while defining the rule. The collectors that satisfy the rule will be added to the collector group. If you have created the collector group copying the attributes of another group, the rules specified for that group appears in the Rule Text field. You can retain these and add more rules, or delete these rules and create a new set of rules.
Note
All rules assigned to a parent group also apply to any of its subgroups.
5-69
Managing Groups
In the Rules page, you can either enter the rules directly in the Rule Text field or select the components of the rule from the Rule Expression fields and define a rule. Table 5-20 lists the various Fields and Buttons available in the Rules page.
Table 5-20 Defining Collector Group Rules
Field/Buttons OR, AND, EXCLUDE

ORInclude objects that fulfill the requirements of either rule. ANDInclude only objects that fulfill the requirements of both rules. EXCLUDEDo not include these objects.
The Rule Text field appears only after a rule expression is added. Object Type Variable Operator Type of object (Collector) that is used to form a group. All IPSLA Collector group rule expressions begin with the same Object Type, IPM:Collector Management: Collector. Collector attributes, based on which you can define the group. For more information, see Collector Components. Operator to be used in the rule. The list of possible operators change based on the Variable selected. When using the Equals operator, the rule is case sensitive. Value Value of the rule expression. The possible values depend upon the variable and operator selected. Depending on the operator selected, the value may be free-form text or a list of values. Wildcard characters are not supported. Add Rule Expression Rule Text Check Syntax View Parent Rules Used to add the rule expression to the group rules. Displays the rule. Verifies that the rule syntax is correct. Use this button if you have entered the rules manually. Used to view the parent group rules. All parent group rules apply to the subgroups. For group rule restrictions and examples, see Understanding Collector Group Rules.
5-70
OL-20721-01
Chapter 5
To define the collector group rules:

Step 1
Either:
Or
Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears.
Step 2 Step 3
Select the Object Type from the drop-down list. Select the required variables from the Variable drop-down list. You can select one or a combination of variables. The variables available are Operation Name, Operation Type, Source Address, VRF name, and Target Address. For more information, see Table 5-20. Select the Boolean operator from the Operator drop-down list. The Boolean operators change based on the variable you have selected. For more information, see Table 5-20. Specify the Value for the variable you have selected. Click Add Rule Expression. The IPSLA Collector Group Administration creates the rule based on the parameters you specified and adds it to the rules already present in the Rules Text field. You can use the same procedure to add more rules. If you want to delete a rule expression, you have to select the complete expression including the logical operator and press the Delete key on your keyboard.
Step 4
Step 5 Step 6
Step 7
Click Check Syntax to validate the rules expression syntax. If the Syntax is correct, a confirmation message appears, The rule syntax is valid. If the Syntax is incorrect, an error message appears with syntax error messages along with the line and column number.
Step 8 Step 9
Click View Parent Rules to view the parent and group rules. Click Next. The Membership page appears.
Assigning Collector Group Membership

The Membership page allows you to create a highly customized user-defined collector group. This page lists the collectors in two panes, namely Objects From Parent Group and Objects Matching Membership.

Objects From Parent GroupLists the collectors in the parent group. Objects Matching MembershipLists the collectors that satisfy the rule defined by you. You can add or delete collectors from this pane. You can also add collectors from the parent group to create the collector group.
5-71
Managing Groups
To assign collector group membership:

Step 1 Step 2
Select the required collectors from the Objects From Parent Group pane. Click Add. The selected collectors are added to the Objects Matching Membership pane. Click Next. The Summary page appears with the User-Defined Group properties.
Step 3
To remove collectors from the group:

Step 1 Step 2
Select the required collectors from Objects Matching Membership pane. Click Remove. The selected collectors are removed from the Objects Matching Membership pane and added to the Objects From Parent Group pane.
Step 3
Click Next. The Summary page appears with the summary of the user-defined collector group.
Viewing the Collector Group Summary

The final step is the Summary page that displays the new group definition as in Table 5-21.
Table 5-21 Understanding Collector Group Summary
Field Group Name Description Parent Group
Description Name of the group you are creating. Text description of the group. Parent group of the group you are creating. You can change the parent group using Change Parent. You can select only IPSLA Collector User-Defined groups. You cannot edit this field in the Edit flow.
Membership Update
Updates group membership. Membership updates can be automatic (updated every time the group is accessed) or upon user request only (updated only when you click Refresh).
Rules Visibility Scope
Rules used to filter group membership. Describes if the group is public (all users) or private (only for the group owner).
5-72
OL-20721-01
Chapter 5
To view the collector group summary:

Step 1
Click Finish to complete the procedure for creating collector groups. A confirmation message appears. Click OK. You can view the newly created user-defined collector group in the Group Selector pane. Or Click Back to modify the group properties.
Step 2
Deleting User-Defined Collector Groups

In the The IPSLA Collector Group Administration page, you can use the Delete option to delete the user-defined collector groups. During the deletion process, only the collector group is deleted , and the associated collectors are not deleted. You cannot delete the system-defined collector groups. To delete user-defined collector groups:
Step 1 Step 2
Select the group for which you want to view details from the Group Selector pane. Click Delete. A confirmation message appears.
Viewing User-Defined Collector Groups

This section explains how to view the group and membership details and refresh the same.

Viewing Collector Group Details Viewing Membership Details Refreshing User-Defined Collector Group Membership
Viewing Collector Group Details

The Property Details page displays the group details. To view the collector group details:
Step 1
Either:
Or
5-73
Managing Groups
Step 2 Step 3
Select the group for which you want to view details from the Group Selector pane. Click Details. The Property Details page appears. For more information, see Table 5-22.
Table 5-22
Viewing Collector Group Details
Field/Button Group Name Parent Group Type Description Membership Update Created By Last Modified By Rules Visibility Scope View Parent Rules Membership Details Cancel
Description Name of the group you are viewing. Parent group of the group you are viewing. Type of the objects that belong to the group. Text description of the group. How group membership is updated. Person who created the group. This also displays the time at which it was created. Last person to modify the group. This also displays the time at which it was modified. Rules used to filter group membership. Indicates whether the group is Public (visible to all users) or Private (visible only for the group owner). Allows you to view the parent group rules. All parent group rules apply to the subgroups. Allows you to view the membership details. Takes you back to the Group Administration page.

The Property Details page allows you to view a list of the objects that belong to a group. To view the membership details:
Step 1
Either:
Or
Step 2 Step 3
Select the group for which you want to view details from the Group Selector pane. Click Details. The Property Details page appears.
5-74
OL-20721-01
Chapter 5
Step 4
Click Membership Details. The Membership Details page appears. For more information, see Table 5-23.
Table 5-23 Viewing Membership Details
Field/Button Name Object Type Property Details Cancel
Description Name of the device. Type of object. Takes you back to the Property Details page. Takes you back to the Group Administration page.
Refreshing User-Defined Collector Group Membership

Refreshing a group membership forces the group to recompute its membership by reevaluating its rules and obtaining membership information from the data available. To refresh the membership of the group:
Step 1
Either:
Or
Step 2 Step 3
Select the group for which you want to view details from the Group Selector pane. Click Refresh to refresh the membership of the selected group. The Refresh Group Confirmation dialog box appears. Click OK. A message appears that the selected group membership has been refreshed. Or Click Cancel to return to the Group Administration page.
Step 4
5-75
Chapter 5 Operation-Based Collector Groups (System-Defined)
Managing Groups
Operation-Based Collector Groups (System-Defined)

The operation-based collector groups are predefined groups available with IPSLA module in LMS by default. They are also referred as system-defined collector groups. The various operation-based collector groups available are Echo, Path Echo, UDP Echo, ICMP Jitter, UDP Jitter, Call Setup Post Dial Delay, Gatekeeper Registration Delay, RTP, DNS, DHCP, HTTP, FTP, DLSW, TCP Connect, Ethernet Jitter, Ethernet Ping, Ethernet Jitter Auto IP SLA and Ethernet Ping Auto IP SLA. You can perform the following tasks on operation-based collector groups:

Viewing Operation-Based Collector Details Refreshing Operation-Based Collector Groups
To view the details of an operation-based collector group:

Step 1
Either:
Or
Step 2 Step 3
Select the default operation name from the Group Selector pane for which you want to view the collector group details. Click Details. The system-defined collector group details appear. Click Membership Details to know the membership details of this system-defined collector group. The Membership Details page appears.
Step 4
To refresh the membership of an operation-based group:

Step 1 Step 2
Select the group for which you want to view details from the Group Selector pane. Click Refresh to refresh the membership of the selected group. The Refresh Group Confirmation dialog box appears. Click OK. A message appears that the selected group membership has been refreshed. Or Click Cancel to return to the Group Administration page.
Step 3
5-76
OL-20721-01
CH A P T E R
Administering Data Collection

Data Collection runs automatically when you add, or delete devices in the Unified Device Manager (UDM). This section explains:

Modifying SNMP Timeouts and Retries. For details, see Modifying Data Collection SNMP Timeouts and Retries. Scheduling Data Collection. For details, see Scheduling Data Collection. Configuring Polling options. For more details, see Data Collection Critical Device Poller.
Modifying Data Collection SNMP Timeouts and Retries

You can modify the SNMP timeouts and retries when Data Collection fails for a particular device with SNMP timeout exceptions. The SNMP fallback methodology applicable for Data Collection, UT Acquisition, and Dynamic UT is as follows:

If you have configured a device with SNMP v2 or v1 settings in DCR, then the device is initially queried with SNMP v2. If the query fails, LMS will query the device with SNMP v1. If you have configured a device with SNMPv3 settings in DCR, then the device is queried with SNMP v3. However, if the query fails, the same device will not be queried with SNMP v2 or v1.
To modify SNMP timeouts and retries:

Step 1
Select Admin > Collection Settings > Data Collection > Data Collection SNMP Timeouts and Retries. The SNMP Timeouts and Retries dialog box appears.
Step 2
Modify the SNMP settings as given in Table 6-1.
6-1
Chapter 6 Modifying Data Collection SNMP Timeouts and Retries
Table 6-1
Modify Data Collection SNMP Timeouts and Retries
Field Target
Description Denotes the Target device. You should enter IPv4 or IPv6 address of the target device in this field. You can also use wildcard characters or range of numbers to specify the target device. For example, you can enter 10.[77-78].*.* or ABCD:EF12:*:*:*:*:[3A-BB] as the target device
Timeouts
Time period after which the query times out. This also indicates the time interval between the request and the first initial response from the device. The SNMP response may be slow for remote devices. If your network has remote devices connected over a slow link, configure a higher value for time-out. If timeout is increased, discovery time could also increase. Enter the value in seconds. For every retry, the timeout value is doubled. For example, If the timeout is 10 seconds and retries 4: LMS waits for 10 seconds for response for the first try, 20 seconds for the second retry, 40 seconds for the third retry and 80 seconds for the fourth retry. 150 seconds (10+20+40+80) is the total time lapse after which LMS stops querying the device.
Retries
Step 3 Step 4
Number of attempts made to query the device. The allowed range is 0-8.
Click Add to add SNMP settings. Select a row and either:
Click Edit to edit the timeouts and retries values. Click Delete to delete the timeouts and retries values.
Or
Click OK to save the changes or click Cancel to exit.

Step 5
Click Apply.
6-2
OL-20721-01
Chapter 6
Administering Data Collection Scheduling Data Collection
Scheduling Data Collection

Data Collection runs automatically when you add, or delete devices in the Unified Device Manager (UDM). You can also schedule the day and time of data collection using this feature. You can start data collection immediately for all or failed devices and schedule data collection for all devices. All devices is a default option. You can select the Failed devices option to run data collection for failed devices. To schedule data collection:
Step 1
Select Admin > Collection Settings > Data Collection > Data Collection Schedule. The Data Collection Schedule dialog box appears. Modify the data collection settings as described in Table 6-2.
Table 6-2 Data Collection Schedule Settings
Step 2
Field
Schedule
Description Days on which and the time at which data collection is scheduled.
Usage Notes The optimum data collection schedule depends on the size of the network and the frequency of network changes. The default data collection schedule is every 4 hours, on the 4-hour mark, daily: 04.00, 08.00, 12.00, 16.00, 20.00, 24.00 Note that time is in the 24-hour format.
Days, Hour, Min
Step 3
Select a schedule and click Edit to edit the schedule. Select a schedule and click Delete to delete the schedule. Click Add to add a new schedule.
Best Practices
Be cautious while scheduling Data Collection:

Data Collection consumes significant resources on the network management system. Use the Polling option to see the device and link status without running data collection. For more details on polling see, Data Collection Critical Device Poller
6-3
Chapter 6 Data Collection Critical Device Poller
Data Collection Critical Device Poller

LMS polls the entire network for device and link status periodically.This feature allows you to:

Configure the time interval at which the network is polled. Poll only a critical set of devices. Use this option to see the device and link status without running Data Collection. Since Data Collection consumes significant system resources, you can simply poll the network and view the device and link status in Topology maps.
Adding Critical Devices to the Device Poller
To add a device to the Critical Devices list from Topology Map:

Step 1 Step 2
Launch a Topology map. Right click a device and select Add device to Critical Poller.
To add a device to the Critical Devices list from N-Hop View Portlet:
Step 1 Step 2
Launch N-Hop View Portlet. Go to the configuration screen and select Poll devices.
Caution
If the critical set of devices is more than 30, the amount of traffic generated as part of the polling cycle will use a large amount of bandwidth. To configure Device Poller:
Step 1
Select Admin > Collection Settings > Data Collection > Data Collection Critical Devices Poller. The Device Poller screen appears. Configure the device poller options as specified in Table 6-3.
Table 6-3 Device Poller Options
Step 2
Field
Polling Details
Description
Usage Notes
All Devices Critical Devices
Specifies that all devices in the network will By default the whole network is polled every 2 be polled at the specified interval. hours. Specifies that only critical devices in the network will be polled at the specified interval. You can configure this option when you need to poll a few devices in the network more frequently. By default, the critical devices are polled every five minutes.
6-4
OL-20721-01
Chapter 6
Administering Data Collection Data Collection Critical Device Poller
Table 6-3
Device Poller Options
Field Time Interval
Description
Usage Notes
Time interval at which the specified devices Configure this option to change the interval from the default value. are polled. The time interval is added to the completion time of Data Collection. For example, you have configured the following:

Data Collection is scheduled to run at 07:00 hours Time interval is set to 4 hours.
If Data Collection completes at 08:00 hours, the next polling will happen at 12:00 hours (8 + 4). Show Devices For Critical Devices: Displays the list of critical devices in the network. The following information about the Critical Devices is displayed:

IP Address DeviceName
You can choose any device and click Delete to remove it from the Critical Device poller list. For All Devices: Launches the Data Collection report. The following information about the devices in the network is displayed:
Step 3
IP Address DeviceName DeviceType Neighbors
Click Apply to save the configuration.
6-5
CH A P T E R

User Tracking application of LMS allows you to track end stations. This chapter contains the following sections:

Understanding User Tracking Using User Tracking Administration Understanding Dynamic Updates Using User Tracking Utility
Understanding User Tracking

User Tracking helps you to locate and track the end hosts in your network. In this way, you get the information required to troubleshoot and analyze connectivity issues. The application identifies all end users connected to the discovered Cisco access layer switches on the network, including printers, servers, IP phones PCs and wireless hosts. User Tracking collects the details of the end users and the layer 2 connections, and updates User Tracking table in the LMS database. This is done through automated polling of the network, by User Tracking (UT) Major Acquisition process. In addition to polling the network, the Dynamic UT process receives details from the end users and updates the database dynamically. User Tracking also computes subnet related data and updates the database with complete host information. Thus you get latest information about the changes in the connections on your network. You can also configure User Tracking to collect usernames of the end hosts connected in the network. The user names are collected from the UTLite process installed in UNIX hosts, Primary Domain Controller (PDC), or Novell Directory Services (NDS). This makes it easier for you to locate and track specific users in your network. You can sort and query the User Tracking table that contains details such as VLANs, switches and switch ports to which the end users are connected. Predefined reports such as the reports on duplicate IP addresses or MAC addresses, multiple MAC addresses enable you to accurately locate the end users. Switch Port reports give you information on:

Recently down ports Ports that are in unused condition for the specified interval Connected ports and Free ports Percentage utilization of ports for each device
7-1
Chapter 7 Understanding User Tracking
These reports give a clear picture of the switch port utilization in the network and help you in doing capacity planning for the network. To generate Switch Port reports Select Reports > Switch Port from the megamenu. This topic covers:

Using User Tracking Accessing UT Data Various Acquisitions in User Tracking
Using User Tracking

You can use User Tracking to:
Display information about the connectivity between the devices, users, and hosts in your network. For example, you might want to identify all users connected to a particular subnet, or all hosts on a particular switch. Display information about the IP phones registered with discovered Media Convergence Servers. Use simple queries to limit the amount of information User Tracking displays. Configure or limit the User Tracking acquisition by subnets. Create and save simple and advanced queries. Modify, add, and delete username and notes. You can configure User Tracking Acquisition settings to collect usernames during UT Major Acquisition and update the UT table. The user names are collected from the UTLite process.
Customize User Tracking table layouts. For example, you can design a layout that displays only the MAC addresses of hosts on your network.
View User Tracking reports that identify Switch Port usage, duplicate IP addresses, duplicate MAC addresses, duplicate MAC and VLAN names, and ports with multiple MAC addresses. You can also view History Reports for Switch port utilization, and the connection and disconnection of endhosts and users from your network. You can set the schedule for generating the reports, and also generate the reports for a subset of devices.
Launch Device Center, host center, phone center.
Accessing UT Data
The following are the ways to access User Tracking data:
Quick Reports
You can generate End hosts or IP Phones report based on the given filter criteria For example, you can generate reports on end hosts that belong to a specific VLAN. To generate these reports, Select Reports > Inventory > User Tracking > Quick Report.
7-2
OL-20721-01
Chapter 7
User Tracking and Dynamic Updates Understanding User Tracking
Scheduled Reports
You can schedule reports that run at the specified date and time. You can generate immediate reports or schedule them to run once or at repetitive intervals.
Custom Reports
You can customize the layout and columns displayed in the reports to suit your needs. To generate these reports select Reports > Report Designer > User Tracking > Custom Reports.
Command Line Interface
You can generate various User Tracking reports from the Command Line Interface also. For more details, see User Tracking Command Line Interface.
Data Extraction Engine is a LMS UTility that allows you to generate User Tracking data in XML format. For more details, see Overview of Data Extraction Engine.
User Tracking Utility
Cisco Prime User Tracking Utility 2.0 is a Windows desktop utility that provides quick access to useful information about users or hosts discovered by LMS User Tracking application. You can use UTU search band to search for the users or hosts in your network. You can search using user name, host name or IP address, or MAC address.
Various Acquisitions in User Tracking

This section explains the various acquisitions that can be done using LMS, to get information about the end users.
User Tracking Major Acquisition
Discovers all the end hosts that are connected to the devices managed by LMS. For details on the various options that can be set before starting an acquisition, see Modifying UT Acquisition Settings. User Tracking Acquisition can also be initiated from the CLI prompt. To do so, enter the following command: NMSROOT/campus/bin/ut cli
performMajorAcquisition u
userid -p password
where NMSROOT is the directory where you have installed Cisco Prime. For more details, see User Tracking Command Line Interface.
User Tracking Minor Acquisition
Minor acquisition occurs on a device if any of the following changes take place:

A new endhost or IP phone is added to the network. Port state changes (when the port comes up or goes down). A new VLAN is added to the network. There is a change in the existing VLAN.
7-3
Chapter 7 Using User Tracking Administration
Minor acquisition updates the LMS database with just the changes that have happened in the network. It is triggered at regular intervals. The default for these intervals is 60 minutes. You can configure the interval at which the acquisition takes place. For details on modifying the acquisition interval, see Modifying UT Acquisition Schedule
User Tracking IP Phone Acquisition
Discovers all phones registered in Cisco Call Managers (CCM), that are managed by LMS.
Subnet based User Tracking Major Acquisition
User tracking subnet based acquisition would run only on those subnets that are configured in LMS. LMS discovers end hosts on all the VLANs available in the configured subnets. Do subnet based acquisition, when you need details about the end hosts connected to a particular subnet or a select set of subnets. The acquisition completes faster, since it is not run on all devices managed by LMS. For details on running subnet based acquisition, see Configuring UT Subnet Acquisition
Single device on-demand User Tracking Acquisition
This discovers the end hosts on all the VLANs available in the selected device. Hence this acquisition is useful for collecting information only on end hosts connected to the specified device. For details on initiating this type of acquisition, see Configuring User Tracking Acquisition Actions
Using User Tracking Administration

You can perform the following administrative tasks using User Tracking Administration:
Modify Acquisition settings. Before you start collecting information about the hosts in your network, you can set various options that control the way in which Acquisition happens. For example, you can set LMS to perform DNS lookup, while resolving the IP address of a host. For complete details, see Modifying UT Acquisition Settings Schedule Acquisition. You can set the day and time of the week when you want to run Major Acquisition. The time interval at which Minor Acquisition happens in the network can also be set. For more details, see Modifying UT Acquisition Schedule Configure Ping Sweep options for Acquisition. You can configure LMS to perform Ping Sweep on selected subnets, during Acquisition. For more details, see Modifying Ping Sweep Options Configure Subnet Acquisition. You can trigger acquisition on a single subnet or a select set of subnets. Subnet based acquisition collects details about the end hosts that are connected to a particular subnet or a select set of subnets. This Acquisition completes faster, since it is not run on all devices managed by LMS. For more details, see Configuring UT Subnet Acquisition
7-4
OL-20721-01
Chapter 7
User Tracking and Dynamic Updates Using User Tracking Administration
Configure end host and IP phone data delete interval. You can modify the time interval for deleting entries from the End Host Table, IP Phone Table, or the History Table from the database. For more details, see Deleting User Tracking Purge Policy Details Configure UT Acquisition to discover end hosts connected to non-link trunk ports. Normally UT Acquisition only discovers end hosts that are connected to access ports. If you enable this feature, UT Acquisition also discovers end hosts that are connected to non-link trunk ports. For more details, see Configuring UT Acquisition in Trunk for End Host Discovery Specify Purge Policy. You can specify the intervals at which you want old reports and jobs to be purged. You can save the Purge Policy, so that the older jobs and archives are purged at the specified interval. For more details, see Specifying User Tracking Report Purge Policy Specify Domain Name display. You can specify the way in which domain names are to be displayed in User Tracking Reports. For more details, see Specifying Domain Name Display. Import information on end hosts. You can import user names and notes of end hosts that are already discovered by User Tracking, from a file. For more details, see Importing Information on End Host Users Enable Dynamic User Tracking. Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps. LMS tracks changes about the end hosts and users on the network to provide real-time updates, based on these traps. For more details, see Understanding Dynamic Updates Enable Debugging options. When you face issues in running User Tracking, logging can be enabled for debugging purposes. For more details, see Debugging Options for User Tracking Server and Debugging Options for User Tracking Reports
7-5
Viewing User Tracking Acquisition Information

You can view acquisition information. To view acquisition information:
Step 1
Either:
Select Admin > Collection Settings > User Tracking > Acquisitions Info. Or Select Inventory > User Tracking Settings > Acquisition Summary.
The acquisition information appears with the following information: Field Acquisition status Last acquisition type Description Status of the User Tracking Major Acquisition process. It can be either Idle or Running. Type of User Tracking acquisition that you had performed last time. Types of acquisition are:

MajorUser Tracking Major Acquisition DevicesUser Tracking Acquisition for a device SubnetsUser Tracking Acquisition for subnets IP PhonesUser Tracking Acquisition for IP phones
Acquisition start time Acquisition end time
Date and time at which User Tracking started the Acquisition process. This is displayed in the format dd mon yyyy hh:mm:ss. Date and time at which User Tracking stopped the Acquisition process. This is displayed in the format dd mon yyyy, hh:mm:ss time zone. Number of major and minor acquisitions performed. Number of hosts found after User Tracking acquisition. Number of MAC addresses that have duplicate entries in the list of hosts found. Number of IP addresses that have duplicate entries in the list of end hosts found. Number of Cisco CallManagers in the list of devices found after Data Collection. Number of IP phones available in the LMS managed network. Date and time of the previous LMS Data Collection process. This is displayed in the following format: dd mon yyyy hh:mm:ss time zone. Status of the LMS Data Collection process. It can be either Idle or Running.
Number of acquisitions Number of host entries Number of duplicate MAC Number of duplicate IP Number of CCM hosts Number of IP phone entries Last Campus data collection completed at Data collection status
7-6
OL-20721-01
Chapter 7
Configuring User Tracking Acquisition Actions

You can trigger the following acquisitions from this page:

Device based Acquisition Subnet based Acquisition IP Phone Acquisition
To configure the required acquisition:

Step 1
Either:
Select Admin > Collection Settings > User Tracking > Acquisition Action. Or Select Inventory > User Tracking Settings > Acquisition Actions.
The Acquisition Actions dialog box appears.

Step 2 Table 7-1
Configure Acquisition Actions as specified in Table 7-1.
Acquisition Actions
Field Select a type
Description
Usage Notes
You can select the type of acquisition. Type When you select a type of acquisition the appropriate of acquisition can be: fields are displayed.

Device Subnet IP Phones If you do not select the All hosts and users check box, the device selection field is enabled and you can enter the name or IP address of the device for which you require data. Click Select to select the device from the list of available devices.
Scope Selection
Select the All hosts and users check box to acquire information about all hosts and users in your network.
Device Selection
Device Name or IP Enter the name or IP address of the device Address about which data is to be acquired.
Subnets
Type Selection
Subnet Selection
You can choose to get data about a particular If you choose to acquire data about a particular subnet, the subnet or about all the configured subnets. subnet selection fields are enabled. Select the IDs of the subnets on which you need to get data. This field is enabled only if you select the Subnet option in the Type Selection area. Click Select to select the subnet ID from the list of available subnets.
Subnet ID
7-7
Table 7-1
Acquisition Actions (continued)
Field Subnet Mask Acquire Only VLAN Specific to Subnet
Description Enter the subnet mask. Select this check box to get data only about the VLANs specific to the subnet.
Usage Notes If you select the subnet ID, the subnet mask is automatically entered.
If you select this check box, only the work stations associated with the VLANs that are mapped to the selected subnets will be acquired. If you do not select this check box, work stations associated with all the available VLANs in the selected subnets will be acquired.
You do not have to specify any details for the IP Phones option.
Step 3
Click Start Acquisition.
Using User and Host Acquisition

You can modify the Acquisition settings and Acquisition schedule using the User and Host Acquisition option. This section contains:

Modifying UT Acquisition Settings Configuring Rogue MAC List Modifying UT Acquisition Schedule Modifying Ping Sweep Options Configuring UT Subnet Acquisition Deleting User Tracking Purge Policy Details Configuring UT Acquisition in Trunk for End Host Discovery Specifying User Tracking Report Purge Policy Importing Information on End Host Users
Modifying UT Acquisition Settings

You can modify User Tracking Acquisition settings. This section contains:

Modifying Acquisition Settings from UI UT Behaviour in DHCP Environment for Missing IP address Configuring Properties That Support Duplicate MAC Addresses Configuring User Tracking Properties from the Backend
7-8
OL-20721-01
Chapter 7
Modifying Acquisition Settings from UI
To modify acquisition settings:

Step 1
Select Admin > Collection Settings > User Tracking > Acquisition Settings. The Acquisition Settings dialog box appears. Modify the acquisition settings as specified in Table 7-2.
Step 2 Table 7-2
Acquisition Settings Field Description
Field Enable User Tracking for DHCP Environment
Description Enables User Tracking for DHCP Environment.
Usage Notes If you enable this property, it allows you to control inclusion and exclusion of Duplicate MAC addresses in the Acquisition. To understand the behavior of User Tracking in case of missing IP address, see UT Behaviour in DHCP Environment for Missing IP address. For details on properties that support Duplicate MAC addresses, see Configuring Properties That Support Duplicate MAC Addresses.
Enable User Tracking on Access Points
Enables User Tracking on Access Points
This is enabled by default and allows UT Major Acquisition process to collect Access point information. However, WlseUHIC cannot collect Wlse related end host information. If disabled, it precludes Access point acquisition. However, WlseUHIC collects Wlse related end host information.
Get user names from UNIX hosts
Select this option to allow Acquisition to collect the active usernames of UNIX hosts. UNIX user names are updated at the end of major acquisitions.
Collects information only for users, who are logged into the console port of the UNIX hosts.
Get user names from hosts Allows LMS to collect active user This option helps you to: in NT and NDS names on the Windows or Novell Collect information only for users who are currently Directory Service (NDS) servers. logged into the network.
Collect information from NDS hosts. You must use NDS 5.0 or later.
For this option you need to install the UTLite script.
7-9
Table 7-2
Acquisition Settings Field Description (continued)
Field Use DNS to resolve host names
Description Resolves host names using DNS.
Usage Notes User Tracking performs DNS Lookup for a host to resolve its IP address. When you choose this option the Advanced button is enabled. Click on this to launch the Advanced UT Acquisition Settings window. The following options are available:
DNS threads Number of parallel threads allowed for name resolution. The default value is 1. Maximum number of threads allowed is 12.
DNS Timeout Time duration for which UT waits for a response from the DNS server, for name resolution. The value should be entered in milli seconds. The default value is 2000 milliseconds (2 seconds).
Enter values and click OK to save changes. User Port Number Specify the UDP port number from You must use the default port number unless it is already in where logon and logoff messages use. This port number must match the port indicated in the login script. are received from hosts in Windows and NDS. Enable notification when Rogue LMS sends e-mails to the specified addresses, when MACs are detected in the network. unauthorized end hosts are detected in the network. Specify the E-mail IDs to be notified when Rogue MACs are detected in the network. You can enter multiple E-mail IDs separated by commas. This field is enabled only when you check the Rogue MAC Detection field.
Rogue MAC Detection E-Mail
Define Rogue MACs New MAC Detection E-Mail
Specify the list of Rogue MACs in For details, see Configuring Rogue MAC List. the screen that is launched. Enable notification when new LMS sends e-mails to the specified addresses, when new MACs are detected in the network. end hosts are detected in the network. Specify the E-mail IDs to be notified when new end hosts are detected in the network. You can enter multiple E-mail IDs separated by commas. This field is enabled only when you check the New MAC Detection field.
Step 3 Step 4
Click Apply to save the modifications in the settings. Click Start Acquisition to start User Tracking Acquisition with the modified settings.
7-10
OL-20721-01
Chapter 7
UT Behaviour in DHCP Environment for Missing IP address
Selecting the Enable User Tracking for DHCP Environment property allows you to control inclusion and exclusion of Duplicate MAC addresses in UT Acquisition. LMS will not get the IP address of end hosts, if the Router is not reachable or if it is excluded from DCR. In such cases, behaviour of User Tracking after enabling Enable User Tracking for DHCP Environment property, is explained in Table 7-3. The conventions used in Table 7-3 are:

MACx MAC address of the endhost IPx IP address of the endhost Device x Device to which the end host is connected. Time in xx:xx format Time entries in the Last seen column NA Not Available.
Note
The explanation given for scenarios 1 and 2 holds good, irrespective of the value set for Enable User Tracking for DHCP Environment property.
Table 7-3
Scenario Scenario1: Missing IP Address MAC1 MAC1 NA IP1 Device 1 Device 1 6:35 6:40
Explanation For an endhost, if the IP address is not available in the first UT acquisition, but is available in the next, the IP address field in the database is updated with the value that is currently discovered.
What gets Updated in Database MAC1 IP1 Device 1 6:40
Scenario 2: Missing IP Address MAC1 MAC1 IP1 NA Device 1 Device 1 6:45 6:50 For an endhost, if the IP address is MAC1 available in the first UT acquisition, but is not available in the next, the older value for IP address is retained in the database. IP1 Device 1 6:50
Scenario 3: Single MAC, Multiple IP Addresses MAC1 MAC1 MAC1 MAC1 IP1 IP2 IP3 NA Device 1 Device 1 Device 1 Device 1 6:55 6:55 6:55 7:00 MAC1 For an endhost with Single MAC address but multiple IP addresses, if MAC1 UT does not get the IP address in the current acquisition, it retains the MAC1 older values in the database. IP1 IP2 IP3 Device 1 Device 1 Device 1 7:00 7:00 7:00
Scenario 4: Dynamic change in IP Address
7-11
Table 7-3
Scenario MAC1 MAC1 MAC1 MAC1 IP1 IP2 IP3 NA Device 1 Device 1 Device 1 Device 1 4:00 5:00 6:00 7:00
Explanation
What gets Updated in Database MAC1 IP1 IP2 IP3 Device 1 Device 1 Device 1 4:00 5:00 7:00
MAC1 For an endhost with different IP addresses at different points of MAC1 time, if UT does not get the IP address in the current acquisition, it retains the value that was last discovered.
Scenario 5: Endhost moving between devices MAC1 MAC1 MAC 1 IP1 IP1 NA Device 1 Device 2 Device 1 4:00 5:00 6:00 When an end host moves between MAC1 devices, if UT does not find the IP address in the current acquisition, it retains the IP address value that was last discovered for that device. IP1 Device 1 6:00
Configuring Properties That Support Duplicate MAC Addresses
The following properties can be configured in the ut.properties file stored in NMSROOT/campus/etc/cwsi/ where NMSROOT is the root directory where you installed Cisco Prime. Table 7-4 lists the properties that support Duplicate MAC Addresses
Table 7-4 Properties Supporting Duplicate MAC Addresses
Property UT.DuplicateMac.Include_SwitchPorts
Description List of switchports connected to endhosts, for which duplicate MAC entries need to be included in UT Major, UT Minor, UT device based, and UT subnet based Acquisition. List of switchports connected to endhosts, for which duplicate MAC entries need to be excluded in UT Major, UT Minor, UT device based, and UT subnet based Acquisition. List of switches connected to end hosts, for which duplicate MAC entries need to be included in UT Major, UT Minor, UT device based, and UT subnet based Acquisition. List of switches connected to end hosts, for which duplicate MAC entries need to be excluded in UT Major, UT Minor, UT device based, and UT subnet based Acquisition. List of VLANs associated with endhosts, for which duplicate MAC entries need to be included in UT Major, UT Minor, UT device based, and UT subnet based Acquisition.
UT.DuplicateMac.Exclude_SwitchPorts
UT.DuplicateMac.Include_Switches
UT.DuplicateMac.Exclude_Switches
UT.DuplicateMac.Include_Vlans
7-12
OL-20721-01
Chapter 7
Table 7-4
Properties Supporting Duplicate MAC Addresses
Property UT.DuplicateMac.Exclude_Vlans
Description List of VLANs associated with endhosts, for which duplicate MAC entries need to be excluded in UT Major, UT Minor, UT device based, and UT subnet based Acquisition. List of subnets associated with endhosts, for which duplicate MAC entries need to be included in UT Major, UT Minor, UT device based, and UT subnet based Acquisition. List of subnets associated with endhosts, for which duplicate MAC entries need to be excluded in UT Major, UT Minor, UT device based, and UT subnet based Acquisition.
UT.DuplicateMac.Include_Subnets
UT.DuplicateMac.Exclude_Subnets
For the above list of properties:

Values should be separated by commas. IP addresses of the devices should be given. Port numbers should be given along with the device IP address as deviceip:port. The Exclude list takes precedence over the Include list. If you use the Include list OR the Exclude list alone, the duplicate MAC addresses will be included or excluded as specified. For example, if you set the Include list as, UT.DuplicateMac.Include_Switches=X,Y Duplicate MAC addresses will be allowed only for endhosts connected to Switches X and Y. Duplicate addresses will not be allowed for any other endhost.
The usage scenario for the above lists is as follows:
If you set both Include and Exclude list as, UT.DuplicateMac.Include_Switches=X,Y UT.DuplicateMac.Exclude_Switches=A,B Duplicate MAC addresses will not be allowed for endhosts connected only to Switches A and B. Duplicate addresses will be allowed for all other end hosts, even for those connected to switches not specified in the Include list. Thus when an Exclude list is set, the Include list is ignored.
The above examples hold good for the Include/Exclude lists of Switchports, Subnets and VLANs.
The order of priority for the property list is as follows:

a. SwitchPorts b. Switches c. VLANs d. Subnets
7-13
The SwitchPorts list has the highest priority, followed by Switches, VLANs and Subnets list. For example, if you set UT.DuplicateMac.Include_SwitchPorts=10.77.211.33:3/2 UT.DuplicateMac.Exclude_Switches=10.77.211.33 Although the switch 10.77.211.33 is in the Exclude list, a switchport belonging to that switch is also present in the Include list. So Duplicate MAC addresses will be allowed for that port on the switch. Thus the SwitchPorts list has higher priority over the Switches list.
Configuring User Tracking Properties from the Backend
This section explains the new user configurable properties that have been added to UT. You can configure properties that control DNS name resolution and history reports, by editing them in the file ut.properties, stored in NMSROOT/campus/etc/cwsi/ where NMSROOT is the root directory where you installed Cisco Prime.
7-14
OL-20721-01
Chapter 7
Table 7-5 lists the new properties added to UT:

Table 7-5 Configuring User Tracking Properties
Property HistoryHostPurgeTime
Default Value 10 days
Description Purges history entries that are older than the specified time. The value should be provided in minutes. For example, If you want to purge entries older than 10 days, set HistoryHostPurgeTime=14400
UT.nameResolution
both
Name resolution for end hosts using Java APIs JNDI and InetAddres.This property can have the following values:

wins (Use only InetAddress) dns (Use only JNDI) wins,dns (First InetAddress then JNDI) both (JNDI first and InetAddress next)
UT.nameResolution.dnsTimeout
2000
Time duration for which UT waits for response from the DNS server, for name resolution. The value should be entered in milliseconds. Time duration for which UT waits for response from the DNS server, for name resolution.The value should be entered in milliseconds. This property must be enabled only for windows server. Uses cache memory for name resolution in subsequent User Tracking discoveries. User Tracking performs DNS Lookup for a host only if the IP address of the host is being resolved for the first time.It does not perform DNS Lookup for every Major Acquisition. This helps the application to reduce the number of queries during User Tracking Acquisition. This in turn reduces the time taken for Acquisition process.
UT.nameResolution.winsTimeout
2000
UTMajorUseDNSCache
false
UT.RunLookupAnalyzer
OFF
To analyze the performance of DNS servers and provide the following information in the NMSROOT\log\ut.log file:

DNS Server Efficiency for each DNS Server Overall Summary of DNS Servers Namelookup related settings in ut.properties file Issues found and recommendations to overcome them
Set the value to ON to turn on the feature. You need not enable debugging for UT to get the LookupAnalyzer data in the ut.log file. For details on running Lookup Analyzer utility from the command prompt and example output of the utility, see Using Lookup Analyzer Utility
7-15
Configuring Rogue MAC List

MAC Addresses that are not authorized to exist in your network are termed as Rogue MAC addresses. When you enable the Rogue MAC notification feature, you need to define the list of MAC addresses that are to be classified as unauthorized addresses in the network. You can also import MAC addresses to Acceptable OUI either from a file or directly from UT. If you import the MAC Addresses from a file or directly from UT, the MAC addresses in the file are converted to OUIs before you add them to the Acceptable OUI list. To do so:
Step 1
Select Admin > Collection Settings > User Tracking > Acquisition Settings. The User Tracking Acquisition settings window appears. Click Define Rogue MACs. The Rogue MAC Configuration window appears. The lists displayed in the window are:
Rogue MAC/OUI List Acceptable MAC/OUI List
Step 2
Step 3
Click Add MAC/OUI to add new entries to the list. The Add MAC/OUI window appears. The Organizationally Unique Identifier (OUI) is a 24-bit number. It is used as an identifier to uniquely identify the vendor, manufacturer, or a worldwide organization. An OUI reserves a block of each type of derivative identifier, such as MAC addresses, group addresses, and Subnetwork Access Protocol identifiers. It is used to identify a network interface controller (NIC), network protocol, or MAC addresses for Ethernet. In case of MAC addresses, OUI is combined with a 24-bit number to form the address. The first three octets of the address are the OUI.
7-16
OL-20721-01
Chapter 7
The Add MAC/OUI page is as explained in Table 7-6:

Table 7-6 Populating the MAC/OUI list
Property Select Mode
Description Provides the following options to add MAC addresses to MAC/OUI List:
Manual Enables you to add MAC/OUI to either the Acceptable MAC/OUI List or to the Rogue MAC/OUI list. The Manual Add option is selected by default. Import from file Enables you to import MAC Addresses from a file to the Acceptable MAC/OUI List Import from UT Enables you to import MAC Addresses directly from UT to Acceptable MAC/OUI List
Add MAC/OUI
Enter the MAC Address or OUI in the text box provided. The values should be separated by spaces, tabs, or commas. You can also enter values on separate lines. The address can have only hexa decimal numbers separated by hyphen. Example: 00-c0-1d-99-06-b6
OUI List
Displays predefined values in LMS. You can select values from the list, to add to the Rogue OUI or Acceptable OUI list. To add more values to the list, add them to the Property file: NMSROOT/campus/etc/cwsi/OUI.properties where NMSROOT is the directory where you installed Cisco Prime. To get the latest OUIs listed by IEEE, see http://standards.ieee.org/regauth/oui/index.shtml
7-17
Step 4
Select any of the following:

a. b.
Manual Add Select the required OUIs from the list displayed in OUI List. Click either the Add to Rogue MAC List or the Add to Acceptable MAC List, based on your requirement. The MAC or OUIs that you enter in the ADD MAC or in the OUI textbox will be added to the list that you selected.
a. b.
Import From File Click Browse and browse to the folder location and choose the file to be imported Click the Import to Acceptable OUI list. The MACs are converted to OUIs before you add them to the Acceptable MAC/OUI list. Import From UT Click the Import to Acceptable OUI list. The MACs are converted to OUIs prior to adding them to the Acceptable MAC/OUI List. It is mandatory that the file that is imported to Acceptable MAC/OUI list must include the header MAC Address followed by MAC Address entries. For example: In the example, the file to be imported includes a MAC Address column with MAC Address entries. MAC Address MAC 1 MAC 2 MAC 3
The newly added values are reflected in the Rogue MAC Configuration screen.
Step 5
Check Consider unqualified MAC as Rogue When you check this, LMS treats any new MAC address coming into the network as Rogue MAC. This is if it is not defined in the Acceptable MAC list.
Step 6
Click any of the following:
Save Saves the settings to the server. They come into effect in the next UT Major Acquisition cycle.
If Dynamic User Tracking is running, notification for new or Rogue MACs detected in the
network, are sent immediately.

If WLSE is integrated with LMS, notification for wireless MACs detected in the network is sent.
Delete Deletes entries.
Cancel Cancels changes and closes the window.
7-18
OL-20721-01
Chapter 7
Modifying UT Acquisition Schedule

You can modify UT acquisition schedule. To modify acquisition schedule:
Step 1
Select Admin > Collection Settings > User Tracking > Acquisition Schedule. The Acquisition Schedule dialog box appears. Start the user tracking major acquisition for all or failed devices as specified below:

Step 2
Select either All devices or Failed devices . Click Start to start the user tracking major acquisition immediately for the selected devices. The UT Acquisition Confirmation pop up appears. Click OK to start user tracking acquisition. A success message appears. Click OK. To cancel the user tracking acquisition process, click Cancel.
Step 3 Table 7-7
Modify the acquisition schedule as specified in Table 7-7.
Acquisition Schedule Field Description
Field Minor Acquisition Major Acquisition
Description Specify, in minutes, the periodicity at which a minor acquisition should take place.
Usage Notes None.
Specify the time at which a major acquisition is to None. take place. Specify the days of the week on which a major acquisition is to be scheduled.
Days, Hour, Min Recurrence Pattern
Days on which and the time at which a major acquisition is to be carried out. Select the days of the week on which a major acquisition is to be scheduled. Select the schedule and do any of the following:

You can add new schedules and edit or delete existing schedules. This field is available only when you are adding or editing a schedule.
Step 4
Click Edit to edit the schedule. Click Delete to delete the schedule. Click Add to add a new schedule.
Step 5 Step 6
Click OK to save the changes or Cancel to cancel the changes. Click Apply after adding or editing a schedule.
7-19
Modifying Ping Sweep Options

A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine the range of IP addresses that map to live end hosts (computers). You can use a single ping to find out whether a specific end host exists on the network. A Ping Sweep consists of ICMP (Internet Control Message Protocol) ECHO requests sent to multiple hosts. If a given address is live, it will return an ICMP ECHO reply. Ping sweeps are among the older and slower methods used to scan a network. When Ping Sweep is enabled in LMS, the UTPing program in NMSROOT/campus/bin will be invoked during acquisition to send out a sweep of pings for each subnet. Before collecting information from a device, the subnets connected to the device are pinged. This serves as a connectivity check, as well as loads the ARP table of the layer 3 device with the latest information. After pinging, acquisition process starts collecting end host information from the device. To modify Ping Sweep options:
Step 1
Select Admin > Collection Settings > User Tracking > Ping Sweep. The Ping Sweep dialog box appears. Choose any of the following:

Step 2
Disable Ping Sweep Perform Ping Sweep on all subnets Exclude subnets from Ping Sweep When you choose Exclude subnets from Ping Sweep, select the subnets that you want to exclude from Ping Sweep. You can select subnets from the list of available subnets and add to the list of subnets to be excluded.
Step 3
Specify the Wait Interval, if Ping Sweep is enabled. Wait Interval is the time duration between pinging subnets. The interval ensures that the network is not flooded with ping packets. For example, assume that you have included 4 subnets for pinging, and set the wait interval to 10 seconds. If Subnets 1 and 2 are connected to Device 1, and Subnets 3 and 4 are connected to Device 2, then 10 seconds lapse between pinging Subnets 1 and 2. After pinging both the subnets, acquisition starts on Device 1. Same happens with Device 2.
Step 4
Click Apply. User Tracking does not perform Ping Sweep on large subnets. For more details, see Notes on Ping Sweep Option.
7-20
OL-20721-01
Chapter 7
Notes on Ping Sweep Option

User Tracking does not perform Ping Sweep on large subnets, for example, subnets containing Class A and B addresses. Hence, ARP cache might not have some IP addresses and User Tracking may not display the IP addresses. Ping Sweep will not refresh the ARP cache, if firewall or Access Control List is enabled to block the ICMP packets to the network devices. Hence, User Tracking will not display the IP addresses of the associated hosts. In larger subnets, the Ping process leads to numerous ping responses that might increase the traffic on your network and result in extensive use of network resources. You can increase the value of the wait interval. Wait interval helps the ping response traffic to settle, which may appear as Denial Of Service (DOS) or may affect the functioning of router by high CPU usage. To perform Ping Sweep on larger subnets, you can:

Configure a higher value for the ARP cache time-out on the routers. To configure the value, you must use the arp time-out interface configuration command on devices running Cisco IOS. Use any external software, that will enable you to ping the host IP addresses. This will ensure that when you run User Tracking Acquisition the ARP cache of the router contains the IP addresses.
Configuring UT Subnet Acquisition

You can configure LMS to perform User Tracking Acquisition on selected subnets. These configurations are used for User Tracking Major Acquisition and Configured Subnets based acquisition. You can choose to include or exclude specified subnets to perform User Tracking major acquisition. To configure Subnet acquisition:
Step 1
Select Admin > Collection Settings > User Tracking > Subnet Acquisition Configuration. The Configure Subnet Acquisition dialog box appears. Select either of the following options:
Step 2
Perform acquisition on all subnets All the subnets are included for User Tracking Major Acquisition. If you select this option do not perform steps 4 and 5.
Or
Perform Subnet-based acquisition The action depends on the Filter value.
Step 3
Select either of the following Filter values:
Perform major acquisition on selected subnets All subnets added to the Selected Subnets list are included for User Tracking acquisition.
Or
Do not perform major acquisition on selected subnets All subnets added to the Selected Subnets list are excluded for User Tracking acquisition.
7-21
Step 4
Select subnets from the list of Available Subnets and add them to the list of Selected Subnets. In the User Tracking Acquisition Action page (Admin > Collection Settings > User Tracking > Acquisition Action), the Acquire Only VLAN Specific to Subnet check box is available.

If you select this check box, only the work stations associated to the VLANs that are mapped to the selected subnets will be acquired. If you do not select this check box, work stations associated to all the available VLANs in the selected subnets will be acquired.
For more information, see Configuring User Tracking Acquisition Actions.

Step 5
Click Apply.
Deleting User Tracking Purge Policy Details

Using this option, you can modify the time interval and delete entries from the End Host Table, IP Phone Table, or the History Table from the database. To delete user tracking purge policy details:
Step 1
Select Admin > Network > Purge Settings > User Tracking Purge Policy. The Delete Interval dialog box appears. Specify delete intervals for end host, IP phone and history tables. Either:
Step 2 Step 3
Click Delete now to delete the entries immediately. If you select this step do not perform Step 4.
Or
Select Delete After Every Major Acquisition. If you select this option, LMS will delete records older than the specified interval, after every UT Major Acquisition.
Step 4
Click Apply.
7-22
OL-20721-01
Chapter 7
Configuring UT Acquisition in Trunk for End Host Discovery

Normally UT Acquisition discovers end hosts connected only to access ports. If you enable this feature UT Acquisition discovers end hosts connected to non-link trunk ports also. LMS classifies trunk ports as follows:

Link ports Trunk ports connected to Cisco devices (Switch or Router). Non-link ports Trunk ports connected to end hosts or IP phones.
Scenarios where a Trunk port is connected to an end host:
In a switched network, many clients from different VLANs might access an enterprise resource, such as a database server. If the server has only a standard EthernetNIC, it can belong to only one VLAN. Clients that belong to a different VLAN would have to send their traffic to a router. The router forwards the frames to the database server. The problem with this approach is the latency introduced by the router. To overcome this, a trunk-capable NIC card can be placed in the server that understands multiple VLAN information. With this arrangement, an end station need not send its frame to the router. Instead it can directly access the file server. This makes the access much faster. To configure trunk ports:
Step 1
Select Admin > Collection Settings > User Tracking > Acquisition Configuration in Trunk. The Configure Trunk for End Hosts Discovery page appears. You can:
Select Enable End Host Discovery on all Trunks to include all non-link trunk ports in UT
Step 2
Major Acquisition. After choosing this option, go to Step 8.

Select Enable End Host Discovery on selected Trunks to include only the required set of
non-link trunk ports in UT Major Acquisition. After choosing this option, go to Step 3.
Select Disable End Host Discovery on Trunks to disable this feature. For this option, only the
end hosts connected to access ports will be discovered by UT Major Acquisition. After choosing this option, go to Step 8.
Step 3 Step 4
Select the list of switches where end hosts are connected to trunk ports, from the device selector. Click Show Trunks. This displays the list of non-link trunk ports from the selected switches. Non-link trunk ports in down state are also listed here. If you have selected devices that do not have non-link trunk ports, a message is displayed indicating the same. Change your selection to devices that have non-link trunk ports and click Show Trunks, to display the ports. Link ports are not listed here.
Step 5 Step 6
Select the list of trunk ports where end hosts are connected from the Available Trunks list. Click Add. The selected ports are displayed under the Selected Trunks list.
7-23
Chapter 7 Understanding Dynamic Updates
Step 7
Select either
Discover End Hosts on Trunks to include the selected ports in UT Major Acquisition.
Or
Step 8
Do not Discover End Hosts on Trunks to exclude the selected ports from UT Major Acquisition.
Click Apply. This saves the configuration on the server. After saving the configuration, run Data Collection. End hosts connected to trunk ports will be discovered in successive UT Major Acquisitions. For Dynamic User Tracking to track end hosts connected to trunk ports, enable SNMP traps in these ports. For details on Enabling SNMP traps, see Enabling SNMP Traps on Switch Ports.
Importing Information on End Host Users

You can import from a file, user names and notes for end hosts already discovered. To import information in end host users:
Step 1
Select Admin > Collection Settings > User Tracking > Table Import. The End Host Table Import dialog box appears. Specify the name of the file from which you are importing the end host table data. Click Apply.
Step 2 Step 3
Note
We recommend that you import a .CSV or .txt file. The imported file must have the following mandatory headers: MAC Address, User Name and Notes. For example: MAC1 Peter Finance department
Understanding Dynamic Updates

User Tracking generates reports on various functions and attributes of the end hosts and devices connected to your network that are managed by LMS. These reports are generated by polling the network at intervals set by the network administrator. In addition to polling the network at regular intervals, LMS tracks changes in the end hosts and users on the network to provide real-time updates. Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps. When an endhost is connected to a switch managed by LMS, an SNMP MAC notification trap is sent immediately from the switch to the LMS Server, indicating an ADD event. This trap contains the MAC address of the end host connected to the switch.
7-24
OL-20721-01
Chapter 7
User Tracking and Dynamic Updates Understanding Dynamic Updates
Similarly if an end host is disconnected from a switchport, an SNMP MAC notification trap is sent from the switch to the LMS indicating a DELETE event. Thus LMS provides real time data about end hosts coming into and moving out of the network. Traps from suspended devices are not processed by LMS. The difference between a UTMajor Acquisition and a Dynamic UT process is: LMS collects data from the network at regular intervals for UTMajor Acquisition. In Dynamic UT, the devices send traps to LMS as and when changes happen in the network. This implies that you need not wait till next UTMajor Acquisition cycle to see the changes that have happened in your network. This is an improvement over the earlier versions, where updates on endhost information happened based on the polling cycle. As a result of Dynamic updates, the following reports contain up-to-date information:
End-Host Report Contains information from UT Major Acquisition and the recently added end-hosts. History Report Contains information from UT Major Acquisition and the recently disconnected end-hosts or end-hosts that have moved between ports or VLANs.
Switch Port reports Contains information about the utilization of switch ports.
SNMP Traps are generated when a host is connected to the network, disconnected from the network or when it moves between VLANs or ports in the network. To enable the Dynamic Updates feature:

Switches must be managed by LMS. Configure LMS as a primary or secondary receiver of the MAC notifications. For details, see SNMP MAC Notification Listener. Configure all devices to send traps to the Trap Listener port of the LMS server (This is the port number that you would have configured on LMS Administration screen). For more details, see Enabling SNMP Traps on Switch Ports. Configure DHCP snooping on the switches Dynamic Host Configuration Protocol (DHCP) snooping is a security feature that filters untrusted DHCP message received from outside the network or Firewall, and builds and maintains a DHCP snooping binding table. LMS queries the CISCO-DHCP-SNOOPING-MIB to get the IP address of the end-host connected. For details on configuring DHCP, see
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configurati on/guide/scg.html
User Tracking collects username and IP address through UTLite for Windows environment. For more details, see Understanding UTLite.
In a Windows environment you can either install UTLite or configure DHCP snooping to get IP address of the end host. They can also co-exist.
7-25
If you have neither installed UTLite nor enabled DHCP snooping, the IP address of the end-host connected will be updated only in the next UT Major Acquisition cycle. The ARP cache of the device should be populated with the IP address, for UT Major Acquisition to discover it. The User Tracking Dynamic Updates process includes:

MAC User-Host Information Collector (MACUHIC) Process User Tracking Manager (UTManager) Process UTLite
MAC User-Host Information Collector (MACUHIC) Process

MAC User-Host Information Collector tracks wired end users dynamically. It receives MAC notifications from the switches either directly or through LMS or HPOV. After receiving the MAC notifications, MACUHIC validates the traps as follows:

Checks whether the traps are generated from a switch managed by LMS. Checks whether the source is an access port. Updates LMS database. Informs UTManager if the trap is received for an ADD event.
If the traps are from valid sources:

User Tracking Manager (UTManager) Process

UTManager receives the information from MACUHIC about the ADD MAC notification trap that is received. This information is not complete and can be completed using updates from DHCP or UTLite or from both. In the UTLite process, UTLite receives details of changes in username, and the time at which the host has logged in or logged out of the network.
UTLite
UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active Directory, and Novell servers. To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell servers. You can also install UTLite in an Active Directory server. For complete information, see Understanding UTLite. When an end-host is connected to your network, the following happens in the background.
1. 2. 3.
The switch to which it is connected sends a MAC notification. The MACUHIC process in LMS receives the MAC notification either directly from the switch or through other applications like LMS Monitor and Troubleshoot module or HPOV. After processing this MAC notification, MACUHIC informs the UTManager.
7-26
OL-20721-01
Chapter 7
4. 5.
LMS updates the database with the username and IP Address received from the UTLite. Database does not contain the complete information about the end host. UTManager finds the following details:
Subnet, VTP domain, VLAN, Port duplex, and port speed from XML files generated after Data
Collection.
Hostname from DNS Server
LMS updates the database with the complete User Tracking information for the host. The User Tracking end host history reports, end host reports, reports on switch ports, wireless clients, duplicate MAC addresses, and duplicate IP addresses, use this updated information while generating reports.
Viewing Dynamic Updates Process Status

You can check whether the Dynamic Updates processes are running or not. To check the status:
Step 1
Select Admin > Collection Settings > User Tracking > Dynamic Update Process Status. The Dynamic Updates Process Status window appears. If you have started the process already, the status window shows Dynamic Updates Processes are RUNNING.
Step 2
Click Stop to stop the Dynamic Updates processes.

STOPPED.
The Stop button then toggles to Start, and the status window shows Dynamic Updates Processes are When you stop these processes, LMS stops processing traps sent by devices. Click Start to restart the Dynamic Updates processes. The Start button again toggles to Stop.
Step 3
Enabling SNMP Traps on Switch Ports

You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a host is connected to or disconnected from that port. Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps. You can configure the ports CLI (see the Appendix Commands to Enable MAC Notification Traps on Devices ) or Through LMS Interface. Ensure that you have configured System Identity User under Admin > Trust Management > Multi Server > System Identity Setup, and the same username and password is configured under Admin > System > User Management > Local User Setup.
7-27
If you do not have Configuration Management functionality enabled on your LMS Server, you have to manually configure the switches, for the switches to send MAC Notifications to the LMS server.
Note
LMS supports only those switches that contain the Management Information Base (MIB) named MAC Notification, for enabling the SNMP traps.
Through LMS Interface
Prerequisites to enable MAC Notification on switches through LMS UI:
The switches must be managed by LMS. If the devices are managed in SNMP version 2 (SNMPv2), you need to configure the Read as well as the Write community strings to enable MAC Notification in the switches.
Configure the LMS server secondary credentials in LMS, you can set it up at Admin > Collection Settings > Config > Secondary Credential Settings. For more details, see Secondary Credentials.
Note
LMS configures SNMP MAC Notification version 1 as the default version on switches for Dynamic Updates. To enable MAC notification in switches:
Step 1
Select Admin > Collection Settings > User Tracking > Device Trap Configuration. The Configure Trap on Devices dialog box appears. Select the switches for which you want to enable the traps, from the Device Selector. Click Configure to see the devices that you have selected. Click Configure to configure MAC notification on the ports in the devices. The Configure MAC-Notification Trap on Ports dialog box appears. Table 7-8 describes the entries in the Configure MAC-Notification Trap on Ports dialog box.
Table 7-8 Configure MAC-Notification Trap on Ports Field Description
Field Add LMS Server as Trap Receiver Trap Community
Description Check the check box to configure devices, to send SNMP traps to LMS. To configure LMS to listen to traps sent from devices, see Configuring SNMP Trap Listener. Set a community string for the SNMP traps sent by devices. This property is enabled only when LMS is the Primary receiver for SNMP traps. This string is added to the list of valid strings in the Dynamic User Tracking Configuration screen. Check the check box to make this community string as the default for future configurations, if LMS is the Primary Trap receiver. Allows you to filter the ports listed, based on port name, device name and the device address (IP address of the device). Port number that you entered for receiving traps. The default trap receiver port number of the LMS server is 1431.
Set as Dynamic User Tracking Default Filter Trap Receiver Port
7-28
OL-20721-01
Chapter 7
Table 7-8
Configure MAC-Notification Trap on Ports Field Description (continued)
Field Port Device Name Device Address Rows per page

Step 5 Step 6
Description Name of the port. Access ports as well as Non-link Trunk ports are listed. Name corresponding to IP address of the switch. IP address of the switch. Select to view 10 to 50 rows on a page.
Check the check boxes to select the ports that you want to enable SNMP traps. Click Configure to enable the SNMP traps. An Information window appears. Click OK.
Step 7
SNMP MAC Notification Listener

You must enable the switches to send SNMP MAC notifications to the listener, to avail the Dynamic Updates feature. After you enable the switches, you can choose either LMS Monitor and Troubleshoot module, or HP OpenView (HPOV) as the primary listener for MAC notifications.

If you select LMS as the Primary listener, the MAC notifications reach the application directly from the switches. If you select LMS as the Secondary listener, (with HPOV or LMS Monitor and Troubleshoot module as the primary listener), MAC notifications reach LMS through HPOV or LMS Monitor and Troubleshoot module.
Note
Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps. To select the MAC notification listener, see the following sections:

Configuring SNMP Trap Listener HPOV as Primary Listener LMS Fault Monitor Module as Primary Listener
7-29
Configuring SNMP Trap Listener

LMS receives SNMP traps directly from the switches, unless you configure the port to direct the traps through HP Open View (HPOV) or CiscoWorks Monitoring Services. To configure the trap listener:
Step 1
Select Admin > Collection Settings > User Tracking > Trap Listener Configuration. The Trap Listener Configuration dialog box appears. Check Listen traps from Device to configure the trap reception directly from the devices This makes LMS as the primary listener for receiving SNMP traps from devices. OR Check Listen traps from Fault Monitor/HPOV to receive the traps through these applications. In this case, LMS Fault Monitor or HPOV act as the primary listener for SNMP traps from devices. They forward it to LMS which acts as the secondary listener for traps. If both options are enabled, LMS can receive traps directly from devices, from HPOV and from LMS Fault Monitor module.
Step 2
Step 3
Enter the port number of the port through which you want to receive the traps, in the Trap Listener Port field. The default trap listener port number of the LMS server is 1431. Click Apply to save the details.
Step 4
HPOV as Primary Listener

If you select HPOV as the primary listener, you must perform the following to receive the Dynamic Updates through LMS:

Install Cisco Prime Integration Utility Install Trap Adapter for HPOV
The supported versions of HPOV are HPOV 7.50, HPOV 7.51 and HPOV 7.53.
Install Cisco Prime Integration Utility
You must have CiscoWorks Integration Utility (Integration Utility) installed on your system. Integration Utility is a utility that integrates Cisco Prime applications with third-party Network Management Systems (NMS). This utility is available as part of the DVD in the LMS 4.1. This integration utility adds Cisco device icons to topology maps, allows Cisco MIB browsing from NMS, and sets up menu items on the NMS to launch remotely installed Cisco Prime applications. See User Guide for CiscoWorks Integration Utility 1.7, for more details on the integration utility.
Note
You must install the Integration Utility on the same machine on which you have installed HPOV.
7-30
OL-20721-01
Chapter 7
Install Trap Adapter for HPOV
LMS supports Trap Adapter for OpenView on Windows and Solaris operating systems. To install the adapter on Windows:
Locate the TrapListener.conf file in the NMSROOT/campus/hpovadapter/WIN/ directory. Modify the Trap Receiver address and the port number to the LMS values, in the file. Set the LIB environment variable to HP OpenView lib directory. Run the fwdTrap.exe program located in the same directory. The Trap Adapter gets attached to OpenView process and starts sending traps to the LMS server.
To install the adapter on Solaris/Soft Appliance:

Locate the TrapListener.conf file in the /opt/CSCOpx/campus/hpovadapter/SOL directory. Modify the Trap Receiver address and the port number to the LMS values, in the file. Set the LD_LIBRARY_PATH environment variable to HP OpenView lib directory. Run the fwdTrap program located in the same directory. The Trap Adapter gets attached to OpenView process and starts sending traps to the LMS server.
7-31
Supported Platforms (Operating Systems)
The supported platforms for the HP NNM and HPOV adapters are: Network Management System HP OpenView 9.1 HP OpenView 9.01 HP OpenView 9.0 Supported Platforms

Solaris 10 Windows 2008 R2 Standard x 64 Edition Solaris 10 Windows 2008 R2 Standard x 64 Edition Solaris 10 Windows Server 2008 x64 with Service Pack 2 Windows Server 2008 x64 R2 with Service Pack 2
LMS Fault Monitor Module as Primary Listener

If you select Fault Monitor Module as the primary listener, you must perform the following to receive MAC Notifications. The default port number of the Fault Monitor Module for receiving Traps from the switches is 9000. You must configure or verify this port number on the device, for the device to forward the Traps to the Fault Monitor Module. The trapd.conf file has the details of the port number that receives the Traps from the Fault Monitor server. To enable Fault Monitor Module to forward the MAC Notifications, you must modify the trapd.conf file in the Fault Monitor Module server, at NMSROOT/object/smarts/conf/trapd directory. You can modify the file through the command line interface or through the application interface. You can configure the application to forward the MAC Notifications to LMS Server in two ways:

From LMS From the LMS Fault Monitor Server
7-32
OL-20721-01
Chapter 7
From LMS
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding. The Notification Services page appears. Enter the Hostname and the port number of the LMS server to which you want to forward the MAC Notifications. Click Apply to configure. The trapd.conf file is modified and the DFMServer process is restarted.
Step 2 Step 3
Note
If you configure through CiscoWorks, LMS server receives all Traps including MAC Notification. From the LMS Fault Monitor Server
Access the LMS Fault Monitor server using Telnet. Enter pdterm DfmServer at the command line to stop the LMS Fault Monitor server. Navigate to NMSROOT/object/smarts/conf/trapd directory. Edit the trapd.conf file in the directory to reflect the following changes. Enter:
FORWARD:
address OID generic type specific type \ host [:port] | [:port:community] [host [:port] | [:port:community] ...], where the explanation for each variable is provided in the trapd.conf file.
Step 5
Enter pdexec DfmServer at the command line to restart the LMS Fault Monitor server.
Configuring Dynamic User Tracking

You can configure certain properties in Dynamic User Tracking to enhance the security of the system. These properties make the server receive traps only from specified devices and with specified community strings. To configure properties for filtering SNMP Traps:
Step 1
Select Admin > Collection Settings > User Tracking > Dynamic User Tracking Configuration. The Dynamic User Tracking Configuration page appears. Select the Validate SNMP Community check box. LMS validates the community string in SNMP traps, with the values you have set. You can add community strings only after checking this check box.

Step 2
If you configure a device with SNMP v2 or v1 settings in DCR, then the device is initially queried with SNMP v2 by LMS. If the query fails, LMS will query the device with SNMP v1. If you configure a device with SNMPv3 settings in DCR, then the device is queried with SNMP v3. However, if the query fails, the same device will not be queried with SNMP v2 or v1.
7-33
Step 3
Enter the community string in the Valid Community List text box and click Add. You can add the community strings one at a time. You can use the Delete button to remove the extra or erroneous strings. The default Trap community string that you might have added in the Device Trap configuration screen is also listed here.
Step 4
Select the Validate Trap Source check box. LMS validates the source IP Address of the trap. You can add the list of IP Addresses only after checking this check box.
Step 5
Enter the IP Address in the text box provided and click Add. You can use the Delete button to delete extra or erroneous entries. Click Apply to save changes to the server. To revert to the default values, click Reset.
Step 6
You can use any one of the options to filter SNMP traps. For example: To process traps from all sources, and that have private or test as the community string, set
Validate SNMP Community = true (by checking the check-box) Community String = private, test Validate Trap Source =false
then traps from all sources with community string private or test will be processed by LMS. To process traps from the listed IP addresses, with the community string private or test set:
Validate SNMP Community =true Community String = private, test Validate Trap Source =true Valid IP Addresses = 10.77.210.211, 10.77.210.212
then traps from the listed IP addresses, with the community string private or test will be processed by LMS. In this case, LMS first validates the community string, and if it matches, validates the source address.
7-34
OL-20721-01
Chapter 7
User Tracking and Dynamic Updates Using User Tracking Utility
Using User Tracking Utility

CiscoWorks User Tracking Utility (UTU) is a Windows desktop utility that provides quick access to useful information about users, hosts, or IP Phones discovered by LMS User Tracking application. This section contains the following:

Understanding UTU Hardware and Software Requirements for UTU Downloading UTU Installing UTU Accessing UTU Configuring UTU Searching for Users, Hosts or IP Phones Using UTU Uninstalling UTU Upgrading to UTU 2.0 Re-installing UTU 2.0
Understanding UTU
User Tracking Utility (UTU) allows users with Help Desk access to search for users, hosts, or IP Phones discovered by LMS User Tracking application. UTU comprises a server-side component and a client utility. UTU is supported on LMS 3.0 (Campus Manager 5.0.6), LMS 3.1 (Campus Manager 5.1.4), and LMS 3.2 (Campus Manager 5.2.1). To use UTU in LMS 4.1, Network Topology, Layer 2 Services and User Tracking must be enabled and accessible through the network. UTU 2.0 supports silent installation mode for easy deployment. It supports communication with LMS server in Secure Sockets Layer (SSL) mode. The following are the list of features supported in the Cisco Prime User Tracking Utility 2.0 release:
Windows Vista Support
Earlier, User Tracking Utility did not work on Windows Vista client systems because of library conflicts. UTU 2.0 is built on Microsoft .Net Framework and Windows Presentation Foundation (WPF). With this, UTU 2.0 now works on Windows Vista client systems
Support for Phone Number Search
In this release, UTU supports searching phone numbers in addition to existing search criteria.
7-35
Chapter 7 Using User Tracking Utility
Hardware and Software Requirements for UTU

Table 7-9 lists the minimum system requirements for UTU.
Table 7-9 System Requirements for UTU
Requirement Type Minimum Requirements System hardware System software IBM PC-compatible computer with Intel Pentium processor.

Windows 2008 Windows XP with SP2 or SP3 Windows Vista LMS 3.0 (Campus Manager 5.0.6), or LMS 3.1 (Campus Manager 5.1.4), or LMS 3.2 (Campus Manager 5.2.1), or LMS 4.1 (Network Topology, Layer 2 Services and User Tracking) Microsoft .Net Runtime 3.5 Service Pack 1 You can download Microsoft .Net Runtime 3.5 Service Pack 1 from http://www.microsoft.com
Memory (RAM) Additional required software
512 MB
Network Connectivity
LMS 3.0 (Campus Manager 5.0.6) or LMS 3.1 (Campus Manager 5.1.4) or LMS 3.2 (Campus Manager 5.2.1) or LMS 4.1 (Network Topology, Layer 2 Services and User Tracking) must be running, and accessible through the network
Downloading UTU
UTU requires CiscoWorksUserTrackingUtility2.0.exe file to be downloaded and installed. To download UTU 2.0:
Step 1
Click http://www.cisco.com/public/sw-center/index.shtml. You must be a registered Cisco.com user to access this Software Download site. The site prompts you to enter your Cisco.com username and password in the login screen, if you have not logged in already.
Step 2 Step 3
Select the Software Product Category as Network Management and Automation. Select Routing and Switching Management > Network Management Solutions > CiscoWorks LAN Management Solution Products > CiscoWorks LAN Management Solution 4.0 and later from the product tree. Select LMS 4.1. Select the appropriate product software type. Select a product release version from the Latest Releases folder and locate the software update to download. Locate the file CiscoWorksUserTrackingUtility2.0.zip This zip file contains CiscoWorksUserTrackingUtility2.0.exe and setup.iss file (required for silent installation).
7-36
OL-20721-01
Chapter 7
Step 8 Step 9
Click the Download Now button to download and save the device package file to any local directory on LMS Server. Extract the file using any file extractor such as WinZip.
Installing UTU
You can install UTU 2.0 either in normal installation mode or silent installation mode. Before you install UTU 2.0, check whether you system meets the requirements mentioned in Hardware and Software Requirements for UTU. This section explains:

Installing UTU in Silent Mode Installing UTU in Normal Mode
Installing UTU in Silent Mode

To install UTU in silent mode, run the following command at the command prompt: exe-location\CiscoWorksUserTrackingUtility2.0.exe a s f1file-location\setup.iss where
exe-location is the directory where you have extracted the
CiscoWorksUserTrackingUtility2.0.exe file
file-location is the directory where you have the setup.iss file.
Do not use space after the -f1 option. Use the complete path for file-location. For example, if the install directory for UTU is c:\utu, enter the following at the command prompt:
c:\utu\CiscoWorksUserTrackingUtility2.0.exe -a -s -f1c:\utu\setup.iss
Editing Setup.iss File
UTU is installed in the C:\Program Files\CSCOutu2.0 directory, by default. If you want to install UTU in some other directory, you must edit the content of the setup.iss file. Change the value of the szDir attribute in the setup.iss file. For example, if you want to set the installation directory as D:\utu20, change szDir=C:\Program Files\CSCOutu2.0 to szDir=D:\utu20 in the setup.iss file.
Setup.log File
The setup.log file is created during the installation in the same directory where you have extracted the setup.iss file. You should see the setup.log file to check the installation completion status. The value of the ResultCode attribute in the setup.log informs you whether the installation has completed successfully. The value 0 denotes that the UTU installation in silent mode is successful. When the value of the ResultCode attribute is other than 0, you must install UTU again.
7-37
Installing UTU in Normal Mode

To install UTU in normal installation mode:
Log into the system with local system administrator privileges. Navigate to the directory that contains CiscoWorksUserTrackingUtility2.0.exe. Double-click CiscoWorksUserTrackingUtility2.0.exe to begin installation. The User Tracking Utility Welcome screen appears. Click Next. A warning message appears if you have not installed .Net Framework 3.5 SP1. You can install .Net Framework 3.5 SP1 after terminating the current UTU installation or before completing the current UTU installation.
Step 4
Step 5
Click Next. A confirmation message appears. Click Yes. The Choose Destination Location dialog box appears. By default, UTU is installed in the directory C:\Program Files\CSCOutu2.0.
Step 6
Note
If you have installed .Net Framework 3.5 SP1 already on the system, the installer directs you to the Choose Destination dialog box, when you click Next in the User Tracking Utility Welcome screen.
If you click No in the confirmation message, the warning message appears again stating that you have not installed .Net Framework 3.5 SP1. You can download and install .Net Framework 3.5 SP1. and then continue with the UTU installation.
Step 7
Click Next to install UTU in the default directory. or

a. b.
Click Browse to choose a different directory and click OK. Click Next to continue with the installation.
The installation continues.

Step 8
Click Finish to complete the installation. User Tracking Utility is installed at the destination location you specified in Step 7 above and a shortcut to UTU is created on the desktop. To access the utility, see Accessing UTU.
7-38
OL-20721-01
Chapter 7
Accessing UTU
To access UTU, click either:
Start > Programs > Cisco Prime UTU 2.0 > Cisco Prime User Tracking Utility 2.0
Or
UTU 2.0 shortcut available on the desktop
The UTU band appears. See Figure 7-1 for UTU 2.0 band. You can also find an icon in the task bar. You can use this icon to restore the UTU band when minimized.
Figure 7-1 User Tracking Utility - Search Band
1 - Settings Icon 3 - Close icon
2 - Minimize icon 4 - UTU task bar icon
After a system restart and during the startup, the system launches the UTU automatically.
7-39
Configuring UTU
You must configure UTU to set the Campus Manager (for releases earlier than LMS 4.0), or LMS 4.1 server configurations. To configure UTU:
Step 1
Click the Settings icon. Or

a.
Right-click the UTU search band. A popup menu appears. Click Settings.
b.
The CiscoWorks Server Settings dialog box appears.

Step 2 Step 3
Enter the name or IP Address of the server on which Campus Manager (for releases earlier than LMS 4.0), or LMS 4.1 is installed. Enter the port number of the LMS Server. The default HTTP port number is 1741. You can modify the port number if required. Click Enable SSL for communicating with an SSL enabled server. The port is changed to 443, which is the default port for SSL. You can modify the port number if required. See Figure 7-2.
Figure 7-2 Enabling SSL
Step 4
Step 5
Enter a valid CiscoWorks Server user name and password. This is used to verify the validity of the user when searching for users, hosts, or IP Phones. Confirm the password by re-entering it.
Step 6
7-40
OL-20721-01
Chapter 7
Step 7
Select the Remember me on this computer checkbox if you want the client system to remember your credentials. The credentials are preserved only for the current user of Windows system. The credentials are not available when you log into the Windows system with a different user name.
Step 8
Click Apply to save the changes.
Searching for Users, Hosts or IP Phones Using UTU

You can use the UTU Search Band to search for the users, hosts, or IP Phones in your network.
Note
UTU search is case-insensitive. To search for users, hosts, or IP Phones:
Step 1
Right-click the UTU search band. A popup menu appears with the default search criterion Host name/IP Address selected. Select a search criterion from the popup menu. You can search using:

Step 2
User name Host name or IP Address Device name or IP Address MAC Address Phone number
The default search criterion is host name or IP Address of the host. The selected criterion is set for future searches until you change the criterion.
Step 3
Enter any value related to user name, host name, device name, IP Address, Phone number or the MAC Address in the UTU search field. For example, you can enter 10.77.208 in the search field. Press Enter. If your server is not SSL enabled, go to Step 7. When you query for data from an SSL enabled server, the Certificate Summary dialog box appears. Click Details to view the certificate details. You can verify the authenticity and correctness of the SSL server here. See Figure 7-3.
Step 4
Step 5
7-41
Figure 7-3
Certificate Details
You can click Summary to go back to the Certificate Viewer dialog box.
Step 6
Click Yes in the Certificate Viewer dialog box or Certificate Details dialog box to accept and store the certificate. SSL connection is established with the server. If you click No, the certificate is not stored and no connection is established with the server.
Note
The Certificate Viewer dialog box appears only for the first time configuration. If you had clicked Yes the first time, you are not prompted to store the certificate during subsequent sessions. Click the X Record(s) Found button to launch the results window. X denotes the number of matches found. For example, if there 4 matches found, the UTU Search band displays 4 Record(s) Found. See Figure 7-4.
Step 7
7-42
OL-20721-01
Chapter 7
Figure 7-4
UTU Search Band displaying the number of matching records
UTU search returns only the top 500 records if the number of matches exceed 500. You must refine your search if you want better and more accurate results.
Step 8
Select an entry in the Results window. UTU displays the search results, which is a list of user names, host names, IP Addresses, or MAC Addresses, in a Results window. The Results window has the following options:

Copy to Clipboard, where you can copy the selected search result record. Copy All to Clipboard, where you can copy all the search result records. Close, which you can use to close the window. Table 7-10 for all search criteria except Phone Number Table 7-11 for search based on Phone Number
For a selected search result record, the Results window displays the details as described in:

See Figure 7-5 for MAC Address search results window and Figure 7-6 for IP Phone search results window.
Table 7-10 Details for Each Entry in Results Window For a User or Host Search
Entry User Name MAC Address Host IP Address Host Name Subnet Subnet Mask Device name Device IP Address VLAN Port Port Description Port State Port Speed
Description Name of the user logged in to the host. Media Access Control (MAC) address of network interface card in end-user node. IP Address of the host. Name of the host discovered by User Tracking. Subnet to which the host belongs. Subnet mask of the host Name of the switch. IP Address of the switch VLAN to which the port of the switch belongs. Port number to which the host is connected. Description of the port number to which the host is connected. State of the port: Static or Dynamic. Bandwidth of the port of the switch.
7-43
Table 7-10
Details for Each Entry in Results Window For a User or Host Search
Entry Port Duplex Last Seen
Description Port Duplex configuration details on the device. Date and time when User Tracking last found an entry for this user or host in a switch. Last Seen is displayed in the format yyyy/mm/dd hh:mm:ss.
Figure 7-5
MAC Address Search Results Window
Table 7-11
Details for Each Entry in Results Window For a Phone Number Search
Entry Phone Number MAC Address Phone IP Address CCM Address Status Phone Type Phone Description Device Name Device IP Address Port
Description IP Phone number Media Access Control (MAC) address of network interface card on the phone. IP Address of the phone. IP Address of the Cisco Call Manager Status of the phone, as known to Cisco Call Manager Model of the phone. Can be SP30, SP30+, 12S, 12SP, 12SPplus, 30SPplus, 30VIP, SoftPhone, or unknown. Description of the phone. Name corresponding to IP Address of device. IP Address of the device Port number to which the phone is connected.
7-44
OL-20721-01
Chapter 7
Table 7-11
Details for Each Entry in Results Window For a Phone Number Search
Entry Port Description Last Seen
Description Description of the port to which the phone is connected. Date and time when User Tracking last found an entry. Last Seen is displayed in the format yyyy/mm/dd hh:mm:ss.
Figure 7-6
IP Phone Number Search Results Window
Note
The search results for the value you enter in the search field depends on the default search criteria.
7-45
Using Search Patterns for UTU

UTU searches for the users, hosts, or IP Phones that match the search criterion. See Searching for Users, Hosts or IP Phones Using UTU for more information. You can search for users, hosts, or IP Phones by entering a search pattern or substring of a search pattern. For example, entering Cisco displays host names that start with, end with or contain Cisco for a search on host names. You do not have to use wildcard character * to match a pattern or substring of the pattern. To search for a MAC Address, you can use one of the following MAC Address patterns or a substring of these patterns:

xxxx.xxxx.xxxx xx:xx:xx:xx:xx:xx xxxxxxxxxxxx xx-xx-xx-xx-xx-xx
Here x denotes a hexadecimal number.
Uninstalling UTU
Ensure that UTU is not running while uninstalling. If you try to uninstall UTU when it is running, an error message appears and uninstallation terminates. To uninstall UTU:
Step 1
Select Start > Programs > Cisco Prime UTU 2.0 > Uninstall CiscoWorks User Tracking Utility 2.0 from the windows task bar. The Uninstallation wizard appears and prompts you to confirm the UTU uninstallation. Click Yes. The Uninstallation continues. Click Finish to exit the uninstallation wizard.
Step 2
Step 3
Upgrading to UTU 2.0

You can install UTU 2.0 on the same system where UTU 1.1.1 is installed. You can choose to install UTU 2.0 on any directory other than the directory where UTU 1.1.1 is installed. See Installing UTU for installation instructions.
7-46
OL-20721-01
Chapter 7
Re-installing UTU 2.0

Re-installation of UTU 2.0 is supported on the normal mode of installation. In the normal mode of installation, you are prompted with a confirmation message to continue the installation. You must provide your inputs to continue the installation. See Installing UTU for installation instructions. The user profiles that are created are not lost during re-installation.
7-47
CH A P T E R

All collection settings like Inventory Collection settings, VRF Lite settings, various SNMP timeout settings are grouped under the collection settings in the Admin tab in the menu. This section contains:

Using the Inventory Job Browser Inventory Collection Settings Secondary Credentials Changing the Schedule for System Inventory Collection or Polling, and PSIRT/EOX System PSIRT or End-of-Sale or End-of-Life Data Administration Administering VRF Lite Modifying Fault Management SNMP Timeout and Retries Configuring Fault Management Rediscovery Schedules Configuring Event Forensics Fault Monitoring Device Administration Device Management Functions Performance Management SNMP Timeouts and Retry Settings IPSLA Application Settings Setting Up Archive Management Defining the Configuration Collection Settings Configuring Transport Protocols Overview: Common Syslog Collector Viewing Status and Subscribing to a Common Syslog Collector
8-1
Chapter 8 Using the Inventory Job Browser
Using the Inventory Job Browser

The Inventory Job Browser displays all user-defined jobs. It also displays the system-defined inventory collection and polling jobs. You can create and manage inventory jobs using the Job Browser. You can edit, stop, cancel or delete jobs using this Job Browser.
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform these tasks. When you install LMS, a default job is defined for Inventory Collection and Inventory Polling. When the default job runs, LMS evaluates the all devices group and executes the job. This way, whenever new devices are added to the system, these devices are also included in the default collection/polling job. For the default system jobs, the device list cannot be edited. You can only change the schedule of those jobs. Therefore, when a periodic system job for inventory collection or polling is scheduled, the scheduled job is not displayed in the Inventory Job Browser. The default system jobs for Inventory Collection and Inventory Polling are created immediately after installation. However, they may appear in the Inventory Job Browser (Inventory > Job Browsers > Inventory Collection or Admin > Collection Settings > Inventory > Inventory Jobs) and the LMS Job Browser (Admin > Jobs > Browser) only after some time has elapsed. The jobs are displayed in the Job Browser when they are running, or after they are completed, with all the details such as Job ID, Job Type, and Status. User-defined jobs, however, are displayed in the Job Browser once they are scheduled, when they are running, and after they are completed. You can do the following tasks from the Inventory Job Browser:

Viewing Job Details Creating and Editing an Inventory Collection or Polling Job Stopping, Cancelling or Deleting an Inventory Collection or Polling Job
8-2
OL-20721-01
Chapter 8
Administering Collection Settings Using the Inventory Job Browser
To invoke the Inventory Job Browser, either:
Select Inventory > Job Browsers > Inventory Collection. Or Select Admin > Collection Settings > Inventory > Inventory Jobs.
The Inventory Job Browser dialog box appears with a detailed list of all scheduled inventory jobs. The columns in the Inventory Job Browser dialog box are: Column Job ID Description Unique ID assigned to the job by the system, when the job is created. Click on the hyperlink to view the Job details (see Viewing Job Details.) Periodic jobs such as 6-hourly, 12-hourly, Daily, Weekly and Monthly, have the job IDs that are in the number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that this is the third instance of the job ID 1001. Job Type Status Type of jobSystem Inventory Collection, System Inventory Polling, Inventory Collection and Inventory Polling. Status of the jobScheduled, Successful, Failed, Cancelled, Stopped, Running, Missed Start. The number, within brackets, next to Failed status indicates the count of the devices that had failed for that job. This count is displayed only if the status is Failed. For example, If the status displays Failed(5), then the count of devices that had failed is 5. This count of failed devices is not displayed for jobs restored from LMS 4.1 or earlier versions. Description Owner Scheduled at Completed at Schedule Type Description of the job entered by the job creator. This is a mandatory field. Accepts alphanumeric values. The field is restricted to 256 characters. Username of the job creator. Date and time at which the job was scheduled. Date and time at which the job was completed. Type of schedule for the job:

ImmediateRuns the report immediately. 6 - hourlyRuns the report every 6 hours, starting from the specified time. 12 - hourlyRuns the report every 12 hours, starting from the specified time. OnceRuns the report once at the specified date and time. DailyRuns daily at the specified time. WeeklyRuns weekly on the specified day of the week and at the specified time. MonthlyRuns monthly on the specified day of the month and at the specified time.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. Using the Filter by field in the Inventory Job Browser, you can filter the jobs displayed in the browser.
8-3
You can filter the jobs using any of the following criteria and clicking Filter: Filter Criteria All Job ID Job Type Description Select All to display all jobs in the Job Browser Select Job ID and enter the whole or the first part of the Job ID(s) that you want to display. Select Job Type and then select any one of the following:

Inventory Polling System Inventory Polling Inventory Collection
Status
System Inventory Collection Select Status and then select any one of these:
Schedule Successful Failed Cancelled Stopped Running Missed Start Missed start is the status when the job could not run for some reason at the scheduled time. For example, if the system was down when the job was scheduled to start, when the system comes up again, the job does not run. This is because the scheduled time for the job has elapsed. The status for the specified job will be displayed as Missed Start.
Description Owner
Select Description and enter the first few letters or the complete description. Select Owner and enter the user ID or the beginning of the user ID.

Schedule Type Select the Schedule Type and select any one of these: Immediate Once 6-hourly 12-hourly Daily Weekly Monthly
Refresh (Icon)
Click on this icon to refresh the Inventory Job Browser.
8-4
OL-20721-01
Chapter 8
To perform the following tasks, use the Inventory Job Browser (Table 8-1)
.
Table 8-1
Inventory Browser Buttons, the Tasks they Perform and their Description
Button Create Edit
Task Create jobs Edit jobs
Description You can create a new job. You can edit only a scheduled job. You can select only one job at a time for editing. If you select more than one job, the Edit button is disabled.
Cancel
Cancel jobs
You can cancel a scheduled job. You can select more than one scheduled job to cancel. You are prompted to confirm the cancellation. If it is a periodic job, you are prompted to confirm whether you want to cancel only the current instance of the job or all future instances.
1.
Select a periodic job and click Cancel. The Cancel Confirmation dialog box appears. Select one of the following options:
Cancel only this instance Cancel this and all future instances
2.
3.
Click OK.
Stop
Stop jobs
You can stop a running job. However, the job will be stopped only after the devices currently being processed are completed. This is to ensure that no device is left in an inconsistent state.
Delete
Delete jobs
You can delete a job that has been scheduled, successful, failed, stopped or cancelled. However, you cannot delete a running job. You can select more than one job to delete, provided they are scheduled, successful, failed, stopped, or cancelled jobs. For instance, if you select a failed job and a running job, the Delete button is disabled. If you are deleting a scheduled periodic inventory job, the following message is displayed:
If you delete periodic jobs, or instances of a periodic job, that are yet to be run, the jobs will no longer run, nor will they be scheduled to be run again. You must recreate the deleted jobs.
You are prompted to confirm the deletion. Records for Inventory Collection and Polling jobs need to be purged periodically. You can schedule a default purge job for this purpose, select Admin > Network > Purge Settings > Config Job Purge Settings.
8-5
Viewing Job Details

In the Inventory Job Browser, click on the Job ID hyperlink to view the following job details for Inventory collection, or polling jobs:

Job DetailsExpand this node to display Job Summary and Job Results for the inventory collection or polling job. Job SummaryClick on this node to view the following for the inventory collection or polling job:
Job SummaryDisplays information about the job type, the job owner, the status of the job, the
start time, the end time, the schedule type, and details of email notification.
Device SummaryDisplays information about the total devices submitted for the job, the
number of devices that were scanned, the number of devices that were pending, the devices that were successful with change, successful without change, and the failed devices. Also, the Device Details and Not Attempted information appears. Not Attempted displays the number of devices for which the Inventory collection module did not attempt to collect the data.
Job ResultsDisplays information about the number of devices scanned, the names of the scanned devices, the duration of scanning, the average scan time per device, and the job results description, for the inventory collection or polling job. To see more details, expand the Job Results node. You will see the following details:
FailedIf you click on this node, you will see the collective list of failed devices and the reason
for their failure in the right pane, for the inventory collection or polling job. If you expand this node, the list of failed devices appears. If you select a device, the right pane displays the device name and the reason for the failure. For example, Device sensed, but collection failed, or Device not reachable.
Successful: With Changes
For a Inventory collection job: Expand the Successful: With Changes node to display a list of devices. If you select a device, the right pane displays the device name and a hyperlink: View Changes. If you click on this hyperlink, the Inventory Change Details report appears for the device. The report displays information about the attribute, the type of change, the time of change, the previous value and the current value for the collection job. If you do not expand this node, you will see the collective list of devices with the status Success: With changes with their View Changes hyperlinks, in the right pane, for the collection job. There is a View All Changes hyperlink in the right pane. If you click this hyperlink, all the changes on the devices are displayed. For a Inventory polling job: Click on the Successful: With Changes node to display a list of devices that have changes, as a comma separated list, in your right pane. When there is a change in the config of a device and when the device is polled, the information like Collection initated will appear in the job results. A separate job will be created for the inventory collection as a result of changes occuring in the inventory .
8-6
OL-20721-01
Chapter 8
Successful: Without Changes
If you click on this, you will see as a comma-separated list in your right pane, the devices that were successful for the inventory collection or polling job.
Note
Inventory Poller creates a Collection job when it detects changes.
Creating and Editing an Inventory Collection or Polling Job

To create or edit an Inventory collection or polling job:
Step 1
Either:
Select Inventory > Job Browsers > Inventory Collection. Or Select Admin > Collection Settings > Inventory > Inventory Jobs.
The Inventory Job Browser appears.

Step 2
Select either:
Click Create. The Create Inventory Job dialog box appears. Or Select a job and click Edit. Device Selector, if you want to schedule report generation for static set of devices Group Selector, if you want to schedule report generation for dynamic group of devices.
Step 3
Select either:
Or
8-7
Step 4
Enter the information required to create a job: Description Select either Inventory Collection or Inventory Polling, as required. Specifies the type of schedule for the job:

Field Job Type

Scheduling
Run Type
ImmediateRuns the report immediately. 6 - hourlyRuns the report every 6 hours, starting from the specified time. 12 - hourlyRuns the report every 12 hours, starting from the specified time. OnceRuns the report once at the specified date and time. DailyRuns daily at the specified time. WeeklyRuns weekly on the day of the week and at the specified time. MonthlyRuns monthly on the day of the month and at the specified time.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. If you select Immediate, the date field option will be disabled. Date
1. 2.
Enter the start date in the dd mmm yyyy format, for example, 02 Jul 2004, or click on the calendar icon and select the date. Enter the start time by selecting the hours and minutes from the drop-down list. The Date field is enabled only if you have selected an option other than Immediate in the Run Type field.
Job Info
Job Description E-mail
Enter a description for the report that you are scheduling. This is a mandatory field. Accepts alphanumeric values. This field is restricted to 256 characters. Enter e-mail addresses to which the job sends messages when the job has run. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the senders address,
8-8
OL-20721-01
Chapter 8
Administering Collection Settings Inventory Collection Settings
Step 5
Click Submit. You get a notification that the job has been successfully created, and it appears in the Inventory Job Browser. To edit a job, select a scheduled job from the Inventory Job Browser, and click Edit. The Edit Inventory Job dialog box appears. The Job Type options are disabled. You can however, change the Scheduling and Job Info fields as required, and click Submit. The job is edited.
Stopping, Cancelling or Deleting an Inventory Collection or Polling Job

You can stop, cancel or delete Inventory Collection or Polling jobs.

Stopping a job, see Stop in Table 8-1. Cancelling a job, see Cancel in Table 8-1. Deleting a job, see Delete in Table 8-1.
Inventory Collection Settings

This option enables you to set the default values for Inventory, Config timeout and retry settings. These values are applicable to all devices in LMS.
SNMP RetryNumber of times that the system should try to access devices with SNMP options. The default value is 2. The minimum value is zero and the maximum value is 6. SNMP TimeoutAmount of time that the system should wait for a device to respond before it tries to access it again. It refers to the total transaction time of SNMP Packets. The default value is 2 seconds and the minimum value is zero seconds. There is no maximum value limit. Changing the SNMP timeout value affects inventory collection.
Telnet TimeoutAmount of time that the system should wait for a device to respond before it tries to access it again. It refers to the initial response time required to create a socket. The default value is 36 seconds and the minimum value is zero seconds. There is no maximum value limit. Changing the Telnet timeout value affects inventory collection. Natted LMS IP AddressThe LMS server ID. This is the translated address of LMS server as seen from the network where the device resides. You need to enable support for NAT, in a scenario where LMS tries to contact devices outside the NAT boundary. The default value is Not Available. TFTP TimeoutAmount of time that the system should wait to get the result status of the copy operation. Changing the TFTP timeout value affects Config collection. The default value is 5 and the minimum value is 0 seconds. There is no maximum value limit. SSH TimeoutAmount of time in seconds after which SSH session will be terminated when there is no data transfer from client.
8-9
Chapter 8 Secondary Credentials
To edit the Inventory, Config timeout and retry settings:

Step 1
Select Admin > Collection Settings > Inventory > Inventory, Config Timeout and Retry Settings. The Inventory, Config timeout and retry settings dialog box appears. Enter the default values for:

Step 2
SNMP Retry SNMP Timeout Telnet Timeout Natted LMS IP Address TFTP Timeout SSH Timeout
The value you enter here will be applicable for all LMS devices. You can change the value for individual devices and also enter the device serial number information using the Edit Devices Attributes option on LMS Devices window.
Step 3
Click Apply. A confirmation message appears:

Default settings are updated successfully.
Step 4
Click OK.
Secondary Credentials
The LMS server polls and receives two types of credentials from each device and populates the Device Credential Repository (DCR).These credentials are:

Primary Credentials Secondary Credentials
LMS uses either the primary or secondary credentials to access the devices using the following protocols:

Telnet SSH
The LMS server first uses the Primary Credentials to access the device. The Primary Credentials is tried out many times and on failure the Secondary Credentials is tried out. Secondary Credentials is used as a fallback mechanism in LMS for connecting to devices. For instance, if the AAA Server is down, accessing devices using their primary credentials will lead to failure. You can add or edit the Secondary Credentials information through the DCR page (Select Inventory > Device Administration > Add / Import / Manage Devices) if the Secondary Credential information is not available for a device.
Note
The use of Secondary Credentials fallback is applicable for both Login and Enable connectivity.
8-10
OL-20721-01
Chapter 8
Administering Collection Settings Changing the Schedule for System Inventory Collection or Polling, and PSIRT/EOX System
You can use the LMS Secondary Credential dialog box to enable or disable Secondary Credentials fallback when the Primary Credentials for a device fails. This is a global option which you can use to enable or disable the use of Secondary Credential fallback for all LMS applications. To enable or disable the Secondary Credentials fallback:
Step 1
Select Admin > Collection Settings > Config > Secondary Credential Settings. The Secondary Credentials dialog box appears. Do either of the following:
Step 2
Check Fallback to Secondary Credentials check box if you want to enable the Secondary Credential fallback. Uncheck Fallback to Secondary Credentials check box if you want to disable the Secondary Credential fallback.
Or
Step 3
Click either Apply to apply the option or click Cancel to discard the changes.
Changing the Schedule for System Inventory Collection or Polling, and PSIRT/EOX System
At the time of LMS installation, system jobs are created for both Inventory collection and polling, with their own default schedules. A periodic inventory collection job collects inventory data from all managed devices and updates your inventory database. Similarly, the periodic polling polls devices and updates the inventory database. You can change the schedule of these default, periodic system jobs. For inventory collection or polling to work, your devices must have accurate read community strings entered. The changes detected by inventory collection or polling, are reflected in all associated inventory reports. You can also change the job schedule for PSIRT/EOX System. This section contains:

Changing the Schedule for System Inventory Collection or Polling. Changing the Schedule for PSIRT/EOX System.
Changing the Schedule for System Inventory Collection or Polling

Note that the inventory poller allows you to collect inventory less often. The poller detects most changes in managed devices, with much less impact on your network. If the poller detects changes, it initiates inventory collection. To collect inventory or poll devices as a one-time event or for selected devices only, create user-defined inventory collection or polling jobs (see Creating and Editing an Inventory Collection or Polling Job).
8-11
Chapter 8 Changing the Schedule for System Inventory Collection or Polling, and PSIRT/EOX System
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform these tasks. Select Admin > Collection Settings > Inventory > Inventory System Job Schedule. The System Job Schedule dialog box displays the current collection or polling schedule. Set the new Inventory Collection or Inventory Polling schedule in the respective panes, as in Table 8-2: Inventory data does not change frequently, so infrequent collection is better. However, if you are installing much new equipment, you may need more frequent collection. Infrequent collection reduces the load on your network and managed devices. Collection is also best done at night or when network activity is low. Also, make sure your collections do not overlap, by checking their duration using the Inventory Job Browser (see Using the Inventory Job Browser), and scheduling accordingly.
Step 1
Step 2
Step 3
Click Apply. The new schedule is saved.
Changing the Schedule for PSIRT/EOX System

Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform these tasks. Select Admin > Network > PSIRT, EOS and EOL Settings > PSIRT/EOX system job schedule. The PSIRT and EOX Job Schedule displays the current PSIRT and EOX schedule. Set the new PSIRT and EOX schedule in the respective panes, as in Table 8-2. Click Apply. The new schedule is saved.
Step 1
Step 2 Step 3
Table 8-2
Details of Inventory system schedule and PSIRT and EOX System Job Schedule
Field
Scheduling
Description Select the run type or frequency for inventory collection or pollingDaily, Weekly, or Monthly. For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3.
Run Type
8-12
OL-20721-01
Chapter 8
Administering Collection Settings Changing the Schedule for System Inventory Collection or Polling, and PSIRT/EOX System
Table 8-2
Details of Inventory system schedule and PSIRT and EOX System Job Schedule
Field Date at
Job Info
Description Select the date for the collection or polling to begin, using the date picker. Enter the time for the collection or polling to begin, in the hh:mm:ss format. Has a default Job Description: If the Job Type is Inventory Collection, the description is, System Inventory Collection Job. If the Job Type is PSIRT and EOX, the description is, System PSIRT and EOX Job. Enter e-mail addresses to which the job sends messages when the collection or polling job has run. You can enter multiple e-mail addresses, separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the senders address.
Job Description
E-mail
8-13
Chapter 8 PSIRT or End-of-Sale or End-of-Life Data Administration
PSIRT or End-of-Sale or End-of-Life Data Administration

Product Security Incident Response Team (PSIRT) of Cisco is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability-related information, related to Cisco products and networks. For every security vulnerability, a PSIRT document is created with a PSIRT Document ID. This document consists of definitions of the vulnerabilities, the IOS image version that is affect by the PSIRT, as well as the device that is impacted.
Note
System PSIRT job should be successful at least once before generating PSIRT/EoX reports. Report job will be successful even though there is no data to display for the selected devices. The EoS/EoL reports will be successful but might not contain data in the below scenarios:
1. 2. 3.
If the system PSIRT job fails because of wrong Cisco.com credentials, or if you have not configured the Cisco.com credentials. If the system PSIRT job fails due to problems in the downloaded local XML file. If there is no PSIRT/EoX data in the database for the selected devices.
LMS fetches and collects this PSIRT information from Cisco.com whenever the system PSIRT and EOX job runs. LMS uses PSIRT, End-of-Sale and End-of-Life data from Cisco.com to generate various reports. You can change the Data Source for PSIRT or End-of-Sale or End-of-Life reports. For more information, see Changing the Data Source for PSIRT/EOS/EOL Reports.
Changing the Data Source for PSIRT/EOS/EOL Reports

You can use the PSIRT/EOX Reports option to change the data source for generating a PSIRT or End-of-Sale or End-of-Life report. To access this option, select Reports > Fault and Event > PSIRT Summary This section contains:

Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location
When you schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the data either from Cisco.com or from a local text file with XML data, depending upon the option you have set.
8-14
OL-20721-01
Chapter 8
Administering Collection Settings PSIRT or End-of-Sale or End-of-Life Data Administration
To change the PSIRT or End-of-Sale/End-of-Life report settings:

Step 1
Select Admin > Network > PSIRT, EOS and EOL Settings > PSIRT/EOX Reports option. The PSIRT/EOX Reports dialog box appears. Either:
Step 2
Select Cisco.com, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data from Cisco.com Or Select Local, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data from local file. The local file location is shown if you have selected Local.
Step 3
Click Apply The PSIRT or End-of-Sale or End-of-Life report can be generated based on the settings specified by you.
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com

You can use the Cisco.com option, if you have access to Cisco.com from the LMS server. When you schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the data from Cisco.com. The report so generated consists of latest data from the system PSIRT and EOX job. If you have opted to generate a PSIRT or End-of-Sale or End-of-Life report using data from Cisco.com, you must setup the Cisco.com user account using Admin > System > Cisco.com Settings > User Account Setup. If you do not configure the Cisco.com user account, the System PSIRT and EOX job will fail.
Note
While you schedule a PSIRT Summary report job or End-of-Sale or End-of-Life job using the Cisco.com method, the Cisco.com Username, Cisco.com Password are enabled. If you have configured the Proxy Server (Admin > System > Cisco.com Settings > Proxy Server Setup) then Proxy Username and Proxy Password fields are also enabled.
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location

You can use the Local option, if you do not have an internet connection from the LMS server. The local file is a text file with XML data in it.
Downloading the text file with XML data from Cisco.com
You can retrieve the PSIRT or End-of-Sale or End-of-Life information from an external server and store it in the local file location on the LMS server. To download the text file with XML data from Cisco.com:
1. 2.
Use a server other than LMS server with internet connection as the external server. From this external server, access the following link to download the XML data:
8-15
Chapter 8 PSIRT or End-of-Sale or End-of-Life Data Administration
For EoS/EoL Hardware Report:

1.
Go to http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=4.1.1&mdfid=282635175&s ftType=CiscoWorks+Resource+Manager+Essentials+Patches&optPlat=Solaris&nodecount=2 &edesignator=null&modelName=CiscoWorks+Resource+Manager+Essentials+4.3&treeMdfI d=268439477&treeName=Network+Management&modifmdfid=&imname=&hybrid=Y&imst =N&lr=Y Login to Cisco.com by entering the Cisco.com user name and password. Download the PSIRT_EOX_OFFLINE.zip file. Extract the text file with XML data to the external server. Copy the text file from the external server into the LMS Server under: /var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml
2. 3. 4. 5.
On Solaris/Soft Appliance, On Windows, NMSROOT\files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml
The text file with XML data gets saved under local_xml folder. Where NMSROOT is the default Cisco Prime installation directory. For EoS/EoL Software Report:
1.
Go to http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=4.1.1&mdfid=282635175&s ftType=CiscoWorks+Resource+Manager+Essentials+Patches&optPlat=Solaris&nodecount=2 &edesignator=null&modelName=CiscoWorks+Resource+Manager+Essentials+4.3&treeMdfI d=268439477&treeName=Network+Management&modifmdfid=&imname=&hybrid=Y&imst =N&lr=Y Login to Cisco.com by entering the Cisco.com user name and password. Download the EOX_SOFTWARE.zip file to the external server. Copy the EOX_SOFTWARE.zip file from the external server into the LMS Server under: /var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml
2. 3. 4.
On Solaris/Soft Appliance, On Windows, NMSROOT\files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml
Note
You must not extract the EOX_SOFTWARE.zip file in the LMS Server. The EOX_SOFTWARE.zip file gets saved under local_xml folder. Where NMSROOT is the default Cisco Prime installation directory.
When you schedule a PSIRT or End-of-Sale/End-of-Life report, the Report Generator retrieves the data from the XML file. To ensure that the data shown in the PSIRT or End-of-Sale or End-of-Life report is the latest:
1. 2.
Retrieve the PSIRT or End-of-Sale or End-of-Life information from Cisco.com using an external server which has internet connection. Store this retrieved XML information in the local file location.
8-16
OL-20721-01
Chapter 8
Administering Collection Settings Administering VRF Lite
3.
Then generate a PSIRT Summary Report or End-of-Sale or End-of-Life report. For more information, see:
Downloading the text file with XML data from Cisco.com
Administering VRF Lite

From the Admin tab in the mega menu you can administer the following features of VRF Lite:

Provide VRF Lite Collector Settings. For details, see Using VRF Lite Collector Settings. Schedule VRF Lite Collection. For details, see Scheduling VRF Lite Collector. Modify SNMP Timeouts and Retries. For details, see Modifying VRF Lite SNMP Timeouts and Retries.
You can specify the debugging options for VRF Lite Server, VRF Lite Collector, and VRF Lite, select Admin > System > Debug Settings. For details, see Setting VRF Lite Debugging Options. You can view the status of VRF Lite jobs, select Admin > Jobs > Browser, and use the filter to view only VRF Lite jobs. You can configure purging interval for Virtual Network Manager Report Jobs and Archives, select Admin > Network > Purge Settings > VRF Management Purge Settings. For details, see Purging VRF Management Reports Jobs and Archived Reports. This section contains:

Using VRF Lite Collector Settings Scheduling VRF Lite Collector Modifying VRF Lite SNMP Timeouts and Retries
Using VRF Lite Collector Settings

You can perform the following administrative tasks using the VRF Lite Collector Settings page:
Schedule VRF Lite Collector You can schedule the VRF Lite Collector process to run after every Data Collection. The VRF Lite Collector process is scheduled to collect VRF Lite-specific details of the VRF Lite Capable and VRF Lite Supported devices. You can add, edit and delete VRF Lite Collector Schedule jobs. To schedule the VRF Lite Collection process, click Schedule VRF Lite Collector link. For details, see Scheduling VRF Lite Collector. VRF Lite SNMP Timeouts and Retries Settings You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular device with SNMP timeout exceptions. To modify the VRF Lite SNMP Timeouts and Retries Settings, click VRF Lite SNMP Timeouts and Retries Settings link. For details, see Modifying VRF Lite SNMP Timeouts and Retries.
8-17
Chapter 8 Administering VRF Lite
Scheduling VRF Lite Collector

You can schedule the day and the time of VRF Lite Collection using this feature. You can add a new schedule, edit or delete existing schedules. To schedule VRF Lite Collector:
Step 1
Select Admin > Collection Settings > VRF Lite > VRF Lite Collector Schedule. The VRF Lite Collector Schedule dialog box appears. Enter the details as mentioned in Table 8-3.
Step 2 Table 8-3
VRF Lite Collection Schedule Settings
Field
Schedule
Description Allows you to enable or disable VRF Lite Collection after every Data Collection. The VRF Lite Collection collects VRF Lite-specific details.
Usage Notes

Run VRF Lite Collector After Every Data Collection Job ID
Enable: Check the check box to enable VRF Lite Collection after every Data Collection and click Apply. Disable: Uncheck the check box to disable VRF Lite Collection after every Data Collection and click Apply.
Job ID of the VRF Lite Collector Schedule Display only. job. Days on which and the time at which VRF The optimum VRF Lite collection schedule depends on the Lite collection is scheduled. size of the network and the frequency of network changes. By default, the VRF Lite collection process is scheduled to run after the Data Collection process has completed.
Schedule VRF Lite Collector
Days, Hour, Min
Recurrence Pattern Job Description
Select the days of the week on which VRF This field is available only when you are adding or editing a Lite collection is to be scheduled. schedule. Description of the VRF Lite Collector Schedule job.
Step 3
Enter the description of the VRF Lite Collector Schedule job.
Select a schedule and click Edit to edit the schedule Select a schedule and click Delete to delete the schedule Click Add to add a new schedule
Click OK to save the details Or Click Cancel to exit the VRF Lite Collection Schedule dialog box.
You can view the status of VRF Lite Collector Schedule job, select Admin > Jobs > Browser, and use the filter to view VRF Lite Collector Schedule job.
8-18
OL-20721-01
Chapter 8
Administering Collection Settings Administering VRF Lite
Modifying VRF Lite SNMP Timeouts and Retries

You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular device with SNMP timeout exceptions. To modify SNMP timeouts and retries:
Step 1
Select Admin > Collection Settings > VRF Lite > VRF Lite SNMP Timeouts and Retries. The VRF Lite SNMP Timeouts and Retries dialog box appears. Modify the SNMP settings as given in Table 8-4.
Table 8-4 Modify VRF Lite SNMP Timeouts and Retries
Step 2
Field Target Timeouts
Description IP address of the target device. For example, 10.*.*.* Time period after which the query times out. This also indicates the time interval between the request and the first initial response from the device. The SNMP response may be slow for remote devices. If your network has remote devices connected over a slow link, configure a higher value for time-out. If Time out is increased, Discovery time could also increase. Enter the value in seconds. The allowed range is 0-60. For every retry, the Timeout value is doubled. For example, If the Timeout is 10 seconds and retries 4: LMS waits for 10 seconds for response for the first try, 20 seconds for the second retry, 40 seconds for the third retry and 80 seconds for the fourth retry. 150 seconds (10+20+40+80) is the total time lapse after which Virtual Network Manager stops querying the device.
Retries
Step 3 Step 4
Number of attempts made to query the device. The allowed range is 0-8.
Click Add to add VRF Lite SNMP settings. Select a row and either:
Click Edit to edit the VRF Lite SNMP Timeouts and Retries value. Click Delete to delete the VRF Lite SNMP Timeouts and Retries value.
Or

Step 5
Click Apply.
8-19
Chapter 8 Modifying Fault Management SNMP Timeout and Retries
Modifying Fault Management SNMP Timeout and Retries

If an SNMP query does not respond in time, Fault Management will time out. It will then retry contacting the device for as many times as displayed when you select Admin > Collection Settings > Fault > Fault Management SNMP Timeouts and Retries. The timeout period is doubled for every subsequent retry. For example, if the timeout value is 4 seconds and the retries value is 3, LMS waits for 4 seconds before the first retry, 8 seconds before the second retry, and 16 seconds before the third retry. The SNMP timeout and retries are global settings. The default values are:

Timeout4 seconds Retries3
Note
Changing the settings on this page will modify the settings on all devices managed by LMS.
Note
Your login determines whether or not you can perform this task. View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. To modify the Fault Management SNMP timeout and retries:
Select Admin > Collection Settings > Fault > Fault Management SNMP Timeouts and Retries. The SNMP Configuration page appears. Select a new SNMP timeout setting. Select a new Number of Retries setting. Click Apply. In the confirmation box, click Yes.
8-20
OL-20721-01
Chapter 8
Administering Collection Settings Configuring Fault Management Rediscovery Schedules
Configuring Fault Management Rediscovery Schedules

Note
Your login determines whether or not you can perform this task. View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. LMS rediscovery probes the devices to discover their configuration and verify their manageable elements in inventory. LMS contains a default discovery schedule that starts rediscovery on a weekly basis. Although you cannot modify the default discovery schedule, you can suspend it and add, modify, or delete additional schedules. For more information, see

Suspending and Resuming a Rediscovery Schedule Adding and Modifying a Rediscovery Schedule
Suspending and Resuming a Rediscovery Schedule

LMS includes a default rediscovery schedule, Default_Schedule. You cannot edit or delete Default_Schedule, but you can suspend it. To completely suspend rediscovery for a period of time, you may have to repeat this procedure to suspend multiple schedules. To suspend and resume a rediscovery schedule:
Step 1
Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule. The Rediscovery Schedule page appears. You can either:
Step 2
Select a schedule that does not have a Suspended status, and click Suspend. The status for the schedule changes to Suspended and the schedule does not run until you resume the schedule. The schedule remains listed on the Rediscovery Schedule page until you delete it. Or Select a schedule with a status of Suspended and click Resume. The status for the schedule changes to Scheduled.
8-21
Chapter 8 Configuring Fault Management Rediscovery Schedules
Adding and Modifying a Rediscovery Schedule

See Performing Scheduling Tasks to plan the rediscovery schedule for maximum efficiency and minimum system impact.
Performing Scheduling Tasks
You should plan the rediscovery schedule for maximum efficiency and minimum system impact. When LMS is first installed, for the Fault Management module most tasks listed in Table 8-5 are scheduled by default to ensure that they do not run concurrently. You can configure the schedules for these tasks to meet the requirements of your site. However, you should still avoid running them concurrently.
Table 8-5 Scheduling Considerations
Configuration Task Database purging
Default Schedule Run daily at midnight.
Comments and Notes The amount of time it takes to purge the database depends on the size of the database. For more information on how to configure the Daily Fault History Purging Schedule, see Configuring the Daily Fault History Purging Schedule.
Rediscovery
Run weekly on Monday at 2:00 a.m.
By default, rediscovery starts 2 hours after database purging.
In addition to configuring schedules, a system administrator can schedule database backups. Be careful while coordinating the database backup schedule to avoid running concurrently with the tasks listed in Table 8-5. To add or edit a rediscovery schedule:
Step 1 Step 2
Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule. Select either:
Click Add. Select a rediscovery schedule with a status of Scheduled and click Edit. You cannot edit Default_Schedule.
Or
Step 3 Step 4
Enter a name for the schedule. Select how often the schedule should run:

Once Daily Weekly (default) Monthly
8-22
OL-20721-01
Chapter 8
Administering Collection Settings Configuring Event Forensics
Step 5 Step 6
Select the date, hour, and minute on which to start the rediscovery schedule and click Next. Review the information on the Schedule Summary page and click Finish. The Rediscovery Schedule page appears, listing the new schedule.
Deleting a Rediscovery Schedule
To delete a rediscovery schedule:

Step 1
Select a rediscovery schedule and click Delete. A confirmation dialog box appears.
Note Step 2
You cannot delete Default_Schedule.
Click Yes. The job is removed from this page. However, it will continue to be listed in the main Job Browser.
Configuring Event Forensics

Event Forensics refer to additional information related to the specific events that are polled by LMS server. The polled data are stored on the server and you can use this for troubleshooting. You must enable the Event Forensics collection feature on LMS server to start collecting the event forensics data. To enable collection of Event Forensics:
Click Admin > Collection Settings > Fault > Fault Event Forensics Configuration. The Event Forensics Configuration page appears. Select the Event Forensics Enable check box to enable LMS to collect forensics data. Click Apply. LMS polls for Event Forensics data for the following events only:

Device unavailability or unresponsiveness Flapping Operationally Down
To view the event forensics results select Monitor > Monitoring Tools > Fault Monitor. You can see the event forensics results when you move your mouse over the Annotations in the Faults table of Fault Monitor Device Fault Summary view tab.
8-23
Chapter 8 Fault Monitoring Device Administration
Fault Monitoring Device Administration

To rediscover and delete specific devices, select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault Monitoring Device Administration page contains two panes.

The left pane displays a device selector, from which you select the device or group that you want to rediscover or delete. The left pane includes a search option The right pane displays the information for the selected object.
Click the Refresh button to refresh the view. The devices that appear in the device selector are organized in folders by device state. See, Understanding Device States in Inventory Management with CiscoWorks LAN Management Solution 4.1 for more information on device states. The folders appear only if there is a device to go in the folder.
Rediscovering Devices
When rediscovery takes place, if there are any changes to a device or group configuration, the new settings will overwrite any previous settings. Rediscovery occurs only for managed devices, and not suspended devices. Rediscovery also occurs when:

Inventory collection occurs. This is controlled by the Rediscovery Schedule (Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule) A device is added to the DCR, or a change is made to a device in the DCR, and LMS is configured to import that device type (or LMS automatically imports all DCR devices). Such DCR changes include a device being deleted or having its credentials (IP address, SNMP credentials, MDF type) changed in the DCR. A device is manually added to LMS using the Device Import page.
Note
Do not confuse the LMS discovery process with the DCR synchronization process. LMS Discovery and Rediscovery is a process that affects only the LMS inventory.
8-24
OL-20721-01
Chapter 8
Administering Collection Settings Device Management Functions
To rediscover devices:
Step 1 Step 2
Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault Monitoring Device Administration page appears. Select the device or group that you want to rediscover. With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To assist you in locating devices, use the search option in the device selector.
Note
If you are connecting to the LMS server for the first time, a Security Alert window is displayed after you select nearly any option. Do not proceed without viewing and installing the security certificate. You should contact a user with System Administrator privileges to create a self-signed security certificate, and then install it. If you do not install the self-signed security certificate, you may not be able to access some LMS application pages.
Step 3
Click Rediscover. Rediscovery starts. To view rediscovery status, select Inventory > Device Administration > Manage Device State.
Device Management Functions

Till LMS 3.2 there were 8 different applications like Common Services, Portal and applications covering functionalities in FCAPS model. LMS 4.1 removes application boundaries and provides tighter integration among the components. It groups all the related functionalities in one place, thus making the product more user friendly. LMS 4.1 consists of the following five functionalities:

To view the functionality settings: Select Admin > System > Device Management Functions. By default, all the functions will be enabled. If you have a 10K license, only Inventory, Config and Image Management will function. You should disable all functions except Inventory, Config and Image Management from this page.
Note
If you disable a function, the function will stop collecting device information. For IPSLA Management, history data will be deleted.
8-25
Chapter 8 Performance Management SNMP Timeouts and Retry Settings
Performance Management SNMP Timeouts and Retry Settings

Cisco Prime LMS allows you to configure the Performance Management SNMP timeout and SNMP retries using the Poll Settings option. The Performance Management SNMP timeout and SNMP retries are based on the device and network response time.

SNMP timeout is the duration of time that LMS waits for the device to respond before it retries to query the device again. SNMP retry is the maximum number of times LMS retries to query the device.
You can also set the notification interval time in case of poller failures and the e-mail ID to which the notification should be sent. You can also configure Poll Settings to send the polling failure report as an e-mail. To configure Poll Settings:
Step 1
Select Admin > Collection Settings > Performance > Performance Management SNMP timeouts and retry settings. The Poll Settings dialog box appears. Table 8-6 describes the fields in the Poll Settings dialog box.
Table 8-6 Poll Settings Fields
Field
Poll Details
Description Specify the SNMP timeout interval in seconds. The default SNMP timeout value is 3 seconds. You can change the default SNMP timeout value to a value between 1 to 15 seconds.
SNMP Timeout
SNMP Retries
Specify the SNMP retries count. The default SNMP retry count value is 1. You can set the default SNMP retry count to a value from 0 to 3.
8-26
OL-20721-01
Chapter 8
Administering Collection Settings IPSLA Application Settings
Table 8-6
Poll Settings Fields
Field
Polling Failure
Description Specify the polling failure notification interval. You can select any of these predefined values. The default option is 6 hours.

Notification Interval
01 - HourPolling failures notified every 1 hour. 06 - HoursPolling failures notified every 6 hours. 24 - HoursPolling failures notified every 24 hours. 48 - HoursPolling failures notified every 48 hours. WeeklyPolling failures notified every week.
Polling failure notification report is generated periodically based on notification interval. This report contains information on the SNMP polling failures with device details. E-mail ID Enter the e-mail address. The E-mail address must be in the format: user@domain.com. The poll failure report is send to the E-mail address based on the Notification Interval.
Step 2
Update the necessary fields in the following panes:

Poll Details Polling Failure
See Table 8-6 for the description of fields that appear in the Poll Settings dialog box.
Step 3
Click Apply to update the poll settings or Reset to cancel the poll settings. A message appears confirming that poll settings are updated successfully.
IPSLA Application Settings

The IPSLA Application Settings page allows you to copy IP SLA (Internet Protocol Service Level Agreement) configuration to running-config, and set managed source interface.

Copying IPSLA Configuration to Running-Config Managed Source Interface Setting
8-27
Chapter 8 IPSLA Application Settings
Copying IPSLA Configuration to Running-Config

You can see the IPSLA (Internet Protocol Service Level Agreement) probes for the collectors that you configure in LMS at the command line interface of the router in the running configuration by selecting the Copy IP SLA Configuration to running-config option on the Application Settings page. This option is not selected by default. You cannot view the IPSLA probes in the running configuration of the source router if this option is not set.
Note
The IP SLA probes are automatically reconfigured when you reboot if you have selected this option and saved the IP SLA probes of the LMS collectors in the startup configuration. To view the configured collectors in the running configuration:
Step 1
Select Admin > Collection Settings > Performance > IPSLA application settings. The IPSLA Application Settings page appears. Select the Copy IPSLA Configuration to Running-config check box. Click Apply. A message appears that the application settings have been modified successfully. Click Default to retain the default settings. Click OK.
Step 2 Step 3
Step 4
Managed Source Interface Setting

Managed Source Interface configures the source router with appropriate IP address for sending/receiving the IPSLA (Internet Protocol Service Level Agreement) operation packets. You can set a source interface address for the source router by selecting the Use Managed Source Interface Address option on the Application Settings page. After this option is set, the source router uses the managed interface address while configuring the collectors on the source device. However, you can also specify a source interface address while configuring a collector. In this case, the source router uses the specified interface. If the Use Managed Source Interface option is not set, then by default, the source router selects the source interface for the collector from the Routing Table based on the IP address of the destination. To set a source interface address:
Step 1
Select Admin > Collection Settings > Performance > IPSLA application settings. The Application Settings page appears. Select the Use Managed Source Interface Address check box. Click Apply. A message appears that the application settings have been modified successfully. Click Default to retain the default settings. Click OK.
Step 2 Step 3
Step 4
8-28
OL-20721-01
Chapter 8
Administering Collection Settings Setting Up Archive Management
Setting Up Archive Management

You can move the directory for archiving the LMS device configuration and enable and disable the usage of Shadow directory. You can also list the commands that need to be excluded while comparing configuration To do this select Configuration > Configuration Archive > Summary. This section contains:

Preparing to Use the Archive Management Entering Device Credentials Modifying Device Configurations Modifying Device Security Moving the Configuration Archive Directory Enabling and Disabling the Shadow Directory Configuring Exclude Commands Configuring Fetch Settings
Preparing to Use the Archive Management

Before you start using the Archive Management, you must:

Enter Device Credentials (See Entering Device Credentials for details) Modify Device Configurations (See Modifying Device Configurations for details) Modify Device Security (See Modifying Device Security for details)
Entering Device Credentials

Enter the following device credentials in the Device and Credentials window (Admin > Network > Configuration Job Settings > Config Job Policies):

Read and write community strings Primary Username and Password Primary Enable Password
If you have enabled the Enable Job Password option in the Config Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies) when you scheduled the Config jobs, you are prompted for the following device credentials:

Login User name Login Password Enable Password
8-29
Chapter 8 Setting Up Archive Management
The supported Device authentication prompts are:
Routers Username:, Username: Password:, Password: Switches username: , Username: password: , "Password: Cisco Interfaces and ModulesNetwork Analysis Modules login: Password: password: Security and VPNPIX username: , Username: passwd: , password: , Password: Content NetworkingContent Service Switch Username: , username: , login: ,Username: , username: , login: Password: , password: , passwd: ,Password: , password: , passwd: Content NetworkingContent Engine Username: ,login: Password: Storage NetworkingMDS Devices Username:, Username: Password:, Password:
If you enabled TACACS for a device and configured custom TACACS login and passwords prompts, you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts recognizable, you must edit the TacacsPrompts.ini file. See Handling Custom Telnet Prompts for more information.
Handling Custom Telnet Prompts
To handle custom telnet prompts in applications, you must configure the TacacsPrompts.ini file located at: NMSROOT/objects/cmf/data (on Solaris/Soft Appliance) NMSROOT \objects\cmf\data (on Windows) where NMSROOT is the location where you have installed Cisco Prime LMS. The format of this ini file is: [TELNET] USERNAME_PROMPT= PASSWORD_PROMPT=
8-30
OL-20721-01
Chapter 8
For example, if you have configured username and password prompts as MyUserName: and MyPassword: for a few devices and SecretUserName: and Secrect Password: for a few devices, the ini file must be configured as: [TELNET] USERNAME_PROMPT=MyUsername:, Secret Username: PASSWORD_PROMPT=MyPassword:, Secret Password:
Note
You need not add the default Username prompt and Password prompt in the TacacsPrompts.ini file. Only the custom prompts need to be added.
Modifying Device Configurations

To enable the configuration archive to gather the configurations, modify the device configurations for the following:

Enabling rcp Enabling scp Enabling https Configuring Devices to Send Syslogs
Enabling rcp
To enable the configuration archive to gather the configurations using the rcp protocol, modify your device configurations. Make sure the devices are rcp-enabled by entering the following commands in the device configurations: # ip rcmd rcp-enable # ip rcmd remote-host local_username {ip-address | host} remote_username [enable] Where ip_address | host is the IP address/hostname of the machine where LMS is installed. Alternatively, you can enter the hostname instead of the IP address. The default remote_username and local_username are cwuser. Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS server. To do this, use the command, no ip rcmd domain-lookup for rcp to fetch the device configuration.
8-31
Enabling scp
To enable the configuration archive to gather the configurations using the scp protocol, modify your device configurations. To configure local User name:
aaa new-model aaa authentication login default local aaa authentication enable default none aaa authorization exec default local
username admin privilege 15 password 0 system ip ssh authentication-retries 4 ip scp server enable
To configure TACACS User name:

aaa new-model aaa authentication login default group tacacs+ aaa authentication enable default none aaa authorization exec default group tacacs+
ip ssh authentication-retries 4 ip scp server enable
User on the TACACS Server should be configured with priv level 15:
user = admin { default service = permit login = cleartext "system" service = exec { priv-lvl = 15 } }
Enabling https
To enable the configuration archive to gather the configurations using https protocol you must modify your device configurations. To modify the device configuration, follow the procedure as described in this URL: http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/mgtproto.html
Configuring Devices to Send Syslogs

Configure your devices for Syslog Analysis if you want the device configurations to be gathered and stored automatically in the configuration archive when Syslog messages are received. After you perform these tasks and the devices become managed, the configuration files are collected and stored in the configuration archive.
8-32
OL-20721-01
Chapter 8
Modifying Device Security

Configuration Management must be able to run certain commands on devices to archive their configurations. You must have the required permissions to run these Configuration Management commands:

Router Commands Switches Commands Content NetworkingContent Service Switch Commands Content NetworkingContent Engine Commands Cisco Interfaces and ModulesNetwork Analysis Modules Security and VPNPIX Devices
For example, you can use the LMS server to access the devices using Telnet or SSH to archive their configurations. Ensure that the user credentials provided by you in DCR has the required permissions to access the devices and execute the above mentioned configuration CLI commands on the devices to fetch the configurations. These configuration information fetched from the devices by the LMS server is stored in the LMS database.
Router Commands
Command
terminal length 0
Description Sets the number of lines on the current terminal screen for the current session Sets the number of character columns on the terminal screen for the current line for a session Displays your current level of privilege Gets running configuration. Gets startup configuration Gets the running configuration in brief by excluding the encryption keys.
terminal width 0
show privilege Show running Show startup Show running-brief1
1. This is applicable for the IOS release 12.3(7)T release or later.
The commands in the above tables also apply to the following device types:

Universal Gateways and Access Servers Universal Gateways and Access Servers Optical Networking Broadband Cable Voice and Telephony Wireless Storage Networking
8-33
Switches Commands
The switches commands are: Command
set length 0 set logging session disable write term
Description Configures the number of lines in the terminal display screen Disables the sending of system logging messages to the current login session. Gets running configuration.
Content NetworkingContent Service Switch Commands

The Content Service Switch commands are: Command
no terminal more show running-config show startup-config
Description Disables support for more functions with the terminal. Gets all components of the running configuration. Gets the CSS startup configuration (startup-config).
Content NetworkingContent Engine Commands

The Content Engine commands are: Command
terminal length 0
Description Sets the number of lines on the current terminal screen for the current session Gets running configuration. Gets startup configuration.
show run show config
Cisco Interfaces and ModulesNetwork Analysis Modules

The Network Analysis Modules commands are: Command
terminal length 0
Description Sets the number of lines on the current terminal screen for the current session Displays autostart collections Gets startup configuration.
show autostart show configuration
8-34
OL-20721-01
Chapter 8
Security and VPNPIX Devices

The PIX devices commands are: Command
terminal width 0
Description Sets the number of character columns on the terminal screen for the current line for a session Gets startup configuration. Gets running configuration. View the current logged-in user. Removes paging control
show config show running show curpriv no pager
Moving the Configuration Archive Directory

You can move the directory where the configuration of the devices can be archived on the LMS server. The default Configuration Archive directory is: On LMS Solaris/Soft Appliance server,
/var/adm/CSCOpx/files/rme/dcma
On LMS Windows server, NMSROOT\files\rme\dcma Where NMSROOT is the Cisco Prime installed directory. The new archive directory location should have the permission for casuser:casusers in Solaris and casuser should have Full Control in Windows. The new archive directory location should not be the root of any drive (F:\) and must be a subdirectory (F:\LMSarchives).
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. The following is the workflow for moving the configuration archive location:
Step 1
Stop the ConfigMgmtServer process. To do this:

a.
Select Admin > System > Server Monitoring > Processes. The Process Management dialog box appears. Select the ConfigMgmtServer process. Click Stop.
b. c. Step 2
Select Admin > Collection Settings > Config > Config Archive Settings. The Archive Settings dialog box appears. Enter the new location in the Archive Location field, or click Browse to select a directory on your system.
Step 3
8-35
Step 4
Click Apply. A message appears confirming the changes. Restart the ConfigMgmtServer process. To do this:
a.
Step 5
Select Admin > System > Server Monitoring > Processes. The Process Management dialog box appears. Select the ConfigMgmtServer process. Click Start.
b. c.
Enabling and Disabling the Shadow Directory

The configuration archive Shadow directory is an image of the most recent configurations gathered by the configuration archive. The Shadow directory contains subdirectories that represent each device class and the latest configurations supported by the configuration archive. Each file name is DisplayName.cfg, where DisplayName is the device's Display Name as defined in the Device and Credential Repository. Each time the archive is updated, the Shadow directory is updated with the corresponding information. The Shadow directory can be used as an alternative method to derive the latest configuration information programmatically by using scripts or other means. To access to the Shadow directory, you must be root or casuser on Solaris, or in the administrator group for Windows. You can find the Shadow directory in the following locations:

On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow On Windows, NMSROOT/files/rme/dcma/shadow. Where NMSROOT is the directory in which LMS is installed (the default is C:\Program Files\CSCOpx).
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. You can enable or disable the use of Shadow directory by following this workflow:
Step 1
Stop the ConfigMgmtServer process. To do this:

a.
Select Admin > System > Server Monitoring > Processes. The Process Management dialog box appears. Select the ConfigMgmtServer process. Click Stop.
b. c. Step 2
Select Admin > Collection Settings > Config > Config Archive Settings. The Archive Settings dialog box appears. Select the Enable Shadow Directory check box.
Step 3
8-36
OL-20721-01
Chapter 8
Step 4
Click Apply. A message shows that the changes were made. Restart the ConfigMgmtServer process. To do this:
a.
Step 5
Select Admin > System > Server Monitoring > Processes. The Process Management dialog box appears. Select the ConfigMgmtServer process. Click Start.
b. c.
Configuring Exclude Commands

You can list the commands that have to be excluded while comparing configuration. To do this select Admin > Collection Settings > Config > Config Compare Exclude Commands Configuration. You can enter multiple commands separated by commas. LMS provides default exclude commands for some Device Categories. For example, the default exclude commands for Router device category are, end,exec-timeout,length,width,certificate,ntp clock-period You can specify Exclude Commands at all these levels:

Device Category (For example, Routers, Wireless, etc.) Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.) Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)
While comparing configurations, if you have specified exclude commands in the Device Type, Device Family and Device Category, these commands are excluded only at the Device Type level. The commands in the Device Family and Device Category are not excluded.
Example 1:
If you have specified these commands at,
Routers (Device Category) level

end,exec-timeout,length,width,certificate,ntp clock-period
Cisco 1000 Series Routers (Device Family) level

banner incoming,snmp-server location
Cisco 1003 Router (Device Type) level

ip name-server,banner motd,snmp-server manager session-timeout
While comparing configurations, only the Cisco 1003 Router (Device Type) level commands are excluded.
8-37
Example 2:
If you have specified these commands only at Device Family and Device Category,
Routers (Device Category) level

end,exec-timeout,length,width,certificate,ntp clock-period
Cisco 1000 Series Routers (Device Family) level

banner incoming,snmp-server location
Cisco 1003 Router (Device Type) level No commands specified.
While comparing configurations, only the Cisco 1000 Series Routers (Device Family) level commands are excluded. If the commands are specified only at the Device Category level, these commands are applicable to all devices under that category. To configure Exclude Commands:
Step 1
Select Admin > Collection Settings > Config > Config Compare Exclude Commands Configuration. The Configure Exclude Commands dialog box appears. Select one of these from the Device Type Selector pane:

Step 2
Device Category (For example, Routers, Wireless, etc.) Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.) Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)
Step 3
Enter the command in the Exclude Commands pane to add new commands. You can enter multiple commands separated by commas. You can also edit or delete the existing commands in the Exclude Commands pane. Click Apply. A message appears, The commands to be excluded are saved successfully.
Step 4
8-38
OL-20721-01
Chapter 8
Administering Collection Settings Understanding Configuration Retrieval and Archival
Configuring Fetch Settings

You can configure the Job Result Wait Time per device for the Sync Archive Jobs. The default value is 120 seconds. The minimum value can be set to 60 seconds. Job Result Wait Time is the maximum wait time that Archive Management waits to get the configurations from the device during the sync-archive job execution. To configure the Job Result Wait Time:
Step 1
Select Admin > Collection Settings > Config > Config Job Timeout Settings. The Fetch Settings dialog box appears. Provide the Job Result wait time in seconds in the Maximum time to wait for Job results per device (seconds) field. Click either of these:

Step 2 Step 3
Click Apply, if you want to submit the Job Result Wait Time entered. Click Cancel if you want to cancel the changes made to the Job Result Wait Time.
Understanding Configuration Retrieval and Archival

LMS supports different ways to trigger the retrieval of configuration files from the device for archival purposes. This section contains:

Schedule Periodic Configuration File Archival Schedule Periodic Configuration Polling Manual Updates (Sync Archive function) Using Version Summary Timestamps of Configuration Files How Running Configuration is Archived Change Audit Logging
Schedule Periodic Configuration File Archival

LMS will archive both the startup and running configuration files for all devices at the scheduled time (6-hourly, 12-hourly, daily, weekly, monthly), as configured by the user. Since this method collects the full running configuration and startup configuration files for the entire network, we recommend that you schedule this to run at no more than once per day, especially if the network is large and outside the LAN. See Defining the Configuration Collection Settings for further details.
8-39
Chapter 8 Understanding Configuration Retrieval and Archival
Schedule Periodic Configuration Polling

LMS can be configured to periodically poll configuration MIB variables on devices that support these MIBs according to a specified schedule, to determine if either the startup or running configuration file has changed. If it has, LMS will retrieve and archive the most current configuration file from the device. Polling uses fewer resources than full scheduled collection, because configuration files are retrieved only if the configuration MIB variable is set. On IOS devices the variables ccmHistoryRunningLastChanged and ccmHistoryStartupLastChanged from the CISCO-CONFIG-MAN-MIB MIB, and on CATOS the variable sysConfigChangeTime from CISCO-STACK-MIB are used to detect the change. Any change in the value of these variables causes the configuration file to be retrieved from the device. SNMP change polling works only in case of IOS and CATOS devices which support these MIBs. If these MIBs are not supported on the devices, then by default, configuration fetch will be initiated without checking for the changes. By default, the Periodic Collection and Polling are disabled. See Defining the Configuration Collection Settings for scheduling the periodic polling.
Note
The Syslog application triggers configuration fetch, if configuration change messages like SYS-6-CFG_CHG, CPU_REDUN-6-RUNNING_CONFIG_CHG etc., are received.
Manual Updates (Sync Archive function)

This feature allows the LMS user to force the configuration archive to check specified devices for changes to the running configuration file only. Use Sync Archive if you need it to synchronize quickly with the running configuration. You can also poll the device and compare the time of change currently on the device with the time of last archival of the configuration to determine whether the configuration has changed on a device. The Startup configuration is not retrieved during manual update archive operation. However, you can retrieve the Startup configuration by enabling the Fetch startup Config option while scheduling Sync Archive job. To use this function select Configuration > Configuration Archive > Synchronization.
Using Version Summary

You can trigger a configuration file retrieval by clicking on the Running or Startup configuration in the Configuration Version Summary report (select Configuration > Configuration Archive > Views > Version Summary). After a configuration file is fetched from the device, as described above, LMS submits the configuration file for archival.
8-40
OL-20721-01
Chapter 8
Administering Collection Settings Understanding Configuration Retrieval and Archival
Timestamps of Configuration Files

These are timestamps of a running configuration file, or the change time (in change audit), indicate the time at which LMS system archived the configuration file. This is not the time at which the configuration actually changed on the device. If changes are detected immediately using Syslog messages, the timestamp should be very close to the actual configuration change time on the device. Startup configurations are handled differently by LMS. Startup configs are simply saved into the system, as they are retrieved from the device (unlike running configurations, which are compared and saved in versioned archives, if different). The timestamps of Startup Configuration files are just the archival times, and do not indicate the change time. In the version summary reports, the Running and Startup are links, which when clicked will retrieve in real time, the respective configuration from the device. This column does not have a timestamp associated with it. In the Out-Of-Sync report (select Configuration > Compliance > Out-of-Sync Summary), the Startup configuration column indicates the last archived startup configuration along with its timestamp, and the Running configuration column indicate the last archived running config along with its timestamp.
How Running Configuration is Archived

The workflow for archiving the Running configuration is:
1. 2. 3. 4.
If LMS detects an effective change, the new configuration is queued for Archival. The archiver, calculates the exact effective changes, assigns a new version number for the newly collected archive, and archives it in the system. The archiver, at the end, logs a change audit record that the configuration of the device has changed, along with other Audit information. If you have enabled the Enable Shadow Directory option in the Archive Settings dialog box (select Admin > Collection Settings > Config > Config Archive Settings) the latest running configuration file is also stored in a raw format for manual TFTP purposes to restore the configuration on the device, in the directory location:
On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow On Windows, NMSROOT/files/rme/dcma/shadow. Where NMSROOT is the directory in which
LMS is installed (the default is C:\Program Files\CSCOpx)
Note
Startup configurations are not versioned and only one copy of the startup configuration of devices (which supports startup configuration), is saved in the system. No change audit records are logged for changes in the Startup Configuration files. LMS first compares the collected configuration file, with the latest configuration in the archive, and checks to see if there are effective configurations changes from what was previously archived.
8-41
Chapter 8 Defining the Configuration Collection Settings
Change Audit Logging

Config change audit records include information about, who changed (which user) the configuration, when the configuration change was identified by LMS, and other change information.

Any configuration change made through the LMS system (example, using Config Editor or Netconfig), will have the user name of the user who scheduled the change job. Any configuration change that was done outside of LMS and detected through the configuration retrieval process, has the same user name as reported by the device through the CONFIG-MAN-MIB variable (ccmHistoryEventTerminalUser). Changes identified through syslog messages, contain the user name identified in the Syslog message, if present.
Defining the Configuration Collection Settings

The configuration archive can be updated with configuration changes in two ways:

Periodic configuration archival (with and without configuration polling). To do this select Admin > Network > Collection Settings > Config > Config Collection Settings. Manual configuration archival. To do this select using Configuration > Configuration Archive > Synchronization.
You can modify how and when the configuration archive retrieves configurations by selecting one or all of the following:
Periodic Polling
The configuration archive performs a SNMP query on the device. If there are no configuration changes detected in the devices, no configuration is fetched.
Periodic Collection
The configuration is fetched without checking for any changes in the configuration. By default, the Periodic Collection and Polling are disabled.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. The following is the workflow for defining the configuration collection setting:
Step 1
Select Admin > Config > Config Collection Settings. The Config Collection Settings dialog box appears. Select one or all of the following options: Periodic Polling
a. b.
Step 2
Select Enable for Configuration archive to performs a SNMP query on the device to retrieve configuration. Click Schedule. The Config Collection Schedule dialog box appears.
8-42
OL-20721-01
Chapter 8
Administering Collection Settings Defining the Configuration Collection Settings
c.
Enter the following information:
Field
Scheduling
Description You can specify when you want to run the configuration polling job. To do this, select one of these options from the drop-down menu:

Run Type
DailyRuns daily at the specified time. WeeklyRuns weekly on the day of the week and at the specified time. MonthlyRuns monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3. Date
Job Information
You can select the date and time (hours and minutes) to schedule. The system default job description, Default config polling job is displayed. You cannot change this description. Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.
d.
Click OK. Select Enable for Configuration archive to perform a periodic check on the device to retrieve configuration. Click Schedule. The Config Collection Schedule dialog box appears.
Periodic Collection
a. b.
8-43
Chapter 8 Defining the Configuration Collection Settings
c.
Enter the following information:
Field
Scheduling
Description You can specify when you want to run the configuration collection job. To do this, select one of these options from the drop-down menu:

Run Type
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3. Date
Job Information
You can select the date and time (hours and minutes) to schedule. The system default job description, Default config collection job is displayed. You cannot change this description. Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.
d. Step 3
Click OK.
Either click Apply to accept the new values provided. Or Click Cancel if you want to discard the changes and revert to previously saved values. If you had clicked Apply, a message appears:
New settings saved successfully.
You can check the status of your scheduled job by selecting Admin > Jobs > Browser.
8-44
OL-20721-01
Chapter 8
Administering Collection Settings Configuring Transport Protocols
Configuring Transport Protocols

You can set the protocol order for Configuration Management features such as Archive Management, Config Editor, and NetConfig jobs to download configurations and to fetch configurations. For NetShow, you can set the protocol order to download configurations. This setup allows you to use your preferred protocol order for fetching and downloading the configuration. The available protocols are:

Telnet TFTP (Trivial File Transport Protocol) RCP (remote copy protocol) SSH (Secure Shell) SCP (Secure Copy Protocol) HTTPS (Hyper Text Transfer Protocol Secured) Requirements to Use the Supported Protocols Defining the Protocol Order
This section also explains:

Requirements to Use the Supported Protocols

If the following requirements are not met, an error message appears. To use this Protocols Telnet TFTP RCP
You must... Know Telnet passwords for login and Enable modes for device. If device is configured for TACACS authentication, enter Primary Username and Primary Password. Know read and write community strings for device. Configure devices to support incoming rcp requests. To make sure the device is rcp-enabled, enter the following commands in the device configuration: # ip rcmd rcp-enable # ip rcmd remote-host local_username {ip-address | host} remote_username [enable] where ip_address | host is the IP address/hostname of the machine where LMS is installed. The default remote_username and local_username are cwuser. For example, you can enter: # ip rcmd remote-host cwuser 123.45.678.90 cwuser enable Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS server. To do this, use the command, no ip rcmd domain-lookup for RCP to fetch the device configuration.
8-45
Chapter 8 Configuring Transport Protocols
To use this Protocols SSH
You must... Know the username and password for the device. If device is configured for TACACS authentication, enter the Primary Username and Primary Password. Know password for Enable modes. When you select the SSH protocol for the LMS applications (Configuration Archive, NetConfig, ConfigEditor, and NetShow) the underlying transport mechanism checks whether the device is running SSHv2. If so, it tries to connect to the device using SSHv2. If the device does not run SSHv2 and runs only SSHv1 then it connects to the device through SSHv1. If the device runs both SSHv2 and SSHv1, then it connects to the device using SSHv2. If a problem occurs while connecting to the device using SSHv2, then it does not fall back to SSHv1 for the device that is being accessed. Some useful URLs on configuring SSHv2 are:
Configuring Secure Shell on Routers and Switches Running Cisco IOS: http://www.cisco.com/warp/public/707/ssh.shtml How to Configure SSH on Catalyst Switches Running Catalyst OS: http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml Configuring the Secure Shell Daemon Protocol on CSS: http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/css11500series/ v8.20/configuration/security/guide/sshd.html
Configuration Examples and TechNotes:

http://www.cisco.com/en/US/tech/tk583/tk617/tech_configuration_examples
_list.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html
8-46
OL-20721-01
Chapter 8
Administering Collection Settings Configuring Transport Protocols
To use this Protocols SCP
You must... Know the SSH username and password for the device. To make sure the device is scp-enabled, enter the following commands in the device configuration. To configure local User name:
aaa new-model aaa authentication login default local aaa authentication enable default none aaa authorization exec default local
username admin privilege 15 password 0 system ip ssh authentication-retries 4 ip scp server enable
To configure TACACS User name:

aaa new-model aaa authentication login default group tacacs+ aaa authentication enable default none aaa authorization exec default group tacacs+
ip ssh authentication-retries 4 ip scp server enable
User on the TACACS Server should be configured with privilege level 15:
user = admin { default service = permit login = cleartext "system" service = exec { priv-lvl = 15 } }
HTTPS
Know the username and password for the device. Enter the Primary Username and Password in the Device and Credential Repository. To enable the configuration archive to gather the configurations using https protocol you must modify your device configurations: http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_installation_and_configuration_guides_list.html This is used for VPN 3000 device. The configuration archive uses Telnet/SSH to gather the module configurations of Catalyst 5000 family devices and vlan.dat file in case of Catalyst IOS switches. Make sure you enter the correct Telnet and Enable passwords.
8-47
Chapter 8 Configuring Transport Protocols
If you enabled TACACS for a device and configured custom TACACS login and passwords prompts, you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts recognizable, you must edit the TacacsPrompts.ini file. See the procedure given in the Handling Custom Telnet Prompts. For module configs, the passwords on the module must be same as the password on the supervisor. This section also explains Supported Protocols for Configuration Management Applications.
Supported Protocols for Configuration Management Applications

For supported protocol at individual device-level, you can either see:
The LMS device packages Online help. You can launch the LMS device packages Online help using Help > Device Packages. or
The Supported Protocols for Configuration Management table on Cisco.com:
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html
Defining the Protocol Order

The following is the workflow for defining the protocol order for Configuration Management applications to perform either Config fetch or Config update:
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. Select Admin > Collection Settings > Config > Config Transport Settings. The Config Transport Settings dialog box appears. Go to the first drop-down list box, select the application for which you want to define the protocol order. Select a protocol from the Available Protocols pane and click Add. If you want to remove a protocol or change the protocol order, you must remove the protocol using the Remove button and add the protocol, again. The list of protocols that you have selected appears in the Selected Protocol Order pane. When a configuration fetch or update operation fails, an error message appears. This message displays details about the supported protocol for the particular device and it modules, if there are any. For the list of supported protocols, see Supported Device Table for Configuration Management application on Cisco.com.
Step 1
Step 2 Step 3
Step 4
Click Apply. A message appears, New settings saved successfully. Click OK.
Step 5
8-48
OL-20721-01
Chapter 8
Administering Collection Settings Overview: Common Syslog Collector
Overview: Common Syslog Collector

Common Syslog Collector (CSC) is a service to receive, filter and forward syslogs to one or more Syslog Servers, thus reducing traffic on the network as well as processing load on the server. The Common Syslog Collector can be installed on the LMS Server, or on a remote UNIX or Windows machine, to process Syslog messages. You can uninstall the Syslog Collector later if you no longer want to run it on a remote UNIX or Windows server. Common Syslog Collector is a service that runs independently, listens for syslogs and forwards them to the registered applications after necessary filtering. This way, the parsing/filtering is taken away from the applications and each device sends only one copy of the processed, valid syslogs to the Common Syslog Collector. Although CSC runs independently, it can run either remotely or locally on the machine where an application is running. The LMS server and the Syslog Collector exchange updates such as status, and filters. You can configure the service to read syslogs from a specified file. This can be provided in a properties file located at: On Solaris/Soft Appliance: NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/ Collector.properties On Windows: NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\ Collector.properties See the Installing and Migrating to CiscoWorks LAN Management Solution 4.1, for the complete details. In a scenario where the devices and the CSC may run in two different time zones, the syslogs will be marked with timestamp of the CSC if they do not have a timestamp when they are received, or if the format is not correct. The device considers day-light-saving settings appropriately while putting the timestamps. CSC supports all the time zones that LMS supports, and alternatively you can provide the time zone information. See the Installing and Migrating to CiscoWorks LAN Management Solution 4.1, for the complete details. After the Syslog Analyzer has been registered with the Collector, it:

Receives the filters it needs from the LMS server to filter Syslog messages. Sends status to the Syslog Analyzer process about the collected Syslog messages upon request from the Analyzer, including the number of messages read, number of messages filtered, and number of messages with bad syntax. It also forwards unfiltered messages to the Syslog Analyzer process. If the Syslog Analyzer does not send any filters, then the Collector sends all the syslogs to the Analyzer without filtering.
If you restart the LMS server, Syslog Collector will lose communication to the LMS server. Based on the current filters, it continues to filter the syslogs and stores them in a local file: NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\server name_port\DowntimeSyslogs.log The Syslog Analyzer will automatically restore the connection after LMS server restart. For the complete instructions on installing the Common Syslog Collector, see the Installing and Migrating to CiscoWorks LAN Management Solution 4.1.
8-49
Chapter 8 Viewing Status and Subscribing to a Common Syslog Collector
Viewing Status and Subscribing to a Common Syslog Collector

Using the Syslog Collector Status dialog box you can:

View the status of your Common Syslog Collector (see Viewing Common Syslog Collector Status) Subscribe/Unsubscribe a Common Syslog Collector (see Subscribing to a Common Syslog Collector) Test Syslog Collector Subscription (see Testing Syslog Collector Subscription) Understanding the Syslog Collector Properties File
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
Viewing Common Syslog Collector Status

To view the status of the Common Syslog Collector to which the Syslog Analyzer is subscribed to, follow this procedure: Select Admin > Collection Settings > Syslog > Syslog Collection Settings. The Collector Status dialog box appears, with this information: Column Name Forwarded Invalid Filtered Dropped Received Up Time Description Hostname or the IP address of the host on which the Collector is installed. Number of forwarded Syslog messages Number of invalid Syslog messages. Number of filtered messages. Filters are defined with the option Message Filters option (Admin > Network > Notification and Action Settings > Syslog Message Filters, see Defining Syslog Message Filters.) Number of Syslog messages dropped. Number of Syslog messages received. Time duration for which the Syslog Collector has been up. Time and time zone are those of the LMS Server. Test Collector Subscription Subscribe Unsubscribe Click to test a Syslog collector thats already subscribed or thats going to be subscribed.
Update Time Date and time of the last update.
Click to subscribe a Syslog collector. Select the Syslog collector and click Unsubscribe to unsubscribe the Syslog collector. If you want to refresh the information in this dialog box, click Update.
8-50
OL-20721-01
Chapter 8
Administering Collection Settings Viewing Status and Subscribing to a Common Syslog Collector
If you have restarted the LMS daemon manager, the Syslog Collector Status processes (under Admin > Network > Syslog Collection Settings) may take 6-10 minutes to come up, after the Syslog Analyze processes come up. In this interval you may see the following message:
Collector Status is currently not available. Check if the SyslogAnalyzer process is running normally.
Wait for the Syslog Collector status process to come up and try again. To subscribe to a Common Syslog Collector using the Subscribe button, see Subscribing to a Common Syslog Collector.
Subscribing to a Common Syslog Collector

Before you subscribe to a Common Syslog Collector, ensure these pre-requisites are met: Check whether:
1. 2.
The Self-signed Certificates are valid. For example, check for the expiry date of the certificates on both the servers. The Self-signed Certificates from this server are copied to the Syslog Collector server and vice-versa. To do this, select Admin > Trust Management > Multi Server > Peer Server Certificate Setup. See Setting up Peer Server Certificate for more information.
3. 4.
The SyslogCollector process on Syslog Collector server and SyslogAnalyzer process on this server, are restarted after Step 2. Both hosts are reachable by host name.
To subscribe to a Common Syslog Collector:

Step 1
Select Admin > Collection Settings > Syslog > Syslog Collection Settings. The Collector Status dialog box appears. For the information in the columns in the dialog box, see Viewing Common Syslog Collector Status:
Step 2
Click Subscribe. The following message appears:

Check if: Self-signed Certificates from this server are copied to the Syslog Collector server and vice-versa. You can perform this operation from Admin > System Administration > Multiserver Management > Peer Server Certificate Setup screen. 2. Syslog Collector process on SyslogCollector server and SyslogAnalyzer process on this server is restarted after step 1. 3. Both hosts are reachable by host name. 4. Certificates are valid. The Subscribe Collector dialog box appears.
Step 3 Step 4
Click OK. Enter the address of the Common Syslog Collector to which you want to subscribe to. Click OK. The Syslog Analyzer server is subscribed to the specified Common Syslog Collector.
8-51
If you are already subscribed to a Syslog collector, and you want to unsubscribe, select the collector and click the Unsubscribe button. If you want to test the Syslog collector subscription, select the collector and click Test Collector Subscription. For more information see Testing Syslog Collector Subscription.
Testing Syslog Collector Subscription

You can test the status of the Syslog Collector that you have already subscribed or that you are going to subscribe using the Test Collector Subscription button. To test a Syslog collector:
Select Admin > Collection Settings > Syslog > Syslog Collection Settings. The Collector Status dialog box appears. For the information on the dialog box, see Viewing Common Syslog Collector Status. Either:

Select a Syslog collector and click Test Collector Subscription. Test Collector Subscription popup window appears with the Syslog collector address. Click Test Collector Subscription. Enter the Syslog collector in the Test Collector Subscription popup window.
Or
Step 4
Click OK. The Test Collector Subscription Status popup window appears, displaying the following status of the Syslog collector:

SSL certificate statusStatus of the SSL Certificates. For example, SSL certificates are valid and are properly imported. For more information see Syslog Collector Subscription Messages. Collector statusStatus of the Syslog collector. For example, Collector is up and reachable. For more information see Syslog Collector Subscription Messages.
8-52
OL-20721-01
Chapter 8
Syslog Collector Subscription Messages
The following table provides the Syslog collector subscription status messages shown when you test the subscription of a Syslog Collector: Subscription Status SSL Certification
Problem/Info When there is an issue with SSL Certificate
Message
SSL certificate issue occurred, check if:
1.
The Self-signed Certificates are valid. For example, Check the certificate expiry date on the servers. The Self-signed Certificates of this server are copied to the Syslog Collector server and vice-versa. To do this, go to Admin > System Administration > Multiserver Management > Peer Server Certificate Setup and add the certificate. See the Administration User Guide for LMS for more details.
2.
3.
The SyslogCollector process on Syslog Collector server and the SyslogAnalyzer process in the current working server are restarted after Step 2. Both hosts are reachable by hostname.
4.
When the SSL certificates are valid Collector When the hostname is not DNS resolvable If the SyslogCollector process is down
SSL certificates are valid and properly imported.
Unknown host address. Check if the host is DNS resolvable.
SyslogCollector process is down. Check if the SyslogCollector process is running on the port <<port number>>.
Cannot check SSL connectivity because the Syslog If the Syslog Collector is down Collector is down.
If the Syslog Collector is reachable
Syslog Collector <<collector name> is up and reachable.
8-53
Understanding the Syslog Collector Properties File

After installing the Syslog Collector on a remote system, you need to check the Syslog Collector Properties file to ensure that the Collector is configured properly. The Syslog Collector Properties file is available at this location: On Solaris/Soft Appliance: $NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Collector.pr operties On Windows: %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector. properties The following table describes the Syslog Collector Properties file: Timezone-Related Properties TIMEZONE Description The timezone of the system where the Syslog Collector is running. Enter the correct abbreviation for the timezone. For example, the time zone for India is IST. For the correct Timezone abbreviation, see the Timezone file in the following location: On Solaris/Soft Appliance, /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/n m/LMSng/fcss/data/TimeZone.lst On Windows, %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\ nm\LMSng\fcss\data\TimeZone.lst See Timezone List Used By Syslog Collector. COUNTRY_CODE Country code for the Syslog Collector. We recommend that you set the country code variable with the appropriate country code, to make sure that the Syslog timestamp conversion works correctly. For example, if you are in Singapore, you must set the country code variable as COUNTRY=SGP.
8-54
OL-20721-01
Chapter 8
Timezone-Related Properties TIMEZONE_FILE
Description The path of the Timezone file. This file contains the offsets for the time zones. After installing the Syslog Collector, ensure that the offset specified in this file is as expected. If it is not present or is incorrect, you can add the Timezone offset as per the convention. The default path is: On Solaris/Soft Appliance, opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/ cisco/nm/rmeng/fcss/data/TimeZone.lst On Windows, %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\ nm\rmeng\fcss\data\TimeZone.lst
General Properties SYSLOG_FILES Filename and location of the file from which syslog messages are read. The default location is: On Solaris/Soft Appliance: /var/log/syslog_info On Windows: %NMSROOT%\log\syslog.log DEBUG_CATEGORY_NAME Name Syslog Collector uses for printed ERROR or DEBUG messages. The default category name is SyslogCollector. We recommend that you do not change the default value. DEBUG_FILE Filename and location of the Syslog Collector log file containing debug information: The default location is: On Solaris/Soft Appliance, /var/adm/CSCOpx/log/CollectorDebug.log On Windows, %NMSROOT%\log\CollectorDebug.log DEBUG_LEVEL Debug levels in which you run the Syslog Collector. We recommend that you retain the default INFO, which reports informational messages. Setting it to any other value might result in a large number of debug messages being reported. If you change the debug level, you must restart the Syslog Collector. The values for the Debug levels are:

Warning Debug Error Info
8-55
Timezone-Related Properties DEBUG_MAX_FILE_SIZE
Description Maximum size of the log file containing the debug information. The default is set to 5 MB. If the file size exceeds the limit that you have set, Syslog Collector writes to another file, based on the number of backup files that you have specified for the DEBUG_MAX_BACKUPS property. For example, if you have specified the number of backups as 2, besides the current log file, there will be two backup files, each 5MB in size. When the current file exceeds the 5 MB limit, Syslog Collector overwrites the oldest of the two backup files.
DEBUG_MAX_BACKUPS
The number of backup files that you require. The size of these will be the value that you have specified for the DEBUG_MAX_FILE_SIZE property. Interval at which the Collector polls the syslog file. The default is set to 1 second. Size of the internal buffer, for queuing syslog messages. The default is set to 100000 File that contains the list of parsers used while parsing syslog messages. The default path of the parser file: On Solaris/Soft Appliance, opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/ cisco/nm/LMSng/fcss/data/FormatParsers.lst On Windows, %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\ nm\rmeng\fcss\data\FormatParsers.lst
Miscellaneous Properties READ_INTERVAL_IN_SECS QUEUE_CAPACITY PARSER_FILE
SUBSCRIPTION_DATA_FILE
Syslog Collector data file that contains the information about the Syslog Analyzers that are subscribed to the Collector. The default path of the data file: On Solaris/Soft Appliance, opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/ cisco/nm/rmeng/csc/data/Subscribers.dat On Windows, %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\ nm\rmeng\csc\data\Subscribers.dat
FILTER_THREADS COLLECTOR_PORT
Number of threads that operate at a time for filtering syslog messages. The default is set to 1. Default port of the Syslog Collector. The default is set to 4444. The port where the collector listens for registration requests from Syslog Analyzers.
8-56
OL-20721-01
Chapter 8
Timezone List Used By Syslog Collector

The timezone of the system where the Syslog Collector is running. In the Syslog Collector Properties file, you must enter the correct abbreviation for the timezone. See Understanding the Syslog Collector Properties File. For the correct Timezone abbreviation, see the Timezone file in the following location: $NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/TimeZone.l st Each entry in the TimeZone.lst file represents a timezone abbreviation, and its offset from GMT. Each offset here is 10 multiplied by the actual offset. For example, the actual offset for IST is 5.5 hours, and the corresponding entry here is 55. You must use the same method while modifying it. The following is the timezone list used by Syslog Collector: Time Zone List Used by Syslog Collector ACT=95 AHST=-100 BST=10 CEST=20 EADT=-110 EET=20 GST=100 IET=-50 MESZ=-20 MYT=80 NZST=120 PRT=-40 VST=70 YST=-90 ADT=30 ART=20 BT=30 CET=10 EAST=100 EST=-50 HDT=90 IST=55 MET=10 NET=40 NZT=120 PST=-80 WADT=-80 ZP4=40 AET=100 AST=-90 CAT=10 CNT=-35 EAT=30 FST=-20 HST=-100 JST=90 MEWT=10 NST=120 PDT=-70 SST=110 WAST=70 ZP5=50 AEST=100 AT=-20 CCT=80 CST=-60 ECT=10 FWT=10 IDLE=120 MDT=-60 MIT=-110 NT=-110 PLT=50 SWT=10 WAT=-10 ZP6=50 AGT=-30 BET=-30 CDT=-50 CTT=80 EDT=-40 GMT=0 IDLW=-120 MEST=-20 MST=-70 NZDT=130 PNT=-70 UTC=0 YDT=-80
8-57
CH A P T E R
Monitoring and Troubleshooting Settings

Monitoring and Troubleshooting Settings in the Admin menu groups all the administrative tasks that you need to perform to monitor and troubleshoot your network using LMS. This section contains:

Configuring Fault Poller Settings For Topology Loading MIB Files Configuring NAM Configuring RMON Configuring Topology Settings
Configuring Fault Poller Settings For Topology

To display Fault Poller information in Topology Maps and N-Hop view portlet, you have to enable polling as follows:
Step 1
Select Admin > Network > Monitor / Troubleshoot > Fault Poller settings for topology. The Fault Monitor Poller Settings page appears. Select the Poll Fault Monitor Server for alerts check box. If you try to apply the settings when Fault Monitor module is not installed on a local or remote server, you will get an error message indicating the same. If Fault Monitor module is enabled, the list of LMS servers detected is displayed above this check box.
Step 2
9-1
Chapter 9 Loading MIB Files
You can enable this option, only if:

Fault Monitor module is installed in the local LMS Server or on a remote LMS Server in the
master slave mode. AND

LMS has detected the Fault Monitor server.
If Fault Monitor module is installed after running Data Collection, either run Data Collection or restart ANI Server before enabling the above setting.
Step 3
Set the time interval at which the polling should occur. Fault Monitor updates the latest event information every 6 minutes. So the time interval can be a value between six minutes and fifty nine minutes, fifty nine seconds.
Step 4
Click Apply. The settings are saved to the server and polling starts within six minutes of the configuration. In addition to this, you can restrict the type of LMS event displayed in your machine. For example you can choose to display only critical events in Topology maps. The event information fetched from Fault Monitorserver can be launched from Topology Maps and N-Hop view portlet, by right clicking on the required device.
Loading MIB Files

You can load a new MIB file into LMS using the Load MIB option. The new MIB file is compiled and stored in LMS. You can use the new MIB file to create new templates by grouping MIB variables, to do this select Monitor > Performance Settings > Setup > Templates. For more information, see Creating a Template in Monitoring and Troubleshooting Online Help. You can load MIB files with the file extension .my. To load a MIB file:
Step 1
Select Admin > Network > Monitor / Troubleshoot > Load MIB. The Load MIB dialog box appears. Table 9-1 describes the field in the Load MIB dialog box.
Table 9-1 Load MIB Fields
Field MIB file
Description Use the Browse button to load a MIB file from a directory location. For example, RFC1213-MIB.my You are allowed to load a MIB file only from the following directory path:

In Windows, $NMSROOT\hum\mibmanager\mibcompiler\mibs In Solaris/Soft Appliance, $NMSROOT/hum/mibmanager/mibcompiler/mibs
$NMSROOT is the default Cisco Prime LMS installation directory.
9-2
OL-20721-01
Chapter 9
Monitoring and Troubleshooting Settings Loading MIB Files
Step 2
Click Browse to select the MIB file from a directory location. The Server Side File Browser dialog box appears. Double-click the MIB file from the directory location. Click Apply to load the MIB file into LMS or Cancel to cancel the operation. You will be able to load and compile a new MIB file into LMS only when its dependent MIB files are available in the directory location. For example, To load and compile RFC1213-MIB, the dependent MIB files for RFC1213-MIB (RFC1155-SMI and RFC-1212) must also be available at the same directory location. If the dependent MIB files are not available, an appropriate error message is displayed and RFC1213-MIB does not compile. The dependent MIB files are case sensitive, the names of these dependent MIB files should be the same as the MIB files names present in the definition files. Load only version2 MIB. The following is the list of basic dependent MIBs that will be required for loading other MIBs in LMS:

Step 3 Step 4
RMON2-MIB.my BRIDGE-MIB.my RFC-1215.my INET-ADDRESS-MIB.my P-BRIDGE-MIB.my Q-BRIDGE-MIB.my CISCO-NETFLOW-MIB.my CISCO-STACK-MIB.my TOKEN-RING-RMON-MIB.my RFC-1212.my RMOM-MIB.my RFC1155-SMI.my RFC1213-MIB.my SNMP-FRAMEWORK-MIB.my CISCO-SMI.my ENTITY-MIB.my FDDI-SMT73-MIB.my CISCO-VTP-MIB.my SNMPv2-TC.my SNMPv2-SMI.my SNMPv2-MIB.my SNMPv2-CONF.my IF-MIB.my IANAifType-MIB.my
9-3
Chapter 9 Configuring NAM
To view the list of more dependent MIBs go to: http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2 The compiled MIB file appears in the Show MIB drop-down list in Select MIB Variables page.
Configuring NAM
NAM refers to Cisco Network Analysis Module Traffic Analyzer. The NAM offers flow-based traffic analysis of applications, hosts, and conversations, performance-based measurements on application, server, and network latency, quality of experience metrics for network-based services such as voice over IP (VoIP) and video. Only NAM 4.1 is supported in LMS 4.1. To add, edit, or delete the NAM configuration details:
Step 1 Step 2
Select Admin > Network > Monitor / Troubleshoot > NAM Configuration. The NAM Configuration page appears. You can do the following:
Add
Click Add. The Add NAM Configuration page appears. Enter the IP Address in the NAM IP field. Enter the user name and password in the corresponding fields. Enter the SNMP read community. Select either HTTP or HTTPS as the protocol. Enter the port number. Click Add to add the new NAM configuration details or Cancel to return to the NAM
Configuration page.
Edit
Select a configuration detail that has to be edited. Click Edit. The Edit NAM Configuration page appears. Enter the IP Address in the NAM IP field. Enter the user name and password in the corresponding fields. Enter the SNMP read community. Select either HTTP or HTTPS as the protocol. Enter the port number. Click Edit to save the changes or Cancel to return to the NAM Configuration page.
Delete
Select a configuration detail that has to be deleted. Click Delete. A confirmation dialog box appears. Click OK to confirm or Cancel to return to the NAM Configuration page.
9-4
OL-20721-01
Chapter 9
Monitoring and Troubleshooting Settings Configuring RMON
Configuring RMON
You can enable RMON to measure Bandwidth Utilization for Topology. Bandwidth Utilization is the measure of traffic flowing across a link. LMS highlights bandwidth utilization across links, in the Topology maps. It computes the bandwidth utilization by taking the best estimate of the mean physical layer network utilization on the links, during the sampling time interval. In Topology Map, LMS can differentiate the links using colors, based on the bandwidth utilized by them. You can customize the filters to display bandwidth utilization. For more details, see Customizing Bandwidth Utilization Filters in Monitoring and Troubleshooting Online Help. This section contains:

Modifying the Parameters Enabling RMON on All Ports in Selected Devices Enabling RMON on Selected Ports in Selected Devices Disabling RMON
Note
LMS computes bandwidth utilization only on ethernet links, and not on any other type of link. To compute bandwidth utilization in LMS, you must enable Remote Monitoring (RMON). Enabling RMON depends on two parameters.
Parameters to Compute Bandwidth Utilization
Enabling RMON depends on the following parameters:

Bucket SizeNumber of samples (incoming and outgoing packets) that will be examined for a given point of time. IntervalDuration for which samples are to be collected.
The default values for Bucket Size and Interval are 10 and 300 respectively. Though you cannot edit the values through the user interface of LMS, you can reconfigure these values through command line interface. For more details see Modifying the Parameters. LMS computes bandwidth utilization only for those devices that have the same parametric values as configured and displayed in the RMON Settings page. This application allows you to configure only the same parametric values on all link ports. This is to avoid conflicts in computation.
Enabling RMON on Ports
LMS allows you to enable RMON on:

All Ports in selected devices. For details, see Enabling RMON on All Ports in Selected Devices Selected Ports in selected devices, see Enabling RMON on Selected Ports in Selected Devices
LMS highlights links in the Topology Map even if the devices are managed by other applications such as HPOV, or CiscoView.
9-5
Chapter 9 Configuring RMON
Modifying the Parameters

The default Bucket Size is 10 and the Interval is 300 seconds. LMS does not compute bandwidth utilization for the links whose ports have different Interval values. You can configure new values for the parameters in the ANIServer.properties file. To reconfigure the values, you must restart the ANI server so that the file takes the new value. For computing bandwidth utilization, LMS takes only the latest values in the ANIServer.properties file. You must reconfigure the link ports according to the values set in the properties file for Topology Map to highlight the links. You must reconfigure the parametric values before you enable RMON on ports.
Note
You must configure the same value for Interval across the devices. To reconfigure the values:
Enter pdterm ANIServer at the command line to stop the ANI server. Go to NMSROOT/campus/etc/cwsi/ANIServer.properties. Modify the values of the properties, RMON.interval for Interval and RMON.bucketSize for the Bucket Size. The maximum value that you can enter for RMON.interval is 3600 seconds (One hour). Enter pdexec ANIServer at the command line to start the ANI server.
Step 4
After modifying the bucket size and interval, enable RMON in devices as explained in Enabling RMON on All Ports in Selected Devices or Enabling RMON on Selected Ports in Selected Devices. You can use RMON.percentageTolerance property in the ANIServer.properties file to provide a value for the Interval in a range. This is a hidden property that creates a range for the Interval value. The property adds a value to the current interval that forms the upper limit and subtracts a value from the current interval that forms the lower limit of the range. The default hidden value is 10 percent of the interval. For example, if the value provided in the ANIServer.properties file is 300, the range will be 270-330. Thus, the samples are collected for the range of 270 to 330 seconds. If you want to change this default value, you must:
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6
Stop the ANI server. Enter pdterm ANIServer at the command line to stop the ANI server. Go to NMSROOT/campus/etc/cwsi/ANIServer.properties. Enter RMON.percentageTolerance=value. Start the ANI server. Enter pdexec ANIServer at the command line to start the ANI server.
9-6
OL-20721-01
Chapter 9
Monitoring and Troubleshooting Settings Configuring RMON
Enabling RMON on All Ports in Selected Devices

To enable RMON on all ports in selected devices:
Step 1
Select Admin > Network > Monitor / Troubleshoot > RMON Configuration. The Enable RMON dialog box appears. The Device Selector pane displays a list of all devices. Select the check box corresponding to the devices for which you want to enable RMON. The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as 300. For a Bucket Size of 10, and interval of 300 seconds, LMS collects 10 samples of bandwidth utilization across links over a period of 50 minutes, with an interval of 5 minutes (300 seconds). To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters, repeat all the steps listed in this section, for enabling RMON with the new parameters.
Step 2
Step 3 Step 4
Check the Configure on all links check box to configure all the ports of the selected devices in the Device Selector. Click Configure to enable RMON on all the ports in the selected devices. The following command is configured on the selected ports:
rmon collection history
integer owner ownername buckets bucket-number interval seconds
Example:
4 owner campusmanager buckets 10 interval 300
Enabling RMON on Selected Ports in Selected Devices

To enable RMON on selected ports in selected devices:
Step 1
Select Admin > Network > Monitor / Troubleshoot > RMON Configuration. The Enable RMON dialog box appears. The Device Selector pane displays the list of devices. Select the check box corresponding to the devices for which you want to enable RMON. The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as 300. For a Bucket Size of 10, and interval of 300 seconds, LMS collects 10 samples of bandwidth utilization across links over a period of 50 minutes, with an interval of 300 seconds (5 minutes). To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters, repeat all the steps listed in this section, for enabling RMON with the new parameters.
Step 2
Step 3 Step 4
Uncheck the Configure on all Links check box since it is checked by default. Click Select links to select the ports for which you want to enable RMON. It displays the list of ports in the selected devices. For details on the list displayed, see Table 9-2. The Select Links check box is enabled only when you uncheck the Configure on all links check box.
9-7
Chapter 9 Configuring Topology Settings
Table 9-2
Select Links for RMON Configuration Column Description
Column Port Device Name Device Address isLink

Step 5 Step 6
Description Name of the port. Name of the device where the port is connected. The IP address of the device.
True
is displayed for link ports and False for a non-link port.
Select check boxes corresponding to the ports for which you want to enable RMON. Click Configure to enable RMON on the selected ports. The following command is configured on the selected ports:
integer owner ownername buckets bucket-number interval seconds
Example:
4 owner campusmanager buckets 10 interval 300
Disabling RMON
After you have enabled RMON on a device through LMS, you can disable it using Command Line Interface (CLI) only.
Commands to Disable RMON
For a device running Cisco IOS, enter the following command at the CLI prompt:
no rmon
For a device running Catalyst operating system, enter the following command at the CLI prompt
set snmp rmon disable
Configuring Topology Settings

You can configure the following Topology Settings:
Restrict Topology Maps to display only authorized devices. For details, see Viewing Restricted Topology. Configure LMS to fetch event information from Fault Monitor, and display it in Topology Maps. For details, see Configuring Fault Poller Settings For Topology.
9-8
OL-20721-01
Chapter 9
Monitoring and Troubleshooting Settings Configuring Topology Settings
Viewing Restricted Topology

Topology Maps display all the devices discovered by LMS. To view the Restricted Topology:
Step 1
Select Admin > Network > Monitor / Troubleshoot > Restricted Topology View. The configuration screen is displayed. Select Display Only the Authorized devices in Topology Maps. Click Apply. Topology Maps display only the devices you are authorized to view. If Topology Services is already launched, close it and relaunch for the change to take effect.
Step 2 Step 3
Important Notes
If you change the management IP address of an authorized device:

It becomes an unauthorized device. The device is not shown in Topology maps in the consecutive relaunches. When the changed IP address is given as root in N-hop view portlet, it results in an error.
9-9
CH A P T E R
10
Notification and Action Settings

The Notification and Action Settings groups all the administrative tasks involved in setting up notification, syslog settings. You can also customize the names and event severity, create and activate a notification subscriptions, and setup up automated actions for Change Audit tasks and syslogs. This section contains:

Understanding Notifications and Subscriptions Customizing LMS Events Configuring Event Sets and Notification Groups for Subscriptions Managing Fault SNMP Trap Notifications Managing Fault E-Mail Configurations Managing Fault Syslog Notifications Configuring Fault SNMP Trap Receiving and Forwarding Performance SNMP Trap Notification Groups Performance Syslog Notification Groups Defining Automated Actions Defining Syslog Message Filters Inventory and Config Collection Failure Notification IPSLA Syslog Configuration
10-1
Chapter 10 Understanding Notifications and Subscriptions
Understanding Notifications and Subscriptions

To use Notification Services, you must create and activate a notification subscription. The subscription requires a Notification group component. This component specifies the notification criteria (the devices to monitor, how severe an event must be to be reported, and so forth). Optionally the notification group can also contain an Event set listing the events you want to monitor; this is useful when you do not want to monitor all events that occur on a device. Notification groups can be static or dynamic. The Fault Management module in LMS 4. 0 can be set up to have either static notification groups or dynamic notification groups.

If you work with static groups, no further devices can be added to those groups. If you set up dynamic groups, then any device that fits the criteria for the groups will be added to those groups.
After you have configured your subscription, you can name it according to your needs. Regardless of whether you configure SNMP Trap, E-Mail, or Syslog notifications, you must always create a subscription containing a notification group. The final step in configuring your notification subscription is specifying the notification recipients.
Note
If a subscription is monitoring all events on a device (by not using an event set), and another subscription is monitoring only specific events on a device, you will receive duplicate notifications. Notification Services tracks events on device types, not on device components. For details on Notifications and Subscriptions, see the following topics:

Creating a Notification Subscription Notification Types Notification Replay Subscriptions Events
Creating a Notification Subscription
To create a notification subscription, perform the following steps:

1. 2.
If you want to monitor a specific set of events, create an event set that contains the events you want to monitor. Otherwise, all events will be monitored. Create a notification group that specifies the criteria the Fault Management module should use when generating notifications:

One or more event sets (if no event set is specified, all events are monitored) Devices, event severity and status
You can specify the notification group name, along with entering identifying information (using the Customer ID and Customer Revision fields).
10-2
OL-20721-01
Chapter 10
Notification and Action Settings Understanding Notifications and Subscriptions
3.
Create a subscription by doing the following:

a. Select the notification type (SNMP Trap, E-Mail, or Syslog). b. Name the subscription and apply a notification group to it. c. Specify the recipients (hostname, e-mail address). d. Save the subscription. It will automatically start running.
4.
Customize the subject of the e-mail by doing the following:

a. Select the subject from the available list b. Add to the selected list c. Arrange the order of the subjects d. Save the customization of the e-mail subject
Notification Types
The Fault Management module in LMS 4.1 provides three types of notifications:
SNMP Trap NotificationFault Management module generates traps with information about the events that caused it. CISCO-EPM-NOTIFICATION-MIB defines the trap message format. For more information, see Notification MIB in Monitoring and Troubleshooting Online Help. LMS can also generate SNMP trap notifications for specified events. Using SNMP trap notification is different from forwarding raw traps to another server before they have been processed by LMS.
E-mail NotificationLMS generates e-mail messages containing information about the events that caused it. CISCO-EPM-NOTIFICATION-MIB defines the message, which is included in the e-mail in text format. You can specify that you want the e-mail to only contain an informational subject line or can customize the e-mail subject. For information on the customizing the e-mail subject, see Managing Fault E-Mail Subject Customization. Syslog NotificationLMS generates Syslog messages that can be forwarded to Syslog daemons on remote systems.
All notifications have a default maximum message size of 250 characters. You can reset this variable to any value between 250 and 1024 characters by editing the notification properties file. To do this:
Procedure
Step 1 Step 2
Open the configuration file NMSROOT/objects/nos/config/nos.properties. Locate the following lines and change the value to any value up to 1024 characters:
MAX_TRAP_DES=250 MAX_EMAIL_DES=250 MAX_SYSLOG_DES=250
10-3
Chapter 10 Understanding Notifications and Subscriptions
Step 3
Stop and restart the Cisco Prime daemon manager on the LMS server.
a.
Stop the daemon manager: On Windows:

net stop crmdmgmt
b.
Restart the daemon manager: On Windows:

net start crmdmgmt
Notification Replay
You can configure LMS to replay notifications in the event that LMS has to be restarted. Edit the file /opt/CSCOpx/objects/nos/config/nos.properties as follows: To do this, set the value SEND_NOTIF_ON_START=1 to enable this feature. When the value is set to the default value (0), the notifications will not be replayed.
Subscriptions
LMS sends notifications based on user-defined subscriptions. You can create up to 32 notification subscriptions. A subscription for SNMP trap notification or e-mail notification includes the following common elements, as determined by the CISCO-EPM-NOTIFICATION-MIB:

DevicesThe devices or device groups of importance to the recipients. Event severity and statusOne or more event severity levels and status. You can also customize the names of the events used by Notification Services, and Fault History. See Customizing LMS Events. RecipientsOne or more hosts to receive SNMP traps or users to receive e-mail. For Syslog notifications, the recipient would be the remote host containing a Syslog daemon configured to listen for Syslog messages. NameA user-defined name to identify the subscription.
Subscriptions are based on user-configured event sets and notification groups. See Configuring Event Sets and Notification Groups for Subscriptions for more information.
Events
LMS sends notifications whenever an event occurs that matches a subscription. For each event, LMS compares the device, severity, and state against subscriptions and sends a notification when there is a match. Matches can be determined by user-configured event sets and notification groups. The procedure for configuring notification groups is described in Configuring Event Sets and Notification Groups for Subscriptions.
10-4
OL-20721-01
Chapter 10
Notification and Action Settings Customizing LMS Events
LMS assigns one severity to each event and changes the state of an event over time, responding to user input and changes on the device. Table 10-1 lists values for severity and explains how the state of an event changes over time.
Note
You can change event names to names that are more meaningful to you. See Customizing LMS Events.
Table 10-1 Event Severity and Status
LMS categorizes events by severity and status

Severity
Critical Informational

Status
ActiveThe event is live. ACKA user has manually acknowledged the event. A user can acknowledge only active events. ClearedThe event is no longer active. Events that have been cleared either expire or, if associated with a suspended device, remain in LMS until a user resumes or deletes the device.
Customizing LMS Events

Notification Services allows you to customize the names and event severity in LMS.
Customizing Names: When you customize an event name, that name is reflected in all notifications, and in Fault History. The new event name is used for all instances of an event, regardless of the component on which the event occurs. You can easily revert to the default event names as needed. The Notification Customization page also lists the new name and default name, so you can easily check which names have been changed. Customizing Event Severity: The event severity can be customized using the New Event Severity feature. You can select Critical or Warning or Informational from the drop-down list.
To customize names and event severity:

Step 1
Select Admin > Network > Notification and Action Settings > Fault Notification Customization. The Notification Customization page appears. Select the event names you want to customize by clicking the check box beside each event name. Enter your new names in the New Event Description fields. Select the event severity from the New Event Severity drop-down list. You can select Critical or Informational. Enter any notes for information in the Troubleshooting Information field. Click Save to save your changes locally. Click Apply for the saved settings to take effect. The confirmation window appears.
10-5
Chapter 10 Configuring Event Sets and Notification Groups for Subscriptions
Step 8
Click Yes. The changes are applied to LMS. To revert to default event names:
a. b.
From the Notification Customization page, select the events you want to restore to their default names, and click Restore factory settings. Apply your changes by clicking Yes when the confirmation window appears.
Configuring Event Sets and Notification Groups for Subscriptions

Before you can create an SNMP trap or an e-mail or Syslog notification subscription, you must create a notification group. Creating event sets is optional.

Event sets list the events you want monitored for notifications Notification groups contain the criteria that LMS should use when generating a notification:
One or more event sets, or all events Devices Event status and severity Fields for user-specified additional information you want to include with the subscription
Creating event sets and notification groups are described in the following topics:

Configuring Event Sets Configuring Fault Notification Groups
Configuring Event Sets

Event sets are groups of the events you want to monitor. You can create up to nine event sets, labeled A through I. After you have created an event set, you can apply as many of them as you want to a notification group, thereby tracking the specific events in which you are interested. If you do not specify an event set, LMS will monitor all events for notifications.
Note
If a subscription is monitoring all events on a device (by not using an event set), and another subscription is monitoring only specific events on a device, you will receive duplicate notifications.
10-6
OL-20721-01
Chapter 10
Notification and Action Settings Configuring Event Sets and Notification Groups for Subscriptions
To configure event sets:

Step 1
Select Admin > Network > Notification and Action Settings > Event Sets: The Event Sets page appears. The page contains the following information: Field Event Code Description Severity A-I Description Notification Services code for the event. This number cannot be changed and is used to map default names to customized names. Event description (user-defined or default). Event severity. Event set label. If an X appears in this column, the corresponding event belongs to that event set.
Select/Unselect All for Event Set Select an Event Set from the drop-down list.
Step 2
For each event set you want to configure, select events by doing either of the following:

Select specific events by clicking the editable field under the label, and selecting X. Select or deselect all events for an event set using the Select or the Deselect button.
Step 3
Click Apply. If you want to create a notification subscription, first create a notification group that uses your event set. See Configuring Fault Notification Groups.
Configuring Fault Notification Groups

When you set up a subscription, LMS lets you choose from existing notification groups. You can then configure an SNMP trap or an e-mail or Syslog notification to use a specific notification group. The notification groups contains the following information:

One or more event sets, if desired (otherwise, the notification group will contain all events) Devices Event status and severity Fields for user-specified additional information you want to include with the subscription Whether the group is static or dynamic
You can configure a maximum of 64 notification groups. Notification Services will not refilter the devices if there is a change in the device list you may access. This section contains: Setting Up a Fault Notification Group as Static or Dynamic
Note
You cannot delete a notification group that is being used by a running subscription.
10-7
Chapter 10 Configuring Event Sets and Notification Groups for Subscriptions
To configure Fault Notification groups:

Step 1 Step 2
Select Admin > Network > Notification and Action Settings > Fault Notification Group. Click Add to create a notification group. The Notification Group Save: Add page appears. (If you want to edit or delete a notification group, click the appropriate button and follow the instructions.)
Step 3
Specify the devices, event sets (if desired), and event severity and status. Click Next. If a subscription is monitoring all events on a device (by not using an event set), and another subscription is monitoring only specific events on a device, you will receive duplicate notifications. With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To assist you in locating devices, use the search option in the mega menu.
Step 4
Specify the notification group name, and enter any desired identifying information in the Customer ID and Customer Revision fields.

For e-mail and Syslog notifications, if you leave these fields blank, they are left blank in the notification. For SNMP trap notifications, if you leave these fields blank, they are displayed as followed in any notifications:
Customer ID: Customer Revision: *
Click Next. Create the notification group by clicking Finish. To create a notification subscription, follow the instructions in one of these topics:

Adding an SNMP Trap Notification Subscription Adding and Editing an E-Mail Notification Subscription Adding a Syslog Notification Subscription
Setting Up a Fault Notification Group as Static or Dynamic

Fault Notification groups in LMS can be static or dynamic. If you set up LMS to include static groups, mappings between the list of the devices and the notification events for those devices are generated. You cannot add devices to or delete devices from a static group. If you set up LMS to have dynamic groups, then any device that fits the criteria for a group will be added to that group. You can also delete devices from a dynamic group. When a device is added to a group, all similar devices are also added. For example, if you have ten routers in the network and create a dynamic group that contains five of these routers, when you add an eleventh router, that router is added to the group along with the other five routers. The group would then contain all eleven routers.
Note
Notification groups can be static or dynamic; you cannot have a mix of group types.
10-8
OL-20721-01
Chapter 10
Notification and Action Settings Managing Fault SNMP Trap Notifications
To set up LMS to include dynamic groups, edit the file /opt/CSCOpx/objects/nos/config/nos.properties and set the following value: DYNAMIC_NOTIF_GROUPS=1 For additional information, see the following topics:

Customizing LMS Events Configuring Event Sets
Managing Fault SNMP Trap Notifications

The SNMP Trap Notifications page displays the following information:

SubscriptionThe name of the user-defined request for notification. StatusThe subscription status; can be either of the following:
RunningLMS is using the subscription while monitoring events to determine when to send a
notification.
SuspendedLMS will not use the subscription unless you resume it.
Notification GroupThe name of notification group that is applied to the subscription.
You are completely in control of subscriptions. LMS does not delete subscriptions under any circumstances. From the SNMP Trap Notifications page, you can perform the tasks listed in Table 10-2.
Table 10-2 SNMP Trap Notification Subscriptions
Task Add
Sample Usage
Reference
Add a subscription that will send SNMP trap notification Adding an SNMP Trap for one device with an event of any severity (critical or Notification Subscription informational) and any status (active, acknowledged, or cleared). View the notification group and hosts that comprise the subscription. Change the trap recipients/notification groups that comprise the subscription. Temporarily stop sending SNMP trap notifications to a host. Temporarily stop sending SNMP trap notifications about a device group. Start sending SNMP trap notifications to a host again. Start sending SNMP trap notifications about a device group using a previously suspended subscription. Suspending an SNMP Trap Notification Subscription Resuming an SNMP Trap Notification Subscription Editing an SNMP Trap Notification Subscription
Edit
Suspend
Resume
Delete
Remove SNMP trap notification subscriptions that are no Deleting an SNMP Trap Notification Subscription longer useful. Remove redundant SNMP trap notification subscriptions.
10-9
Chapter 10 Managing Fault SNMP Trap Notifications
Adding an SNMP Trap Notification Subscription

After you add a subscription for SNMP trap notification, generated SNMP traps are forwarded to the hosts you specify until you change, suspend, or delete the subscription.
Note
Adding a subscription is a multi-step process. Your changes are not saved until you click the Finish button on the final page.
Before You Begin
You must create a notification group before you can create an SNMP trap notification subscription. Refer to Configuring Fault Notification Groups. To add an SNMP trap notification subscription:
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. The SNMP Trap Notification Subscriptions page appears. Click Add. Complete the Trap Subscription Save: Add window:
a. b.
Step 2 Step 3
Enter a subscription name. Select a notification group. If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate the Recipients from Upgrade check box. (This choice is only available for systems that have been upgraded from earlier versions of LMS.)
c. Step 4
Click Next. For each host, enter:
Enter one or more hosts as recipients for traps:

a.
An IP address or DNS name for the hostname. Restart the NOSServer to pick up the change in the host name when host name is used for the trap server and there is a change in that host name.
b. Step 5
A port number on which the host can receive traps. If the port number is unspecified (empty), the port defaults to 162. (You can verify this in Step 5.) A comment. (This is optional).
Click Next.
Review the information that you entered and click Finish. The SNMP Trap Notifications page is displayed, showing the new subscription.
Note
No information is saved until you complete Step 5.
10-10
OL-20721-01
Chapter 10
Notification and Action Settings Managing Fault SNMP Trap Notifications
Editing an SNMP Trap Notification Subscription

You can edit an SNMP trap notification subscription regardless of its status (Running or Suspended). After you edit an SNMP trap notification subscription, if the subscription status is Running, traps are forwarded as specified until you edit, suspend, or delete the subscription. Editing a suspended subscription automatically resumes it.
Note
Editing a subscription is a multi-step process. Your changes are not saved until you click the Finish button on the final page. Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. The SNMP Trap Notification Subscriptions page appears. Select the subscription you want to edit by clicking the radio button beside it. Click Edit. No information is saved until you complete Step 5. Edit the Trap Subscription Save: Edit window:
a. b.
Step 1
Step 2 Step 3
Step 4
Change the subscription name. Select another notification group. If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate the Recipients from Upgrade check box. (This choice is only available for systems that have been upgraded from earlier versions of LMS.)
c. Step 5
Click Next. To add one or more recipients, for each host, enter:

Add or delete a recipient host or change the port number for a host:
a.
An IP address or DNS name for the hostname. A port number on which the host can receive traps. If the port number is unspecified (empty), the port defaults to 162. (You can verify this in Step 6.) A comment. This is optional.
b. c. Step 6
To delete a recipient, delete the hostname, port number, and comment, if any. Click Next.
Review the information that you entered and click the Finish. The SNMP Trap Notifications page is displayed.
10-11
Chapter 10 Managing Fault SNMP Trap Notifications
Suspending an SNMP Trap Notification Subscription

After you suspend an SNMP trap notification subscription, LMS stops using the subscription to select and forward traps. The subscription status changes to Suspended. To do this:
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. The SNMP Trap Notification Subscriptions page appears. Select the subscription you want to suspend by clicking the radio button beside it. Click Suspend. Click OK in the confirmation dialog box. The SNMP Trap Notification Subscriptions page is displayed. The subscription status is Suspended.
Resuming an SNMP Trap Notification Subscription

You can resume an SNMP trap notification subscription only when the subscription status is Suspended. After you resume a subscription, LMS starts using it to identify events for which to forward traps. The subscription status changes to Running. To do this:
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. The SNMP Trap Notification Subscriptions page appears. Select the subscription you want to resume by clicking the radio button beside it. Click Resume. Click OK in the confirmation dialog box. The SNMP Trap Notification Subscriptions page is displayed. The subscription status is Running.
10-12
OL-20721-01
Chapter 10
Notification and Action Settings Managing Fault E-Mail Configurations
Deleting an SNMP Trap Notification Subscription

You can delete an SNMP trap notification subscription regardless of the subscription status. Deleting a subscription removes it permanently from LMS.
Note
You can also suspend a subscription. Suspending a subscription causes the subscription to not be used until a user resumes it. To delete an SNMP trap notification subscription:
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. Select the subscription you want to delete by clicking the radio button beside it. Click Delete. Click OK in the confirmation dialog box. The SNMP Trap Subscriptions page appears. The subscription is no longer displayed.
Managing Fault E-Mail Configurations

This section contains the following topics:

Managing Fault E-Mail Notification Subscriptions Managing Fault E-Mail Subject Customization
You can use the E-Mail Configuration page to configure E-mail notification subscription and to customize the E-mail subject. The E-Mail Configuration page displays the following information:

E-Mail Notification: Forwards events as e-mail to specified e-mail recipients. Forwarded traps are based on Notification Groups. E-Mail Subject Customization: Customizes the e-mail subject for forwarded events.
Note
You may not be able to use some of these functions if you do not have the required privileges.
Managing Fault E-Mail Notification Subscriptions

The E-Mail Notification Subscription page displays the following information:

SubscriptionThe name of the user-defined request for notification. StatusThe subscription status; can be either of the following:
RunningLMS is using the subscription while monitoring events to determine when to send a
notification.
SuspendedLMS will not use the subscription unless you resume it.
Notification GroupThe name of notification group that is applied to the subscription.
10-13
Chapter 10 Managing Fault E-Mail Configurations
You are completely in control of subscriptions. LMS does not delete subscriptions under any circumstances. From the E-Mail Notifications page, you can perform the tasks listed in Table 10-3.
Table 10-3 E-Mail Notification Subscriptions
Task Add
Sample Usage Add a subscription that will send e-mail notification to a user for one device with an event of any severity (critical or informational) and any status (active, acknowledged, or cleared). See Adding and Editing an E-Mail Notification Subscription for more information.

Edit
View the notification group and e-mail recipients that comprise the subscription. Change the e-mail recipients/notification group that comprise the subscription. Temporarily stop sending e-mail notifications to a user. Temporarily stop sending e-mail notifications about a device group. Start sending e-mail notifications to a user again. Start sending e-mail notifications about a device group using a previously suspended subscription. Remove e-mail notification subscriptions that are no longer useful. Remove redundant e-mail notification subscriptions.
Suspend Resume
Delete
Adding and Editing an E-Mail Notification Subscription

After you add or edit a subscription for e-mail notification, LMS sends e-mail to the users you specify whenever an event occurs that matches the subscription.
Note
Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button on the final page.
Before You Begin
You must create a notification group before you can create an E-Mail Notification subscription. Refer to Configuring Fault Notification Groups. To add or edit a subscription for e-mail notification:
Step 1
Select Admin > Network > Notification and Action Settings > Fault - Email notification. The E-Mail Notification Subscriptions page appears. You can do one of the following:

Step 2
Click Add. Click Edit. You can edit an e-mail notification subscription regardless of its status (Running or Suspended). After you edit an e-mail notification subscription, if the subscription status is Running, e-mail is forwarded as specified until you change, suspend, or delete the subscription. Editing a suspended subscription automatically resumes it.
10-14
OL-20721-01
Chapter 10
Notification and Action Settings Managing Fault E-Mail Configurations
Click Delete. Click OK in the confirmation dialog box. The E-Mail Subscriptions page appears. The subscription is no longer displayed. Select the subscription you want to suspend by clicking the radio button beside it and click Suspend. Click OK in the confirmation dialog box. The E-Mail Notification Subscriptions page is displayed. The subscription status is Suspended. After you suspend an e-mail notification subscription, LMS stops using the subscription to send e-mail notification.
Select the subscription you want to resume by clicking the radio button beside it and click Resume. Click OK in the confirmation dialog box. The E-Mail Notification Subscriptions page is displayed. The subscription status is Running. After you resume an e-mail notification subscription, LMS starts using the subscription to determine when e-mail notification should be sent in response to an event.
Step 3
When you add or edit a subscription for e-mail notification, a page appears with the following fields: Field Subscription Name Notification Group Description Enter a subscription names. Select a notification group. If you are upgrading LMS and want to use the e-mail recipients from an earlier configuration, activate the Recipients from Upgrade check box. (This choice is only available for systems that have been upgraded from earlier versions of LMS.)
Step 4 Step 5
Click Next. Enter the following e-mail information: Field SMTP Server Description The name of the default Simple Mail Transfer Protocol (SMTP) server may already be displayed. The server is specified using Admin > System > SMTP Default Server. You may also enter a fully qualified DNS name or IP address for an SMTP server. To select from any non-default SMTP servers in use by existing subscriptions, click the SMTP Servers button. Sender Address Enter the e-mail address that notifications should be sent from. If the senders e-mail service is hosted on the SMTP server specified, you need enter only the username. You do not need to enter the domain name.
10-15
Chapter 10 Managing Fault E-Mail Configurations
Field Recipient Addresses
Description Enter one or more e-mail addresses that notifications should be sent to, separating multiple addresses with either a comma or a semicolon. If a recipients e-mail service is hosted on the SMTP server specified, you need to enter only the username. You do not need to enter the domain name. By default, e-mail notification supplies a fully detailed e-mail message. To omit the message body and send only a subject line, select the Headers Only check box.
Headers Only (check box)
Step 6 Step 7
Click the Next button located at the bottom of the page. Review the information that you entered and click Finish. The E-Mail Notification Subscriptions page is displayed, showing the new subscription.
Note
Managing Fault E-Mail Subject Customization

You can use the E-Mail Subject Customization page to customize the e-mail subject for forwarded events. You need to select the subject attributes and the order in which they are to be displayed. When you apply and save the selections, the e-mails are sent in the customized order. The E-Mail Subject Customization page displays the following information:
Available Subjects for E-mail: The additional subjects that are fetched from the LMS database. You can use these subjects along with the default available subjects while sending e-mail notifications. By default, following list of e-mail subject attributes are displayed in the Available Subjects for E-Mail box:
ifAlias sysLocation sysContact user_defined_field_0 user_defined_field_1 user_defined_field_2 user_defined_field_3
When you import devices from DCR, the subject information gets updated into LMS database and they are displayed as available subjects for e-mails.
Selected Subjects for E-mail: The selected subjects including the default ones in the selected order displayed by the side of the available subjects.
10-16
OL-20721-01
Chapter 10
Notification and Action Settings Managing Fault Syslog Notifications
To customize the e-mail subject:

Step 1
Select Admin > Network > Notification and Action Settings > Fault - Email subject customization. The available and selected lists of the subject attributes for e-mail are displayed. To customize the e-mail subject, you can add and remove subjects from the current e-mail subjects list. By default, following list of e-mail subject attributes are displayed in the Selected Subjects for E-Mail box.

Event ID Device Name Time Severity Event Name Status Select the subject attribute from Available Subjects for E-Mail. Click Add. The selected subject attribute is added to the Selected Subjects for E-Mail list. You can add a subject attribute only from the Available Subjects list to the Selected Subjects list. You cannot add a subject attribute from the Selected subject list to the Available Subject list.
To add a subject:
a. b.
To remove a subject attribute:

a. b.
Select the subject attribute from Selected Subjects for E-Mail. Click Remove. The selected subject attribute is removed from the Selected list and added to the Available subjects for E-Mail list. You can remove a subject attribute only from the Selected Subjects list and not from the Available Subjects list.
Step 2 Step 3
Click Up or Down to rearrange the order of the selected e-mail subject attributes. Click Apply to save the customized e-mail subject attributes.
Managing Fault Syslog Notifications

The Syslog Notifications page displays the following information:

SubscriptionThe name of the user-defined request for notification. Notification GroupThe name of notification group that is applied to the subscription. StatusThe subscription status; can be either of the following:
RunningFault Management module is using the subscription while monitoring events to
determine when to send a notification.

SuspendedFault Management module will not use the subscription unless you resume it.
10-17
Chapter 10 Managing Fault Syslog Notifications
You are completely in control of subscriptions. Fault Management module does not change or delete subscriptions under any circumstances. From the Syslog Notifications page, you can perform the tasks listed in Table 10-4.
Table 10-4 Syslog Notification Subscriptions
Task Add
Sample Usage
Reference
Add a subscription that will send a Syslog notification to Adding a Syslog Notification Subscription a remote machine for one device with an event of any severity (critical or informational) and any status (active, acknowledged, or cleared). View the notification group and Syslog recipient that comprise the subscription. Change the Syslog recipients/notification group that comprise the subscription. Temporarily stop sending Syslog notifications to a remote host. Temporarily stop sending Syslog notifications about a device group. Suspending a Syslog Notification Subscription Editing a Syslog Notification Subscription
Edit
Suspend
Resume
Start sending Syslog notifications to a remote host again. Resuming a Syslog Notification Subscription Start sending Syslog notifications about a device group using a previously suspended subscription.

Delete
Remove Syslog notification subscriptions that are no longer useful. Remove redundant Syslog notification subscriptions.
Deleting a Syslog Notification Subscription
Adding a Syslog Notification Subscription

After you add a subscription for Syslog notification, LMS sends a Syslog message to the specified remote hosts whenever an event occurs that matches the subscription.
Note
Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button on the final page.
10-18
OL-20721-01
Chapter 10
Before You Begin

You must create a notification group before you can create a Syslog Notification subscription. Refer to Configuring Fault Notification Groups. A remote machines Syslog daemon must be configured to listen on a specified port, and you must enter this information in Step 3 of the following procedure. LMS uses the default port 514.
Step 1
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. The Syslog Notification Subscriptions page appears. Click Add.
a. b. c.
Step 2
Enter a subscription name. Select a notification group. Select a facility from the drop-down list (the default is Local Use 0). The Facility field and the event severity are used for the PRI portion of the Syslog message, as follows: [Facility*8][Severity] Event severity values are as follows:

Critical = 2 Information = 6
You can enter location information (up to 29 characters). This information will be populated in the Syslog message. This is optional.
d. Step 3
Click Next. For each host, enter:

Enter one or more hosts as recipients for Syslog notifications.

a.
An IP address or DNS name for the hostname. A port number on which the Syslog daemon is listening. If the port number is unspecified (empty), the port defaults to 514. (You can verify this in Step 5.) A comment. This is optional.
b. Step 4 Step 5
Click Next.
Enter the name of the subscription in the Save As field and click Next. Review the information that you entered and click Finish. The Syslog Notification Subscriptions page is displayed with the new subscription.
Note
10-19
Chapter 10 Managing Fault Syslog Notifications
Editing a Syslog Notification Subscription

You can edit a Syslog notification subscription regardless of its status (Running or Suspended). After you edit a Syslog notification subscription, if the subscription status is Running, Syslog messages are forwarded as specified until you change, suspend, or delete the subscription. Editing a suspended subscription automatically resumes it.
Note
Editing a subscription is a multistep process. Your changes are not saved until you click the Finish button on the final page. Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. The Syslog Notification Subscriptions page appears. Select the subscription you want to edit by clicking the radio button beside it. Click Edit. Edit the Syslog Subscription Save: Edit window:
a. b. c.
Step 1
Change the subscription name. Select a different notification group. Select a Facility from the drop-down list (the default is Local Use 0). The Facility field and the event severity is used for the PRI portion of the Syslog message, as follows: [Facility*8][Severity] Event severity values are as follows:

Critical = 2 Informational = 6
You can enter location information (up to 29 characters). This information will be populated in the Syslog message. This is optional.
d. Step 5
Click Next. To add one or more recipients, for each host, enter:

Add or delete a recipient host or change the port number for a host:
a.
An IP address or DNS name for the hostname. A port number on which the Syslog daemon is listening. If the port number is unspecified (empty), the port defaults to 514. (You can verify this in Step 7.) A comment. This is optional.
b. c. Step 6 Step 7
To delete a recipient, delete the hostname, port number, and comment, if any. Click Next.
Click the Next button located at the bottom of the page. Review the information that you entered and click Finish. The Syslog Notification Subscriptions page is displayed.
10-20
OL-20721-01
Chapter 10
Suspending a Syslog Notification Subscription

After you suspend a Syslog notification subscription, LMS stops using the subscription to send Syslog notifications. The subscription status changes to Suspended.
Step 1
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. The Syslog Notification Subscriptions page appears. Select the subscription you want to suspend by clicking the radio button beside it. Click Suspend. Click OK in the confirmation dialog box. The Syslog Notification Subscriptions page is displayed. The subscription status is Suspended.
Resuming a Syslog Notification Subscription

After you resume a Syslog notification subscription, LMS starts using the subscription to determine when Syslog notifications should be sent in response to an event. The subscription status changes to Running. To resume a syslog notification subscription:
Step 1
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. The Syslog Notification Subscriptions page appears. Select the subscription you want to resume by clicking the radio button beside it. Click Resume. Click OK in the confirmation dialog box. The Syslog Notification Subscriptions page is displayed. The subscription status is Running.
Deleting a Syslog Notification Subscription

You can delete a Syslog notification subscription regardless of the subscription status. Deleting a subscription removes it permanently from LMS.
Note
You can also suspend a subscription. Doing so causes the subscription to not be used until a user resumes it. To delete a syslog notification subscription:
Step 1 Step 2
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. Select the subscription you want to delete by clicking the radio button beside it.
10-21
Chapter 10 Configuring Fault SNMP Trap Receiving and Forwarding
Step 3 Step 4
Click Delete. Click OK in the confirmation dialog box. The Syslog Subscriptions page appears. The subscription is no longer displayed.
Configuring Fault SNMP Trap Receiving and Forwarding

LMS can receive traps on any available port and forward them to a list of devices and ports. This capability enables LMS to work with other trap processing applications. This section contains the following topics:

Enabling Devices to Send Traps to LMS Enabling Cisco IOS-Based Devices to Send Traps to LMS Enabling Catalyst Devices to Send SNMP Traps to LMS Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs Updating the SNMP Trap Receiving Port Configuring SNMP Trap Forwarding
LMS will only forward SNMP traps from devices in the LMS inventory. It will not change the trap formatit will forward the raw trap in the format in which the trap was received from the device. However, you must enable SNMP on your devices and you must do one of the following:

Configure SNMP to send traps directly to LMS Integrate SNMP trap receiving with an NMS or a trap daemon
Note
The ports and protocols used by Cisco Prime are listed in Installing and Migrating to CiscoWorks LAN Management Solution 4.1 .
Enabling Devices to Send Traps to LMS

Note
If your devices send SNMP traps to a Network Management System (NMS) or a trap daemon, see Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs. Since LMS uses SNMP MIB variables and traps to determine device health, you must configure your devices to provide this information. For any Cisco device that you want LMS to monitor, SNMP must be enabled and the device must be configured to send SNMP traps to the LMS server. Make sure your devices are enabled to send traps to LMS by using the command line or GUI interface appropriate for your device:

Enabling Cisco IOS-Based Devices to Send Traps to LMS Enabling Catalyst Devices to Send SNMP Traps to LMS
10-22
OL-20721-01
Chapter 10
Notification and Action Settings Configuring Fault SNMP Trap Receiving and Forwarding
Enabling Cisco IOS-Based Devices to Send Traps to LMS

For devices running Cisco IOS software, enter the following commands:
(config)# snmp-server [community string] ro (config)# snmp-server enable traps (config)# snmp-server host [a.b.c.d] traps [community
string]
where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the SNMP trap receiving host (the LMS server). For more information, see the appropriate command reference guide. To enable Cisco IOS-Based devices to send traps to LMS:
Log into Cisco.com. Select Products & Services > Cisco IOS Software. Select the Cisco IOS software release version used by your IOS-based devices. Select Technical Documentation and select the appropriate command reference guide.
Enabling Catalyst Devices to Send SNMP Traps to LMS

For devices running Catalyst software, provide the following commands:
(enable)# set snmp community read-only [community string] (enable)# set snmp trap enable all (enable)# set snmp trap [a.b.c.d] [community string]
where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the SNMP trap receiving host (the LMS server). For more information, see the appropriate command reference guide.
Log into Cisco.com. Select Products & Services > Cisco Switches. Select the appropriate Cisco Catalyst series switch. Select Technical Documentation and select the appropriate command reference guide.
10-23
Chapter 10 Configuring Fault SNMP Trap Receiving and Forwarding
Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs

You might need to complete one or more of the following steps to integrate SNMP trap receiving with other trap daemons and other Network Management Systems (NMSs):
If you are integrating LMS with a remote version of HP OpenView or NetView, you must install the appropriate adapter on the remote HP OpenView or NetView (see Installing and Migrating to CiscoWorks LAN Management Solution 4.1 . This guide also provides information on supported versions). You do not need to install any adapters if HP OpenView or NetView is installed locally. Add the host where LMS is running to the list of trap destinations in your network devices. See Enabling Devices to Send Traps to LMS. Specify port 162 as the destination trap port. (If another NMS is already listening for traps on the standard UDP trap port (162), use port 9000, which LMS will use by default.) If your network devices are already sending traps to another management application, configure that application to forward traps to LMS.
Table 10-5 describes scenarios for SNMP trap receiving and lists the advantages of each.
Table 10-5 Configuration Scenarios for Trap Receiving
Scenario Network devices send traps to port 162 of the host where LMS is running. LMS receives the traps and forwards them to the NMS.
Advantages

No reconfiguration of the NMS is required. No reconfiguration of network devices is required. LMS provides a reliable trap reception and forwarding mechanism. NMS continues to receive traps on port 162. Network devices continue to send traps to port 162. No reconfiguration of the NMS is required. No reconfiguration of network devices is required. LMS does not receive traps dropped by the NMS.
NMS receives traps on default port 162 and forwards them to port 162 on the host where LMS is running.
Updating the SNMP Trap Receiving Port

By default, LMS receives SNMP traps on port 162 (or, if port 162 is occupied, port 9000). If you need to change the port, you can do so. LMS supports SNMP V1, V2, and V3 traps for trap receiving.
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap receiving settings. Enter the port number in the Receiving Port text box. Click Apply.
For a list of ports that are already in use, see Installing and Migrating to CiscoWorks LAN Management Solution 4.1 . If you have two instances of the DfmServer process running, traps will be forwarded from the first instance to the second instance.
10-24
OL-20721-01
Chapter 10
Notification and Action Settings Performance SNMP Trap Notification Groups
Configuring SNMP Trap Forwarding

Note
Your login determines whether or not you can perform this task. View the Cisco Prime Permission Report (Reports > System > Users > Permission) to determine which tasks are permitted for each user role. LMS will only forward SNMP traps from devices in the LMS inventory. LMS will not change the trap formatit will forward the raw trap in the format in which it was received from the device. All traps are forwarded in V1 (SNMP Version) format.
Step 1 Step 2
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding. For each host, enter:

An IP address or DNS name for the hostname. A port number on which the host can receive traps.
Step 3
Click Apply.
Performance SNMP Trap Notification Groups

Cisco Prime LMS allows you to create SNMP Trap Receiver Groups using the Trap Receiver Groups option.This is group of hosts that receives specified trap notifications, when any TrendWatch or Threshold violation occurs in LMS. The Trap destination is defined by the IP address or it can be a host name. From the Trap Receiver Groups page, you can create a Trap Receiver Group, modify the configuration of a Trap Receiver Group, and delete a Trap Receiver Group. To access the Trap Receiver Group page, Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The Trap Receiver Groups page appears. Table 10-6 describes the fields in the Trap Receiver Groups.
Table 10-6 Trap Receiver Groups Fields
Field Trap Group Name
Description Name of the Trap Receiver Group. Click on the Name hyperlink to view the details of the Trap Receiver Group created.
Number of Receivers Create (button) Edit (button)
Number of Trap Receivers added to the Trap Receiver Group. Creates a Trap Receiver Group. See Creating a Trap Receiver Group. Modifies an existing Trap Receiver group. See Editing a Trap Receiver Group.
10-25
Chapter 10 Performance SNMP Trap Notification Groups
Table 10-6
Trap Receiver Groups Fields
Field Delete (button) Filter (button)
Description Deletes an existing Trap Receiver Group. See Deleting a Trap Receiver Group. Filters information based on the criteria that you select from the drop-down list. The drop-down list contains the following criteria: All Group Name See Filtering Trap Receiver Groups
You can perform the following tasks from the Trap Receiver Groups dialog box:

Creating a Trap Receiver Group Editing a Trap Receiver Group Deleting a Trap Receiver Group Filtering Trap Receiver Groups
Creating a Trap Receiver Group

To create a Trap Receiver group
Step 1
Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The Trap Receiver Groups page appears.
Step 2
Click Create. The Create Trap Receiver Group page appears, displaying the Trap Group Configuration dialog box. Table 10-7 describes the fields in the Trap Group Configuration dialog box.
Table 10-7 Trap Group Configuration
Field Group Name
Description Enter the name of the Trap Receiver Group. For example, Trap Receiver Group 1. The name can contain a mix of alphabets, numerals, and some special characters (such as - _ . # @ $ &).
Receiver Details
Host
Enter the host name or IP address. For example 10.77.201.52 Enter the IP address or hostname of the destination to which the trap message should be delivered.
Port
Enter the Port Number on which Trap Receiver is listening for traps. The default port value is 162. This field is optional.
10-26
OL-20721-01
Chapter 10
Table 10-7
Trap Group Configuration
Field Community Create (button) Add More (button) Cancel (Button)

Description Enter the community string that appears in the trap message. The default community string is public. This field is optional. Creates the Trap Receiver Group. Adds more hosts to the present Group. Cancels the creation of Trap Receiver Group.
Enter a descriptive name for the Trap Group name in the GroupName field. Enter the IP address or hostname of the destination to which the trap should be delivered in the Host field. Enter the Port Number on which Trap Receiver is listening for traps in the Port field. Enter the community string that appears in the trap message in Community field. The community string will be displayed as asterisks.
Note
You can add as many as five hosts or devices to the Trap Group by default.
To add more than five hosts to the Trap Group,

Step 1 Step 2
Click Add More to add another host information to the Trap Group. Go to Step 4 to continue. Click Create to create the Trap Group. Or Click Cancel to cancel the operation. The Trap Receiver Group dialog box appears, displaying the Trap Groups.
10-27
Editing a Trap Receiver Group

You can edit a Trap Receiver Group to update or change the hosts, ports and community string of the selected Trap Receiver Group using the Edit button in the List of Trap Receiver Groups. You can edit only one Trap Receiver Group at a time. If you select multiple Trap Receiver Groups using the check box, the Edit button is disabled. You cannot edit the Trap Receiver Group Name field. To edit a Trap Receiver Group:
Step 1
Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The Trap Receiver Groups dialog box appears.
Step 2 Step 3
Select the Trap Receiver Group by checking the corresponding check box against the Trap Receiver Group Name. Click Edit. The Edit Trap Receiver Group dialog box appears, displaying the earlier settings. Table 10-8 describes the fields in the Trap Group Configuration dialog box.
Table 10-8 Trap Group Configuration
Field Group Name

Receiver Details
Description Name of the Trap Receiver Group. For example, Trap Receiver
Host
Enter the host name or IP address. For example 10.77.201.52 Enter the IP address or hostname of the destination to which the trap message should be delivered.
Port Community Update (button) Add More (button) Cancel (Button)

Step 4
Enter the Port Number on which Trap Receiver is listening for traps. For example, 162 Enter the community string that appears in the trap message. The default community string is public. Updates the Trap Receiver Group. Adds more hosts to the present Group. Cancels the modification of the Trap Receiver Group.
Make the necessary changes to the Receiver Details.
10-28
OL-20721-01
Chapter 10
To add more receivers to the present configuration,

Click AddMore in the Trap Group Configuration dialog box. Make necessary changes to the Receiver Details. Click Update in the Trap Group Configuration dialog box to complete updating the Trap Receiver Group. Or Click Cancel to cancel the operation. The Trap Receiver Group dialog box appears, displaying the Trap Groups.
Deleting a Trap Receiver Group

You can delete one or more Trap Receiver Groups using the Delete button on the List of Trap Receiver Groups dialog box. You cannot delete a Trap Receiver Group that is associated with any Threshold or TrendWatch. If you want to delete such Trap Receiver Groups, first remove the Trap Receiver Group from the associated Threshold or TrendWatch. Before a Trap Receiver Group is deleted, you are prompted to confirm the deletion because you cannot restore a Trap Receiver Group that you have deleted from the database. To delete a Trap Receiver Group:
Step 1
Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The List of Trap Receiver Groups dialog box appears.
Step 2
Select the Trap Group Name by checking the appropriate check box. You can select multiple Trap Receiver Groups by checking their respective check boxes. Click Delete. A message appears, prompting you to confirm the deletion, Click OK to delete the Trap Receiver Groups. Or Click Cancel to cancel the operation. If you choose to click OK, a message appears that the Trap Receiver Group is deleted successfully. The Trap Receiver Groups dialog box appears.
Step 3
Step 4
10-29
Filtering Trap Receiver Groups

This section describes how you can use the filter option to display the Trap Receiver Group information based on a specific criteria. To filter a Trap Receiver Groups:
Step 1
Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The List of Trap Receiver Group dialog box appears.
Select a criteria for filtering from the drop-down list. Enter the data to be filtered. Click Show. The List of Trap Receiver Groups dialog box appears, displaying the Trap Receiver Group information based on the filter criteria. Table 10-9 describes the criteria to filter.
Table 10-9 Trap Receiver Groups Field Description
Filter Criteria Group Name
Description Select Group Name and enter the data. You can use either of the following methods to filter by entering:

Complete Group name Any wildcard characters of the Trap Receiver Group name (such as *trap, trap*)
10-30
OL-20721-01
Chapter 10
Notification and Action Settings Performance Syslog Notification Groups
Performance Syslog Notification Groups

Cisco Prime LMS allows you to create Syslog Receiver Groups using the Syslog Receiver Groups option. Syslog Receiver Groups is a group of hosts that receives Syslog messages when any TrendWatch or Threshold violation occurs in LMS. From the Syslog Receiver Groups page you can create a Syslog Receiver Group, modify the configuration of a Syslog Receiver Group, and delete a Syslog Receiver Group. To access the Syslog Receiver Group page, select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The List of Syslog Receiver Groups dialog appears. Table 10-10 describes the fields in the Syslog Receiver Groups.
Table 10-10 Syslog Receiver Groups Fields
Field Syslog Group Name Number of Receivers Create (button) Edit (button) Delete (button) Filter (button)
Description Name of the Syslog Receiver Group. For example, Syslog Group Number of Syslog Receivers added to the Syslog Receiver Group. Creates a Syslog Receiver Group. See Creating a Syslog Receiver Group. Modifies an existing Syslog Receiver group. See Editing a Syslog Receiver Group. Deletes an existing Syslog Receiver Group. See Deleting a Syslog Receiver Group. Filters information based on the criteria that you select from the drop-down list. The drop-down list contains the following criteria:

All Group Name
See Filtering Trap Receiver Groups Update Facility (button) Sends the Syslog message to the receiver, based on the facility level selected in the drop-down list. The drop-down list contains the following criteria:

local 0 local 1 local 2 local 3 local 4 local 5 local 6 local 7
10-31
Chapter 10 Performance Syslog Notification Groups
You can perform the following tasks from the Syslog Receiver Groups dialog box:

Creating a Syslog Receiver Group Editing a Syslog Receiver Group Deleting a Syslog Receiver Group Filtering Syslog Receiver Groups
Creating a Syslog Receiver Group

To create a Syslog Receiver group:
Step 1
Select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The Syslog Receiver Groups dialog appears. Click Create. The Create Syslog Receiver Group page appears, displaying the Syslog Group Configuration dialog box. Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Table 10-11 Syslog Groups Configuration
Step 2
Field Group Name
Description Enter the name of the Syslog Group name. For example, Syslog Group. The name can contain a mix of alphabets, numerals, and some special characters (such as - _ . # @ $ &).
Receiver Details
Host
Enter the host name or IP address. For example 10.77.201.52 Enter the IP address or hostname of the destination to which the syslog message should be delivered. This IP address should be DNS resolvable.
Port
Enter the Port Number on which Syslog Receiver is listening for syslog messages. The default port value is 514. This field is optional. Creates the Syslog Receiver Group Adds more hosts to the present Group Cancels the creation of Syslog Receiver Group
Create (button) Add More (button) Cancel (Button)

Enter a descriptive name for the Syslog Group name in the GroupName field. Enter the IP address or hostname of the destination to which the Syslog messages should be delivered in the Host field. Enter the Port Number on which Syslog Receiver is listening for Syslog Messages in the Port field.
10-32
OL-20721-01
Chapter 10
Note
You can add as many as five hosts or devices to the Syslog Group by default. To add more than five hosts to the Syslog Group,
Step 1 Step 2
Click AddMore to add another host information to the Syslog Group. Go to Step 4 to continue. Click Create to create the Syslog Group. Or Click Cancel to cancel the operation. The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.
Editing a Syslog Receiver Group

You can edit a Syslog Receiver Group to update or change the hosts and ports of the selected Syslog Receiver Group using the Edit button in the List of Syslog Receiver Groups. You can edit only one Syslog Receiver Group at a time. If you select multiple Syslog Receiver Groups using the check box, the Edit button is disabled. You cannot edit the Syslog Receiver Group Name field. To edit a Syslog Receiver Group:
Step 1
Select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The Syslog Receiver Groups dialog box appears. Select the Syslog Receiver Group by checking the corresponding check box against the Syslog Receiver Group Name. Click Edit. The Edit Syslog Receiver Group dialog box appears, displaying the earlier settings. Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Table 10-12 Syslog Groups Configuration
Step 2 Step 3
Field Group Name

Receiver Details
Description Name of the Syslog Group name. For example, Syslog Group.
Host
Enter the host name or IP address. for example 10.77.201.52 Enter the IP address or hostname of the destination to which the Syslog message should be delivered.
Port
Enter the Port Number on which Syslog Receiver is listening for Syslog messages. The default port number is 512.
10-33
Chapter 10 Performance Syslog Notification Groups
Table 10-12
Syslog Groups Configuration
Field Update (button) Add More (button) Cancel (Button)

Step 4
Description Updates the Syslog Receiver Group. Adds more hosts to the present Group. Cancels the modification of the Syslog Receiver Group.
Make the necessary changes to the Receiver Details. To add more receivers to the current configuration:
Click AddMore in the Syslog Group Configuration dialog box. Make the necessary changes to the Receiver Details. Click Update in the Syslog Group Configuration dialog box to complete updating the Syslog Receiver Group. Or Click Cancel to cancel the operation. The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.
Deleting a Syslog Receiver Group

You can delete one or more Syslog Receiver Groups using the Delete button on the List of Syslog Receiver Groups dialog box. You cannot delete a Syslog Receiver Group which is associated with any Threshold or TrendWatch. If you want to delete such Syslog Receiver Groups, first remove the Syslog Receiver Group from the associated Threshold or TrendWatch. Before a Syslog Receiver Group is deleted, you are prompted to confirm the deletion because you cannot restore a Syslog Receiver Group that you have deleted from the database. To delete a Syslog Receiver Group:
Step 1
Select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The Syslog Receiver Groups dialog box appears. Select the Syslog Group Name by checking the appropriate check box. You can select multiple Syslog Receiver Groups by checking their respective check boxes.
Step 2
10-34
OL-20721-01
Chapter 10
Step 3
Click Delete. A message appears, prompting you to confirm the deletion. Click OK to delete the Syslog Receiver Groups. Or Click Cancel to cancel the operation. If you choose to click OK, a message appears that the Syslog Receiver Group is deleted successfully. The Syslog Receiver Groups dialog box appears.
Step 4
Filtering Syslog Receiver Groups

You can use the Filter option to display the Syslog Receiver Group information based on a specific criteria. To filter a Syslog Receiver Groups:
Step 1
Select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The List of Syslog Receiver Group dialog box appears. Select a criteria for filtering from the drop-down list. Enter the data to be filtered. Click Show. The Syslog Receiver Groups dialog box appears, displaying the Syslog Receiver Group information based on the filter criteria. Table 10-13 describes the criteria to filter.
Table 10-13 Syslog Receiver Groups Field Description
Filter Criteria Group Name
Description Select Group Name and enter the data. You can use any of the following methods to filter by entering:

Complete Group name Any wildcard characters of the Syslog Receiver Group name (such as *Syslog, Syslog*)
10-35
Chapter 10 Defining Automated Actions
Defining Automated Actions

You can create automated actions to be executed automatically whenever Syslog Analyzer receives a specific message type. This section contains:

Creating an Automated Action Editing an Automated Action Guidelines for Writing Automated Script Enabling or Disabling an Automated Action Exporting or Importing an Automated Action Deleting an Automated Action Automated Action: An Example
When you select Admin > Network > Notification and Action Settings > Syslog Automated Actions, a list of automated actions appears in the dialog box on the Automated Actions page. Of these, there are two system-defined automated actions (the rest are user-defined). The system-defined automated actions are:

Inventory FetchTo fetch inventory from the device. Config FetchTo fetch configuration from the device.
You can edit these system-defined automated actions, but you cannot delete them. These actions are enabled by default. You can choose to disable them by selecting them and clicking Enable/Disable. Config Fetch might loop if SYS-6-CFG_CHG-*SNMP* message is received from a Catalyst operating system device. You can then edit Config Fetch automated action and you can delete SYS-6-CFG_CHG-*SNMP* message type. In the Automated Actions dialog box, you can choose whether to include interfaces of selected devices or not. The columns in the Automated Actions dialog box are: Column Name Status Type Description Name of the automated action. Status of the automated action at creation timeEnabled, or disabled Type of automated actionE-mail, script or URL.
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.
10-36
OL-20721-01
Chapter 10
Notification and Action Settings Defining Automated Actions
Using the automated actions dialog box, you can do the following tasks: Task Create an automated action (see Creating an Automated Action). Edit an automated action (see Editing an Automated Action). Enable or Disable an automated action (see Enabling or Disabling an Automated Action) Import or Export an automated action (see Exporting or Importing an Automated Action) Delete an automated action (see Deleting an Automated Action). Button Create Edit Enable/Disable Import/Export Delete
If you are creating an automated action, see the example (Automated Action: An Example) of how to set up an automated action that sends an e-mail when a specific Syslog message is received. On Windows, you cannot set up an automated action to execute an.exe file that interacts with the Windows desktop. For example, you cannot make a window pop up on the desktop.
Related Topics

Defining Automated Actions Creating an Automated Action Editing an Automated Action Enabling or Disabling an Automated Action Exporting or Importing an Automated Action Deleting an Automated Action Automated Action: An Example Guidelines for Writing Automated Script
Creating an Automated Action

To create an automated action:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, with a list of automated actions, appears in the Automated Actions page. Here, you can choose whether to include interfaces of selected devices or not. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Click Create. A dialog box appears for device selection. Select All Managed Devices or Choose Devices. If you select the All Managed Devices option:

Step 3
You cannot select the individual devices or device categories from the device selector. All managed devices are considered. The syslog messages from the various device interfaces are considered for creating automated actions.
10-37
If you select Choose Devices option, you must select the required devices.
Step 4
Click Next. A dialog box appears in the Define Message Type page. Enter a unique name for the automated action that you are creating. Select either Enabled or Disabled as the status for the action at creation time. Select the Syslog message types for which you want to trigger the automated action from the Define New Message Type section of the dialog box. Click Next. The Automated Action Type dialog box appears. Select a type of action (E-mail, URL, or Script) from the Select a type of action drop-down list box.
Step 9
If you select E-mail, enter the following information in the Automated Action Type dialog box: Description List of comma separated e-mail addresses. Mandatory field. Subject of the e-mail. Content that you want the e-mail to contain.
Field Send to Subject Content
If you select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can use the following parameters:
$D (for the device) $M (for the complete syslog message).
When the URL is invoked, If you have specified $D or $M, then, $D is substituted with the device hostname or IP address and $M is substituted with the syslog message. For example, if the URL is http://hostname/script.pl?device=$D&mesg=$M When invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog message.
If you select Script, enter the script to be used, in the Script to execute field of the Automated Action type dialog box. Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files (*.bat) on Windows. The shell script or batch file should have only write/execute permissions for casuser:casusers in UNIX and casuser/Administrator in Windows. The other users should have only read permission. You must ensure that the scripts contained in the file have permissions to execute from within the casuser account. The script files must be available at this location: On Windows: NMSROOT/files/scripts/syslog On UNIX: /var/adm/CSCOpx/files/scripts/syslog
10-38
OL-20721-01
Chapter 10
To select the script file:

a.
Click Browse. The Server Side File Browser dialog box appears. Select the file (*.sh on Unix and *.bat on Windows).
b. Step 10 Step 11
Click OK. Click Finish.
If the executable program produces any errors or writes to the console, the errors will be logged as Info messages in the SyslogAnalyzer.log. This file is available at: On UNIX, /opt/CSCOpx/log directory On Windows, NMSROOT\log directory (where NMSROOT is the root directory of the LMS Server).
Editing an Automated Action

To edit an automated action:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, displaying the list of automated actions, appears in the Automated Actions page. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Select an automated action from the drop-down list and click Edit. The Select Devices dialog box appears. Select the required devices and click Next. A dialog box appears in the Define Message Type page. This dialog box allows you to:

Step 3
Change the Message Filter TypeFrom Enabled to Disabled, or vice, versa. Add a message type Edit a message type Delete a message type Select a message type from system-defined message types
Step 4
Click Next.
10-39
Step 5
The Automated Action Type dialog box appears. This dialog box allows you to change the type of action. For example, you can change from E-mail to URL or Script.
For E-mail, enter or change the following information in the Automated Action type dialog box: Description List of comma separated e-mail addresses. Subject of the e-mail (optional). Content that you want the e-mail to contain. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent with the E-mail ID as the sender's address
For URL, enter or change the URL to be invoked, in the Automated Action type dialog box. If you select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can use the following parameters:
When the URL is invoked, If you have specified $D or $M, then, $D is substituted with the device hostname or IP address and $M is substituted with the syslog message. For example, if the URL is http://hostname/script.pl?device=$D&mesg=$M When invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog message.
If you select Script, enter the script to be used, in the Script to execute field of the Automated Action type dialog box. Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files (*.bat) on Windows. The shell script or batch file should have only write/execute permissions for casuser:casusers in UNIX and casuser/Administrator in Windows. The other users should have only read permission. You must ensure that the scripts contained in the file have permissions to execute from within the casuser account. The script files must be available at this location: On Windows: NMSROOT/files/scripts/syslog On UNIX: /var/adm/CSCOpx/files/scripts/syslog
10-40
OL-20721-01
Chapter 10
To select the script file:

a.
Click Browse. The External Config Selector dialog box appears. Select the file (*.sh on Unix and *.bat on Windows).
b. Step 6
Click Finish. The edited automated action appears in the dialog box on the Automated Action page.
Guidelines for Writing Automated Script

To write an automated script:
Step 1
Copy the sampleEmailScript.pl from RME 3.5 or older to the new LMS 4.1 server and put this file in: For Solaris/Soft Appliance: /var/adm/CSCOpx/files/scripts/syslog directory For Windows: NSMROOT/files/scripts/syslog Write a shell script for Solaris/Soft Appliance or .bat file for Windows in the same directory. Here is an example shell script (called syslog-email.sh) for UNIX:
#!/bin/sh /opt/CSCOpx/bin/perl /var/adm/CSCOpx/files/scripts/syslog/sampleEmailScript.pl -text_message "MEssage: $2 from device: $1" -email_ids nobody@nowhere.com -subject "Syslog Message: $2" -from nobody@nowhere.com -smtp mail-server-name.nowhere.com
Step 2
For Windows, replace $1 and $2 with %1 and %2 and change the directory accordingly.
Enabling or Disabling an Automated Action

To enable or disable an automated action:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, displaying the list of automated actions, appears in the Automated Action page. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2 Step 3
Select the required automated action from the list in the dialog box. Click Enable/Disable to toggle its status. The dialog box in the Automated Action page is refreshed and it displays the changed state for the specified automated action.
10-41
Exporting or Importing an Automated Action

You can export an automated action to a flat file and use this file on any Syslog Analyzer, using the import option. To export or import an automated action:
Step 1
Step 2
Select an automated action. You can select more than one automated action. If you do not select an automated action before clicking the Export/Import button, then only the Import option will be available. The Export option will be disabled
Step 3
Click Export/Import. The Export/Import Automated Actions dialog box appears with the Export or Import options. Select either Export or Import. Either:
Step 4 Step 5
Enter the location of the file to be exported or imported. Click Browse. The Server Side File Browser appears. You can select a valid file, and click OK.
Or
The file location appears in the Export/Import dialog box.

Step 6
Click OK.
Deleting an Automated Action

To delete an automated action:
Step 1
Step 2 Step 3
Select the required automated action from the list in the dialog box. Click Delete. You will be asked to confirm the deletion. If you confirm the deletion, the action will be deleted.
10-42
OL-20721-01
Chapter 10
Automated Action: An Example

This is an example of how to set up an automated action that sends an e-mail when a specific Syslog message is received. This example assumes that devices have been imported and are sending Syslog messages to the LMS Server.
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, with a list of automated actions, appears in the Automated Action page. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 1
Step 2
Click Create. The Devices Selection dialog box appears. Select the required devices and click Next. The Define Message Type dialog box appears. Enter a unique name for the automated action that you are creating. Select either Enabled, or Disabled as the status for the action at creation time. Click Select. The Select System Defined Message Types dialog box appears. Select the SYS folder, then select the SYS-*-5-CONFIG_I message from the Select System Defined Message Types list, and click OK. The dialog box on the Define Message Type page appears. Click Next. The Automated Action Type dialog box appears. Select the type of actionE-mail, Script, or URL. If you had selected Email in Step 9: Enter the following information:
Step 3
Step 7
Step 8
Step 9
Description List of comma-separated e-mail addresses. Subject of the e-mail (optional). Content that you want the e-mail to contain. Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). If a syslog is found with the matching type for managed (normal) devices, an e-mail is sent with the E-mail ID as the sender's address. Then go to Step 10. If you had selected Script in Step 9: Choose the appropriate bat file for Windows, or shell script for Solaris, from the File Selector. For details about these files, see the topic Creating an Automated Action. Then go to Step 10.
10-43
If you had selected URL in Step 9: Enter the URL to be invoked. If you select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can use the following parameters:
When the URL is invoked, if you have specified $D or $M, then, $D is substituted with the device hostname or IP address and $M is substituted with the syslog message. For example, if the URL is http://hostname/script.pl?device=$D&mesg=$M When invoked, $D is replaced with 10.68.12.2 (where 10.68.12.2 is the IP address of the device) and $M is replaced with the URL-encoded syslog message.
Step 10
Click Finish. Also see Verifying the Automated Action.
Verifying the Automated Action

To verify the automated action:
Step 1
Select a managed router that is already sending Syslog messages to the LMS server and generate a SYS-5-CONFIG_I message by changing the message-of-the-day banner as follows:
a. Connect to the managed router using Telnet and log in. b. In enable mode enter enable, then enter a password. c. At the config prompt enter configure terminal. d. Change the banner by entering:
banner motd z This is a test banner z end
e. Exit the Telnet session. Step 2
Make sure that the SYS-5_CONFIG_I message is sent to the LMS Server as follows:

On UNIX systems, open the syslog_info file located in the /var/log directory, or whichever file has been configured to receive Syslog messages. On Windows systems, open the syslog.log file located in the NMSROOT\log\ directory. Where NMSROOT is the LMS installation directory.
Step 3
Verify that there is a message from the managed router whose banner-of-the-day was changed. This message appears at the bottom of the log.

If the message is in the file, an e-mail is mailed to the e-mail ID specified. If the message is not in the file, the router has not been configured properly to send Syslog messages to the LMS Server.
10-44
OL-20721-01
Chapter 10
Notification and Action Settings Defining Syslog Message Filters
Defining Syslog Message Filters


Creating a Filter Editing a Filter Enabling or Disabling a Filter Exporting or Importing a Filter Deleting a Filter
You can exclude messages from Syslog Analyzer by creating filters.
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. To launch the message filters dialog box:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box appears in the Message Filters page. A list of all message filters is displayed in this dialog box, along with the names, and the status of each filterEnabled, or Disabled.
Step 2
Specify whether the filters are for dropping the Syslog messages or for keeping them, by selecting either Drop or Keep.

If you select Drop, the Common Syslog Collector drops the syslogs that match any of the Drop filters from further processing. If you select Keep, Collector allows only the syslogs that match any of the Keep filters, for further processing.
Note Step 3
The Drop or Keep options apply to all message filters. They do not apply to individual filters.
Specify whether interfaces of selected devices should be included. In the dialog box that displays the message filters, you can do the following tasks:
Task Create a filter (see Creating a Filter). Edit a filter (see Editing a Filter). Enable or disable a filter (see Enabling or Disabling a Filter). Export or import a filter. (see Exporting or Importing a Filter). Delete a filter (see Deleting a Filter).
Button Create Edit Enable/Disable Export/Import Delete
10-45
Chapter 10 Defining Syslog Message Filters
Creating a Filter
You can create a filter for Syslog messages by:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box with a list of filters, appears in the Message Filter page. Specify whether the filter should be a dropped or kept, by selecting either Drop or Keep.

Step 2
If you select Drop, the Common Syslog Collector drops the Syslogs that match any of the Drop filters from further processing. If you select Keep, Collector allows only the Syslogs that match any of the Keep filters, for further processing.
Note Step 3
The Drop or Keep options apply to all message filters. They do not apply to individual filters.
Click Create. The dialog box appears for device selection. Select All Managed Devices or Choose Devices. If you select the All Managed Devices option:

Step 4
You cannot select the individual devices or device categories from the device selector. All managed devices are considered. The syslog messages from the various device interfaces are considered for creating message filters.
If you select the Choose Devices option, you must select the required devices.
Step 5
Click Next. .A dialog box appears in the Define Message Type page. Enter a unique name for the filter. Select either the Enabled, or the Disabled status for the filter at creation time. Select the Syslog message types for which you want to apply the filter. Click Finish. The list of filters in the message filter dialog box on the Message Filters page is refreshed.
Editing a Filter
To edit a filter:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box, displaying the list of filters, appears in the Message Filter page. Select a filter by clicking on its check box, and click Edit. The Select Devices dialog box appears.
Step 2
10-46
OL-20721-01
Chapter 10
Notification and Action Settings Defining Syslog Message Filters
Step 3
Select the required devices and click Next. A dialog box appears in the Define Message Type page. This dialog box allows you to:

Change the filter StatusFrom Enabled to Disabled, or vice, versa. Add a message type Edit a message type Delete a message type Select a message type from system-defined message types
Step 4
Click Finish after you make all your changes. The edited filter appears in the dialog box on the Message Filter page.
Enabling or Disabling a Filter

To enable or disable a filter:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box, with the list of filters, appears in the Message Filter page. Select the required filter from the list in the dialog box. Click Enable/Disable to toggle its status. The dialog box in the Message Filter page is refreshed and it displays the changed state for the specified filter.
Step 2 Step 3
Exporting or Importing a Filter

You can export a filter to a flat file and use this file on any Syslog Analyzer, using the import option. To export or import a filter:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box, with the list of filters, appears in the Message Filter page. Select a filter. You can select more than one filter. Click Export/Import. The Export/Import dialog box appears with the Export or Import options. Select either Export or Import.
Step 2 Step 3
Step 4
10-47
Chapter 10 Inventory and Config Collection Failure Notification
Step 5
Either:
Enter the location of the file to be exported or imported. Or Click Browse. The Server Side File Browser appears. Select a valid file location, and click OK. The file location appears in the Export/Import dialog box.
a.
b.
Step 6
Click OK.
Deleting a Filter
To delete a filter:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box, displaying the list of filters, appears in the Message Filter page. Select the required filter from the list in the dialog box. Click Delete. When you confirm the deletion, the filter is deleted.
Step 2 Step 3
Inventory and Config Collection Failure Notification


Configuring Trap Notification Messages Examples for Collection Failure Notification Fields in a Trap Notification Message
You can use the Collection Failure Notification option to configure the destination Server and Port to receive trap notification on Inventory Collection or Config Fetch failure. This failure trap is sent per device from the LMS server whenever the collection does not happen. Other network management stations can use this trap to know about LMS Inventory or Config collection failure status. You can check or uncheck the options available in this page to enable or disable the sending of trap notifications to other servers on Inventory Collection or Config Fetch failure.
10-48
OL-20721-01
Chapter 10
Notification and Action Settings Inventory and Config Collection Failure Notification
Table 10-14 lists the various fields and buttons available in the Notification on Failure Window:
Table 10-14 Collection Failure Notification
Field All
Description Check this option, if you require both the Config Fetch Failure and Inventory Collection Failure trap notification to be sent to the listed servers. The listed servers are those servers that you have configured to receive trap notifications. See the description for List of Destination field for more information.
Config Collection
Check this option, if you require the Config Fetch Failure trap notification to be sent to the listed servers. Uncheck this option if you do not want the Config Fetch Failure trap notification to be sent to the listed servers. The listed servers are those servers that you have configured to receive trap notifications. See the description for List of Destination field for more information.
Inventory Collection
Check this option, if you require the Inventory Collection Failure trap notification to be sent to the listed servers. Uncheck this option if you do not want the Inventory Collection Failure trap notification to be sent to the listed servers. The listed servers are those servers that you have configured to receive trap notifications. See the description for List of Destination field for more information.
Trap Destination Information
Server Port List of Destinations

Buttons
The name or IP address of the destination server. The port number of the destination server. The names of the destination servers along with their ports which are configured to receive the trap notifications. Use the Add button to add the destination server and port information. On clicking Add, the server and port information get reflected in the List of Destinations list. Use the Delete button to remove server and port information from the List of Destinations. To do so, select one or more server and port entry from the list of Destinations list and click on Delete to remove the entries from the list. Click to accept the changes made.
Add Delete
Apply
10-49
Chapter 10 Inventory and Config Collection Failure Notification
Configuring Trap Notification Messages

To configure the distribution of trap notification messages from LMS to the connected hosts:
Step 1
Select Admin > Network > Notification and Action Settings > Inventory and Config collection failure notification. The Notification on Failure dialog box appears. Refer to to further complete the selection in this dialog box.
Step 2
Click Apply to accept the changes made.
Examples for Collection Failure Notification

Example for Config Fetch Failure
You are providing the following information in the Collection Failure Notification screen: Destination Server: 10.77.153.47 Destination Port: 162 You are also enabling the Send Notification on Config Fetch Failure option. By enabling this option you are allowing trap notifications to be sent to the specified destination server on Config Fetch Failure using the specified port. After that you add few new devices to LMS and schedule a job to fetch the configurations for all the devices. There is a Config Fetch Failure as the scheduled job is unable to fetch the configurations for the new devices. The server 10.77.153.47 receives trap notifications for each Config Fetch Failure per device.
Example for Inventory Collection Failure
You are providing the following information in the Collection Failure Notification screen: Destination Server: 10.77.153.47 Destination Port: 162 You are also enabling the Inventory Collection option. By enabling this option you are allowing trap notifications to be sent to the specified destination server on Inventory Collection Failure using the specified port. After that you add few new devices to LMS and schedule a job to fetch the inventory information for all devices. There is a Inventory Collection Failure as the scheduled job is unable to fetch the inventory details for the new devices. The server 10.77.153.47 receives trap notifications for each Inventory Collection Failure per device.
10-50
OL-20721-01
Chapter 10
Notification and Action Settings IPSLA Syslog Configuration
Fields in a Trap Notification Message

Table 10-15 lists the various fields that constitute a Configuration Fetch or Inventory Collection Failure trap notification message.
Table 10-15 Fields in a Trap Notification Message
Field Device Display Name Collection Failure Time Error Message
Description Network device for which the inventory or configuration collection has failed. Time at which the inventory or configuration collection job failed. The message that describes the reason for the collection failure. Some examples of trap error messages:
Inventory Collection Failed due to SNMP TimeOut Exception. Config Collection Failed due to authentication failure.
Application Name LMS application that caused this change or identified the change and generated the notification.
IPSLA Syslog Configuration

Syslog is a trap message that is sent from the device if any changes occur to the device. You can either enable or disable the IPSLA Syslog. However the IPSLA Syslog can be configured only by a Network Administrator or System Administrator. The Device Selector will display only the Source devices that are IPSLA enabled. It does not display any Target devices. To enable or disable IPSLA Syslog:
Step 1
Select Admin > Network > Notification and Action Settings > IPSLA Syslog Configuration. The IPSLA Syslog Configuration page appears. Click Enable If you click Enable, LMS will run the IPSLA CLI Command on the selected device, through the config job on the LMS server. This enables the generation of the IPSLAs specific traps through the system logging (Syslog process). Immediate job will be created in LMS and the Job ID link appears. Clicking the link will display the Syslog details. Or If you click Disable, LMS will run the IPSLA CLI Command on the selected device, through the config job on the LMS server. (LMS will run the IPSLA CLI Command on the selected device, through the config job on the LMS server). Immediate job will be created in LMS and the Job ID link appears. Clicking the link will display the Syslog details.
Step 2
Note
In a Multi-server setup among different versions, IPSLA Syslog enables supported version will be greater than LMS 4.1
10-51
CH A P T E R
11
Administering Change Audit and Software Management

Change Audit tracks and reports changes made in the network. Change Audit allows other LMS to log change information to a central repository. Device Configuration, Inventory, and Software Management changes can be logged and viewed using Change Audit. LMS writes change records to Change Audit. Change Audit stores these records in the log tables (summary and details) for later use with reports. For example, Software Management records a change for each completed device upgrade. If a job has ten devices, then Software Management writes ten entries to the Change Audit log, but the Change Audit report shows only one job with ten devices. You can then access individual device information. Each application writes its own change records to Change Audit. For example, in Inventory you can set inventory change filters to filter out all kinds of information for different device types. Change Audit record maintenance is controlled by the Change Audit Delete Change History option. You can convert change records into SNMP V1 traps and forward them to a destination of your choice. This allows system administrators to forward critical network change data to their own NMS. You can define automated actions (e-mail and automated scripts) on creation of change audit record. The automated action gets triggered on creation of the change audit record. This section contains:

Setting Up Preferences Performing Change Audit Tasks Performing Maintenance Tasks Defining Exception Periods Defining Change Audit Automated Actions Software Management Administration Tasks Setting Change Report Filters
11-1
Chapter 11 Setting Up Preferences
Setting Up Preferences
You can use this feature to set up your editing preferences. Config Editor remembers your preferred mode, even across different invocations of the application. You can change the mode using the Device and Version, Pattern Search, Baseline or External Configuration option but the changes do not affect the default settings. To set up preferences:
Step 1
Select Configuration > Tools > Config Editor > Edit Mode Preference. The User Preferences dialog box appears. Set the default edit mode:
Step 2
Select Processed to display the file in the Processed mode. The configuration file appears at the configlet level (a set of related configuration commands). The default is Processed.
Select Raw to display the file in the Raw mode. The entire file appears as shown in the device.
Step 3
Click Apply to apply the set preferences.
Performing Change Audit Tasks

Change Audit allows you to:
Determine changes being made in the network during critical operations time System administrators can define the start and end times during the day when network changes should not be made. Based on this selection you can quickly see, for a given day, whether changes were made when they should not be. See Defining Exception Periods for defining the exception periods. Define automated actions on creation of change audit record Automated action gets triggered on creation of the change audit record. You can define any number of automated actions. The supported automated actions are, E-mail, Traps, and Automated scripts See Defining Change Audit Automated Actions for defining the Change Audit automated actions. Monitor your software image distribution and download history for software changes made using the Software Management application. Software Management automatically sends network change data to the Change Audit summary and details tables.
Track any configuration file changes Device Configuration automatically sends data on configuration file changes to the Change Audit log. See Generating 24 Hours and Standard Change Audit Reports for generating the Change Audit reports.
11-2
OL-20721-01
Chapter 11
Administering Change Audit and Software Management Performing Maintenance Tasks
Monitor inventory additions, deletions, or changes Inventory tracks specific messages or monitors any and all changes in your network inventory. To set inventory filters, use the Inventory Change Filter option. See Generating 24 Hours and Standard Change Audit Reports for generating the Change Audit reports.
View all the latest changes that occurred in the network over the last 24 hours 24-Hour Reports provides a quick way to access the latest changes in the Change Audit log. See Generating 24 Hours and Standard Change Audit Reports for generating the Change Audit reports.
Purging the Change Audit records Frees disk space and maintains your Change Audit records at a manageable size. You can either schedule for periodic purge or perform a forced purge of Change Audit data. See Performing Maintenance Tasks for scheduling a periodic purge. Generating change audit data in XML format
cwcli export changeaudit
is a command line tool that also provides servlet access to change audit data. This tool uses the existing Change Audit log data and generates the Change Audit log data in XML format.
Set the debug mode for Change Audit application You can set the debug mode for Change Audit application in the Log Level Settings dialog box (Select Admin > System > Debug Settings > Config and Image Management Debugging settings; select Change Audit from the Application drop-down list.).
Generating 24 Hours and Standard Change Audit Reports
To generate 24 Hours and Standard Change Audit Reports:

Select Reports > Audit. Select Change Audit from the first drop-down list box. Select Standard from the second drop-down list box.
Performing Maintenance Tasks

You can either schedule for periodic purge or perform a forced purge of Change Audit data. This frees disk space and maintains your Change Audit data at a manageable size. You can perform these tasks:

Setting the Purge Policy Performing a Forced Purge Config Change Filter
11-3
Chapter 11 Performing Maintenance Tasks
Setting the Purge Policy

You can specify a default policy for the periodic purging of Change Audit data.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. To set the Change Audit Purge Policy:
Step 1
Select Admin > Network > Purge Settings > ChangeAudit Purge Policy. The Purge Policy dialog box appears in the Periodic Purge Settings pane. Enter the following information: Description Enter the number of days. Only Change Audit records older than the number of days that you specify here, will be purged. The default is 180 days. Enter the number of days. Only Audit Trail records older than the number of days that you specify here, will be purged. The default is 180 days.
Step 2
Field Purge change audit records older than Purge audit trail records older than
Scheduling
Run Type
You can specify when you want to run the Purge job for Change Audit and Audit Trail records. To do this select one of the following options from the drop-down menu:

The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. Date at You can select the date and time (hours and minutes) to schedule. Enter the start time, in the hh:mm:ss format (23:00:00).
11-4
OL-20721-01
Chapter 11
Administering Change Audit and Software Management Performing Maintenance Tasks
Field
Job Info
Description The system default job description, ChangeAudit Records - default purge job is displayed. You cannot change this description. Enter e-mail addresses to which the job sends messages at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.
Caution
You might delete data by changing these values. If you change the number of days to values lower than the current values, messages over the new limits will be deleted. Click either Save to save the Purge policy that you have specified, or click Reset to reset the changes made to a Purge policy.
Step 3
Performing a Forced Purge

You can perform a Forced Purge of Change Audit, as required.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. To perform a Change Audit Forced Purge:
Step 1
Select Admin > Network > Purge Settings > ChangeAudit Force Purge. The Purge Policy dialog box appears. Enter the information required to perform a Forced Purge: Description Enter the number of days. Only Change Audit records older than the number of days that you specify here, will be purged. Enter the number of days. Only Audit Trail records older than the number of days that you specify here, will be purged.
Step 2
Field Purge change audit records older than Purge audit trail records older than
11-5
Chapter 11 Performing Maintenance Tasks
Field
Scheduling
Description You can specify when you want to run the Force Purged job for Change Audit and Audit Trail records. To do this select one of the following options from the drop-down menu:

Run Type
ImmediateRuns this task immediately. OnceRuns this task once at the specified date and time.
Date
Enter the start date in the dd-mmm-yyyy format, for example, 02-Dec-2003, or click on the Calendar icon and select the date. The Date field is enabled only if you have selected Once as the Run Type. Enter the start time, in the hh:mm:ss format (23:00:00). The At field is enabled only if you have selected Once as the Run Type
at
Job Info
Enter a description for the job. This is mandatory. Enter e-mail addresses to which the job sends messages at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.
Step 3
Click Submit for the Forced Purge to become effective.
11-6
OL-20721-01
Chapter 11
Administering Change Audit and Software Management Defining Exception Periods
Config Change Filter

You can use this option to enable or disable VLAN Change audit filtering. When there is a change to the device configuration, a change record is created. By default, the VLAN change audit record is created for those devices that have a VLAN configuration. To enable or disable the VLAN Change Audit Filter option:
Step 1
Select Admin > Network > Change Audit Settings > Config Change Filter. The Config Change Filter dialog box appears. Check or uncheck the Enable VLAN Change Audit Filter option.

Step 2
Check Enable VLAN Change Audit Filter, if you do not want the change audit record to be created for devices that have a VLAN configuration. Uncheck Enable VLAN Change Audit Filter, if you want the change audit record to be created for devices that have VLAN configuration. By default, this option is unchecked.
Step 3
Click either Apply to apply the option or click Cancel to discard the changes.
Defining Exception Periods

An Exception period is a time you specify when no network changes should occur. This period does not prevent you from making any changes in your network. The set of Exception periods is known as an Exception profile. You can have only one Exception period for a day. You perform the following tasks for Exception profiles: Tasks Creating an Exception Period Enabling and Disabling an Exception Period Editing an Exception Period Deleting an Exception Period Description Creating an exception profile. Enabling and disabling a set of exception profiles. Editing an exception profile. Deleting a set of exception profiles.
11-7
Chapter 11 Defining Exception Periods
Creating an Exception Period

To create an Exception profile:
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. Select Admin > Network > Change Audit Settings > Exception Periods. The Define Exception Period dialog box appears. Select:

Step 1
Step 2
Days of the week from the Day drop-down list box Start and end times from the Start Time and the End Time drop-down list box.
Step 3
Click Add. The defined exception profile appears in the List of Defined Exception Periods pane. To enable the exception period, see Enabling and Disabling an Exception Period.
Enabling and Disabling an Exception Period

To enable and disable a set of exceptions periods:
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. Select Admin > Network > Change Audit Settings > Exception Periods. The Define Exception Period dialog box appears. Select one or more exception profiles in the List of Defined Exception Periods pane. Click Enable/Disable.

Step 1
Step 2 Step 3
If you have selected Enabled, then the exception period report is generated for that specified time frame. If you have selected Disabled, then the exception period report is not generated for that whole day. For example: If you have disabled exception period for Monday from 10:00 am to 12:30 pm, then there will not be any exception period report generated for Monday.
11-8
OL-20721-01
Chapter 11
Administering Change Audit and Software Management Defining Exception Periods
Editing an Exception Period

To edit an exception profile:
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. Select Admin > Network > Change Audit Settings > Exception Periods. The Define Exception Period dialog box appears. Select a day from the Day drop-down list box for which you want to change the exception period. Change the start and end times in the Start Time and the End Time drop-down list box. If required you can also enable or disable the status for the exception period. Click Add. The edited exception profile appears in the List of Defined Exception Period dialog box. This will overwrite the existing exception profile for that day.
Step 1
Step 2 Step 3
Step 4
Deleting an Exception Period

To delete a set of Exceptions Periods:
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. Select Admin > Network > Change Audit Settings > Exception Periods. The Define Exception Period dialog box appears. Select one or more exception profiles in the List of defined Exception Periods pane. Click Delete.
Step 1
Step 2 Step 3
11-9
Chapter 11 Defining Change Audit Automated Actions
Defining Change Audit Automated Actions

You can define automated actions on creation of change audit record. This automated action gets triggered on creation of the change audit record. You can define any number of automated actions. The supported automated actions are:

E-mail Traps Automated scripts Understanding the Automated Action Window Creating an Automated Action Editing an Automated Action Enabling and Disabling an Automated Action Exporting and Importing an Automated Action Deleting an Automated Action

Understanding the Automated Action Window

This window contains the following entries: Field Name Status Type Description Name of the automated action. Status of the automated actionEnabled, or disabled. Type of automated actionEmail, Script or Trap.
You perform the following tasks from this window: Tasks Creating an Automated Action Enabling and Disabling an Automated Action Editing an Automated Action Description Creating an automated action. Enabling and disabling a set of automated actions. This button gets activated only after selecting an automated action. Editing an automated action. This button gets activated only after selecting an automated action. Exporting and Importing an Automated Action Deleting an Automated Action Exporting and importing a set of automated actions. Deleting a set of automated actions. This button gets activated only after selecting an automated action.
11-10
OL-20721-01
Chapter 11
Administering Change Audit and Software Management Defining Change Audit Automated Actions
Creating an Automated Action

To create an automated action:
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. Select Admin > Network > Notification and Action Settings > ChangeAudit Automated Actions. The Automated Action dialog box appears. Click Create. The Define Automated Action dialog box appears. Enter the following: Field Name Status Application Category Mode User Description Name for the automated action. Select either Enabled or Disabled For the automated action to trigger. Select the name of the application on which the automated action has to be triggered. Select the types of the changes, for example, configuration, inventory, or software on which the automated action has to be triggered. Select the connection mode on connection modes on which the automated action has to be triggered. Select the user name on which the automated action has to be triggered.
Step 1
Step 2
Step 3
Step 4
Click Next. The Automated Action Type dialog box appears. Select either E-mail or Trap or Script. Based on your selection, enter the following data: Description Enter the E-mail ID for which the trigger has to be notified. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). You will receive the e-mail with the E-mail ID as the sender's address.
Step 5
Field Send To
If you have selected E-mail, enter:
Subject Content
Enter the subject of the e-mail. Enter the content of the e-mail.
11-11
Field
Description
If you have selected Trap, perform:
Enables configuration of a single or dual destination port numbers and hostnames for the traps generated by Change Audit. Ensure that you have copied these files:

CISCO-ENCASE-MIB.my CISCO-ENCASE-APP-NAME-MIB.my
into the destination system to receive the traps. These files are available in the following directories on LMS server: On UNIX: /opt/CSCOpx/objects/share/mibs On Windows: NMSROOT\objects\share\mibs. Where NMSROOT is the root directory of the LMS Server.
a. b.
Enter the Server and Port details in the Define Trap field. Click Add. The server and port information appears in the List of Destinations text box. If you want delete, the server and port information, select the server and port information from the List of Destinations text box and click Delete.
If you have selected Script, enter...
You can run only shell scripts (*.sh) on Unix and batch files (*.bat) on Windows. The shell script or batch file should have only write/execute permissions for casuser:casusers in Solaris/Soft Appliance and casuser/Administrator in Windows. The other users should have only read permission. You must ensure that the scripts contained in the file has permissions to execute from within the casuser account. The following are the parameters for change audit automated action that will appear in the script:
Application Name Category User Name Description Connection Mode Host Name
The script files must be available at this location: On UNIX: /var/adm/CSCOpx/files/scripts/changeaudit On Windows: NMSROOT/files/scripts/changeaudit To select the script file:
a.
Click Browse. The Server Side File Browser dialog box appears with the predefined location. Select the script file (*.sh on Unix and *.bat on Windows) Click OK.
b. c.
11-12
OL-20721-01
Chapter 11
Administering Change Audit and Software Management Defining Change Audit Automated Actions
Step 6
Click Finish. The Automated Action window appears with the defined automated action.
Editing an Automated Action

To edit an automated action:
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions. The Automated Action dialog box appears. Select an Automated Action. Click Edit. (See step 3 to step 5 in Creating an Automated Action.). Click Finish. The Automated Action window appears with the updated data.
Step 1
Enabling and Disabling an Automated Action

To enable or disable a set of automated actions:
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions. The Automated Action dialog box appears. Select one or more Automated actions. Click Enable/Disable. The Automated Action window appears with the updated data.
Step 1
Step 2 Step 3
11-13
Exporting and Importing an Automated Action

To export or import an automated action:
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions. The Automated Action dialog box appears. If you want to export an Automated action, then select the automated actions else go to next step. Click Export/Import. The Export/Import dialog box appears. Select the task to be performedExport or Import. Either:
Step 1
Step 2 Step 3
Step 4 Step 5
Enter the filename along with the absolute path. Click Browse, The Server Side File Browser dialog box appears. Select a folder. Click OK. Enter the filename.
Or
a. b. c. Step 6
Click OK.
Deleting an Automated Action

To delete a set of automated actions:
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions. The Automated Action dialog box appears. Select a or a set of Automated actions. Click Delete. The Automated Action window appears with the updated data.
Step 1
Step 2 Step 3
11-14
OL-20721-01
Chapter 11
Administering Change Audit and Software Management Software Management Administration Tasks
Software Management Administration Tasks

You can set your preference to download images. To do this, select Admin > Network > Software Image Management. The following section explains how to set the Software Management preferences:
Viewing/Editing Preferences
Viewing/Editing Preferences
Edit Preferences helps you to set or change your Software Management preferences. The options you specify here are applicable to Software Management tasks such as image distribution, image import, etc. This section contains:

Selecting and Ordering Protocol Order How Recommendation Filters Work for an IOS Image
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. To view and edit the preferences:
Step 1
Select Admin > Network > Software Image Management > View/Edit Preferences. The View/Edit Preferences dialog box appears. Enter the following: Description New directory to store software images. By default the software images are stored at this location: On Solaris/Soft Appliance: /var/adm/CSCOpx/files/rme/ repository/ On Windows: NMSROOT/files/rme/repository Where NMSROOT is the Cisco Prime installed directory. Usage Notes If you enter a new name, all existing files are moved to this directory. If the directory does not have enough space, the files are not moved and an error message appears. If the specified directory does not exist, Software Management creates a new directory before moving the files to the new directory. The new directory should be empty. The new directory specified by you should have the permission for casuser:casusers in Solaris/Soft Appliance and casuser should have Full Control in Windows.
Step 2
Field
Repository Management
Image Location
11-15
Chapter 11 Software Management Administration Tasks
Field
Distribution
Description
Usage Notes
Script Location
On UNIX, the scripts should have read, write, and execute You can specify only shell scripts (*.sh) on UNIX and batch permissions for the owner (casuser) and read and execute permissions for group casusers. That is, the script should have 750 files (*.bat) on Windows. permission. The script files must be available On Windows, the script should have read, write, and execute at this location: permissions for casuser/Administrator. On UNIX: The other users should have only read permission. You must /var/adm/CSCOpx/files/scripts/ ensure that the scripts contained in the file have permissions to swim execute from within the casuser account. On Windows: This script is run before and after completing each device software NMSROOT/files/scripts/swim upgrade for all scheduled jobs. To select the script file:
a.
Click Browse. The Server Side File Browser dialog box appears with the predefined location.
b. c.
Select the script file (*.sh on Unix and *.bat on Windows) Click OK.
You can use Clear to clear your selections for Script Location. This clears all previous values. Script Timeout (seconds) Protocol Order Number of seconds the users script can run (default = 90). Specify an order of preferred protocol for image import/distribution. The supported protocols are:

Software Management waits for the time specified before concluding that the script has failed. This preferred protocol order is followed only for those devices that permit more than one protocol for image transfer. In devices, where multiple protocol option is not available for image transfers, Software Management uses its own knowledge and selects the relevant protocol to upgrade the device. For fetching configuration from device, the protocol settings of Configuration Management is used. Software Management uses the same protocol for fetch and download of configurations. You can set the Configuration Management protocol order using Admin > Collection Settings > Config > Config Transport Settings.
RCP TFTP SCP HTTP
See Selecting and Ordering Protocol Order for further details.
11-16
OL-20721-01
Chapter 11
Field Use SSH for software image upgrade and software image import through CLI (with fallback to TELNET).
Description Uses this protocol to connect to the devices. By default, Telnet is used to connect to the devices. If SSH fails, then Telnet is used to connect to the devices.
Usage Notes The device must support SSH for Software Management to use this protocol. Software Management uses command line interface to upgrade software images and to import software images. When you select the SSH protocol for the Software Management, the underlying transport mechanism checks whether the device is running SSHv2. If so, it tries to connect to the device using SSHv2. If the device does not run SSHv2 and runs only SSHv1 then it connects to the device through SSHv1. If the device runs both SSHv2 and SSHv1, then it connects to the device using SSHv2. If a problem occurs while connecting to the device using SSHv2, then it does not fall back to SSHv1 for the device that is being accessed and Telnet is used to connect to the device. See the Software Management Functional Supported Device tables on Cisco.com for SSH and CLI device support information. http://www.cisco.com/en/US/products/sw/cscowork/ps2073/prod ucts_device_support_tables_list.html
Recommendation Filters (See How Recommendation Filters Work for an IOS Image.)
Include Cisco.com images for image recommendation Include General deployment images Include latest maintenance release (of each major release).
During image distribution, recommend Cisco.com images for Cisco devices. Includes only GD images. For Cisco IOS devices only.
Includes the latest major releases For Cisco IOS devices only. of IOS images. For example, if Release 12.2(5) was latest maintenance version in the 12.2 major release, the recommended image is IOS 12.2(5). For Cisco IOS devices only.
Include images higher Includes the images that are than running image. newer than the images running on your device. For example, if the device is running Release 11.2(3), the recommended images are 11.2(4) and later.
11-17
Field Include same image feature subset as running image.
Description Include only images that have the same feature subset as the current image. For example, if you want IOS images with the ENTERPRISE IPSEC feature, the recommended images contain the latest version. This version contains feature subset that fits the Flash.
Usage Notes For Cisco IOS devices only.
Password Policy
Enable Job Based Password
Enter a username and password for running a specific Software Management job. If you enter a username and password, Software Management application uses this username and password to connect to the device, instead of taking these credentials from the Device and Credential Repository.
If you have enabled User Configurable option, you can disable this option while scheduling the distribution jobs. If you have disabled User Configurable option, you must enter the username and password while scheduling the distribution jobs.
These passwords are used only to connect to devices for which Software Management uses CLI, Telnet, and SSH.for software upgrades. See the Software Management Functional Supported Device tables on Cisco.com for CLI, Telnet and SSH device support information. http://www.cisco.com/en/US/products/sw/cscowork/ps2073/prod ucts_device_support_tables_list.html
Step 3
Either:

Click Apply to save your changes. Click Defaults to display the default configuration. Click Cancel to discard the values entered and revert to previously saved values.
11-18
OL-20721-01
Chapter 11
Selecting and Ordering Protocol Order

In the View/Edit Preferences dialog box (Admin > Network > Software Image Management > View/Edit Preferences) you can define the protocol order that Software Management has to use for software image download. Software Management tries to download the software images based on the specified protocol order. While downloading the images, Software Management uses the first protocol in the list. If the first protocol in the list fails, these jobs use the second protocol and so on, until Software Management finds a transport protocol for downloading the images.
To Enable the Protocols:
Step 1 Step 2
Select a protocol from the Available Protocols pane. Click Add or double click the mouse.
To Disable the Protocols:

Step 1 Step 2
Select a protocol from the Selected Protocol Order pane. Click Remove or double click the mouse.
To Reorder the Protocols

Step 1 Step 2
Select the protocols from the Selected Protocol Order pane. Click Remove. You can either select the protocols individually or use the mouse to select all of them and click Remove. Select a protocol from the Available Protocols pane. Click Add or double click the mouse.
Step 3 Step 4
11-19
How Recommendation Filters Work for an IOS Image

This section describes how the recommendation filters that you select in the View/Edit Preferences dialog box (Admin > Network > Software Image Management > View/Edit Preferences) work for a Cisco IOS image. If you have selected the option, Include Cisco.com Images for image recommendation, Software Management checks for the images that are available on Cisco.com and the Software repository. If the same image is available in the Software repository and Cisco.com, the image is recommended from the Software repository. If you have not selected the option, Include Cisco.com Images for image recommendation, the Software Management checks and recommends images only from Software repository.
Table 11-1 Recommending Images for an Cisco IOS Image
Option Number 1
Include General Deployment Images Not selected
Include Latest Mainten ance Release (of Each Major Release) Not selected
Include Images Higher Than Running Image Not selected
Include Same Image Feature Subset as Running Image Not selected
Recommendation The recommendation image list includes:

All available images. In case of,

Multiple images with the same version as that of the running
image version are present, the image with a higher compatible feature than the running image is recommended.
Similar images in Cisco.com and Software Management
repository, the image from the repository is recommended.
The image feature can be the same or a superset of the running image.
If a higher version is not available, then no recommendation is made. 2 Not selected Not selected Not selected Selected The recommended list contains images that have the same feature set as that of the running image. The images with the highest version among the recommended image list are recommended. 3 Not selected Not selected Selected Not selected The recommend list contains all types of releases (deployment status). The images with the highest version among recommended image list are recommended. The feature set of the recommended image may be superior than the running image. 4 Not selected Selected Not selected Not selected The latest maintenance version in each release is available in the recommend image list. The latest image version is recommended.
11-20
OL-20721-01
Chapter 11
Table 11-1
Recommending Images for an Cisco IOS Image (continued)
Option Number 5
Include General Deployment Images
Include Latest Mainten ance Release (of Each Major Release)
Include Images Higher Than Running Image Not selected Not selected
Include Same Image Feature Subset as Running Image Not selected
Recommendation The images with deployment status identified as GD are available in the recommended image list and other recommendation flow remains the same as the option 1.
Selected Not selected Selected Not selected Selected Not selected
6 7
Selected Same as option5. However, the recommended list contains images that have the same feature set as that of running image. Same as option 5. However, the image with the highest version in the recommended image list is recommended. The feature set of the recommended image may be superior than the running image.
Selected Not selected
Selected Not selected
Selected Selected Same as option 6. However, the image with the highest version in the recommended image list is recommended. All recommend images will have the same feature subset as the running image.
Selected Selected Not selected
Not selected
The images with the highest version among recommended image list are recommended. The images of GD types of releases are available in the recommended image list.
10
Selected Selected Not selected
Selected The images with the same feature as that of running image is available in the recommended list and the latest maintenance version of all release is available in the recommended list. Only an image with higher version than running image is recommended. The recommended images can have only GD status.
11
Selected Selected Selected Not selected
Same as option 9. In addition to this, an image with the higher version than running image is also recommended.
11-21
Chapter 11 Setting Change Report Filters
Setting Change Report Filters

Using the Inventory Change Filter dialog box, you can select the attributes that you do not wish to log using Change Audit. The history of inventory changes are logged by and viewed through Change Audit. The attributes that you select in the Inventory Change Filter dialog box, are monitored for Inventory changes like other variables. However, they are not logged using Change Audit. Consequently, these changes are not displayed in your inventory change reports. For example, for Stack devices, if you do not want to log the operational status for changes in Change Audit, select the Operational Status option in the Inventory Change Filter dialog box. The Inventory Change Filter dialog box, displays each attribute group and the corresponding filters for the attribute group, for your selection.
To view all inventory change reports, select Reports > Inventory. In the Report Generator dialog box, first select the application, Change Audit, and then select the Exception Period Report from the respective drop-down lists. To view inventory changes from the last 24 hours, select Reports > Inventory. In the Report Generator dialog box, first select the application, Inventory, and then select report 24 Hour Inventory Change report from the respective drop-down lists.
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task. To set Inventory change filters:
Step 1
Select Admin > Network > Change Audit Settings > Inventory Change Filter. The Inventory Change Filter dialog box appears. Select a group from the Select a Group drop-down list. See Table 11-2. The dialog box refreshes to display the filters available for the attribute group that you selected. Select the attributes that you do not want to monitor for changes. Click Save. A confirmation dialog box appears. Click OK to save the details. You can use Reset All to reset your selections for all groups. This resets all previous values to blanks.
Step 2
Step 3 Step 4
Step 5
11-22
OL-20721-01
Chapter 11
Administering Change Audit and Software Management Setting Change Report Filters
Table 11-2
Inventory Change Filters
Report Inventory Group

Asset
Custom Report Group/Attribute Orderable Part Number Tag CLE Identifier Mfg Assembly Revision Mfg Assembly Number Physical Index
Description Orderable part number of asset. Asset tag. Represents CLIE (Common Language Equipment Identifier) code for the physical entity. Manufacturing assembly revision of asset. Manufacturing assembly number of asset. Physical index of asset Operational status of backplane. Indicates the relative position of this child component among all its sibling components. Name of manufacturer. Name of physical entity. Configuration of backplane slots Name of model. Type of vendor. Serial number of backplane. Description of backplane. Type of component. Index of backplane. FRU of backplane. Field-replaceable unit is a hardware component that can be removed and replaced on site. Alias name of backplane. Type of bridge. Number of ports in the bridge. Base address of bridge.
Back Plane
Operational Status Parent Relative Position Manufacturer Name Physical Entity Name Slot Configuration Model Name Vendor Type Serial Number Description Component Type Index Field Replaceable Unit
Alias Name
Bridge
Bridge Type Number of Ports Base Bridge Address
11-23
Table 11-2
Inventory Change Filters (continued)

Chassis
Custom Report Group/Attribute Chassis Model Name Chassis Serial Number Chassis Vendor Type Chassis Version Report Published Description Field Replaceable Unit Component Type Alias Name Index Parent Relative Position Physical Entity Name Free Slots Slot Capacity Power Available (Watts) Power Consumption (Watts) Power Consumption (%) Power Remaining (Watts) Operational Status Manufacturer Name Slot Configuration
Description Name of the chassis model. Serial number of the chassis. Type of vendor. Version number of the chassis. Indicates whether Report is published or not. Displays the value as True or False. Description of chassis. FRU of chassis. Type of component. Alias name of chassis. Physical index of chassis. Indicates the relative position of this child component among all its sibling components. Name of physical entity. Free slots in chassis. Slot capacity of chassis. Power available at chassis level Power consumption at chassis level Percentage of power consumption at chassis level. Power remaining at chassis level. Operational status of chassis. Name of manufacturer. Slot configuration of chassis. Physical index of component. FRU of component. Alias name of component. Indicates the relative position of this child component among all its sibling components. Operational status of component. Name of manufacturer. Name of component. Slot configuration of component. Name of model. Vendor type of component. Component serial number. Description of component. Type of component.
Component
Index Field Replaceable Unit Alias Name Parent Relative Position Operational Status Manufacturer Name Name Slots Configured Model Name Vendor Type Serial Number Description Component Type
11-24
OL-20721-01
Chapter 11
Table 11-2

Container
Custom Report Group/Attribute Alias Name Operational Status Manufacturer Name Slot Configuration Container Model Name Container Vendor Type Parent Relative Position Container Serial Number Physical Entity Name Description Component Type Index Field Replaceable Unit
Description Alias name of container. Operational status of container. Name of manufacturer of container. Slot configuration of container. Model name of container. Vendor type of container. Parent Relative Position of container. Serial number of container. Physical entity name of container. Description of container. Type of container component. Index of container. FRU of container. Name of model of fan. Vendor type of fan. Parent Relative Position of fan. Serial number of fan. Description of fan. Physical entity name of fan. Component type of fan. Index of fan. FRU of fan. Alias name of fan. Operational status of fan. Name of manufacturer of fan. Slot configuration of fan. Module index of flash.
Fan
Fan Model Name Fan Vendor Type Parent Relative Position Fan Serial Number Description Physical Entity Name Component Type Index Field Replaceable Unit Alias Name Operational Status Manufacturer Name Slot Configuration
Flash
Module Index
11-25
Table 11-2

Flash Device
Custom Report Group/Attribute Removable Jumper Controller Chip Count Size (MB) Partition Count Maximum Partitions Minimum Partition Size (MB) Name Index Description
Description Indicates whether the flash device removable. Jumper of the flash device. Flash device controller. Flash device chip count. Total flash device size in MB. Partition count of flash device. Maximum partitions in flash device. Minimum partition size of flash device. Name of the flash device. Index of flash device. Description of flash device. Flash file index. Flash file status. Checksum of flash file. Size of flash file. Name of flash file. Algorithm of the flash partition Flash filename length. Whether an erase is needed. Method of upgrade of flash partition. Status of flash partition. Free space in MB. Flash partition size in MB. Name of flash partition. Flash partition index.
Flash File
Index Status Checksum Size (MB) Name
Flash Partition
Algorithm Filename Length Erase Needed Upgrade Method Status Free (MB) Size (MB) Name Index
11-26
OL-20721-01
Chapter 11
Table 11-2

IP Address
Custom Report Group/Attribute IP Address Index Address State Address Type Protocol of Address Max Re-assemble Size Broadcast Address Network Mask
Description IP Address of the device. IP Address index. IP Address state. Type of IP Address. Protocol of IP Address. Maximum re-assemble size. Broadcast address. Network mask of IP Address. ROM system software version. Version of ROM. System Boot Variable System image file. Minimum Boot Flash in MB. Minimum NVRAM in MB. Minimum DRAM in MB. Media of image. Image feature Image module. Software image present on the device. Build time of image. Image family. Image system description. Version of the software image on the device. Description of image. Processor index of image. Maximum transmission unit. Maximum packet size, in bytes, that this interface can handle. Interface alias. Time of last change. Operational status of interface. Administrative status of interface. Speed of interface in Mbps. Type of interface. Description of interface. Name of interface Physical address of interface.
Image
ROM Sys Version ROM Version System Boot Variable System Image File Minimum Boot Flash (MB) Minimum NVRAM (MB) Minimum DRAM (MB) Media Feature Module Image Build Time Family System Description Version Description Processor Index
Interface
MTU Alias Last Changed Operational Status Admin Status Speed (Mbps) Type Description Name Physical Address
11-27
Table 11-2
Custom Report Group/Attribute Index Identifier FlexLink Enabled SPAN Enabled
Description Index of interface. Identifier of interface. FlexLink status of the interface. Whether the interface is Span enabled Processor index. Total memory in MB. Lowest free block of memory in MB. Largest free block of memory in MB. Free memory in MB Used memory in MB. Validity of memory pool. Alternate memory pool. Name of the memory pool. Memory pool type.
Memory
Processor Index Total Memory (MB) Lowest Free Block (MB) Largest Free Block (MB) Free (MB) Used (MB) Validity Alternate Pool Name Type
Memory Pool
11-28
OL-20721-01
Chapter 11
Table 11-2

Module
Custom Report Group/Attribute Parent Relative Position Field Replaceable Unit Alias Name Reset Reason Admin Status Additional Status Module IP Address Hardware Encryption Slot Number Inline Power Capable Parent Type Multiservice Parent Index Number of Slots FW Version SW Version HW Version Operational Status Manufacturer Name Physical Entity Name Slot Configuration Model Name Vendor Type Serial Number Description Component Type Index
Description Parent Relative Position of module. FRU of module. Alias name of module. Module reset reason. Administrative status of module Additional status of module IP Address of module Hardware encryption of module Slot number of module Inline power capability of module Module parent type. Is this a multiservice module Parent index of module Number of slots in module Firmware version of module Software version of module Module hardware version. Operational status of module Name of manufacturer of module Physical entity name of module Slot configuration of module Name of module. Vendor type of the module. Serial number of module. Description of module Component type of module Index of module
11-29
Table 11-2

Port
Custom Report Group/Attribute Manufacturer Name Slot Configuration Port Model Name Port Vendor Type Port Serial Number Parent Relative Position Description Component Type Physical Entity Name Port Index Field Replaceable Unit Alias Name Status Operational Status POE Admin Status POE Power Allocated
Description Port manufacturer name. Slot configuration of port. Model name of port. Port vendor type. Serial number of port. Parent Relative Position of port. Description of port. Port component type. Physical Entity Name of port. Port index. FRU of port. Alias name of port. Status of port Operational Status of port The POE Port Admin Status. The amount of power allocated from the Power Sourcing Equipment (PSE) for the Powered device. This is a POE device specific attribute. The maximum amount of power that the PSE makes available to the Powered device connected to the Port interface. This is a POE device specific attribute. Power consumption percentage of the port. Power consumption of the port. Power available for a powered device connected to the port. Power remaining for a powered device connected to the port. Port interface number.
POE Maximum Power
Power Consumption (%) Power Consumption Power Available Power Remaining

Port Interface
Number
11-30
OL-20721-01
Chapter 11
Table 11-2

Power Supply
Custom Report Group/Attribute Parent Relative Position Physical Entity Name Admin Status Operational Status Manufacturer Name Field Replaceable Unit Slot Configuration Alias Name Power Supply Model Name Power Supply Vendor Type Power Supply Serial Number Description Component Type Index
Description Parent Relative Position of power supply. Physical Entity Name of power supply. Administrative status of power supply. Operational status of power supply. Manufacturer Name of power supply. FRU of power supply. Slot configuration of power supply. Alias name of power supply. Model name of power supply. Vendor type of power supply. Serial number of power supply. Description of power supply. Component type of power supply. Index of power supply.
11-31
Table 11-2

Processor
Custom Report Group/Attribute Field Replaceable Unit Alias Name Slot Number Parent Type Parent Index Reboot Config Register Value Config Register Value Physical Entity Name NVRAM Used (KB) NVRAM Size (KB) RAM Size (MB) Operational Status Manufacturer Name Slot Configuration Model Name Reset Reason Vendor Type Admin Status Serial Number Additional Status Description Module IP Address Component Type Hardware Encryption Index Inline Power Capable Multiservice Number of Slots FW Version SW Version HW Version Parent Relative Position
Description Processor FRU. Alias name of processor. Slot number of processor. Parent type of processor. Parent index of processor. Reboot configuration register value. Configuration register value Name of physical entity. Size of the processor NVRAM that has been utilized, in KB. Size of the processor NVRAM in KB. Size of processor RAM in MB. Operational status of processor. Manufacturer name of processor. Slot configuration of processor. Name of the processor model. Processor reset reason. Processor vendor type. Administrative status of processor. Serial number of processor. Additional status of processor. Description of processor. Module IP Address of processor. Component type of processor. Hardware encryption. Index of processor. Inline power capability of processor. Multiservice. Number of slots in processor. Firmware version of processor. Software version of processor. Hardware version of processor. Parent Relative Position of processor.
11-32
OL-20721-01
Chapter 11
Table 11-2

Sensor
Custom Report Group/Attribute Parent Relative Position Physical Entity Name Operational Status Manufacturer Name Field Replaceable Unit Alias Name Slot Configuration Sensor Model Name Sensor Vendor Type Sensor Serial Number Description Component Type Index
Description Parent Relative Position of sensor. Name of physical entity of sensor. Operational status of sensor Manufacturer name of sensor FRU of sensor Alias name of sensor Slot configuration of sensor Model name of sensor Vendor type of sensor Serial number of sensor Description of sensor Component type of sensor Index of sensor Serial number of slot. Description of slot. Component type of slot. Index of slot. Parent Relative Position of slot. Physical Entity Name of slot. Operational Status of slot. Name of manufacturer of slot. FRU of slot. Configuration of slot. Alias name of slot. Model name of slot. Vendor type of slot. FRU of stack. Operational status of stack. Alias name of stack Manufacturer name of stack Slot configuration of stack Model name of stack Vendor type of stack Serial number of stack Description of stack Parent Relative Position of stack
Slot
Serial Number Description Component Type Index Parent Relative Position Physical Entity Name Operational Status Manufacturer Name Field Replaceable Unit Slot Configuration Alias Name Model Name Vendor Type
Stack
Field Replaceable Unit Operational Status Alias Name Manufacturer Name Slot Configuration Stack Model Name Stack Vendor Type Stack Serial Number Description Parent Relative Position
11-33
Table 11-2
Custom Report Group/Attribute Component Type Index Physical Entity Name
Description Stack component type. Index of stack. Physical Entity Name of stack. Index of system application Software serial number of system application. Software version of system application Name of software product. Software manufacturer of system application System Up Time. Host name of the system Management type of system. Modularity of system. OSI layer services of system. System name. System Object ID of the device. Date and time of last system update. System location. System contact. Domain name of the system. Description of the system.
Sys Application
Index Software Serial Number Software Version Software Product Name Software Manufacturer
System
SysUpTime Host Name Management Type Modular OSI Layer Services System Name System Object ID Last Updated At Location Contact Domain Name Description
11-34
OL-20721-01
CH A P T E R
12
Managing Jobs
In LMS 4.1, there is a Job Browser which enables you to view the status of all the LMS admin-related Jobs. LMS applications, such as NetConfig, Config Editor, Archive Management, and Software Management allow you to schedule jobs to perform their tasks. Job Approval allows you to require that one of a group of users designated as job Approvers approves each job before it can run. This section contains the following:

Using Job Browser Configuring Default Job Policies Configuring NetShow Job Policies Enabling Approval and Approving Jobs Using Job Approval Job Approval Workflow Using Device Selector
Using Job Browser

In LMS 4.1, there is a Job Browser which enables you to view the status of all the LMS admin-related Jobs. The job details that you can view here include the job ID, the job type, the job status, the job description, the job owner, the time the job is scheduled to run at, the time of job completion, and the schedule type. To open the job browser, select Admin > Jobs > Browser. The Job Browser appears.
12-1
Chapter 12 Using Job Browser
Managing Jobs
Table 12-1 displays the fields in the LMS Job Browser.

Table 12-1 LMS Job Browser
Column Job ID
Description Unique number assigned to this task at creation time. This number is never reused. There are two formats:
Job ID: Identifies the task. This does not maintain a history. For Example:1001
JobID.Instance ID: Here, in addition to the task, the instance of the task can also be identified. For example: 1001.1, 1001.2
Type
Type of job. The jobs include User Tracking jobs, LMS reports, Inventory Collection, Identity provisioning, Identity monitoring and so on. Job states include:

Run Status
Running Waiting for approval Scheduled (pending) Succeeded Succeeded with Info Failed Crashed Cancelled Suspended Rejected Missed Start Failed at Start
Select a job state from the Run Status drop-down list box to view the details of the all jobs that match the job state. If there are no jobs with any of these job states, the Run Status drop-down list box will not display the respective job state. Sched Type Frequency of the job. This can be:

Once Immediate Periodic (calendar/time based).
Description Run Sched
Description of the job. Schedule details of the job.
12-2
OL-20721-01
Chapter 12
Managing Jobs Using Job Browser
Table 12-1
LMS Job Browser (continued)
Column Status
Description Provides the status of the current jobs. The status of the current jobs is displayed as succeeded or failed. It also displays the failure reasons. Username of the job creator. Date and time at which the job was scheduled. Date and time at which the job was completed.
Owner Scheduled At Completed At

Filtering Jobs
You can filter the jobs by any specified criteria using the Filter by drop-down list. Select your criteria, enter the corresponding value in the text box next to the drop-down list and click Filter. The jobs pertaining to that category are displayed. Column All Job ID Description Displays all jobs in Job Browser. This is the default filter type. Unique ID of the job. For example, 1007.0. Job IDs have N.x format, where x stands for the number of instances of that job. For example, 1007.4 indicates that the Job ID is 1007 and it is the fifth instance of that job. You should enter a valid Job ID as filter value. You can also:

Enter multiple Job IDs separated by commas Include the wildcard character * (asterisk) in the Job ID value Enter a range of Job IDs 1002 1010.5 1004,1008.8, 1004 1007* 1001-1010 1019.20-1019.100
Examples of valid Job IDs are:

Type
Type of job. The jobs include User Tracking jobs, LMS reports, Inventory Collection, Identity provisioning, Identity monitoring and so on. Filters and displays all jobs that match a job type value in Job Browser. You must select a job type from the list of available types.
12-3
Chapter 12 Using Job Browser
Managing Jobs
Column Run Status
Description Job states include:

Running Waiting for approval Scheduled (pending) Succeeded Succeeded with Info Failed Crashed Cancelled Suspended Rejected Missed Start Failed at Start
Select a job state from the Run Status drop-down list box to view the details of the all jobs that match the job state. If there are no jobs with any of these job states, the Run Status drop-down list box will not display the respective job state. Sched Type Frequency of the job. This can be:

Once Immediate Periodic (calendar/time based).
Description
Description of the job. Filters and displays all jobs with a specified description. You cannot leave the description field blank when you select this filter type.
Owner
Username of the job creator. Filters and displays all jobs that are scheduled by a user. You can select a user from the drop-down list of users as a filter value.
Click the Refresh icon to refresh the job browser. Use the Stop and Delete buttons to stop or delete jobs:
Stop buttonStops or cancels a running job. You will be prompted to confirm the cancellation of the job. However, the job is stopped only after the devices currently being processed are successfully completed. This is to ensure that no device is left in an inconsistent state. Delete buttonDeletes the selected job from the job browser. You can select more than one job to delete. You will be asked to confirm the deletion.
Note
You cannot delete a running job.
12-4
OL-20721-01
Chapter 12
Managing Jobs Configuring Default Job Policies
Configuring Default Job Policies

Each Configuration Management job has properties that define how the job will run. You can configure a default policy for these properties that applies to all future jobs. You can also specify for each property whether users can change the default when creating a job. You have the option of entering a username and password for running a specific Archive Management, Config Editor, NetConfig, or NetShow job. If you enter a username and password, Archive Management, Config Editor, or NetConfig applications use this username and password to connect to the device, instead of taking these credentials from the Device and Credential Repository. While the job is running, the password is retrieved from the Device and Credential Repository for each of the selected devices. For example, if the TACACS server is managing the devices, the passwords in the TACACS server and the passwords in the Device and Credential Repository should be synchronized (with every password change). This option of entering the username and password for running a job is useful in high security installations where device passwords are changed at frequent intervals. In such instances, the passwords may be changed every 60-90 seconds. To use this option of entering a username and password for running a specific job, you should enable the job password policy for Archive Management, Config Editor, NetConfig, or NetShow jobs. You can do this by using the Enable Job Password option in the Config Job Policies window. If you have enabled Enable Job Password option, you can enter these credentials while scheduling a job:

Login Username Login Password Enable Password
This section also explains about Defining the Default Job Policies.
12-5
Chapter 12 Configuring Default Job Policies
Managing Jobs
Defining the Default Job Policies

The following is the workflow for defining the default job policies for Configuration Management applications like NetConfig, ArchiveMgmt, ConfigEditor, Netshow:
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. Select Admin > Network > Configuration Job Settings > Config Job Policies. The Config Job Policies dialog box appears. Select one application from the drop-down list. You can select one of the following options:

Step 1
Step 2
NetConfig ArchiveMgmt ConfigEditor Netshow
Step 3
Based on your selection, enter the following information: Description Usage Notes
Field Name Failure Policy
Select what the job should do if it fails to run on the You can create rollback commands for a job in device. You can stop or continue the job, and roll the following ways: back configuration changes to the failed device or to Using a system-defined template. all devices configured by the job. Rollback commands are created You can select one of the options: automatically by the template. Stop on failureStops the job on failure. The Banner system-defined template does

Ignore failure and continueContinues the job on failure. Rollback device and stopRolls back the changes on the failed device and stops the job. This is applicable only to NetConfig application. Rollback device and continueRolls back the changes on the failed device and continues the job. This is applicable only to NetConfig application. Rollback job on failureRolls back the changes on all devices and stops the job. This is applicable only to NetConfig application. This field appears only if you select either Config Editor or NetConfig application.
not support rollback. You cannot create rollback commands using this template. Creating a user template. Allows you to enter rollback commands into the template. When you use the Adhoc and Telnet Password templates, you cannot create rollback commands.
Note
12-6
OL-20721-01
Chapter 12
Field Name
Description
Usage Notes Notification is sent when the job is started and completed.
E-mail Notification Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by Notification E-mails include a URL to enter to display job details. If you are not logged in, do so commas. using log in panel. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address. Sync Archive before Job Execution Copy Running Config to Startup The job archives the running configuration before making configuration changes.
Note
None.
This field appears if you select either Config Editor or NetConfig application. Does not apply to Catalyst OS devices.
The job writes the running configuration to the startup configuration on each device after configuration changes are made successfully.
Note
This appears if you select either Config Editor or NetConfig application. None. You can use this option even if you have configured only the Telnet password (without configuring username) on your device. You must enter a string in the Login Username field. Do not leave the Login Username field blank. The Login Username string will be ignored while connecting to the device since the device is configured only for the Telnet password. See Usage Scenarios When Job Password is Configured on Devices.
Enable Job Password
The Job Password Policy is enabled for all the jobs. The Archive Management, Config Editor, and NetConfig jobs use this username and password to connect to the device, instead of taking these credentials from the Device and Credential Repository. These device credentials are entered while scheduling a job.
Fail on Mismatch of Config Versions
The job is considered a failure when the most recent None. configuration version in the configuration archive is not identical to the most recent configuration version that was in the configuration archive when you created the job.
Note
This appears if you select either Config Editor or NetConfig application.
Delete Config after The configuration file is deleted after the download. download Note This appears if you select Config Editor.
12-7
Managing Jobs
Field Name Execution Policy
Description Allows you to configure the job to run on multiple devices at the same time (Parallel execution) or in sequence (Sequential Execution).
Usage Notes If you select sequential execution, you can select Device Order in the Job Schedule and Options dialog box to set the order of the device.
1. 2.
Select a device in the Set Device Order dialog box. Either: Click the Move Up or Move Down arrows to change its place in the order. Click Done to save the current order. Or Close the dialog box without making any changes.
You cannot alter the device sequence for Archive Management application jobs such as Sync Archive, Check Compliance and Deploy, etc. Sequential Execution is not supported for the following jobs:

Manual Sync Archive Periodic Config Collection and Polling cwcli config get
User Configurable
Select this check box next to any field to make corresponding policy user configurable.
You can configure a user-configurable policy while defining job. You cannot modify non-user-configurable policies.
Step 4
Click Apply. A message appears, Policy values changed successfully. Click OK.
Step 5
Usage Scenarios When Job Password is Configured on Devices
The following tables list the usage scenarios and their implications for Configuration application when job password is configured on devices.

Table 12-2When Device Access is Only Through Job Password and No Access is Available Through Regular Telnet/SSH and SNMP (Read or Write) Table 12-3When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write) Table 12-4When Devices are not Configured for Job Password and Access is Available Through Regular Telnet/SSH but no SNMP Table 12-5When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is Available Only Through SNMP (Read or Write)
12-8
OL-20721-01
Chapter 12
Table 12-2
When Device Access is Only Through Job Password and No Access is Available Through Regular Telnet/SSH and SNMP (Read or Write)
Scenario Device is added into LMS
Archive Mgmt Fails
cwcli config Not applicable Not applicable Fails Not applicable
NetConfig Not applicable Not applicable Not applicable Not applicable
Config Editor Not applicable Not applicable Not applicable Not applicable
Update archive request Fails through user interface Update archive request Not applicable through command line Config update when Syslog message is received Config update through periodic scheduled process Config update through SNMP poller based scheduled process Config upload/restore through cwcli config NetConfig Job Config Editor job Fails
Fails
Not applicable
Not applicable
Not applicable
Fails
Not applicable
Not applicable
Not applicable
Not applicable Not applicable Not applicable
Fails Fails Not applicable
Not applicable Succeeds Not applicable
Not applicable Not applicable Succeeds
Table 12-3
When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write)
Archive Mgmt Succeeds for SNMP supported devices Succeeds for SNMP supported devices Succeeds for SNMP supported devices Succeeds for SNMP supported devices Succeeds for SNMP supported devices
cwcli config Not applicable
NetConfig Not applicable
Config Editor Not applicable
Update archive request through user interface Update archive request through command line Config update when Syslog message is received Config update through periodic scheduled process
Not applicable
Not applicable
Not applicable
Succeeds for SNMP supported devices Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
12-9
Managing Jobs
Table 12-3
When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write)
Scenario Config update through SNMP poller based scheduled process Config upload/restore through cwcli
config
Archive Mgmt Succeeds for SNMP supported devices Not applicable
Succeeds for SNMP supported devices Fails Not applicable
Not applicable
Not applicable
NetConfig Job Config Editor job
Not applicable Not applicable
Succeeds Not applicable
Not applicable Succeeds
Table 12-4
When Devices are not Configured for Job Password and Access is Available Through Regular Telnet/SSH but no SNMP
Scenario Device is added into LMS Update archive request through user interface Update archive request through command line Config update when Syslog message is received Config update through periodic scheduled process Config update through SNMP poller based scheduled process Config upload/restore through cwcli
config
Archive Mgmt Succeeds Succeeds Succeeds Succeeds Succeeds Succeeds Succeeds Not applicable Not applicable
cwcli config Not applicable Not applicable Succeeds Not applicable Not applicable Not applicable Succeeds Not applicable Not applicable
NetConfig Not applicable Not applicable Not applicable Not applicable Not applicable Not applicable Not applicable Succeeds Not applicable
Config Editor Not applicable Not applicable Not applicable Not applicable Not applicable Not applicable Not applicable Not applicable Succeeds
Table 12-5
When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is Available Only Through SNMP (Read or Write)
Archive Mgmt Succeeds for SNMP supported devices Succeeds for SNMP supported devices
Update archive request through user interface
Not applicable
Not applicable
Not applicable
12-10
OL-20721-01
Chapter 12
Managing Jobs Configuring NetShow Job Policies
Table 12-5
When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is Available Only Through SNMP (Read or Write) (continued)
Scenario Update archive request through command line Config update when Syslog message is received Config update through periodic scheduled process Config update through SNMP poller based scheduled process Config upload/restore through cwcli
config
Archive Mgmt Succeeds for SNMP supported devices Succeeds for SNMP supported devices Succeeds for SNMP supported devices Succeeds for SNMP supported devices Succeeds for SNMP supported devices Not applicable Not applicable
cwcli config Succeeds for SNMP supported devices Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Succeeds for SNMP supported devices Fails Not applicable
Not applicable
Not applicable
Fails Not applicable
Not applicable Fails
Configuring NetShow Job Policies

Each NetShow job has properties that define how the job runs. You can configure a default policy for these properties that apply to all future jobs. For each job property you can specify whether users can change the default property when creating a job. NetShow supports the following Job Policies:
Defining Default Job Policies The default job policies that NetShow support are E-Mail Notification, Enable Job Password, and Execution Policy.
Purging Configuration Management Jobs The Job Purge option provides a centralized location for you to schedule purge operations. Defining Protocol Order You can define the protocol order for NetShow through the Protocol Ordering option in the Config Management feature in LMS. This section also gives details on Masking Credentials
12-11
Chapter 12 Configuring NetShow Job Policies
Managing Jobs
Defining Default Job Policies

NetShow supports E-Mail Notification, Enable Job Password, and Execution Policy.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. To define these default Job Policies:
Step 1
Select Admin > Network > Configuration Job Settings > Config Job Policies. The Job Policy dialog box appears. Select NetShow from the Application drop-down list: Enter the following information in the Job Policy dialog box: Description Usage Notes Notification is sent when job is started and completed. Notification e-mails include a URL to enter to display job details. If you are not logged in, log in using the login panel.
Step 2 Step 3
Field Name
E-mail Notification Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address. Enable Job Password
You can use this option even if you have configured only the Telnet password NetShow jobs use this username and password to connect to (without configuring username) on your the device, instead of taking these credentials from the device. Device and Credential Repository. You must enter a string in the Login These device credentials are entered while scheduling a job. Username field. Do not leave it blank. The Job Password Policy is enabled for all the jobs. The Login Username string is ignored while connecting to the device since the device is configured only for the Telnet password.
Execution Policy
Allows you to configure the job to run on multiple devices at None. the same time (Parallel Execution) or in sequence (Sequential Execution).
12-12
OL-20721-01
Chapter 12
Managing Jobs Configuring NetShow Job Policies
Step 4
Click Apply. A message appears, Policy values changed successfully. Click OK.
Step 5
Purging Configuration Management Jobs

The Job Purge option provides a centralized location for you to schedule purge operations for certain Configuration Management jobs including NetShow jobs. Select Admin > Network > Purge Settings > Config Job Purge Settings to invoke the Job Purge option. The Job Purge window contains the following information: Column Application Status Policy Job ID Description Lists the application for which the purge is applicable. Whether a purge job is enabled or disabled. This value is in days. Data older than the specified value, will be purged. You can change this value as required. This is a mandatory field. The default is 180 days. Unique ID assigned to the job by the system, when the purge job was created. This Job ID does not change even if you disable or enable or change the schedule of the purge job. For the Purge Now task, a Job ID is not assigned. Also, if a Job ID already exists for that application, this Job ID is not updated for the Purge Now tasks. That is, the job scheduled for purging is not affected by the Purge Now task. Scheduled At Schedule Type Date and time that the job was scheduled at. For example: Nov 17 2004 13:25:00. Specifies the type of schedule for the purge job:

DailyDaily at the specified time. WeeklyWeekly on the day of the week and at the specified time. Monthly Monthly on the day of the month and at the specified time. (A month comprises 30 days).
12-13
Chapter 12 Configuring NetShow Job Policies
Managing Jobs
To purge Configuration Management Jobs:

Step 1
Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears. You can perform the following tasks in the Job Purge window:
Button Schedule Enable Disable Purge Now
Description Schedule a job purging. Enable a job for purging after you schedule it. Disable the purge after enabling a job for purging. Purge a job immediately.
Defining Protocol Order

You can define the protocol order for NetConfig, Archive Mgmt, Config Editor, and NetShow through the Protocol Ordering option in the Config Management feature in LMS.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. To define the protocol order for NetShow:
Step 1
Select Admin > Collection Settings > Config > Config Transport Settings. The Transport Settings dialog box appears. Select NetShow from the Application drop-down list: Select a protocol from the Available Protocols pane and click Add. NetShow supports only Telnet and SSH. If you want to remove a protocol or change the protocol order, you can remove the protocol using the Remove button and then add it again. The protocols that you have selected appear in the Selected Protocol Order pane. Click Apply. A message appears, New settings saved successfully. Click OK. The protocol used for communicating with the device is based on the order in which the protocols are listed here.
Step 2 Step 3
Step 4
Step 5
12-14
OL-20721-01
Chapter 12
Managing Jobs Enabling Approval and Approving Jobs Using Job Approval
Masking Credentials
You can mask the credentials shown in the output of show commands. If you want to mask the credentials of a particular command, you must specify the command in the NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\config\netshow\NSCre dCmds.properties file. In this file you can specify all the commands whose output should be processed to mask the credentials. We recommend that you enter the complete command in the file. For example, you must enter show running-config, not show run. This file contains some default commands like show running-config.
Enabling Approval and Approving Jobs Using Job Approval

LMS applications, such as NetConfig, Config Editor, Archive Management, and Software Management allow you to schedule jobs to perform their tasks. Job Approval allows you to require that one of a group of users designated as job Approvers approves each job before it can run. See Job Approval Workflow for more information. Job Approval sends job requests through e-mail to users on a jobs Approver list. If none of the Approvers approve the job before its scheduled run time, or if an Approver rejects the job, the job is moved to the rejected state and will not run. When Job Approval is enabled, applications that use it, require you to schedule the job to run in the future, rather than immediately. Job approval cannot be enabled for jobs that run immediately. A user with the appropriate privileges uses a Cisco Prime application to schedule jobs. When you use Job Approval, different people can perform different tasks:
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform job approval tasks.
Role System Administrator Approver
Responsibilities Creates and maintains the Approver lists Approves/rejects a job, or changes the schedule for a job. To select the log level settings for the Job Approval application, select Admin > System > Debug Settings > Config and Image Management Debugging settings. Job Approval is also referred to as Maker Checker in a few places within LMS. For example, in Loglevel Settings and Permission Report (Reports > System > Users > Permission) it is mentioned as Maker Checker.
12-15
Chapter 12 Job Approval Workflow
Managing Jobs
Job Approval Workflow

A typical job approval workflow may look like this: A system administrator does the following:
1. 2. 3. 4.
Specifies user/Approver information (see Specifying Approver Details.) Creates one or more job Approver lists (see Creating and Editing Approver Lists). Assigns Approver lists (see Assigning Approver Lists). Sets up Job Approval (see Setting Up Job Approval).
The planner analyzes the network and prompts the network engineer to schedule a job to perform a needed network change. The job creator uses a Cisco Prime application to create a job.The application must have an Approver list assigned to it before Job Approval is enabled. Also, it must be scheduled to run in the future (not immediately). All Approvers on the Approver list receive an automatic email notification. The job Approvers approve or reject the job (see Approving and Rejecting Jobs) and give their comments. The job creator and all Approvers on the Approver list receive an automatic e-mail notification. A job that is not approved or rejected before its scheduled time is automatically moved to the Rejected state. E-mail notification is sent to all Approvers and the user who scheduled the job. If the job is approved, it runs as scheduled.
Specifying Approver Details

Use the option, Approver Details, to maintain information about users with Approver roles.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. To specify Approver details:
Step 1
Select Admin > Network > Configuration Job Settings > Approver Details. The Approver Details dialog box appears. Click Synchronize with Local User Database. All the approvers in with valid E-mail IDs, will appear in theApprovers list. The E-mails of the approvers will be the same as that added in LMS. (You can create a valid Cisco Prime user using the Local User Setup option under Admin > System > User Management > Local User Setup). If you want to change the E-mail ID of any of the Approvers, select the Approver from the Approvers list, and change specifying the new e-mail ID in the E-mail Address field. You can add more than one e-mail, separated by commas
Step 2
12-16
OL-20721-01
Chapter 12
Managing Jobs Job Approval Workflow
Step 3
Click Save to save your changes. All approvers, have to be manually added to LMS. To do this, enter the name of the Approver that you want to add in the New Approver field, enter a valid e-mail ID for that user in the E-mail Address field, and click Save. The Approver that you added, appears in the Approvers box.
Creating and Editing Approver Lists

You can use the option Create/Edit Approver Lists to create, edit, or delete Approver lists. Before you create an Approver list, ensure that users have been added, through the Approver Details option (see Specifying Approver Details).
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. To create and edit Approvers lists:
Step 1
Select Admin > Network > Configuration Job Settings > Create/Edit Approver Lists. The Create/Edit Approver List dialog box appears. Go to the Approver List field and enter a name for an Approver list that you are creating. It can be an alphanumeric name. Click Add. A message appears:
List
Step 2 Step 3
Listname has no users. To save the list successfully, add users and click Save.
Step 4
Click OK to proceed. The newly-created list appears in the lists box. (If previously-created lists exist, you can highlight a list to see the List Members in the Users group of fields.)
Step 5
Add users to the newly-created list, by highlighting the list. In the Users group of fields, the Available Users box lists users who have Approver permissions. Only these users can be added to Approver lists to approve jobs.
To add a user to the Approver List, select the name from the Available Users list box, and click Add. The name appears in the List Members list box. To remove a user from the Approver list, select the name from the List Members list box, then click Remove. The name is removed from the List Members list box.
Step 6
Click Save. The Approver Lists box displays the name of the new Approver list and the users on this list appear in the box below Approver Lists.
12-17
Managing Jobs
To edit an Approver List:

a.
Select the list. The approvers of the list appear in the List Members list box. Add new approvers, or remove existing ones in using the Add and Remove buttons in the Users group of fields. Select the list. Click Delete. A message appears:
Are you sure you wish to delete? Approval will be disabled for applications to which the Listname is assigned!
b.
To delete an Approver List:

a. b.
c.
Click OK to delete the list.
Assigning Approver Lists

You can assign an Approver list to each of the LMS applications, from the available Approver lists.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. To assign an Approver list:
Step 1
Select Admin > Network > Configuration Job Settings > Assign Approver Lists. The Assign Approver Lists dialog box appears. Select the required Approver list from the drop-down list box for that application. Repeat this for each of the applications listed here. Click Assign. The selected Approver lists are assigned to the applications.
Step 2 Step 3
Setting Up Job Approval

The Approval Policies dialog box allows you to set up Job Approval for all applications for which you can set up job approval. The applications are:

NetConfig NetShow Config Editor Archive Management. See Using Job Approval for Archive Management for details. Software Management. See Using Job Approval for Software Management for details
12-18
OL-20721-01
Chapter 12
Prerequisite
Make sure the approver list is assigned to the application, before you enable approval for the application.
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task. To set up Job Approval:
Step 1
Select Admin > Network > Configuration Job Settings > Approval Policies. The Approval Policies dialog box appears. You can enable or disable Job Approval for the following applications:

NetConfig NetShow Config Editor Archive Management. Software Management. Select the Enable check box that corresponds to an application, to enable Job Approval. Deselect the Enable check box that corresponds to an application, to disable Job Approval. Select the All check box to enable Job Approval, for all applications to which it is applicable. Deselect the All check box to disable Job Approval, for all applications to which it is applicable.
Step 2
Set up Job Approval for the various applications that support job approval, by doing one of the following:

Step 3
Click Apply to apply your changes. After you enable Job Approval, two additional fields appear in the job schedule wizard of the applications. These are:

Maker CommentsJob creators comments. Maker E-mailJob creators e-mail address.
Using Job Approval for Archive Management
You can enable Job Approval for Archive Management tasks, (Admin > Network > Configuration Job Settings > Approval Policies). This means all jobs require approval before they can run. Only users with Approver permissions can approve Archive Management jobs. Jobs must be approved before they can run if Job Approval is enabled on the system. For more details on enabling job approval see Setting Up Job Approval. The following Archive Management tasks require approval if you have enabled Job Approval: Out-of-Sync (Configuration > Compliance > Out-of-Sync Summary) Sync Archive jobs do not have Job Approval enabled because this job only archives the configuration from the device and there is no change to the device configuration.
12-19
Managing Jobs
If you have enabled Approval for Archive Management tasks, these options appear in the Job Schedule and Options dialog box:

Approval CommentApproval comments for the job approver. Maker E-MailE-mail-ID of the job creator.
Using Job Approval for Software Management
You can enable Job Approval for Software Management tasks, (Admin > Network > Configuration Job Settings > Approval Policies) which means all jobs require approval before they can run. Only users with Approver permissions can approve Software Management jobs. Jobs must be approved before they can run if Job Approval is enabled on the system. The following Software Management tasks require approval if you have enabled Job Approval:
Adding images to Software Repository (Configuration > Tools > Software Image Management > Software Distribution) using:
Cisco.com Device URL Network
Distribution software images (Configuration > Tools > Software Image Management > Software Distribution) using any one of these methods:
Distributing by Devices [Basic] Distributing by Devices [Advanced] Distributing by Images Remote Staging and Distribution
If you have enabled Approval for Software Management tasks, then in the Job Schedule and Options dialog box, you get these two options:

Maker CommentsApproval comments for the job approver. Maker E-MailE-mail ID of the job creator.
Approving and Rejecting Jobs

Use the Approve or Reject Jobs option to approve or reject a job for which you are an Approver. The job will not run until you or another Approver approves it. If no Approver approves the job by its scheduled run time, or an Approver rejects it, the job is moved to the rejected state and will not run. For periodic jobs, only one instance of the job needs to be approved. If one instance is approved all other instances are considered approved, and vice-versa. When a job for which you are an Approver is created, you are notified by email. An Approver can edit the job schedule at the time of approving the job.
12-20
OL-20721-01
Chapter 12
The e-mail displays these details: Details Job ID Job Description Job Schedule Server Name Server Time-zone: Maker Comments URLS Description ID of the job that has been put up for approval. Description of the job. Date and time for which the job has been scheduled. Name of the server. Time zone of the server. Comments for the Approver, entered by the job creator. Two URLs to launch dialog boxes for:

Viewing job details. Approving or rejecting jobs.
View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task. You need to be a user with an Approver role.
Note
You will be able to select only those jobs for which you are a part of the Approver List. The other jobs, for which you are not a part of the Approver List, will be disabled. To approve or reject jobs:
Step 1
Select Admin > Jobs > Approval. The Jobs Pending Approval dialog box appears with the following information about the scheduled jobs on the system:
Column Job ID
Description Unique number assigned to the job when it is created. For periodic jobs such as Daily, Weekly, etc., the job IDs are in the number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that this is the third instance of the job ID 1001. Click the Job ID hyperlink to view the details of the job.
Owner Job Type Scheduled to Run at Approver List Description
Job owner. Application that registered job. When job is scheduled to run. Name of Approver list whose members can approve job. Job description, entered by job creator. You can filter the pending jobs by any specified criteria using the Filter By drop-down list. Select your criteria and click Filter.
12-21
Managing Jobs
Step 2
Either:
Select the job and click Approve to approve the job. The job is approved. Or Select Next. The Job Details dialog box appears (For example, if the ID of the job awaiting approval is 1025, then the title of the dialog box appears as Job Details For Job 1025). You can view/ change the job details before approving or rejecting it. Fields in the Job Details box are:
Field
Job
Description ID of the job (display only). To see the detailed description of the job, click the View Job Details hyperlink.
ID
Schedule Options
Run Type
Select the frequency at which the job should be run:

ImmediateRuns the report immediately. 6 - hourlyRuns the report every 6 hours, starting from the specified time. 12 - hourlyRuns the report every 12 hours, starting from the specified time. OnceRuns the report once at the specified date and time. DailyRuns daily at the specified time. WeeklyRuns weekly on the day of the week and at the specified time. MonthlyRuns monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. To change, select the required run type from the drop-down list.
12-22
OL-20721-01
Chapter 12
Managing Jobs Using Device Selector
Field
Current Schedule
Description Scheduled date and time of the job. Click Change Schedule to change the schedule of the job. You must click the Change Schedule button for the changed schedule to take effect. If you do not click this button, the changed schedule will not be set.
Date
Approver
Comments
Step 3
Enter your comments. This field is mandatory only if you are rejecting a job. Click Approve. The job is approved. If you want to reject the job, enter comments in the Comments text box and then click Reject.
Using Device Selector

The Device Selector pane is used to select devices to perform LMS tasks. This pane lists all devices in a group. The devices are listed in the appropriate groups based on Device type groups and User-defined group rules. The devices name that you see in this pane is the Display Name that you have entered at the time of adding the devices in Device and Credential Repository. You can use the following search options to search for devices:

Using Simple Search Using Advanced Search Using the All Tab Using the Search Results Tab Using the Selection Tab
Note
If you have configured Cisco Prime login mode to work under ACS mode, the devices listed for you while performing the tasks are based on your role and associated privileges that are defined in Cisco Secure ACS.
12-23
Chapter 12 Using Device Selector
Managing Jobs
The Device Selector pane contains the following field/buttons: Field/Button Search Input Description Enter the search expression in this field. You can enter single device names or multiple device names. If you are entering multiple device names, separate them with a comma. You can also enter the wildcard characters * amd "?". For example: 192.168.10.1*, 192.168.20.* Search Use this icon to perform a simple search of devices based on the search criteria you have specified in the Search Input text field. For information on Search, see Using Simple Search. Advanced Search Use this icon to perform an advanced search of devices based on the search criteria you have specified in the Search Input text field. For information on Advanced Search, see Using Advanced Search. All Lists all User-defined and System-defined groups for all applications that are installed on LMS Server. For more information, see Using the All Tab. Search Results Selection Displays all the search results from Search or Advanced Search. For more information, see Using the Search Results Tab. Lists all the devices that you have selected in the Search Results or All tab. Using this tab, you can deselect devices from the list. For more information, see Using the Selection Tab. Figure 12-1 shows the new device selector.
Figure 12-1 Device Selector
12-24
OL-20721-01
Chapter 12
Managing Jobs Using Device Selector
Tool-tips are provided for long device names so that you do not have to scroll to see the complete device name.
Using Simple Search

You can search for devices by entering the devices name (Display Name) in the Search Input field. The search is based on the Display Name that you view in the Device Selector pane. This Display Name is entered when you add devices to Device and Credential Repository.
Usage Notes
The following are the usage notes for Simple Search:
You can enter multiple device names separated with a comma. You can also enter wildcard character, * or ? for selecting multiple devices. For example: You can enter device names in these many ways to select multiple devices:
192.168.80.140, 192.168.135.101, rtr805 192.168.80.*, 192.168.* 192.168.22.?
You cannot enter multiple wildcard characters for selecting the devices For example, 192.*.80.*. This is not allowed.
You must enter either the complete device name or enter the partial device name appended with wildcard character *. That is,
No devices are selected, if you enter only 192.168 in the Device Name text box. You have to enter either 192.168* or 192.168.10.10.
The search is not case-sensitive. The devices that are selected is a unique list. There are no duplicate entries of devices. For example: If you have these devices in All Devices and Normal devices nodes: 192.168.10.10, 192.168.10.20, 192.168.10.21, 192.168.10.30, and 192.168.10.31 then,
a. Select the devices 192.168.10.20, 192.168.10.21, and 192.168.10.30 in the Normal devices
node.
b. Enter the search criteria 192.168.10.2* c. The final selected devices that is displayed is, 192.168.10.20, 192.168.10.21, and 192.168.10.30
in the Normal devices node and 192.168.10.20 and 192.168.10.21 in All Devices node. However, the selected devices count that is displayed in the Device Selector is only three and not five.
The All Devices node is expanded without selecting any devices, if the search criteria is not satisfied. The objects selected text displays 0 (zero) device selected.
12-25
Chapter 12 Using Advanced Search
Managing Jobs
Using Advanced Search

You can use the Advanced Search icon to specify a set of rules for advanced search. Advanced search is based on the Grouping Services attributes of Grouping Services Server. In the Advanced Search dialog box, you can create rules to search for devices. Figure 12-2 shows the Advanced Search dialog box.
Figure 12-2 Device Selector Advanced Search
This dialog box contains the following fields and buttons (See Table 12-6):
Table 12-6 Advanced Search Dialog Box
Field/Buttons OR, AND, EXCLUDE

ORInclude objects that fulfill the requirements of either rule. ANDInclude only objects that fulfill the requirements of both rules. EXCLUDEDo not include these objects.
This field appears only after a rule expression is added in the Rule Text box. Object Type Type of object (device) that is used to form a group. All rule expressions begin with the same Object Type, RME:INVENTORY:Device. Variable Operator Device attributes, based on which you can define the group. See Advanced Search Rule Attribute. Operator to be used in the rule. The list of possible operators changes based on the Variable selected.
12-26
OL-20721-01
Chapter 12
Managing Jobs Using Advanced Search
Table 12-6
Advanced Search Dialog Box (continued)
Field/Buttons Value
Description The value of the rule expression. The possible values depend upon the variable and operator selected. Depending on the operator selected, the value may be free-form text or a list of values. The wildcard characters are not supported. Used to add the rule expression to the group rules. Displays the rule. Verifies that the rule syntax is correct. Use this button if you have entered the rules manually. Used to search for devices based on the defined rule.
Add Rule Expression Rule Text Check Syntax Search

Usage Notes
The following are the usage notes for Advanced Search:

If you have not selected any device nodes, then advanced search is applied only for All Devices node. You can either enter the rules directly in the Rule Text field, or select the components of the rule from the Rule Expression fields, and form a rule. Each rule expression contains the following: object type.variable operator value Object TypeThe type of object (device) that is used to form a group. All rule expressions begin with the same Object Type, RME:INVENTORY:Device. VariableDevice attributes, based on which you can define the group. See the Advanced Search Rule Attribute. OperatorOperator to be used in the rule. The list of possible operators changes based on the Variable selected. ValueValue of the rule expression. The possible values depend upon the variable and operator selected. Depending on the operator selected, the value may be free-form text or a list of values.
If you are entering the rule expressions manually, the rule expression must follow this syntax: object type.variable operator value If you are entering more than one rule expression, you must enter logical operators OR, AND or EXCLUDE after every rule expression. You must use Check Syntax button only when you add a rule manually or when you modify a rule expressions in the Rule Text.
The advanced search operation is not case-sensitive. To delete the rules in the Rule Text box, select the complete rule including the logical operator and press the Delete key on your keyboard. If you want to perform a new search, click Clear All before selecting any new devices.
12-27
Managing Jobs
Advanced Search Rule Attribute
Table 12-7 lists the available device advanced search rule attributes that you can use for defining advanced search.
Table 12-7 Advanced Search Rule Attribute
Attribute Group Asset
Attribute Type Asset.CLE_Identifier Asset.Part_Number Asset.User_Defined_Identifier
Description CLE identifier of the asset. Orderable part number of the asset. User-defined identifier of the asset Name of the model. Number of slots in that chassis. Total port count of the chassis. Serial number of the chassis. Vendor type of the chassis. Version number of the chassis. Name of the flash file. Flash file size in MB. Model name of the flash device. Free space in MB. Flash partition name. Flash partition size in MB. Total flash device size in MB. ROM system software version Version of ROM. Image system description Running image version. Device IP address. Version of IP, IPv4 or IPv6 Network Mask address Free memory in MB. Name of the memory. Total RAM size in MB. Memory type. Used memory in MB. Module hardware version. Name of the model. Total ports on that module. Serial number of the module. Vendor type for the module.
Chassis
Chassis.Model_Name Chassis.Number_Of_Slots Chassis.Port_Count Chassis.Serial_Number Chassis.Vendor_Type Chassis.Version
Flash
Flash.File_Name Flash.File_Size Flash.Model_Name Flash.Partition_Free Flash.Partition_Name Flash.Partition_Size Flash.Size
Image
Image.ROM_Sys_Version Image.ROM_Version Image.Sys_Description Image.Version
IP Address
IP.Address IP.Address_Type IP.Network_Mask
Memory
Memory.Free Memory.Name Memory.Size Memory.Type Memory.Used
Module
Module.HW_Version Module.Model_Name Module.Port_Count Module.Serial_Number Module.Vendor_Type
12-28
OL-20721-01
Chapter 12
Table 12-7
Advanced Search Rule Attribute (continued)
Attribute Group Processor
Attribute Type Processor.Model_Name Processor.NVRAM_Size Processor.NVRAM_Used Processor.Port_Count Processor.RAM_Size Processor.Serial_Number Processor.Vendor_Type
Description Name of the model. Size of the processor NVRAM in MB. Size of the processor NVRAM that has been utilized, in MB. Total port count of the processor Size of the processor RAM in MB. Serial number of the processor. Vendor type of the processor. Device state such as Normal, Alias, etc. Device contact person name. Description of the system. Device domain name. Device location information. System Object ID of the device (sysObjectID).
State System
State System.Contact System.Description System.DomainName System.Location System.SystemOID

Using Advanced SearchAn Example
The following example describes the procedure for selecting devices whose IP address starts with 192.168 or Network Mask is 255.255.255.0. Also, these devices are assumed to be in Normal state. The devices in your network are:

192.168.101.200 with network mask 255.255.255.128 192.168.101.201 with network mask 255.255.255.0 192.168.102.251 with network mask 255.255.255.0 192.168.102.202 with network mask 255.255.255.19 192.168.200.210 with network mask 255.255.255.128
Use the following procedure for advanced search:

Step 1
Click the Advanced Search icon in the Device Selector pane. The Define Advanced Search Rule dialog box appears. Select,
a. b. c.
Step 2
State as Variable = as Operator Normal as Value
Step 3
Click Add Rule Expression. The rule is added into the Rule Text.
12-29
Managing Jobs
Step 4
Select,
a. b. c. d.
And as Logical Operator IP.Address as Variable Contains as Operator Enter 192.168.101 for Value.
Step 5
Click Add Rule Expression. The rule is added into the Rule Text. Select,
a. b. c. d.
Step 6
OR as Logical Operator IP.Network_Mask as Variable Equals as Operator Enter 255.255.255.0 for Value.
Step 7
Click Add Rule Expression. The rule is added into the Rule Text. Click Search. The Device Selection dialog box appears. The devices that satisfied the search condition are selected. That is these two devices are selected.

Step 8
192.168.101.200 with network mask 255.255.255.128 192.168.101.201 with network mask 255.255.255.0 192.168.102.251 with network mask 255.255.255.0
Using the All Tab

The All tab lists all the devices that are available in the LMS. The list is based on the Display Name that you entered in the Device Properties dialog box when you added devices to Device and Credential Repository.
List of Device Folders
The following is the list of device folders under the All tab:

The All Devices folder lists all devices. That is, this includes devices in Normal, Alias, Pending, and Pre-deployed states. This folder does not include devices in Suspended and Conflicting states. The Normal Devices folder lists devices that has been successfully contacted by LMS or the device has contacted LMS at least once (polling, successful job completion, Syslog receipt etc.). The Pre-deployed folder lists Device has never ever been reachable by LMS (by protocol such as SNMP). The Previous selection folder lists LMS devices that were selected in previous LMS task in the same session. Saved device list folder lists devices that are saved explicitly by you while generating the Inventory Reports, View Credential Verification Report and Error Report.
12-30
OL-20721-01
Chapter 12
Only one Saved device list is created within the device selector. If concurrent users have created Saved device list, only the last created Saved device list appears in the Device Selector. The previous Saved device list is overwritten with the latest.
Note
You can use the Previous selection and Saved device groups only when you are working on a application. You cannot use these device groups when you are working on another Cisco Prime application. That is, if you are working on the Campus Manager application, these groups must not be used.
The User Defined Groups folder lists devices that satisfy the group rules. The group rules are defined by you at the time of creating the User-defined groups. See Managing RME Device, Port and Module Groups Using Group Administration for further details on User-defined groups.
Based on the applications that are installed on your LMS Server, you will also view device folders related to other Cisco Prime applications: CiscoWorks_ApplicationName@CiscoWorks_ServerHostName For example: For Cisco Prime Common Services, you will see: CS@CiscoWorks_ServerHostName. In a stand-alone system, server name is not appended. For example, for Common Services, you will see CS.
Other application folders are displayed in LMS based on the settings. For more details, see Common Services Online Help. In Device Selector, the other Cisco Prime application device folders will list only devices. For example: If you have devices, A, B, C and D in Cisco Prime Common Services and you have devices A, B, and C in LMS then in the Device Selector under Common Services device folder, you will view on device list, A, B, and C.
The device appears in a disabled (greyed out) state when:

Device type is Unknown in Device and Credential Repository. In all applications device is
shown as disabled except in Inventory job creation and reports.

Device type is known and correct in Device and Credentials (that is, the SysObjectID is correct
and is available in Device and Credentials). However, that device is not supported by applications. (Inventory, Software Management, and Configuration Management). There are two types of device selectors in LMS:

Single Device Selector Multiple Device Selector
Single Device Selector
In the single device selector, you can select a device only at the leaf-level (device-level). The radio buttons at the node-level (folder-level) are grayed out.
12-31
Managing Jobs
Multiple Device Selector
In the multiple device selector, you can select devices at both the node-level and leaf-level. The following are the usage notes for the multiple device selector:
If you select devices at the node-level, all devices listed under this node are selected. For example, if you select the All Devices node, all devices under this node are selected. If you expand a device node, you cannot select devices at the node-level. You need to select devices individually at the leaf-level. For example, if you expand the All Devices node, you cannot select devices at the All Devices node-level (the check-box is grayed out). You need to select devices individually under the All Devices node.
If you select devices at a node-level and expand that particular node, you can deselect the devices only at the leaf-level and not at the node-level. For example, if you select the Normal Devices node and expand the same, you can deselect the devices only at the leaf-level. You cannot deselect all the devices at the Normal Devices node-level (the check-box is grayed out), when it is expanded. However, you can use Clear All to deselect all the devices.
You can select multiple device nodes to perform the tasks. For example, you can select the Previous selection and the Saved device list nodes together to perform the tasks.
Using the Search Results Tab

The Search Results Tab lists all the results of Simple search or advanced search operations. It displays a flat list of devices and you can do a select all , clear all , or select a few devices from the list.
Using the Selection Tab

The Selection Tab serves as a repository of all the devices that you select from the Search Results tab or the All Tab. There are three ways to select devices in the Device Selector:

Selection Using All Tab Selection Using Search Selection Combining All and Search
Selection Using All Tab
You can select devices using the tree view in the All tab. This tab displays all devices that are available in LMS.
Selection Using Search
You can search devices using Search or Advanced Search. The list of devices matching the search criteria is shown under the Search Results tab. You can select the required devices from the Search Results tab. The Selection tab reflects whatever you selected from Search Results. If you click the All tab now, the devices selected from Search Results will be shown in the All Devices group.
12-32
OL-20721-01
Chapter 12
Selection Combining All and Search
After you select devices using the All tab, you can add a few more devices using Search. You can enter the search criteria and search using Search or Advanced Search and the Search Results tab displays the devices matching the criteria. You can select the required devices from the Search Results tab. The Selection tab displays the accumulated list from both All and Search Results tabs. If you click the All tab, it displays the selected devices from Search Results under the All Devices group also. You can enter another search criteria and select more devices. The selected devices are accumulated in the All tab from the Selection tab, as you select more devices.
Note
The (n) Devices Selected message at the bottom left of the Device Selector screen shows the number of devices you have selected. It launches the Selection tab when you click on it.
Editing Device Attributes

To edit the device attributes for a single device
Step 1
Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings. The Edit Devices dialog box appears.
Step 2 Step 3
Select the devices for which you want to edit the device attributes. See Using Device Selector for further information. Click Edit Device Attributes. The Device Attributes dialog box appears. Click Inline Edit. The Device Attributes Information dialog box appears. Select a device from the Devices pane. Edit the device attributes in the Device Information pane. You can check the Apply to all Devices checkbox to apply the device attributes of one device to all other devices that are listed in the Devices pane.
Step 4
Step 5 Step 6
Step 7 Step 8
Click Modify in the Device Attributes Information dialog box. Click Apply in the Device Attributes dialog box.
12-33
Managing Jobs
To edit the device attributes for the bulk of devices

Step 1
Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings. The Devices dialog box appears.
Step 2 Step 3
Select the devices for which you want to edit the device attributes. See Using Device Selector for further information Click Edit Device Attributes. The Device Attributes dialog box appears. Click Export. The Export Device Attributes to File dialog box appears.
a.
Step 4
Enter the folder name and the filename on the server. or

Browse to select a folder on the server.
The Server Side File Browser dialog box appears.

Select a folder and enter the filename on the server. Click OK in the Server Side File Browser dialog box. b.
Click OK in the Export Device Attributes to File dialog box. The notification window displays Data exported successfully. Click OK in the notification window.
c. Step 5
Edit the exported file. You can edit only the device attributes, Serial Number, SNMP Retry, SNMP Timeout, Telnet Timeout, and Natted IP Address. You cannot edit the Device Display Name (device_identity) and add new device entries. See Device Attributes Export File Format for more information. Click Import in the Device Attributes dialog box. The Import Device Attributes to File dialog box appears. We recommend that you import the same file that you have exported after editing. If any new device entries are added, these device entries are ignored. Only device entries that match the existing device entries are imported.
a.
Step 6
Enter the folder name and the filename on the server. or

Browse to select a folder on the server.
The Server Side File Browser dialog box appears.

Select a folder and file on the server. Click OK in the Server Side File Browser dialog box. b.
Click OK in the Import Device Attributes to File dialog box. The notification window displays Data imported successfully. Click OK in the notification window.
c.
The Device Attributes window refreshes to display the updated device attributes.
12-34
OL-20721-01
Chapter 12
While importing the edited device attributes file an error message may appear,
Attribute values for some selected devices are invalid. See Attribute Error Report for details.
See Editing Device Attributes section to know the minimum and maximum values for the device attributes. Also see Attribute Error Report for more information.
Step 7
Click Apply. The Devices window appears.
The device attributes are:
Device Display Name Display name of the device. Serial Number Cisco manufacturing serial number from chassis. You can enter alphanumeric characters up to 255. The default value is Default Not Defined. This attribute is available when you either export or edit the device attributes from the Devices window.
SNMP Retry Number of times that the system should try to access devices with SNMP options. The default value is 2. The minimum value is zero. SNMP Timeout Duration of time that the system should wait for a device to respond before it tries to access it again. The default value is 2 seconds. The minimum value is zero seconds. There is no maximum value limit. Changing the SNMP timeout value affects inventory collection. Telnet Timeout Duration of time that the system should wait for a device to respond before it tries to access it again. The default value is 36 seconds. The minimum value is zero seconds. There is no maximum value limit.
Note
The Telnet timeout and SSh timeout are the same. Modifying the Telnet Timeout also changes the SSH Timeout.
Natted IP Address The server ID. This is the translated address of server as seen from the network where the device resides. This is used when LMS tries to contact devices outside the NAT boundary, you need to enable support for NAT. The default value is Default Not Defined. TFTP Timeout Duration of time that the system should wait for a device to respond before it tries to access it again.
12-35
Managing Jobs
The default value is 5 seconds and the minimum value is 0 seconds. There is no maximum value limit. This attribute is available only when you edit the device attributes from the Device Attributes window. Do any one of the following to edit the device attributes:
Set the device attributes value for a single device using Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes > Inline Edit. See To edit the device attributes for a single device Set the device attributes value for the bulk of devices using Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes > Export. See To edit the device attributes for the bulk of devices
Note
View Permission Report to check if you have the required privileges to perform this task.
Attribute Error Report

The Attribute Error report is generated when the attribute values imported for some selected devices are invalid. This error occurs when the device attributes that are imported as a CSV file contain invalid attributes. You can click on the Attribute Error Report link that is displayed in the error message, to open the Attribute Error Report. You can also view the Attribute Error Report by clicking on the Attribute Error Report button from: Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes
Note
The Attribute Error Report link is available only if importing of device attributes causes error.
Device Attributes Export File Format

The device attributes are exported in CSV 3.0 format. The exported file format is:
; This file is generated by DM Export utility Cisco Systems NM Data import, Source=DM Export; Type=DMCSV; Version=3.0
; ;Start of section 0 - DM Export ; ;HEADER: device_identity,serial_number,SNMPRetryCount,SNMPTimeout,TelnetTimeout,RMEId ; 192.168.8.4,Default Not Defined,2,2,36,Default Not Defined
;End of CSV file
12-36
OL-20721-01
Chapter 12
Where,

device_identityDisplay
name of the device as entered in Device and Credential Repository.
serial_numberCisco manufacturing serial number from chassis. You can enter 0 to 255 alphanumeric characters. The default value is Default Not Defined. SNMPRetryCountNumber of times, system should try to access devices with SNMP options. The default value is 2. The minimum value is zero. SNMPTimeoutDuration
of time the system should wait for a device to respond before it tries to access it again. The default value is 2 seconds. The minimum value is zero seconds. There is no maximum value limit. Changing the SNMP timeout value affects inventory collection.
TelnetTimeoutDuration of time the system should wait for a device to respond before it tries to access it again. The default value is 36 seconds. The minimum value is zero seconds. There is no maximum value limit. Natted IP Addressserver ID. This is the translated address of server as seen from the network where the device resides. This is used when LMS tries to contact devices outside the NAT boundary. The default value is Default Not Defined.
12-37
CH A P T E R
13

Software Center helps you to check for software and device support updates, download them to their server file system along with the related dependent packages, and install the device updates. Software Center allows you to look for software and device updates from Cisco.com, and download them to a server location. You can install the updates from this location. In the case of device updates, Software Center helps you to install the updates using a web based user interface, and command line interface, wherever possible. Most of the device family-based packages can be installed directly from the web interface while the device support packages such as IDU have to be installed based on the installation instructions in the respective Readme files. You may also uninstall a device support package. Software Center does not support installation and uninstallation of software updates. To backup what is installed on the server, Software Center maintains a package and device map in the installed packages directory of the respective applications. The package map is a list of all device packages installed on the server and device map is a list of all the supported devices on the server. Software Center also provides a Command Line Interface to download device updates and software updates, and install or uninstall device packages. This chapter explains the following:

Performing Software Updates Performing Device Update Scheduling Device Package Downloads Using the Software Center CLI Utility
13-1
Chapter 13 Performing Software Updates
Performing Software Updates

You can view a list of all Cisco Prime related bundles and products currently installed on your system using this option. For software updates the default site is Cisco.com. The Software Updates link under Software Center takes you to the Software Updates page. The Software Updates page has two dialog boxes:

Bundles Installed dialog box that lists the bundles installed. Products Installed dialog box that lists the applications installed.
These dialog boxes display the bundle or product name, the version, and the date on which the software was installed. To sort the table by version or date of installation, click on the Version / Installed Date link. You can click the product name links to view the Applications and Packages Installed with the Product page that gives the details of the installed applications, patches, and packages of the product. See You can navigate further down for each product to get a detailed list of all individual OS level packages installed on the system, along with the versions. The Software Updates page provides two options:

Select Software Updates Download Software Updates Viewing the List of Installed Applications and Packages Selecting Software Updates Downloading Software Updates
This section contains the following:

Viewing the List of Installed Applications and Packages

You can view the information on all the applications, patches, and packages installed for a selected product. To do so:
Step 1
Select Admin > System > Software Center > Software Update. The Software Updates page appears. Go to the Products Installed dialog box and click the link provided on a product. A new window displays the details of:

Step 2
Patches InstalledProvides details about the patches installed on the product, the patch version and the date on which the patches were installed. Application InstalledProvides details of the applications installed, the application version, and the date on which the applications were installed. Packages InstalledProvides details about the packages installed on the product, the package version with patch level, and the date on which the packages were installed.
13-2
OL-20721-01
Chapter 13
Working With Software Center Performing Software Updates
Selecting Software Updates

You can select new software packages to update the applications or products.To select updates from Software Center:
Step 1
Select Admin > System > Software Center > Software Update. The Software Updates page appears. Go to the Products Installed dialog box and select the check box corresponding to the product for which you want to select update. You can select multiple products by selecting the corresponding check boxes. Click Select Updates. The Cisco.com and Proxy Server Credentials dialog box appears. Enter your Cisco.com username and password to connect to Cisco.com, for software updates. If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server Setup, you must enter the Proxy server username and password.
Step 2
Step 3
Step 4
Step 5
Click Next. A list of available Software Updates for the selected product appears. Select the Software Update you need to download and click Next. You can filter the required images based on Type, Package Name, Product Name, and Available Version With Patch Level. To filter the images, choose the filter source from the drop-down list and specify the filter pattern in the text box. For example, if you select the Filter Source as Package Name and Pattern as cmfSw001, all packages with name starting as cmfSw001 will be listed. Regular expressions are not supported for the patterns. Patterns are case sensitive. For example, if the list of available packages are CatGL3, Cat4000, Cat3560, Pix, cigesm, and CAT2900XL, then a filter pattern Cat will list the CatGL3, Cat4000 and Cat3560 packages:
Step 6
Step 7
Select a destination location or browse to the location and click Next. The destination location should not be the location where Cisco Prime is installed or any of the OS directories. Software Center does not support downloading device or software updates in the same directory where you have installed Cisco Prime LMS, or any of its sub-directories. By default, the destination location is:

/opt/psu_download (On Solaris/Soft Appliance) System Drive:\psu_download (On Windows)
The Download Summary window appears.

Step 8
Click Finish to confirm download of the selected packages. If you do not want to add the selected packages, click Back to reselect packages or click Cancel to exit.
13-3
Chapter 13 Performing Device Update
Downloading Software Updates

You can download the selected updates from Software Center. To download updates from Software Center:
Step 1
Select Admin > System > Software Center > Software Update. The Software Updates page appears. Go to the Products Installed table and select the check box corresponding to the product for which you want to download the update. You can select multiple products by selecting the corresponding check boxes. Click Download Updates. The Cisco.com and Proxy Server Credentials dialog box appears. Enter your Cisco.com username and password. Both are mandatory. If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server Setup, you must enter Proxy server username and password.
Step 2
Step 3
Step 4
Step 5
Select a destination location or browse to the location and click Next. The destination location should not be the location where Cisco Prime is installed or any of the OS directories. Software Center does not support downloading device or software updates in the same directory where you have installed Cisco Prime LMS, or any of its sub- directories. By default, the destination location is:

Step 6
Click Finish to confirm the download operation. To return to the Software Update page, click Cancel.
Performing Device Update

You can view a list of all Cisco Prime related devices packages on your system using this option. It displays a count of devices supported for each product installed in the system. For device updates the source location could be Cisco.com or the Server Side Directory. The Device Updates link under Software Center takes you to the Device Updates page. The Device Update page lists the product name and the device type count. The default summary screen shows the number of devices supported for each product installed in the system. You can view a package map and a device map for each product installed.
13-4
OL-20721-01
Chapter 13
Working With Software Center Performing Device Update
You can also check for the device updates and delete the device packages using the Device Update page. This section contains the following:

Viewing Package Map Viewing Device Map Checking for Updates Deleting Packages
Viewing Package Map

A package map is a snap shot of the currently installed device packages for a Product. The backup-restore framework uses Package map during data backup. To view a package map for an installed product, click the product name link. A popup window appears with the information on the packages installed. The package name, version, and description are displayed. You can filter the device packages based on Package Name and Version. To filter the packages, choose the filter source from the drop-down list and specify the filter pattern in the text box. For example, if you specify the Filter Source as Package Name and Pattern as Cat, all package names starting with Cat will be listed. A package name identifies the device package. For example, the package name AP350 represents Cisco Aironet 350 Device Package. You have to use package name while specifying the download policy, and while performing other Software Center operations where you have to specify the package name.
Viewing Device Map

To view a device map for an installed product, click the device type count link. A popup window appears with the information on the devices installed. The device map lists the sysObjectID, Device Name, Package Name, and Version. You can filter the packages based on sysObjectID, DeviceName, Package Name, and Version. To filter the packages, choose the filter source from the drop-down list and specify the filter pattern in the text box. For example, if you specify the Filter Source as sysObjectID and pattern as 1.3.6.1.4.1.9, details of all devices with SysobjectID starting with 1.3.6.1.4.1.9 will be listed.
13-5
Chapter 13 Performing Device Update
Checking for Updates

You can check for updates using this option. To check for the updates:
Step 1
Select Admin > System > Software Center > Device Update. The Device Updates page appears. Select the check box corresponding to the product for which you want to check for updates and click Check for Updates. The Source Location page appears. You can check for updates at Cisco.com or a server.

Step 2
To check for updates at Cisco.com, select the Cisco.com radio button. To check for updates from a server, select the Enter Server Path radio button and enter the path or browse to the location using the Browse tab.
Step 3
Click Next. The Cisco.com and Proxy Server Credentials dialog box appears, if you have selected to check for updates at Cisco.com.
Step 4
Enter your Cisco.com username and password. If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server Setup, you must enter Proxy server username and password.
Step 5
Click Next. The Available Packages and Installed Packages page appears. It displays:

Package Name: Name of the package. Type: Type of the update. For example, whether the update is a device package or IDU package. Product Name: Product for which the update is available. Installed Version: Current version of that product installed in the server. Available version: Version of the product that is available (Other than the installed version). Readme Details: Links to the Readme files associated with the update. Posted date: Date on which the update was posted on Cisco.com. Size: Size of the update.
Step 6
Select the check box corresponding to the package that you wish to update and click Next. The Device Update page appears. You can either install the device packages or download them.

To install device packages, select the Install Device Packages radio button. To download device packages, select the Download Device Packages radio button.
13-6
OL-20721-01
Chapter 13
Working With Software Center Performing Device Update
If you select Download Device Packages:

a.
Enter the folder in File Selection field or click Browse to select the destination directory. By default, the destination location is:
b.
Set the frequency of downloads, select the run type from the Run Type drop-down list. The options are:
Immediate Once
If you choose any of the options other than Immediate, set the date and time.
Select the date from the date picker. The date picker displays the date from the client system. Specify the time from the drop-down lists. c. d.
Enter a description for the download job in the Job Description field. This is mandatory. Enter an e-mail ID in the E-mail field. You can enter multiple e-mail addresses separated by comma. Click Next. The Summary window displays the details. Click Finish to confirm. Click Next. The Summary window displays the details. Click Finish to confirm. A message that the daemons are restarted, appears.
e.
f.
If you select Install Device Packages:

a.
b.
Step 7
Click OK to continue.
Deleting Packages
You can also delete packages that are outdated or you no longer use. To delete a package:
Step 1
Select Admin > System > Software Center > Device Update. The Device Update page appears. Select the check box corresponding to the product and click Delete Packages. The wizard displays a window that has the Package name, the Product name, and the Installed version details.
Step 2
Step 3
Select the check box corresponding to the Package you want to delete.
13-7
Chapter 13 Scheduling Device Package Downloads
You can filter the available device packages based on Package Name, Product Name, Installed Version. To filter the packages, choose the filter source from the drop-down list and specify the filter pattern in the text box. For example, If you select the Filter Source as Package Name and Pattern as cmfSw001, all packages with name starting as cmfSw001 will be listed. Regular expressions are not supported for the patterns. Patterns are case sensitive. For example, if the list of available packages are CatGL3, Cat4000, Cat3560, Pix, cigesm, and CAT2900XL, then a filter pattern Cat will list the CatGL3, Cat4000 and Cat3560 packages:
Step 4
Click Next. The Summary window appears with the details of the Product and the Packages selected. Click Finish to confirm deletion.

Step 5
To make changes in the previous windows, click Back. To cancel the operation, click Cancel.
After you have confirmed the Delete Packages operation, a message that the daemons are restarted appears.
Step 6
Click OK to continue.
Scheduling Device Package Downloads

You can schedule device package downloads and specify the time, frequency of the downloads. You can also specify download policies. Software Center supports the following download policies:

Download all latest device packages of products installed in the machine. Download newer versions of currently installed packages. Download the specified packages (comma separated).
You have to provide your Cisco.com credentials and the location to which the packages should be downloaded. To schedule device package downloads:
Step 1
Select Admin > System > Software Center > Schedule Device Downloads. The Schedule Device Downloads dialog box appears. Enter your Cisco.com username and password. Enter the Proxy server username and password only if you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server Setup.
Step 2
Step 3
Enter the destination location, or browse to the location using the Browse tab. By default, the destination location is:

13-8
OL-20721-01
Chapter 13
Working With Software Center Scheduled Job
Step 4
Specify the download policy you require:

Download the latest versions of all packages Download only the latest versions of currently installed packages Download specified packages
Note
You must enter the device package name without any extension. The package name is case-sensitive.
Step 5 Step 6
Select the run type from the Run Type drop-down list, to set the frequency of downloads. Select the date from the drop-down calendar, and specify the time using the drop-down lists. The calendar displays the date from the client system. Enter a description for the download job in the Job Description field. This is mandatory. Enter an e-mail ID in the E-mail field. You can enter multiple e-mail addresses separated by comma. Click Apply to apply the changes. Or Click Cancel to exit without saving changes.
Step 7 Step 8
Step 9
Note
You can schedule only one download at a time.
You can view the scheduled job status and details from the Job Browser window (Admin > Jobs > Browser).
Scheduled Job
The Scheduled Job Details page displays the activities that are performed using Software Center. The Scheduled Job table records and displays the downloads to the server. You can view the log from the server or any client workstation. To view Scheduled Job Details: Select Admin > System > Software Center > Scheduled Job Details. The Scheduled Job Details page appears with the following information:

JobJob ID of the job that is scheduled by Cisco Prime user. DateTime and the date on which the job was run. Applicable ProductsProducts to which the download is applicable.
You can delete the information on a job from the list. To delete a job information, select a job from the list, and click Delete. The job information is deleted only from this page. However, this remains in the Job Browser page.
13-9
Chapter 13 Event Log
Event Log
The Event log page displays the activities that are performed using Software Center. The Event Log table shows the list of immediate downloads, installations and un-installations of device packages carried out. You can view the log from the server or any client workstation. To view the Event Log: Select Admin > System > Software Center > Event Log. The Event Log page appears with the following information:

Product NameName of the product. DescriptionSummary of the activity. DateDate and time when the operations were carried out. Event TypeShows one of the following:
Device Package Downloads Software Download Install Device Packages / Uninstall Device Packages
StatusStatus of the event (Completed Successfully, Failed or Executed). Click on the Status link to get more details on the operation.
You can delete either all the event logs or specific event logs from the list. Select the log entries and click Delete to delete the selected entries.
Using the Software Center CLI Utility

LMS provides a command line utility that supports most of the Software Center features. The utility is available at NMSROOT/bin/, as:

PSUCli.bat (on Windows) PSUCli.sh (on Solaris/Soft Appliance) Download Software Updates. Download Device Package Updates. Install Device Packages. Uninstall Device Packages. Query Updates on the LMS Server. List Dependent Device Packages. List Device Packages Version.
The utility helps you do the following:

13-10
OL-20721-01
Chapter 13
Working With Software Center Using the Software Center CLI Utility
To install new device packages from Cisco.com, you have to first download the packages from Cisco.com, save them to a directory in your computer, and then install them, specifying the directory. To get help on command usage, enter:

NMSROOT\bin\PSUCli.bat -h (On Windows) NMSROOT/bin/PSUCli.sh -h (On Solaris/Soft Appliance)
This lists the commands, options, and valid product names. This section explains the following:

Querying Updates on the LMS Server Installing Device Packages Uninstalling Device Packages Downloading Software Updates Downloading Device Updates Listing Dependent Device Packages Listing Device Packages Version
Querying Updates on the LMS Server

To get a list of installed packages, enter: NMSROOT\bin\PSUCli.bat -p product -query [-src dir] {-all |PackageNames} (On Windows) NMSROOT/bin/PSUCli.sh -p product -query [-src dir] {-all |PackageNames} (On Solaris/Soft Appliance) You have to use either the -all option or specify the package names.

-p
product Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with the -h option lists the valid product names. Lists the packages (default source location is installed repository of the product). all packages available at the source location.
-query (-q)
-allSelects -src
dirSource location of the packages
PackageNamesNames of the device packages, for example Cat5000, Cat6000, AS5850
Note
Example
NMSROOT\bin\PSUCli.bat -p rme -q -all This lists all the installed packages for LMS in the installed repository for LMS. To list all packages in the specified directory for LMS, enter: NMSROOT\bin\PSUCli.bat -p rme -src dir -q
13-11
Chapter 13 Using the Software Center CLI Utility
Installing Device Packages

To install device packages from the directory you specify, enter: NMSROOT\bin\PSUCli.bat -p product -install -src dir {-all |PackageNames}[-noprompt] (On Windows) NMSROOT/bin/PSUCli.sh -p product -install -src dir {-all |PackageNames} [-noprompt] (On Solaris/Soft Appliance) You have use either the -all option or specify the package names.

-p
product Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with the -h option lists the valid product names. packages (from user specified directory). all packages available at the source location.
-install (-i)Installs -allSelects -src
dirSource location of the packages
Note
-nopromptFlag
to turn off the prompt that appears to restart the daemon services during device packages installation
Example
NMSROOT\bin\PSUCli.bat -p rme -i -src dir Cat6000 Cat4000 This installs the specified packages (Cat6000, Cat4000) for LMS, from the specified directory.
Uninstalling Device Packages

To uninstall device packages, enter: NMSROOT\bin\PSUCli.bat -p product -uninstall {-all |PackageNames} [-noprompt] (On Windows) NMSROOT/bin/PSUCli.sh -p product -uninstall {-all |PackageNames} [-noprompt](On Solaris/Soft Appliance) You have use either the -all option or specify the package names.

-p
product Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with -h option lists the valid product names. Uninstalls packages (from user specified directory). all packages available at the source location.
-uninstall (-u) -allSelects
Note
13-12
OL-20721-01
Chapter 13
-nopromptFlag
to turn off the prompt that appears to restart the daemon services during device packages installation
Example
NMSROOT\bin\PSUCli.bat -p rme -u -all This uninstalls all packages of LMS, from the installed repository.
Downloading Software Updates

To download the Software Updates, enter: NMSROOT\bin\PSUCli.bat -p product -software -dst download directory {-all |PackageNames} (On Windows) NMSROOT/bin/PSUCli.sh -p product -software -dst download directory {-all |PackageNames} (On Solaris/Soft Appliance)

-p productSpecify the Product for which you want to download the Software Update. Invoking CLI with -h option lists the valid product names. -software (-s)
Download Software packages for the specified product or products.
-dst download directorySpecify the directory to which you want to download the Software Update.
Do not specify the same directory where you have installed Cisco Prime LMS, or any of the sub directories in it.

-allSelects
all the available software updates on Cisco.com for download.
PackageNamesNames of the software update package available on Cisco.com, for example, cwcs3_0_4_win, cwcs3_0_6_sol_k9.
Note
You must enter the software update package name without any extension. The package name is case-sensitive.
You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy settings, you will be prompted for Proxy Server User credentials. The destination location should not be the location where Cisco Prime is installed or any one of the OS directories. Software Center does not support downloading device or software updates in the same directory where you have installed Cisco Prime LMS, or any of its sub- directories.
Downloading Device Updates

To download the Device Updates, enter: NMSROOT\bin\PSUCli.bat -p product -download -dst download directory {-all |PackageNames} (On Windows). NMSROOT/bin/PSUCli.sh -p product -download -dst download directory {-all |PackageNames} (On Solaris/Soft Appliance).
-p productSpecify the Product for which you want to download the Device Update. Invoking CLI with -h option lists the valid product names.
13-13
Chapter 13 Using the Software Center CLI Utility
-download (-d)Download -dst
Device packages for the specified product or products.
download directorySpecify the directory to which you want to download the Device Update.
Do not specify the same directory where you have installed Cisco Prime LMS, or any of the sub directories in it.

-allSelects
all available device packages for download from Cisco.com.
PackageNamesNames of the device packages, for example Cat5000, Cat6000, AS5850.
Note
You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy settings, you will be prompted for Proxy Server User credentials. The destination location should not be the location where Cisco Prime is installed or any of the OS directories. Software Center does not support downloading device or software updates in the same directory where you have installed Cisco Prime LMS, or any of its sub- directories.
Listing Dependent Device Packages

To list the dependent packages of one or more device packages, or all device packages, enter: NMSROOT\bin\PSUCli.bat -p product -pkgDependents -src dir {-all |PackageNames} (On Windows) NMSROOT/bin/PSUCli.sh -p product -pkgDependents -src dir {-all |PackageNames} (On Solaris/Soft Appliance) You have use either the -all option or specify the package names.

-p
product Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with -h option lists the valid product names. the base or dependent packages for the specified packages present
-pkgDependents (-pdep)List
in the source location.

-allSelects
all packages available at the source location.
Note
Example
NMSROOT\bin\PSUCli.bat -p rme -pdep Cat5000 This lists all dependent packages of LMS Cat5000 device package installed.
13-14
OL-20721-01
Chapter 13
Listing Device Packages Version

To list the versions of one or more device packages, or all device packages, enter: NMSROOT\bin\PSUCli.bat -p product -pkgVersion -src dir {-all |PackageNames} (On Windows) NMSROOT/bin/PSUCli.sh -p product -pkgVersion -src dir {-all |PackageNames} (On Solaris/Soft Appliance) You have use either the -all option or specify the package names.

-p
product Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with -h option lists the valid product names. theversions of all or specified packages present in the source location. all packages available at the source location.
-pkgVersion (-pver)List -allSelects
Note
Example
NMSROOT\bin\PSUCli.bat -p rme -pver Cat5000 This lists the version of the LMS Cat5000 device package installed.
13-15
CH A P T E R
14
Discrepancies and Best Practices Deviations

The Discrepancies Reporting module of LMS allows you to view the discrepancies and best practices deviations in your network. This chapter contains the following:

Understanding Discrepancies and Best Practices Deviations Interpreting Discrepancies Interpreting Best Practices Deviations Customizing Discrepancies Reporting and Syslog Generation
Understanding Discrepancies and Best Practices Deviations

LMS provides reports on discrepancies, such as network inconsistencies and anomalies or misconfiguration in the discovered network. This makes it easy to identify configuration errors such as link-speed mismatches on either end of a connection. Discrepancies are computed at the end of each data collection schedule. LMS also reports Best Practices Deviations. These are variations from the normal or recommended practices in a network. These do not have any serious impact on the functioning of the network. LMS allows you to:

View Reports on Discrepancies. Select Reports > Fault and Event > Best Practices > Discrepancies. View Reports on Best Practices Deviations. Select Reports > Fault and Event > Best Practices > Deviation. Acknowledge Discrepancies. Acknowledge Best Practices Deviations. Resolve Discrepancies and Best Practices Deviations. Customize Discrepancies Reporting. For details, see Customizing Discrepancies Reporting and Syslog Generation.
14-1
Chapter 14 Interpreting Discrepancies
Fixing Discrepancies and Best Practices Deviations through LMS
The following Discrepancies can be fixed through LMS:

Link Duplex Mismatch Link Speed Mismatch Link Trunk/NonTrunk Mismatch Port Fast Enabled on Trunk Port BPDU Filter Disabled on Access Ports BPDU-Guard Disabled on Access Ports Loop Guard and Port Fast Enabled on Ports UDLD Disabled on Link Ports CDP Enabled on Access Ports High Availability not Operational
The following Best Practices Deviations can be fixed through LMS:

Interpreting Discrepancies
This section contains information on each of the discrepancy reported in LMS. It describes the discrepancy, the impact it has on the network, and ways to resolve it. The user interface in LMS displays commands you can use to make configuration changes on devices to resolve discrepancies. This section contains:

Trunking Related Discrepancies VLAN-VTP Related Discrepancies Link Related Discrepancies Port Related Discrepancy Device Related Discrepancy Spanning Tree Related Discrepancy
Trunking Related Discrepancies

The trunking related discrepancies that LMS reports are:

Trunk Negotiation Across VTP Boundary Native VLANs Mismatch Trunk VLANs Mismatch Trunk VLAN Protocol Mismatch
14-2
OL-20721-01
Chapter 14
Discrepancies and Best Practices Deviations Interpreting Discrepancies
Trunk Negotiation Across VTP Boundary

LMS reports a discrepancy when the trunk mode on any end of the trunk link is set to Auto or Desirable. Dynamic Trunking Protocol (DTP) cannot be used for trunk negotiation across VTP domain boundary. This occurs when trunk mode on both sides has any of the following combinations:

On/Auto On/Desirable Desirable/Auto Desirable/Desirable Off/Desirable
Impact
Trunk negotiation across VTP boundary (that is, trunk link connecting two devices that are part of different VTP domains) fails.
Fix
You cannot fix this discrepancy using LMS. To fix the discrepancy on switches using Cisco IOS:
Step 1 Step 2
Make sure that the Trunk mode is ON, on both sides of the link. Enter the following command:
switchport trunk encapsulation switchport mode trunk end
dot1q | isl
Step 3
Enter the following command to check the status:

show interfaces trunk
Or
show interface
mod interface_id trunk
To fix the discrepancy on switches using Catalyst operating system:

Step 1 Step 2
Make sure that the Trunk mode is ON, on both sides of the link. .Enter the following command:
set trunk
mod/port on Dot1Q | ISL
Step 3
Enter the following command to check the status:

show trunk
mod/port
14-3
Native VLANs Mismatch

LMS reports a discrepancy when the native VLANs of all ports in a trunk do not match. This mismatch occurs when you have created a trunk port to connect another switch, and both ends are in different native VLANs.
Note
This discrepancy is applicable only for trunks that use 802.1q encapsulation.
Impact
The native VLAN must match on both sides of the trunk link, otherwise the traffic flow across the link is affected. The trunk continues to remain operational.
Fix
If you have altered the default native VLAN configuration, ensure that all trunks have the same native VLAN. Use the set vlan command for Cisco Catalyst operating system switches or the switchport trunk native vlan command for Cisco IOS switches to specify the native VLAN. You cannot fix this discrepancy through LMS. For more information on configuring VLANs, see the document Creating and Maintaining VLANs at the following location: http://www.cisco.com/en/US/partner/products/hw/switches/ps637/ products_configuration_guide_chapter09186a008007f261.html
Trunk VLANs Mismatch

LMS reports a discrepancy when the list of active or allowed VLANs between the two ends of a trunk do not match.
Impact
The trunk remains operational but the network traffic across the link is affected.
Fix
You can resolve this by modifying the list of allowed VLANs between the two ends of a trunk and ensuring that there is no mismatch. You cannot fix this discrepancy through LMS.
Trunk VLAN Protocol Mismatch

LMS reports a discrepancy when different trunk encapsulations are set on the two ends of a trunk. For example, when one end of a trunk is configured as ISL and the other as 802.1q, LMS reports a discrepancy. ISL and 802.1q are the different encapsulation types that you can configure in a trunk VLAN.
Impact
The trunk remains operational when the trunk mode is set to On or No-negotiate with mismatching encapsulation types. However, the network traffic across the link is affected because of the mismatch.
14-4
OL-20721-01
Chapter 14
Fix
Configure the same encapsulation type on both ends of the trunk. You cannot fix this discrepancy through LMS.
VLAN-VTP Related Discrepancies

The VLAN-VTP related discrepancies that LMS reports are:

VTP Disconnected Domain No VTP Server in Domain with at least One VTP Client
VTP Disconnected Domain

LMS reports a discrepancy if the devices that are part of the same VTP domain have different VTP configuration revision numbers. When a switch in the same VTP domain has a higher configuration revision number compared to the other switches, it could overwrite your server-configured switch with incorrect information.
Impact
The VLAN information is not dynamically shared across the VTP domain.
Fix
Ensure that you configure VTP Configuration Revision number consistently across devices of the same VTP domain. You cannot fix this discrepancy through LMS.
No VTP Server in Domain with at least One VTP Client

LMS reports a discrepancy when there is no VTP Server configured in a VTP domain. You can configure a switch to operate in any one of these VTP modesServer, Client, Transparent, and Off. Primary and secondary servers are two types of servers that may exist on an instance in the VTPv3 domain. A VTP client cannot store VLAN information. When a VTP client boots, it needs to reacquire the entire configuration that is propagated by VTP. The primary server can initiate or change the VTP configuration. The main purpose of a VTP secondary server is to back up the configuration that is propagated over the network.
Impact
LMS reports a discrepancy when an existing VTP server or primary server goes down and there is no alternative or backup server. This can occur in a VTPv2 or VTPv3 domain that has only client mode devices. This could happen when the existing primary server or server mode device has gone down temporarily and if the server mode device does not come up. If you do not configure at least one server, the devices become unreachable. LMS discovers only the client-mode devices in the domain and ignores the rest.
14-5
Fix
Configure at least one device as server in a VTP domain. If the device you have configured as server is temporarily down, configure another device as server. You cannot fix this discrepancy through LMS. For more information on VTP domain, see the document Configuring VTP at the following location: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/vtp.html
Link Related Discrepancies

The link related discrepancies that LMS reports are:

Link Duplex Mismatch Link Speed Mismatch Link Trunk/NonTrunk Mismatch
Link Duplex Mismatch

LMS reports a discrepancy when there is a duplex mismatch between links. Duplex mismatch on 10/100Mb Ethernet links occurs when one port on the link is operating at half-duplex while the other port is operating at full-duplex. This happens when one or both ports on a link are reset and the auto-negotiation process does not cause both partners to have the same configuration. It also happens when you reconfigure one side of a link and do not reconfigure the other side.
Impact
Half-duplex device waits until no other devices are transmitting on the same LAN segment. However a full-duplex device transmits whenever it has something to send, regardless of other devices. If this transmission occurs while the half-duplex device is transmitting, the half-duplex device will consider this either a collision (during the slot time), or a late collision (after the slot time). Since the full-duplex side does not expect collisions, it does not realize that it must retransmit that dropped packet. A low percentage rate of collisions are normal with half-duplex, but not with full-duplex. If the switch port receives many late collisions, it usually indicates a duplex mismatch problem. See Figure 14-1.
14-6
OL-20721-01
Chapter 14
Figure 14-1
Duplex Mismatch
A (root) Half-Duplex Half-Duplex: Still runs carrier sense and collision detection Collision C BPDU lost to be retransmitted A Full-Duplex Does not do carrier sense
X
Fix
LMS provides commands to resolve link duplex mismatch. LMS displays commands to set the port speed to Auto. Setting the port speed to Auto will automatically make the link duplex to be negotiated between devices. To fix the discrepancy on switches using Cisco IOS:
Step 1
Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command:
duplex auto end
where auto enables the autonegotiation capability.

Step 2
Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.
130876
14-7
To fix the discrepancy on switches using Catalyst operating system:

Step 1
set port speed
mod/port auto
where:
Step 2
mod/port refers to the number of the module and the port on the module
auto
specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet
ports Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.
Link Speed Mismatch

LMS reports a discrepancy when there is a mismatch in the link speeds, that is, different link speeds on either side of a link (for 10/100 ports or for any group of links). The IEEE 802.3u autonegotiation protocol manages the switch settings for speed (10 Mbps or 100 Mbps) and duplex (half or full). There are situations when this protocol can incorrectly align these settings, reducing performance. A mismatch occurs under these circumstances:

A manually-set speed or duplex parameter is different from the manually set speed or duplex parameter on the connected port. A port is in Autonegotiate mode and the connected port is set to full duplex with no autonegotiation.
Impact
Link speed mismatch results in reduced performance of the link.

Fix
LMS displays commands to resolve link speed mismatch. To fix the discrepancy on switches using Cisco IOS:
Step 1
speed auto end
where auto enables the autonegotiation capability.

Step 2
14-8
OL-20721-01
Chapter 14
To fix the discrepancy on switches using the Catalyst operating system:

Step 1
set port speed
mod/port auto
where:
Step 2
mod/port refers to the number of the module and the port on the module
auto
specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet
ports Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.
Link Trunk/NonTrunk Mismatch

LMS reports a discrepancy when there are trunking ports and non-trunking ports on either side of a link. This happens when one end of the trunk is set to On, and the other end is set to Off.
Impact
This results in the trunk not coming up, and there would be no traffic flow across the link.
Fix
LMS resolves the discrepancy by setting the trunk modes on the switches to Desirable mode. To fix the discrepancy on switches using the Catalyst operating system:
Step 1
set trunk
mod/port desirable
where:
Step 2
desirable
causes the port to negotiate actively with the neighboring port to become a trunk link
mod/port specifies the number of the module and the port or ports on the module
14-9
To fix the discrepancy on switches using Cisco IOS:

Step 1
switchport mode dynamic desirable end
where dynamic desirable specifies an interface that actively attempts to convert the link to a trunk link.
Step 2
Port Related Discrepancy

The port related discrepancy that LMS reports is Port is in Error Disabled State. See Port is in Error Disabled State
Port is in Error Disabled State

LMS reports a discrepancy when one or more of the switch ports in the discovered network have a status of errDisable.
Causes of errDisable
A port enters errdisable state for any of the following reasons:

Channel misconfiguration Duplex mismatch BPDU port-guard UDLD
Impact
When a port is error-disabled, it is effectively shut down and no traffic is sent or received on that port. The port LED is set to the color orange and when you enter the show port command, the port status shows errdisable.
Fix
To recover from errDisable:

Step 1 Step 2
Identify and fix whatever caused the ports to become error-disabled (cable, NICs, EtherChannel, and so on). Re-enable the port.
14-10
OL-20721-01
Chapter 14
You cannot fix this discrepancy through LMS. For more information on the errDisable state, see the document Recovering From errDisable Port State on the CatOS Platforms at the following location: http://www.cisco.com/en/US/partner/tech/tk389/tk214/technologies_tech_note09186a0080093dcb.sht ml
Device Related Discrepancy

The device related discrepancy that LMS reports is Devices With Duplicate Sysname. See Devices With Duplicate SysName, page 14-11
Devices With Duplicate SysName

LMS reports a discrepancy when it discovers two devices with the same SysName. LMS stores the device details of only one of the two devices.
Impact
LMS manages only one of these devices.

Fix
Assign unique SysName for all devices in the network. You cannot fix this discrepancy through LMS.
Spanning Tree Related Discrepancy

The spanning tree related discrepancy that LMS reports is PortFast Enabled on Trunk Port. See Port Fast Enabled on Trunk Port
Port Fast Enabled on Trunk Port

LMS reports a discrepancy when PortFast is enabled on trunk ports. PortFast causes a spanning tree port to immediately enter the forwarding state, bypassing the listening and learning states. You must disable STP PortFast for switch-switch links. This is because, if you enable PortFast on a port that is connected to another Layer 2 device, such as a switch, you might create network loops.
Impact
If you enable PortFast on ports that connect two switches, spanning tree loops can occur if Bridge Protocol Data Units (BPDUs) are being transmitted and received on those ports.
14-11
Chapter 14 Interpreting Best Practices Deviations
Fix
LMS provides commands for disabling PortFast on ports. To fix the discrepancy on switches using the Catalyst operating system:
Step 1
set spantree portfast mod/port disable
where disable disables the spanning tree PortFast-start feature on the port.
Step 2
To fix the discrepancy on switches using Cisco IOS:

Step 1
no spanning-tree portfast end
This command disables PortFast on the given port.

Step 2
Interpreting Best Practices Deviations

This section contains information on each of the Best Practice Deviation reported in LMS. It gives a description of the Best Practice Deviation, the impact (if any) it has on the network, and ways to resolve it. The user interface in LMS displays commands to make configuration changes on devices, to resolve some Best Practices deviations. This section contains:

Channel Ports Related Best Practices Deviations Spanning Tree Related Best Practices Deviations Trunk Ports Related Best Practices Deviations VLAN Related Best Practices Deviations Link Ports Related Best Practice Deviation Access Ports Related Best Practice Deviation Cisco Catalyst 6000 Devices Related Best Practice Deviation
14-12
OL-20721-01
Chapter 14
Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations
Channel Ports Related Best Practices Deviations

The channel ports related best practices deviations that LMS reports are:

Non-channel Port in Desirable Mode Channel Port in Auto Mode
Non-channel Port in Desirable Mode

LMS reports a Best Practice Deviation when a non-channel port is in the Desirable mode. There are four user-configurable channel modes:

On Off Auto Desirable
Port Aggregation Protocol (PAgP) packets are exchanged only between ports in Auto and Desirable modes. Ports configured in on or off mode do not exchange PAgP packets. To form EtherChannel between, it is best to have both switches set to the Desirable mode. This gives the most robust behavior if one side or the other encounters error situations or is reset. The default mode of the channel is Auto. Both Auto and Desirable modes allow ports to negotiate with connected ports to determine whether they can form a channel. The determination is based on criteria such as port speed, trunking state, and native VLAN. Ports can form an EtherChannel when they are in different channel modes if the modes are compatible. Examples of ports that can form an EtherChannel are:

A port in desirable mode can successfully form an EtherChannel with another port that is in Desirable or Auto mode. A port in the Auto mode can form an EtherChannel with another port in the Desirable mode. A port in the Auto mode cannot form an EtherChannel with another port that is also in the Auto mode, since neither port initiates negotiation. A port in the On mode can form a channel only with a port in the On mode because ports in On mode do not exchange PAgP packets. A port in Off mode cannot form a channel with any port.
Impact
When a non-channel port is in the Desirable mode, the links will not be efficiently used.
14-13
Fix
To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1
Go to the Best Practice Deviation report and click the hyperlink in the Summary field. The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the following command: set port channel mod/port mode auto Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Step 2
To fix the Best Practice Deviation on switches using Cisco IOS:

Step 1
Go to the Best Practice Deviation report and click the hyperlink in the Summary field. The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the following command: channel-group Channel group number mode auto Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Step 2
Channel Port in Auto Mode

LMS reports a Best Practice Deviation when a channel port is in Auto mode. There are four user-configurable channel modes:

On Off Auto Desirable
Port Aggregation Protocol (PAgP) packets are exchanged only between ports in Auto and Desirable mode. Ports configured in On or Off mode do not exchange PAgP packets. For switches to which you want to form an EtherChannel, it is best to have both switches set to Desirable mode. This gives the most robust behavior if one of the sides encounters error situations or is reset. The default mode of the channel is Auto. Both Auto and Desirable modes allow ports to negotiate with connected ports to determine if they can form a channel. The determination is based on criteria such as port speed, trunking state, and native VLAN. Ports can form an EtherChannel when they are in different channel modes if the modes are compatible. Examples of ports that can form an EtherChannel are:

A port in Desirable mode can successfully form an EtherChannel with another port that is in Desirable or Auto mode. A port in Auto mode can form an EtherChannel with another port in Desirable mode.
14-14
OL-20721-01
Chapter 14
A port in Auto mode cannot form an EtherChannel with another port that is also in Auto mode, since neither port initiates negotiation. A port in On mode can form a channel only with another port also in On mode, because ports in this mode do not exchange PAgP packets. A port in Off mode cannot form a channel with any port.
Impact
Channel port set to Auto mode is considered a Best Practice Deviation because it is not the recommended configuration. Cisco recommends that you set the channel port to Desirable mode. There is no serious impact on the network.
Fix
To fix the Best Practise Deviation on switches using the Catalyst operating system:
Step 1
Go to the Best Practise Deviation report and click the hyperlink in the Summary field. The Best Practise Deviation Detail dialog box appears. The Recommended Fix field displays the following command:
set port channel
mod/port mode desirable
which sets the port to desirable mode.

Step 2
Click Fix. A message appears indicating whether the Best Practise Deviation was successfully fixed or not.
To fix the Best Practise Deviation on switches using Cisco IOS:

Step 1
Go to the Best Practise Deviation report and click the hyperlink in the Summary field. The Best Practise Deviation Detail dialog box appears. The Recommended Fix field displays the following command:
channel-group Channel group number mode desirable
which sets the port to desirable mode.

Step 2
Click Fix. A message appears indicating whether the Best Practise Deviation was successfully fixed or not.
Spanning Tree Related Best Practices Deviations

The spanning tree related best practices deviations that LMS reports are:

BPDU Filter Disabled on Access Ports BPDU-Guard Disabled on Access Ports BackboneFast Disabled in Switch UplinkFast not Enabled Loop Guard and Port Fast Enabled on Ports
14-15
BPDU Filter Disabled on Access Ports

LMS reports a Best Practice Deviation when BPDU Filter is not enabled on access ports.
Impact
BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states. By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled. BDPUFilter can be enabled for each port or globally. When you enable BPDUFilter globally, it applies to all PortFast-enabled ports on the switch. When you disable PortFast on a port, the BPDU Filter that was globally enabled on the PortFast enabled port is also disabled.
Fix
LMS provides commands for enabling BPDU Filter on access ports. To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1
Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
set spantree bpdu-filter
mod/port enable
where:
Step 2
mod/port specifies the number of the module and the port on the module
enable
enables BPDU packet filtering
Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

Step 1
spanning-tree bpdufilter enable end
where enable enables BPDU Filtering on the particular interface.

Step 2
14-16
OL-20721-01
Chapter 14
BPDU-Guard Disabled on Access Ports

LMS reports a Best Practice Deviation if PortFast is enabled and BPDU-Guard is not enabled on a port. BPDU-Guard prevents spanning-tree loops by moving a port into the errdisable state when a BPDU is received on that port. When you enable BPDU-Guard on the switch, spanning tree shuts down the interfaces that receive BPDUs instead of putting the interfaces into the spanning-tree blocking state.
Impact
Cisco recommends that you enable BPDUGuard to block incoming BPDUs on edge devices (end-hosts). The Cisco BPDUGuard feature, when enabled, informs the switch to disable PortFast ports if a BPDU is received on those ports. BDPUGuard can be enabled on each port or globally. When you enable BPDUGuard globally, it applies to all PortFast-enabled ports on the switch.
Fix
LMS displays commands for enabling BPDU Filter on access ports. To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1
set spantree bpdu-guard
mod/port enable
where:
Step 2
mod/port specifies the number of the module and the port on the module
enable
enables BPDUGuard

Step 1
spanning-tree bpduguard enable end
where enable enables BPDUGuard on the particular interface.

Step 2
14-17
BackboneFast Disabled in Switch

LMS reports a Best Practice Deviation when BackboneFast is enabled on one of the switches and not enabled on all other switches in a switch cloud. Cisco recommends that BackboneFast be enabled on all switches running STP. It can be added without disruption to a production network.
Impact
If you do not enable BackboneFast on all devices, it might lead to undesirable effects on the spanning tree operation. BackboneFast provides rapid convergence from indirect link failures. By adding functionality to STP, you can reduce convergence times from the default of 50 seconds to 30 seconds. Figure 14-2 shows an example topology with no link failures. Switch A, the root switch, connects directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that connects directly to Switch B is in the blocking state.
Figure 14-2 BackboneFast Example Before Indirect Link Failure
Switch A (Root) L1
Switch B
L2
L3 Blocked port Switch C

11241
If link L1 fails, Switch C detects this failure as an indirect failure, because it is not connected directly to link L1. Switch B no longer has a path to the root switch. BackboneFast allows the blocked port on Switch C to move immediately to the listening state without waiting for the maximum aging time for the port to expire. BackboneFast then transitions the port on Switch C to the forwarding state, providing a path from Switch B to Switch A. This switchover takes approximately 30 seconds. Figure 14-3 shows how BackboneFast reconfigures the topology to account for the failure of link L1.
14-18
OL-20721-01
Chapter 14
Figure 14-3
BackboneFast Example After Indirect Link Failure
Switch A (Root) L1 Link failure L2 L3
Switch B
Switch C
Fix
Enable BackboneFast on all switches in a switch cloud. To enable BackboneFast Globally on a Catalyst operating system:
Step 1
Enter the command:

set spantree backbonefast enable
Step 2
Enter this command to check the status:

show spantree backbonefast
To enable BackboneFast Globally on Cisco IOS:

Step 1
Enter the command:

spanning-tree backbonefast
Step 2

show spanning-tree backbonefast
You cannot fix this Best Practice Deviation through LMS. For more information on Spanning Tree related configuration, see the document Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast at the following location: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/stp_enha.ht ml
11244
BackboneFast transitions port through listening and learning states to forwarding state
14-19
UplinkFast not Enabled

LMS reports a Best Practice Deviation when UplinkFast is not enabled on switches.
Note
This Best Practice Deviation is not applicable if the device is not an access layer switch. Cisco recommends that you enable UplinkFast for switches with blocked ports, typically at the access layer. Do not use on switches without the implied topology knowledge of a backup root linktypically, distribution and core switches in Cisco's multilayer design. It can be added without disruption to a production network.
Impact
UplinkFast provides fast STP convergence after a direct link failure in the network access layer. It operates without modifying STP, and its purpose is to speed up convergence time in a specific circumstance to less than three seconds, rather than the typical 30-second delay. Figure 14-4 shows an example topology with no link failures. Switch A, the root switch, is connected directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that is connected directly to Switch B is in the blocking state.
Figure 14-4 UplinkFast Example Before Direct Link Failure
Switch A (Root) L1
Switch B
L2
L3 Blocked port Switch C

11241
If Switch C detects a link failure on the currently active link L2 (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure 14-5. This switchover takes approximately 1 to 5 seconds.
14-20
OL-20721-01
Chapter 14
Figure 14-5
UplinkFast Example After Direct Link Failure
Switch A (Root) L1
Switch B
L2 Link failure
L3 UplinkFast transitions port directly to forwarding state Switch C

11242
Fix
Enable UplinkFast on all access layer switches. To enable Uplink Fast on Catalyst operating system:
Step 1
Enter the command:

set spantree uplinkfast enable
Step 2

show spantree uplinkfast
To enable Uplink Fast on Cisco IOS:

Step 1
Enter the command:

spanning-tree uplinkfast
Step 2

show spanning-tree uplinkfast
You cannot fix this Best Practice Deviation through LMS. For more information on Spanning Tree related configuration, see the document Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast at the following location: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/stp_enha.ht ml
14-21
Loop Guard and Port Fast Enabled on Ports

Loop Guard
Assume that a switch port is receiving BPDUs, and is in the blocking state. The port makes up a redundant path. It is blocking because it is neither a Root Port nor a Designated Port. If, the flow of BPDUs stops, the last known BPDU is retained until the Max Age timer expires. When the Max Age timer expires, that BPDU is flushed, and the switch thinks there is no longer a need to block the port. The port moves through the STP states until it begins to forward traffic. The switch then forms a bridging loop. In its final state, the port becomes a Designated Port. To prevent this situation, you can use the loop guard STP feature. When you enable this feature, loop guard keeps track of the BPDU activity on nondesignated ports. While BPDUs are received, the port is allowed to behave normally. When BPDUs are missing, loop guard moves the port into the loop-inconsistent state. The port is effectively blocking at this point to prevent a loop from forming and to keep it in the nondesignated role. After BPDUs are received on the port again, loop guard allows the port to move through the normal STP states and become active. In this way, Loop Guard automatically governs ports without the need for manual intervention.
STP PortFast
STP configures meshed topology into a loop-free, tree-like topology. When the link on a bridge port goes up, STP calculation occurs on that port. The result of the calculation is the transition of the port into forwarding or blocking state. The result depends on the position of the port in the network and the STP parameters. This calculation and transition period usually takes about 30 to 50 seconds. At that time, no user data passes through the port. Owing to this, some user applications can time out during the period. To allow immediate transition of the port into forwarding state, enable the STP PortFast feature. PortFast immediately transitions the port into STP forwarding mode upon linkup. This way the port still participates in STP. So if the port is to be a part of the loop, the port eventually transitions into the STP blocking mode.
Impact
Enabling both the above features in a port, gives unpredictable results. Hence LMS flags it as a Best Practice Deviation.
Fix
If you fix the above Best Practice Deviation through LMS, it disables the Port Fast feature in the port. To fix the Best Practice Deviation on switches using the Catalyst operating system:
Step 1
set spantree portfast disable
Step 2
14-22
OL-20721-01
Chapter 14

Select Reports > Fault and Event. Select Best Practices Deviation Report from the TOC. Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command:
spanning-tree portfast disable
Step 4
Trunk Ports Related Best Practices Deviations

The trunk ports related best practices deviations that LMS reports are as follows:

Non-trunk Ports in Desirable Mode Trunk Ports in Auto Mode
Non-trunk Ports in Desirable Mode

LMS reports a Best Practice Deviation when non-trunk ports are set to Desirable mode.
Impact
Cisco recommends that you set trunk to Off on all non-trunk ports. This helps eliminate wasted negotiation time when bringing host ports up. If a non-trunk port is set to Desirable, it attempts to become a trunk port if the neighboring port is in Desirable or Auto mode, although that is not the intended behavior.
Fix
To fix the Best Practice Deviation, set the trunk mode to Off on all non-trunk ports. To fix it through LMS, on switches using the Catalyst operating system:
set port host mod/port
Step 4
14-23
To fix it through LMS, on switches using Cisco IOS:

switchport mode access
Step 4
Table 14-1 lists all possible combinations of trunk mode configurations and when LMS reports a Best Practice Deviation.
Table 14-1 Trunking Configuration 1
Modes On
On None. (Trunking)
Auto
Desirable None. (Trunking)
Nonegotiate None. (Trunking)
Off Reports Best Practice Deviation. (Not Trunking)
Reports Best Practice Deviation. (Trunking)
Auto
Reports Best None. Practice (Not Deviation. Trunking) (Trunking) None. (Trunking) Reports Best Practice Deviation. (Trunking) Reports Best Practice Deviation. (Not Trunking)
Reports Best Practice Deviation. (Trunking) None. (Trunking)
Reports Best Practice Deviation. (Not Trunking) Reports Best Practice Deviation. (Not Trunking)
None. (Not Trunking)
Desirable
Reports Best Practice Deviation. (Not Trunking)
Nonegotiate
None. (Trunking)
None. (Trunking)
Off
Reports Best None. Practice (Not Deviation. Trunking) (Not Trunking)
None. (Not Trunking)
1. Information in brackets indicate the trunking state of the interface.
14-24
OL-20721-01
Chapter 14
Trunk Ports in Auto Mode

LMS reports a Best Practice Deviation when trunk ports are set to Auto mode.
Impact
Cisco recommends an explicit trunk configuration of Desirable at both ends. Auto mode indicates a static property and the port will not initiate the trunking link, if the neighbor does not initiate it. See Table 14-1 for different trunk mode combinations.
Fix
To fix the Best Practice Deviation on switches using the Catalyst operating system:
set trunk mod/port desirable
Step 4

switchport mode dynamic desirable
Step 4
VLAN Related Best Practices Deviations

The VLAN related best practices deviations that LMS reports are as follows:

VLAN Index Conflict VLAN Name Conflict
14-25
VLAN Index Conflict

LMS reports a Best Practice Deviation when there is a conflict in the VLAN Index. A VLAN Index conflict occurs in case of a VTP domain which has Server mode and Transparent or Off mode devices, where a same VLAN index has different VLAN name in transparent and server mode devices in the domain.
Impact
There is no serious impact on the network connectivity. It is considered as a Best Practice Deviation because LMS cannot manage a VTP domain where the same VLAN index has different VLAN names in transparent and server mode devices.
Fix
Assign the same name for a VLAN Index in both the transparent and server modes of the VTP domain. You cannot fix this Best Practice Deviation through LMS.
VLAN Name Conflict

LMS reports a Best Practice Deviation when there is a conflict in the VLAN Name. A VLAN Name conflict occurs in case of a VTP domain which has Server mode and Transparent or Off mode devices, where a VLAN part of the transparent mode device in the domain has the same name as VLAN part of the server mode device in the domain.
Impact
There is no serious impact on the network connectivity. It is considered as a Best Practice Deviation because LMS cannot manage a VTP domain with devices where a VLAN part of the transparent mode device in the domain has the same name as VLAN part of the server mode device in the domain.
Fix
Resolve the conflict by assigning different names for the VLAN part of the transparent mode and the server mode devices. You cannot fix this Best Practice Deviation through LMS.
Link Ports Related Best Practice Deviation

The link port related Best Practice Deviation that LMS reports is UDLD Disabled on Link Ports. See UDLD Disabled on Link Ports
14-26
OL-20721-01
Chapter 14
UDLD Disabled on Link Ports

LMS reports a Best Practice Deviation if UniDirectional Link Detection (UDLD) is disabled on link ports.
Impact
If you disable UDLD, it could result in Spanning Tree loops. Unidirectional links are often caused by a failure not detected on a fiber link, or by a problem with a transceiver.
Figure 14-6 Unidirectional Links
B Blocking
In Figure 14-6, suppose the link between A and B is unidirectional and drops traffic from A to B while transmitting traffic from B to A. Suppose that B should be blocking. It has previously been stated that a port can only block if it receives BPDUs from a bridge that has a higher priority. In this case, all these BPDUs coming from A are lost and bridge B eventually forwards traffic, creating a loop. To detect the unidirectional links before the forwarding loop is created, Cisco designed and implemented the UniDirectional Link Detection (UDLD) protocol. This feature is able to detect improper cabling or unidirectional links on Layer 2 and automatically break resulting loops by disabling some ports. For maximum protection against symptoms resulting from uni-directional links, we recommend that you enable aggressive mode UDLD on point-to-point links between Cisco switches, where you have set the message interval to the default 15 seconds.
Fix
LMS provides commands to enable UDLD on link ports. To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1
set udld enable mod/port
where enable enables the UDLD information display.

Step 2
14-27
130877
BPDU lost this way
X
B unblocks its port and can forward traffic this way......

Select Reports > Fault and Event. Select Best Practices Deviation Report from the TOC. Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix displays the following command:
udld port end
This command enables UDLD in normal mode by default on all interfaces.

Step 4
Access Ports Related Best Practice Deviation

The access ports related Best Practice Deviation that LMS reports is CDP Enabled on Access Ports. See CDP Enabled on Access Ports
CDP Enabled on Access Ports

LMS reports a Best Practice Deviation when Cisco Discovery Protocol (CDP) is enabled on the access port of a switch. CDP is enabled by default and is essential to gain visibility of adjacent devices and for troubleshooting. It is also used by network management applications to build Layer 2 topology maps.
Impact
In parts of the network where a high level of security is required (such as Internet-facing de-militarized zones), you should turn off CDP.
14-28
OL-20721-01
Chapter 14
Fix
LMS provides commands to disable CDP on switches. To fix the Best Practice Deviation on switches running Catalyst operating system:
set cdp disable mod/port
Step 4
To fix the Best Practice Deviation on switches running Cisco IOS:

no cdp enable
Step 4
Cisco Catalyst 6000 Devices Related Best Practice Deviation

The Cisco Catalyst 6000 devices related Best Practice Deviation that LMS reports is High Availability not Operational. See High Availability not Operational
High Availability not Operational

Enabling High Availability on switches is applicable only for Cisco Catalyst 6000 devices. LMS reports a Best Practice Deviation when there are two supervisor engines in Cisco Catalyst 6000 devices and High Availability is not enabled.
Impact
High Availability:

Is a critical requirement for most networks. Switch downtime must be minimal to ensure maximum productivity in a network. Allows you to minimize the switch-over time from active supervisor engine to the standby supervisor engine, if the active supervisor engine fails.
14-29
Chapter 14 Customizing Discrepancies Reporting and Syslog Generation
Allows the active supervisor engine to communicate with the standby supervisor engine, keeping feature protocol states synchronized. Provides a versioning option that allows you to run different software images on the active and standby supervisor engines.
You can enable High Availability using Command Line Interface (CLI).
Fix
As a general practice with redundant supervisors, we recommend that you enable High Availability feature for normal operation. LMS provides commands for enabling High Availability. To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1
set system highavailability enable
Step 2
For more information on Supervisor engines and High Availability, see the document Configuring Redundancy at the following location: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/6.x/configuration/guide/redund.htm l
Customizing Discrepancies Reporting and Syslog Generation

You can customize the Discrepancies Report and Best Practices Deviations Report to display only those discrepancies and Best Practice Deviations about which you want to be notified. To customize the reports:
Step 1
Select Admin > Network > Best Practices Deviation Settings. The discrepancies page appears. You can view the list of Network discrepancies, and Discrepancies configured to send Syslog messages by clicking the corresponding View Details link.
Step 2
Click Configure. The Configuring Discrepancies dialog box appears.
To include a Discrepancy or Best Practice Deviation in the Reports, check the check box next to it. Checking all the check boxes results in a report displaying all discrepancies and Best Practice Deviations in the network.
To exclude a Discrepancy or Best Practice Deviation from the Reports, uncheck the corresponding check box.
14-30
OL-20721-01
Chapter 14
Discrepancies and Best Practices Deviations Customizing Discrepancies Reporting and Syslog Generation
Step 3
Generate Syslog messages for the selected Discrepancies and Best Practice Deviations. To do this, check Configure Syslog and click Next. A list of the selected Discrepancies and Best Practice Deviations appears. Check Send Syslogs and enter the name of the server in the Syslog Server field. Select the Discrepancies and Best Practice Deviations for which you want to generate Syslog messages and click Next. A summary of the selected Discrepancies and Best Practice Deviations appears. Click Finish.
Step 4 Step 5
Step 6
You can use the filters to display discrepancy reports for specific devices, link or network types. This makes it easy to find a particular discrepancy for a particular type. You can use more than one filter at the same time, but results will vary.
If you select more than one filter in the same top-level category, Boolean OR is used. For example, if you select Duplex, Speed under Link, any link or port that fulfils at least one filter criteria will be displayed in the report.
If you select more than one filter from different top-level categories, Boolean AND is used. For example, if you select both a Link type and a Port type filter from the discrepancy filter, any link that fulfils both filter criteria will appear in the report.
14-31
CH A P T E R
15
Report Setting
Describes how to configure some settings for generating reports and set a report publish location. This section contains the following sections:

Specifying User Tracking Report Purge Policy Specifying Domain Name Display Set Report Publish Location
Specifying User Tracking Report Purge Policy

You can specify the intervals at which old reports and jobs are to be purged, using the Purge Policy option. You can save the Purge Policy, so that the older jobs and archives are purged at the specified interval. To specify the Purge Policy:
Step 1
Select Admin > Network > Purge Settings > User Tracking Report Purge Policy. The Report Settings dialog box appears. Check the relevant check box:

Step 2
Purge Archives Older than Purge Jobs Older than
You must specify in days, or weeks, or months the period for which you want to retain the report archives or jobs.
Step 3
Click Save.
15-1
Chapter 15 Specifying Domain Name Display
Report Setting
Specifying Domain Name Display

You can specify the way in which domain names are to be displayed in User Tracking Reports, using the Domain Name Display option. To specify the Domain Name display:
Step 1
Select Admin > Network > Display Settings > Domain Name Display. The Domain Name Display window appears. Select the format for displaying the domain names in User Tracking Reports. You can:

Step 2
Show full domain name suffix Hide full domain name suffix Hide specified domain name suffix If you want to hide the specified domain name suffix, enter the domain name suffix in the field.
Step 3
Click Save.
Set Report Publish Location

Cisco Prime LMS allows you to publish the PDF, HTML and CSV format of all the reports to a directory location of your choice. This is done by setting a default directory path.
Note
Ensure that the casuser is assigned the required write permission to publish the PDF format of the report to the directory path. To set a report publish location:
Step 1 Step 2
Select Reports > Report Settings > Report Publish Path. Select Report Location. The Default Report Publish Location page appears, displaying Default Location Settings dialog box. Table 15-1 describes the field in the Default Location Settings dialog box.
Table 15-1 Default Location Settings Fields
Field/Button Report Location
Description Directory path where the PDF format of the reports are published. Use the Browse button to select a directory path. The Server Side File Browser dialog box is launched. You can select the directory path in this dialog box.
Step 3
Click Browse. The Server Side File Browser dialog box appears.
15-2
OL-20721-01
Chapter 15
Report Setting Set Report Publish Location
Step 4 Step 5
Select the directory path from the Server Side File Browser dialog box. Click OK. The directory path is displayed in the Report Location field. Click Apply to save the default directory path settings or Cancel to reset the directory path.
Step 6
15-3
CH A P T E R
16
Purge Settings
Describes how to configure the purge settings of all modules in LMS. This section contains the following sections:

Purging Reports Jobs and Archived Reports Purging VRF Management Reports Jobs and Archived Reports Purging Configurations from the Configuration Archive Syslog Administrative Tasks Setting the Syslog Purge Policy Purging Configuration Management Jobs Performance Purge Jobs Performance Purge Data View Performance Purge Details IPSLA Data Purging Settings Configuring the Daily Fault History Purging Schedule
Purging Reports Jobs and Archived Reports

You can purge Layer2 services jobs or report archives in LMS. By default, purging is disabled. To enable the purge option for Layer2 services report jobs and archives:
Step 1
Select Admin > Network > Purge Settings > Layer2 Services Purge Settings. The Network Reports Purge Settings dialog box appears. Under Report Settings, you can specify the Purge Policy for archives or jobs here.
Step 2
Check the Purge Archives Older Than check box to specify the periodicity at which to purge archives. For instance, if you select 44 days, LMS purges archives that are older than 44 days. Check the Purge Jobs Older Than check box to specify the periodicity at which to purge jobs. For instance, if you select 2 weeks, LMS purges jobs that are older than 2 weeks. Click Save.
Step 3
Step 4
16-1
Chapter 16 Purging VRF Management Reports Jobs and Archived Reports
Purge Settings
Purging VRF Management Reports Jobs and Archived Reports

You can purge VRF Management jobs or report archives in LMS. By default, purging is disabled. To enable the purge option for VRF Management report jobs and archives:
Step 1
Select Admin > Network > Purge Settings > VRF Management Purge Settings. The Purge Settings dialog box appears. Specify the Purge Policy for archives or jobs. Check the Purge Archives Older Than to specify the periodicity at which to purge archives. For instance, if you select 44 days, VRF Management purges archives that are older than 44 days. Check the Purge Jobs Older Than to specify the periodicity at which to purge jobs. For instance, if you select 2 weeks, VRF Management purges jobs that are older than two weeks. Click Save.
Step 2 Step 3
Step 4
Step 5
Purging Configurations from the Configuration Archive

You can specify when to purge archived configurations. Purging archives frees disk space and keeps your archive at a manageable size. By default, the purging jobs are disabled. You can purge configurations based on two criteria:
Number of versions to retain. Maximum number of versions of each configuration to be retained. The oldest configuration is purged when the maximum number is reached. For example, if you set the maximum versions to retain to 10, when the eleventh version of a configuration is archived, the earliest (first version) is purged to retain total number of latest archived versions at 10.
Age. Configurations older than the number of days that you specify are purged. The Labeled configuration files are not purged even if they satisfy either of the purge conditions (Maximum versions to retain and Purge versions older than options in the Archive Purge Settings window) unless you enable the Purge labeled files option in the Archive Purge Settings window. The labeled files are purged only if they satisfy the conditions given in the Maximum versions to retain and Purge versions older than options.
Archive Management will not purge the configuration files, if there are only two versions of these files in the archive. Archived configurations that match the purge criteria that you set are purged from the system. This purge policy applies to Running configuration only.
Caution
Ensure that the configuration change detection schedule does not conflict with purging, since both processes are database-intensive. Also backup your system frequently to prevent losing versions.
16-2
OL-20721-01
Chapter 16
Purge Settings Purging Configurations from the Configuration Archive
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task. The workflow to define the Configuration Archive purge policy is:
Step 1
Select Admin > Network > Purge Settings > Config Archive Purge Settings. The Archive Purge Setup dialog box appears. Select Enable. Click Change to schedule a Purge job. The Config Purge Job Schedule dialog box appears. Enter the following information: Description You can specify when you want to purge the configuration archive files. To do this, select one of these options from the drop-down menu:

Step 2 Step 3
Step 4
Field
Scheduling
Run Type
DailyRuns daily at the specified time. WeeklyRuns weekly on the specified day of the week and at the specified time. MonthlyRuns monthly on the specified day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3. Date
Job Information
You can select the date and time (hours and minutes) to schedule the job. The system default job description, Default archive purge job is displayed. You cannot change this description. Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences)). When the job starts or completes, an e-mail is sent from the E-mail ID.
16-3
Chapter 16 Syslog Administrative Tasks
Purge Settings
Step 5
Specify when to purge configuration files from the archive by selecting one or all of the following purge policies:

Click Maximum versions to retain and enter the number of configurations to be retained. Click Purge versions older than and enter the number of days, weeks, or months. Click Purge labeled files to delete the labeled configuration files. The Purge labeled files option must be used either with the Maximum versions to retain or Purge versions older than options. You cannot use this option without enabling either Maximum versions to retain or Purge versions older than options. The labeled files are purged only if they satisfy the conditions given in the Maximum versions to retain and Purge versions older than options. The Labeled configuration files are not deleted even if they satisfy either of the purge conditions (Maximum versions to retain and Purge versions older than) unless you enable the Purge labeled files option. These purge policies are applied sequentially. That is, if you have enabled all the three purge policies, LMS applies the Purge policies in this sequence:
a. b. c.
Maximum versions to retain Purge versions older than Purge labeled files
Archive Management does not purge the configuration files, if there are only two versions of these files in the archive.
Step 6
Click Apply. A message appears, New settings saved successfully. Click OK. You can check the status of your scheduled job by selecting Admin > Jobs > Browser.
Step 7
Syslog Administrative Tasks

You can perform the following Administrative tasks:

Back up Syslog messages (see Setting the Syslog Backup Policy). Purge Syslog messages (see Setting the Syslog Purge Policy). Perform a Forced Purge (see Performing a Syslog Forced Purge).
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform these tasks.
16-4
OL-20721-01
Chapter 16
Purge Settings Syslog Administrative Tasks
Setting the Syslog Backup Policy

The Backup Configuration feature allows you to save the Syslog messages to a flat file. The syslog data that is trimmed from the database will be moved to the flat file.

In Solaris/Soft Appliance, the backup file is created with -rw-r----- casuser casusers irrespective of the permissions given to the directory for backup on purge. In Windows, the backup file inherits the permission and ownership of the directory it is created in, which is the directory selected as the backup location (on purge).
View the Permission Report (Reports > System > Users > Permission) to check if you have the privileges required to perform this task. To set up the backup policy:
Step 1
Select Admin > Network > Purge Settings > Syslog Backup Settings. The Backup Policy dialog box appears. By default, the backup policy is set to disabled. Select Enable to enable the backup process for Syslog messages, after configuring backup. Click Browse to select the backup file location. The Server Side File Browser dialog box appears. In the Server Side File Browser dialog box:
a.
Step 2 Step 3
Specify the external directory. The external directory must be under the syslog directory, or a sub-directory within the syslog directory. For example, $NMSROOT/files/rme/syslog/sysbackup. The external directory cannot be outside the syslog directory. If you attempt to navigate outside the syslog directory, an error message appears.
b. c. Step 4 Step 5
Select Directory Content, Click OK.
Enter the maximum size that you want to set for the backup file. By default this is set to 100 MB. Enter the e-mail ID of the user who should receive a notification, if the backup fails. You can enter multiple e-mail addresses separated with commas. This is a mandatory field. Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent from the E-mail ID.) If you also want a notification to be sent when the backup is a success, select Also Notify on Success. Either click Save to save the backup configuration details that you have specified or click Reset to clear the values that you specified and reset to the previously saved values in the dialog box. If you have clicked Save, the backup will continue to save the data even after the data has exceeded the specified size of the backup file. However, the system will send an e-mail asking you to cleanup the backup file.
Step 6
16-5
Chapter 16 Setting the Syslog Purge Policy
Purge Settings
Setting the Syslog Purge Policy

You can specify a default policy for the periodic purging of Syslog messages. If you access a table either through immediate reports, report jobs or by any other means, the database locks the table and therefore the table will not be successfully purged. However, during the successive purge operations such a table will be purged. A purge job is enabled by default, and is scheduled to run at 1:00 AM daily. This section contains: Performing a Syslog Forced Purge To specify your default purge policy:
Step 1
Select Admin > Network > Purge Settings > Syslog Purge Settings. The Purge Policy dialog box appears. Specify the number of days in the Purge records older than field. Only the records older than the number of days that you specify here, will be purged. The default value is 7 days. This is a mandatory field.
Step 2
Caution
You might delete data by changing these values. If you change the number of days to values lower than the current values, messages over the new limits will be deleted. If the data of a particular day is being accessed either through Immediate reports, Report jobs, or by any other means, it will not be purged. However, during the successive purge operations this data will be purged.
Specify the periodicity of the purge in the Run Type field. This can be monthly, daily, or weekly. Select the start date using the calendar icon, to populate the date field in the dd-mmm-yyyy format (For example, 02-Dec-2004). This is a mandatory field. Enter the start time in the At field, in the hh:mm:ss format (23:00:00). This is a mandatory field. The Job Description field has a default descriptionSyslog Records - default purge job. Enter the e-mail ID of the user who should be notified when the scheduled purge is complete. You can enter more than one e-mail ID separated by commas. This is a mandatory field. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent from E-mail ID.
Step 6
Either click Save to save the purge policy that you have specified or click Reset. to clear the values that you specified and reset the defaults in the dialog box.
You can view the scheduled purge job in the Job Browser (Admin > Jobs > Browser).
16-6
OL-20721-01
Chapter 16
Purge Settings Setting the Syslog Purge Policy
Performing a Syslog Forced Purge

You can perform a forced purge of Syslog messages, as required. If you access a table through Immediate reports, Report jobs, or by any other means, the database locks the table and therefore the table will not be successfully purged. However, during successive purge operations the locked table will be purged. To perform a Forced Purge:
Step 1
Select Admin > Network > Purge Settings > Syslog Force Purge. The Force Purge dialog box appears. Enter the information required to perform a Forced Purge: Description Enter the number of days. Only the records older than the number of days that you specify here, will be purged. This is a mandatory field. If the data of a particular day is being accessed either through Immediate reports, Report jobs, or by any other means, it will not be purged. However, during the successive purge operations this data will be purged.
Step 2
Field Purge records older than
Scheduling
Run Type
Specify whether the purge is to be Immediate or Once.

If you select Immediate, all the other options will be disabled for you. If you select Once, you can specify the start date and time and also provide the job description (mandatory) and the e-mail ID for the notification after the scheduled purge is complete. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent from E-mail ID.
Date
Select the start date using the calendar icon, to populate the Date field in the dd-mmm-yyyy format, for example, 02-Dec-2004. This is a mandatory field. The Date field is enabled only if you have selected Once as the Run Type. Enter the start time, in the hh:mm:ss format (23:00:00). The at field is enabled only if you have selected Once as the Run Type.
at
16-7
Chapter 16 Purging Configuration Management Jobs
Purge Settings
Field
Job Info
Description Enter a description for the forced purge job. The Job Description field is enabled only if you have selected Once as the Run Type. This is a mandatory field.
Job Description
E-mail
Enter the e-mail ID of the user who should be notified when the Forced Purge is complete. You can enter more than one e-mail ID separated by commas. The e-mail field is enabled only if you have selected Once as the Run Type. Configure the SMTP server to send e-mails in the View/ Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent from E-mail ID.
Step 3
Click Submit for the Forced Purge to become effective. To clear the values that you specified and reset the defaults in the dialog box, click Reset.
You can view the scheduled Force Purge job in the Job Browser (Admin > Jobs > Browser).
Purging Configuration Management Jobs

You can periodically purge the Configuration Management jobs from Admin > Network > Purge Settings > Config Job Purge Settings. This section contains:

Scheduling a Configuration Management Purge Job Enabling a Configuration Management Purge Job Disabling a Configuration Management Purge Job Performing an Immediate Purge for Configuration Management Jobs
The Job Purge option provides a centralized location for you to schedule Purge operations for the following Configuration Management jobs:

Credential Verification JobsPurge all Credential Verification jobs. This also includes credential verification edit jobs. Software Management JobsPurge all Software Management jobs such as Image Import, Image Distribution, etc. Netconfig JobsPurge all NetConfig jobs. Archive Management JobsPurge Archive Management jobs such as Compliance Check, and Deploy Compliance Results. Archive Update JobsPurge Archive Management collection jobs, Default config collection job. Archive Poller JobsPurge Archive Management polling jobs, Default config polling job. Archive Purge Jobs--Purge Archive Management purge jobs, Default archive purge job.
16-8
OL-20721-01
Chapter 16
Purge Settings Purging Configuration Management Jobs
Config Editor JobsPurge all Config Editor jobs. CwConfig JobsPurge all cwcli config jobs such as Get Config, Put Config, etc. Inventory Collector JobsPurge Inventory collection jobs. Inventory Poller JobsPurge Inventory polling jobs. Reports JobsPurge all Reports jobs Reports Archive JobsAll reports that are archived are purged. You can view all reports that are archived in the Archives window (Reports > Report Archives > Inventory and Syslog). NetShow JobsPurge all NetShow jobs.
You cannot purge the jobs that are in the running state. The Job Purge contains the following information: Column Application Status Policy Job ID Description Lists the application for which the Purge is applicable. Whether a Purge job is enabled or disabled. This value is in days. Data older than the specified value, will be purged. You can change this value as required. This is a mandatory field. The default is 180 days. Unique ID assigned to the job by the system, when the Purge job was created. This job ID does not change even when you disable or enable or change the schedule of the Purge job. For Purge Now task, job ID is not assigned. Also, if a Job ID already exists for that application, the job ID is not updated for Purge Now tasks. That is, the scheduled Purge job is not affected by Purge Now task. Scheduled At Schedule Type Date and time for which the job is scheduled. For example: Nov 17 2004 13:25:00. Specifies the type of schedule for the Purge job:

DailyRuns daily at the specified time. WeeklyRuns weekly on the specified day of the week and at the specified time. MonthlyRuns monthly on the specified day of the month and at the specified time. (A month comprises 30 days).
You can select the applications by checking the check boxes next to the application to perform the following tasks using the Job Purge window: Button Schedule Enable Disable Purge Now Description Schedules a Purge job. After you schedule a job, you can enable Purge. After you schedule a job, if you have enabled the Purge job, you can choose to disable it. Perform Immediate Purge. You can select more than one application to purge in a single step. After selecting the applications, click on this button to purge jobs.
16-9
Chapter 16 Purging Configuration Management Jobs
Purge Settings
Scheduling a Configuration Management Purge Job

To schedule a Purge job:
Step 1
Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears. To create a Purge job, Select Schedule. The Purge Schedule dialog box appears for the selected application.
Step 2
Field
Scheduling
Description Select the frequency at which the job should be run:

Run Type
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. Date
1.
Click on the date picker icon and select the date, month and year. Your selection appears in the Date field in this format: dd Mmm yyyy (example: 14 Nov 2004).
2. Job Info
Select the time (hh and mm) from the drop-down lists in the at fields.
Days
The default setting for purging archived data is 180 days. That is, data older than 180 days will be purged. You can change this value as required. This is a mandatory field. You can enter only whole numbers for days. You cannot enter fractions of days. Based on the option that you selected, you see a default job description. For example, for Software Management Purge jobs the default description is:
Purge - Software Management Jobs.
Job Description
For Reports Archive Purge, the default description is: Purge - Reports Archive Purge.
Step 3
Click Done. The Purge job appears in the Job Purge dialog box.
Note
You cannot purge the jobs that are in the running state.
16-10
OL-20721-01
Chapter 16
Purge Settings Purging Configuration Management Jobs
Enabling a Configuration Management Purge Job

You can enable only a scheduled Purge job. To schedule a Purge job, see Scheduling a Configuration Management Purge Job. To enable a Purge job:
Step 1
Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears. Click Enable. A confirmation message appears:
There is a purge schedule and it is enabled.
Step 2
Step 3
Click OK. The Status column in the Job Purge window displays Enabled for the selected application Purge job.
Disabling a Configuration Management Purge Job

You can only disable a Purge job that is scheduled and enabled. To schedule a Purge job, see Scheduling a Configuration Management Purge Job and to enable a Purge job, see Enabling a Configuration Management Purge Job. To disable a Purge job:
Step 1
Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears. Click Disable. A confirmation message appears:
There is a purge schedule and it is disabled.
Step 2
Step 3
Click OK. The Status column in the Job Purge window displays Enabled for the selected application Purge job.
16-11
Chapter 16 Performance Purge Jobs
Purge Settings
Performing an Immediate Purge for Configuration Management Jobs

Using this option you can purge application jobs immediately. That is, you can purge Configuration Management jobs without scheduling and enabling the Purge job. For the Purge Now task, the Job ID is not assigned. Also, if a Job ID already exists for that application, the Job ID is not updated for Purge Now tasks. That is, the scheduled Purge job is not affected by Purge Now task. To perform an immediate purge:
Step 1
Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears. Click Purge Now. The Explorer User Prompt dialog box appears. Enter the number of days jobs that have to be purged. The default setting for purging archived data is 180 days. That is, data older than 180 days will be purged. You can change this value as required. You can enter only whole numbers for days. You cannot enter fractions of days. Click OK. The Purge Job Details window appears displaying the purged job details.
Step 2
Step 3
Step 4
Note
You cannot purge the jobs that are in the running state.
Performance Purge Jobs

You can configure LMS to periodically purge job data that you no longer need. This is done using Job Purge. Job Purge provides a centralized location for you to schedule purging for the following LMS jobs:

Quick Report JobsPurge all Quick Report jobs older than the specified number of days. Custom Report JobsPurge all Custom Report jobs older than the specified number of days. Threshold Report JobsPurge all Threshold Report jobs older than the specified number of days. Poller Report JobsPurge all Poller Report jobs older than the specified number of days. Failure Tracker JobsPurge all Failure Tracker jobs older than the specified number of days. TrendWatch jobsPurge all TrendWatch jobs older than the specified number of days. TrendWatch Summary jobsPurge all TrendWatch summary jobs older than the specified number of days. Summarizer JobsPurge all Summarizer jobs older than the specified number of days. Data Purge jobsPurge all Data Purge jobs older than the specified number of days.
16-12
OL-20721-01
Chapter 16
Purge Settings Performance Purge Jobs
Job Purge jobsPurge all Job Purge jobs older than the specified number of days. Maintenance jobsPurge all Maintenance jobs older than the specified number of days.
To schedule Job Purge:

Step 1 Step 2
Select Admin > Network > Purge Settings > Performance Job Purge Settings. Select Job Purge. The Job Purge Settings page appears, displaying Job Purge Schedule dialog box. Table 16-1 describes the fields in the Job Purge Schedule dialog box.
Table 16-1 Job Purge Schedule Fields
Field/Button
Scheduling
Description Specify the type of schedule for job purge:

Run Type
For Daily jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. Date Specify the date and time for which the purge is scheduled. Select the date by clicking the calendar icon and time from the drop-down list.
Purge Policy
Days
The default setting for purging archived job data is 30 days. That is, job data older than 30 days will be deleted. You can change this value as required. This is a mandatory field. You can enter only whole numbers for days. You cannot enter fractions of days.
Apply (button) Purge Now (button)
Job purge is scheduled at the specified Run Type and Date for the job data older than the days specified in the Days field. Job purge is done immediately for the job data older than the days specified in the Days field.
16-13
Chapter 16 Performance Purge Data
Purge Settings
Step 3

Scheduling Purge Policy
See Table 16-1 for the description of fields that appear in the Job Purge Schedule dialog box.
Step 4
Click Apply to schedule job purge or Purge Now to immediately perform job purge.

If you click Apply, a message appears confirming that the purge settings are applied successfully. If you click Purge Now, a message appears confirming that purge is done successfully and the Job ID appears.
You can see the job details in the Job Browser at Admin > Jobs > Browser.
Note
We recommend that you wait for any activity currently running in the system to stop before purging jobs. By default, all Job Purge jobs older than seven days are purged by Cisco Prime LMS.
Performance Purge Data

You can configure LMS to periodically purge polled data that you no longer need in the database. You can purge data records such as summarization records, Poller failure records, threshold violation records, audit trail records. Cisco Prime LMS polls the device and stores the polled data in the database. Over a period of time, the polled data occupies a large amount of space in the database. To prevent this, LMS stores only the last 24 hours data in the database. Background tasks in LMS summarizes this polled data and categorizes the data as 5-minute summarization record, 30-minute summarization record, 3-hour summarization record and 12-hour summarization record. The summarization of polled data happens every one hour. The summarized data can be purged at regular intervals using the Data Purge option. Data Purge allows you to schedule purging for the following LMS data records:

30 Minute Summarization recordsPurge all 30-minute summarization data records older than the specified number of days. 3 Hour Summarization recordsPurge all 3-hour summarization data records older than the specified number of days. 12 Hour Summarization recordsPurge all 12-hour summarization data records older than the specified number of days. Poller failure recordsPurge all failure data records older than the specified number of days. Threshold violation recordsPurge all threshold violation data records older than the specified number of days. Audit trail recordsPurge all audit trail data records older than the specified number of days. TrendWatch violation recordsPurge all TrendWatch violation data records older than the specified number of days. Status change details recordsPurge all status change details data records older than the specified number of days.
16-14
OL-20721-01
Chapter 16
Purge Settings Performance Purge Data
Note
It is recommended to keep the LMS view in LMS Portal closed, when the data purge job is running. To schedule Data Purge:
Step 1 Step 2
Select Admin > Network > Purge Settings > Performance data purge settings. Select Data Purge. The Data Purge Settings page appears, displaying the Data Purge Schedule dialog box. Table 16-2 describes the fields in the Data Purge Schedule dialog box.
Table 16-2 Data Purge Schedule Fields
Field/Button
Purge Schedule
Description Specify the type of schedule to perform Data Purge:

Run Type
HourlyRuns hourly. DailyRuns daily at the specified time. WeeklyRuns weekly on the specified day of the week and at the specified time. MonthlyRuns monthly on the specified day of the month and at the specified time. (A month comprises 30 days).
By default, Daily is set as the default Run Type schedule for Data Purge. For example, if you have scheduled Run Type as Daily for Data Purge job at 10:00 a.m. on November 1, the next instance of this Data Purge job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 Data Purge job has not been completed before 10:00 a.m. November 2, then the next Data Purge job will start only at 10:00 a.m. on November 3. Date Specify the date and time for which the Data Purge job is scheduled. Select the date by clicking the calendar icon and time from the drop-down list.
16-15
Chapter 16 Performance Purge Data
Purge Settings
Table 16-2
Data Purge Schedule Fields (continued)
Field/Button
Purge Policy
Description The following are the default settings for purging the following data:

Days
5 Minute's Summarization records3 days 30 Minute's Summarization records15 days 3 Hour Summarization records90 days 12 Hour Summarization records365 days Poller failure records1 day Threshold violation records180 days Audit trail records90 days TrendWatch violation records180 days Status change details records15 days
The default data purge settings provides optimal performance of Cisco Prime LMS. You can also change the default purge settings as required. However, the performance of Cisco Prime LMS may not be as expected. You can enter only whole numbers for days. You cannot enter fractions of days. This is a mandatory field. Apply (button) Purge Now (button)
Step 3
Data purge is scheduled at the specified Run Type and Date for the data older than the days specified in the Days field. Data purge is done immediately for the data older than the days specified in the Days field.

Purge Schedule Purge Policy
See Table 16-2 for the description of fields that appear in the Data Purge Schedule dialog box.
Step 4
Click Apply to schedule the data purge or Purge Now to immediately perform the data purge.

If you click Apply, a message appears confirming that data purge settings are applied successfully. If you click Purge Now, a message appears confirming that purge is done successfully and the Job ID appears.
You can see the job details in the Job Browser at Admin > Jobs > Browser.
Note
By default, all Summarization jobs older than seven days are purged by Cisco Prime LMS.
16-16
OL-20721-01
Chapter 16
Purge Settings View Performance Purge Details
View Performance Purge Details

Cisco Prime LMS allows you to view the details of the data purged using the option Purge Details. To view Data Purge details:
Step 1 Step 2
Select Admin > Network > Purge Settings > Performance Data Purge Summary. Select Purge Details. The Purge Details page appears, displaying Show Purge Details dialog box. Table 16-3 describes the fields in the Show Purge Details dialog box.
Table 16-3 Show Purge Details Fields
Field Details
Description Displays the purge details of the Data Purge job. The following purge information is displayed:

Next Data Purge Job scheduled at No. of Poll Failure records purged No. of Audit Trail records purged No. of Threshold Violation records purged No. of Polled records purged Last Job Purge completed at No. of TrendWatch violation records purged
Value
Details the number of records purged and purge schedule.
16-17
Chapter 16 IPSLA Data Purging Settings
Purge Settings
IPSLA Data Purging Settings

The Purge Settings page allows you to set the Purge period for Historical and Audit reports. You can also set the Purge period from the Setup Center. To access Purge Settings page: Select Admin > Network > Purge Settings > IPSLA data Purge Settings. You can use the Purge Settings option to purge Historical data as well as Audit reports.
Purging Historical Data
LMS purges IPSLA-related historical data automatically everyday, based on the Purge period specified on the Purge Settings page. It purges historical data that is older than the specified Purge period. If the Purge period is not specified, it purges the historical data based on the default values. The minute-based reports are purged daily by default. To purge Historical reports:
Step 1
Select Admin > Network > Purge Settings > IPSLA data Purge Settings. The Purge Settings page appears. Specify the Purge period. For more information, see Table 16-4. Click Apply. A message appears that the Purge settings are updated successfully. Click OK.
Step 2 Step 3
Step 4
16-18
OL-20721-01
Chapter 16
Purge Settings IPSLA Data Purging Settings
Table 16-4
Purging Reports
Granularity Minute
Purge Period Specify the number of days for which you want to keep the minute historical data in the database. The default value is 1 day. Specify the number of days for which you want to keep the hourly historical data in the database. The default value is 32 days. Specify the number of days for which you want to keep the daily historical data in the database. The default value is 180 days. Specify the number of weeks for which you want to keep the weekly historical data in the database. The default value is 12 weeks. Specify the number of months for which you want to keep the monthly historical data in the database. The default value is 12 months. Allows you to purge the Audit reports.The audit reports older than the number of days you specify will be purged. The default purge period for Audit reports is 180 days. This frees disk space and maintains your audit reports at a manageable size.
Hourly
Daily
Weekly
Monthly
Audit Reports Purge Period
16-19
Chapter 16 Configuring the Daily Fault History Purging Schedule
Purge Settings
Configuring the Daily Fault History Purging Schedule

Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform these tasks. Data for Fault History remains in the LMS database for 31 days. Purging occurs every day to maintain only 31 days of data. You can select the time of day that purging begins. By default, purging begins at 00:00.
Before You Begin
Review the information in Performing Scheduling Tasks to ensure that daily purging does not conflict with the other scheduled jobs listed there. Do not use the LMS Job Browser to manage Rediscovery Schedules; use the LMS Daily Purging Schedule interface. If you suspend the Fault History:DataPurge job using the Job Manager, the job is deleted from the LMS Daily Purging Schedule interface, which can be confusing to users.
Step 1 Step 2
Select Admin > Network > Purge Settings > Fault History Purging Schedule. Select the Purge Time:

HourFrom 0 to 23 MinuteFrom 0 to 50 in ten-minute intervals
The default purge time is 00:00.

Step 3
Click Apply.
You can check the status of the Fault History data purge job from the Job Manager page each day after the job runs. To do so select Admin > Jobs > Browser and find DFM:DataPurge under Job Type. For more information, see Configuring Fault Management Rediscovery Schedules.
16-20
OL-20721-01
CH A P T E R
17
Debugging Options
Debugging Settings menu allows the administrator to set the debugging settings of various modules in LMS. This section contains:

Configuring Discovery Logging Maintaining Log Files Performance Debugging Settings Config and Image Management Debugging Settings Configuring Logging Fault Debugging Settings Setting Debugging Options for Topology and User Tracking Setting VRF Lite Debugging Options
Configuring Discovery Logging

You can enable the debugging option for components or modules of LMS Device Discovery without restarting the services. When you enable the debugging option for a selected component, the log levels in the csdiscovery.properties file is changed to DEBUG and the debug messages are recorded into the CSDiscovery.log file and ngdiscovery.log. You can only enable or disable the debugging option. You cannot choose to set different log levels such as INFO,WARNING, FATAL and ERROR. The following Device Discovery components can be enabled or disabled for debugging:

Discovery Framework Data Collector Discovery Util System Module Cluster Module ARP Module AUS Module Credential Module
17-1
Chapter 17 Maintaining Log Files
Debugging Options
Neighbor Module Pingsweep Module RouterPeer Module RT Module CSDiscoveryAdaptor Discovery DeviceInfo
The debugging option for all the Device Discovery components is disabled by default. To enable the debugging option for the LMS Device Discovery components:
Select Admin > System > Debug Settings > Discovery Logging Configuration. The Discovery Logging Configuration page appears. Select one or more Discovery modules or components from the Disabled Modules list box. Click Add to add the components to the Enabled Modules list box. Click Apply. Debugging is enabled for all the components listed in the Enabled Modules list box. The changes will come into effect after 60 seconds.
To disable the debugging option, move the selected component from the Enabled Modules list box to Disabled Modules list box using the Remove button.
Maintaining Log Files

Log files can expand and fill up disk space. You must maintain the log files disk space usage by:

Deleting the unwanted log files from the Cisco Prime installation directory Using the logrot functionality. See Configuring Log Files Rotation for more information. On Solaris/Soft Appliancevar/adm/CSCOpx/log On WindowsNMSROOT\log
Most log files are located in directories in the following locations:

Caution
As part of the file back-up procedure, Cisco Prime Daemon Manager is shut down and restarted. To prevent loss of data, make sure you are not running any critical tasks. This section explains the following:

Maintaining Log Files on Solaris/Soft Appliance Maintaining Log Files on Windows About Cisco Prime Common Services Log Files Viewing and Maintaining LMS Log File Details Fault Management Log Files
17-2
OL-20721-01
Chapter 17
Debugging Options Maintaining Log Files
Maintaining Log Files on Solaris/Soft Appliance

To maintain log files on Solaris/Soft Appliance:
Make sure the new location has sufficient disk space. Log in as the superuser, and enter the root password. Stop all processes, and enter /etc/init.d/dmgtd stop. Perform log maintenance by running logrot. See Configuring Logrot Utility and Running Logrot Script for more information. Verify the procedure was successful by examining the contents of the log files in this location:
/var/adm/CSCOpx/log/*.log
Step 5
Only log files that reach 90% of their size limits are backed up, and the original log file is emptied.
Step 6 Step 7
Restart the system, and enter /etc/init.d/dmgtd start Select Reports > System > Status > Log File to view your log changes.
Maintaining Log Files on Windows

To maintain log files on Windows:
Make sure the new location has sufficient disk space. Go to the command line and make sure you have the correct permissions. Stop all processes by entering:
net stop crmdmgtd
Step 4
Perform log maintenance by running logrot. See Configuring Logrot Utility and Running Logrot Script for more information. Verify the procedure was successful by examining the contents of the log files in the following location: NMSROOT\log\ Only log files that reach 90% of their size limits are backed up, and the original log file is emptied.
Step 5
Step 6
Restart the system by entering:

net start crmdmgtd
Step 7
Select Reports > System > Status > Log File to view your log changes.
17-3
Debugging Options
About Cisco Prime Common Services Log Files

The table below lists the filenames and locations of all logs produced by components of Common Services. The normal top-level log file directories refer to /var/adm/CSCOpx/log on Solaris/Soft Appliance and NMSROOT\log on Windows. For example, the path to license.log is C:\Program Files\CSCOpx\log on Windows, /var/adm/CSCOpx/log on Solaris/Soft Appliance. Paths to log files other than those in the normal log directories are listed relative to NMSROOT on each platform. For example, the path to stdout.log is mentioned as /MDC/tomcat/logs/ in the table. Component /Module AAA Serivces
Directory Path /MDC/log/
File core*
Description Logs for Authentication, Authorization and Accounting process Backup and restore logs
Backup and Restore CicoWorks LMS General Log Files
Normal top-level log directories
dbbackup.log, restorebackup.log, restorebackup.log.old error.log perlerr.log Proxy.log event.log
/MDC/Apache/logs/ Normal top-level log directories Normal top-level log directories Normal top-level log directories
Log for General Cisco Prime LMS errors Log for Perl interpreter errors Log for Proxy activity Log for Cisco Prime LMS events Log for all Daemon Manager-controlled processes (On Solaris/Soft Appliance only). Syslogs received from device/machine (On Windows only). CRMLogger debugging information and messages from device/machine (On Windows only). Log for Sybase database operations Log for Database password changes Log to restore the database to factory settings Log for Daemon Manager interactions with Sybase database Database condition log
Normal top-level Solaris/Soft Appliance log daemons.log directory only
Cisco Prime Syslog Service
Normal top-level Windows log directory only Normal top-level Windows log directory only
syslog.log
syslog_debug.log
Database Services
Normal top-level log directories Normal top-level log directories Normal top-level log directories Normal top-level log directories
CmfDbMonitor.log dbpwdChange.log dbrestoreorig.log dmgtDbg.log
/objects/db/win32/
dbcond8.log
17-4
OL-20721-01
Chapter 17
Component /Module Device and Credentials Administration
Directory Path Normal top-level log directories
File dcr.log
Description Logs for Device and Credentials Administration activities Logs to detect and delete Unreachable devices Logs to import and export Device and Credentials Administration
Normal top-level log directories Device and Credentials Administration Import and Export Module Device Center Device Discovery Role Management Disk Space Monitoring Services Event Distribution Services Event Services Grouping Service Normal top-level log directories
DCRDevPoll.log dcrimpexp.log, DCRServer.log (Windows Only), daemons.log (Solaris/Soft Appliance Only) SnmpWalk* SnmpSet* CSDiscovery.log, ngdiscovery.log CSDeviceSelector.log cam.log diskWatcher.log
Normal top-level log directories Normal top-level log directories Normal top-level log directories
Log for SNMP Walk Log for SNMP Set Device discovery logs Device Selector log file Role Management log file Logs storing the disk space information Logs for Event Distribution Services activities Logs for Event Services Log for Grouping Service client Log for Grouping Service server Logs for NameServiceMonitor from JacORB package (On Windows only) Logs for various Jobs
Device Selector Normal top-level log directories /MDC/log/ Normal top-level log directories
Normal top-level log directories
EDS-GCF.log, EDS.log
Normal top-level log directories Normal top-level log directories Normal top-level log directories
ESS.log, JavaDebug.log CMFOGSClient.log CMFOGSServer.log NameServiceMonitor.log, NameServer.log
JacORB
Normal top-level Windows log directory only
Job Services
Normal top-level Windows log directory only Normal top-level log directories Normal top-level log directories Normal top-level log directories
daemons.log (Solaris/Soft Appliance Only), jrm.log (Windows Only) LicenseServer.log license.log lwms.log psu.log
Licensing Messaging Service
License Server activity Product license changes Lightweight Messaging Service activity Log for Software Center related activities
Software Center Normal top-level log directories
17-5
Debugging Options
Component /Module Web Services
Directory Path /MDC/Apache/logs/ Normal top-level log directories /MDC/tomcat/logs/
File access.log, error.log, mod_jk.log ssl.log jasper-YYYYMMDD.log, servlet-YYYYMMDD.log, stderr.log, stdout.log, changeport.log CSRegistryServer.log TomcatMonitor.log
Description Logs for Apache activity Log for Apache activity Logs for all Tomcat activities
Normal top-level log directories Logs for Common Services backend processes Normal top-level log directories Normal top-level log directories
Port change information Log for CSRegistryServer process Log for TomcatMonitor process
Viewing and Maintaining LMS Log File Details

Each LMS module writes log files within the NMSROOT/log folder. Table 17-1 lists the name of the log file, LMS module for which log file is written, the location in Windows where log files is stored, the location in Solaris/Soft Appliance where log files is stored and the purpose of the log file.
Table 17-1 List of Topology and Identity Services Log File Details
Log File ani.log
Module Data Collection
Location in Windows
Location in Solaris/Soft Appliance
Purpose
NMSROOT/log/ani. /var/adm/CSCOpx/l Debugs Data log og/ani.log Collection process. NMSROOT/log/AN IServer.log NMSROOT/log/Ca mpus.log /var/adm/CSCOpx/l Debugs og/dmgtd.log ANIServer process /var/adm/CSCOpx/l Debugs og/Campus.log Topology and Layer 2 Services module of LMS
AniServer.log
ANIServer
Campus.log
LMS Configuration and reports
CampusOGSSer Topology and NMSROOT/log/Ca /var/adm/CSCOpx/l Debugs ver.log Layer 2 Services mpusOGSServer.log og/CampusOGSSer Topology and OGSServer ver.log Layer 2 Services OGSServer process CampusOGSCli OGS client ent.log NMSROOT/log/Ca /var/adm/CSCOpx/l Debugs mpusOGSClient.log og/CampusOGSClie Topology and nt.log Layer 2 Services OGSClient
17-6
OL-20721-01
Chapter 17
Table 17-1
List of Topology and Identity Services Log File Details (continued)
Log File
Module
Location in Windows
Location in Solaris/Soft Appliance
Purpose
campusportal.lo Portal g
NMSROOT/log/cam /var/adm/CSCOpx/l Debugs the pusportla.log og/campusportal.lo Topology and g Layer 2 Services portlets. NMSROOT/log/Cm apps.log /var/adm/CSCOpx/l Debugs all the og/Cmpapps.log UI pages for User Tracking
Cmapps.log
User Tracking UI MACUHIC
macuhic.log
NMSROOT/log/mac /var/adm/CSCOpx/l Debugs uhic.log og/macuhic.log MACUHIC process for Dynamic UT NMSROOT/log/ut.l og /var/adm/CSCOpx/l Debugs the User og/ut.log Tracking module
ut.log utlite.log
User Tracking UTLITE
NMSROOT/log/utlit /var/adm/CSCOpx/l Debugs UTLite e.log og/utlite.log.log Server. NMSROOT/log/ UTMajorAcquisitio n.log NMSROOT/log/ Utm.log /var/adm/CSCOpx/l Debugs og/dmgtd.log UTMajorAcquisi tion process. /var/adm/CSCOpx/l Debugs og/utm.log UTManager process of Dynamic UT /var/adm/CSCOpx/l Debugs VRF og/Vnmclient.log Lite UI /var/adm/CSCOpx/l Debugs VRF og/Vnmcollector.lo Lite Collector process. g /var/adm/CSCOpx/l Debugs the og/VNMDeviceSele device selector ctor.log provided by VRF Lite. /var/adm/CSCOpx/l Debugs VRF og/Vnmserver.log Lite Server process /var/adm/CSCOpx/ Vnmutils.log Debugs utility classes used by VRF Lite client and server.
UTMajorAcquis User Tracking ition.log utm.log UTManager
Vnmclient.log
VRF Lite UI
NMSROOT/log/ Vnmclient.log NMSROOT/log/Vn mCollector.log NMSROOT/log/Vn mDeviceSelector.lo g
Vnmcollector.lo VRF Lite g Collector VNMDeviceSel VRF Lite ector.log Device selector
Vnmserver.log
VRF Lite Server NMSROOT/log/Vn merver.log VRF Lite UI and NMSROOT/log/Vn Server mutils.log
Vnmutils.log
17-7
Debugging Options
Fault Management Log Files

Each Fault Management module writes log files to its own folder within the NMSROOT/log/dfmLogs folder. Table 17-2 lists each Fault Management module, the name of the folder where the log files are stored, the related log files, the maximum log size, and the number of backup logs that are saved.
Note
NMSROOT is the folder where LMS is installed on the server. If you selected the default directory during installation, it is C:\Program Files\CSCOpx. On Solaris/Soft Appliance it is /opt/CSCOpx. When a log file reaches its maximum size, the module backs up the file and starts writing to a new log file. The module appends a number to the backup file, until it reaches the maximum allowed backups. In the following example, the oldest file is TISServer.log.2, and TISServer.log is the current log file.
02:42 PM 10:22 AM 03:17 AM 4,481,607 5,120,447 5,120,105 TISServer.log TISServer.log.1 TISServer.log.2
By default, Fault Management writes error messages only to log files. You can change the logging level and thereby affect the amount of information stored in log files. To do so, see Fault Debugging Settings. If there are two instances of the DfmServer running, each will have a log file, DFM.log and DFM1.log.
Table 17-2 Fault Management Log Files by Module
Function/Module Alerts and Activities Display Inventory Interactor Inventory Collector Polling and Threshold Adapter Detailed Device View Daily Purging Schedule Event Processing Adapters
Folder in NMSROOT\log\dfmLogs Log Files AAD cfi cfi cfi DDV DPS epa AAD.log Interactor.log/Interactor1.log InventoryCollector.log/Inventory Collector1.log
Maximum Size (KB) 1000 1000 35000
No. of Backup Files 3 5 5 5 2 2 5
PollingThresholdAdapter.log/Poll 10000 ingThresholdAdapter1.log DDV.log DPS.log 1000 100
adapterServer.log/adapterServer1. 1000 log dfmEvents.log/dfmEvents1.log EPM.log FHCollector.log FHUI.log DfmLogService.log MultiProcLogger.log licenseCheck.log nos.log DFMOGSServer.log 15000 1000 500 10000 100 5000 30000
2
Event Promulgation Module Fault History Logging Services Processes with multiple threads License (device limit) Notification Services Fault Management Object Grouping Service Server
EPM FH LogService LogService license NOS N/A

1
5 2 2 5 2 2 152
17-8
OL-20721-01
Chapter 17
Debugging Options Performance Debugging Settings
Table 17-2
Fault Management Log Files by Module (continued)
Function/Module Polling and Threshold Manager Polling and Threshold Manager (database) Polling and Threshold Manager (grouping services)
Folder in NMSROOT\log\dfmLogs Log Files PTM PTM PTM PTMClient.log PTMServer.log PTMDB.log PTMOGS.log PTMPTA.log Rediscovery.log DCRAdapter.log DeviceManagement.log TISServer.log vgm.log
Maximum Size (KB) 1000 1000 1000 1000 100 1000 1000 1000 1000
No. of Backup Files 5 5 5 5 2 2 2 2 3
Polling and Threshold Manager (Polling PTM and Threshold Adapter) Rediscovery Schedule Device and Credentials Repository Adapter Device Management Inventory Service View Group Management Rediscovery TIS TIS TIS VGM
1. The DFMOGSServer.log file is not stored in NMSROOT/log/dfmLogs with the other Fault Management log files. It is stored in NMSROOT/log on Windows, and /var/adm/CSCOpx/log on Solaris/Soft Appliance. 2. On Windows, there is no limit setting for the log size or number of backup log files for DFMOGSServer.log.
Table 17-3
Incharge Log Files
Function/Module Inventory
Folder in NMSROOT\obj\smarts\local\logs Incharge engine
Log Files DFM.log/DFM1.log
Performance Debugging Settings

You can use this option to configure and manage log level settings in Device Performance Management function of LMS. You can set log level modes (such as Fatal, Error, Warn, Info, Debug) either for all Device Performance Management modules or at a module level. Device Performance Management module log files are stored at these locations:

On Windows: $NMSROOT\log\, where $NMSROOT is the Cisco Prime LMS installation directory. On Solaris/Soft Appliance: /var/adm/CSCOpx/log/
When a log file reaches its maximum file size of 10000 KB, the module backs up the file and starts writing to a new log file. The maximum number of backup log files stored for each application is two.
17-9
Chapter 17 Performance Debugging Settings
Debugging Options
This section contains IPSLA Debugging Settings To set log levels:

Step 1 Step 2
Select Admin > System > Debug Settings > Performance Debugging Settings. Select Log Level Settings. The Set Application Logging Levels dialog box appears. Select the application module from the drop-down list. The sub-module for the selected application module appear in the Module field. Select an appropriate log level from the Logging Level drop-down list. Changes to Device Performance Management modules are logged with appropriate log level message. The logging levels are:

Step 3
Step 4
Fatal Error Warn Info Debug
The logging level is set as Info, by default. Table 17-4 describes the fields in the Set Application Logging Levels dialog box and also provides information on the files to which these logs are stored.
Table 17-4 Set Application Logging Levels Fields
Application Module All UI
Sub-module Poller Management Template Management Threshold Setup TrendWatch Setup Report Management Report Job Browser Admin Pages Trap Group Management Syslog Group Management Live Graph LMS Portlets Device Center
Log File upm_ui.log
Description Set logging level for the entire system Set logging level for Device Performance Management User Interface modules
LMSLiveGraph.log LMSPortal.log upm_ui.log
17-10
OL-20721-01
Chapter 17
Debugging Options Performance Debugging Settings
Table 17-4
Set Application Logging Levels Fields
Application Module UPMProcess
Sub-module Polling Engine Instance Querying Threshold Monitor Device Access Layer Device Management UPMProcess PollerUPMProcess TemplateUPMProcess ThresholdUPMProcess IfAdmin Status
Log File upm_process.log
Description Set logging level for Device Performance Management (UPMProcess) modules
UPMProcess.log upm_process.log
IfAdminStatus.log Set logging level for Device Performance Management For example, HumReportJob_1003_479.log Job modules upm_summarizer.log upm_purge.log HumReportJob_<JobId>_<InstanceId>.log For example, HumReportJob_1003_479.log upm_ctm.log Set logging level for UPMCTMOperations modules HumReportJob_<JobId>_<InstanceId>.log
JOBS
Report Jobs Summarization Job Purge Job Failure Tracker Job
UPMCTMOperations
UPM CTM Operations
Step 5
Click Apply to set the logging level or Reset to apply the default logging level. A message appears confirming that the logging levels are successfully updated.
IPSLA Debugging Settings

You can use the Log Level Settings option to set the log levels for IPSLA Performance Management. You can either set the log levels for all the modules at a time or individual modules in IPSLA Performance Management. By default, the log level is INFO for all the modules after installation. The log files are stored at the following location:

Windows: NMSROOT\log, where NMSROOT is the Cisco Prime installation directory. Solaris/Soft Appliance: /var/adm/CSCOpx/log.
To set the log level:

Step 1
Select Admin > System > Debug Settings > IPSLA Debugging Settings. The Log Level Settings page appears. Select either All or Module Level from the Application drop-down list.
Step 2
17-11
Chapter 17 Performance Debugging Settings
Debugging Options
Step 3
Select the appropriate log level from the Logging Level drop-down list. For more information, see Table 17-5. Click Apply to set the log levels. A message appears that the log levels have been successfully updated. To clear the settings, click Cancel. Click OK.
Table 17-5 IPSLA Log Level Settings
Step 4
Step 5
Field Module
Description Select one of the following from the drop-down list.

Set Application Logging Levels All Module Level FATAL ERROR WARN INFO DEBUG
Logging Level
Select one of the following logging levels from the drop-down list.

Table 17-6 lists the IPSLA Performance Management modules and the corresponding log file details.
Table 17-6 Modules and Log File Names
Modules in IPSLA Performance Management IPMCLI IPMServer IPMClient IPMJob IPM OGS IPM CTM Operations IPMPortal IPMPoller IPMBase IPM TS
Log File Names ipmcli.log ipmserver.log ipmclient.log jobid.log, jobid.subjobid.log collectorGroup.log, IPMOGSClient.log, IPMOGSServer.log ipm_ctm.log ipmportal.log ipmpoller.log ipm_base.log TS_IPSLA.log
17-12
OL-20721-01
Chapter 17
Debugging Options Config and Image Management Debugging Settings
Config and Image Management Debugging Settings

You can use this option to set the logging levels for LMS packages. You can set the log levels for all LMS packages, or at a package (application) level. Log files are stored at these locations:

On Windows: NMSROOT/log, where NMSROOT is the Cisco Prime installation directory. On Solaris/Soft Appliance: /var/adm/CSCOpx/log
To set the log levels:

Step 1
Select Admin > System > Debug Settings > Config and Image Management Debugging settings. The Set Application Logging Levels dialog box appears. Select the Application from the drop-down list. Select the appropriate log level from the Logging Level drop-down list. The fields in the Set Application Logging Levels dialog box are:
Step 2 Step 3
Application All ArchiveMgmt BugToolkit
Module
Log File Names -
Description Changes the logging level for the entire system. Changes the logging level for Archive Management. Changes the logging level for Bug Toolkit. Changes the logging level for Change Audit. Changes the logging level for Change Audit UI. Changes the logging level for CLI Framework. Changes the logging level for Config CLI. Changes the logging level for NetConfig CLI. Changes the logging level for Config Editor. Changes the logging level for Configuration Jobs. Changes the logging level for Configuration Job Browser. This log file is used for config purge jobs
Archive Service Archive Client
dcmaservice.log dcmaclient.log bugtoolkit.log
Bug Toolkit
ChangeAudit
Change Audit
ChangeAudit.log
Change Audit User ChangeAuditUI.log Interface cli.log ConfigCLI.log netcfgcli.log CfgEdit.log logs under %NMSROOT%\files\rme\jobs\Net ConfigJob cjp.log
CLIFramework ConfigCLI
CLI Framework

Config CLI Netconfig CLI
ConfigEditor ConfigJob
Config Editor Config Jobs
ConfigJobManager
Config Job Manager
17-13
Chapter 17 Config and Image Management Debugging Settings
Debugging Options
Application ContractConnection CTMJRrmServer CRI
Module Contract Connection CTM Jrm Server CRI
Log File Names contractcon.log CTMJrmServer.log

Description Changes the logging level for Contract Connections Changes the logging level for CTM JRM Server. Changes the logging level for Common reporting Infrastructure.
cri.log criarvpurge.log crijobpurge.log EssentialsDM.log
DeviceManagement
Device Management User Interface Check Device Attributes User Interface Device Credential Verification Jobs Device Management Operations
Changes the logging level for Device Management. Changes the logging level for Check Device Attributes User Interface Changes the logging level for Device Credential Verification jobs. Changes the logging level for Device Management Operations. Changes the logging level for Device Selector. Changes the logging level for the IC Server. Changes the logging level for Inventory Collection User Interface.
cda.log
log files under %NMSROOT%\files\rme\jobs\ cda\ EssentialsDM_Server.log
DeviceSelector ICServer
Device Selector

RMEDeviceSelector.log IC_Server.log ICServerUI.log
Inventory Collection Service Inventory Collection User Interface Inventory Collection Jobs
Changes the logging level for Creates job logs under %NMSROOT%\files\rme\jobs\ICSe Inventory Collection jobs. rver Changes the logging level for the Installation modules.
Install
Restore Config and CCRImport.log Image Management CCR Config and Image Management PSU Adapter Migration
InventoryPoller
Inventory Poller
Creates job logs under Changes the logging level for %NMSROOT%\files\rme\jobs\InvP Inventory Poller. oller invreports.log MakerChecker.log Changes the logging level for Inventory Reports. Changes the logging level for the Job Approval module.
InvReports MakerChecker
Inventory Reports Maker Checker
17-14
OL-20721-01
Chapter 17
Debugging Options Config and Image Management Debugging Settings
Application NetConfig
Module Netconfig Client
Log File Names netconfigclient.log rmeextnserver.log Tracks the backend functionalities when VRF Lite or IPSLA Performance Management invokes the extension API.
Description Changes the logging level for Netconfig client.
NetShow Portlets
NetShow Client Config and Image Management Portlets Common Config and Image Management Functions Config and Image Management CSTM Server
NetShowClient.log RMEPortlets.log
Changes the logging level for NetShow client. Changes the logging level for Inventory, Config & Image Management Portlets. Changes the logging level for the common Inventory, Config & Image Management functions such as, Job Management tasks, purge tasks, etc. Changes the logging level for CSTM Server. Changes the logging level for the user interface of Software Management and the Software Management job creation workflows. Changes the logging level for Software Management jobs. Changes the logging level for Syslog Analyzer.

RMECommon
rme.log
RMECSTMServer
rme_ctm.log
SoftwareMgmt
Software Management User Interface Software Management Jobs Syslog Analyzer
swim_debug.log
swim_debug.log files under %NMSROOT%\files\rme\jobs\swi m folder SyslogAnalyzer.log AnalyzerDebug.log
SyslogAnalyzer
SyslogAnalyzer.logfor Windows AnalyzerDebug.logfor Solaris/Soft Appliance
Syslog Analyzer User Interface Virtual Switch Client
SyslogAnalyzerUI.log VirtualSwitchClient.log
Changes the logging level for Syslog Analyzer User Interface. Changes the logging level for Virtual Switching System.
VirtualSwitch
17-15
Chapter 17 Config and Image Management Debugging Settings
Debugging Options
Application EnergyWise
Module

Log File Names EnergyWiseUI.log EnergyWiseConfiguration.log EnergyWiseMonitoring.log
Description Changes the logging level for the user interface of EnergyWise Log for provisioning EnergyWise Device and EndPoints. Log for EnergyWise Monitoring jobs. Log for EnergyWise Device Endpoint, and Domain collection. Log for EnergyWise Policy Compliance check. Log for EnergyWise Data Purge Settings Log for applying EnergyWise to Endpoints.
EnergyWise UI EnergyWise Provisioning EnergyWise Monitoring
EnergyWise Device EnergyWiseCollection.log Endpoint, and EnergyWiseNative.log Domain collection EnergyWise Policy Compliance EnergyWise Data Purge Settings Applying EnergyWise Policies to Endpoints EnergyWiseComplianceCheck.log EnergyWiseNativeCompliance.log EnergyWise_Purge.log EnergyWiseNativePolicy.log
To track the port and module group backend evaluation exceptions and changes, the following logs are maintained:
Step 4 Step 5
PMCOGSServer.log PMCOGSClient.log
Click Reset to apply the default logging levels. Click Apply after you set the log levels, A message appears, that the log levels have been successfully updated.
17-16
OL-20721-01
Chapter 17
Debugging Options Configuring Logging
Configuring Logging
You can enable the debugging option LMS components without restarting the services. When you enable the debugging option for the selected component, the log levels in the respective properties file is changed to DEBUG and the debug messages are recorded in the corresponding log files You can only enable or disable the debugging option. You cannot choose to set different log levels such as INFO,WARNING, FATAL and ERROR. To debug Faults, see Fault Debugging Settings To enable the debugging option for the Common Services components:
Step 1
Select Admin > System > Debug Settings > Common Services Log Configurations. The CS Log Configurations dialog box displays the following details: Item Component Log File(s) Location Description Debug Mode Description List of components for which you can enable or disable the debug option Directory of the log files for the selected application Brief description about the selected application Option to enable or disable the debug mode
Step 2
Select the component from the Component drop-down list box. You can select to enable the debugging option for the available Common Services components. The available components include:

CS Device Groups CS Device Selector CS Home CS Portlets This component is listed in the drop-down list box only when you have installed the LMS Portal application in LMS Server.
Core Admin Module DCR Bulk Import and Export Device Center Device and Credentials Repository Home Page Admin Licensing LMS Setup Center Getting Started This component is listed in the drop-down list box only if LMS Setup Center is installed in LMS Server.
Product Instance Device Mapping SMTP Software Center
17-17
Chapter 17 Fault Debugging Settings
Debugging Options
Step 3
Select the Enable option to enable debugging for the selected application. By default, the Debug Mode is set to disabled.
Note
You can only choose the enable or disable option. You cannot change the log levels to some other value.
Step 4
Click Apply to save the changes. The changes will come into effect after 60 seconds. You can enable the debugging option for only one component at a time.
To disable the debug mode for all the Common Services components:
Step 1
Select Admin > System > Debug Settings > Common Services Log Configurations. The CS Log Configurations dialog box appears. Click Reset All to disable the debug mode for all the Common Services components. The log levels are restored as they are before enabling the debugging option.
Step 2
Fault Debugging Settings

Fault Management module writes application log files for all major functional modules. By default, Fault Management writes only error and fatal messages to these log files; Fault Management saves the previous three logs as backups. You cannot disable logging. However, you can:

Collect more data when needed by increasing the logging level Return to the default logging level as the norm System Administrator Network Administrator Network Operator
This task can be performed by a user logged in to Fault Management in any of the following roles:

You can also enable debug of the Incharge engine, and execute Incharge Commands. See Enable Incharge Debugging for more information. To set the Fault Management debug settings: Select Admin > System > Debug Settings > Fault Debugging Settings. The Fault Debugging Settings page is displayed.
Note
You cannot disable logging. Fault Management will always write error and fatal messages to application log files. For each Fault Management functional module, the Error check box is always selected; you cannot deselect it.
17-18
OL-20721-01
Chapter 17
Debugging Options Fault Debugging Settings
To set all modules to Error, the default logging level:

Step 1
Click the Default button. A confirmation page is displayed. Click OK.
Step 2
To change the logging level for individual modules:

Step 1
For each module that you want to change, select one (or deselect all) of the following logging levels:

WarningLog error messages and warning messages InformationalLog error, warning, and informational messages DebugLog error, warning, informational, and debug messages
Note Step 2
Deselecting all check boxes for a module returns it to Error, the default logging level.
Review your changes. To cancel your changes, click the Cancel button. Otherwise, click the Apply button. When you click Apply it starts to reset the changed logging levels for the Fault Management functional modules.
Enable Incharge Debugging
To do this:
Step 1
Click the Enable Incharge Debugging, and execute Incharge Commands link in the Fault Debugging Settings page. The Incharge Command Execution page appears. Select Enable Incharge Debugging check box to enable Incharge logs for the Fault Management module in LMS. The logs are available at:
Step 2
On Windows:
NMSROOT\objects\smarts\local\logs\DFM.log NMSROOT\objects\smarts\local\logs\DFM1.log
/opt/CSCOpx/objects/smarts/local/logs/DFM.log /opt/CSCOpx/objects/smarts/local/logs/DFM1.log
17-19
Chapter 17 Setting Debugging Options for Topology and User Tracking
Debugging Options
Step 3
You can execute any Incharge command in the Command text box, click Run and view the results in the Result column. Some sample commands that you can exceute are:

sm_server brcontrol dmctl s <domain name> geti Routers
Setting Debugging Options for Topology and User Tracking

If you face issues while running LMS, you can enable logging to debug the same. You can set debugging options for the following functions:

Data Collection (see Setting up Debugging Options for Data Collection) Configuration and Reports (see Setting up Debugging Options for Network Reports) Device Groups (see Setting Debugging Options for Device Groups) Topology (see Setting Debugging Options for Topology) User Tracking Server (see Debugging Options for User Tracking Server) Dynamic User Tracking (see Debugging Dynamic Updates) User Tracking Reports (see Debugging Options for User Tracking Reports) Dynamic User Tracking Console (see Debugging Options for Dynamic User Tracking Console) CiscoView (see Debugging Options for CiscoView)
Setting up Debugging Options for Data Collection

You can set the trace, and debugging, for Data Collection as follows:
Step 1
Select Admin > System > Debug Settings > Data Collection. The Debugging Options dialog box appears. Modify the debugging options as specified in Table 17-7.
Table 17-7 Data Collection Debugging Options for Data Collection
Step 2
Field Enable Debug Modules
Description
Usage Notes
Select this option to enable You can select the modules for debugging logging for Data Collection. only if you select this option. Specify the modules on which you need to enable debugging. Click Select to view the available modules and select the modules in which you want to enable debug. For details on Debug modules, see Selecting Data Collection Debug Modules
17-20
OL-20721-01
Chapter 17
Debugging Options Setting Debugging Options for Topology and User Tracking
Table 17-7
Data Collection Debugging Options (continued) for Data Collection
Field File Name
Description
Usage Notes
Name of the log file in The default log file is NMSROOT\log\ani.log which the trace messages are to be recorded. Maximum size of the log file None in lines IP Addresses (IPv4 or IPv6 Addresses) of devices for which you need to log debugging messages. You can enter multiple IP addresses, separated by commas. This field is enabled only when the Device Level Debugging option is enabled.
Maximum File Size (lines) Device IP(s)
Enable Device Level Debugging
Step 3
Click Apply.
17-21
Debugging Options
Selecting Data Collection Debug Modules

Table 17-8 describes the debug modules available for Data Collection in LMS.
Table 17-8 Data Collection Debug Modules
Module framework
Description

Constructs and maintains data in the memory. Provides framework for LMS features.
Enable debugging for this module only when requested by TAC. This is because enabling debugging for this module creates huge logs. topo Provides network topology computation and layouts. Enable debugging for this module if you have problems with Topology computation of devices. vlad

Discovers VTP domains, VLANs, port-in-VLAN configurations Performs VLAN configuration tasks Determines Spanning Tree state
Enable debugging for this module if you have problems with VTP, VLAN reports, and configuration. ccm Discovers Cisco CallManager (CCM). Enable debugging for this module if you encounter issues with data collected for CCM. vmpsadmin

Discovers end-user hosts on the network Records end-user host information in the ANI database Manages requests for scheduling user and host discoveries, ping sweeps, database queries, and updates to user and notes information
Enable debugging for this module if you have problems with User Tracking. dcrp status Provides computation of network discrepancies. Enable debugging for this module if you have problems in Discrepancy reports. Enables status polling on previously discovered devices. Enable debugging for this module if you have problems with device and link status polling. apps Discovers application hosts such as MCS. Enable debugging for this module if you encounter issues with data collected on application hosts. stp Discovers all STP related information from the network. Enable debugging for this module if you have problems with STP reports and configuration.
17-22
OL-20721-01
Chapter 17
Table 17-8
Data Collection Debug Modules (continued)
Module stpeng
Description

Performs STP configuration tasks Provides basic STP analysis for migration from one STP type to another
Enable debugging for this module if you have problems with STP reports and configuration. devices Provides specific information, if any, available for device categories. Enable debugging for this module if you have problems specific to a particular device type. Click OK to save the selected modules or click Cancel to exit.
Setting up Debugging Options for Network Reports

If you need information on Network Reports in LMS, you can enable debugging for the same. To do this:
Step 1
Select Admin > System > Debug Settings > Layer2 Configuration and Reports The debugging page appears. Select the level of debugging. It can be any one of the following:
Step 2
INFO Only informational messages are recorded in the log file. DEBUG All messages related to Configuration and Reports are recorded in the log file. FATAL Messages related to fatal errors are recorded in the log file. This is the default option.
The Log File Name field specifies the location and name of the log file. The default log file is NMSROOT\log\Campus.log
Step 3
Click Apply.
17-23
Debugging Options
Setting Debugging Options for Device Groups

If there are errors related to System-defined or User-defined groups in LMS, you can enable debugging for the same. Its done as follows:
Step 1
Select Admin > System Administration > Debug Settings > Device Groups. The debugging page appears. Select the level of debugging. It can be any one of the following:
Step 2
INFO Only informational messages are recorded in the log file. This is the default option. DEBUG All client side messages are recorded in the log file. FATAL Messages related to fatal errors are recorded in the log file.
The Log File Name field specifies the location and name of the log file. The default log file is NMSROOT\log\CampusDeviceSelector.log
Step 3
Click Apply.
Setting Debugging Options for Topology

You can enable debugging for Topology Services client side activities. The debugging information will be available in the Java Console. To display Java Console:
Step 1 Step 2
Select Start > Settings > Control Panel > Java. Select the Advanced tab. The corresponding tree structure is displayed. Go to the tree and select Java Console > Show Console. Click Apply and then OK. The Java console is displayed when you launch Topology Services.
Step 3 Step 4
Note
In case you close the Java Console, to reopen it, close the Topology window and relaunch it.
17-24
OL-20721-01
Chapter 17
To enable debugging:
Step 1
Select Admin > System > Debug Settings > Topology. The debugging page appears. Select the level of debugging. It can be any one of the following:
Step 2
TRACE Only informational messages are displayed in the Java Console. DEBUG All Topology Services client side messages are displayed in the Java Console. ERROR Messages related to all errors are displayed in the Java Console. This is the default option.
Step 3
Click Apply.
To change log level settings:

Close the Topology Services window. Change the settings in the LMS Administration page. Re-launch Topology services.
Debugging Options for User Tracking Server

To debug events related to all User Tracking server side processes:
Step 1
Select Admin > System > Debug Settings > User Tracking Server. The debugging page appears. See Table 17-9 for a description of the fields:
Table 17-9 User Tracking Server Side Debugging Options
Field Enable Debug
Description Check this option to enable logging for User Tracking Server side activities. Specify the modules on which you need to enable debugging.
Usage Notes You can select the modules for debugging only after you select this option. Click Select to view the available modules and select the modules in which debug is to be enabled. Table 17-8 lists the debug modules available for User Tracking Server.
Modules
File Name
Name of the log file in The default log file is NMSROOT\log\ut.log which the trace messages are to be recorded.
17-25
Debugging Options
Table 17-9
User Tracking Server Side Debugging Options (continued)
Field Maximum File Size (lines) Device IP(s)
Description Maximum size of the file in lines IP addresses of devices for which you need to log debugging messages. You can enter multiple IP addresses, separated by commas.
Usage Notes
Enable Device Level Debugging
This field is enabled only when the Device Level Debugging option is enabled.
Step 2
Click Apply.
Selecting User Tracking Server Side Debug Modules

Table 17-8 describes the debug modules available for User Tracking Server in LMS.
Table 17-10 User Tracking Debug Modules
Module user tracking framework
Description Provides user tracking functionality. Enable debugging for this if user tracking fails to discover end hosts as expected.

Constructs and maintains data in the memory. Provides framework for LMS features.
Enable debugging for this module only when requested by TAC. This is because enabling debugging for this module creates huge logs. devices Provides specific information, if any, available for device categories. Enable debugging for this module if you encounter issues specific to a particular device type. Click OK to save the selected modules or click Cancel to exit.
Debugging Dynamic Updates

You can set the debugging options required for Dynamic Updates. Enabling debugging, records all the required information to the log files. To enable debugging Dynamic Updates:
Step 1
Select Admin > System > Debug Settings > Dynamic User Tracking. The debugging page appears. Check Enable Debug to set the options.
Step 2
17-26
OL-20721-01
Chapter 17
Step 3
Select the Service Name from the drop down list in the Service Name field. The framework modules appear in the Module Name column. The framework modules depend on the service that you select.
Step 4
Select the debug level for each module. The debug level options are INFO, DEBUG, and TRACE. INFO logs minimum information required for debugging and is the default option. DEBUG is the next level of debugging. TRACE provides complete debugging information and creates huge logs.
Step 5
Enter the filename for the log file in the Log Filename field.

The default log file for UT LITE is NMSROOT\log\utlite.log The default log file for MACUHIC is NMSROOT\log\macuhic.log The default log file for UTManager is NMSROOT\log\utm.log
The default value for Log file size is 1,000,000 lines. You can give values between 1 and 2,147,483,647. Giving zero or negative values or alphabets results in errors.
Step 6
Click Apply to save the settings.
Dynamic User Tracking modules available for debugging are explained in Table 17-11:
Note
Enabling debugging for these modules creates huge logs, which interferes with the Trap processing capability of LMS. We recommend that you enable debugging for this module only when requested by TAC.
Table 17-11 Dynamic User Tracking Debug Modules
Module UT Lite control plane
Description Handles configuration events related to:

Log level Settings Log file Port number
For example: If you changed the log file from X to Y, but logging still happens in X , enable debugging for this module. listener execution framework execution Listens to data sent by the UTLite script installed in the Windows or Novell server. Checks for the integrity of the data received. Handles code level execution of the data received. Enable debugging for this module to debug Java related errors. Processes and validates the data received. UTLite receives MACAddress, IPAddress and User logged in for the end host. This information is updated to the database only if the endhost has been discovered in last UT Major Acquisition cycle or through Dynamic User Tracking.
17-27
Debugging Options
Table 17-11
Dynamic User Tracking Debug Modules (continued)
Module MACUHIC control plane
Description Handles configuration events related to:

listener execution framework decoder
Listens to SNMP traps sent by devices. Checks for the integrity of the data received. Handles code level execution of data received by MACUHIC. Enable debugging for this module to debug Java related errors. Validates the traps sent by devices by checking whether:

The trap is sent by a device managed by LMS. The SNMP version is correct The data received is duplicate data If the data is sent by a Link port or Access port.
execution
Checks whether:

Dynamic UT does not process traps sent from link ports. Updates the database with information received and forwards it to UTManager for further processing. UTManager control plane Handles configuration events related to:

listener execution framework decoder execution es framework es.snmp es.subnet es.db
Listens to data sent by UTLite and MACUHIC. Checks for the integrity of the data received. Handles code level execution of data received by UTManager. Enable debugging for this module to debug Java related errors. Validates the data received from UTLite, MACUHIC, SNMP data from DHCP Snooping MIB and the other data sent by external systems. Processes the data received and updates the database. Handles queries sent to External Systems. Handles SNMP queries sent to External Systems. Performs subnet calculation based on the information sent by External Systems. Handles database operations.
17-28
OL-20721-01
Chapter 17
Debugging Options for User Tracking Reports

You can debug events related to User Tracking client side activities as follows:
Step 1 Step 2
Select Admin > System > Debug Settings > User Tracking Reports. The debugging page appears. Select the level of debugging. It can be any one of the following:
INFO Only informational messages are recorded in the log file. This is the default option. FATAL Messages related to fatal errors are recorded in the log file. DEBUG All User Tracking client side messages are recorded in the log file.
The Log File Name field specifies the location and name of the log file. The default log file is NMSROOT\log\Cmapps.log
Step 3
Click Apply. Debugging is enabled for UT client side activities and the messages are recorded in the corresponding log file.
Debugging Options for Dynamic User Tracking Console

This feature helps you to troubleshoot Dynamic User Tracking updates in a detailed way. Dynamic UT consists of three major processes:

UTLite UTManager MACUHIC
Each process monitors different error conditions using circular buffers in the memory. For each error condition, the buffer will have the count of error occurrences and the conditions under which the error occurred. You can write this information from the memory to a file if you need to, and troubleshoot based on that. To enable Dynamic User Tracking Console:
Step 1
Select Admin > System > Debug Settings > Dynamic User Tracking Console. The debugging page appears. Select the Service name from one of the following:

Step 2
UTLite UTM MACUHIC
The error conditions related to that process are listed under the Error Details section.
17-29
Chapter 17 Setting VRF Lite Debugging Options
Debugging Options
Step 3
Select the error condition for which you need details and click Generate. A new file is generated with all the error details and stored in the LMS server. It is also listed under the File list pane.
Step 4
Select a file and:

Click View to see the file contents. Click Download to save the file in your local machine. Click Delete to delete the file from the server. You can delete multiple files at the same time.
Debugging Options for CiscoView

You can set an SNMP and activity trace and/or view the trace log. This option records trace information into the cv.log file, which is located at %NMSROOT%/MDC/tomcat, where %NMSROOT% is the directory in which CiscoView is installed.
Step 1 Step 2
Select Inventory > Tools > CiscoView. Select a device from the device selector, and select Administration > Debug Options And Display Log. The Trace Settings dialog box appears.
Step 3
Select either or both of the following and then click Apply:

SNMP Trace Displays SNMP request and response pairs, MIB instance ID, data value, data type, request method, and time stamp. Activity Trace Displays server activity such as which device and dialog boxes are open.
Step 4
Click View Trace to see the trace activity in a separate window.
Setting VRF Lite Debugging Options

If you face issues while running VRF Lite, you can enable logging to debug the same. You can set debugging options for the following functions:

VRF Lite Server (see VRF Lite Server Debugging Settings) VRF Lite Collector (see VRF Lite Collector Debugging Settings) VRF Lite Client (see VRF Lite Client Debugging Settings) VRF Lite Utility (see VRF Lite Utility Debugging Settings)
You can click Reset All on the Debugging Settings page to reset the debug levels of functions listed.
17-30
OL-20721-01
Chapter 17
Debugging Options Setting VRF Lite Debugging Options
VRF Lite Server Debugging Settings

VRF Lite Server is used to serve all the requests for VRF Lite configurations tasks. The VRF Lite Server effectively controls and handles all VRF Lite configuration tasks that include deployment of VRF Lite configuration details to the selected devices and interfaces using LMS. The VRF Lite Server also fetches the data from the VRF Lite database for report generation. To apply the debugging level to the VRF Lite Server:
Step 1
Select Admin > System > Debug Settings > VRF Lite Server Debugging. The VRF Lite Server Debugging dialog box appears. The default location of the log file for VRF Lite Server Debugging Settings is NMSROOT\log\Vnmserver.log. The Debug levels in the VRF Lite Server Debugging Settings dialog box is as described in Table 17-12.
Table 17-12 Settings in VRF Lite Server Debugging
Field
Debug Level
Description Only informational messages are recorded in the log file. All messages related to VRF Lite Server are recorded in the log file. Error is the default logging level. Messages related to fatal errors are recorded in the log file. This is the default option. Click Reset to reset the debug levels applied to VRF Lite Server, to default value.
INFO DEBUG ERROR Reset
Step 2
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Server.
17-31
Debugging Options
VRF Lite Collector Debugging Settings

VRF Lite Collector collects all the VRF Lite related information from the managed devices on your network. You can get the information on readiness details of the devices on which VRF Lite can be configured. To apply the debugging level to the VRF Lite Collector:
Step 1
Select Admin > System > Debug Settings > VRF Lite Collector Debugging. The VRF Lite Collector Debugging Settings dialog box appears.The default location of the log file for VRF Lite Collector Debugging Settings is NMSROOT\log\Vnmcollector.log. The Debug levels in the VRF Lite Collector Debugging Settings dialog box are as given in Table 17-13:
Table 17-13 Settings in VRF Lite Collector Debugging
Field
Debug Level
Description Only informational messages are recorded in the log file. All messages related to VRF Lite Collector are recorded in the log file. Error is the default logging level. Messages related to fatal errors are recorded in the log file. Click Reset to reset the debug levels applied to VRF Lite Collector, to default value.
Step 2
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Collector.
17-32
OL-20721-01
Chapter 17
Debugging Options Setting VRF Lite Debugging Options
VRF Lite Client Debugging Settings

VRF LiteVRF Lite Client refers to the Graphical User Interface (GUI) pages used to perform VRF Lite tasks. When you use the GUI pages to perform a task, the logs specific to the tasks are recorded. The recorded logs can be debugged using VRF Lite client debugging settings. To apply the debugging level to the VRF Lite Client:
Step 1
Select Admin > System > Debug Settings > VRF Lite Client Debugging. The VRF Lite Client Debugging Settings dialog box appears.The default location of the log file for VRF Lite Client Debugging Settings is NMSROOT\log\Vnmclient.log. The Debug levels in the VRF Lite Client Debugging Settings dialog box is as described in Table 17-14:
Table 17-14 Settings in VRF Lite Client Debugging
Field
Debug Level
Description Only informational messages are recorded in the log file. All messages related to VRF Lite Client are recorded in the log file. Error is the default logging level. Messages related to fatal errors are recorded in the log file. This is the default option. Click Reset to reset the debug levels applied to VRF Lite Client, to default value.
Step 2
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Client.
VRF Lite Utility Debugging Settings

VRF LiteVRF Lite Client refers to the utility classes used in VRF Lite like DB, JRM and so on. When the utility classes are executed, the logs specific to the utility classes are recorded. The recorded logs can be debugged using VRF Lite utility debugging settings. To apply the debugging level to the VRF Lite Utility:
Step 1
Select Admin > System > Debug Settings > VRF Lite Utility Debugging. The VRF Lite Utility Debugging Settings dialog box appears.The default location of the log file for VRF Lite Client Debugging Settings is NMSROOT\log\Vnmutility.log. The Debug levels in the VRF Lite Utility Debugging Settings dialog box is as described in Table 17-15:
Table 17-15 Settings in VRF Lite Utility Debugging
Field
Debug Level
Description Only informational messages are recorded in the log file.
INFO
17-33
Debugging Options
Table 17-15
Settings in VRF Lite Utility Debugging (continued)
Field DEBUG ERROR Reset
Description All messages related to VRF Lite Utility are recorded in the log file. Error is the default logging level. Messages related to fatal errors are recorded in the log file. This is the default option. Click Reset to reset the debug levels applied to VRF Lite Utility, to default value.
Step 2
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Utility.
17-34
OL-20721-01
CH A P T E R
18

This section briefly describes all the LMS tasks. See the Online help for further details. This section explains the following LMS task groups:

Understanding Admin Tasks Understanding Report Tasks Understanding Configuration Tasks Understanding Monitor Tasks Understanding Inventory Tasks Understanding Work Center Tasks
Note
You should enable the Browse Jobs task to schedule any job across LMS.
Understanding Admin Tasks

This section explains the following Admin task groups:

Understanding System Tasks Understanding Trust Management Tasks Understanding Network Tasks Understanding Collection Tasks Light Weight Messaging System Jobs Getting Started Manage Portal
18-1
Chapter 18 Understanding Admin Tasks
Understanding System Tasks

This section explains the following System task groups:

Log Rotation Cisco.com Settings Licensing Software Center Debug Settings System Preferences/Device Management Functions User Management Server Monitoring DBReader Access Group Management Authentication Mode Setup Backup SMTP Default Server
Log Rotation
You can configure log rotation settings and schedule log rotation jobs.
Cisco.com Settings
You can configure Cisco.com Settings like:
Proxy Server Setup You can update the proxy server configuration.
Apply Proxy Server Settings:
You can set up the proxy server details.

Remove Proxy Server Settings:
You can remove the proxy server settings that are already set up.
Cisco.com User Account Setup You can add and modify Cisco.com user login names and password.
Licensing
You can register your software and obtain a product license.
18-2
OL-20721-01
Chapter 18
Understanding LMS Tasks Understanding Admin Tasks
Software Center
This section explains the following Software Center task groups:
Schedule Device Downloads You can schedule device package downloads and specify the time, frequency of the downloads, and specify download policies if you have permissions.
Device Update You can view a list of all Cisco Prime related devices packages on your system, and the count of devices supported. The source location could be Cisco.com or the Server Side Directory.
Check For Updates
You can check for new device updates.

Delete Device Packages
You can delete packages that are outdated or no longer used.
Software Update You can perform the following tasks:

Download Updates
You can download the selected updates from Software Center.

Select Updates
You can select new software packages to update the product.

Debug Settings
This section explains the following Debug Settings tasks:
Layer2 Configuration/Reports and User Tracking Debug Options You can configure the debug options for Layer2 Configuration and Reports and User Tracking. Config and Image Management debugging settings
Loglevel Settings - Defaults/Apply
You can set different logging levels such as Fatal, Error, Warn, Info, or Debug for individual Config and Image Management packages.
IPSLA Debugging Settings You can view, set or reset the log levels for all the modules of IPSLA Performance Management.
18-3
VRF Lite Debug Settings You can set debugging options for:
VRF Lite Server VRF Lite Collector VRF Lite Client VRF Lite Utility
Common Services Log Configurations You can enable or disable the debugging option for Common Services components without restarting the services.
Fault Debugging Settings You can change the logging level of all the functional modules of Fault Management. Performance Debugging Settings You can configure and manage log level settings of Device Performance Management function of LMS.
System Preferences/Device Management Functions
You can configure system-wide information on the LMS Server. You can also enable or disable LMS functions like:

User Management
This section explains the following User Management tasks:
Local User Setup

Edit User
You can modify a local user in LMS Server, assign roles, and specify the authorization type.
Delete User
You can delete a local user profile from the LMS Server.
Modify My Profile
You can modify your local user profile in LMS Server.

Add User
You can add a local user in LMS Server.

Import/Export Users
You can import local users from the client or from ACS. You can import local users from ACS only through CLI and not from the UI. You can export the local users.
18-4
OL-20721-01
Chapter 18
Notify Users You can broadcast messages to online users. Local User Policy Setup You can setup username and password policies for Cisco Prime local users in LMS. Role Management Setup The Role Management tasks are listed below:
Delete Role
You can delete user-defined roles.

Add Role
You can add user-defined roles.

Edit Role
You can edit user-defined roles.

Import/ Export Roles
You can import roles in the XML format from the client.You can export roles in the XML format. The file will be saved in the client.
Copy Role
You can use this option to copy a role.

Default Role
You can set a role as a default role. When multiple roles are set as default role, the user will be assigned with all the roles selected as default roles.
Server Monitoring
This section explains the following Server Monitoring task groups:
Process
Start Processes
You can start the Cisco Prime processes.

Stop Processes
You can stop the Cisco Prime processes.
Collect Server Information

Create Collect Server Information
You can get the required information about the server. This includes system information, environment, configuration, logs, web server information, device and credentials administration information, and grouping services information.
Delete Collect Server Information
You can delete the collected server information.
DiskWatcher Configuration You can configure disk space threshold level.
18-5
Selftest You can view self test reports to test some basic functions of the server.
Create Self test
You can test the basic functions of server.

Delete Self test
You can delete the collected self test information.

DBReader Access
You can run the DBReader utility from a Cisco Prime client to access the database and troubleshoot database issues.
Group Management
The Groups feature helps you to group devices managed by LMS. It helps to create, manage and share groups of devices. This section explains the following Group Management task groups:
Device Groups
Delete Group
You can delete a group from the Group Selector. When you delete a group, all the child groups under the group are also deleted. You can also delete the stale groups (groups that are belonging to users removed from Cisco Prime).
Edit Group
You can modify some of the device groups.

Export Group
You can export a selected group or all user-defined groups from all applications, to an output file.
Group Refresh
You can recompute the membership of a group by re-evaluating the group's rule. The membership of Automatic groups is recomputed dynamically.
Create Group
You can create device groups.

Import Group
You can import user-defined device groups from an input XML file.
Group Details
You can view the details of a group.

Authentication Mode Setup
You can use your current authentication database for Cisco Prime authentication and select a login module (Kerberos, TACACS+, RADIUS, and others), and set their options.
Backup
Allows you to backup the database regularly. It also lets you schedule immediate, daily, weekly, or monthly automatic database backups.
18-6
OL-20721-01
Chapter 18
SMTP Default Server
You can specify the default SMTP server.
Understanding Trust Management Tasks

This section explains the following Trust Management task groups:

Multi Server Local Server
Multi Server
You can perform the following multi-server management tasks:
Peer Server Certificate Setup You can add the certificate of another LMS Server into its trusted store. This allows LMS Servers to communicate with one another using SSL.
Delete Peer Certificate
You can delete the peer certificate.

View Peer Certificate
You can view the details of an existing peer certificate.

Add Peer Certificate
You can add the certificate of a peer LMS Server into its trusted store.
System Identity Setup You can setup a System Identity user on servers that are part of a multi-server setup. This user enables communication among servers that are part of a domain.
Peer Server Account Setup You can create users who can log into LMS Servers and perform certain tasks.
Peer Server Accounts Delete
You can delete a secret user set up in the LMS Servers.

Peer Server Accounts Add
You can add a secret user who can programmatically login to multiple LMS Servers and perform certain tasks.
Peer Server Accounts Edit
You can edit a secret user setup in the LMS Servers.
Single Sign-On Setup You can use your browser session to transparently navigate to multiple LMS Servers without authenticating to each server.
18-7
Local Server
Certificate Setup You can create a self-signed certificate from the user interface. Browser-Server Security Mode Setup You can enable browser-server security.
Understanding Network Tasks

This section explains the following Network task groups:

Best Practices Deviation Settings Monitor/ Troubleshoot Notification and Action Settings PSIRT/EOS and EOL Settings Discovery Settings Purge Settings Software Image Management Configuration Job Settings Device Credential Settings Change Audit Settings Resource Browser
Best Practices Deviation Settings
You can customize the Discrepancies Report and Best Practices Deviations Report to display only those discrepancies and Best Practice Deviations about which you want to be notified.
Monitor/ Troubleshoot
This section explains the following Monitor and Troubleshoot tasks:
NAM Configuration You can view, add, edit, or delete the NAM configuration details. Load MIB You can load a MIB file. RMON Configuration You can enable RMON on all ports in selected devices. Fault Poller settings for topology You can configure fault poller settings for Topology.
18-8
OL-20721-01
Chapter 18
This section explains the following Notification and Action Settings tasks:
Performance - Syslog notification You can update, create, edit, or delete a syslog receiver group. IPSLA Syslog Configuration You can view, enable or disable IPSLA syslog configuration. Performance - SNMP Trap notification You can create, edit, or delete a trap receiver group. Fault Syslog Notification You can add, edit, suspend, resume, or delete a syslog notification subscription. Fault - SNMP trap notification You can add, edit, suspend, resume, or delete an SNMP trap notification subscription. ChangeAudit Automated Actions You can define automated actions on creation of change audit record. You can create, edit, delete, enable, disable, export, or import an automated action.
Event Sets You can configure a set of events that you want to monitor. Fault - SNMP trap forwarding You can forward SNMP traps from devices in the LMS inventory Fault - SNMP trap receiving settings You can update SNMP trap receiving port. Fault - Email notification You can add, edit, suspend, or resume a subscription for e-mail notification. You can also delete e-mail notification subscriptions that are no longer useful or are redundant. Syslog Message Filters You can create, edit, delete, enable, disable, export, or import syslog message filter. Fault Notification Customization You can customize names and event severity. Fault - Email subject customization You can customize the e-mail subject for forwarded events. Inventory and Config collection failure notification You can configure the destination server and port to receive trap notification on inventory collection or config fetch failure.
Syslog Automated Actions You can create, edit, delete, enable, disable, export, or import a syslog automated action. Fault Notification Group You can add, edit, or delete fault notification groups.
18-9
PSIRT/EOS and EOL Settings
This section explains the following PSIRT/EOS and EOL Settings task:
PSIRT/EOX reports option You can use the PSIRT/EOX Reports option to change the data source for generating a PSIRT or End-of-Sale or End-of-Life report.
Discovery Settings
This section explains the following Discovery Settings tasks:
Settings You can:

View Discovery Settings
You can view the summary of device discovery settings.

Configure Discovery Settings
You can configure the settings required to run a discovery job.

Discovery Status
You can view the status of device discovery.

Start Stop Discovery
You can also start or stop a device discovery.
Schedule You can add a device discovery schedule.
Purge Settings
This section explains the following Purge Settings tasks:
Config Job purge settings You can configure the following config job settings:
Job Purge - Schedule/Enable/Disable/Purge Now
You can schedule, enable, or disable purging of configuration management jobs. You can also immediately purge the jobs.
Job Purge
You can purge the config jobs.
Syslog Backup Settings You can set the syslog backup policy. IPSLA data Purge Settings
18-10
OL-20721-01
Chapter 18
You can set the purge period for IPSLA historical data and for audit reports. You can configure the following IPSLA data Purge settings:
Apply IPSLA Purge Settings
You can apply IPSLA purge settings.

IPSLA Purge Settings
You can view IPSLA purge settings

Default IPSLA Purge Settings
You can apply default IPSLA purge settings.
Syslog Force Purge You can perform a forced purge of syslog messages Performance Job Purge Settings You can configure the following performance Job purge settings:
Do Immediate Job Purge
You can immediately purge the performance jobs.

Schedule Job Purge
You can schedule a performance job purge.
Fault History Purging Schedule Configure the daily fault history purging schedule. VRF Lite Purge Settings You can purge VRF Lite jobs or report archives. ChangeAudit Force Purge You can perform a forced purge of change audit. Config Archive Purge Settings You can define the configuration archive purge policy. ChangeAudit Purge Policy You can set the change audit purge policy. Performance data purge settings You can configure the following performance data purge settings:
Do Immediate Data Purge
You can immediately purge the performance data .

Schedule Data Purge
You can schedule a performance data purge.
Syslog Purge Settings You can specify a default policy for the periodic purging of syslog messages. Layer2 Services and User Tracking Report Purge You can purge Layer2 services jobs or report archives.
18-11
Software Image Management
This section explains the following Software Image Management task:
View/Edit Preferences You can set or change software management preferences
Configuration Job Settings
This section explains the following Configuration Job Settings tasks:
Assign Approver Lists You can assign an approver list to the applications Create/Edit Approver Lists You can create, edit, or delete approver lists Approver Details You can specify approver details Approval Policies You can set up job approval for the applications Config Job Policies You can define the default job policies for configuration management applications
Device Credential Settings
This section explains the following Device Credential Settings tasks:
User Defined Fields You can add, rename, or delete the user-defined fields used to store additional information about a device.
Register/Unregister 3rd Party Application in DCR
You can register or unregister third party applications in DCR.

Add User Defined Fields in DCR
You can add a User Defined Field to to store the additional information about a device.
Rename User Defined Fields in DCR
You can rename a User Defined Field.

Delete User Defined Fields from DCR
You can delete a User Defined Field.
Mode Settings You can change DCR mode settings to master, slave or standalone. Verification Settings You can select the credentials that need to be verified while adding devices.
18-12
OL-20721-01
Chapter 18
Change Audit Settings
This section explains the following Network Administration tasks:
Inventory Change Filter You can set inventory change filters. Exception Period You can specify the time when no network changes should occur.
Resource Browser
This section explains the following Resource Browser tasks:
Browse Resources You can view the details of resources and manage resources. Free Resources You can free-up locked resources.
Understanding Collection Tasks

This section explains the following Collection task groups:

Inventory Collection Settings Config Collection Settings Data Collection Settings Syslog Collection Settings Performance Collection Settings User Tracking Collection Settings Fault Collection Settings VRF Lite Collection Settings
Inventory Collection Settings
You can set the default values for inventory, config timeout, and retry settings. This section explains the following Inventory Collection Settings tasks:
Inventory Jobs You can view the Inventory job browser, and view, create, stop, delete, or edit an inventory collection or polling job.
Inventory, Config Timeout and Retry Settings You can edit the inventory, config timeout, and retry settings.
18-13
Config Collection Settings
This section explains the following Config Collection Settings tasks:
Config Archive settings You can configure the Config Archive settings. You can move the configuration archive location, archive the running configuration, or enable or disable the use of shadow directory.
Config Collection Settings You can define the configuration collection setting. You can modify how and when the configuration archive retrieves configurations.
Secondary Credentials Settings You can enable or disable the secondary credentials fallback. Config Transport Settings You can view or define the protocol order for configuration management applications Config Job Timeout Settings You can configure the Job Result Wait Time per device for the Sync Archive jobs.
Data Collection Settings
This section explains the following Data Collection Settings tasks:
Data Collection schedule You can schedule the day and time of Data Collection. Start Data Collection You can start Data Collection. Layer2 Administration Settings You can configure Layer2 administration settings.
Syslog Collection Settings
This section explains the following Syslog collection tasks:
Subscribe/Unsubscribe Collector You can subscribe or subscribe to a Common Syslog Collector. Collector Status/Update You can view the status of the Common Syslog Collector to which the Syslog Analyzer is subscribed to.
18-14
OL-20721-01
Chapter 18
Performance Collection Settings
This section explains the following Performance collection tasks:
IPSLA application settings You can configure the following IPSLA application settings:
Copy IPSLA Configuration to Running-config
You can view the configured collectors in the running configuration. You can also retain the default settings.
Set a source interface address
You can set a source interface address for the source router. You can also retain the default settings.
Performance Management SNMP timeouts and retry settings You can configure the Performance Management SNMP timeout and SNMP retries. You can also configure other Poll Settings.
User Tracking Collection Settings
This section explains the following User Tracking collection tasks:
User Tracking device trap configuration You can configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a host is connected to or disconnected from that port.
User Tracking Acquisition Action You can trigger the following acquisitions:
Device based Acquisition Subnet based Acquisition IP Phone Acquisition
User Tracking trap listener configuration You can configure the trap listener to direct the traps through HP Open View (HPOV) or LMS Fault Monitor.
User Tracking Acquisition Settings You can configure User Tracking Acquisition settings to collect usernames during UT Major Acquisition and update the UT table.
User Tracking Acquisition Schedule You can modify UT acquisition schedule. User Tracking Administration Settings You can configure the various User Tracking administration settings.
18-15
Fault Collection Settings
This section explains the following Fault collection tasks:
Fault Management Rediscovery Schedule You can suspend, or resume the Fault Management rediscovery schedule, and add, modify, or delete additional schedules.
Fault Monitoring Device Administration You can rediscover specific devices. Fault Management SNMP timeouts and retries You can modify the Fault Management SNMP timeout and retries. Collection Summary Portlet You can view the report of successful and failed devices for fault discovery in this portlet. Fault Event Forensics Configuration You can enable the Event Forensics collection feature on LMS server to start collecting the event forensics data.
VRF Lite Collection Settings
This section explains the following VRF Lite collection tasks:
VRF Lite SNMP Timeouts and Retries You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular device with SNMP timeout exceptions.
VRF Lite Collector Schedule You can schedule the VRF Lite Collector process to run after every Data Collection. You can also add, edit and delete VRF Lite Collector Schedule jobs.
Light Weight Messaging System
The Light Weight Messaging system allows you to perform the following task:
Event Listener You can use this tool to send and receive events.
Jobs
You can perform the following Job tasks:
Browse Jobs You can use the job browser and view the details of individual jobs.
Note
You should enable the Browse Jobs task to schedule any job across LMS. Delete Job You can use the job browser to delete the jobs. Stop Job You can stop the jobs using the job browser.
18-16
OL-20721-01
Chapter 18
Understanding LMS Tasks Understanding Report Tasks
Getting Started
You can perform the Getting Started tasks.

Manage Portal
You can manage all the portlets.
Understanding Report Tasks

This section explains the following Report task groups:

Understanding Fault and Event Report Tasks Understanding Report Archives Tasks Understanding Report Designer Tasks Understanding Inventory Report Tasks Understanding Audit Report Tasks Understanding Technology Report Tasks Understanding Performance Report Tasks Understanding System Report Tasks Understanding Switch Port Report Tasks Schedule Reports in Layer2 Services and User Tracking User Tracking Job Archives Layer2 Services Job Archives Inventory/Syslogs/Change Audit Generate Reports Inventory/Syslogs/Change Audit View All Reports Inventory/Syslogs/Change Audit View Own Reports
18-17
Chapter 18 Understanding Report Tasks
Understanding Fault and Event Report Tasks

This section explains the following Fault and Event report task groups:

Threshold Violation Best Practices Syslogs History
Threshold Violation
You can generate this report which displays threshold violations details for each device based on the polled data.
Thresholds You can create reports based on the threshold configured for the MIB variable. You can create, or view reports for specific threshold MIB variables. These reports are called IPSLA Threshold Violation reports.
TrendWatch Summary You can create consolidated reports based on the TrendWatches configured for the MIB variable. You can create, view summary reports of TrendWatch MIB variables.
Best Practices
You can generate the following Best Practices and Discrepancy reports:
Acknowledge/Unacknowledge Discrepancy You can acknowledge a Best Practice Deviation that you no longer want to see in the Best Practices. You can also unacknowledge the acknowledged Best Practise Deviations to reappear in the Best Practise Deviations Report.
Discrepancies You can fix the discrepancies detected in the network. Fix Best Practice Deviation You can the fix Best Practice Deviation detected in the network. Fix Discrepancy You can the fix discrepancies detected in the network. Deviation You can view best practice deviation report.
Syslogs
You can use Custom Reports along with Syslogs to generate GOLD test reports. You can also use Custom Reports along with Syslogs to generate Embedded Event Manager reports.
18-18
OL-20721-01
Chapter 18
History
You can search fault history database for device issues.
Event History You can view the fault history report for a given event ID. Event Monitor/ Device Fault You can view information on events in device for the past 31 days. Event Monitor is a centralized place where in you can view the event details of all devices and device groups.
Understanding Report Archives Tasks

This section explains the following Report Archives task groups:

IPSLA Inventory and Syslog Layer2 Services and User Tracking
IPSLA
You can manage IPSLA archived reports. You can perform the following tasks:
List Report Archives You can list the IPSLA report archives. Delete Report You can delete the IPSLA report archives.
Inventory and Syslog
You can view the list of the completed report jobs that you own or all report jobs.
Layer2 Services and User Tracking
You can view and delete archived Layer2 Services and User Tracking reports.
Understanding Report Designer Tasks

You can view, modify, or create new report templates for:

User Tracking Syslog and Inventory
User Tracking
Custom Layouts You can view the list of Custom layouts. Custom Reports You can customize the layout and columns displayed in the UT reports to suit your needs.
18-19
Syslog and Inventory
Custom Report Template You can create new report templates customized according to your requirements. You can also view, add and edit, delete existing custom templates, view your own templates or view all templates.
Understanding Inventory Report Tasks

You can generate inventory reports and this section explains the following Inventory Report task groups:

Device Attributes User Tracking Management Status
Device Attributes
You can view device attributes report.

User Tracking
You can create, schedule, and view various UT reports like:
End Host History You can view the login and logout information of the endhosts User Tracking System and Custom Reports You can view User Tracking system and custom reports
Management Status
You can generate device credentials, device and credentials admin reports, and inventory and config Collection Status report.
Inventory and Config Collection Status You can generate the Inventory and Config Collection Status Report which helps you to identify possible causes for Inventory and Configuration collection failure and take timely corrective action.
Understanding Audit Report Tasks

You can generate audit reports like:

System Performance Inventory and Config
System
You can generate system audit report.
18-20
OL-20721-01
Chapter 18
Performance
You can generate performance audit report.

Inventory and Config
You can generate inventory and config audit report.
Understanding Technology Report Tasks

You can generate the following technology reports:

VLAN VRF Lite
VLAN
You can generate VLAN reports for devices, switch clouds, or VTP domains.
VRF Lite
You can generate the following VRF Lite Reports:
VRF Lite and VRF Lite Readiness report You can generate Device Based VRF-Lite reports and VRF Based reports. You can also generate the VRF Lite Readiness report which provides the devices details that comply with the basic hardware and software support available, in contrast to the required support on the devices to configure VRF.
Understanding Performance Report Tasks

This section explains the following Performance Report task groups:

Create Performance Report View Performance Report Poller Device Create IPSLA Report View IPSLA Job Details View IPSLA Report Custom
Create Performance Report
You can generate, or view performance reports like:
Interface Report Displays the Interface availability information of a device during the last 24 hours. It also displays Interface utilization and error rate information for a device interface during the last 24 hours.
IPSLA Detailed Report You can generate various IPSLA detailed reports.
18-21
IPSLA Summary Report You can generate system reports for all collectors based on the report types and granularity after the consolidation of the statistical data.
EnergyWise Device Power Usage Displays the power usage data for each device that is polled for the EnergyWise Device Power Usage template.
EnergyWise Port Power Usage Displays the power usage data for each port that is polled for the EnergyWise Port Power Usage template.
PoE Port Utilization Report Displays the port level utilization for each device polled for the Power Over Ethernet (PoE) Port Utilization template.
PSE Consumption report Displays the power utilization and losses for each device polled for the Power Over Ethernet PSE Consumption template.
IPSLA Audit report Displays all IPSLA related audit changes that occurred in the network during a specified time period.
View Performance Report
You can view performance reports like:

Interface Report IPSLA Detailed Report IPSLA Summary Report EnergyWise Device Power Usage EnergyWise Port Power Usage PoE Port Utilization Report PSE Consumption report IPSLA Audit report
Poller
You can:
View Poller Report You can view Poller Reports based on the template added in a given Poller. Create Poller Job You can create Poller Reports based on the template added in a given Poller.
Device
You can view device availability and performance parameters of a device.
Device Performance You can view performance parameters of a device.
18-22
OL-20721-01
Chapter 18
Create IPSLA Report
You can create IPSLA Reports and IPSLA Threshold Violation Reports. You can also reset the values you entered.
View IPSLA Job Details
You can view details of IPSLA jobs.

View IPSLA Report
You can view IPSLA Reports, IPSLA Report Archives and IPSLA Threshold Violation Reports. You can list and create IPSLA Audit Report.
Custom
You can create, or view custom reports.
Understanding System Report Tasks

You can generate administration and system reports. This section explains the following System task groups:

Data Collection Metrics and Device Support Users ANI Server Analysis Status
Data Collection Metrics and Device Support
You can view the duration of each data collection, and the device count. You can also view the icon, name, and object ID of the supported devices.
Users
You can view information about users currently logged into LMS.
Who is Logged on You can view information on users currently logged into LMS. Permission Report You can view information on roles and privileges.
ANI Server Analysis
You can analyze the ANI server performance.

Status
You can view the status of the processes running on the LMS Server.
Log File You can view information on log file size and file system utilization. Process You can view the status of the processes running on the LMS Server.
18-23
Understanding Switch Port Report Tasks

You can generate reports based on switch port status. This section explains the following Switch Port Report task groups:

User Tracking Switch Port Usage Ports
User Tracking Switch Port Usage
You can view reports on:

Connected PortsThe ports that are administratively UP and are connected to a device will be listed here. Free PortsThe Ports that are administratively UP but are not connected to a device will be listed here. Free Down PortsThe ports that are administratively down will be listed here. Switch Port Capacity Report Lists switches that have crossed utilization threshold limits, along with the value of percentage port utilization.
You can also view the following reports:
Recently Down Ports Displays:

Link ports that were connected to a device in the previous Data collection, but found
unconnected in the current Data Collection.

Access ports that were connected to an endhost in the last UT Major Acquisition cycle, but
found unconnected in the current Data Collection
Reclaim Unused Down Ports Report Displays ports that have been in Unused Down state for a specified interval of time. Reclaim Unused Up Ports Report Displays ports that have been in Unused Up state for a specified interval of time. Switch Port Summary Report Displays the number of Connected, Free, and Free down ports in each switch.
Ports
You can view status of the ports.
Port Attributes You can view information about the status of ports in the network
Schedule Reports in Layer2 Services and User Tracking
You can schedule reports of the Network, Layer 2, and User Tracking function of LMS.
User Tracking Job Archives
You can view archived reports of UT jobs.
18-24
OL-20721-01
Chapter 18
Understanding LMS Tasks Understanding Configuration Tasks
Layer2 Services Job Archives
You can view archived reports of Layer 2 services jobs.

Inventory/Syslogs/Change Audit Generate Reports
You can generate all Inventory, Syslog, and Change Audit reports.
Inventory/Syslogs/Change Audit View All Reports
You can view all Inventory, Syslog, and Change Audit reports.
Inventory/Syslogs/Change Audit View Own Reports
You can view all Inventory, Syslog, and Change Audit reports which you have generated.
Understanding Configuration Tasks

This section explains the following Configuration task groups:

Understanding Configuration Archive Tasks Understanding Configuration Tools Tasks Understanding ConfigCLI Tasks Understanding Configuration Workflows Tasks Understanding Configuration Job Browsers Tasks Understanding Compliance Tasks
Understanding Configuration Archive Tasks

This section explains the following Configuration Archive tasks:

Label Configs Summary Views
Label Configs
You can select configuration files from different devices, group and label them. You can manage Label Configs.
Summary
You can view the configuration archival status and summary.
18-25
Chapter 18 Understanding Configuration Tasks
Views
You can search archives using version tree and version summary. The tasks in Views are the following:
Custom Queries You can create a custom configuration query that searches information about the specified configuration files.
Search Archive You can search the archive for configuration containing text patterns for selected devices. Version Summary You can view all archived configurations for selected devices.
Understanding Configuration Tools Tasks

This section explains the following Configuration Tools tasks:

Software Image Management NetConfig/Template Center Config Editor
Software Image Management
Software Repository You can view, add, delete, or update the images that are available in the Software Management repository.
Repository Synchronization You can update the software repository. Software/Patch Distribution You can distribute software images in the network. You can also distribute patches simultaneously to applicable devices.
Jobs You can check the status of a scheduled Software Image Management job. You can view, edit, stop, delete, retry or undo the job.
Upgrade Analysis You can analyze images before distribution.
18-26
OL-20721-01
Chapter 18
NetConfig/Template Center
This section explains the following NetConfig and Template Center tasks:
Assign Tasks You can assign tasks to a valid Cisco Prime user. User Defined Tasks You can create and edit user-defined tasks. Jobs
View
You can view all NetConfig and Template Center jobs.

Create/Configure/Deploy/Import
You can deploy and import configuration templates in LMS. You can also create NetConfig jobs.
Config Editor
This section explains the following Config Editor tasks:
Private Configs You can view changes made to a configuration file in the private work area. Edit Private Configs You can save an edited configuration file in the private work area on the server and retrieve the saved file when required.
Edit Public Configs You can save an edited configuration file in the public work area on the server and retrieve the saved file when required.
Delete Private Configs You can remove a configuration file from the private work area on the server. Delete Public Configs You can remove a configuration file from the public work area on the server. Public Configs You can view changes made to a configuration file in the public work area. Edit Mode Preference You can set up the default editing mode. Config Editor You can open, edit, or print configuration files. Jobs You can create, edit, delete, copy, or stop Config Editor jobs.
18-27
Understanding ConfigCLI Tasks

This section explains the following ConfigCLI tasks:
Delete
You can delete configurations older than a specified date from the configuration archive.
Compare With Baseline and Deploy
You can create a job that compares the given Baseline template with the latest version of the configuration for a device and download the configuration to the device if there is a non-compliance.
List Version
Lists the different versions of configuration files archived in the archival system.
Create Parameter file
You can create a parameter file if the Baseline template containing the parameters is specified.
Compare With Baseline
You can compare the given Baseline template with the latest version of the configuration for a device.
Deploy Baseline
You can deploy the given Baseline template to a device.

Reload
You can reboot the devices, to load the running configuration with their startup configuration.
Get Configuration
You can retrieve the running configuration from the devices and push it to the configuration archive if the running configuration is different than the latest version in the archive.
Run2Start
You can create a job that overwrites the startup configuration of device with running configuration.
Get Change Audit Data
You can get Change Audit data.

Write2Run
You can compare the latest running configuration for the device in the configuration archive with the configuration in the file, to generate a new configuration that is downloaded to the device, so that the configuration specified in the file is available on the running configuration of the device.
Export Configuration
You can retrieve the configuration for a device from the archive and write it to a specific file.
Compare
You can list the difference between versions of a device configuration.
18-28
OL-20721-01
Chapter 18
write2Start
You can erase the contents of the device's startup configuration and then write the contents of the given file as the device's new startup configuration.
Export Configuration-xml
You can retrieve the configuration for a device from the archive and write it to a XML file.
Import Configuration
You can retrieve the configuration from a file, and push it to the device, adding to the device's running configuration.
Get Inventory Data
You can get the inventory data for the devices.

Start2Run
You can merge the running configuration of any devices with their startup configuration to give a new running configuration.
Put Configuration
You can retrieve the configuration from the configuration archive and push it to the device.
Understanding Configuration Workflows Tasks

This section explains the following Configuration Workflows tasks:

VLAN VRF Lite
VLAN
This section explains the following VLAN Workflows tasks:
Configure Port Assignment You can manage ports on your network VLAN. Create/Delete Private VLAN You can create and delete private VLANs Configure Promiscuous Ports You can configure a promiscuous port Create/ Modify Trunk You can create a trunk for a port, or modify trunk attributes. Configure/ Delete VLAN You can create and delete VLANs configured on the devices in the network.
VRF Lite
This section explains the following VRF Lite Workflows tasks:
VRF Configuration You can create, edit, extend, delete and assign Edge VLAN to VRF.
18-29
Understanding Configuration Job Browsers Tasks

This section explains the following Configuration Job Browsers tasks:

Job Approval NetConfig Config Editor
Job Approval
You can approve or reject a job for which you are an Approver. The job will not run until you or another Approver approves it.
NetConfig
You can manage NetConfig jobs.

Config Editor
You can manage Config Editor jobs.
Understanding Compliance Tasks

This section explains the following Configuration Compliance tasks:

Out-of-Sync Summary Compliance Templates
Out-of-Sync Summary
You can generate Out-of-Sync report for device groups.

Compliance Templates
This section explains the following Compliance Templates tasks:
Compliance Check You can run a compliance check. Direct Deploy You can deploy a baseline template using a file system or UI. Templates You can manage a baseline template.
18-30
OL-20721-01
Chapter 18
Understanding LMS Tasks Understanding Monitor Tasks
Understanding Monitor Tasks

This section explains the following Monitor task groups:

Understanding Performance Settings Tasks Understanding Fault Settings Tasks Understanding Threshold Settings Tasks Understanding Troubleshooting Tools Tasks Understanding Monitoring Tools Tasks
Understanding Performance Settings Tasks

You can configure performance settings like:

IPSLA Setup
IPSLA
You can manage IPSLA devices, collectors, operations and outage settings
Devices You can add devices to manage IPSLA functionality. You can:
Enable IPSLA Responder
You can enable IPSLA responder for the selected devices.

Update IPSLA Config
You can update the IPSLA responder enable or disable status. You can also save the latest information configured in a device to the database.
View Devices
You can view all the IPSLA devices managed by LMS.

Edit Device Attributes
You can edit the device attributes like SNMP Retry and SNMP Timeout.
Delete devices
You can delete Adhoc target devices.

Add Adhoc Target
You can add adhoc target devices to the IPSLA Performance Management function in LMS if you want to manage devices from an external source. The Adhoc devices may be either Cisco devices or devices with a unique IP address.
Collectors You can create, edit, delete, monitor, start, list, view, or stop collectors. When you have the authorization to create collectors you can import, export and reconfigure collectors.
18-31
Chapter 18 Understanding Monitor Tasks
Operations You can analyze IP service levels for IP applications and services. You can view operation details, list, create, edit, or delete operations.
Outage Settings You can view, list, create, edit, or delete planned outages.
Setup
You can setup auto monitoring, poller and template management
Automonitor You can change the polling intervals. Pollers You can create and manage pollers. You can:
Edit Poller
You can edit pollers.

Clear Failures
You can clear all the failures recorded in the database for a Poller.
Clear Missed Cycle
You can clear all the polling interval cycles missed for a Poller.
Activate and Deactivate Poller
You can activate an inactive Poller to poll, or stops a Poller from polling.
View Failures
You can view failures that occurred during polling.

Create Poller
You can create a Poller.

List Performance Devices
You can view performance devices.

Delete Poller
You can delete a Poller.

Debug Performance Polling Engine
You can debug performance polling engine.

List / View Pollers
You can list or view Pollers.
Templates You can create, copy, edit, list, delete, export, or import templates to monitor performance parameter.
Device Performance Management Summary You can view the Device Performance Management Summary portlet details. To access any custom role, you should select Device Performance Management Summary.
18-32
OL-20721-01
Chapter 18
Understanding Fault Settings Tasks

You can set up the following fault settings tasks:
Setup You can setup polling parameters, group priorities, and view device fault details.
Apply Changes
You can apply polling and threshold changes.

Polling Parameters
You can configure polling parameters.

Fault Device Details
You can view component details of a device.

Priority Settings
You can set priority for polling and thresholds.
Understanding Threshold Settings Tasks

You can configure pollers, manage templates, configure trendwatch. This section explains the following Threshold Settings tasks:

TrendWatch Performance Fault
TrendWatch
You can create, activate, list and view, edit, copy, deactivate, or delete trendwatch for a MIB variable.
Performance
You can create, edit, delete, access, or, list and view thresholds for a MIB variable.
Fault
You can view the thresholds that are associated with device groups, trunk port groups, access port groups, and interface groups.
18-33
Chapter 18 Understanding Monitor Tasks
Understanding Troubleshooting Tools Tasks

You can troubleshoot network devices using various tools like NetShow and VRF-Lite. This section explains the following Troubleshooting Tools tasks:

VRF Lite NetShow Connectivity Tools Troubleshooting Workflows
VRF Lite
Ping and Traceroute/Show Commands You can troubleshoot VRFs using Ping or Traceroute, or view the result of the VRF-specific show commands
NetShow
Job Operations You can perform tasks such as viewing job details, creating jobs, editing jobs, copying jobs, retrying failed jobs, stopping jobs, and deleting jobs.
Command Set Operations You can create, edit, or delete user-defined Command Sets. Assigning Command Sets You can assign command sets to network operators. Command Sets You can view the details of an existing Command Set. NetShow Jobs/Show Commands You can run NetShow commands and view NetShow jobs.
Connectivity Tools
You can use the following tools:
Device Center You can launch the troubleshooting page by clicking device IPs. Packet Capture You can capture live data from the Cisco Prime machine to aid in troubleshooting. SNMP Walk You can trace the MIB tree of a device starting from a given OID for troubleshooting, or gathering information about a certain device.
SNMP Set You can set an SNMP object or multiple objects on a device for controlling the device.
Troubleshooting Workflows
You can troubleshoot network problems using the troubleshooting workflows. You can diagnose network connectivity problems, or diagnose devices.
18-34
OL-20721-01
Chapter 18
Understanding Monitoring Tools Tasks

You can use fault and event monitor tools like:

Fault Monitor Configure Inter-VLAN Routing View Link Bandwidth utilization Configure EtherChannel Device Operation Discover Devices View Trunk Attributes Time Domain Reflectometer Report Device Operation Delete Link Spanning Tree Reports Device Operation Delete Devices Topology Services Spanning Tree Configuration Device Operation Change management IP View Data Extraction Engine
Fault Monitor
You can view all the faults in a common place. It collects information of fault in devices in real-time and display the information by a selected group of devices. You can clear or annotate faults. It allows you to own the fault or clear them.
Configure Inter-VLAN Routing
You can configure Inter-VLAN Routing.

View Link Bandwidth utilization
You can view bandwidth utilization across links, in the Topology maps.
Configure EtherChannel
You can configure EtherChannel.

View Devices at Fault and Event Monitor
You can view devices available at Fault and Event Monitor.

Device Operation Discover Devices
You can discover devices for device operation.

View Trunk Attributes
You can view trunk attributes.

Time Domain Reflectometer Report
You can generate the TDR report that detect faults in a cable. TDR checks and locates open circuits, short circuits, sharp bends, crimps, kinks, impedance mismatches, and other such defects.
18-35
Chapter 18 Understanding Inventory Tasks
Device Operation Delete Link
You can remove a link from the Network Topology View.

Spanning Tree Reports
You can generate Spanning Tree reports

Device Operation Delete Devices
You can delete devices.

Topology Services
You can access the LAN Edge, Layer 2, and Unconnected Devices network views of managed domains discovered in your network, and you can filter, access, or view network information or status.
Spanning Tree Configuration
You can configure Spanning Trees on the network.

Device Operation Change management IP
You can set a preferred management address to be used by LMS for devices which can have multiple IP addresses.
View Data Extraction Engine
You can view Data Extraction Engine.
Understanding Inventory Tasks

This section explains the following Inventory task groups:

Understanding Group Management Tasks Understanding Job Browsers Tasks Understanding Device Administration Tasks Understanding Inventory Tools Tasks
Understanding Group Management Tasks

You can create and manage fault groups, IPSLA collectors groups, or ports and modules groups.
Fault groups You can view, create, edit, delete fault groups, or refresh groups. IPSLA Collector You can view, create, edit, delete or refresh IPSLA collector groups.
18-36
OL-20721-01
Chapter 18
Understanding LMS Tasks Understanding Inventory Tasks
Understanding Job Browsers Tasks

You can view, create, edit, stop, retry, or delete device credentials verification jobs. You can also verify device credentials.
Understanding Device Administration Tasks

You can manage devices and auto update the server. This section explains the following Device Administration tasks:

Add / Import / Manage Devices Add Managed Devices Manage Device State Device Allocation Policy
Add / Import / Manage Devices
You can manage devices in DCR. You can:
View Credentials You can view device information for a single device or for multiple devices. Export Devices You can export a list of device and their credentials. View Reports You can generate the following reports:
Unreachable Devices
Displays the list of devices that are unreachable. To generate this report, select Reports > Inventory > Management Status > Unreachable Devices.
Excluded Devices
Displays the list of devices that should not be added in DCR. To generate this report, select Reports > Inventory > Management Status > Excluded Devices.
Imported Device Status
Displays the information about the devices that are imported into DCR. To generate this report, select Reports > Inventory > Management Status > Imported Device Status.
Known Device List
Displays the complete list and information of all devices in the repository. To generate this report, select Reports > Inventory > Management Status > Known Device List.
Device Administration
Displays the complete device list in DCR. To generate this report, select Reports > Audit > Device Administration.
18-37
Chapter 18 Understanding Work Center Tasks
Add Devices You can add devices, device properties or attributes, and device credentials to the DCR. View Devices You can view devices in DCR. Delete Devices You can delete devices from DCR. You can also schedule device polling job and view the Unreachable device report.
Bulk import You can import multiple devices into DCR. You can also view the Imported device report. Edit Devices You can edit device information for a single device or for multiple devices.
Add Managed Devices
You can manually add managed devices without using the Device Allocation Policy.
Manage Device State
You can view the states of the devices.

Device Allocation Policy
You can configure the device management policy for Device Management.
Understanding Inventory Tools Tasks

You can use tools like:
CiscoView Provides real-time views of networked Cisco Systems devices Mini-RMON Provides web-enabled, real-time, remote monitoring (RMON) information to users to facilitate troubleshooting and improve network availability.
Understanding Work Center Tasks

This section explains the following Work Center task groups:

Understanding Smart Install Tasks Understanding Auto Smartports Tasks Understanding Identity Tasks Understanding EnergyWise Tasks
18-38
OL-20721-01
Chapter 18
Understanding LMS Tasks Understanding Work Center Tasks
Understanding Smart Install Tasks

You can configure and manage images using this plug-and-play configuration and image management feature that provides zero-touch deployment for new switches.
Jobs You can view the status, delete, stop or manage Smart Install jobs. Readiness Assessment You can assess the readiness of your network for Smart Install. Getting Started You can provision Smart Install for Day 1 operations. Configure You can configure, and manage the Smart Install director.
Understanding Auto Smartports Tasks

You can configure, apply and manage Auto Smartports macros on the ASP-capable devices
Getting Started You can provision Auto Smartports for day 1 operations. Jobs You can view the status, delete, stop or manage Auto Smartport reports. Configure You can configure, and enable Auto Smartports on selected interfaces. Readiness Assessment You can view Auto Smartports based device details after assessing the network.
Understanding Identity Tasks

You can create authentication, access control, and user policies to secure network resources and connectivity.
Configure You can configure Identity on Identity-capable devices. Jobs You can view the status, delete, stop or manage Identity jobs. Reports You can generate Identity reports. Getting Started You can provision Identity for Day 1 operations. Readiness Assessment You can view Identity-based device details after assess the network.
18-39
Chapter 18 Understanding Work Center Tasks
Understanding EnergyWise Tasks

You can manage and automate the energy management lifecycle of network.
Readiness Assessment You can view EnergyWise-based device details after assessing the network. Jobs You can view the status, delete, stop or manage EnergyWise jobs. Getting Started You can provision EnergyWise for Day 1 operations. Reports You can generate EnergyWise reports like:
Power Usage
You can generate EnergyWise power usage report.

Cost Savings
You can configure EnergyWise cost savings.
EnergyWise portlets You can view EnergyWise portlets like:

EnergyWise Savings Trend Graph EnergyWise Total Savings Graph EnergyWise Power Consumption Graph
Manage Domains/General Settings You can manage the configured EnergyWise domains. You can configure the time to perform EnergyWise device collection, EnergyWise endpoint collection, and EnergyWise compliance check.
Configure You can configure energy management policies on devices and configure endpoints.
Manage Policies
You can manage the EnergyWise policies.

Manage Endpoint Groups
You can create an endpoint group of IP phones.

Configure Attributes on Endpoints
You can configure EnergyWise attributes.
Settings You can configure EnergyWise collection, cost settings, and data purge settings.
Cost Savings
You can configure EnergyWise cost savings.

Purge
You can configure EnergyWise data purge settings.
18-40
OL-20721-01
CH A P T E R
19
Solaris Patches
LMS 4.1 is installed on global zone of Solaris 10 Operating System by default. Installation of LMS 4.1 in whole-root non-global zone in Solaris 10 is supported. The Solaris system requires the following patches to be installed on the server:

The required patches are mandatory for all LMS features to function properly. Some of the LMS features may not work if the mandatory patches are not installed on your system. The recommended patches are optional.
Administration of CiscoWorks LAN Management Solution 4.0 OL-20721-01
19-1
CH A P T E R
20
About Java Plug-ins

The Java Plug-in improves the performance of certain Cisco Prime applications and allows them to use the latest Java runtime functionality. For such applications, this plug-in speeds up caching and application loading. The first time you start an application that uses the plug-in, you are alerted that the plug-in has not been installed and you are prompted to download and install it. The next time you start the application, it automatically uses the plug-in. You need to install the plug-in only once on your Cisco Prime client system. If you change browsers, you need not reinstall the plug-in. If you are using a Windows 2003, Windows Vista, or Windows 2008 client system, you should restart the system after installing the plug-in. If you are using a Solaris client system, you must restart the browser after installing the plug-in.
Related Topic
Installing or Uninstalling the Java Plug-in
Installing or Uninstalling the Java Plug-in

You can improve the performance of some Cisco Prime applications by downloading and installing the Java Plug-in from the server to your client machines. You can install the Java Plug-in two ways:

From the Online help. By accessing an application that uses the Sun Java Runtime Environment (JRE). You must download and install the plug-in when you start such an application for the first time, if the plug-in is not already installed.
The download and installation procedure differs depending upon your client platform and the browser you are using.
Related Topics

About Java Plug-ins Installation of Java Plug-in on Windows Installation of Java Plug-in on Solaris/Soft Appliance
20-1
Chapter 20 Installation of Java Plug-in on Windows
About Java Plug-ins
Installation of Java Plug-in on Windows

You should use the supported Java Plug-in version 1.6.0_24 for accessing Cisco Prime Applications. We recommend that you uninstall other Java Plug-in versions from the client machine.
Note
You will be asked to install Java Plug-in 1.6.0_24, when you invoke applications that use plug-in. For example, Topology Services. The following procedures are for installing and uninstalling the Java Plug-in on Windows XP Service Pack 3, Windows 2003, Windows 2003 R2, Windows 2008, Windows 2008 R2 and Windows 7 when you start Cisco Prime LMS server.
Before You Begin
Make sure you have 20 MB of free disk space for the download and installation.
Installing the Plug-in
To install the Java Plug-in on Windows:

Step 1 Step 2
Click here to download the executable plug-in file. If you are using the Mozilla browser client, in the Save As window, select a location for the jre-6u24-windows-i586-p_withjacorb.exe file and click Save. If you are using Internet Explorer browser client, you can install the plug-in from the server by choosing the Run this program from its current location, or you can save the jre-6u24-windows-i586-p_withjacorb.exe file on your system and then install it.
After the file is saved, select Start > Run. Enter the pathname of the .exe file and click OK. In the License Agreement window, click Yes. In the Set Up Type window, if you want to change the default location where JPI is installed, choose Custom.
a.
Select Typical if you want to install in the default location with default options (this is the recommended option). The Java Plug-in is installed in the default location. Select Custom if you want to customize your options and click Next. In the Choose Destination window, select the location where you want to install the Plug-in. In the Select Browsers window, we recommend that you leave the default options as is and click Next. Installs the Java Plug-in the specified location.
b. c. d.
Step 6
Close the blank browser window, and click the icon in the application window. The application restarts and runs the Java Plug-in. We recommend that you restart the client machine before using the application.
Step 7
To install the plug-in by starting an application that specifies it:

a. b. c.
Start the application. In the application window, click the icon. In the Plug-in Not Loaded window, click Get the plug-in.
20-2
OL-20721-01
Chapter 20
About Java Plug-ins Installation of Java Plug-in on Solaris/Soft Appliance
If you click No, a blank browser window appears. You must restart the application from Cisco Prime if browser client does not have plug-in already installed.
Uninstalling the Plug-in
To uninstall the Java Plug-in:

Select Start > Settings > Control Panel to display the Add/Remove Programs window. Select the plug-in to be uninstalled (for example, Java 2 Runtime Environment, SE v1.4.2_10) and click Add/Remove. Click OK.
Note
Do not uninstall the Java Plug-in if it is required by any of your applications.

Related Topics

Installation of Java Plug-in on Solaris/Soft Appliance

You should use the supported Java Plug-in version 1.6.0_24 for accessing Cisco Prime Applications. We recommend that you uninstall other Java plug-in versions from the client machine. The following procedures are for installing and uninstalling the plug-in on a Solaris/Soft Appliance client:
1. 2.
Download and install the plug-in. Set the environment variables.
Before You Begin

1. 2.
Make sure you have 120 MB in /usr of free disk space for download and installation. Make sure you have the required patches installed on the Solaris/Soft Appliance client machine before proceeding.
Note
You can obtain the patches from your warranty provider, from SunService (if you have a SunSpectrum contract), or from the SunSolve Recommended & Security Patches web site. Some of the J2SE 1.4.2 patches listed may not be on the SunSolve list of recommended product patches. However, you can find the patch download page by using SunSolve site's search facility. Search for the patch ID number, but do not include the two-digit patch version number. Some patches are also part of larger groups of patches available as patch clusters. See the Recommended & Security Patch Clusters SunSolve site. Each cluster has a readme file, accessible from the web site, which lists the patches it contains.
20-3
Chapter 20 Installation of Java Plug-in on Solaris/Soft Appliance
About Java Plug-ins
3.
After installing the patches, reboot your system.
If you are using a Japanese Solaris/Soft Appliance client, make sure that the SUNWjxcft package is installed on that machine. Cisco Prime applications running under the Java plug-in will not work if this package is not installed on the machine.
Installing the Plug-in
To install the Java Plug-in:

Step 1 Step 2
If you have previously installed Java plug-in software, uninstall it and unset the NPX_PLUGIN_PATH, CLASSPATH, and NPX_JRE_PATH environment variables. Click here to download the tar file. The Save As window appears. Click OK and wait for the download to finish. Uncompress the plugin-16024-sparc.tar.gz file to get the tar file (use gunzip utility or any other equivalent utility). Type the following command to extract the plug-in files: #tar -xf filename
Type su to become superuser and enter your password at the prompt. Change to the directory into which the plug-in files were extracted and install the plug-in. To install the plug-in the default base directory (/usr/j2se), enter: #./pam.sh Select option 1. During installation, you can configure Java Plug-in 1.6.0_24 to work with Mozilla 1.7. Source the corresponding file (/jpi.cshrc or /jpi.profile) before restarting your browser to have the correct environment. Restart your Netscape or Mozilla browser and reconnect to the LMS Server. When you start the application, it runs under the Java plug-in. Verify that the installation worked by selecting Help > About Plug-ins on the Netscape or Mozilla browser. If the Java Plug-in does not appear with all the mime-types enabled, close and then re-open the browser.
Step 9
Uninstalling the Plug-in
Do not uninstall the plug-in if it is required by any of your applications. To uninstall the plug-in:
Step 1 Step 2
Type the following command: # ./pam.sh Select option 2. This will uninstall the Java Plug-in.
Related Topics

About Java Plug-ins Installation of Java Plug-in on Windows
20-4
OL-20721-01
Chapter 20
20-5
A P P E N D I X
CLI Tools
This section explains all the CLI utilities that are available for the administrator in LMS 4.1. This section contains:

Setting Up Local Users Through CLI Changing Cisco Prime User Password Through CLI Managing Processes Through CLI Working With Third Party Security Certificates Setting up Browser-Server Security Backing up Data Using CLI Using LMS Server Hostname Change Scripts Using DCR Features Through CLI Using Group Administration Features Through CLI Deleting Stale Groups Using CLI User Tracking Command Line Interface Using Lookup Analyzer Utility Understanding UTLite User Tracking Debugger Utility Configuring Switches to Send MAC Notifications to LMS Server Administration Command Line Interface
A-1
Appendix A Setting Up Local Users Through CLI
CLI Tools
Setting Up Local Users Through CLI

You can set up the local users through CLI. This feature helps you in:

Adding Local Users Importing Local Users
Adding Local Users

You can add bulk local users through CLI. This feature allows you to specify a file that has information about the local users as an input. The input file you use should be a plain text file.
Note
You can use this CLI command for both system and user-defined roles. Each local user information should be represented in the following format in the text file: Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword where,

Username Local username. The local username is case-insensitive. Password Password for the local user account name. You can leave this field blank in the text file and enter the password in the command line when you run the CLI utility. Note that you should enter the password either in the command line or in the input text file. If you mention the password in both the places, the local user will be added with the password specified in the command line. On adding the user by giving password in the command line prompt, default role will be assigned to the user if the role is missing in the input file.
E-mail E-mail address of the local user. This is mandatory if you assign the approver role to the local user. Otherwise, this is optional. Roles Roles to be assigned to the local user. You should assign one or more of the following roles to the user separated by comma.
Help Desk Approver System Administrator Network Administrator Network Operator Super Admin
DeviceUnameDevice login username DevicePasswordDevice login password DeviceEnPassword Device enable password.
The following is an example of local user information to be represented in input text file:
admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes
A-2
OL-20721-01
Appendix A
CLI Tools Setting Up Local Users Through CLI
To add local users through CLI, enter the following commands:

NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -add Filename Password (on Solaris/Soft Appliance) NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -add Filename Password (on Windows) Filename Absolute path of the filename containing local users information. Password Common password for all user accounts specified in the input text file. This command line parameter is optional if you have specified the passwords for local users in the input text file. Note that you should enter the password either in the command line or in the input text file. If you specify this parameter, the local users are added to Cisco Prime only with this password irrespective of the password entries specified in the input text file.
where,

For example, enter the following command to add local users mentioned in the input file localuser.txt with the password admin:
C:\progra~1\CSCOpx\bin\perl C:\progra~1\CSCOpx\bin\AddUserCli.pl -add C:\files\localuser.txt admin
Even if you have entered password for the local users in the localuser.txt file, the local users are added with the password mentioned in the command line.
Importing Local Users

This feature allows you to import local user information to the local server from a remote LMS Server. You can import local users from ACS through CLI. See, Importing Users From ACS for more information. You should have the privileges to import local users from remote LMS Server through CLI. Before you import users from a remote server, you should install the peer certificate of the remote server in the local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate for more information. To import users from a remote server, enter the following commands:

NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -import Protocol Hostname Portnumber Username Password (on Solaris/Soft Appliance) NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import Protocol Hostname Portnumber Username Password (on Windows) Protocol Protocol of the remote LMS Server. The supported values are HTTP or HTTPS. Hostname Hostname or IP Address of the remote LMS Server. Portnumber Port Number of the remote LMS Server. Username Remote LMS Server Login Username. Password Remote LMS Server Login Password.
where,
A-3
Appendix A Changing Cisco Prime User Password Through CLI
CLI Tools
For example, enter the following command to import the local users from the remote LMS Server lmsdocpc: NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin
Importing Users From ACS

To import users from ACS through CLI, enter the following commands:

NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -importFromAcs Filename Password (on Solaris/Soft Appliance) NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -importFromAcs Filename Password (on Windows) Filename Ouput of executing CSUtil.exe. Password ACS password which is the default password assigned to all users.
where,

Changing Cisco Prime User Password Through CLI

You can change the Cisco Prime user password using the Cisco Prime user password recovery utility. To change the user password on Solaris/Soft Appliance:
Step 1 Step 2
Enter /etc/init.d/dmgtd stop to stop the Daemon Manager. Set the LD_LIBRARY_PATH manually. The path is to be set as follows:
setenv LD_LIBRARY_PATH /opt/CSCOpx/MDC/lib:/opt/CSCOpx/lib
This environment variable set is applicable to the current working shell only. Now, you can change the password using the Cisco Prime user password recovery utility.
Step 3
Enter NMSROOT/bin/resetpasswd username at the command prompt. Here NMSROOT refers to the Cisco Prime Installation directory. A message appears:
Enter new password for username:
Step 4 Step 5
Enter the new password. Enter /etc/init.d/dmgtd start to start the Daemon Manager.
A-4
OL-20721-01
Appendix A
CLI Tools Managing Processes Through CLI
To change the user password on Windows:

Step 1 Step 2
Enter net stop crmdmgtd to stop the Daemon Manager. Enter NMSROOT\bin\resetpasswd username at the command prompt. A message appears:
Enter new password for username:
Step 3 Step 4
Enter the new password. Enter net start crmdmgtd to start the Daemon Manager.
Managing Processes Through CLI

You can also manage the Cisco Prime processes through CLI. You can perform the following activities through CLI:

Viewing Process Details Through CLI Viewing Brief Details of Processes Viewing Processes Statistics Starting a Process Stopping a Process
Viewing Process Details Through CLI

The pdshow command displays the details of the specified processes or all processes in the CLI prompt.
To display the details of all processes, enter:

/opt/CSCOpx/bin/pdshow (on Solaris/Soft Appliance) pdshow (on Windows)
To display the details of one or more specified processes, enter:

/opt/CSCOpx/bin/pdshow ProcessName1 ProcessName2 (on Solaris/Soft Appliance) pdshow ProcessName1 ProcessName2 (on Windows)
where ProcessName1 and ProcessName2 are the name of the processes. The command displays the process details of one or more processes. See Viewing Process Details for description of each of these items.

Process Name Process State Process ID Process Return Code Process Signal Number Process Start Time Process Stop Time
A-5
Appendix A Managing Processes Through CLI
CLI Tools
The pdshow command additionally displays the following process details. Process Details Core Description Not applicable means the program is running normally. CORE FILE CREATED means the program is not running normally and the operating system has created a file called core*. The core file stores important data about processes. core* refers to the name of the core file. The core file name contains the executable file name of the program and the process ID. For example, the name of the core file created for the Perl module is:
core.perl.51234
Information
Describes what the process is doing and how it is started. Not applicable means the program is not running normally.
During the startup of Daemon Manager, sometimes the pdshow command may display information message requesting you to wait and enter the command again. This happens particularly when the Daemon Manager is busy in running the tasks one by one in the queue. You must enter the command again to view the process details.
Viewing Brief Details of Processes

The pdshow -brief command displays the brief status of all processes or specified processes in tabular format in the CLI prompt.
To display the brief details of all processes, enter:

/opt/CSCOpx/bin/pdshow -brief (on Solaris/Soft Appliance) pdshow -brief (on Windows)

/opt/CSCOpx/bin/pdshow -brief ProcessName1 ProcessName2 (on Solaris/Soft Appliance) pdshow -brief ProcessName1 ProcessName2 (on Windows)
where ProcessName1 and ProcessName2 are the name of the processes. The command displays the following details in tabular format:

Process Name Process State Process ID
For example, if you enter /opt/CSCOpx/bin/pdshow -brief Tomcat Apache in the command prompt, the following output is displayed:
ProcessStatePid *************** Tomcat Program Started - No mgt msgs received13824 Apache Running normally 13847
A-6
OL-20721-01
Appendix A
CLI Tools Managing Processes Through CLI
Viewing Processes Statistics

The pdshow -stat command displays the statistics of all processes or specified processes in tabular format.
Note
You can enter this command only on Solaris systems.
To display the brief details of all processes, enter:

/opt/CSCOpx/bin/pdshow -stat
(on Solaris/Soft Appliance) ProcessName1 ProcessName2 (on Solaris/Soft Appliance)

/opt/CSCOpx/bin/pdshow -stat
where ProcessName1 and ProcessName2 are the name of the processes. The command displays the following details in tabular format in the command line. Process Details Pid %CPU RSS VSZ %MEM NLWP Process Description Process ID CPU usage of a process at a particular time expressed in terms of percentage Resident set size displayed in terms of KB Virtual memory size of process displayed in terms of KB Ratio of resident set size and physical memory expressed in terms of percentage Number of light weight processes of the specified process Name of the process
Starting a Process
You must enter the following commands to start a process through CLI:

/opt/CSCOpx/bin/pdexec pdexec
ProcessName (on Solaris/Soft Appliance)
ProcessName (on Windows)
The dependent processes are started first before the specified process is started. If the process is being restarted after a shutdown, any dependent processes registered with the Daemon Manager is not automatically restarted. Dependent processes are automatically restarted only when the Daemon Manager itself is restarted.
Stopping a Process
You must enter the following commands to stop a process through CLI:

/opt/CSCOpx/bin/pdterm pdterm
ProcessName (on Solaris/Soft Appliance)
ProcessName (on Windows)
The dependent processes are also shut down using this CLI command.
A-7
Appendix A Working With Third Party Security Certificates
CLI Tools
Working With Third Party Security Certificates

Cisco Prime provides an option to use security certificates issued by third party certificate authorities (CAs). You may want to use this option in cases where your organizational policy prevents you from using Cisco Prime self-signed certificates or requires you to use security certificates obtained from a particular CA. You can use these certificates to enable SSL when you need secure access between LMS Server and your client browser. You can do the following:

Uploading Third Party Security Certificates to LMS Server Using the SSL Utility Script to Upload Third Party Security Certificates
Uploading Third Party Security Certificates to LMS Server

You can upload Third Party Security Certificates using the SSL Utility Script. This utility is available at:

NMSROOT\MDC\Apache (On Windows) NMSROOT/MDC/Apache/bin (On Solaris/Soft Appliance)
This utility has the following options: Number Option 1 Display LMS Server certificate information What it Does...
Displays the Certificate details of the LMS Server. For third party issued certificates, this option displays the details of the server certificate, the intermediate certificates, if any, and the Root CA certificate.
Verifies if the certificate is valid. Verifies whether the certificate is in encoded X.509 certificate format. Displays the subject of the certificate and the details of the issuing certificate. Verifies whether the certificate is valid on the server.
Display the input certificate information
This option accepts a certificate as an input and:

Display Root CA Generates a list of all Root CA Certificates. certificates trusted by LMS Server
A-8
OL-20721-01
Appendix A
CLI Tools Working With Third Party Security Certificates
Number Option 4 Verify the input certificate or certificate chain
What it Does... (continued) Verifies whether the server certificate issued by third party CAs, can be uploaded. When you choose this option, the utility:

Verifies if the certificate is in Base64 Encoded X.509Certificate format. Verifies if the certificate is valid on the server Verifies if the server private key and input server certificate match. Verifies if the server certificate can be traced to the required Root CA certificate using which it was signed. Constructs the certificate chain, if the intermediate chains are also given, and verifies if the chain ends with the proper Root CA certificate.
After the verification is successfully completed, you are prompted to upload the certificates to LMS Server. The utility displays an error:

If the input certificates are not in required format If the certificate date is not valid or if the certificate has already expired. If the server certificate could not be verified or traced to a root CA certificate. If any of the intermediate Certificates were not given as input. If the server private key is missing or if the server certificate that is being uploaded could not be verified with the server private key.
You must contact the CA who issued the certificates to correct these problems before you upload the certificates to Cisco Prime.
A-9
CLI Tools
Number Option 5 Upload single server certificate to LMS Server
What it Does... (continued) You must verify the certificates using option 4 before you select this option. Select this option, only if there are no intermediate certificates and there is only the server certificate signed by a prominent Root CA certificate. If the Root CA is not one trusted by Cisco Prime, do not select this option. In such cases, you must obtain a Root CA certificate used for signing the certificate from the CA and upload both the certificates using option 6. When you select this option, and provide the location of the certificate, the utility:

Verifies whether the certificate is in Base64 Encoded X.509 certificate format. Displays the subject of the certificate and the details of the issuing certificate. Verifies whether the certificate is valid on the server. Verifies whether the server private key and input server certificate match. Verifies whether the server certificate can be traced to the required Root CA certificate that was used for signing.
After the verification is successfully completed, the utility uploads the certificate to LMS Server. The utility displays an error:

If the input certificates are not in required format If the certificate date is not valid or if the certificate has already expired. If the server certificate could not be verified or traced to a root CA certificate. If the server private key is missing or if the server certificate that is being uploaded could not be verified with the server private key.
You must contact the CA who issued the certificates to correct these problems before you upload the certificates in Cisco Prime again.
A-10
OL-20721-01
Appendix A
CLI Tools Working With Third Party Security Certificates
Number Option 6 Upload a certificate chain to LMS Server
What it Does... (continued) You must verify the certificates using option 4 before you select this option. Select this option, if you are uploading a certificate chain. If you are also uploading the root CA certificate also, you must include it as one of the certificates in the chain. When you select this option and provide the location of the certificates, the utility:

Verifies whether the certificate is in Base64 Encoded X.509 Certificate format. Displays the subject of the certificate and the details of the issuing certificate. Verifies whether the certificate is valid on the server Verifies whether server private key and the server certificate match. Verifies whether the server certificate can be traced to the root CA certificate that was used for signing. Constructs the certificate chain, if intermediate chains are given and verifies if the chain ends with the proper root CA certificate.
After the verification is successfully completed, the server certificate is uploaded to LMS Server. All the intermediate certificates and the Root CA certificate are uploaded and copied to the Cisco Prime TrustStore. The utility displays an error:

If the input certificates are not in required format. If the certificate date is not valid or if the certificate has already expired. If the server certificate could not be verified or traced to a root CA certificate. If any of the intermediate certificates were not given as input. If the server private key is missing or if the server certificate that is being uploaded could not be verified with the server private key.
You must contact the CA who issued the certificates to correct these problems before you upload the certificates in Cisco Prime again. 7 Modify Certificate This option allows you to modify the Host Name entry in the LMS Certificate. You can enter an alternate Hostname if you wish to change the existing Host Name entry.
A-11
CLI Tools
Using the SSL Utility Script to Upload Third Party Security Certificates
To upload the certificates:
Step 1
Stop the Daemon Manager from the Cisco Prime CLI: On Windows:
Enter net stop crmdmgtd Enter /etc/init.d/dmgtd stop
Step 2
Navigate to the directory where the SSL Utility script is located. On Windows:
a. b.
Go to NMSROOT\MDC\Apache Enter NMSROOT\bin\perl SSLUtil.pl Go to NMSROOT/MDC/Apache/bin Enter NMSROOT/bin/perl SSLUtil.pl
a. b. Step 3 Step 4
Select option 4, Verify the input Certificate or Certificate Chain. Enter the location of the certificates (server certificate and intermediate certificate). The script verifies if the server certificate is valid. After the verification is complete, the utility displays the options. If the script reports errors during validation and verification, the SSL Utility displays instructions to correct these errors. Follow the instructions to correct those errors and then try to upload the certificates.
Step 5
Select option 5, if you have only one certificate to upload, that is if you have a server certificate signed by a Root CA certificate. Or Select option 6, if you have a certificate chain to upload, that is if you have a server certificate and intermediate certificates. Cisco Prime does not allow you to proceed with the upload if you have not stopped the Cisco Prime Daemon Manager. The utility displays a warning message if there are hostname mismatches detected in the server certificate being uploaded, but you can continue to upload the certificate.
Step 6
Enter the following required details:

Location of the certificate Location of intermediate certificates, if any.
SSL Utility uploads the certificates, if all the details are correct and the certificates meet Cisco Prime requirements for security certificates.
Step 7
Restart the Daemon Manager for the new security certificate to take effect. Enable SSL to establish a secured connection between LMS Server and your client browser, if you have not enabled already.
A-12
OL-20721-01
Appendix A
CLI Tools Setting up Browser-Server Security
Setting up Browser-Server Security


Enabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms Enabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms Disabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms Disabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms
Enabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms
To enable Browser-Server Security from CLI:
Go to the command prompt. Navigate to the directory NMSROOT\MDC\Apache. Enter NMSROOT\bin\perl ConfigSSL.pl -enable Press Enter.

If you have the required security certificates available on the server, Cisco Prime enables SSL. If you do not have the security certificates on the server, Cisco Prime prompts you to create your own self-signed certificate and enter the details required to create a self-signed certificate.
Step 5
Create a self-signed certificate or use certificates you obtained from a Certification Authority (CA). The LMS Server creates the security certificate. You can use this certificate to enable SSL in the LMS Server from your client browser.
Step 6 Step 7
Log out from your Cisco Prime session, and close all browser sessions. Restart the Daemon Manager from the LMS Server CLI:
a. b.
Enter net stop crmdmgtd Enter net start crmdmgtd
Step 8

If you do not make the above changes, LMS Server will automatically redirect you to HTTPS mode with port number 443. The port numbers mentioned above are applicable for LMS Server running on Windows.
A-13
Appendix A Setting up Browser-Server Security
CLI Tools
Enabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms
To enable Browser-Server Security from CLI:
Go to the command prompt. Navigate to the directory NMSROOT\MDC\Apache\bin. Enter ./ConfigSSL.pl -enable Press Enter.

If you have the required security certificates available on the server, Cisco Prime enables SSL. If you do not have the security certificates on the server, Cisco Prime prompts you to create your own self-signed certificate and enter the details required to create a self-signed certificate.
Step 5
Create a self-signed certificate or use certificates you obtained from a Certification Authority (CA). The LMS Server creates the security certificate. You can use this certificate to enable SSL in the LMS Server from your client browser.
Step 6 Step 7
a. b.
Enter /etc/init.d/dmgtd stop Enter /etc/init.d/dmgtd start
Step 8

If your LMS Server is integrated with any Network Management Station (NMS) in your network using the integration utility (NMIM), you must perform the integration every time you enable or disable SSL in the LMS Server. This is required to update the application registration in NMS. For more information, see the Integration Utility Online Help.
Disabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms
To disable Browser-Server Security from CLI:
Go to the command prompt. Navigate to the directory NMSROOT\MDC\Apache. Enter NMSROOT\bin\perl ConfigSSL.pl -disable Press Enter.
A-14
OL-20721-01
Appendix A
CLI Tools Setting up Browser-Server Security
Step 5 Step 6
a. b.
Enter net stop crmdmgtd Enter net start crmdmgtd
Step 7

The port numbers mentioned above are applicable for LMS Server running on Windows.
Disabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms
To disable Browser-Server Security from CLI:
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6
Go to the command prompt. Navigate to the directory NMSROOT\MDC\Apache\bin. Enter ./ConfigSSL.pl -disable Press Enter. Log out from your Cisco Prime session, and close all browser sessions. Restart the Daemon Manager from the LMS Server CLI:
a. b.
Enter /etc/init.d/dmgtd stop Enter /etc/init.d/dmgtd start
Step 7

If your LMS Server is integrated with any Network Management Station (NMS) in your network using the Integration Utility (NMIM), you must perform the integration every time you enable or disable SSL in the LMS Server. This is required to update the application registration in NMS. For more information, see Integration Utility Online Help.
A-15
Appendix A Backing up Data Using CLI
CLI Tools
Backing up Data Using CLI

To back up data using CLI on Windows and Solaris/Soft Appliance: On Windows, run: NMSROOT\bin\perl NMSROOT\bin\backup.pl BackupDirectory [LogFile] [Num_Generations] On Solaris/Soft Appliance, run: /opt/CSCOpx/bin/perl /opt/CSCOpx/bin/backup.pl BackupDirectory [LogFile] [Num_Generations] where,

BackupDirectoryDirectory that you want to be your backup directory. This is mandatory. LogFile Log file name that contains the details of the backup Num_GenerationsMaximum backup generations to be kept in the backup directory.
To back up only selective data using CLI on Windows and Solaris/Soft Appliance: On Windows, run: NMSROOT\bin\perl NMSROOT\bin\backup.pl -dest=BackupDirectory -system [-log=LogFile] -gen=Num_Generations] On Solaris/Soft Appliance, run: /opt/CSCOpx/bin/perl /opt/CSCOpx/bin/backup.pl -dest=BackupDirectory -system [-log=LogFile] [-gen=Num_Generations] where,

-dest=BackupDirectoryDirectory -systemCommand -log=LogFile
where the backed up data to be stored. This is mandatory.
line option that allows you to back up only the selected system configurations from all applications instead of backing up the complete databases. This is mandatory. Log file name that contains the details of the backup. backup generations to be retained in the backup directory.
-gen=Num_GenerationsMaximum
Using LMS Server Hostname Change Scripts

When you change the hostname of the LMS Server, you need to change the hostname related entries in the Cisco Prime directories and files, registry entries, and databases. LMS provides a CLI utility to update the new hostname information in the LMS related directories and files, registry entries, and databases, after you have changed your hostname. You can use the hostnamechange.pl script to update the hostname changes in all files, database entries and registry entries.
Caution
Make sure that you run this command after you have changed your hostname and the appropriate entries specific to the operating system are updated.
A-16
OL-20721-01
Appendix A
CLI Tools Using LMS Server Hostname Change Scripts
Prerequisites
Before running the hostname change script, you should do the following:
Step 1
Update the hostname entries specific to operating system in your machine. On Solaris:

/etc/hosts - Modify loghost to the new hostname. /etc/hostname.hm0 or the appropriate interface file - Modify the file to the new hostname. /etc/nodename or the appropriate interface file - Modify nodename to the new hostname. For Solaris/Soft Appliance, the sys-unconfig command erases the hostname and IP addresses pertaining to the Solaris/Soft Appliance system (not the LMS or SMS software) and guides you through the server-renaming process. You can also do this when you change the hostname in the hosts, hostname.hme0, and nodename files in the /etc directory.
On Soft Appliance: To change the hostname in Soft Appliance operating system:

a. b. c. d. e.
Login to vSphere client. Select the server where you want to Run hostnamechange.pl. Login to the selected server as system admin. Stop the daemons before changing the hostname in CARS CLI, by runing the command /etc/init.d/dmgtd stop in shell mode. Enter config terminal in the console. Config prompt appears. Enter hostname <new host name> Exit from the configure prompt. Enter write memory.
f. g.
On Windows: To change the hostname in Windows operating system:

a.
Right-click the My Computer icon from the desktop and click System Properties. Or Click Start > Settings > Control Panel > System. The System Properties dialog box opens. Click the Computer Name tab. Click Change... on the Windows 2008 machine to open the Computer Name Changes dialog box. Enter the new hostname in the Computer Name field. Click OK to go back to System Properties dialog box. Click Apply to apply the changes.
b. c. d. e. f. Step 2
Restart the machine. You must restart the machine when you:
Update the operating system specific hostname entries. (on Solaris/Soft Appliance)
Step 3
Stop the Daemon Manager by entering the following commands:
A-17
Appendix A Using LMS Server Hostname Change Scripts
CLI Tools
Step 4 Step 5
net stop crmdmgtd
(on Windows)
Run the hostname script without command line options. See Running the Hostname Change Script for more information. Start the Daemon Manager by entering the following commands:

/etc/init.d/dmgtd start net start crmdmgtd
(on Solaris/Soft Appliance)
(on Windows)
A-18
OL-20721-01
Appendix A
CLI Tools Using LMS Server Hostname Change Scripts
Running the Hostname Change Script

You can either:
Run the hostname change script without specifying any command line options After you have restarted your system, ensure that you stop the Daemon Manager and then enter the following command to run the hostname change CLI utility.
NMSROOT\bin\perl NMSROOT\bin\hostnamechange.pl (on Windows) NMSROOT/bin/perl NMSROOT/bin/hostnamechange.pl (on Solaris/Soft Appliance)
Or
Run the hostname change script with command line options Use this option to change the hostname only if the previous attempt of running this script had failed and the hostname changes were unsuccessful. You need not restart your machine to run the hostnamechange.pl CLI utility with command line options Enter the following command to run the hostnamechange.pl CLI utility:
NMSROOT\bin\perl NMSROOT\bin\hostnamechange.pl -ohost Old_ Hostname -nhost
New_Hostname -domain Domain (on Windows)

NMSROOT/bin/perl NMSROOT/bin/hostnamechange.pl -ohost Old_Hostname -nhost
New_Hostname -domain Domain (on Solaris/Soft Appliance) where, Old_ Hostname Old Hostname of the LMS Server New_Hostname New Hostname of the LMS Server Domain Domain name of the LMS Server. Entering domain name is optional. The hostnamechange.pl script performs the following:
1.
Updates the new hostname of LMS Server in the following files:

/opt/CSCOpx/lib/classpath/md.properties (on Solaris/Soft Appliance) /var/sadm/pkg/CSCOmd/pkginfo (on Solaris) NMSROOT\lib\classpath\md.properties (on Windows)
2.
Changes ASName to the new hostname of LMS Server in the following files:
/opt/CSCOpx/lib/classpath/sso.properties (on Solaris/Soft Appliance) NMSROOT\lib\classpath\sso.properties (on Windows)
3.
Updates the hostname in the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Resource Manager\CurrentVersion\Environment The CLI utility looks for all the instances of hostname under these registry entries, and replaces them with the new hostname.
4. 5.
Changes the hostname in regdaemon.xml (NMSROOT/MDC/etc/regdaemon.xml). Changes the hostname in web.xml (NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml).
A-19
Appendix A Using LMS Server Hostname Change Scripts
CLI Tools
6.
Creates a file NMSROOT/conf/cmic/changehostname.info, with the information on the updated hostname in the format: OldhostName:NewhostName OldhostNamePrevious hostname as registered with CCR(regdaemon.xml) NewhostNameCurrent hostname as registered with CCR(regdaemon.xml) The entries for hostname in regdaemon.xml and changehostname.info should be identical. The changehostname.info file resides in the LMS Server until you restart the Daemon Manager. This file will not be available in LMS Server after the Daemon Manager is restarted.
7.
Deletes NS_Ref file on the following directories:

NMSROOT\lib\csorb (on Windows) /opt/CSCOpx/lib/csorb (on Solaris/Soft Appliance)
The NS_Ref file is restored in LMS Server after the Daemon Manager is restarted.
8. 9.
Starts the LMS 4.1 database and updates the database table entries with the new hostname. After updating the database table entries, it stops the LMS 4.1 database. Detects and displays the details of the certificate in the LMS Server.
If the certificate is a third party certificate, you should regenerate your certificate with the new
hostname. Or
If the certificate is a self-signed certificate, the script allows you to regenerate the certificate.
You can enter y to re-generate the certificate with the new hostname or n to re-generate the certificate later. See Creating Self Signed Certificates for details. After you have completed running the script, ensure that you:
Start the Daemon Manager by entering the following commands:

/etc/init.d/dmgtd start (on Solaris/Soft Appliance) net start crmdmgtd (on Windows)
Redo the integration, if you have integrated any third party network management application to Cisco Prime, using Integration Utility. Re-import the certificates and redo the Multi-Server setup if the machine is part of a Multi-Server setup. For example, if you are changing the hostname of a machine that is configured as a Slave, then it needs to reregister with the Master. If you are changing the hostname of a machine that is configured as a Master, then all its Slaves need to be updated with the new Master hostname.
If the hostname of the machine changes, the stability of the system is not guaranteed and it fails in some cases.
A-20
OL-20721-01
Appendix A
CLI Tools Using DCR Features Through CLI
Using DCR Features Through CLI

Using Command Line Interface, you can add, delete, and modify devices, and change the DCR modes. You can also view the list of attributes that can be stored in DCR, and view the current DCR mode. The dcrcli provided with LMS helps you perform these tasks using CLI. The Display Name and the Host Name/Domain Name combination must be unique for each device in DCR. A device will be considered duplicate if:

The Display Name of a device is the same as that of any other device The Host Name/Domain Name combination of a device is the same as that of any other device Auto Update Device ID is the same as that of any other device (in case of AUS managed device) Cluster and Member Number, together is same as that of any other device (in case of Cluster managed device)
dcrcli operates in both the Shell and Batch modes. The Shell mode is interactive whereas the Batch mode runs the specified command and exits to the prompt after the command is run. You can set DCRCLIFILE environment to point to the file where LMS password is present. If you set DCRCLIFILE variable, password will not be asked when you run dcrcli in shell or batch mode. The password file should contain an entry in the format username password. Make sure that there is only one blank space between the username and the password in the password file. For example, if admin is the username and the password for the Cisco Prime user, the password file must contain the following entry:
admin admin
This section has the following:

Viewing the Current DCR Mode Using CLI Viewing Device Details Changing DCR Mode Using CLI
Viewing the Current DCR Mode Using CLI

To view the current DCR mode in Shell mode:
Enter NMSROOT/bin/dcrcli -u username. Enter the password corresponding to the username. Enter lsmode It lists the DCR ID, the DCR Group ID, the current DCR mode, and the associated Master and Slaves.
To view the current DCR mode in Batch mode:

Step 1 Step 2
Go to NMSROOT/bin Enter dcrcli -u Username cmd=lsmode
A-21
Appendix A Using DCR Features Through CLI
CLI Tools
Viewing Device Details

To view device details using dcrcli in Shell mode:
Enter NMSROOT/bin/dcrcli -u username. Enter the password corresponding to the username. Enter details id=DeviceID This lists all the details about the device with the ID you have specified. For example,
detail id=54341
lists the details for the device with device ID 54341.
To view device details using dcrcli in Batch mode:

Step 1 Step 2
Go to NMSROOT/bin Enter dcrcli -u Username cmd=detail id=DeviceID
Changing DCR Mode Using CLI

To change mode to Master in Shell mode:
Enter NMSROOT/bin/dcrcli -u username. Enter the password corresponding to the username Enter setmaster The DCR mode gets changed to Master.
To change mode to Master in Batch mode:

Step 1 Step 2
Go to NMSROOT/bin Enter dcrcli -u Username cmd=setmaster
To change mode to Standalone in Shell mode:

Enter NMSROOT/bin/dcrcli -u username. Enter the password corresponding to the username Enter setstand The DCR mode gets changed to Standalone.
A-22
OL-20721-01
Appendix A
CLI Tools Using Group Administration Features Through CLI
To change mode to Standalone in Batch mode:

Step 1 Step 2
Go to NMSROOT/bin Enter dcrcli -u Username cmd=setstand
To change mode to Slave in Shell mode:

Enter NMSROOT/bin/dcrcli -u username. Enter the password corresponding to the username Enter setslave master=value You have to specify the Master for this slave. The DCR mode gets changed to Slave. For example,
setslave master=1.2.1.3 port=443
To change mode to Slave in Batch mode:

Step 1 Step 2
Go to NMSROOT/bin Enter dcrcli -u Username cmd=setslave master=value
Using Group Administration Features Through CLI

You can use OGSCli command line utility to:

Export Groups to an output XML file Import Groups to Grouping Server from an input XML file
You should have Network Administrator, System Administrator, or Super Admin privileges to use OGSCli command line utility. OGSCli runs in only Batch mode. It runs the specified command and exits to the prompt after the command is run. This section explains:

Exporting Groups Through CLI Importing Groups Through CLI
A-23
Appendix A Using Group Administration Features Through CLI
CLI Tools
Exporting Groups Through CLI

To export groups through CLI:
Step 1 Step 2
Go to the command prompt. Enter either one of the following:
NMSROOT/bin/OGSCli.sh -u CiscoWorks_Username (on Solaris/Soft Appliance)
Or
NMSROOT\bin\OGSCli -u CiscoWorks_Username (on Windows)
where, NMSROOT is the directory where you have installed CiscoWorks. CiscoWorks_Username is the login username of a CiscoWorks user. For example, you can enter /opt/CSCOpx/bin/OGSCli.sh -u admin on Solaris/Soft Appliance systems. The system prompts you to enter your Cisco Prime password.
Step 3
Enter your Cisco Prime password. The system prompts you to enter a task name, import or export. The default task is export. Enter export. The system prompts you to enter an output file name. Enter a file name for export output file with its absolute path name. If you do not enter file name with its absolute path name, the export file will be stored on \nmsroot\bin. A warning message appears indicating that the selected file will be overwritten with the new information on exported groups. The system uses the file name that you have entered to generate the output XML file irrespective of whether the file exists on the server. You should have the required directory-level permissions where you want to save the output XML file. You must either enter y to continue or n to exit. The system prompts you to enter an export group hierarchy. Enter All or the export group hierarchy name. Default value is All. For example, you can enter the group hierarchy name as /CS@doc-pc2/User Defined Groups/Group1. The system generates an export format XML file and stores on the specified directory on the server.
Step 4
Step 5
Step 6
A-24
OL-20721-01
Appendix A
CLI Tools Using Group Administration Features Through CLI
Importing Groups Through CLI

To import groups through CLI:
Step 1 Step 2
Go to the command prompt. Enter either one of the following:
NMSROOT/bin/OGSCli.sh -u CiscoWorks_Username (on Solaris/Soft Appliance)
Or
NMSROOT\bin\OGSCli -u CiscoWorks_Username (on Windows)
where, NMSROOT is the directory where you have installed CiscoWorks. CiscoWorks_Username is the login username of a CiscoWorks user. For example, you can enter /opt/CSCOpx/bin/OGSCli.sh -u admin on Solaris/Soft Appliance systems. The system prompts you to enter your Cisco Prime password.
Step 3
Enter your Cisco Prime password. The system prompts you to enter a task name, import or export. The default task is export. Enter import. The system prompts you to enter the input XML filename. Enter the input XML filename with its absolute path name. The system lists the groups to be imported from the source XML file. Enter your choices using the item numbers displayed for the listed groups. You can enter one or more item numbers separated by comma. The system lists the Grouping Server locations where you can import the groups. Enter your choices using the item numbers displayed for the listed Grouping Servers. You can enter one or more item numbers separated by comma. You must enter 1 to import the selected groups to all listed servers. A message appears indicating whether the import of groups is successful. See Exporting Groups for the possible causes for the import groups job to fail.
Step 4
Step 5
Step 6
Step 7
A-25
Appendix A Deleting Stale Groups Using CLI
CLI Tools
Deleting Stale Groups Using CLI

You can delete groups that belonged to users removed from Cisco Prime. To delete a stale group, you must run the DeleteStaleGroups utility. To run the DeleteStaleGroups utility: On Windows:
Step 1 Step 2
Enter NMSROOT\bin Enter DeleteStaleGroups -user username -pfile passwordfile -staleuser StaleUser
Step 1 Step 2
Enter NMSROOT/bin Enter DeleteStaleGroups.sh -user username -pfile passwordfile -staleuser StaleUser
The explanation for these optional entries are as follows:

-user:
Current user who has the necessary privileges to delete groups. Absolute Path of the text file with Cisco Prime login password of the current user, in one line. The user whose group has to be deleted.
-pfile:
-staleuser:
If you run the DeleteStaleGroups utility without specifying any of these optional entries, all the stale groups will be deleted.
User Tracking Command Line Interface

You can run User Tracking commands from the command line in Solaris/Soft Appliance and Windows 2000. Enter ut -cli options -u username -p password. The options can be one or more of those shown in Table A-1.

Use the -prompt command if you do not want to enter your password from the command line. Using -prompt prevents other users from running ps and seeing your password. The -host option is required when you run the CLI command on a remote LMS Server.
A-26
OL-20721-01
Appendix A
CLI Tools User Tracking Command Line Interface
Table A-1
User Tracking CLI Commands
Option
-prompt
Arguments No keywords or arguments.
Function This command is required if you do not enter your password from the command line. If -prompt is specified, User Tracking prompts you to enter your password.
-help
No keywords or arguments. {enable | disable}
Prints the command line usage. Enables the Ping Sweep option so that the ANI Server pings every IP address on known subnets before discovery. The default is the last setting used. User Tracking does not perform Ping Sweep on large subnets, for example, subnets containing Class A and B addresses. Hence, ARP cache might not have some IP addresses and User Tracking may not display the IP addresses. In larger subnets, the ping process leads to numerous ping responses that might increase the traffic on your network and result in extensive use of network resources. To perform Ping Sweep on larger subnets, you can:
-ping
Configure a higher value for the ARP cache time-out on the routers. To configure the value, you must use the
arp time-out interface configuration
command on devices running Cisco IOS.
Use any external software, which will enable you to ping the host IP addresses. This ensures that when you run User Tracking Acquisition, the ARP cache of the router contains the IP addresses.
-performMajorAcquisition
No keywords or arguments.
Acquires data about all users and hosts on the network and updates the LMS database. This option starts an acquisition but does not wait for it to complete.
A-27
Appendix A User Tracking Command Line Interface
CLI Tools
Table A-1
User Tracking CLI Commands (continued)
Option
-query
Arguments
Function
This option takes one of Queries the Topology and Layer 2 services module the following database and updates the User Tracking table. arguments: all name dupMAC dupIP hub Gets all User Tracking entries. Similar to All Host Entries or a simple query in the GUI. Runs the named advanced or simple query, created earlier in the GUI. Finds duplicate MAC addresses. Finds duplicate IP addresses. Finds ports with multiple MAC addresses (hubs). Gets all IP Phone entries. Runs the named advanced query, created earlier in the GUI. Uses the specified main table layout while performing a query to fetch User Tracking display entries. Uses the specified IP phone table layout while performing a query to fetch IP phone display entries.
-queryPhone
all name
-layout
layout_name layout_name
-layoutPhone
-host
ANI Server device name Specifies the host name or IP address of the LMS or IP Address Server. Use this argument when you need to run the CLI command on a remote LMS Server.
-port
ANI Server web port number filename
Specifies the web server port number of the ANI Server. The default is 1741. Exports data to a text file. You must first specify the -query option to fetch the data that you want to export.
-export
-import
filename filename
Imports lost or deleted UserName and Notes fields from the last exported file. Imports MACs and converts them to OUI and adds the MACs to the Acceptable OUI List. For example:
cd NMSROOT/bin ut -cli -importMACToAcceptableOUI filename -u username -p password
-importMACToAcceptableOUI
-stat
No keywords or arguments. No keywords or arguments.
Displays statistical information, such as time of last acquisition, acquisition status, number of records in the User Tracking database, and so on. Enables trace and debug messages for the User Tracking client application.
-debug
A-28
OL-20721-01
Appendix A
CLI Tools User Tracking Command Line Interface
Table A-1
User Tracking CLI Commands (continued)
Option
-wireless
Arguments No keywords or arguments.
Function Displays detailed information on Wireless clients connected to the network. If you enter this option along with the export option, data can be exported to a text file. For example:
NMSROOT/campus/bin ut -cli -wireless -export c:/sample -u username -p password
-switchPortCapacity -switchPortreclaimreport -switchPortSummary
For complete details on this, see Exporting Switch Port Usage Report. For complete details on this, see Exporting Switch Port Usage Report For complete details on this, see Exporting Switch Port Usage Report
For details on Lookup Analyzer Script, see Using Lookup Analyzer Utility
A-29
Appendix A User Tracking Command Line Interface
CLI Tools
Exporting Switch Port Usage Report

Switch Port Capacity report lists switches whose utilization percentage falls in the specified range. Switch Port Reclaim reports lists:
Ports that are administratively up or down and Ports that were previously connected to an endhost or a device but are unconnected at least for a period of one day.
Switch port usage reports can be generated from the command prompt as given in Table A-2:
Table A-2 Switch Port Reports from the Command Prompt
Purpose Switch Port Capacity Report To generate reports where the utilization is less than the specified percentage (for all devices managed by LMS) To generate reports where the utilization is less than the specified percentage (for specific devices) To generate reports where the utilization is greater than the specified percentage (for all devices managed by LMS) To generate reports where the utilization is greater than the specified percentage (for specific devices)
Command NMSROOT/campus/bin ut -cli

-switchPortCapacity lessthan -export
60 -devices all c:/sample -u username -p password
NMSROOT/campus/bin ut -cli 60 -devices 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u username -p password

-switchPortCapacity lessthan
NMSROOT/campus/bin ut -cli
-switchPortCapacity greaterthan -export
60 -devices all c:/sample -u username -p password
NMSROOT/campus/bin ut -cli
-switchPortCapacity greaterthan 60 -devices 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u username -p password
To generate reports where the utilization falls NMSROOT/campus/bin ut -cli between the specified range (for all devices -switchPortCapacity between 10 60 -devices all managed by LMS) -export c:/sample -u username -p password To generate reports where the utilization falls NMSROOT/campus/bin ut -cli between the specified range (for specific -switchPortCapacity between 10 60 -devices devices) 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u username -p password
A-30
OL-20721-01
Appendix A
CLI Tools Using Lookup Analyzer Utility
Table A-2
Switch Port Reports from the Command Prompt
Purpose Switch Port Reclaim Report
Command Generates reports for unused ports that are in up or down state.
To generate Reclaim Unused Up Ports report NMSROOT/campus/bin ut -cli (for all devices managed by LMS) -switchPortReclaimReport type up days 2 -devices all -export c:/sample -u username -p password To generate Reclaim Unused Up Ports report NMSROOT/campus/bin ut -cli (for specific devices) -switchPortReclaimReport type up days 2 -devices 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password To generate Reclaim Unused Down Ports report (for all devices managed by LMS) NMSROOT/campus/bin ut -cli
-switchPortReclaimReport type down days -devices all -export
2 c:/sample -u username -p
password To generate Reclaim Unused Down Ports report (for specific devices) NMSROOT/campus/bin ut -cli 2 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password
-switchPortReclaimReport type down days -devices
Switch Port Summary Report To generate Switch Port Summary report for all devices To generate Switch Port Summary report for select devices
Generates reports that gives the number of Connected, Free, and Free down ports in each switch. NMSROOT/campus/bin ut -cli
-switchPortSummary -devices all -export
c:/sample -u username -p password NMSROOT/campus/bin ut -cli -switchPortSummary -devices 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password
Note
The above commands can be run in a Solaris/Soft Appliance machine. To run the same commands in Windows, replace all forward slash (/) with reverse slash (\). The report generated by the above options is saved as a file in the CSV format, at the specified location. You can generate various Switch Port Usage reports, select Reports > Switch Port.
Using Lookup Analyzer Utility

Lookup Analyzer is a utility used to analyze the performance of DNS servers and provide the following information:

DNS Server Efficiency for each DNS Server Overall Summary of DNS Servers
A-31
Appendix A Using Lookup Analyzer Utility
CLI Tools
Namelookup related settings in ut.properties file Issues found and recommendations to overcome them
For Solaris/Soft Appliance: The utility file is NMSROOT/campus/bin/LookupAnalyzer.sh If dir is the directory where the file is present, run the following command to run the utility: dir# ./LookupAnalyzer For Windows: The utility file is NMSROOT\campus\bin\LookupAnalyzer.bat If dir is the directory where the file is present, run the following command to run the utility: dir> LookupAnalyzer Example output of the Lookup Analyzer script:
Host IP: 172.20.123.74, DNS Server: 64.104.76.247, Time taken: 35, Status: FAILURE Host IP: 172.20.123.74, DNS Server: WINS, Time taken: 22, Status: FAILURE Host IP: 10.77.209.254, DNS Server: 64.104.128.248, Time taken: 18, Status: FAILURE .. .. DNS Server : 64.104.128.248 Success Count: 12 Failure Count: 76 Failure % : 86 % Total Time : 1 secs 561 ms Min Time : 0 ms Max Time : 52 ms Avg Time : 17 ms Server Efficiency(successCount/totalTime): 7.0 -------------------------------DNS Server : 64.104.76.247 Success Count: 0 Failure Count: 76 Failure % : 100 % Total Time : 2 secs 729 ms Min Time : 0 ms Max Time : 61 ms Avg Time : 35 ms Server Efficiency(successCount/totalTime): 0.0 -------------------------------DNS Server : WINS Success Count: 0 Failure Count: 76 Failure % : 100 % Total Time : 750 ms Min Time : 0 ms Max Time : 23 ms Avg Time : 9 ms Server Efficiency(successCount/totalTime): 0.0 -------------------------------Overall Summary ----------------Success Count: 12 Failure Count: 76 Failure % : 86 % ----------------Current Namelookup Related Settings --------------------------------UTMajorUseDNSSeperateThread: false UT.nameResolution: both
A-32
OL-20721-01
Appendix A
CLI Tools Understanding UTLite
UT.nameResolution.threadCount: 1 UT.nameResolution.winsTimeout: 2000 UT.nameResolution.threadThresholdPercentage: 10 UT.nameResolution.dnsTimeout: 2000 UTMajorUseDNSCache: false nameserver.usednsForUT: true DB.dsn: ani --------------------------------ISSUES/RECOMMENDATIONS ----------------------Issue #1: Failure Percent is greater than 20% Recommendation: Check all DNS/WINS entries and ensure proper hostnames are configured Issue #2: DNS reverse lookup is NOT done as separate process Recommendation: Enable UTMajorUseDNSSeperateThread=true in ut.properties Issue #3: Name Resolution DNS server order is not optimal Recommendation: Change dns server order as 64.104.128.248=7.0, 64.104.76.247=0.0, WINS=0.0, Other Recommendations: * If hostnames in your network are less likely to change often, set UTMajorUseDNSCache=true * If reverse lookup failure % is more, try increasing UT.nameResolution.winsTimeout, UT.nameResolution.dnsTimeout and UT.nameResolution.threadThresholdPercentage * Optimal timeout values are: UT.nameResolution.winsTimeout=0, UT.nameResolution.dnsTimeout=48
The script can also be run by setting properties in the ut.properties file.
Understanding UTLite
UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active Directory, and Novell servers. To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell servers. You can also install UTLite in an Active Directory server. UTLite sends traps to LMS whenever a user logs in or logs out. UTLite traps are processed by LMS at the rate of 150 traps per second, with a default buffer size of 76800. If you need a higher trap processing rate, say 300 traps per second, increase the buffer size to 102400. To increase the buffer size:
Enter pdterm UTLITE at the command line to stop the UTLite process. Open utliteuhic.properties located at NMSROOT\campus\lib\classpath\com\cisco\nm\cm\ut\uhic\utlite\properties\ Set Socket.portbuffersize=102400 Enter pdexec UTLITE at the command line to start the UTLite process.
Caution
Increasing the buffer size beyond 102400 results in performance degradation of UTLite.
A-33
Appendix A Understanding UTLite
CLI Tools
To receive UTLITE events:

Step 1 Step 2
Open utliteuhic.properties located at NMSROOT\campus\lib\classpath\com\cisco\nm\cm\ut\uhic\utlite\properties\ Change the property of URTlite state by changing the value from "URTlite.state=disable" to "URTlite.state=enable". Or You can change the property of URTlite state by launching LMS. Select the Acquisition Settings option from Admin > Collection Settings > User Tracking > Acquisition Settings. The Acquisition Settings page appears. In the Acquisition Settings page, check the Get user names from hosts in NT and NDS domains and click Apply.
The UTLite script is supported on these platforms:

Windows NT Windows 2000 Windows XP Windows 2003 Windows Vista Novell Directory Services (NDS) Solaris HP-UX AIX Installing UTLite Script on Active Directory Installing UTLite Script on Windows Installing UTLite Script on NDS Uninstalling UTLite Scripts From Windows Uninstalling UTLite Scripts From Active Directory Uninstalling UTLite Scripts From NDS
The UTLite script is not supported on these UNIX hosts:


A-34
OL-20721-01
Appendix A
Installing UTLite Script on Active Directory

You must install the UTLite script on the Active Directory server and update the servers logon script to get user logon information from Active Directory hosts. You must have Administrator privileges on the Active Directory server to install the UTLite logon script. To install the script:
Step 1
Copy the required files to the Active Directory server:

a. b.
Log into the Active Directory server as Administrator. Obtain the UTLite files from the Server Configuration: NMSROOT\campus\bin\UTLite33.exe NMSROOT\campus\bin\UTLiteNT.bat where NMSROOT is the directory in which you installed Cisco Prime.
c.
Copy the UTLiteNT.bat and UTLite33.exe files into the NETLOGON folder. NETLOGON is located at: %SystemRoot%\sysvol\sysvol\domain DNS name\scripts, where %SystemRoot% is usually c:\winnt and domain DNS name is the DNS name of the domain
Step 2
Edit the UTLiteNT.bat file:

a. b.
Open the UTLiteNT.bat file. Locate the following line and replace domain and ipaddress with the domain name of the Windows domain controller and IP address of the computer running the Campus Manager server:
start
%WINDIR%\UTLite33 -domain domain -host ipaddress -port 16236
If port 16236 is already in use, enter a different number. This port number must match the number that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page (Select Admin > Collection Settings > User Tracking > Acquisition Settings). For more details, see Modifying UT Acquisition Settings. Edit the logon script files to run the UTLiteNT.bat file when users log into the network by adding this line:
UTLiteNT.bat
Step 3
Update the domain controller logon script for each Windows domain that you add. The first time users log into the network after you edit this script, UTLite33.exe is copied to the local WINDIR directory on their Windows client system.
A-35
Appendix A Understanding UTLite
CLI Tools
Installing UTLite Script on Windows

You must install the UTLite script on the primary domain controller and update the domain controller logon script to get user logon information from Windows hosts. Do this once for each domain. You must have Administrator privileges on the primary domain controller to install the UTLite logon script. To install the script:
Step 1
Copy the required files to the primary Windows domain controller:

a. b.
Log into the Windows primary domain controller as Administrator. Obtain the UTLite files from the Server Configuration: C:\Program Files\CSCOpx\campus\bin\UTLite33.exe C:\Program Files\CSCOpx\campus\bin\UTLiteNT.bat where C:\Program Files\ is the directory in which you installed Cisco Prime. Copy the UTLiteNT.bat and UTLite33.exe files into the NETLOGON folder. NETLOGON is located at %SYSTEMROOT%\system32\Repl\Import\Scripts, where, SYSTEMROOT% is the root directory for the Windows operating system files.
c.
Step 2
Edit UTLiteNT.bat file.

a. b.
Open the UTLiteNT.bat file. Locate the following line and replace domain and ipaddress with the domain name of the Windows domain controller and IP address of the computer running the LMS Server:
start
If port 16236 is already in use, enter a different number. This port number must match the number that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page (Select Admin > Collection Settings > User Tracking > Acquisition Settings). For more details, see Modifying UT Acquisition Settings.
Step 3
Edit the logon scripts. Edit users logon script files to run the UTLiteNT.bat file when users log into the network by adding this line:
UTLiteNT.bat
Step 4
Update the domain controller logon script for each Windows domain that you add. The first time users log into the network after you edit this script, UTLite33.exe is copied to the local WINDIR directory on their Windows client system.
Installing UTLite Script on NDS

You must install the UTLite script on the Novell Server and update the domain controller logon script, to get user logon information from Windows hosts. You only need to do this once for each domain. You must have ZenWorks installed and running on the Novell Server, and you must be using NDS 5.0 or later.
A-36
OL-20721-01
Appendix A
To install the script:

Copy the required files to the Novell Server. Log into the Novell Server as Administrator. Obtain the UTLite files from the LMS Server:

C:\Program Files\CSCOpx\campus\bin\UTLite33.exe C:\Program Files\CSCOpx\campus\bin\UTLiteNDS.bat where C:\Program Files\ is the directory in which you installed Cisco Prime.
Create a folder in \\Novell Server Name\SYS\public and copy UTLiteNDS.bat and UTlite33.exe to the folder. Edit the UTLiteNDS.bat file: Open the UTLiteNDS.bat file. Locate the following line and replace domain and ipaddress with the domain name of the Windows domain controller and IP address of the computer running the LMS server:
start
If port 16236 is already in use, enter a different number. This port number must match the number that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page (Select Admin > Collection Settings > User Tracking > Acquisition Settings). For more details, see Modifying UT Acquisition Settings. Edit the logon scripts.
Enter \\Novell_Server_Name\SYS\public\NaL.exe at the command prompt. Click NWAdmin32 to run the Novell Netware Administrator program. Right-click on the users or organizational units whose logon scripts you want to modify and select Details. Click Login Script and enter: @\\%FILE_SERVER%\sys\public\your_folder_name\UTLiteNDS.bat where your_folder_name is the name of the folder you created in Step 1.
Uninstalling UTLite Scripts From Windows

If you choose not to have LMS server automatically collect user names, follow these instructions to properly remove the UTLite scripts. To uninstall the script:
Remove UTLiteNT.bat and UTLite33.exe files from each primary domain controller. Remove the call to run UTliteNT.bat from users' logon scripts. Delete UTLite33.exe from the WINDIR directory of all Windows clients. To quickly locate the WINDIR directory, enter set windir from a command prompt window on each client.
A-37
Appendix A User Tracking Debugger Utility
CLI Tools
Uninstalling UTLite Scripts From Active Directory

If you choose not to have LMS server automatically collect user names, follow these instructions to properly remove the UTLite scripts. To uninstall the script:
Remove UTLiteNT.bat and UTLite33.exe files from each Active Directory server. Remove the call to run UTliteNT.bat from users' logon scripts. Delete UTLite33.exe from the WINDIR directory of all Windows clients. To quickly locate the WINDIR directory, enter set windir from a command prompt window on each client.
Uninstalling UTLite Scripts From NDS

If you choose not to have LMS server automatically collect user names, you must perform these steps to properly remove the UTLite scripts. To uninstall the script:
Remove UTLiteNDS.bat and UTLite33.exe files from the Novell Server. Remove the line added to the login scripts for all users and organizational units. Delete UTLite33.exe from the WINDIR directory of all clients. To quickly locate the WINDIR directory, enter set windir from a command prompt window on each client.
User Tracking Debugger Utility

The User Tracking Debugger Utility is a command line tool to help debug common problems with User Tracking. This section contains:

Understanding Debugger Utility Using Debugger Utility
Understanding Debugger Utility

The utility displays a report on the reasons why User Tracking failed to discover end hosts on specific ports. In many cases, User Tracking may not perform as expected. This may be because of problems in other LMS applications. For instance LMS Server may have devices that are not discovered or inadequate VLAN discovery in Topology Services. You can run the utility to troubleshoot problems, or provide the report and log generated by the utility when you contact TAC for help in diagnosing problems.
A-38
OL-20721-01
Appendix A
CLI Tools Configuring Switches to Send MAC Notifications to LMS Server
The debugger utility uses the data collected by LMS Server and reports the reasons for the missing ports in User Tracking. This tool also has an SNMP component embedded which runs an SNMP query for the table as a part of verification for SNMP failure. For example, SNMP bugs in Catalyst operating system because of which User Tracking may fail to discover devices. This generates an Action Report that you can use to analyze the data. The Debugger Utility:
1. 2. 3. 4.
Checks the switch ports in a sequential order. Reports violation of basic rules for each of the missing ports such as link ports and trunk ports. Checks for SNMP retrieval of data, if the ports pass the validity check. Generates an Action Report suggesting possible remedial actions to retrieve the valid missing ports.
Using Debugger Utility

The Debugger Utility is available at $NMSROOT/campus/bin/ (where $NMSROOT is the directory where you have installed CiscoWorks). To run the Debugger Utility, run the command:
utdebug -switch
switch-ip -port port1[,port2 ...] [-export filename]
where, switch is the switch to which the end hosts are connected. ports are the ports on the switch which have missing end hosts User Tracking.
-export
filename specifies that the debug messages be stored in the file specified. If this option is not used, the messages are displayed on the console.
For example, utdebug -switch 10.29.6.12 -port 5/12 utdebug -switch 10.29.100.10 -port Fa0/10 utdebug -switch 10.29.6.14 -port Gi6
Configuring Switches to Send MAC Notifications to LMS Server

You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a host is connected to or disconnected from that port. Even if the device is managed with SNMPv3, Network Topology, Layer-2 Services, and User Tracking, it processes only SNMPv1/SNMPv2 traps. You can configure the ports only through Command Line Interface (CLI). If you do not have Configuration Management functionality enabled on your LMS Server, you have to manually configure the switches for the switches to send MAC Notifications to the LMS server. Ensure that you have configured System Identity User under Admin > Trust Management > Multi Server > System Identity Setup and the same username and password is configured under Admin > System > User Management > Local User Setup. For a list of commands to be run on each device, see the Appendix Commands to Enable MAC Notification Traps on Devices. For complete list of devices supported by LMS, see http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.1/device_suppo rt/table/lms41sdt.html
A-39
Appendix A Administration Command Line Interface
CLI Tools
Administration Command Line Interface

This section describes how to administer LMS database from the command line. This is explained in the following topics:

Replacing Corrupted Database Re-initializing the Database Deleting all Active Entries from User Tracking, and Restarting Servers Deleting all Inactive Entries from User Tracking, and Restarting Servers Deleting all History Entries from User Tracking, and Restarting Servers Deleting all User Tracking Entries, and Restarting Servers Restoring the Original Data in the Server Restoring Data from Another Server Performance Tuning Tool
This section also explains SNMP Configuration on Devices

Replacing Corrupted Database
If you have a corrupted database, you can use the database administration tools to restore the database from a previous backup. However, if you do not have a previous backup, you must re-initialize the database. When you run this command, if Data Collection is running, it is automatically stopped and then restarted when the database initialization is complete.
Caution
If you re-initialize the database, information from discovered devices will be lost. However, user and host information is retained. Replace the database only if recommended by a Cisco technical representative.
Note
Your login determines whether you can use this option.

Re-initializing the Database
From the command prompt or shell window, enter:

On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl On Windows: perl NMSROOT\campus\bin\reinitdb.pl The following message appears:
This will erase all data from the database. Are you sure [y/n] ?
If you enter y, it erases all data (database tables Wbu*...) from the server.
A-40
OL-20721-01
Appendix A
CLI Tools Administration Command Line Interface
Deleting all Active Entries from User Tracking, and Restarting Servers

On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -active On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -active
where active entries are hosts that are currently logged in

Deleting all Inactive Entries from User Tracking, and Restarting Servers

On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -inactive On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -inactive
where inactive entries are hosts that are currently not logged in
Deleting all History Entries from User Tracking, and Restarting Servers

On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -history On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -history
where history entries are complete entries. That is, hosts that have a login and logout in the past.
Deleting all User Tracking Entries, and Restarting Servers

On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -all On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -all
Restoring the Original Data in the Server

On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -restore On Windows: perl NMSROOT\campus\bin\reinitdb.pl -restore
Note
Before executing the -restore command, you should stop the daemon manager and start again manually. For details, see Using Daemon Manager.
Restoring Data from Another Server
When you take database backup for LMS in one server and restore it in another server, the NMSROOT logfile location may not be the same in both servers. In that case, LMS will log messages to the log file stored in the default NMSROOT location in the restored machine. where NMSROOT is the root directory where you installed CiscoWorks.
A-41
CLI Tools
Performance Tuning Tool
When you get out of memory errors in LMS, the following command can be used to tune the performance: NMSROOT/bin/perl NMSROOT/campus/bin/CMPTT.pl ProcessName HeapSize MaxPermSize
ProcessName should be either one of the following:

ANIServer UTMajorAcquisition
Heap size should be multiples of 512 and should not exceed 1536 MB. Ensure you have enough swap space in the server before tuning the heap size. MaxPermSize will set the JVM MaxPermSize option to 64m.
SNMP Configuration on Devices

SNMP v3 Device Configuration Settings
LMS supports the following Authentication protocols for SNMP v3:

md5 SHA des 3des aes128 aes192 aes256.
LMS supports the following Privacy protocols for SNMP v3:

For using various LMS features in devices running SNMPv3, you must make specific configurations on the devices. The commands that need to be configured are:

Configuring MIB Views Configuring Access Groups Configuring Device with Context Name Configuring a New User Configuring Password for a User Relating a User to a Group Configuring Privacy Protocol
Configuring MIB Views
For Catalyst devices, enter the following command:

set snmp view campusview 1.3.6.1 included nonvolatile
For IOS devices, enter the following command:

snmp-server view campusview
oid-tree included
A-42
OL-20721-01
Appendix A
CLI Tools Administration Command Line Interface
Configuring Access Groups
You must set the access rights for a group with a certain security model in different security levels. For Catalyst devices, enter the following command:
set snmp access campusgroup security-model v3 authentication read campusview write campusview nonvolatile

snmp-server group campusgroup v3 auth read campusview write campusview access
access-list
Configuring Device with Context Name
For Catalyst devices, enter the following commands:

set snmp access campusgroup security-model v3 authentication read campusview write campusview context vlan- prefix nonvolatile
Context exact is also supported. The following is an example:

set snmp access campusgroup security-model v3 authentication read campusview write campusview context vlan-1 exact nonvolatile

snmp-server group campusgroup v3 auth context vlan-1 read campusview write campusview
IOS image versions prior to12.4 support only exact context name. IOS image versions 12.4 or higher, support both exact or prefix context names. You need to configure the device with and without context name, since Data Collection manages the device without context name and User Tracking requires context name to contact the device.
Configuring a New User

set snmp user campususer authentication md5

snmp-server user campususer campusgroup v3 auth md5 password1
Configuring Password for a User

set snmp user campususer authentication md5 password1

snmp-server user campususer campusgroup v3 auth md5 password1
A-43
CLI Tools
Relating a User to a Group
Using a specified security model you can relate a user to a group. For Catalyst devices, enter the following command:
set snmpw group campusgroup user campususer security-model v3 nonvolatile

snmp-server user campususer campusgroup v3
Configuring Privacy Protocol
For Catalyst devices:

set snmp user campususer authentication md5 password1privacy des password2
For IOS devices:

snmp-server user campususer campusgroup v3 auth md5 password1 priv des password2
Configuring SNMP view to prevent %SNMP-3-AUTHFAIL Syslog due to polling of shutdown VLANs
Due to the limitation of stpxPVSTVlanEnable mib object, data collection polls shut down VLANs for fetching STP related data which will enable the device to trigger %SNMP-3-AUTHFAIL Syslogs. In order to avoid the polling of shut down VLAN, SNMP-VACM-MIB view has to be created in the device, associated with SNMP credential and the property vacmContextNameEnabled has to be set to 1 in LMS. You can enable it by creating a view and by including and excluding MIBs as mentioned in the below configuration:
snmp-server view <view-name> iso included snmp-server view <view-name> internet included snmp-server view <view-name> internet.6.3.15 excluded snmp-server view <view-name> internet.6.3.16 excluded snmp-server view <view-name> internet.6.3.18 excluded snmp-server view <view-name> cTapMIB excluded snmp-server view <view-name> internet.6.3.16.1.1 included
In LMS, by default the property vacmContextNameEnabled in ANIServer.properties under NMSROOT/campus/ect/cwsi has the value 0. This value has to be changed to 1 and then restart the daemons.
Note
The device side configuration has to be done on all the devices in the network before changing the property in LMS. Otherwise some of the features will not work in Topology and Layer2 Services.
A-44
OL-20721-01
A P P E N D I X

This section provides the following information for the Administration module of LMS:

Troubleshooting Guidelines Frequently Asked Questions
Troubleshooting Guidelines
This section provides guidelines on the following:

Troubleshooting User Tracking Troubleshooting the Cisco Prime LMS Server
Troubleshooting User Tracking

Use the information in Table B-1 to troubleshoot the User Tracking application.
Table B-1 Troubleshooting User Tracking
Symptom
Probable Cause
Possible Solution For more details, see
User Tracking cannot discover any There may not be information in the LMS database. users or hosts or User Tracking cannot display any IP phones. User Tracking cannot discover certain users or hosts. The device might not be part of DCR and you must run Device Discovery and Data Collection. The LMS server might not have discovered one or more devices to which users and hosts are connected.
Discovering Devices in Inventory Management with Cisco Prime LAN Management Solution 4.1 Administering Data Collection Check the CiscoWorks topology for the missing devices Ensure that CDP and SNMP are enabled on the devices, rediscover these devices, Verify that they appear on the topology view.
1. 2. 3.
B-1
Appendix B Troubleshooting Guidelines
Table B-1
Troubleshooting User Tracking (continued)
Symptom User Tracking cannot discover certain IP phones.
Probable Cause The LMS server might not have discovered the specific Media Convergence Server (MCS) that runs the instance of Cisco CallManager to which the IP phones are registered.
Possible Solution
1.
Check the CiscoWorks topology for the missing MCS that runs the instance of Cisco CallManager to which the phones are registered. Ensure that Cisco CallManager is shown as a service running on the MCS and is discovered by the LMS Server. Rediscover all IP phones.
2.
3.
User Tracking table does not contain device name, IP address, and subnet information for some hosts.
User Tracking cannot find the most recent network information. Network changes are not currently reflected in ARP information (routers) or bridge tables (switches). User Tracking does not perform Ping Sweep on large subnets; for example, subnets containing Class A and B addresses. Hence, ARP cache might not have some IP addresses and the User Tracking may not display the IP addresses. In larger subnets, the ping process leads to numerous ping responses that might increase the traffic on your network and result in extensive use of network resources.
Enable Ping Sweeps when User Tracking performs Discovery. Ping Sweeps are enabled by default. To perform Ping Sweep on larger subnets, you can either:
Configure a higher value for the ARP cache time-out on the routers. To configure the value, you must use the arp time-out interface configuration command on devices running Cisco IOS. Or Use any external software, which will enable you to ping the host IP addresses. This will ensure that when you run User Tracking Acquisition, the ARP cache of the router contains the IP addresses.
You have:
A complete Device Discovery process has not run since you added your Made changes to the network. changes. Run User Tracking Major User Tracking Major Acquisition is not Acquisition. a full network discovery. The process The changes do not appear in discovers only the user and host data in the User Tracking display. your network. Changes that you make to your network might not appear after a User Tracking Major Acquisition.
1. 2. 3.
Run Device Discovery. Run a complete Data collection. Generate a new report after data collection is complete to see the changes.
Troubleshooting the Cisco Prime LMS Server

Use these tools and suggestions to diagnose problems with the Cisco Prime LMS server:

Verifying Server Status Troubleshooting Suggestions
B-2
OL-20721-01
Appendix B
Troubleshooting and FAQs Troubleshooting Guidelines
Verifying Server Status

There are several tools that enable you to gather and analyze information about your Cisco Prime LMS Server. See Table B-2 and Table B-4.
Table B-2 Server Status
Task Perform self test.
Purpose
Action
Administrative Tasks Runs self-tests and Select Admin > System > Server Monitoring > generates a report with the Selftest. results. Checks whether back-end Select Admin > System > Server Monitoring > processes are in an interim Processes. state. Provides system information, environment, configuration, logs, and web server information. Select Admin > System > Server Monitoring > Collect Server Information Or Enter the following command:

All Users Check process status. Collect server information.
NMSROOT\bin\perl NMSROOT\bin\collect.info (on Windows) NMSROOT/bin/perl NMSROOT/bin/collect.info (on Solaris/Soft Appliance)
B-3
Appendix B Troubleshooting Guidelines
Table B-2
Server Status
Task MDC Support
Purpose The MDC Support utility collects:

Action For Windows go to, NMSROOT\MDC\bin and run the command:

MDCSupport.exe
Log files
Configuration settings The utility creates a tar file in NMSROOT\MDC\etc directory. Memory information If \etc directory is full, or if you want to preserve the Complete system data collected previously by not over writing the tar related information file, you may create another directory by running the Process status following command: Host environment MDCSupport.exe Directory information For Solaris/Soft Appliance, It also collects any other 1. Set the LD_LIBRARY_PATH environment relevant data, into a variable to /opt/CSCOpx/MDC/lib: deliverable tar /opt/CSCOpx/lib: (compressed form) file to support the MDCs 2. Go to /opt/CSCOpx/MDC/bin and run the installed. command:./mdcsupport The MDC Support utility also queries CCR for any other support utilities registered, and run them. Other MDCs need to register their own support utilities that will collect their relevant data. The utility creates a tar file in CSCOpx/MDC/etc directory. If \etc directory is full, or if you want to preserve the data collected previously by not over writing the tar file, create another directory by running the following command:
./mdcsupport
Directory
Before you close the command window, ensure that the MDC Support utility has completed its action. If you close the window prematurely, the subsequent instances of MDCSupport Utility will not function properly. If you happen to close the window, delete the mdcsupporttemp directory from NMSROOT\MDC\etc directory, for subsequent instances to work properly.
B-4
OL-20721-01
Appendix B
Troubleshooting and FAQs Troubleshooting Guidelines
Troubleshooting Suggestions
Use the suggestions in Table B-3 to resolve errors or other problems with the Cisco Prime LMS Server.
Table B-3 Troubleshooting Suggestions
Symptom
Authorization required. Please log in with your username and password. Daemon Manager could not start. The port is in use.
Probable Cause Incompatible browser causing cookie failure (unable to retrieve cookie). The operating system has not yet reallocated the port. LMS cannot recover forgotten passwords.
Possible Solutions Verify that you have Accept all cookies enabled. Refer to the installation documentation for supported Internet Explorer and Mozilla Firefox software and setup procedures.
Make sure all Cisco Prime processes are terminated (/usr/ucb/ps -auxww | grep CSCO). Wait five to ten minutes, then try to restart the Daemon Manager. A system administrator-level user must either change the password or delete the user account and add it again.
1. 2.
User has forgotten his password.
You are logged out of Changes in the login the Cisco Prime module configuration file Server. might not be correct. Authentication server might be down and there were no fallback logins set.
Log into Cisco Prime LMS Server. Enter the following commands:
NMSROOT\bin\perl NMSROOT\bin\ResetLoginModule.pl
(on Windows)
NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl

3.
Restart Daemon Manager. Stop all processes. Enter the log file maintenance commands:
NMSROOT\cgi-bin\admin\ (on Windows) NMSROOT/cgi-bin/admin/ (on Solaris/Soft Appliance)
The Log File Status Files need to be backed up so that file size will be window displays files that exceed their reset to zero. limit.
1. 2.
3.
Restart all processes.
B-5
Appendix B Frequently Asked Questions
Table B-3
Troubleshooting Suggestions (continued)
Symptom Error message in the logfile: Connection

Refused. Check the Device is SSH supported or not.
Probable Cause Device is not SSH enabled or the server is not authorized to initiate SSH connection.
Possible Solutions
1. 2.
Check whether the device is up or not. Try connecting to the device with a commercial SSH client. If you are able to connect, go to step 3. If you are not able to connect, check whether the device is running SSH enabled (K2 or K9) image.

If it is not the correct image, download the appropriate image to the device. If you have the correct image, check whether you have created RSA key pairs in the device. Creating RSA keys will enable SSH in the device.
3.
Check whether your server or network is authorized to initiate SSH connections to device.
While launching the The Group Administration Start the Group Administration server from the user interface or from the Group server is either not running CLI. Administration page, or yet to be up. To start the server from the user interface: the following error 1. Select Admin > System > Server Monitoring > Processes. message is displayed: The Process Management Dialog Box appears.
Error in communicating with Group Administration Server.
2. 3.
Check the CMFOGSServer check box in the Process Management dialog box Click Start.
To start the server from the CLI, enter: NMSROOT/bin/pdexec CMFOGSServer where NMSROOT is the Cisco Prime LMS Installation directory. See Installing and Migrating to Cisco Prime LAN Management Solution 4.1 for troubleshooting tips on Cisco Prime installation.
Frequently Asked Questions

This section provides FAQs on the following:

User Tracking FAQs VRF Lite FAQs Cisco Prime LMS Server FAQs Fault Management FAQs Device Performance Management FAQs IPSLA Performance Management FAQs
B-6
OL-20721-01
Appendix B
Troubleshooting and FAQs Frequently Asked Questions
User Tracking FAQs

This section lists the FAQs on User Tracking:

Q.Why are outdated entries appearing in my User Tracking table? Q.How does User Tracking acquisition process differ from that of the LMS Server? Q.How does User Tracking user and host acquisition process work? Q.Why is User Tracking not performing Ping Sweeps on some subnets? Q.How long does User Tracking maintain data? Q.Does User Tracking discover users and hosts connected to non-Cisco Discovery Protocol (CDP) devices? Q.Where does User Tracking log errors? Q.Why am I getting a parse error when trying to parse some of the output files?
Q. Why are outdated entries appearing in my User Tracking table? A. Outdated entries result when: A user or host is assigned to new VLAN/port/VTP domain. A power failure occurred. A workstation has been switched off or removed from the network.
User Tracking does not automatically delete outdated end-user host entries. To delete these entries:
Manually delete selected entries.
Or
Configure delete interval for purging old records more than the given number of days. Select Admin > Network > Purge Settings > User Tracking Purge Policy Q. How does User Tracking acquisition process differ from that of the LMS Server? A. User Tracking is a LMS client application. The LMS Server provides several types of global
discoveries, including:
Device and physical topology acquisition, resulting in baseline network information such as
device identity, module and port information, and physical topology. This type of acquisition is required for logical, user, and path acquisition.
User acquisition, resulting in information about users and hosts on the network.
The LMS Server stores this information in the database. User Tracking discovers the host and user information in the LMS server database, correlates this information, and displays it in the User Tracking Reports. For more information about the various acquisition processes, see Various Acquisitions in User Tracking.
B-7
Q. How does User Tracking user and host acquisition process work? A. Before collecting user and host information, LMS must complete Data Collection. After the
completion of Data Collection User Tracking performs steps described in Table B-4.
Table B-4 User Tracking User and Host Acquisition Process
Process Performs Ping Sweeps
Description Pings all IP addresses on all known subnets, if you have Ping Sweeps enabled (the default). This process updates the switch and router tables before User Tracking reads those tables. This ensures that User Tracking displays the most recent information about users and hosts.
Obtains MAC addresses from Reads the switch's bridge forwarding table. switches The bridge forwarding table provides the MAC addresses of end stations, and maps these MAC addresses to the switch port on which each workstation resides. Obtains IP and MAC addresses from routers Obtains hostnames Obtains usernames Records discovered information Reads the Address Resolution Protocol (ARP) table in routers to obtain the IP and corresponding MAC addresses. Performs a Domain Name Service (DNS) lookup to obtain the hostname for every IP address. Attempts to locate the users currently logged in to the hosts and tries to obtain their username or login ID. Records the discovered information in the LMS database.
Q. Why is User Tracking not performing Ping Sweeps on some subnets? A. The criterion for whether or not User Tracking performs Ping Sweeps on a subnet is the number of
hosts in the subnet: You must check if you have excluded the subnets from Ping Sweep. If a subnet has 256 or fewer hosts, User Tracking performs Ping Sweeps on that subnet. User Tracking does not perform Ping Sweeps on the subnets, which have more than 256 hosts. If Ping Sweeps are not performed, User Tracking still obtains information from the router and switch mapping tables during a discovery. For more details on Ping Sweep, see Notes on Ping Sweep Option.
Q. How long does User Tracking maintain data? A. It depends on the delete interval you have set. For more details, see Deleting User Tracking Purge
Policy Details.
Q. Does User Tracking discover users and hosts connected to non-Cisco Discovery Protocol (CDP)
devices?
A. LMS does not manage non-CDP devices. Hence User Tracking will not discover users and hosts in
the network connected to non-CDP devices.
B-8
OL-20721-01
Appendix B
Q. Where does User Tracking log errors? A. User Tracking major acquisition errors are logged in the User Tracking error log. Data Collection
errors are logged in the respective log file. The log files are located at Solaris/Soft Appliance : /var/adm/CSCOpx/log Windows: NMSROOT\log Where NMSROOT is the directory where you have installed Cisco Prime.
Q. Why am I getting a parse error when trying to parse some of the output files? A. A few classes in Optical switches contain special characters with ASCII code higher than 160. Most
of the XML parsers do not support these characters and hence fail to parse them. To overcome this, you have to manually search for those elements with special characters and append CDATA as given in the example below: If there is an element
<checksum> o </checksum>
Change it to:
<checksum> <![CDATA[o ]]> </checksum>
VRF Lite FAQs

This section lists the FAQs on VRF Lite:

Q.What is VRF Lite ? Q.What is Network Virtualization? Q.What are the pre-requisites to manage a device using VRF Lite? Q.The device must be managed by LMS to exercise all the functionality of VRF Lite. The desired device is not listed in the device selector for the VRF Lite configuration workflows. What is the reason for a device not listed in the device selector? Q.What are the different categories in which the devices are managed by Virtual Network Manager? Or what criteria are used by Virtual Network Manager to categorize the devices in the network? Q.Sometimes, while performing VRF Lite configuration, I get the following message: Q.What are the details of the VRF Lite log files? In which location are the VRF Lite log files located? Q.When is the VRF Lite Collection process triggered? Q.After the completion of the Data collection process, the VRF Lite Collector failed to run, What is the reason for failure? Q.How can I configure SNMP timeout and retries details for VRF Lite? Q.What is the reason for VLANs not getting populated in the VLAN to VRF Lite Mapping page in the Create VRF Lite and Extend VRF Lite workflows ? Q.How do I enable the debug messages for Virtual Network Manager? Q.Why are some port-channels not discovered in VRF Lite? Q.What are the processes newly introduced for VRF Lite ? Q.What is tested number of devices support in VRF Lite? Q.What are the property files associated with VRF Lite?
B-9
Q.In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow, why are values for the IP Address and SubnetMask fields empty? Q.What is protocol order for configuration workflows? Q.What is protocol ordering for troubleshooting? Q.If you configure commands to be deployed to two different devices, will the commands be deployed parallelly or serially? Q.Which VRF Lite configuration jobs that are failed can be retried? Q.Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page? Q.Why the FHRP and DHCP configurations are not shown in VRF Lite?
Q. What is VRF Lite ? A. Virtual Routing and Forwarding Lite (VRF Lite) is the one of the simplest form of implementing
virtualization technology in an Enterprise network. A Virtual Routing and Forwarding is defined as VPN routing/forwarding instance. A VRF Lite consists of an IP Routing table, a derived forwarding table, a set of interfaces that use the forwarding table and set of routing protocols that determine what goes into the forwarding table. VRF Lite is an application that allows you to pre-provision, provision and monitor Virtual Routing and Forwarding-Lite (VRF Lite) technology on an enterprise network.
Q. What is Network Virtualization? A. Virtualization deals with extending a traditional IP routing to a technology that helps companies
utilize network resources more effectively and efficiently. Using virtualization, a single physical network can be logically segmented into many logical networks. The virtualization technology supports multiple virtual routing instances of a routing table to exist within a single routing device and work simultaneously.
Q. What are the pre-requisites to manage a device using VRF Lite? A. The pre-requisites to manage a device in VRF Lite are: 1. 2. 3.
The device must be managed by LMS. The device must either be L2/L3 or L3 device The devices failing to satisfy pre-requisite # 1 or #2, are not displayed in VRF Lite. The device must have the necessary hardware support. For more information on hardware support, see http://www.cisco.com/en/US/partner/products/sw/cscowork/ps563/products_device_support_table s_list.html. If the device hardware is not supported then the device will be classified as Other devices If a device supports MPLS VPN MIB, it is classified as a capable device. VTP Server must be support MPLS VPN MIB. If the VTP Server does not support MPLS VPN MIB, VRF Lite will not manage VTP Clients.
4. 5.
B-10
OL-20721-01
Appendix B
Q. The device must be managed by LMS to exercise all the functionality of VRF Lite. The desired
device is not listed in the device selector for the VRF Lite configuration workflows. What is the reason for a device not listed in the device selector?
A. A device is not listed in the device selector due to the following reasons:
All VRF Lite Configuration workflows like Create, Edit, Extend, Delete VRF Lite and Edge VLAN Configuration. A device will not be listed in the Device Selector, if a device does not satisfy the pre-requisites as mentioned in the Configuring Virtual Routing and Forwarding (VRF) in Configuration Management with Cisco Prime LAN Management Solution 4.1. If VRF Lite Configuration workflow is either Edit VRF Lite, or Delete VRF Lite or Edge VLAN Configuration then a device will not be listed in the Device Selector, if a device is not participating in the selected VRF Lite. In the Readiness Report, a device listed as a supported device may be because it is not managed by LMS. You can check if a device is managed by using the Device Management State Summary (Inventory > Device Administration > Manage Device State). In Extend VRF Lite workflow, the devices listed in the Device Selector are the devices that are not participating in the selected VRF Lite. In Edge VLAN Configuration workflow, the devices listed in the Device Selector are only L2/L3 devices that are not participating in the selected VRF Lite.
Q. What are the different categories in which the devices are managed by Virtual Network Manager?
Or what criteria are used by Virtual Network Manager to categorize the devices in the network?
A. Virtual Network Manager identifies the devices based on the minimum hardware and software
support required to configure VRF Lite on the devices. Based on the available hardware and software support in the devices, Virtual Network Manager classifies the devices into following categories:
VRF Lite Supported Devices Represents the devices with required hardware and software
support available to configure VRF Lite on the devices.

VRF Lite Capable Devices Represents the devices with required hardware support available.
But the device software must be upgraded to support MPLS VPN MIB. For information on the IOS version that supports MPLS VPN MIB, refer http://tools.cisco.com/ITDIT/MIBS/MainServlet. VRF Lite classifies all the devices from Cat 3k and Cat 4k family of devices as VRF Lite Capable devices as these devices do not have the required MPLS VPN MIB support.
Other Represents the devices without required hardware support to configure VRF Lite.
SysOID of the device needs to be checked.
B-11
Q. Sometimes, while performing VRF Lite configuration, I get the following message:
The device(s) with display name(s) are already locked as they are used by configuration workflows. You cannot configure these devices. Wait for some time Or Ensure the devices are not used by configuration workflows and free the devices from Admin > Network > Resource Browser. Or Selected Device(s) are locked as they are used by configuration workflows. You cannot configure these devices. Wait for some time OR Ensure the devices are not used by configuration workflows and free the devices from Admin > Network > Resource Browser. Can I get the details of the user who has locked the devices to perform VRF Lite configuration?
A. You cannot get the details of user who has locked the devices to perform VRF Lite configurations. Q. What are the details of the VRF Lite log files? In which location are the VRF Lite log files located? A. The following are the details of the VRF Lite log files: 1. 2. 3. 4.
Vnmserver.log This log file logs the messages pertaining to the VRF Lite Server process. Vnmcollector.log This log file logs the messages pertaining to the VRF Lite collection. Vnmclient.log This log file logs the messages related to the User Interface. Vnmutils.log This log file logs the messages pertaining to the utility classes used by VRF Lite client and server.
The above-mentioned VRF Lite log files are located in the following location: In Solaris/Soft Appliance : /var/adm/CSCOpx/log/ In Windows: NMSROOT\logs
Q. When is the VRF Lite Collection process triggered? A. Manually:
You can manually schedule to run the VRF Lite Collection process by: Providing the setting details using Admin > Collection Settings > VRF Lite > VRF Lite Collector Schedule option. Automatically: If you enable the Run VRF Lite Collector After Every Data Collection in the VRF Lite Collector Schedule page. The VRF Lite Collection process will be automatically triggered after the completion of Data Collection. You can reach the VRF Lite Collector Schedule page using Admin > Collection Settings > VRF Lite > VRF Lite Collection Settings page.
Q. After the completion of the Data collection process, the VRF Lite Collector failed to run, What is
the reason for failure?

A. Check if the Run VRF Lite Collector After Every Data Collection option is enabled in the VRF
Lite Collector Schedule page. You can reach the VRF Lite Collector Schedule page from Admin > Network > VRF Lite Collection Settings page.
Q. How can I configure SNMP timeout and retries details for VRF Lite? A. The SNMP timeout and retries details are configured using Admin > Collection Settings > VRF
Lite > VRF Lite SNMP Timeouts and Retries. By default, all the devices have a timeout of six seconds and retry attempt of 1 second.
B-12
OL-20721-01
Appendix B
Q. What is the reason for VLANs not getting populated in the VLAN to VRF Lite Mapping page in the
Create VRF Lite and Extend VRF Lite workflows ?

A. The VLAN to VRF Lite Mapping page lists the links connecting the source and the destination
device. The VLANs are not listed in fields displaying the links in the VLAN to VRF Lite Mapping page because VRF Lite tries to find a free VLAN in the devices connected using a link based on the following procedure
1. 2.
An SVI, VRF Lite searches for free VLANs in the range 1- 1005 An SI, VRF Lite searches for free VLANs in the range 1006-4005
Q. How do I enable the debug messages for Virtual Network Manager? A. You can enable the debugging levels for a particular module using
Admin > System > Debug Settings > VRF Lite Client Debugging Options. Admin > System > Debug Settings > VRF Lite Collector Debugging Admin > System > Debug Settings > VRF Lite Server Debugging Admin > System > Debug Settings > VRF Lite Utility Debugging
You can manually change the name and the size of the log file. The configuration log files are available under NMSROOT/MDC/tomcat/webapps/vnm/WEB-INF/classes. The changes made will be reflected after approximately 60 seconds.
Q. Why are some port-channels not discovered in VRF Lite? A. VRF Lite does not support port-channel and GRE Tunnel. Also, Currently VRF Lite supports only
802.1Q
Q. What are the processes newly introduced for VRF Lite ? A. To run VRF Lite , VRF Lite Server process is newly introduced in the application. The VRF Lite
Collector process is executed as a Job.

Q. What is tested number of devices support in VRF Lite? A. In an Enterprise network, VRF Lite is tested to support the configuration of 32 VRFs with VRF Lite
configuration supported in 550 devices in your network. However, at a given time, you can select up to 20 devices and configure VRF Lite using the Create, Edit and Extend VRF Lite workflow.
Q. What are the property files associated with VRF Lite? A. The following property files are associated with VRF Lite: 1. 2. 3.
NMSROOT/vnm/conf/VNMClient.properties This property file is used to provide the settings for Purge and Home page auto Refresh NMSROOT/vnm/conf/VNMServer.properties This property file is used to provide the SNMP and VRF Lite Server settings. NMSROOT/vnm/conf/VRFCollectorSnmp.conf This property file stores the SNMP Timeout and Retries that you have configured.
Q. In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow, why
are values for the IP Address and SubnetMask fields empty?

A. If the physical interface that links two devices is not configured with an IP Address, then the IP
Address and the SubnetMask fields are empty.
B-13
Q. What is protocol order for configuration workflows? A. Configuration workflow uses the protocol order similar to ordering used by NetConfig in Resource
Manager Essentials. Choose the NetConfig as Application Name from using Admin > Collection Settings > Config > Config Transport Settings page. You can view the protocol ordering in the Transport Settings page.
Q. What is protocol ordering for troubleshooting? A. Troubleshooting VRF Lite workflow uses the protocol ordering similar to ordering used by NetShow
in Resource Manager Essentials. Choose the NetShow as Application Name from using Admin > Collection Settings > Config > Config Transport Settings page. You can view the protocol ordering in the Transport Settings page.
Q. If you configure commands to be deployed to two different devices, will the commands be deployed
parallelly or serially?
A. The commands will be deployed to multiple devices parallelly, where as a series of commands
with-in a single device, will be deployed in serial manner.

Q. Which VRF Lite configuration jobs that are failed can be retried? A. You can retry all the VRF Lite Configuration jobs which are failed. VRF Lite Configuration jobs are
the jobs pertaining to Create, Edit, Extend, Delete VRF Lite and Edge VLAN Configuration workflow.
Q. Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page? A. The functionality for Monitor Real Time button is provided by IPSLA Performance Management.
This button is enabled only when IPSLA Performance Management is enabled in the local server.
Q. Why the FHRP and DHCP configurations are not shown in VRF Lite? A. VRF Lite does not fetch the details for the FHRP or DHCP configuration from the device. Also, VRF
Lite wont put the list of VLANs allowed on a trunk The Protocols and DHCP Server details for existing or newly created SVIs are not fetched from the selected devices.
Cisco Prime LMS Server FAQs

The following sections lists the Frequently Asked Questions (FAQs) of Cisco Prime LMS application.

General Security Software Center Event Distribution Services and Event System Services Backup and Restore Database Apache and Tomcat
B-14
OL-20721-01
Appendix B
General
The section lists you the general FAQs on LMS:

Q.Which version of the Java Plug-in should I use for Cisco Prime to function properly? Q.Why cannot I start my Cisco Prime application? Q.Why am I unable to launch Cisco Prime from a Windows 2008 client machine? Q.I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access? Q.Do I need to change the Cisco Prime configuration after changing the IP address? Q.How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running it for a while? Q.How do I change the port for osagent in Windows? Q.How do I change port for osagent in Solaris? Q.How do I ensure that jrm is running fine? Q.How do I change the casuser password in Windows? Q.How do I change the Cisco Prime user password? Q.How do I enable debugging for Session Management Services? Q.What does a diskWatcher process do? Q.Cisco Prime Time is not synchronized with System time. What should I do? Q.How can I increase the timeout value of Cisco Prime LMS user interface? Q.How should I change the syslog port of Cisco Prime from 514 to another number? Q.What should I do when Daemon Manager and multiple processes are not started on a Windows machine? Q.How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running it for a while? Q.Why do I get the Java Script Not Enabled error after logging into Cisco Prime? Q.In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets? Q.What are the specific ports required for Internet HTTP features? Q.Why is the display name not available in the home page after importing? Q.How do you ensure to register using a template and launch the links properly? Q.I am getting timeout exception in cmdsvc (command service library) during a device connection/socket establishment. How do I change the default timeout and delays in cmdsvc?
Q. How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running
it for a while?
A. You can change the IP address on the server, and then access it using the new IP address.
B-15
To change the IP address on Windows:

Step 1
Click Start > Settings > Network and Dial-up Connections > Local Area Connection. The Local Area Connection Status dialog box appears. Click Properties. The Local Area Connection Properties dialog box appears. Select Internet Protocol (TCP/IP) and click Properties. The Internet Protocol (TCP/IP) Properties dialog box appears. Select the radio button Use the following IP address. Change the IP address as required, in the IP address field. For the subnet mask and default gateway values, enter the ipconfig command at the command prompt. The subnet mask and default gateway values appear. Enter these values in the Subnet mask and Default gateway fields. Click OK to go back to Local Area Connection Status dialog box. Click OK. Restart the server.
Step 2
Step 3
Step 4 Step 5
To change the IP address on Solaris, use the command ifconfig at the command prompt to change the IP address of the required interface. For example, at the command prompt, you can enter:
ifconfig
interfacename inet ipv4address
where the variable interfacename represents the name of the interface and ipv4address represents the new IP address.
Q. Why do I get the Java Script Not Enabled error after logging into Cisco Prime? A. This could be because Java Script is disabled in Internet Explorer. You should enable it in IE.
To do so:
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9
Launch Internet Explorer and click Tools > Internet Options. Click the Security tab and select Trusted Sites. Add the Cisco Prime LMS Server to the trusted zone. Clear the selection in Require server verification for all sites in this zone. Click OK to return to the Security tab. Click the Custom level button from the Security level for this zone panel. Select the Enable option for scripting of Java applets. Click OK to return to the Security tab. Click Apply.
B-16
OL-20721-01
Appendix B
Q. In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets? A. In Microsoft Internet Explorer 7.0 and 8.0 browsers, the Telnet protocol handler is disabled by
default. To re-enable the Telnet protocol:

Click Start > Run. The Run dialog box opens. In the Open box, enter: Regedit, then click OK. The Registry Editor opens. Go to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl. Under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl, create a new key named FEATURE_DISABLE_TELNET_PROTOCOL. Add a DWORD value named iexplore.exe and set the value to 0 (decimal). Close the Registry Editor. Restart the browser, the Telnet protocol is enabled
Step 4
Q. What are the specific ports required for Internet HTTP features? A. Only port number 80 is required for all HTTP interactions between Cisco Prime LMS Server and
Cisco.com, including the Software Center interactions.

Q. Why is the display name not available in the home page after importing? A. The probable causes for this problem could be: There is a mismatch between the hostname in the template imported and the hostname specified
in the UI during importing.

The application imported from a remote server does not belong to the server from which it is
imported.
Q. How do you ensure to register using a template and launch the links properly? A. Before you register through a template, you should ensure that: The host is reachable. Port information specified is correct and reflects the current port of the bundle. The application is available and can be launched by entering the application URL in the browser. Q. Which version of the Java Plug-in should I use for Cisco Prime to function properly? A. Cisco Prime supports Java Plug-in 1.6.0_19 in all the supported clients and operating systems. We
recommend that you do not install any other plug-ins other than this one, for Cisco Prime to function properly.
B-17
Q. Why cannot I start my Cisco Prime application? A. If you cannot start your Cisco Prime application and see error messages, it may be because the web
server may not be running. This may occur although pdshow indicates that those processes are running. You need to check how your machine resolves its server name and IP address. The Cisco Prime CORBA applications require name resolution to work properly. Domain Name Service (DNS) is mandatory for Cisco Prime CORBA applications to work properly. Configure the name resolution mechanism and restart the Cisco Prime LMS Server to access the application correctly.
Q. Why am I unable to launch Cisco Prime from a Windows 2008 client machine? A. This is caused by the default security settings in the browsers. Sometimes, the META-REFRESH
tag is disabled in the browser. To enable the META-REFRESH tag in the browser:
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8
Click Tools > Internet Options. The Internet Options dialog box opens. Click the Security tab. Select the Internet zone. Click Custom level... The Security Settings dialog box opens. In the Miscellaneous options, select the Enable option for Allow Meta Refresh field. Click OK, and then Apply to update the settings. Close the IE 7 or IE 8 open windows. Launch a new IE 7 or IE 8 window and login into LMS.
Q. I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access? A. There are several reasons why you are locked out. It is probably caused by the changes made using
the Select Login Module option. You must replace the incorrect login module with a default configuration, log into Cisco Prime, and return to the login module to correct one or more of the following:
Session Time out Change from SSL mode to non-SSL mode Change from non-SSL mode to SSL mode Log out from any other Cisco Prime application Visit other sites and then return to Cisco Prime
Do not alter the existing technologies in the default configuration file. If all of the parameters listed are correct, see Troubleshooting Suggestions.
Q. Do I need to change the Cisco Prime configuration after changing the IP address? A. You need not change the Cisco Prime configuration whenever you change the IP address. Cisco
Prime uses hostname for most of the communication. Only devices need to point to the new IP address. However, after changing the IP address, you must reboot the system on a Solaris server and restart the Daemon Manager on a Windows server. This is to make the changes effective.
B-18
OL-20721-01
Appendix B
Q. How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running it
for a while?
A. To change the hostname of the Cisco Prime LMS Server, you need to update several files and
windows registry entries. You can use the hostnamechange.pl CLI utility to update the new host name information in files and windows registry entries. See Using LMS Server Hostname Change Scripts for more information.
Q. How do I change the port for osagent in Windows? A. Before you change the port for osagent in Windows: Ensure that the daemons are not running.
Enter the following command to stop the Daemon Manager:

net stop crmdmgtd
Backup your Windows registry.
To change the port for osagent in Windows, run the following script at the command prompt: NMSROOT\bin\perl NMSROOT\bin\ChangeOSAGENTPort.pl Port_Number where, Port_Number refers to any unused port number between 1026 to 65535. The script completes the following:
Updates the value of the following registry entries with the new port numbers.
HKEY_LOCAL_MACHINE > SOFTWARE > Cisco > Resource Manager > Current
Version > Daemon > RmeOrb

Version > Daemon > RmeGatekeeper

Version > Environment

Changes the value of the port number to new port number in NameServer and NameServiceMonitor processes. Changes the value of OSAGENT_PORT and PX_OSA_PORT port numbers in the md.properties file with the new port numbers.
Reboot the server and start the Daemon Manager after you have completed running the script.
Q. How do I change port for osagent in Solaris? A. Before you change the port for osagent in Solaris: Ensure that the daemons are not running.
Enter the following command to stop the Daemon Manager:

Make sure that no CSCO processes are running. Back up NMSROOT/objects/dmgt/dmgtd.conf file.
To change the port for osagent in Solaris, run the following script at the command prompt: NMSROOT/bin/perl NMSROOT/bin/ChangeOSAGENTPort.pl Port_Number where, Port_Number refers to any unused port number between 1026 to 65535.
B-19
The script completes the following:

Changes the value of the port number to new port number in NameServer and NameServiceMonitor processes. Changes the value of OSAGENT_PORT and PX_OSA_PORT port numbers in the md.properties file with the new port numbers. Updates the new port number in /etc/services file. Updates the entry in /var/sadm/pkg/CSCOmd/pkginfo file.
Reboot the server and start the Daemon Manager after you have completed running the scripts.
Q. How do I ensure that jrm is running fine? A. To check whether jrm is working on Windows, at the command prompt enter:
cwjava -cw
NMSROOT com.cisco.nm.cmf.jrm.jobcli
To check whether jrm is working on Solaris, at the command prompt enter:

cwjava -cw
NMSROOT com.cisco.nm.cmf.jrm.jobcli
If you get a message Established connection with JRM, then EDS, EDS-GCF and jrm are
running.
If you do not get the above message, contact the technical assistance center with the error
message.
If your jrm in down or inaccessible, youll get a message while accessing the UIs. Q. How do I change the casuser password in Windows? A. You can change the casuser password using resetCasuser.exe. It can be run only by an administrator
or casuser. To change the casuser password:

Step 1
Enter NMSROOT\setup\support resetCasuser.exe at the command prompt You can:

1. 2. 3.
Randomly generate the password Enter the password Exit.
Step 2
Enter 2, and press Enter. It prompts you to enter the password. Confirm the password.
Step 3
Note
You must know the password policy. If the password entered does not match the password policy, it exits.
Q. How do I change the Cisco Prime user password? A. See Changing Cisco Prime User Password Through CLI for details.
B-20
OL-20721-01
Appendix B
Q. How do I enable debugging for Session Management Services? A. To enable debugging for Session Management Services: Step 1
Go to NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml. You should edit the following section of the file:

<context-param> <param-name>DEBUG</param-name> <param-value>false</param-value> <description>mice debug enabling</description> </context-param>
Step 2
Change <param-value>false</param-value> to <param-value>true</param-value>.
Q. What does a diskWatcher process do? A. The diskWatcher process monitors disk space availability on the Cisco Prime LMS Server.
This process calculates the disk space information of a drive (in Windows machine) or a file system (in Solaris machine) at regular intervals and stores them in diskWatcher.log file. See Configuring Disk Space Threshold Limit for more information.
Q. Cisco Prime Time is not synchronized with System time. What should I do? A. You should complete the following: a. Edit the TIMEZONE file using the vi /etc/TIMEZONE command on a Solaris machine. b. Set the TZ=standard_timezone. For example, you can specify TZ=MET. c. Save the TIMEZONE file. d. Reboot the machine.
Now the system displays the modified time zone information. If you need to change the time zone to daylight, you change only the time and date but not the TIMEZONE.
Q. How can I increase the timeout value of Cisco Prime LMS user interface? A. You can configure the timeout value in the following file.
NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml where NMSROOT is your Cisco Prime Installation directory. You should change the value of an XML tag by name session-timeout. You should specify the value in minutes. The default timeout value is set to 2 hours. You cannot disable this option as this may increase the load in the server.
Q. How should I change the syslog port of Cisco Prime from 514 to another number? A. You can change the syslog port by modifying the value of CrmLogPort registry key located under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmlog\Parameters. After you have changed the syslog port, you need to restart the syslog service.
B-21
Q. What should I do when Daemon Manager and multiple processes are not started on a Windows
machine?
A. Sometimes, Windows may prevent to run some processes for security reasons.
You should do the following on a Windows 2003 Operating system:

Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8
Right-click the My Computer icon on your desktop and click Properties to open the System Properties dialog box. Click the Advanced tab. Click Settings from the Performance panel to open the Performance Options dialog box. Click the Data Execution Prevention tab. Check whether the java.exe and cwjava.exe are available in the list of blocked programs. If so, remove the programs from the blocked list. Click OK to close the Performance Options dialog box. Click OK to close the System Properties dialog box. Reboot the server.
Q. I am getting timeout exception in cmdsvc (command service library) during a device
connection/socket establishment. How do I change the default timeout and delays in cmdsvc?
A. You can change the default timeout and delays in cmdsvc using the cmdsvc.properties file available
in the following directory: $NMSROOT/objects/cmf/data To change the default timeout and delay values:
Step 1 Step 2
Go to the directory $NMSROOT/objects/cmf/data Open the cmdsvc.properties file. Various timeout and delay values are listed in the file. Remove the Hash symbol (#) to uncomment a particular timeout or delay value. Remove the existing timeout or delay value. Enter new timeout or delay value. Save the cmdsvc.properties file.
Security
The following are the FAQs on LMS Security:

Q.When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This makes the process tedious. Is there a way to reduce the number of dialog boxes and steps? Q.When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a security alert related to the site's security certificate. It asks for my input to proceed further. Why? Q.My server certificate for Cisco Prime has expired. What should I do?
B-22
OL-20721-01
Appendix B
Q.I have configured the Active Directory Login Module but it does not work. How can I analyze the problem? Q.What are the minimum and maximum length of user account names? How do I control them? Q.What are the rules to enter a valid username and password? Q.Where is the SSL log present? Q.Why am I getting a 403 forbidden error while trying to access Cisco Prime pages?
Q. When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This
makes the process tedious. Is there a way to reduce the number of dialog boxes and steps?
A. Yes. You have the following options: If you are using Self-signed certificates in Internet Explorer, install the certificate in the
browsers trusted certificate stores, if you are confident about the identity of the server.
Use a server certificate issued by a prominent third party certificate authority (CA). Configure the hostname in your server certificate properly, and use the same hostname to invoke
Cisco Prime.
Q. When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a
security alert related to the site's security certificate. It asks for my input to proceed further. Why?
A. Cisco Prime does not have any control over this behavior. This is an expected browser behavior
(Microsoft Internet Explorer or Mozilla Firefox), to ensure proper security. This appears if any of the following conditions is not satisfied:
The certificate of the server (Cisco Prime Server in this case) must be issued by trusted
Certificate Authority.
The date of the certificate must be valid. (Each certificate is assigned a validity period. It can
range from 21 days to 5 years).

The name of the certificate and name of the page (or the name typed in the address bar of the
browser) are the same. To view the certificate information:

Click View Certificate, in the alert box for Internet Explorer. Click Examine Certificate in the alert box for Mozilla Firefox.
The server should be invoked with the name same as the Issued to' field of the certificate. To install the certificate in Internet Explorer:
Step 1
Click View Certificate in the alert box. The Certificate dialog box displays the Certificate information. Click Install Certificate.
Step 2
Q. My server certificate for Cisco Prime has expired. What should I do? A. If you are using a self-signed certificate, you can create a new certificate using the Create Self
Signed Certificate option. For more information, see Creating Self Signed Certificates. If you are using a third party issued certificate, you must contact the certificate authority (CA) and renew the certificate. You can use a self-signed certificate till you get the certificate renewed by the CA.
B-23
Note
Before you perform any certificate management operationscreating or modifying certificates, back up the certificate files, the server private key in particular, and keep them in a safe location.
Q. I have configured the Active Directory Login Module but it does not work. How can I analyze the
problem?
A. To analyze the problem, enable the Debug mode for the Active Directory Login module. To do this: Step 1 Step 2
Login as Admin. Select Admin > System > Authentication Mode Setup. The Select Login Module dialog box appears. Select a login module from the Available Login Modules list box and Click on Edit Options. The Login Module Options dialog box appears. Select the radio button True and click Finish. This enables the Debug option. Enabling debug mode allows the login module to add the detailed progress and failure information to log files. The log files are located at: NMSROOT/MDC/Tomcat/logs/stdout.log For all failed login attempts, the log files contain LDAP error messages, which specify the reason for the failure. For example, if the Usersroot configuration is incorrect, then the login module cannot match the complete DN string with any entries in the Active Directory database. It indicates which portion of the DN matched and which portion did not match. You can verify your Active Directory setup and the entries for the Usersroot. In some cases, the log file contains error messages with NameError. This indicates that either you entered a wrong user ID or there is some spelling error in the Usersroot configuration.
Step 3
Step 4
Q. What are the minimum and maximum length of user account names? How do I control them? A. The minimum length of a user account name is 5 characters. The maximum length of a user account
name is 255 characters. You can control the length of user account names using the Local User Policy Setup page. See Setting up Local User Policy for more information.
Q. What are the rules to enter a valid username and password? A. The username can contain the alphabets in lower and upper cases, numerals, hyphens (-),
underscores (_), periods (.), tilde (~), commercial At character (@), number sign (#), Apostrophe ('), solidus or leading slash (/), trailing slash (\), and space. The username should start with alphabets, numerals and underscore characters. The password can contain the alphabets, numerals, leading and trailing spaces, and any special characters. The length of username and password can span from 5 to 256 characters.
B-24
OL-20721-01
Appendix B
Q. Where is the SSL log present? A. The SSL log is present in the NMSROOT directory, where NMSROOT is your Cisco Prime
Installation directory.
Q. Why am I getting a 403 forbidden error while trying to access Cisco Prime pages? A. You should check whether the casuser is assigned with the required local security policies.
To check whether the casuser is assigned with the required policies:

Step 1 Step 2
Click Start > Settings > Control Panel> Administrative Tools. Click the Local Security Policy shortcut from the Administrative Tools folder. The Local Security Policy window opens. Click Local policies > User Rights Assignment in the Local Security Policy window. Check whether the casuser is assigned with the following privileges:

Step 3 Step 4
Access this computer from the network Log on as a batch job
If the casuser is not assigned with the required privileges, you should run the resetCasuser utility again. Enter the following commands to run the resetCasuser utility:

NMSROOT/CSCOpx/setup/support/resetCasuser (On Solaris/Soft Appliance) NMSROOT\CSCOpx\setup\support\resetCasuser.exe (On Windows)
where NMSROOT refers to the Cisco Prime Installation directory. The other possible solutions are:

Remove or disable the anti-virus software Restart Daemon Manager Uninstall or disable IIS Log on as a batch job Disable Cisco Security Agent Stop the Daemon Manager and check if there are any Apache or Tomcat processes running. If so, kill the stray processes from the Task Manager or stop them from the Services panel. Ensure that the casuser or administrator has the read permission for the CSCOpx, CSCOpx/MDC/tomcat/webapps/cwhp directories, and their inner directories.
Software Center
The following are the FAQs on Software Center:

Q.How do I find out which devices are supported by a particular application? Q.What are the prerequisites for downloading Software Updates from Cisco.com? Q.Does the Software Center list only the software updates that are not installed in this machine? Q.What should I do if I see errors when using Software Center or having issues with LMS not correctly working with supported devices?
B-25
Q. How do I find out which devices are supported by a particular application? A. Select Admin > System > Software Center > Software Update. Under Applications Installed,
click the application name to see a list of the supported devices. See Selecting Software Updates for more information.
Q. What are the prerequisites for downloading Software Updates from Cisco.com? A. You should check for the following: Valid Cisco.com credentials are configured during Server administration Valid proxy details are configured and Cisco Prime support basic authentication of proxy server.
See Downloading Software Updates for more information.

Q. Does the Software Center list only the software updates that are not installed in this machine? A. The Software Center module lists all software updates including those that are installed. However,
it performs the filtering for device updates.

Q. What should I do if I see errors when using Software Center or having issues with LMS not correctly
working with supported devices?

A. Under rare circumstances, internal LMS files that contain information on which device support
packages are installed and which devices are supported, become corrupted. If such files become corrupted, you may notice one or more of the following symptoms:
"HTTP 500" error occurs while trying to view package information from Admin > System >
Software Center > Device Update. One possible exception is: java.util.NoSuchElementException at java.util.StringTokenizer.nextToken(StringTokenizer.java:259) at com.cisco.nm.xms.psu.ui.gui.model.action.DevUpdate.getPackageMap(Unknown Source) at com.cisco.nm.xms.psu.ui.gui.model.action.DevUpdate.perform(Unknown Source)
The following errors will be seen in NMSROOT\log\psu.log:
[ <date time > ] ERROR range: -1 [CreateMaps : removeDupEntries] :String index out of
Devices shown as supported in "Supported Devices Table for CiscoWorks LAN Management
Solution" and may have been working previously, show as not supported/unknown and displays device icons in Device Selectors with a question mark (?) in one or more areas of LMS.
Various forms of Inventory/Configuration Collection from devices (Inventory > Dashboards
> Device Status > Collection Summary) fails for all devices of a particular model, but succeeds for other devices with identical configuration, yet different models.
Specific models of devices are not available in Device Selectors to have reports, jobs or other
functionality run on them, however Inventory Collection and/or Config Archive has succeeded for them. This is frequently seen with Configuration related functionality. To resolve such issues, you can run the NMSROOT/bin/reCreatePkgMap.pl script and recreate files which store information on which device support packages are installed and devices they support. Run the following script: NMSROOT/bin/perl NMSROOT/bin/reCreatePkgMap.pl (Solaris/Soft Appliance) or NMSROOT\bin\perl NMSROOT\bin\reCreatePkgMap.pl (Windows)
B-26
OL-20721-01
Appendix B
where NMSROOT is your Cisco Prime installation directory. If issues persist after running this script, contact the Cisco Technical Asssistance Center for further assistance.
Event Distribution Services and Event System Services

The following are the FAQs on Event Distribution Services and Event System Services:

Q.How do I change the ESS port? Q.Why do the EDS process is not starting? Q.How should I configure EDS in a multi-homed machine?
Q. How do I change the ESS port? A. You can change the ESS port by running the following commands: NMSROOT/objects/ess/conf/Ports2Alternate.pl NMSROOT/objects/ess/conf/Ports2Primary.pl
where NMSROOT is the default installation directory of Cisco Prime.

Q. Why do the EDS process is not starting? A. You should check: If the hostname is correct and is not changed recently. If the osagent is in use in port 42342.
B-27
If the osagent is not in use, you should:

Step 1 Step 2
Stop the Daemon Manager. Run the ChangeOSAGENTPort.pl script to change the port number. Enter the following command: NMSROOT/bin/perl NMSROOT/bin/ChangeOSAGENTPort.pl Port_number where, NMSROOT Cisco Prime Installation directory Port_number Osagent port Restart the Daemon Manager.
Step 3
Q. How should I configure EDS in a multi-homed machine? A. To run Cisco Prime LMS and configure EDS on a multi-homed machine, you must all the IP
Addresses in DNS.
Q. Sometimes, I am not able to access CORBA services in Cisco Prime LMS Server from other
network?
A. This could because the domain name of the Cisco Prime LMS server may not be resolved.
To access the CORBA services in a server that is not DNS resolvable, you must:
Change the value of attribute jacorb.dns.enable in orb.properties file from on to off. Regenerate the self-signed certificate with IP address instead of hostname. Restart the Daemon Manager.
Backup and Restore

The following are the FAQs on Backup and Restore:

Q.What kind of directory structure does Cisco Prime use when backing up data? Q.What should I do when backup fails and displays a Backup.LOCK file exists error message? Q.Do I need to stop the Daemon Manager before running backup.pl and restorebackup.pl scripts?
Q. What kind of directory structure does Cisco Prime use when backing up data? A. Cisco Prime uses a standard database structure for backing up all suites and applications. See
Table B-5 for a sample directory structure on Cisco Prime LMS Server.
Table B-5 Sample Backup Directory
Directory Path /tmp/1 /tmp/2/cmf
Description Number of backups Application or suite
Usage Notes 1, 2, 3... Backs up Cisco Prime LMS Server applications.
B-28
OL-20721-01
Appendix B
Table B-5
Sample Backup Directory (continued)
Directory Path
Description
Usage Notes Application data is stored in the datafiles.txt which are compiled into the tar file. Includes the following files for each database:

/tmp/1/cmf/fileb Cisco Prime LMS Server ackup.tar application tar files /tmp/1/cmf/data base Cisco Prime LMS Server database directory
xxx_DbVersion.txt xxx.db (database files) xxx.log (database log files) xxx.txt (database backup manifest file)
where xxx is the name of the database.

Q. What should I do when backup fails and displays a Backup.LOCK file exists error message? A. You should try removing the Backup.LOCK file from the Cisco Prime installation directory and start
backup again. You can use the CLI program to back up the data. See Backing up Data Using CLI for more information.
Q. Do I need to stop the Daemon Manager before running backup.pl and restorebackup.pl scripts? A. Daemons should be stopped only before you run restorebackup.pl scripts. You need not stop the
Daemon Manager to run the backup.pl scripts. See Backing up Data Using CLI and Restoring Data for more information.
Database
The following are the FAQs on Database:

Q.How can I find the version of a Sybase Database? Q.What if the database is inaccessible?
Q. How can I find the version of a Sybase Database? A. Run the following command:
opt/CSCOpx/objects/db/bin64/dbsrv10 v
Q. What if the database is inaccessible? A. If the server is not able to connect to the database, the database might be corrupt or inaccessible.
This can occur if processes are not running. Try the following:
Step 1 Step 2
Log in to Cisco Prime LMS server as admin. Select Admin > System > Server Monitoring > Processes. A list of Cisco Prime back-end processes appears. You can check if there are any failed process appear in the list. Select Admin > System > Server Monitoring > Selftest.

Step 3
Click Create to create a report. Click Display to display the report.
B-29
Select Admin > System > Server Monitoring > Collect Server Information. Click Product Database Status to get detailed database status. Contact the Cisco TAC or your customer support to get the information you need to access the database and find out details about the problem. After you have the required information, perform the following tasks for detecting and fixing database errors.
Depending upon the degree of corruption, the database engine may or may not start. For certain corruptions, such as bad indexes, the database can function normally until the corrupt index is accessed. Database corruptions, such as index corruptions, can be detected by the dbvalid utility, which requires the database engine to be running. To detect database corruption:
Step 1 Step 2
Log on as root (on Solaris/Soft Appliance) or with administrator privileges (on Windows). Stop the Daemon manager if it is already running:

/etc/init.d/dmgtd stop net stop crmdmgtd
(on Windows)
Step 3
Make sure no database processes are running and there is no database log file. For example, if the database file is /opt/CSCOpx/databases/rme/rme.db, the database log file is /opt/CSCOpx/databases/rme/rme.log. This file is not present if the database process shuts down cleanly.
Step 4 Step 5
Check if the database files and the transaction log file (*.log) are owned by user casuser if you use Solaris machines. If not, change the ownership of these files to user casuser and group casusers. Run the commands on the command prompt:
cd
NMSROOT/objects/db/conf
NMSROOT/bin/perl configureDb.pl action=validate dsn=cmf The dbvalid command displays a list of tables being validated. The Validation utility scans the entire table, and looks up each record in every index and key, defined on the table. If there are errors, the utility displays a message such as:
Validating DBA.xxxx run time SQL error -- Foreign key parent_is has invalid or duplicate index entries 1 error reported
If the above command reports any error, you may try:
Restoring from a previous good backup or Reinitializing database
Caution
All the current data will be lost.
To do this, you have to run the following command: NMSROOT\bin\perl NMSROOT\bin\dbRestoreOrig.pl dsn=dsn dmprefix=dmprefix
B-30
OL-20721-01
Appendix B
For LMS, dsn is cmf and dmprefix is Cmf.
Apache and Tomcat

The following are the FAQs on Apache and Tomcat:

Q.How do I avoid the SSL port conflict between HPOV and LMS servers and run them both on the same system? Q.Why does the Apache process not come up after installation or why does the process go down suddenly? Q.How do I change web server port numbers? Q.How should I enable or disable web server SSL mode from the command line? Q.How do I increase Tomcat heap size? Q.How do I validate a Server certificate? Q.How do I modify a certificate which is not self-signed? Q.What is the maximum number of connections allowed by Cisco Prime to access the web interface? Q.What version of Tomcat is installed on my server?
Q. How do I avoid the SSL port conflict between HPOV and LMS servers and run them both on the
same system?
A. The new installer detects IIS web server running on the machine and prompts you to enter a different
port number for Cisco Prime LMS Server to avoid the conflict.
Q. Why does the Apache process not come up after installation or why does the process go down
suddenly?
A. This could be a problem with the Apache configuration syntax or the validity of the server
certificate. You should first check the Apache configuration syntax. To do this: On Windows: Go to NMSROOT\MDC\Apache\bin and run the command Apache.exe -t -d .
Note
Do not omit the . On Solaris/Soft Appliance: Go to NMSROOT/MDC/Apache/bin and run the command ./web_server t If the Apache configuration syntax is correct, a message appears:
Syntax OK
If the Apache configuration syntax is fine, check the validity of the Server Certificate using the SSL Utility Script.
B-31
Q. How do I change web server port numbers? A. To change the web server port numbers, you must run separate commands for both Windows and
Solaris. On Solaris: You can change the web server port numbers for the webservers. You can also change both the HTTP and HTTPS port numbers. To change the port numbers you must login as Cisco Prime LMS Server administrator, and run the following command at the prompt: NMSROOT/MDC/Apache/bin/changeport If you run this command without any command line parameter, Cisco Prime displays:
*** CiscoWorks Webserver port change utility *** Usage: changeport <port number> [-s] [-f]
where port numberThe new port number that should be used

-sChanges -fForces
the SSL port instead of the default HTTP port
port change even if Daemon Manager detection FAILS.
Note
Do not use this option by default. Use it only when Cisco Prime instructs you to.
For example, you can enter:

changeport 1744Changes
the Cisco Prime web server HTTP port to use 1744.
Or,
changeport
port number -sChanges the Cisco Prime web server HTTPS port to use the specified port
number. If you change the port after installation, Cisco Prime will not launch from Start menu (Start > Programs > CiscoWorks > CiscoWorks). You have to manually invoke the browser, and specify the URL, with the changed port number. The restrictions that apply to the specified port number are:

Port numbers less than 1026 are not allowed. However, you can use 443 as the HTTPS port number. The specified port should not be used by any other service or daemon. The utility checks for active listening ports, and ports listed in /etc/services. If there is any conflict, it rejects the specified port. The port number must be a numeric value in the range 1026 65535. Values outside this range, and non-numeric values are not allowed. If port 443 is specified for any of the web servers, that web server process is started as root. This is because ports lower than 1026 are allowed to be used only by root in Solaris. However, according to Apache behavior, only the main web server process run as root, and all the child processes run as casuser:casusers. Only the child processes serve the external requests. The main process that runs as root monitors the child processes. It does not accept any HTTP requests. Owing to this, Apache ensures that a root process is not exposed to the external world, and thus ensures security.
If you do not want Cisco Prime processes to run as root, do not use the port 443. When you run the utility with the appropriate options, it displays messages on the tasks it performs.
B-32
OL-20721-01
Appendix B
This utility lists all the files that are being updated. Before updating, the utility will back up all affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories. It also creates a new file called index.txt. This text file contains information about the changed port, a list of all the files that are backed up, and their actual location in the Cisco Prime directory.
If you do not want Cisco Prime processes to run as root, do not use the ports 80 and 443. When you run the utility with the appropriate options, it displays messages on the tasks it performs. This utility lists out all the files that are being updated. Before updating, the utility will back up all affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories. It also creates a new file index.txt. This text file contains information about the changed port and a list of all files that are backed up and their actual location in the Cisco Prime directory.
A sample backup maybe similar to:

/opt | `--/CSCOpx | `--/conf | `--/backup | |--README.txt (Note the purpose of this directory as it is initially empty) | `--/AAAtpaG03_Ciscobak (Autogenerated unique backup directory). | |--index.txt (The backup file list) |--httpd.conf (Webserver config file) |--md.properties (CiscoWorks config elements) |--mdc_web.xml (Common Services application config file) |--regdaemon.key (Common Services config registry key file) |--regdaemon.xml (Common Services config registry data file) |--rootapps.conf (CiscoWorks daemons using privileged ports) |--services (The system /etc/services file) `--ssl.properties (CiscoWorks config elements for SSL mode)
Note
All of the above files and the unique directories are stored with read only permission to casuser:casusers. To ensure the security of the backup files, only the Cisco Prime LMS Server administrator has write permissions. The change port utility displays messages to the console during execution. These messages contain information about the directory where the backup files are being stored. These messages are also logged to a file, changeport.log. This file is saved to the directory: /var/adm/CSCOpx/log/changeport.log This file contains the date and time stamps to indicate when the log entries were created. On Windows: You can change the web server port numbers for the LMS Webserver. You can also change both the HTTP and HTTPS port numbers. To change the port numbers you must have administrative privileges. Run the following command at the prompt: NMSROOT\MDC\Apache\changeport.exe
B-33
If you run this utility without any command line parameter, Cisco Prime displays the following usage text:
*** Common Services Webserver port change utility *** Usage: changeport <port number> [-s] [-f]
where: port numberThe new port number that should be used

-sChange -fForce
the SSL port instead of the default HTTP port
port change even if Daemon Manager detection fails.
Note
Do not use this option by default. Use it only when Cisco Prime instructs you to.
For example, you can enter:

changeport 1744To
change the Cisco Prime web server HTTP port to use 1744.
Or,
changeport
port number -sChanges the Cisco Prime web server HTTPS port to use the specified port
number. If you change the port after installation, Cisco Prime will not launch from Start menu (Start > Programs > CiscoWorks > CiscoWorks). You have to manually invoke the browser and specify the URL, with the changed port number. The restrictions that apply to the specified port number are:

Port numbers less than 1026 are not allowed. However, you can use 443 as the HTTPS port number. The specified port should not be used by any other service or daemon. The utility checks for active listening ports, and if any conflict is found, the utility rejects the specified port. There is no reliable way to determine whether any other service or application is using a specified port. If the service or application is running and actively listening on a port, it can be easily detected. However, if the service is currently stopped, there is no way that the utility can determine what port it uses. This is because on Windows there is no common port registry equivalent to /etc/services as in Solaris.
The port number must be a numeric value in the range 1026 65535. Values outside this range, and non-numeric values are not allowed.
When you run the utility with the appropriate options, it displays messages on the actions it is performing.Cisco Prime It lists out all the files that are being updated. Before updating, the utility backs up all the affected files in CSCOpx\conf\backup, and creates, appropriate, unique, sub-directories. It also creates a new file called index.txt. This text file contains information about the changed port, a list of all the files that are backed up, and their actual location in the Cisco Prime directory. A sample backup may be similar to:
[drive:] | `--\Program Files | `--\CSCOpx | `--\conf |
B-34
OL-20721-01
Appendix B
`--\backup | |--README.txt (Notes the purpose of this dir as it is initially empty) | `--\skc03._Ciscobak (Autogenerated unique backup directory). | |--index.txt (The backup file list) |--httpd.conf (Webserver config file) |--md.properties (CiscoWorks config elements) |--mdc_web.xml (Common Services application config file) |--regdaemon.key (Common Services config registry key file) |--regdaemon.xml (Common Services config registry data file) `--ssl.properties (CiscoWorks config elements for SSL mode)
Note
All the above files and the unique directories are stored with read only permissions. Only the administrator and casuser have write permissions, to ensure the security of the backup files. The change port utility displays messages to the console during execution. These messages contain information about the directory where the backup files are being stored. These messages are also logged to a file, changeport.log. This file is saved to the directory: NMSROOT\log\changeport.log This log file contains the date and time stamps to indicate when the log entries were created.
Q. How should I enable or disable web server SSL mode from the command line? A. To enable or disable the web server SSL mode:
Step 1 Step 2
Stop the Daemon Manager. Run the ConfigSSL.pl script. Enter the commands:

NMSROOT/bin/perl ConfigSSL.pl -enable (to enable the web server SSL mode from the command line) NMSROOT/bin/perl ConfigSSL.pl -disable (to disable the web server SSL mode from the command line)
Step 3
Start the Daemon Manager.
Q. How do I increase Tomcat heap size? A. To increase Tomcat heap size: Step 1
Stop the Daemon Manager.
On Solaris/Soft Appliance: Run /etc/init.d/dmgtd stop On Windows: Run net stop crmdmgtd
Step 2
Run NMSROOT/bin/perl NMSROOT/bin/ModifyTomcatHeap.pl max heap in MB
B-35
Step 3
Start the Daemon Manager.
On Solaris/Soft Appliance: Run /etc/init.d/dmgtd stop On Windows: Run net start crmdmgtd
If Tomcat is already configured for higher memory than what you specify when you run the command, the following message is displayed:
INFO: Tomcat is already configured with a higher heap value.
Q. How do I validate a Server certificate? A. To do this: Step 1
Navigate to the directory where the SSL Utility Script is located. On Windows:
a. b.
Go to NMSROOT\MDC\Apache Enter NMSROOT\bin\perl SSLUtil.pl Go to NMSROOT/MDC/Apache/bin Enter NMSROOT/bin/perl SSLUtil.pl
a. b.
After you have entered this command, the system displays a set of options.
Step 2 Step 3
Select the fourth option Verify the input Certificate/Certificate Chain by entering 4. Enter the location of the server certificate NMSROOT/MDC/Apache/conf/ssl/server.crt The script verifies if the server certificate is valid. If the script reports errors during validation and verification, you have to regenerate the certificate by running SignTool.pl from the above directory.
Step 4
Enter NMSROOT/bin/perl SignTool.pl [-SSL=true | -SSL=false]
Note
NMSROOT is the directory where Cisco Prime is installed.
Q. How do I modify a certificate which is not self-signed? A. LMS does not allow modifying certificates other than the self-signed certificates. Q. What is the maximum number of connections allowed by Cisco Prime to access the web interface? A. Tomcat, the servlet engine, shipped with Cisco Prime handles a maximum of 500 connections or http
requests.
B-36
OL-20721-01
Appendix B
Q. What version of Tomcat is installed on my server? A. To find out the version of Tomcat installed on your server, you should: Step 1 Step 2 Step 3 Step 4
Navigate to the NMSROOT/MDC/tomcat/server/lib directory. Unzip the catalina.jar file available in this directory. Navigate to the location where you have extracted this jar file. Open the Serverinfo.properties file under the orgapachecatalinautil directory. This file displays the version of Tomcat installed on the Cisco Prime LMS Server.
Fault Management FAQs

The following section lists the frequently asked questions about Fault Management.

Q.How do I enable Incharge debugging, and execute Incharge commands? Q.What is the difference between SNMP Raw Trap Forwarding and Processed SNMP Trap alert/event Trap Forwarding? Does LMS support both of these methods? Q.How can I receive Syslog messages from the LMS server? Q.How can I create a link to the Java Plug-in in Netscape7.x and Mozilla 1.7.x?
Q. How do I enable Incharge debugging, and execute Incharge commands? A. Select Admin > System > Debug Settings > Fault Debugging Settings. The Fault Debugging
Settings page appears. Click the Enable Incharge Debugging, and execute Incharge Commands link. See, Enable Incharge Debugging for more information.
Q. What is the difference between SNMP Raw Trap Forwarding and Processed SNMP Trap alert/event
Trap Forwarding? Does LMS support both of these methods?

A. Yes, LMS supports both ways of Trap forwarding.
Raw Trap is forwarded by the Device to Fault Management and Fault Management has to process it. To configure Raw Trap Forwarding, select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding. When LMS receives certain SNMP traps, it analyzes the data found in fields such as Enterprise/Generic trap identifier, Specific Trap identifier, and variable-bindings of each SNMP trap message. If needed, LMS changes the property value of the object property. These are Processed Traps. To configure Processed event/alert trap forwarding, select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding. This configuration can also send trap notifications if there is a threshold violation in the LMS managed devices. For more information, refer to the Monitoring and Troubleshooting with Cisco Prime LAN Management Solution 4.1
B-37
Q. How can I receive Syslog messages from the LMS server? A. To receive Syslog messages from a LMS server: Step 1 Step 2
Enable Syslog from Admin > Network > Notification and Action Settings > Fault - Syslog notification Point it to any Solaris machine and run the following:

/etc/init.d/syslog start tail -f /var/adm/messages
Q. How can I create a link to the Java Plug-in in Netscape7.x and Mozilla 1.7.x? A. Create a symbolic link to the Java Plug-in libjavaplugin_oji.so file in the Netscape 6.x/7.x or Mozilla
Plugins directory. To create the link, go to the command prompt and enter:
Step 1 Step 2
cd /plugins ln -s /plugin/sparc/ns610/libjavaplugin_oji.so
Include the period at the end. For Netscape 6.x/7.x or Mozilla browsers, restart your browser. In Netscape, go to Help > About Plug-ins to confirm that the Java Plug-in is loaded.
Device Performance Management FAQs

Q. Can I set log levels for individual application modules? Where are these log files stored? A. Yes. You can set log levels for all Device Performance Management modules. Log files are stored
at these locations:

On Windows: NMSROOT\log\, where NMSROOT is the Cisco Prime DPM installation directory. On Solaris/Soft Appliance: /var/adm/CSCOpx/log/ Report specific logs are stored under DPMReportJobs under the log directory.
B-38
OL-20721-01
Appendix B
IPSLA Performance Management FAQs

This section provides the FAQs on IPSLA Performance Management:

Q.How can I enable debugging in IPSLA Performance Management? Q.I have problems while migrating the IPSLA Performance Management data. What should I do?
Q. How can I enable debugging in IPSLA Performance Management? A. Do the following: Step 1
Select Admin > System > Debug Settings > IPSLA Debugging Settings. The IPSLA Debugging Settings page appears. Select the module and log level from the Module and Logging Level drop-down lists. The various log levels available are FATAL, ERROR, WARN, INFO, and DEBUG. Click Apply.
Step 2
Step 3
Q. I have problems while migrating the IPSLA Performance Management data. What should I do? A. Check the following log files for information: restorebackup.log migration.log ipmclient.log ipmserver.log
B-39
A P P E N D I X

Cisco Prime Data Extraction Engine (DEE) is a utility to export User Tracking, Topology, and Discrepancy application data. This utility provides servlet and command line access to User Tracking, Topology and Discrepancy) and allows you to extract data in Extensible Markup Language (XML) format. This chapter contains:

Overview of Data Extraction Engine The cmexport Command cmexport User Tracking cmexport Topology Command cmexport Discrepancy Command cmexport Manpage
Overview of Data Extraction Engine

Data Extraction Engine (DEE) is a utility that provides servlet access to User Tracking, Layer 2 topology, and discrepancy data. It also includes a command line utility that you can use to fetch user tracking data, Layer 2 topology, and discrepancy data for devices discovered by LMS server. This utility supports the following features:
Generating user tracking data in XML format: Allows you to access servlet and command line utilities that can generate user tracking data for devices discovered by LMS Server.
Generating Layer 2 topology data in XML format: Allows you to generate the latest Layer 2 topology data including information on neighbor devices. Elements in XML file are created at the device level.
Generating discrepancy data in XML format: Allows you to use discrepancy APIs to retrieve latest discrepancy data from LMS server.
C-1
Appendix C The cmexport Command
Archiving XML Data: Data generated through CLI is archived at the following locations:
Table C-1
Data Archive Locations
For User Tracking Layer 2 Topology Discrepancy
Location PX_DATADIR/cmexport/ut/timestamput.xml PX_DATADIR/cmexport/L2Topology/ timestampL2Topology.xml PX_DATADIR/cmexport/Discrepancy/ timestampDiscrepancy.xml
where PX_DATADIR is either %NMSROOT%/files folder (on Windows) or /var/adm/CSCOpx/files directory (on Solaris/Soft Appliance). NMSROOT is the directory where you installed LMS; timestamp is the time at which the log was written in YearMonthDateHourOfDayMinuteSecond format. You can also specify a directory to store the output. This utility does not delete the files created in the archive. You should delete these files when necessary. While generating data through the servlet, the output appears at the client terminal.
Generating user tracking and configuration data in XML format using the Servlet: Allows you to generate and download the user tracking, topology and discrepancy XML files using the servlet. You must upload a payload XML file, which contains the cmexport and utexport command options and Cisco Prime user credentials. You should write your own script to invoke the servlet with a payload of this XML file. If the credentials are correct and options are valid, the servlet returns the exported file in XML format.
The cmexport Command

cmexport is the Cisco Prime LMS command line interface for exporting discrepancy and Layer 2 topology data details into XML format. This section contains the following topics:

Running cmexport Command cmexport Arguments and Options
Running cmexport Command


Command Line Syntax Commands
C-2
OL-20721-01
Appendix C
Data Extraction Engine The cmexport Command
Command Line Syntax
The command line syntax of the utility is in the following format:

cmexport
command arguments options
where:

cmexport
is the Cisco Prime LMS command line interface for exporting User Tracking, Layer 2 topology, and discrepancy data details into XML format.
command specifies the core operation that is to be performed. arguments are the additional parameters required for each core command. options are the optional parameters, which modify the behavior of the specific DEE core command.
The order of the arguments and options are not important. However, you must enter the core command immediately after cmexport.
Commands
Table C-2 lists the command part of the cmexport syntax.

Table C-2 Command Descriptions
Core Command
ut l2topology discrepancy
Description Generates User Tracking data in XML format. Generates layer 2 topology data in XML format. Generates discrepancy data in XML format.
You must invoke the cmexport command with one of the core commands specified in the above table. If you do not specify any core commands, cmexport can only execute the -v or -h options:

Option -v displays the version of the cmexport utility Option -h (or null option) lists the usage information for this utility.
cmexport Arguments and Options


Mandatory Arguments Optional Arguments Function-Specific Options Displaying Help Uses of cmexport
C-3
Appendix C The cmexport Command
Mandatory Arguments
The arguments that must be specified with all functions are:

-u -p
userid: Specifies the Cisco Prime userid. password: Specifies the password for Cisco Prime userid. store your userid and password in a file and set a variable CMEXPORTFILE which points to this file.
If you want to avoid the -p option, which will reveal the password in clear text in CLI, you must
You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the full path.
If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken
from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option. You must enter the password in the file in the following format: userid password where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space. You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. If there are duplicate entries the password that matches the first user name is considered.
Note
If -p password is used, the password is read from the command line instead of CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
Optional Arguments
The arguments you can specify with any function are:
-d
debuglevel
Sets the debug level based on which debug information is printed. There are two levels of debuggingTRACE and DEBUG. If you do not specify the -d option, logging will not occur.
-l
logfile
Logs the results of the cmexport command to the specified log file name. By default the command output is displayed in the standard output.
C-4
OL-20721-01
Appendix C
Data Extraction Engine The cmexport Command
Function-Specific Options
DEE supports the following function-specific option:
-f
filename
If used with:
User Tracking function Specifies the name of the file to which the user tracking information is to be exported. Topology function Specifies the name of the file to which the layer 2 topology information is to be exported. Discrepancy function Specifies the name of the file to which the discrepancy information is to be exported.
Displaying Help
To display help for cm export Enter the following at a CLI prompt: cmexport -h. This displays a list of options for cmexport. On Solaris, you can also enter the following at a CLI prompt:
man cmexport
Uses of cmexport
If you enter:
cmexport ut
{u userid} p password host -f filename.xml
User Tracking XML output for host will be generated and it is stored in the file filename.xml. If you want to export the latest topology details for all Layer 2 devices enter:
cmexport L2Topology {u
userid} p password -f filename.xml
If you want to export the latest discrepancy details, enter:

cmexport Discrepancy { u
userid} p password -f filename.xml
Notations
The notations followed in describing the command line arguments are explained below: {argument}Argument is a mandatory parameter. [argument]Argument is an optional parameter. argumentArgument is a variable. argument 1 | argument 2Either argument 1 or argument 2 may be specified but not both. Table C-3 lists the notations part of the cmexport syntax.
C-5
Appendix C cmexport User Tracking
Table C-3
Notations Descriptions
Command
ut
Description
cmexport ut {-u userid} [ -p password ] -host [ host-options ] | -phone [ phone-options ] [ options ]
l2topology discrepancy
{-u userid} [-p password] [-f filename] {-u userid} [-p password] [-f filename] [-v | -h] the version of the cmexport utility.
empty
-vDisplays -hLists
the options available and function of each option.
cmexport User Tracking

This topic describes the cmexport User Tracking command, and the various options available to you. It contains the following sections:

Name Synopsis Description Mandatory Arguments Accessing Help Examples
Name
cmexport ut:
CiscoWorks cmexport user tracking function
Synopsis
cmexport ut: { -u
userid} [ -p password ] -host [ host-options ] | -phone [ phone-options ] [ options ]
C-6
OL-20721-01
Appendix C
Data Extraction Engine cmexport User Tracking
Table C-4
Command Descriptions
Argument host-options
Can be one of the Following -query queryname -query queryname -view viewname -layout layoutname -layoutlayoutname -view viewname -query queryname -layout layoutname -query queryname -layout layoutname -view viewname
phone-options
-queryPhone
queryname
-layoutPhone layoutname
-queryPhone
queryname --layoutPhone layoutname
options
-f filename
-d
debuglevel
-l logfile
Description
User Tracking (specified by ut) exports the user tracking data into an XML file based on a predefined schema.
Mandatory Arguments
The options that must be specified with the cmexport ut function are:

-u -p
userid: Specifies the Cisco Prime userid. password: Specifies the password for Cisco Prime userid.
If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store your userid and password in a file and set a variable CMEXPORTFILE which points to this file. You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the full path. If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option. The password must be provided in the file in the following format: userid password where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space.
C-7
Appendix C cmexport User Tracking
You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. The password that matches the first user name is considered in case of duplicate entries.
Note
-host:
Specifies host data to be exported. Specifies phone data to be exported.
-phone:
Options
The options you can specify with the ut function are:
-d
debuglevel
Sets the debug level based on which debug information is printed. There are two levels of debuggingTRACE and DEBUG. If you do not specify the -d option, no logging will occur.
-l
logfile
Logs the results of the cmexport command to the specified logfile name. By default the command output will be displayed in the standard output.
-f
filename
The file option specifies the filename where the XML output is to be stored. If the filename is not specified with -f option, an XML file of the format timestamput.xml is stored in the following directory: PX_DATADIR/cmexport/ut
-view Specifies the format in which the user tracking XML data is to be presented. It supports two optional arguments:
a. switch: User Tracking data is displayed based on the type of switch. b. subnet: User Tracking data is displayed based on the subnet in which they are present.
The -view options are not case sensitive.
-query queryname User Tracking host data is exported in XML format for the query provided in queryname. This option must be used with the -host argument. For this option:
Create a Custom report for end hosts from the mega menu:
Reports > Report Designer > User Tracking > Custom Reports.
Use the Custom report name as a value here.
-layout layoutname User Tracking host data is exported in XML format for the layout provided in layoutname. This option must be used with the -host argument. For this option:
Create a Custom layout for end hosts in the following screen:
Reports > Report Designer > User Tracking > Custom Layouts.
Use the Custom layout name as a value here.
C-8
OL-20721-01
Appendix C
Data Extraction Engine cmexport Topology Command
-queryPhone queryname User Tracking phone data is exported in XML format for the query given in queryname. This option must be used with the -phone argument. For this option:
Create a Custom report for IP phones in the following screen:
Reports > Report Designer > User Tracking > Custom Reports.
Use the Custom report name as a value here.
-layoutPhone layoutPhone User Tracking phone data is exported in XML format for the layout given in layoutPhone. This option must be used with the -phone argument. For this option:
Create a Custom layout for IP phones in the following screen:
Reports > Report Designer > User Tracking > Custom Layouts.
Use the Custom layout name as a value here.
Accessing Help
Enter the following in the CLI:

cmexport -h:
Displays a list of options for cmexport. Displays a list of options for the cmexport ut command.
cmexport ut -h:
On Solaris, you can also enter the following in the CLI:

man cmexport
Examples
Considering userid: admin, password: admin, queryname: host1Query, layoutname: host1Layout, queryphone: phone1Query, layoutphone: phone1Layout, filename: file1.xml, we can have the following:
cmexport cmexport cmexport cmexport cmexport cmexport cmexport ut ut ut ut ut ut ut -u -u -u -u -u -u -u admin admin admin admin admin admin admin -p admin -host -p admin -phone -p admin -host -query host1Query -layout all -p admin -host -query host1Query -layout layoutname -p admin -phone -queryPhone phone1Query -layoutPhone phone1Layout -p admin -host -f file1.xml -view switch -host
cmexport Topology Command


Name
cmexport
L2Topology: CiscoWorks cmexport layer 2 topology function
C-9
Appendix C cmexport Topology Command
Synopsis
cmexport l2topology
{-u userid} [ -p password ] [ options ]
Table C-5
Command Description
Argument options
can be one of the following -f filename -d debuglevel -l logfile
where cmexport l2topology -h lists the options available and function of each option.
Description
Layer 2 Topology (specified by l2topology) exports the Layer 2 topology data into an XML file based on a predefined schema.
Mandatory Arguments
The options that you must specify with the cmexport L2Topology function are: The options that you must specify with the cmexport L2Topology function are:

-u -p
userid: Specifies the Cisco Prime user ID. password
Specifies the password for Cisco Prime user ID. If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store your userid and password in a file and set a variable CMEXPORTFILE which points to this file. You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the full path. If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option. The password must be provided in the file in the following format: userid password where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space.
C-10
OL-20721-01
Appendix C
Data Extraction Engine cmexport Topology Command
You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. The password that matches the first user name is considered in case of duplicate entries.
Note
Options
The options you can specify with the layer 2 topology function are:
-d
debuglevel
-l
logfile
Logs the results of the cmexport command to the specified logfile name. By default the command output will be displayed in the standard output.
-f
filename
The file option specifies the filename where the XML output is to be stored. If the filename is not specified with -f option an XML file of the format timestampL2Topology.xml is stored in the following directory: PX_DATADIR/cmexport/L2Topology
Accessing Help

cmexport -h:
Displays a list of options for cmexport. Displays a list of options for the cmexport l2topology command.
cmexport l2topology -h:
On Solaris, you can also enter the following at a CLI:

man cmexport
Examples
Considering userid: admin, password: admin, filename: file1.xml, you can have the following:
cmexport L2Topology -u admin -p admin cmexport L2Topology -u admin -p admin -f file1.xml cmexport L2Topology -u admin -l file.log
C-11
Appendix C cmexport Discrepancy Command
cmexport Discrepancy Command


Name
cmexport Discrepancy:
CiscoWorks cmexport Discrepancy function.
Synopsis
cmexport discrepancy
{-u userid} [ -p password ] [ options ]
where
Table C-6 Command Description
Argument options
Can be one of the Following -f filename -d debuglevel -l logfile
cmexport discrepancy -help
lists the options available and the function of each option.
Description
Discrepancy (specified by Discrepancy) exports the Discrepancy data into an XML file based on a predefined schema.
Mandatory Arguments
The options that you must specify with the cmexport Discrepancy function are:

-u -p
userid: Specifies the Cisco Prime userid. password
Specifies the password for Cisco Prime userid. If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store your userid and password in a file and set a variable CMEXPORTFILE which points to this file. You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the full path. If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
C-12
OL-20721-01
Appendix C
Data Extraction Engine cmexport Discrepancy Command
The password must be provided in the file in the following format: userid password where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space. You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. The password that matches the first user name is considered in case of duplicate entries.
Note
Options
The options you can specify with the Discrepancy function are:
-d
debuglevel
-l
logfile
Logs the results of the cmexport command to the specified log file name. By default the command output will be displayed in the standard output.
-f
filename
The file option specifies the filename where the XML output is to be stored. If the filename is not specified with -f option an XML file of the format timestampDiscrepancy.xml is stored in the following directory: PX_DATADIR/cmexport/Discrepancy
Accessing Help

cmexport -h:
Displays a list of options for cmexport. Displays a list of options for the cmexport discrepancy command.
cmexport discrepancy -h:

man cmexport
Examples
Considering userid: admin, password:admin, filename: file1.xml, you can have the following:
cmexport Discrepancy -u admin -p admin cmexport Discrepancy -u admin -p admin -f file1.xml cmexport Discrepancy -u admin -d 2
C-13
Appendix C cmexport Manpage
cmexport Manpage
This sections contains:

Command Line Syntax Commands Arguments and Options Accessing Help
Command Line Syntax

The command line syntax of the utility is in the following format:
cmexport
command arguments options
where:

cmexport
is the Cisco Prime LMS command line interface for exporting User Tracking, Layer 2 topology, and discrepancy data details into XML format.
command specifies the core operation that is to be performed. arguments are the additional parameters required for each core command. options are the optional parameters, which modify the behavior of the specific DEE core command.
The order of the arguments and options is not important. However, you must enter the core command immediately after cmexport.
Commands
Table C-7 Command Description
Core Command ut l2topology discrepancy
Description Generates User Tracking data in XML format. Generates Layer 2 topology data in XML format Generates discrepancy data in XML format
You must invoke the cmexport command with one of the core commands specified in the above table. If no core command is specified, cmexport can execute the -v or -h options only:

Option -v displays the version of the cmexport utility. Option -h (or null option) lists the usage information of this utility.
C-14
OL-20721-01
Appendix C
Data Extraction Engine cmexport Manpage
Arguments and Options

This sections contains:

Mandatory Arguments Function-Specific Options
Mandatory Arguments
The options that must be specified with all functions are:
-u
userid: Specifies the Cisco Prime userid.
Optional Arguments The options you can specify with any function are:
-p
password
Specifies the password for Cisco Prime userid. If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store your userid and password in a file and set a variable CMEXPORTFILE which points to this file. You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the full path. If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option. The password must be provided in the file in the following format: userid password where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space. You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. The password that matches the first user name is considered in case of duplicate entries.
Note
-d
debuglevel
-l
logfile
Logs the results of the cmexport command to the specified log file name. By default the command output will be displayed in the standard output.
C-15
Appendix C DEE Developers Reference
Function-Specific Options
The following function-specific option is supported
-f
filename
If used with the:

User Tracking functionSpecifies the name of the file to which the user tracking information is to be exported. Topology functionSpecifies the name of the file to which the layer 2 topology information is to be exported. Discrepancy functionSpecifies the name of the file to which the discrepancy information is to be exported.
Accessing Help

cmexport -h:
Displays a list of options for cmexport. Displays a list of options for the cmexport command.
cmexport command -h:

man cmexport
DEE Developers Reference

The cmexport command exports data to XML format, as per the schema defined. When you need data only for a few columns, remove the unwanted columns in the schema file. The schema files are available in the following path in the LMS Server: NMSROOT/campus/bin (Solaris/Soft Appliance) NMSROOT\campus\bin (Windows) The following are the schemas used for exporting the user tracking data in XML format:

Schema for User Tracking Data User Tracking Schema for Switch Data User Tracking Schema for Phone Data User Tracking Schema for Subnet Data Schema for Topology Data Schema for Discrepancy Data Using Servlet to Export Data from LMS
C-16
OL-20721-01
Appendix C
Data Extraction Engine DEE Developers Reference
Schema for User Tracking Data

<?xml version="1.0" encoding="UTF-8" ?>  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xs:element name="UTDetails"> <xs:complexType> <xs:sequence> <xs:element name="CMServer" type="xs:string" /> <xs:element name="CreatedAt" type="xs:string" /> <xs:element name="SchemaVersion" type="xs:string" /> <xs:element name="Heading" type="xs:string" /> <xs:element name="Query" type="xs:string" /> <xs:element name="Layout" type="xs:string" /> <xs:element ref="UTData" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="UTData"> <xs:complexType> <xs:sequence> <xs:element name="Index" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="MACAddress" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="HostName" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="IPAddress" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="Subnet" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="IPv6Address" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="PrefixLength" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="Prefix" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="DeviceName" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="Device" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="Port" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="PortName" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="PortState" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="PortDuplex" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="PortSpeed" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="VTPDomain" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="VLAN" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="VLANId" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="VLANType" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="ParentVLAN" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="SecondaryVlan" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="Ring" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="Bridge" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="LastSeen" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="Notes" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="dot1xEnabled" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="associatedRouters" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="discrepancyEnabled" type="xs:string" minOccurs="0" maxOccurs="1" /> <xs:element name="bestPracticesDeviationEnabled" type="xs:string" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType> </xs:element> </xs:schema>
C-17
User Tracking Schema for Switch Data

<?xml version="1.0" encoding="UTF-8"?>  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xs:element name="UTDetails"> <xs:complexType> <xs:sequence> <xs:element name="CMServer" type="xs:string"/> <xs:element name="CreatedAt" type="xs:string"/> <xs:element name="SchemaVersion" type="xs:string"/> <xs:element name="Heading" type="xs:string"/> <xs:element name="Query" type="xs:string"/> <xs:element name="Layout" type="xs:string"/> <xs:element ref="SwitchUTData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="SwitchUTData"> <xs:complexType> <xs:sequence> <xs:element name="DeviceName" type="xs:string"/> <xs:element name="DeviceIP" type="xs:string"/> <xs:element name="UTData" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="UTData"> <xs:complexType> <xs:sequence> <xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="MACAddress" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="HostName" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="IPAddress" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Subnet" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="IPv6Address" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="PrefixLength" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Prefix" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Port" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="PortName" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="PortState" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="PortDuplex" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="PortSpeed" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="VTPDomain" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="VLAN" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="VLANId" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="VLANType" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="trBRFVLAN" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="SecondaryVlan" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Ring" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Bridge" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="LastSeen" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Notes" type="xs:string" minOccurs="0" maxOccurs="1"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema>
C-18
OL-20721-01
Appendix C
User Tracking Schema for Phone Data

<?xml version="1.0" encoding="UTF-8"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xs:element name="UTDetails"> <xs:annotation> <xs:documentation>It gives the Phone details</xs:documentation> </xs:annotation> <xs:complexType> <xs:sequence> <xs:element name="CMServer" type="xs:string"/> <xs:element name="CreatedAt" type="xs:string"/> <xs:element name="SchemaVersion" type="xs:string"/> <xs:element name="Heading" type="xs:string"/> <xs:element name="PhoneQuery" type="xs:string"/> <xs:element name="PhoneLayout" type="xs:string"/> <xs:element ref="PhoneData" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="PhoneData"> <xs:complexType> <xs:sequence> <xs:element name="PhoneNumber" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="MACAddress" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="IPAddress" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="CCMAddress" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Status" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="PhoneType" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="PhoneDescr" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="DeviceName" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Device" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Port" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="PortName" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="LastSeen" type="xs:string" minOccurs="0" maxOccurs="1"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema>
User Tracking Schema for Subnet Data

<?xml version="1.0" encoding="UTF-8"?>  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xs:element name="UTDetails"> <xs:complexType> <xs:sequence> <xs:element name="CMServer" type="xs:string"/> <xs:element name="CreatedAt" type="xs:string"/> <xs:element name="SchemaVersion" type="xs:string"/> <xs:element name="Heading" type="xs:string"/> <xs:element name="Query" type="xs:string"/> <xs:element name="Layout" type="xs:string"/> <xs:element ref="SubnetUTData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="SubnetUTData">
C-19
<xs:complexType> <xs:sequence> <xs:element name="SubnetId" type="xs:string"/> <xs:element name="UTData" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="UTData"> <xs:complexType> <xs:sequence> <xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="MACAddress" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="HostName" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="IPAddress" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="IPv6Address" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="PrefixLength" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Prefix" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="DeviceName" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Device" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Port" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="PortName" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="PortState" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="PortDuplex" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="PortSpeed" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="VTPDomain" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="VLAN" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="VLANId" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="VLANType" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="trBRFVLAN" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="SecondaryVlan" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Ring" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Bridge" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="LastSeen" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="Notes" type="xs:string" minOccurs="0" maxOccurs="1"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema>
Schema for Topology Data

<?xml version="1.0" encoding="UTF-8"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xs:element name="CMData"> <xs:complexType> <xs:sequence> <xs:element name="CMServer" type="xs:string"/> <xs:element name="CreatedAt" type="xs:string"/> <xs:element name="SchemaVersion" type="xs:string"/> <xs:element name="Heading" type="xs:string"/> <xs:element ref="Layer2Details" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Layer2Details"> <xs:complexType> <xs:sequence> <xs:element ref="Device" minOccurs="0" maxOccurs="unbounded"/>
C-20
OL-20721-01
Appendix C
</xs:sequence> </xs:complexType> </xs:element> <xs:element name="Device"> <xs:complexType> <xs:sequence> <xs:element name="DeviceName" type="xs:string"/> <xs:element name="IPAddress" type="xs:string"/> <xs:element name="DeviceState"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:pattern value="Reachable"/> <xs:pattern value="UnReachable"/> </xs:restriction> </xs:simpleType> </xs:element> <xs:element name="DeviceType" type="xs:string"/> <xs:element ref="Neighbors" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Neighbors"> <xs:complexType> <xs:sequence> <xs:element ref="Neighbor" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Neighbor"> <xs:complexType> <xs:sequence> <xs:element name="NeighborIPAddress" type="xs:string"/> <xs:element name="NeighborDeviceType" type="xs:string"/> <xs:element name="Link" type="xs:string"/> <xs:element name="LocalPort" type="xs:string"/> <xs:element name="RemotePort" type="xs:string"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema>
Schema for Discrepancy Data

<?xml version="1.0" encoding="UTF-8" ?>  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xs:element name="CMData"> <xs:complexType> <xs:sequence> <xs:element name="CMServer" type="xs:string" /> <xs:element name="CreatedAt" type="xs:string" /> <xs:element name="SchemaVersion" type="xs:string" /> <xs:element name="Heading" type="xs:string" /> <xs:element ref="Discrepancies" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Discrepancies"> <xs:complexType> <xs:sequence> <xs:element ref="Best-Practices-Deviation" minOccurs="0" maxOccurs="unbounded" />
C-21
<xs:element ref="Network-Discrepancy" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Best-Practices-Deviation"> <xs:complexType> <xs:sequence> <xs:element name="Details" type="xs:string" /> <xs:element name="Type" type="xs:string" /> <xs:element name="Severity"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:pattern value="High" /> <xs:pattern value="Medium" /> <xs:pattern value="Low" /> </xs:restriction> </xs:simpleType> </xs:element> <xs:element name="Description" type="xs:string" /> <xs:element name="FirstFound" type="xs:string" /> <xs:element name="Acknowledged" type="xs:string" /> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Network-Discrepancy"> <xs:complexType> <xs:sequence> <xs:element name="Details" type="xs:string" /> <xs:element name="Type" type="xs:string" /> <xs:element name="Severity"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:pattern value="High" /> <xs:pattern value="Medium" /> <xs:pattern value="Low" /> </xs:restriction> </xs:simpleType> </xs:element> <xs:element name="Description" type="xs:string" /> <xs:element name="FirstFound" type="xs:string" /> <xs:element name="Acknowledged" type="xs:string" /> </xs:sequence> </xs:complexType> </xs:element> </xs:schema>
Using Servlet to Export Data from LMS

The servlet allows you to access DEE features using simple scripts. You can invoke DEE functions by running the script that connects to the LMS server and retrieves the data. You can send the commands to export user tracking, topology, and discrepancy data (cmexport and utexport) as HTTP or HTTPS requests to a special LMS server URL. This URL identifies a servlet that accepts the request and authenticates the requesting user identity and credentials before authorizing the information exchange.

To export User Tracking data, use UTExportServlet. To export Discrepancy and Layer 2 Topology data, use CMExportServlet.
C-22
OL-20721-01
Appendix C
To invoke cmexport and utexport commands, the servlet requires a payload file that contains details such as:
User credentials The command you want to execute. Optional details such as log and debug options as inputs in XML format.
The servlet then parses the payload file encoded in XML, performs the operations, and returns the results in XML format. You must create the payload file to include the input details and submit it when you ask for servlet access. Typically, servlet access is used when you need to use the data export feature from a client system. To use DEE export features, you can write a script to upload the payload file and perform the data export functions. See the following sample scripts:

Sample Perl Script (test.pl) to Access the Servlet Sample Java Code to Access the Servlet HTTP Mode HTTPS Mode
For example, if you are using the script test.pl, you can invoke the servlet in either of these modes:

HTTP Mode
For Discrepancy and Layer 2 topology data export, enter:

perl test.pl http://campus-server:1741/campus/servlet/CMExportServlet payload.xml
For User Tracking data export, enter:

perl test.pl http://campus-server:1741/cmapps/UTExportServlet payload.xml
HTTPS Mode
For Discrepancy and Layer 2 topology data export, enter:

perl test.pl https://campus-server/campus/servlet/CMExportServlet payload.xml
For User Tracking data export, enter:

perl test.pl https://campus-server/cmapps/UTExportServlet payload.xml
Sample Perl Script (test.pl) to Access the Servlet

#!/opt/CSCOpx/bin/perl use LWP::UserAgent; $| = 1; $temp = $ARGV[0] ; $fname = $ARGV[1] ; if ( -f $fname ) { open (FILE,"$fname") || die "File open Failed $!"; while ( <FILE> ) { $str .= $_ ; } close(FILE); } url_call($temp);
C-23
#-- Activate a CGI: sub url_call { my ($url) = @_; my $ua = new LWP::UserAgent; $ua->timeout(5000); my $hdr = new HTTP::Headers 'Content-Type' => 'text/html'; my $req = new HTTP::Request ('GET', $url, $hdr); $req->content($str); my $res = $ua->request($req); my $result; if ($res->is_error) { print "ERROR : ", $res->code, " : ", $res->message, "\n"; $result = ''; } else { $result = $res->content; if($result =~ /Authorization error/) { print "Authorization error\n"; } else { print $result ; }
} }
Sample Java Code to Access the Servlet

import import import import import java.io.*; java.net.URL; java.net.HttpURLConnection; java.lang.String; java.lang.Byte;
class CMExportServletRun { static void main (String args[]) { try { URL url = new URL("http://localhost:1741/campus/servlet/CMExportServlet"); String payload = "adminadminut_hostdee.log1"; HttpURLConnection con; InputStream is; //opens connection to servlet con = (HttpURLConnection)url.openConnection(); con.setRequestMethod("POST"); con.setRequestProperty("Content-type", "text/xml"); con.setDoOutput(true); con.setUseCaches(false); OutputStream bos = new BufferedOutputStream(con.getOutputStream()); PrintWriter out = new PrintWriter(bos); out.println(payload); out.flush(); out.close();
C-24
OL-20721-01
Appendix C
//prints out response from CMExportServlet byte [] strBytes=new byte[10]; int noOfBytes = 0; is = con.getInputStream(); BufferedReader bfr = new BufferedReader(new InputStreamReader(is)); String str = null ; while ( ( str = bfr.readLine()) != null ) { System.out.println(str); } } catch (Exception e) { System.out.println(e.toString()); } } }
Payload File
The payload file is an XML file that contains inputs required for the DEE servlet to process requests for data export. Schema for the payload XML file is given in Schema for Payload File. Table C-8 describes the elements in the schema.
Table C-8 Elements in the Schema
Element username password command view
Description Cisco Prime user name. Password for Cisco Prime username. Command inside this tag can be ut_host, ut_phone, l2topology or discrepancy. Use this option when you specify ut_host. This is optional. This specifies the presentation of the User Tracking data in the hierarchical format with either switch or subnet as the root.
queryname
User Tracking host data is exported in XML format for the query provided in queryname. You can use this option when you specify ut_host User Tracking host data is exported in XML format for the layout provided in layoutname. You can use this option when you specify ut_host User Tracking phone data is exported in XML format for the query given in queryphone. You can use this option when you specify ut_phone
layoutname
queryphone
C-25
Table C-8
Elements in the Schema (continued)
Element layoutphone
Description User Tracking phone data is exported in XML format for the layout given in layoutPhone. You can use this option when you specify ut_phone Optional. Debug messages can be collected only if log file is specified in the log option. The debug level could be 1 or 2. You can set the value to: 1For basic debug information. 2For detailed debug information. This is optional.
debug
This section also describes:

Sample Payload File Schema for Payload File
Sample Payload File

<payload> <username>username</username> <password>password</password> <command>ut_host</command> <debug>1</debug> <view></view> </payload>
Schema for Payload File
You can use the following schema for creating the payload file in XML format.
<?xml version="1.0" encoding="UTF-8"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xs:element name="payload"> <xs:complex Type> <xs:sequence> <xs:element name="username" type="xs:string"/> <xs:element name="password" type="xs:string"/> <xs:element name="command" type="xs:string"/> <xs:element name="view" type="xs:string"/> <xs:element name="queryname" type="xs:string"/> <xs:element name="layoutname" type="xs:string"/> <xs:element name="queryphone" type="xs:string"/> <xs:element name="layoutphone" type="xs:string"/> <xs:element name="debug" type="xs:string"/> </xs:sequence> </xs:complex Type> </xs:element>
C-26
OL-20721-01
A P P E N D I X
Understanding Cisco Prime Security

The Cisco Prime LMS Server provides some of the security controls necessary for a web-based network management system. It also relies heavily on the end users own security measures and controls to provide a secure computing environment for Cisco Prime applications. The Cisco Prime LMS Server provides and requires three levels of security to be implemented to ensure a secure environment:

General SecurityPartially implemented by the client components of Cisco Prime and by the system administrator. Server SecurityPartially implemented by the server components of Cisco Prime and by the system administrator. Application SecurityImplemented by the client and server components of the Cisco Prime applications.
For more information on security related features, see Setting up Security. The following sections describe the general and server security levels.
General Security
The Cisco Prime LMS Server provides an environment that allows the deployment of web-based network management applications. Web access provides an easy-to-use and easy-to-access computing model that is more difficult to secure than the standard computing model that only requires a system login to execute applications. The Cisco Prime LMS Server also provides security mechanisms (authentication and authorization) used to prevent unauthenticated access to the Cisco Prime LMS Server and unauthorized access to Cisco Prime applications and data. However, Cisco Prime applications can change the behavior and security of your network devices. Therefore, it is critical to limit access to applications and servers as follows:

Limit access to personnel who need access to applications or the data that the applications provide. Limit Cisco Prime LMS Server logins to just the systems administrator. Limit connectivity access to the Cisco Prime LMS Server by putting it behind a firewall.
D-1
Appendix D Server Security
Server Security
The Cisco Prime LMS Server uses the basic security mechanisms of the operating system to protect the code and data files that reside on the server. The following Cisco Prime LMS Server security control elements apply:

ServerImposed Security System Administrator-Imposed Security
ServerImposed Security
The Cisco Prime LMS Server has many dimensions, such as:

Files, File Ownership, and Permissions Runtime Remote Connectivity Access to Systems Other Than the Cisco Prime LMS Server Access Control
Files, File Ownership, and Permissions

The following describes the file ownership and permissions.
UNIX SystemsCisco Prime must be installed by a user with root privilege. It should be installed as the user, casuser with a casusers group. If the system administrator needs to work on causer files, a user with a name chosen by the system administrator, must be created and added to the causers group. All files and directories are owned by casuser with group equal to casusers. Temporary files are created as the user casuser with permissions set to read-write for the user casuser and read for members of group casusers. The only exception to this rule is the log files created by the Cisco Prime web server and diskWatcher. The Cisco Prime web server and diskWatcher must be started as root. Therefore, their log files are owned by the user root with group=casusers.
Windows SystemsCisco Prime must be installed by the administrator and must be installed as the user casuser.
If it is a new installation, the system displays a message prompting you to either create or to
cancel the process. You can enter the password or it can be automatically generated.
If it is not a new installation, the system displays a message prompting you to either continue
resetting the password or to retain the old password. The Cisco Prime LMS Server uses the password but the casuser user is not intended as a general user of the Windows system. No user is required to log on the Windows system as casuser. All files and directories are owned by the user casuser. Read and write access are restricted to the user casuser and the administrator. Temporary files are created as the user casuser with permissions set to read-write for the user casuser. The Cisco Prime LMS Server relies on the security mechanisms of the NTFS filesystem to provide access control on Windows systems. If Cisco Prime is installed on a FAT filesystem, most security assumptions made about controlled access to files and network management data are not valid.
D-2
OL-20721-01
Appendix D
Understanding Cisco Prime Security Server Security
Runtime
This describes the runtime activities.
UNIX SystemsTypically Cisco Prime back-end processes are run with permissions set to the user ID of the binary file. For example, if user Joe owns an executable file, it will be run by the Cisco Prime daemon manager under the user ID of Joe). The exception are files owned by the root user ID. To prevent a potentially harmful program from being run by the daemon manager with root permissions, the daemon manager will run only a limited set of Cisco Prime programs that need root privilege. This list is not documented to preclude any user from trying to impersonate these programs. All back-end processes are run with a umask value of 027. This means that all files created by these programs are created with permissions equal to rwxr-x, with an owner and group of the user ID and group of the program that created it. Typically this will be casuser and group=casusers. Cisco Prime foreground processes (typically cgi-bin programs or servlets) are executed under the control of the web servers child processes or the servlet engine, which all run as the user casuser. Cisco Prime uses standard UNIX tftp and rcp services. Cisco Prime also requires that user casuser have access to the directories that these services read and write to. The Cisco Prime LMS Server must allow the user casuser to run cron and at jobs to enable the Resource Manager Essentials Software Management application to run image download jobs.
WindowsCisco Prime back-end processes are run with permissions set to the user casuser. Some of the special Cisco Prime LMS Server processes are run as a service under the localsystem user ID. These processes include:
Daemon manager Web server Servlet engine Rcp/rsh service TFTP service Corba service Database engine
Cisco Prime foreground processes (typically cgi-bin programs or servlets) are run under the control of the web server and the servlet engine that run as the user localsystem. The local system user has special permissions on the local system but does not have network permissions. Cisco Prime provides several services for RCP, TFTP communication with devices. These services are targeted for use by Cisco Prime applications, but can be used for purposes other than network management. The Cisco Prime Server uses the at command to run software update jobs for the Resource Manager Essentials Software Image Manager application. Jobs run by the at command, run with system level privileges.
D-3
Remote Connectivity
The remote connectivity details for Windows and Solaris are:

UNIX SystemsThe Cisco Prime daemon manager only responds to requests to start, stop, register, or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server. Windows SystemsThe Cisco Prime daemon manager only responds to requests to start, stop, register, or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server.
Access to Systems Other Than the Cisco Prime LMS Server

The access details for UNIX and Windows are:
UNIX SystemsSystems used by the Cisco Prime LMS Server as remote sources of device information for importing into the LMS Inventory Manager application must allow the user casuser to perform remote shell operations on the user who owns the device information. Windows SystemsSystems used by the Cisco Prime Server as remote sources of device information for importing into the LMS Inventory Manager application must allow the user casuser to perform remote shell operations on the user who owns the device information.
Access Control
The access control details are:
UNIX SystemsThe UNIX user casuser is a user ID that is not typically enabled for login. Using this user ID as the user ID under which to install the Cisco Prime Server software simplifies the installation process and ensures limited access to the Cisco Prime Server. This is because casuser is not a valid login ID as there is no password assigned to it. However, the casuser user on UNIX systems can perform system and possibly network-wide operations that could be harmful to the system or the network.
Windows SystemsThe user casuser, created as part of the install process, has no special permissions or considerations on a system so it is a safe user ID under which to run the Cisco Prime Server and application code. The localsystem user can perform harmful system operations. Therefore, consider that by using the localsystem user ID to run some of the backend processes, the localsystem user ID cannot perform network operations.
Note
The system administrator should review and adopt the security recommendations in System Administrator-Imposed Security.
D-4
OL-20721-01
Appendix D
System Administrator-Imposed Security

To maximize Cisco Prime LMS Server security, follow these security guidelines:

Do not allow users other than the systems administrator to have a login on Cisco Prime LMS Server. Do not allow the Cisco Prime LMS Server file systems to be mounted remotely with NFS or any other file-sharing protocol. Limit remote access (for example, FTP, RCP, RSH) to Cisco Prime LMS Server to those users who are permitted to log into Cisco Prime LMS Server. Place your network management servers behind firewalls to prevent access to the systems from outside of your organization. Change the database password after installation and periodically based on your companys security policies. Back up the security certificates in a safe location, if you are using SSL in Cisco Prime LMS Server.
Connection Security
The Cisco Prime LMS Server uses Secure Socket Layer (SSL) encryption to provide secure connection between the client browser and management server, and Secure Shell (SSH) to provide secure access between the management server and devices.
Security Certificates
Security certificates are similar to digital ID cards. They prove the identity of the server to clients. Certificates are issued by Certificate Authorities (CAs) such as VeriSign or Thawte. A certificate vouches for the identity and key ownership of an individual, a computer system (or a specific server running on that system), or an organization. It is a general term for a signed document. Typically, certificates contain the following information:

Subject public key value. Subject identifier information (such as the name and e-mail address). Validity period (the length of time that the certificate is considered valid). Issuer identifier information. The digital signature of the issuer. This attests to the validity of the binding between the subject public key and the subject identifier information.
A certificate is valid only for the period of time specified within it. Every certificate contains Valid From and Valid To dates, which are the boundaries of the validity period. For example, a user's certificate verifies that the user owns a particular public key. The server certificate for the server named myserver.cisco.com verifies that a specific public key belongs to this server. Certificates can be issued for a variety of functions such as web user authentication, web server authentication, secure e-mail (S/MIME), IP Security, Transaction Layer Security (TLS), and code signing.
D-5
Cisco Prime LMS Server supports security certificates for authenticating secure access between client browser and management server. Cisco Prime supports Self signed certificates and provides an option to create self-signed certificates. For more information, see Creating Self Signed Certificates.
Terms and Definitions

The following explains the terms and corresponding definitions in Cisco Prime:

Secure Socket Layer (SSL) Public Key, Private Key Secure Shell (SSH) PKCS#8 Base64- Encoded X.509 Certificate Format Certificate Authority Cisco Prime TrustStore or KeyStore
Secure Socket Layer (SSL)

Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data through privacy, authentication, and data integrity. It relies upon certificates, public keys, and private keys.
Public Key, Private Key

Public and private keys are the ciphers used to encrypt and decrypt information. While the public key is shared quite freely, the private key is never given out. Each public-private key pair works together. Data encrypted with the public key can only be decrypted with the private key.
Secure Shell (SSH)

Secure Shell (SSH) is an application and a protocol that provide a secure replacement to the Berkeley r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. Two versions of SSH are currently available: SSH Version 1 and SSH Version 2.
PKCS#8
Public-Key Cryptography Standards (PKCS) are a set of standards for public-key cryptography, developed by RSA Laboratories in cooperation with an informal consortium, originally including Apple, Microsoft, DEC, Lotus, Sun and MIT. The PKCS have been cited by the OIW (OSI Implementers' Workshop) as a method for implementation of OSI standards. The PKCS are designed for binary and ASCII data; PKCS are also compatible with the ITU-T X.509 standard. The published standards are PKCS #1, #3, #5, #7, #8, #9, #10, #11, #12, and #15; PKCS #13 and #14 are currently being developed. PKCS #8 describes a format for private key information. This information includes a private key for some public-key algorithm, and optionally a set of attributes.
D-6
OL-20721-01
Appendix D
Base64- Encoded X.509 Certificate Format

X.509 certificate format is an emerging certificate standard. It is part of the OSI group of standards. X.509 certificates are very clearly defined using a notation called ASN.1 (Abstract Syntax Notation 1) which specifies the precise kinds of binary data that make up the certificate. ASN.1 can be encoded in many ways, but the emerging standard is an encoding called DER (Distinguished Encoding Rules), which results in a compact binary certificate. For e-mail exchange purposes the binary certificate is often Base64 encoded, resulting in an ASCII text document that looks like the following:
-----BEGIN CERTIFICATE----MIIC4jCCAkugAwIBAgIEA0E1UDANBgkqhkiG9w0BAQBhMC VVMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTYNQ2lz Y28gU3lzdGVtczENMAsGA1UECxMERU1CVTEqMCgG0ZXN0 MiBDZXJ0aWZpY2F0ZSBNYW5hZ2VyMB4XDTAyMDas3DA4 NTgwOVowgYIxCzAJBgNVBAYTAklOMQswCQYDVQQIQ2hl bm5haTEMMAoGA1UEChMDSENMMQ0wCwYDVQQLEtzZGlu YWthci1wYzEhMB8GCSqGSIb3DQEJARYSc2RpbmFrYXfMA0G CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDV1o9PyO7txr5vme FU/f9tp5To/HaLIWHVx9zpihPnVuKaepp8kcEXO8Sed8crXeU8BP 9qHoIswGn1oJEGFXm9gs5uupJyAgeDd6O9eCuQbiSKgE1sFGFSL xNGQJZbCrQIDAQABo2UwYzARBglghkgBhvhCAQEEB/BAQD -----END CERTIFICATE-----
Cisco Prime requires the Certificates to be uploaded in this format.
Note
Other certificate formats such as PKCS#7 also have similar formats. Hence it is important that you confirm with the CA the format of the certificate, and request specifically for Base64 Encoded X.509Certificates formats.
Certificate Authority
A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA then issues a certificate.
Cisco Prime TrustStore or KeyStore

Cisco Prime TrustStore or KeyStore is the location where Cisco Prime maintains the list of Certificates that it trusts. The KeyStore location is:

NMSROOT\MDC\Apache\conf\ssl (on Windows) NMSROOT/MDC/Apache/conf/ssl (on Solaris/Soft Appliance)
D-7
A P P E N D I X
Commands to Enable MAC Notification Traps on Devices

This appendix provides information on the list of commands that needs to run on each device to enable MAC Notification traps. This appendix contains the following:

Overview of Dynamic Updates Configuring Switches With MAC Notification Commands Device Operating System Version-Specific Commands List of Commands to Enable MAC Notification Traps on Devices
Overview of Dynamic Updates

Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps sent by devices to Network Topology, Layer 2 Services and User Tracking . These traps are sent as and when there are changes to the network. You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification traps when a host is connected to or disconnected from that port. If you do not have Configuration Management enabled on your LMS server, you have to manually configure the switches, for the switches to send MAC Notifications to the LMS server. To manually configure the switches:
Step 1 Step 2
Choose Admin > Trust Management > Multi Server > System Identity Setup. Renter the password for the System Indentity user.
Ensure that the System Indentity User user name and password are are valid, also under Admin > System > User Management > Local User Setup.
See the section Understanding Dynamic Updates in User Tracking and Dynamic Updates for more information.
E-1
Appendix E Configuring Switches With MAC Notification Commands
Configuring Switches With MAC Notification Commands

The list of commands that needs to be run on the devices are stored on the built-in XML file namely, MACCommands.XML in a hierarchical manner. The list of commands available are:

Global commands Device Family-specific commands Device Type-specific commands Device Operating System version-specific commands
While configuring, Network Topology, Layer 2 Services and User Tracking selects the commands for each device based on the fallback rule in the following order:
1. 2. 3. 4.
Device Operating System version-specific commands Device Type-specific commands Device Family-specific commands Global commands
If a device OID matches an OS version, the Device OS version-specific commands should be selected to configure the device. Otherwise, the Device Type-specific commands should be selected. If a device OID could not find a specific match on both Device OS version-specific commands and Device Type-specific commands, the Device-Family specific commands should be selected. The Global commands are selected for configuring the device when there is no match of Device OS version-specific, Device Type-specific, or Device Family-specific commands available for the device. The device is considered as an unknown device type when there is no match of any of the command sets available. In other words, for an unknown device type, command set will not be generated.
Device Operating System Version-Specific Commands

A device OID finds a match from the OS versions first, in the XML file. A range of OS versions for which the command set remains the same, are indicated in the osversion tag in the XML file. The range of OS versions are represented using brackets [ ] and parantheses ( ). Brackets [ ] indicate an inclusive list of OS versions. Parantheses ( ) indicate an exclusive list of OS versions. The following are the examples for OS version ranges:

[12.2(40),12.2(43)) denotes all OS versions between 12.2(40) and 12.2(43) including 12.2(40) and excluding 12.2(43). [,12.2(40)] denotes all OS versions prior to 12.2(40) and including version 12.2(40). [12.1(19)EA1,12.2(46)SE) denotes all OS versions 12.1(19)EA1 and later, and prior to 12.2(46)SE.
E-2
OL-20721-01
Appendix E
Commands to Enable MAC Notification Traps on Devices List of Commands to Enable MAC Notification Traps on Devices
List of Commands to Enable MAC Notification Traps on Devices

Table E-1 explains the list of commands that needs to be run on the devices.
Table E-1 List of Commands to Enable SNMP Traps in Devices
Device Family default
Device Type -
SysOID -
Global Command Set mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification added:snmp trap mac-notification removed
OS Version -
E-3
Appendix E List of Commands to Enable MAC Notification Traps on Devices
Table E-1
List of Commands to Enable SNMP Traps in Devices (continued)
Device Family
Device Type
SysOID -
Global Command Set mac address-table notification change:mac address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification change:mac address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notificatio
OS Version -
C3750-STACK -
C3750-STACK 1.3.6.1.4.1.9.1.516
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(19)EA1)
[12.1(19)EA1,12 .2(46)SE)
snmp trap mac-notification change added:snmp trap mac-notification change removed
12.2(52)SE
E-4
OL-20721-01
Appendix E
Table E-1
Device Family (continued)
Device Type
SysOID
Global Command Set mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
OS Version [,12.1(19)EA1)
C3750-STACK NME16ES1GP 1.3.6.1.4.1.9.1.663
[12.1(19)EA1,12 .2(46)SE)
NME16ES1GP 1.3.6.1.4.1.9.1.702
mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
[12.1(19)EA1,12 .2(46)SE)
E-5
Table E-1
Device Family
Device Type
SysOID 1.3.6.1.4.1.9.1.664
C3750-STACK NMEX23ES1 GP (continued)
[12.1(19)EA1,12 .2(46)SE)
NMEXD24ES 1SP
1.3.6.1.4.1.9.1.665
[,12.1(19)EA1)
[12.1(19)EA1,12 .2(46)SE)
E-6
OL-20721-01
Appendix E
Table E-1
Device Family
Device Type
SysOID 1.3.6.1.4.1.9.1.666
C3750-STACK NMEXD48ES 2SP (continued)
[12.1(19)EA1,12 .2(46)SE)
C3550-24ME
1.3.6.1.4.1.9.1.574
[,12.1(19)EA1)
[12.1(19)EA1,12 .2(46)SE)
E-7
Table E-1
Device Type
SysOID 1.3.6.1.4.1.9.1.589
C3750-STACK C3550-24ME
[12.1(19)EA1,12 .2(46)SE)
C3550-24ME
1.3.6.1.4.1.9.1.590
[,12.1(19)EA1)
[12.1(19)EA1,12 .2(46)SE)
E-8
OL-20721-01
Appendix E
Table E-1
Device Type
SysOID 1.3.6.1.4.1.9.1.591
[12.1(19)EA1,12 .2(46)SE)
C3550-24ME
1.3.6.1.4.1.9.1.592
[,12.1(19)EA1)
[12.1(19)EA1,12 .2(46)SE)
E-9
Table E-1
Device Type
SysOID 1.3.6.1.4.1.9.1.688
[12.1(19)EA1,12 .2(46)SE)
C3750-24P
1.3.6.1.4.1.9.1.536
mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
[12.1(19)EA1,12 .2(46)SE)
E-10
OL-20721-01
Appendix E
Table E-1
Device Type
SysOID 1.3.6.1.4.1.9.1.530
C3750-STACK C3750
[12.1(19)EA1,12 .2(46)SE)
C3750
1.3.6.1.4.1.9.1.511
[,12.1(19)EA1)
[12.1(19)EA1,12 .2(46)SE)
E-11
Table E-1
Device Type
SysOID 1.3.6.1.4.1.9.1.512
C3750-STACK C3750
[12.1(19)EA1,12 .2(46)SE)
C3750
1.3.6.1.4.1.9.1.513
[,12.1(19)EA1)
[12.1(19)EA1,12 .2(46)SE)
E-12
OL-20721-01
Appendix E
Table E-1
Device Type
SysOID 1.3.6.1.4.1.9.1.514
C3750-STACK C3750
[12.1(19)EA1,12 .2(46)SE)
C3750
1.3.6.1.4.1.9.1.535
[,12.1(19)EA1)
[12.1(19)EA1,12 .2(46)SE)
E-13
Table E-1
Device Type
SysOID 1.3.6.1.4.1.9.1.602
C3750-STACK C3750
[12.1(19)EA1,12 .2(46)SE)
C3750
1.3.6.1.4.1.9.1.603
[,12.1(19)EA1)
[12.1(19)EA1,12 .2(46)SE)
E-14
OL-20721-01
Appendix E
Table E-1
Device Type
SysOID 1.3.6.1.4.1.9.1.604
C3750-STACK C3750P
[12.1(19)EA1,12 .2(46)SE)
C3750
1.3.6.1.4.1.9.1.624
[,12.1(19)EA1)
[12.1(19)EA1,12 .2(46)SE)
E-15
Table E-1
Device Type
SysOID 1.3.6.1.4.1.9.1.656
C3750-STACK C3750
[12.1(19)EA1,12 .2(46)SE)
C3550
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
C3550-24
1.3.6.1.4.1.9.1.366
[,12.1(11)EA1)
C3550-48
1.3.6.1.4.1.9.1.367
[,12.1(11)EA1)
E-16
OL-20721-01
Appendix E
Table E-1
Device Family C3550 (continued)
Device Type C3550-12T
SysOID 1.3.6.1.4.1.9.1.368
Global Command Set mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
C3550-12G
1.3.6.1.4.1.9.1.431
[,12.1(11)EA1)
C3550-24FX
1.3.6.1.4.1.9.1.453
[,12.1(11)EA1)
C3550-24DC
1.3.6.1.4.1.9.1.452
[,12.1(11)EA1)
C3550-24PWR 1.3.6.1.4.1.9.1.485
[,12.1(11)EA1)
E-17
Table E-1
Device Type C3560-24PS
SysOID 1.3.6.1.4.1.9.1.563
C3560-48PS
1.3.6.1.4.1.9.1.564
[,12.1(11)EA1)
C3560G-24PS
1.3.6.1.4.1.9.1.614
[,12.1(11)EA1)
C3560G-24TS
1.3.6.1.4.1.9.1.615
[,12.1(11)EA1)
C3560G-48PS
1.3.6.1.4.1.9.1.616
[,12.1(11)EA1)
E-18
OL-20721-01
Appendix E
Table E-1
Device Type C3560G-48TS
SysOID 1.3.6.1.4.1.9.1.617
Global Command Set mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
C3560E
1.3.6.1.4.1.9.1.930
C3560E
1.3.6.1.4.1.9.1.956
C3560E
1.3.6.1.4.1.9.1.1015 mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
E-19
Table E-1
Device Type 3000
SysOID 1.3.6.1.4.1.9.1.909
Global Command Set mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
OS Version -
3000
1.3.6.1.4.1.9.1.910
3000
1.3.6.1.4.1.9.1.911
3000
1.3.6.1.4.1.9.1.912
E-20
OL-20721-01
Appendix E
Table E-1
Device Type 3000
SysOID 1.3.6.1.4.1.9.1.918
OS Version -
3000
1.3.6.1.4.1.9.1.919
3000
1.3.6.1.4.1.9.1.920
3000
1.3.6.1.4.1.9.1.921
E-21
Table E-1
Device Type 3000
SysOID 1.3.6.1.4.1.9.1.922
OS Version -
3000
1.3.6.1.4.1.9.1.947
3000
1.3.6.1.4.1.9.1.948
3000
1.3.6.1.4.1.9.1.949
E-22
OL-20721-01
Appendix E
Table E-1
Device Type 3000
SysOID 1.3.6.1.4.1.9.1.999
Global Command Set mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
OS Version -
3000
1.3.6.1.4.1.9.1.1000 mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification 1.3.6.1.4.1.9.1.1001 mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification 1.3.6.1.4.1.9.1.1002 mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
3000
3000
E-23
Table E-1
Device Family C3550 (continued) -
Device Type C3000IE
SysOID 1.3.6.1.4.1.9.1.958
Global Command Set mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification -
OS Version -
C3000IE
1.3.6.1.4.1.9.1.959
C3500XL
C3508GXL C3512XL C3524XL C3548XL
1.3.6.1.4.1.9.1.246 1.3.6.1.4.1.9.1.247 1.3.6.1.4.1.9.1.248 1.3.6.1.4.1.9.1.278
C3524PWRXL 1.3.6.1.4.1.9.1.287
E-24
OL-20721-01
Appendix E
Table E-1
Device Family C2970
Device Type -
SysOID -
Global Command Set mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
OS Version -
C2970G-24T
1.3.6.1.4.1.9.1.527
[,12.1(19)EA1)
C2970G-24TS
1.3.6.1.4.1.9.1.561
[,12.1(19)EA1)
371098-001
1.3.6.1.4.1.11.2.3.7. mac-address-table 11.33.3.1.1 notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification 1.3.6.1.4.1.9.1.781 mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
[,12.1(19)EA1)
ME-3400G-12 CS-D
[,12.1(19)EA1)
E-25
Table E-1
Device Type ME-3400G-12 CS-A
SysOID 1.3.6.1.4.1.9.1.780
Global Command Set mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
C2960-24TC-S 1.3.6.1.4.1.9.1.928
[,12.1(19)EA1)
ME-3400G-2C 1.3.6.1.4.1.9.1.825 S-A
[,12.1(19)EA1)
C2960G-48TC -L
1.3.6.1.4.1.9.1.697
12.2(35)SE5
12.2(44)SE6
ME-3400
1.3.6.1.4.1.9.1.873
E-26
OL-20721-01
Appendix E
Table E-1
Device Type ME-3400 ME-3400 ME-3400 C2960 C2960 C2960 C2960 C2960 C2960 C2960 C2975 C2975
SysOID
Global Command Set
OS Version -
1.3.6.1.4.1.9.1.1007 1.3.6.1.4.1.9.1.1008 1.3.6.1.4.1.9.1.1009 1.3.6.1.4.1.9.1.929 1.3.6.1.4.1.9.1.927 -
1.3.6.1.4.1.9.1.1005 1.3.6.1.4.1.9.1.1006 1.3.6.1.4.1.9.1.950 1.3.6.1.4.1.9.1.951 1.3.6.1.4.1.9.1.952 -
1.3.6.1.4.1.9.1.1067 1.3.6.1.4.1.9.1.1068 mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification -
C2900XL
C2908XL C2900XL (continued) C2924XL C2924CXL C2924XLV C2924CXLV C2912XL C2924MXL C2912MFXL
1.3.6.1.4.1.9.1.170 1.3.6.1.4.1.9.1.183 1.3.6.1.4.1.9.1.184 1.3.6.1.4.1.9.1.217 1.3.6.1.4.1.9.1.218 1.3.6.1.4.1.9.1.219 1.3.6.1.4.1.9.1.220 1.3.6.1.4.1.9.1.221
C2924XL-LRE 1.3.6.1.4.1.9.1.369 C2912XL-LRE 1.3.6.1.4.1.9.1.370
E-27
Table E-1
Device Family C2950
Device Type -
SysOID -
Global Command Set mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
OS Version -
C2950-12
1.3.6.1.4.1.9.1.323
[,12.1(11)EA1)
C2950-24
1.3.6.1.4.1.9.1.324
[,12.1(11)EA1)
E-28
OL-20721-01
Appendix E
Table E-1
Device Type C2950C-24
SysOID 1.3.6.1.4.1.9.1.325
C2950T-24
1.3.6.1.4.1.9.1.359
[,12.1(11)EA1)
C2950G-24
1.3.6.1.4.1.9.1.428
[,12.1(11)EA1)
C2950G-12
1.3.6.1.4.1.9.1.427
[,12.1(11)EA1)
C2950G-48
1.3.6.1.4.1.9.1.429
[,12.1(11)EA1)
E-29
Table E-1
Device Type
SysOID
C2950G-24DC 1.3.6.1.4.1.9.1.472
C2950-24SX
1.3.6.1.4.1.9.1.480
[,12.1(11)EA1)
C2955C-12
1.3.6.1.4.1.9.1.489
[,12.1(11)EA1)
C2955S-12
1.3.6.1.4.1.9.1.508
[,12.1(11)EA1)
C2955T-12
1.3.6.1.4.1.9.1.488
[,12.1(11)EA1)
E-30
OL-20721-01
Appendix E
Table E-1
Device Type C2950ST-8LR E
SysOID 1.3.6.1.4.1.9.1.483
C2950ST-24L RE
1.3.6.1.4.1.9.1.482
[,12.1(11)EA1)
C2940-8TT
1.3.6.1.4.1.9.1.540
[,12.1(11)EA1)
C2940-8TF
1.3.6.1.4.1.9.1.542
[,12.1(11)EA1)
C2950-48SX
1.3.6.1.4.1.9.1.560
[,12.1(11)EA1)
E-31
Table E-1
Device Type CIGESM-18T T
SysOID 1.3.6.1.4.1.9.1.592
Global Command Set mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification set cam notification enable:set snmp trap enable macnotification:set snmp trap HOST COMMUNITY version TRAPVERSION port PORT mac-address-table notification change:mac-address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
C6000
set cam notification added enable INTERFACE:set cam notification removed enable INTERFACE snmp trap mac-notification change added:snmp trap mac-notification change removed
C6006 C6009 C6509 C6506 C6509SP C6513 C6503 C6000-IOS -
1.3.6.1.4.1.9.5.38 1.3.6.1.4.1.9.5.39 1.3.6.1.4.1.9.5.44 1.3.6.1.4.1.9.5.45 1.3.6.1.4.1.9.5.47 1.3.6.1.4.1.9.5.50 1.3.6.1.4.1.9.5.56 -
E-32
OL-20721-01
Appendix E
Table E-1
Device Family C6000-IOS (continued)
Device Type
SysOID
Global Command Set set cam notification enable:set snmp trap enable macnotification:set snmp trap HOST COMMUNITY port PORT
Interface Command Set set cam notification added enable INTERFACE:set cam notification removed enable INTERFACE -
OS Version -
catalyst6000IO 1.3.6.1.4.1.9.1.657 S catalyst6006IO 1.3.6.1.4.1.9.1.280 S catalyst6009IO 1.3.6.1.4.1.9.1.281 S Cisco C6506-IOS 1.3.6.1.4.1.9.1.282
catalyst6509IO 1.3.6.1.4.1.9.1.283 S catalyst6509sp IOS 1.3.6.1.4.1.9.1.310
catalyst6513IO 1.3.6.1.4.1.9.1.400 S ciscoWSC6503 1.3.6.1.4.1.9.1.449 ciscoWSC6509 1.3.6.1.4.1.9.1.534 neba catalyst6509V E Cisco C6503-IOS C4000 1.3.6.1.4.1.9.1.832 1.3.6.1.4.1.9.1.449 -
C4003 C4912G C2948G C4006 C2980G C2980G-A C4503 C4506 C2948G-GE-T X
1.3.6.1.4.1.9.5.40 1.3.6.1.4.1.9.5.41 1.3.6.1.4.1.9.5.42 1.3.6.1.4.1.9.5.46 1.3.6.1.4.1.9.5.49 1.3.6.1.4.1.9.5.51 1.3.6.1.4.1.9.5.58 1.3.6.1.4.1.9.5.59 1.3.6.1.4.1.9.5.62
E-33
Table E-1
Device Family C4000-IOS
Device Type -
SysOID -
Global Command Set mac-address-table notification change:mac-address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification mac address-table notification change:mac address-table notification change interval 15:snmp-server enable traps mac-notification:snmp-serve r host HOST version 1 COMMUNITY udp-port 1431 mac-notification mac-address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
Interface Command Set snmp trap mac-notification change added:snmp trap mac-notification change removed
OS Version -
cisco4000 cisco4900M cisco4948
1.3.6.1.4.1.9.1.448 1.3.6.1.4.1.9.1.917 1.3.6.1.4.1.9.1.626
12.2(53)SG
cisco4948-10G 1.3.6.1.4.1.9.1.659 E cisco4948-10G 1.3.6.1.4.1.9.1.875 E cisco4948-10G 1.3.6.1.4.1.9.1.877 E cisco4948-10G 1.3.6.1.4.1.9.1.874 E cisco4948-10G 1.3.6.1.4.1.9.1.876 E C4506-IOS 1.3.6.1.4.1.9.1.502
C4900ME -
C4900ME
1.3.6.1.4.1.9.1.788
E-34
OL-20721-01
Appendix E
Table E-1
Device Family C2400ME
Device Type -
SysOID -
Global Command Set mac address-table notification:mac-address-tabl e notification interval 15:snmp-server enable traps MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification -
OS Version -
C2400ME C2350
1.3.6.1.4.1.9.1.735
1.3.6.1.4.1.9.1.1104 -
E-35
INDEX
A
access connection security, understanding control, security and access ports customizable groups system defined groups Role Management roles on NDG basis, assigning admin application settings purge settings setting log level administering LMS
3-1 3-2 3-23 3-6 16-19 17-12 8-27 2-13 5-44 5-43 D-4 D-5
default credential set, editing default credential set policies
4-26 4-28 4-29 4-34
default credential set policies, creating default credential set policies, deleting
default credential set policies, Display name policy type example 4-32 default credential set policies, examples
4-31
default credential set policies, host name policy type example 4-33 default credential set policies, IP range policy type example 4-31 default credential set policies, ordering default credential sets device polling settings mode, changing
4-15 4-21 4-22 4-22 4-22 4-24 4-17 4-16 4-35
Master-Slave configuration, prerequisites unreachable devices deletion user-defined fields, adding user-defined fields, deleting user-defined fields, renaming Display Settings and DCR
A-5 4-1
Daemon Manager, using
database password, changing processes, back-end processes processes, managing processes, starting processes, stopping processes, viewing restoring data DCR default credentials
4-23 4-23 3-21 3-3
processes, managing through CLI

3-6 3-6 3-4
administering LMS ANI data collection, using best practices in discovery scheduling data collection, scheduling
3-5 6-3 6-3
processes, viewing specific state processes
debugging options
17-22
user and host acquisition, using delete interval, modifying purge policy, specifying schedule, modifying Administering VRF Lite Setting VRF Lite Debugging Options
17-31 7-18 7-20 7-20 7-23
end host user information, importing

15-1
default credentials,using
default credentials,using in multi-server setup 4-24 default credential set,configuring default credential set,deleting
4-25 4-27
subnet discovery, configuring
IN-1
Index
VRF Lite Client Debugging Settings VRF Lite Server Debugging Settings VRF Lite Utility Debugging Settings Using VRF Lite Administration
17-34 17-32 17-34 17-33
content engine commands IOS commands setting up

8-29 8-36 8-34
8-35 8-34
content service switch commands
VRF Lite Collector Debugging Settings Modifying VRF Lite SNMP Timeouts and Retries 8-19 Scheduling VRF Collector Administering VRF Using VRF Administration admin setting application log level purge log file
8-27 8-27 8-17 8-18
directory, moving using

8-29
shadow directory, enabling and disabling automated actions, defining in Change Audit creating deleting editing
11-9 11-11 11-14 11-13 11-13 11-13
8-37
copying IP SLA configuration

17-12 8-28
enabling, disabling exporting, importing in Syslog Analysis creating deleting editing

6-3 10-37 10-42 10-39
managed source interface

16-19
Alerts and Activities display

17-8, 17-9
ANI data collection administration, using best practices in discovery scheduling data collection, scheduling debugging options applications Job Approval licensing licensing information, viewing licensing procedure obtaining a license updating licenses application settings running-config archive purging
8-27 8-28 3-30 3-30 3-31 3-30 12-13 17-22 6-1 6-3
enabling, disabling example of verifying

10-43
10-41
exporting, importing
10-44
10-42
SNMP settings, modifying
B
backing up data back-up data directory structure of using CLI using CLI
A-16 B-27 B-27 3-18
sample CMF backup directory backing up selective data

A-16 16-5
managed source interface

8-27
backup policy, setting
Archive Management (part of Configuration Management)

16-2 8-32
Base64-encoded X.509 certificate format, definition browser-server security. See SSL
D-7
configurations, modifying credentials, entering security, modifying

8-29 8-33
Catalyst commands
8-34
IN-2
OL-20721-01
Index
C
cautions regarding admin password, guest password
2-6 17-2
Cisco Prime processes and Fault Monitor collecting information on locked out of MDC support
B-18 B-4 B-3 11-5 3-16
Cisco Prime LMS Server, troubleshooting

B-3
backups, and the Cisco Prime Daemon Manager changing Change Audit purge settings data restoration from a backup
3-21 16-6
process status, checking self-test, performing

B-3 3-2 3-2
resetting purge policy in Syslog Analyzer restarting Daemon Manager on Solaris restarting Daemon Manager on Windows certificates terms and definitions in
D-6
Cisco Prime LMS Server back-end process Cisco Prime LMS Server Processes
3-6, A-5
3-6
Cisco Prime Trust Store or KeyStore, definition

D-7
D-7
Base64-encoded X-509 certificate format CA (certificate authority) PKCS#8 SSH SSL

D-6 D-6 D-5 D-6 D-6 D-7 D-7
cmexport command (see under Data Extraction Engine) C-2 cmf as part of database path, explanation of LMS user log-in information collector group assigning membership defining rules operation based
5-67 5-72 5-69 1-8 B-18
Cisco Prime TrustStore or KeyStore public key, private key
understanding Change Audit, using
membership details
5-74
automated actions, defining creating deleting editing

11-11 11-14 11-13
11-9 11-10
refreshing membership setting properties viewing

5-71 5-65
5-73
Automated Action window details
viewing group details viewing summary

11-13 11-13 5-70 5-60
5-71
enabling, disabling exporting, importing exception periods creating defining deleting editing
11-8 11-7 11-9 11-9
collector group rules archive purging
Configuration Management, using

16-2 8-42
collection settings, defining job policies, configuring defining default policies
12-3 12-4 12-6
scenarios, job password configured

11-8
enabling and disabling maintenance tasks

11-3
transport protocols, configuring order, defining

8-48 8-46
forced purges, performing purge policy, setting changing event names

10-5 11-4
11-5
requirements for use configuring
subnet discovery for User Tracking

2-41
7-20
Cisco.com connection, managing
connection security, understanding
D-5
IN-3
Index
security certificates terms and definitions
D-5 D-6 D-7
inaccessible, troubleshooting purging

16-20 3-23
B-28 B-18
path includes "lms," explanation

D-7 D-7
Base64-encoded X.509 certificate format CA (certificate authority) PKCS#8 SSH SSL connectivity tasks
B-3 B-3 B-3 D-6 D-6 D-6 D-6
database password, changing available formats Solaris Windows DCR administering default credentials
3-23 3-24 3-24
Data Extraction Engine (see DEE)
C-1
4-23 4-17 4-16
checking process status MDC support copying IP SLA creating user-defined collector groups Server portlets job information status log space usage customizable groups access port device editing interface restrictions trunk port
5-44 5-46 5-44 5-45 5-44 5-44 1-6 5-44 1-8 8-27 B-4
device polling settings mode, changing

4-15
collecting server information performing a self-test

B-3
Master-Slave configuration, prerequisites unreachable devices deletion user-defined fields, adding user-defined fields, deleting
4-21 4-22 4-22 4-22 8-24 8-25
5-65
user-defined fields, renaming changes, effect on Fault Monitor Fault Management discovery and log file
17-9
DCR (Device and Credential Repository) CLI interface, using A-20 DCR mode, changing importing using listing attributes
A-22 A-20 A-20 A-20 A-21
listing default credential sets viewing current DCR mode viewing device details DDV log file
17-8 17-21 A-21
(see also groups)
D
Daemon Manager, using restarting on Solaris restarting on Windows Daily Purging Schedule log file database
debugging options, setting

3-2 3-2 3-2
DEE (Data Extraction Engine) cmexport command about

C-2
C-1
function-specific options mandatory arguments optional arguments running

C-2 C-4 C-4
C-5
17-8 16-20
managing
IN-4
OL-20721-01
Index
cmexport Discrepancy comand cmexport L2topology command cmexport manpage

C-14 C-6 C-16
C-12 C-9
searching devices Simple Search selecting devices Fault Monitor
4-7 4-8
Advanced Search
4-7 4-6
cmexport ut command developers reference
Discrepancy data schema Topology data schema
C-21 C-22
changing event names
10-5
exporting data from LMS, servlet

C-20 C-17
Fault Monitor Object Grouping Services Server, log file 17-8 discovery DCR synchronization and events that trigger log file
17-9 8-24 8-24 8-24 8-25
User Tracking data schema
User Tracking phone data schema User Tracking subnet data schema User Tracking switch data schema overview Default deleting device groups
5-19 4-22 4-24 C-1
C-19 C-19 C-18
rediscovery
Rediscovery Schedule discovery, scheduling discrepancy reporting

4-1 14-1
user-defined fields from DCR device groups, managing customizable deleting groups rules
5-53 6-4 6-4 5-44 5-60 5-59 5-46
physical discrepancies duplexity, interface

5-55
14-2 3-42
disk space, threshold configuring
group membership Device Poller
E
editing device group details local user profile e-mail configurations (Notification Services) E-Mail Notification Subscriptions E-Mail Subject Customization notifications (Notification Services) SMTP server
10-22 3-31 10-16 10-3 10-13 10-13 5-17 2-13
adding critical devices devices, discovery scheduling adding deleting editing

4-1 4-2 4-3 4-2
viewing status devices, managing
4-3, 4-4
forwarding traps to Fault Monitor importing using CLI log files rediscovering Device Selector Device Selector settings
4-10 A-22 17-8, 17-9 8-24
ESS (Event Service Software) changing the port for in Solaris events changing names log files Event Processing Adapters Event Promulgation Module
17-8 17-8 10-5 B-26
See also Software Center
IN-5
Index
Event Sets (see Notification Services) expired server certificate, how to handle exporting automated actions in Syslog Analysis message filters, in Syslog Analyzer
11-13 10-48 B-23
summaries
5-56
system defined Fault Monitor user defined editing creating deleting groups
5-19 5-6 5-46 5-43
Groups, administering
F
Fault History log file filters Inventory change report filters, setting creating deleting editing
10-46 10-48 10-47 10-47 10-48 11-21 10-45 17-8 D-2
details modifying viewing editing

5-17 5-20 5-20 5-17 5-17
file ownership, and permissions
message filters in Syslog Analyzer, defining
exporting
sample export file exporting from UI

5-21
Group Administration importing

5-21
5-4 5-16
enabling, disabling exporting, importing forced purges in Change Audit

11-5 16-7
group membership, assigning importing from UI multi-server setup refreshing

5-18 5-8 5-23 5-4 5-7
in Syslog Analyzer
properties, specifying rules, defining
G
group administration groups creating
5-46, 5-50 5-44 5-46 5-45 5-64 5-63
composite group rule example composite rule examples

5-11 5-10 5-10 5-12
5-11
group administration process
example for IP range range operator simple rule

5-9 5-3
customizable editing deleting details editing restrictions

5-60 5-57
simple group rule example single server scenario single server setup syntax checking
5-3 5-9, 5-10
5-11
5-46, 5-47 5-45
system- and user-defined attributes system defined attributes

5-13
5-13
managing, overview membership rules

5-53
5-56, 5-58, 5-59
IN-6
OL-20721-01
Index
H
HP OpenView
10-23 7-30
J
Java Plug-in, version to use Job Approval, using approver lists assigning
12-16 12-15 12-18 12-13 12-14 B-17
HPOV as primary listener
approver details, specifying
I
IBM SecureWay Directory, changing login module to 2-27 images IOS images, and recommendation filters importing devices and credentials using CLI interfaces customizable groups system defined groups Inventory change report filters, setting inventory effect of DCR changes log files Inventory Collector Inventory Interactor Inventory Service Inventory, using collection or polling schedule, changing Inventory Job Browser job details, viewing inventory collection log file overview IOS images, and recommendation filters
11-19 17-9 8-24 8-1 8-7 8-12 17-8 17-8 17-9 8-24 11-21 5-44 5-43 A-22 11-19 11-13
creating, editing setting up

12-16 12-14
jobs, approving and rejecting task workflow Job Browser, using jrm, checking
B-20
importing automated actions in Syslog Analysis
Job Browser (see under Inventory)

12-1
8-1
K
KerberosLogin, changing login module to
2-28
L
licensing Cisco Prime applications license information, viewing licensing procedure obtaining a license updating licenses local user policy setup
3-30 3-30 3-31 2-4 3-30
collection jobs, creating and editing

8-6 8-7
locked out of Cisco Prime LMS Server, troubleshooting B-18 log files, maintaining on UNIX
17-3 17-3 3-41
polling jobs, creating and editing
on Windows
logrot utility, configuring logrot utility, running login module setting to non-ACS
2-26 3-41
(see also discovery)
Cisco Prime Local, changing to KerberosLogin, changing to
2-27 2-27
IP Address range operator, See range operator
IBM SecureWay Directory, changing to

2-28
IN-7
Index
local NT system, changing to
2-30 2-29 2-30 2-34
NetShow Administering NetShow settings defining default job policies defining protocol order purging jobs
12-11 17-17 12-13 12-12 12-10
Local UNIX system, changing to MS Active Directory, changing to Netscape Directory, changing to Radius, changing to log level setting logrot utility configuring running logs configuring
17-19 17-8, 17-9 3-41 3-41 17-12 2-35 2-36
TACACS+, changing to
setting log levels credentials, masking NetView

10-23
NMS, integrating with Fault Monitor Notification Services
10-23
Notification Groups (see Notification Services) configuring notifications, overview E-Mail Configurations E-Mail Notifications
17-8 10-13 3-31, 10-3 10-13 17-9 10-6
Fault Monitor log files incharge log files Lookup Analyzer, using
log file (for Logging Services)

A-30
E-Mail Notification Subscriptions E-Mail Subject Customization event names, customizing

10-5
10-16
M
managed source interface managing LMS resources
3-34 12-13 8-28
Event Sets log file
10-6
17-8 5-46, 10-7 10-3, 10-9
Notification Groups subscriptions

10-2
SNMP Trap Notifications Syslog Notifications
Masking credentials of show commands message filters, in Syslog Analysis creating deleting editing
10-46 10-48 10-47 10-47 10-48 3-34 10-45
10-3, 10-17
O
online users, messaging Solaris Windows
2-30 B-19 B-19 3-34
enabling, disabling exporting, importing messaging online users
osagent, changing the port for
MS Active Directory, changing login module to multi-server mode, and security

2-15
overview authentication using login modules overviews Common Syslog Collector Syslog Analyzer overviews of
8-49 8-49 2-24
N
NetConfig, using job password
12-13 2-34
DEE (Data Extraction Engine)
C-1
Netscape Directory, changing login module to
IN-8
OL-20721-01
Index
P
peer server certificates setting up
2-18 14-2 7-18
log file for multiple thread processes, managing PSUCLI

13-10 A-5
17-8
protocols, used by Cisco Prime device packages, installing
10-22
physical discrepancy reports ping sweep options, modifying PKCS#8, definition polling log files adapter database manager log files adapter database manager Administration Creating Groups Attributes Examples
5-32 5-34 5-29 17-8 17-8 17-8 17-8 D-6
13-12 13-14 13-14
device packages, listing dependents device packages, uninstalling device updates, downloading software updates, downloading software updates, querying
13-12 13-13
device packages, listing device packages
13-13
13-11
grouping services
17-8
17-8
public key, definition purge settings

16-19
D-6
polling and thresholds
historical data purging messages
16-19
cautions regarding changing purge values in Change Audit

17-8 11-5 16-6
grouping services
17-8
in Syslog Analyzer forced purges in Change Audit purge policies, setting

5-30
port and module groups

5-27 5-28
11-5 16-7
in Syslog Analyzer in Change Audit
Defining Rule Expression
11-4 16-6
in Syslog Analyzer
Properties Deleting Groups Editing Groups
Selecting Group Source

5-41 5-40 5-38
5-29
R
Radius, changing login module to range operator rediscovery
5-39 5-10 2-35
Viewing Group Details ports access ports trunk ports

5-43, 5-44
DCR synchronization and events that trigger log file

17-9 8-24 8-24
8-25
occupied by Cisco Prime

5-43, 5-44
10-22
Rediscovery Schedule (see also discovery)

3-35
preferences for system, modifying private key, definition processes Cisco Prime
3-16 D-6
Rediscovery Schedule page (see also rediscovery) refreshing group membership
8-21
5-73 D-4
remote connectivity, security and
IN-9
Index
Remote server and other portlets object finder reports discrepancy reporting understanding user tracking switch port usage reports, exporting resources, managing in LMS restoring data LMS data solaris windows LMS portlets Audit Trail Information Job Approval
1-10 1-11 1-10 3-21 3-22 3-34 A-28 14-1 14-2 1-12
S
Secure Shell (SSH), definition security access control, and understanding general server
D-2 2-1 2-23 D-1 D-1 D-4 D-5 D-6
physical discrepancies
14-1
certificates, understanding
security, setting up
Authentication mode, setting up Cisco.com login, setting up login module setting to non-ACS multi-server mode setting up
2-18 2-41 2-15 2-26 2-41
3-21 3-22
peer server certificates proxy server, setting up SSL

2-2
Syslog Collectors Information properties file COLLECTOR_PORT COUNTRY_CODE DEBUG_FILES DEBUG_LEVEL

8-56 8-54
RSAC (Remote Syslog Analyzer Collector)
security levels, understanding
2-7
enabling from the Cisco Prime Server

8-55
2-3
DEBUG_CATEGORY_NAME
8-55 8-55
enabling from the CLI SSO (Single Sign-On) mode changing

2-22 2-19
A-13, A-14
DEBUG_MAX_BACKUPS DEBUG_MAX_FILE_SIZE FILTER_THREADS PARSER_FILE

8-56 8-55 8-56
8-55 8-55
enabling
user management local user profile, modifying peer server, setting up users, adding
2-10 A-2 2-16 2-13
QUEUE_CAPACITY
READ_INTERVAL_IN_SECS SUBSCRIPTION_DATA_FILES SYSLOG_FILES TIMEZONE rules, group

5-53 8-27 D-3 8-54 8-54 8-54
8-55 8-56
users, setting up through CLI Self Signed certificates server, configuring AAA mode, setting up applications, licensing licensing information, viewing licensing procedure obtaining a license
3-30 3-30 2-23 2-14 3-33
self-test information, collecting
TIMEZONE_FILE running-config
authentication using login modules

3-30
2-24
runtime security, understanding
IN-10
OL-20721-01
Index
updating licenses certificate setup

2-14
3-31
server security, understanding administrator-imposed

2-41 D-5
D-2
Cisco.com login, setting up LMS, administering backing up data

3-1 3-18
connection
D-5 D-5 D-6
security certificates terms and definitions

3-2
Daemon Manager, using processes, managing resources, managing

3-3
server-imposed
A-5
D-2 D-4 D-2
access control other systems

3-31 3-42
processes, managing through CLI

3-34
files, file ownership, permissions

D-4 D-4
server information, collecting disk space, threshold configuring log files, maintaining List of log files on UNIX
17-3 17-3 17-17 17-3
remote connectivity runtime setting log level job purge

D-3 17-12
Setting system preferences

16-8 17-14 8-10 8-11
on Windows login module
log level settings
logging, configuring
LMS device attributes setting up, local user modify profile security levels
2-13 2-7 2-6
LMS secondary credentials

2-26
setting to non-ACS peer server certificates setting up

2-18
proxy server, setting up Self-signed certificates changing enabling

2-22 2-19
2-41
user accounts
security. See security, setting up

2-14
setting up, local user policy setting up, local users SMTP server, default SNMP MAC notification listener
3-35 2-6 3-31
2-4
SSO (Single Sign-On) mode
7-29 7-29 7-27
system preferences, modifying user management adding

2-10
SNMP trap listener, configuring SNMP traps on ports, enabling SNMP traps
adding through CLI
import remote users

local user policy setup peer server, adding users, local, setting up
2-4
2-8, A-3 2-13
integrating SNMP trap receiving with other NMS 10-23 SNMP Trap Notifications trap forwarding port trap receiving port Software Center event log
13-1 13-10 13-9 13-8 10-25 10-24 10-3, 10-9
local user profile, modifying

2-16 A-2
setting up through CLI

2-13
server certificate for Cisco Prime, expiration, how to handle B-23 server information, collecting (LMS)
3-31
scheduled job
device downloads, scheduling device updates, checking

13-6
IN-11
Index
device updates, performing packages, deleting

13-7
13-4
exporting, importing backup policy, setting

13-4
10-42
16-5 8-50
software updates, downloading software updates, performing software updates, selecting Software Center CLI utility Software Management, using administration tasks
11-14
Common Syslog Collector, subscribing to collector status, viewing

13-2 8-50
13-2
list of applications installed, viewing

13-3 13-10
procedure forced purges message filters creating deleting
8-51 16-7 10-45
10-46 10-48 10-47 10-47 10-48
preferences, viewing and editing preferences, viewing and editing protocol order, selecting Solaris, changing ports in for ESS
B-26 B-19 2-2 2-3 11-18
11-15
editing
11-15
enabling, disabling exporting, importing

11-19
recommendation filters, and IOS images
overview
8-49 10-3, 10-17
Syslog Notifications
System Admin dashboard portlets critical message window system administration databases, purging logging, configuring SMTP default server
16-20 10-22 1-3
for osagent
SSL, enabling on the server from the CLI SSL, definition changing enabling
2-22 2-19 A-13, A-14 D-6
from the Cisco Prime LMS Server
devices from traps to Fault Monitor

17-19 3-31 10-25 10-24
SSO (Single Sign-On) mode
SNMP trap forwarding port SNMP trap receiving port

B-17
starting Cisco Prime applications, troubleshooting subscriptions (see Notification Services) Syslog Analyzer purge policy caution regarding changing values setting
16-6 8-50 8-50 16-6
system defined groups Fault Monitor System Preferences Loading MIB Files Poll Settings Purging Data Purging Jobs
8-26 16-15 16-13 17-9 15-2 9-2 5-43
(see also groups)
status, viewing procedure
collector status, viewing

8-51
Setting Log Levels
Syslog Analyzer and Collector, using automated actions creating deleting editing example
10-37 10-42 10-39 10-41
Setting Report Publish Path Syslog Receiver Group
10-30 10-32 10-34 10-33 10-35
Creating Syslog Reveiver Group Deleting Syslog Reveiver Group Editing Syslog Reveiver Group Filtering Syslog Reveiver Group Trap Receiver Group
10-25
enabling, disabling
10-43
IN-12
OL-20721-01
Index
Creating Trap Receiver Group Deleting Trap Reveiver Group Editing Trap Receiver Group Filtering Trap Reveiver Group Viewing Audit Trail Log Report Viewing Purge Details
16-17
10-26 10-29 10-27 10-30 10-25, 10-30
database inaccessability ESS port change Solaris FAQs list Apache and Tomcat
B-29 B-26 B-28 B-18
path includes "cmf"
T
TACACS+, changing login module to
2-36 D-6 D-7
Backup-restore Database Security

B-28
B-27
EDS and ESS

B-22
B-26
terms and definitions in security certificates Base64-encoded X.509 certificate format CA (certificate authority) PKCS#8 SSH SSL thresholds log files adapter database manager topology groups system-defined groups creating, based on subnet transport protocols, configuring order, defining traps forwarding from devices to Fault Monitor SNMP (see SNMP traps) troubleshooting back-up data, directory structure of Cisco Prime applications, starting Cisco Prime LMS Server locked out of, diagnosing server status, verifying
B-18 B-3 B-27 B-17 8-48 8-46 5-24 17-8 17-8 17-8 D-6 D-6 D-6 D-6 D-7 D-7
Software Center jrm

B-20
B-25 B-17
Java Plug-in, which version to use osagent port change Solaris Windows suggestions User Tracking
B-19 B-19 B-4
outdated entries in User Tracking table Troubleshooting and FAQs trunk ports customizable groups system defined groups
5-44 7-22 B-38
B-7
grouping services
17-8
end host discovery on trunk ports

5-43
U
UNIX systems changing login module to local UNIX system log files, maintaining on
10-22 17-3 2-29
requirements for use
user accounts setting up Cisco.com local

2-13 2-41
user and host acquisition administration delete interval, modifying

7-20 7-23
end host user information, importing ping sweep options, modifying

7-18
IN-13
Index
purge policy, specifying schedule, modifying

7-18
15-1
viewing application license information

7-20 3-30
subnet discovery, configuring user-defined collector groups user defined groups editing
5-46 5-65
collector group group details views
5-71 5-71
collector group details

5-17
membership details
7-18 7-8
5-72
User Tracking acquisition schedule, modifying acquisition settings, modifying command-line interface DHCP snooping Dynamic updates FAQs error logging
B-9 B-8 7-25 7-24 7-24 A-25
log file
17-9 5-46
view groups
VNM Administration, using SNMP settings, modifying

8-19
Dynamic User Tracking
W
warnings regarding
length of time data is maintained non-CDP devices MACUHIC

7-25 7-3 7-3 B-8
configuration change detection schedule, and purging 16-2 Windows 2003 or Windows NT systems log files, maintaining on Windows systems
7-13 7-11 17-3
Major Acquisition Minor Acquisition
properties from the backend, configuring User Tracking Debugger Utility understanding using using
7-2 7-2 A-29 7-10 A-38 A-37 A-37
changing the port for osagent jrm, running

B-19 B-20
properties that support duplicate MAC address
UT data, accessing UT data, importing various acquisitions User Tracking Utility installing
UT in DHCP environment
7-3
UTLite script, installing UTLite script, uninstalling UTLite, understanding

A-32
A-35 A-37
V
verifying Cisco Prime LMS Server status
B-3
IN-14
OL-20721-01

Cisco Prime LMS 4 1 Admin Ug

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cisco Prime LMS 4 1 Admin Ug

Uploaded by

Copyright:

Available Formats

Administration of Cisco Prime LAN Management Solution 4.

Text Part Number: OL-20721-01

xxiii xxiii xxiii xxiv xxvi

Document Conventions Product Documentation

Obtaining Documentation and Submitting a Service Request Notices

OpenSSL/Open SSL Project i-xxvii License Issues i-xxvii

Overview of Administration How the guide is organized? Administration Tasks

Administration of Cisco Prime LAN Management Solution 4.1 OL-20721-01

Administering LMS Server Using Daemon Manager

Administration of Cisco Prime LAN Management Solution 4.1

Device Performance Management Module Processes Fault Management Processes 3-16

Configuring a Default SMTP Server

Modifying System Preferences Configuring Log Files Rotation

Configuring Disk Space Threshold Limit Configuring TFTP

Effects of Third Party Backup Utility and Virus Scanner

Administration of Cisco Prime LAN Management Solution 4.1 OL-20721-01

5-1 5-2 5-3

Groups - Components and Basic Concepts

Administration of Cisco Prime LAN Management Solution 4.1

Administration of Cisco Prime LAN Management Solution 4.1 OL-20721-01

Administering Data Collection Scheduling Data Collection

Modifying Data Collection SNMP Timeouts and Retries

Data Collection Critical Device Poller

User Tracking and Dynamic Updates

Administration of Cisco Prime LAN Management Solution 4.1

Administering Collection Settings

Modifying Fault Management SNMP Timeout and Retries

Fault Monitoring Device Administration Device Management Functions

Administration of Cisco Prime LAN Management Solution 4.1 OL-20721-01

Administration of Cisco Prime LAN Management Solution 4.1

Monitoring and Troubleshooting Settings Loading MIB Files Configuring NAM

Configuring Fault Poller Settings For Topology

Notification and Action Settings Customizing LMS Events

Understanding Notifications and Subscriptions

Administration of Cisco Prime LAN Management Solution 4.1 OL-20721-01

Administering Change Audit and Software Management Setting Up Preferences

Performing Change Audit Tasks Performing Maintenance Tasks

Administration of Cisco Prime LAN Management Solution 4.1

Using Job Browser

Enabling Approval and Approving Jobs Using Job Approval

Administration of Cisco Prime LAN Management Solution 4.1 OL-20721-01

Using Simple Search

Working With Software Center

Understanding Discrepancies and Best Practices Deviations

Administration of Cisco Prime LAN Management Solution 4.1

Administration of Cisco Prime LAN Management Solution 4.1 OL-20721-01

16-1 16-1 16-2

Purging Reports Jobs and Archived Reports

View Performance Purge Details IPSLA Data Purging Settings

Configuring the Daily Fault History Purging Schedule

Configuring Discovery Logging

Fault Debugging Settings

Administration of Cisco Prime LAN Management Solution 4.1

Understanding LMS Tasks

Administration of Cisco Prime LAN Management Solution 4.1 OL-20721-01

Required and Recommended Solaris Patches

About Java Plug-ins

20-1 20-1 20-2 20-3

Installing or Uninstalling the Java Plug-in Installation of Java Plug-in on Windows

Installation of Java Plug-in on Solaris/Soft Appliance

Administration of Cisco Prime LAN Management Solution 4.1

Administration of Cisco Prime LAN Management Solution 4.1 OL-20721-01

Troubleshooting and FAQs