Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 V

Home , NetShow, Security Account Manager

Preface

Administration in Cisco Prime LAN Management Solution (LMS) 4.2 groups all the activities and tasks that a user with Network or System Administrator privileges needs to perform. This preface details the related documents that support the Admin feature, and demonstrates the styles and conventions used in this guide. This preface contains: • Audience • Document Conventions • Product Documentation

Audience

This guide is for users who are skilled in network administration and management, and for network operators who use this guide to make configuration changes of devices using LMS. The network administrator or operator should be familiar with the following: • Basic Network Administration and Management • Basic Solaris System Administration • Basic Windows System Administration • Basic Soft Appliance System Administration • Basic LMS Administration

Document Conventions

Table 1 describes the conventions followed in the user guide.

Table 1 Conventions Used

Item Convention Commands and keywords boldface font Variables for which you supply values italic font Displayed session and system information screen font Information you enter boldface screen font

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 v

Table 1 Conventions Used (continued)

Item Convention Variables you enter italic screen font Menu items and button names boldface font Selecting a menu item in paragraphs Option > Network Preferences Selecting a menu item in tables Option > Network Preferences

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Product Documentation

Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

Table 2 describes the product documentation that is available.

Table 2 Product Documentation

Document Title Available Formats Administration of Cisco Prime LAN Management • On Cisco.com at Solution 4.2 (this document) http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.2/ user/guide/admin/admin.html • PDF version part of Cisco Prime LMS 4.2 Product DVD. Context-sensitive online help Select an option from the navigation tree, then click Help. Getting Started with Cisco Prime LAN • On Cisco.com at Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.2/ user/guide/getting_started/ lms42_getstart_guide.html • PDF version part of Cisco Prime LMS 4.2 Product DVD. Configuration Management with Cisco Prime • On Cisco.com at LAN Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.2/ user/guide/configuration/config.html • PDF version part of Cisco Prime LMS 4.2 Product DVD.

Administration of Cisco Prime LAN Management Solution 4.2 vi OL-25947-01

Table 2 Product Documentation (continued)

Document Title Available Formats Monitoring and Troubleshooting with Cisco • On Cisco.com at Prime LAN Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.2/us er/guide/lms_monitor/lms_mnt.html • PDF version part of Cisco Prime LMS 4.2 Product DVD. Inventory Management with Cisco PrimeLAN • On Cisco.com at Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.2/us er/guide/inventory/inventory.html • PDF version part of Cisco Prime LMS 4.2 Product DVD. Technology Work Centers in Cisco Prime LAN • On Cisco.com at Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.2/us er/guide/workcenters/wcug.html • PDF version part of Cisco Prime LMS 4.2 Product DVD. Reports Management with Cisco PrimeLAN • On Cisco.com at Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.2/us er/guide/reports/lms42_reports_guide.html • PDF version part of Cisco Prime LMS 4.2 Product DVD. Installing and Migrating to Cisco Prime LAN • On Cisco.com at Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.2/in stall/guide/install.html • PDF version part of Cisco Prime LMS 4.2 Product DVD. Navigation Guide for Cisco Prime LAN • On Cisco.com at Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.2/N avigation/guide/lms42_nav_guide.html • PDF version part of Cisco Prime LMS 4.2 Product DVD. Open Database Schema Support in Cisco Prime • On Cisco.com at LAN Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.2/da tabase_schema4.2/guide/dbviews.html • PDF version part of Cisco Prime LMS 4.2 Product DVD.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 vii

Table 2 Product Documentation (continued)

Document Title Available Formats Release Notes for Cisco Prime LAN Management • On Cisco.com at Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.2/re lease/notes/lms42rel.html • PDF version part of Cisco Prime LMS 4.2 Product DVD. Supported Devices Table for Cisco Prime LAN • On Cisco.com at Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/ ciscoworks_lan_management_solution/4.2/de vice_support/table/lms42sdt.html • PDF version part of Cisco Prime LMS 4.2 Product DVD. Documentation Roadmap for Cisco Prime LAN Printed document part of Software kit Management Solution 4.2

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

Administration of Cisco Prime LAN Management Solution 4.2 viii OL-25947-01

Notices

The following notices pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected].

OpenSSL License: Copyright © 1998-2007 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”. 4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 1 Notices

5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”. THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS”' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

Original SSLeay License: Copyright © 1995-1998 Eric Young ([email protected]). All rights reserved. This package is an SSL implementation written by Eric Young ([email protected]). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]). Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: “This product includes cryptographic software written by Eric Young ([email protected])”. The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related. 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson ([email protected])”.

Administration of Cisco Prime LAN Management Solution 4.2 2 OL-25947-01 Notices

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3 Notices

Administration of Cisco Prime LAN Management Solution 4.2 4 OL-25947-01

CHAPTER 1

Overview of Administration

This guide is intended for Local Area Network (LAN) administrators and management professionals who perform LAN configurations and monitor LAN performance. The Admin menu groups all the activities and tasks that a user with Network or System Administrator privileges can perform. This section explains: • How the guide is organized? • Administration Tasks • Understanding the System Dashboard

How the guide is organized?

The Administration user guide is organized as follows:

Table 1-1 Administration User Guide

Chapter Description Chapter 1, “Overview of Administration” Provides information on the organization of Administration with Cisco Prime LMS user guide, and describes the System Dashboard portlets in LMS. Chapter 1, “Setting up Security” Describes the security mechanisms that help to prevent unauthenticated access to LMS server, Cisco Prime applications, and data. LMS provides features for managing security while operating in single-server and multi-server modes. Chapter 1, “Administering LMS Server” Describes how to use administrative features to ensure that the server is performing properly. You can manage processes, set up backup parameters, update licensing information, collect server information, manage jobs and resources, and configure system-wide information on the Cisco Prime LMS Server. Chapter 1, “Administering Discovery Describes how to configure discovery settings, and perform administrative tasks Settings and Device and Credential Repos- in DCR. itory”

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 1-1 Chapter 1 Overview of Administration How the guide is organized?

Table 1-1 Administration User Guide (continued)

Chapter Description Chapter 1, “Managing Groups” Describes how to use the Grouping feature in LMS. LMS 4.2 has a more robust device grouping which can support 600 device groups. The other grouping services that are available in LMS are: • Fault Group • IPSLA Collector Group • Port and Module Group Chapter 1, “Administering Data Collec- Describes how to use Data Collection. tion” Chapter 1, “User Tracking and Dynamic Describes how to use User Tracking and Dynamic Updates. Updates” User Tracking allows you to track end stations. Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps.which Chapter 1, “Administering Collection Describes how to configure the various collection settings in LMS. Settings” Chapter 1, “Monitoring and Troubleshoot- Describes how to configure all the administrative tasks that you need to perform ing Settings” to monitor and troubleshoot your network using LMS. Chapter 1, “Notification and Action Describes how to configure the the administrative tasks involved in setting up no- Settings” tification, syslog settings. You can also customize the names and event severity, create and activate a notification subscriptions, and setup up automated actions for Change Audit tasks and syslogs. Chapter 1, “Administering Change Audit Describes how to perform Change Audit tasks and set your preference to and Software Management” download images. Chapter 1, “Managing Jobs” Describes how to manage jobs in LMS, and set up job approval for certain modules in LMS. Chapter 1, “Working With Software Describes how to use the Software Center to check for software and device Center” support updates, download them to their server file system along with the related dependent packages, and install the device updates. Chapter 1, “Discrepancies and Describes how to use the Discrepancies Reporting module of LMS to view the Best Practices Deviations” discrepancies and best practices deviations in your network. Chapter 1, “Report Setting” Describes how to configure some settings for generating reports and set a report publish location. Chapter 1, “Purge Settings” Describes how to configure the purge settings of all modules in LMS. Chapter 1, “Debugging Options” Describes how to configure the debugging settings of all modules in LMS. You can also view the details of all the log files. Chapter 1, “Understanding LMS Tasks” Describes all LMS tasks. Appendix 1, “CLI Tools” Describes all the CLI utilities that are available for the administrator in LMS 4.2. Appendix 1, “Troubleshooting and FAQs” Provides troubleshooting and FAQs. Appendix 1, “Data Extraction Engine” Describes how to export User Tracking, Topology, and Discrepancy application data using Data Extraction Engine

Administration of Cisco Prime LAN Management Solution 4.2 1-2 OL-25947-01 Chapter 1 Overview of Administration Administration Tasks

Table 1-1 Administration User Guide (continued)

Chapter Description Appendix 1, “Understanding Cisco Prime Describes the various levels of security implemented in Cisco Prime LMS. Security” Appendix 1, “Commands to Enable MAC Provides information on the list of commands that needs to run on each device Notification Traps on Devices” to enable MAC Notification traps

Administration Tasks

The System Administration tasks are grouped into: • Authentication Mode Setup • Backup • Cisco.com Settings • Debug Settings • Group Management • License Management • Log Rotation • Server Monitoring • SMTP Default Server • Device Management Functions • Software Center • System Preferences • User Management The Network Administration tasks are grouped into: • Change Audit Settings • Discovery Settings • PSIRT, EOS and EOL Settings • Configuration Job Settings • Device Credential Settings • Best Practises Deviation Settings • Display Settings • Monitor and Troubleshoot • Notification and Action Settings • Purge Settings • Resource Browser • Software Image Management The Collection Settings are grouped into: • Config

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 1-3 Chapter 1 Overview of Administration Administration Tasks

• Data Collection • Fault • Inventory • Performance • Syslog • User Tracking • VRF Lite Apart from the system administration and network administration tasks, you can also perform: • Trust Management – Local Server – Multi Server • Job Management – Job Browser – Job Approval The two dashboards in the Admin menu are: • System Dashboard. For more information, see Understanding the System Dashboard • Device Status Dashboard. This section is explained in the Inventory Online Help.

IPv6 Support in LMS LMS provides IPv6 Support for the following features:

Administration of Cisco Prime LAN Management Solution 4.2 1-4 OL-25947-01 Chapter 1 Overview of Administration Administration Tasks

Application IPv6 Supported Features Common Services The following features in Common Services support IPv6: • Device Discovery Common Services Device Discovery allows you to discover devices from IPv6 networks, using CDP and Ping Sweep on IP Range Device Discovery modules. • DCR and Grouping Services DCR supports IPv6 and stores the expanded format of IPv6 Addresses that are discovered by the CDP and Ping Sweep on IP Range modules. • Device Polling The device polling feature allows you to poll device using IPv6 address. • Device Selector The device selector feature allows you to search a device using IPv6 address either in a compressed format or in a expanded format. • Configuring Default Credentials You can define a default credential policy type based on the standard IPv6 Address format (6 octets separated by periods). You can now create group rules based on IPv6 management addresses. LMS supports IPv6 Addressing scheme in the following Device Discovery pages: • Seed Device Setting Page • SNMP Settings Page • Filter Settings Page In the Device Troubleshooting home page, the existing IP Address field supports IPv6 Addresses.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 1-5 Chapter 1 Overview of Administration Administration Tasks

Application IPv6 Supported Features Inventory, Config and The following features/technologies in Inventory, Config and Image Image Management Management support IPv6: • Assigning an IPv6 Address to a Layer 3 device or VLAN • Retrieving software files from a device • Distributing different versions of software to a device • Scheduling retrieval of software from a device • Retrieving configuration files from a device • Distributing a new configuration to a device • Distributing a historical configuration file to a device • Scheduling distribution of configuration files to a device • Provisioning Auto Smart Ports on ASP-capable devices • Medianet • Provisioning Identity on Identity-capable devices • Configuring Syslogs • IPv6 sorting in Work Center Grids. CiscoView CiscoView allows you to enter an IPv6 Address of a device to display the device view for configuring and remote monitoring.

Administration of Cisco Prime LAN Management Solution 4.2 1-6 OL-25947-01 Chapter 1 Overview of Administration Administration Tasks

Application IPv6 Supported Features Network Topology, The following features in Network Topology, Layer 2 Services and User Layer 2 Services and Tracking support IPv6: User Tracking • Data Collection The following tasks related to Data Collection are supported in the IPv6 environment: – SNMP Timeout and Retry configuration for IPv6 devices – Viewing Data Collection Metrics and reports for IPv4/IPv6 devices – Creating group rules based on IPv6 Subnet and IPv6 Subnet Masks – Device-based debugging for IPv6 devices • Topology The following tasks related to Topology are supported in the IPv6 environment: – Setting an IPv6 Address as the preferred Management Address from Topology view – Cross-launching Inventory, Config and Image Management and CiscoView from Topology Services - Device Dashboard and Add to Critical Poller – Selecting IPv6 devices for Device Type Topology Filter • Network Topology, Layer 2 Services and User Tracking Reports IP Address fields in all these reports except User Tracking reports can now display IPv6 Addresses. You can sort the reports based on IP Addresses (IPv4 and IPv6). • VLAN Configuration The following VLAN related configurations are supported in the IPv6 environment: – Configure VLAN – Delete VLAN – Create Private VLAN – Delete Private VLAN – Configure Port Assignment – Configure Promiscuous Ports – Create Trunk – Modify Trunk Attributes Monitoring and LMS supports IPv6 Addressing scheme in Device Performance Troubleshooting Management.

Note In LMS, IPv6 support is provided for Dual stack devices.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 1-7 Chapter 1 Overview of Administration Understanding the System Dashboard

Understanding the System Dashboard

The System Dashboard has the following portlets:

Note The data in these portlets does not appear based on any role-based authorization, both device-level or user-level authorization.

• Cisco Prime Product Updates • Critical Message Window • Device Credentials and AAA Information • Log Space Usage • Process Status • System Backup Status • User Login Information • Job Information Status • Audit Trail Information • Job Approval • Syslog Collectors Information • Supported Device Finder Portlet • VRF Collector Summary • Collection Summary Portlet

Cisco Prime Product Updates

You can view the recent updates and announcements of Cisco Prime products using Cisco Prime Product Updates.

Critical Message Window

In the Critical Message Window portlet, you can view the alerts for Cisco Prime Drive Utilization and for processes that are down. For details, see Utilizing Space in the Cisco Prime Drive. For instance, if the usage of the drive exceeds the specified limit, the alerts appear. You can click the help link to view the details, and can reduce drive utilization. You must configure the refresh time in the portlets. You can also get information about: • Authentication mode fallback Authentication mode from which the user fallbacks to the Local Authentication module. This message appears when the user is in fallback mode. • License expiration

Administration of Cisco Prime LAN Management Solution 4.2 1-8 OL-25947-01 Chapter 1 Overview of Administration Understanding the System Dashboard

• Single Sign On (SSO) master unreachability, which is applicable only for a slave server.

Utilizing Space in the Cisco Prime Drive

You can use the space in Cisco Prime LMS drive in the following ways: • Delete the unwanted log files from the NMSROOT directory. • Use the log rotate functionality, to rotate the logs to other drives. • Remove unwanted files from the NMSROOT drive.

Note The Authentication modes appear in the Critical Message Window portlet (in red) if you do not have full privileges in the Device Credential and AAA Information portlet.

Table 1-2 lists the Critical Message Window portlet details.

Table 1-2 Critical Message Window Portlet

Details Description Cisco Prime Drive Utilization Displays the utilization of the drive for Windows, Solaris and Soft Appliance. For Windows: Drive is where the product is installed. For example, 'C' drive in case of "C/Program Files/CSCOpx" For Solaris/Soft Appliance: The portlet displays the File System utilization of the following: /opt - Product Installed location /var - Log file details location. Processes xyz are down. Displays the processes that are down. For example:ESS, EssMonitor, Proxy All the processes that are down are displayed in red in the and so on. portlet. However, when Fault processes such as DFMCTMStartup and Data Purge are down, they are not displayed in the Critical Message Window portlet.

Device Credentials and AAA Information

The Device Credentials and AAA Information portlet allows you to view the information about the device credentials, admin settings, security settings, and device polling status. The security settings enable you to view the security settings in LMS such as the Authentication mode, and Single sign-on configuration. Table 1-3 lists the Device Credentials and AAA Information portlet details.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 1-9 Chapter 1 Overview of Administration Understanding the System Dashboard

Table 1-3 Device Credentials and AAA Information Portlet

Field Description Authentication Mode Mode selected to authenticate the LMS server when logging into the LMS application. For example, TACACS+, MS Active Directory. • If the status is displayed in green, authentication is successful in the local or external server. • The status is in red when you log into the Cisco Prime application in fallback mode. Authorization Mode Mode used to authorize the user after authentication. From LMS 4.0, only the Local Authentication mode is used to authenticate users, and authorize them to access Cisco Prime LMS. ACS mode is not available. Single Sign On (SSO) Mode SSO mode such as Stand alone and Master/Slave. No. of Devices Number of devices. Click on the number to view the DCR Device Management page details. DCR Mode DCR mode such as Standalone, Master, Slave. For more information about DCR mode, see DCR Architecture in Inventory Management Online Help. For more information on changing the DCR mode, see Changing DCR Mode. Device Polling Status Device Polling Status Status of the device polling. The status can be either enabled or disabled. If the status is enabled, then it displays the scheduled jobs along with the Job ID. For example Job ID: 1034. Device Polling Frequency Polling frequency of the devices. This frequency can be: • Every 6 hours • Every 12 hours • Daily • Weekly • Monthly Total Unreachable Devices Total number of devices that are not reachable. Click the unreachable device link to view the report. Next Polling Schedule Time at which the next polling is scheduled.

Log Space Usage

In Log Space Usage portlet, you can manage the reports on log file size. The Log Space Usage portlet also displays details of all log files, including the Tomcat and Apache log files. You must configure the refresh time in the portlets. Table 1-4 lists the Log Space Usage portlet details.

Administration of Cisco Prime LAN Management Solution 4.2 1-10 OL-25947-01 Chapter 1 Overview of Administration Understanding the System Dashboard

Table 1-4 Log Space Usage Portlet

Field Description Log File Name of the log file such as syslog.log, EDS.log upm_base.log, and so on. The asterisk (*) displayed along with some log file name denotes that there are multiple files available. Directory Displays the location of the logfile. For instance, var/adm/CSCOpx/log. File Size Current size of the log file in kilo bytes.

You can click the portlet name in the title bar of the portlet to navigate to Log File status report page (Reports > System > Status > Log File). For more information on the list of log files, see Maintaining Log Files.

Process Status

In Process Status portlet, you can manage all the activities or jobs. Table 1-5 lists the Process Status portlet details.

Table 1-5 Process Status Portlet

Field Description State Status of the process, such as Failed to start, Running normally and Shutdown. No. of Process Number of processes in each state.

You can click the portlet name in the title bar of the portlet to navigate to the Process Status report page (Reports > System > Status > Process). You can click the link displayed in the portlet to start or stop the process.

System Backup Status

In the System Backup Status portlet, you can view the details such as the current backup schedule, last backup status, last backup location and the time when the last backup was completed. You should back up the database regularly so that you have a safe copy of the database. You cannot back up the database while restoring it. Whenever you perform a backup, all the databases of the installed applications are backed up. LMS provides a single backup and restore facility to back up and restore all applications installed on the LMS server. You cannot backup or restore individual portal databases without the LMS backup utility. See, Backing up Data Using CLI for more information on the backup utility. To schedule system backups at regular intervals, select Admin > System > Backup. Table 1-6 lists the System Backup Job Details portlet fields.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 1-11 Chapter 1 Overview of Administration Understanding the System Dashboard

Table 1-6 System Backup Job Details Portlet

Field Description Backup Schedule Date and time at which the backup was scheduled. You can click the link corresponding to the Backup Schedule to view/schedule the respective Backup Job details. Last Backup Completed at Date and time when the last backup was completed. Last Backup Status Status of the last backup. Last Backup Location Location of the last backup.

You can click on the portlet name in the title bar of the portlet to navigate to the Backup Job page.

User Login Information

In the User Login Information portlet, you can view the information on users currently logged into LMS server. You must configure the refresh time in the portlets. Table 1-7 lists the User Login Information portlet details.

. Table 1-7 User Login Information Portlet

Field Description No. of Logged-in Users Number of users who have logged in. You can click the number of logged-in users to view the Who is Logged on Report page (also available from Reports > System > Users > Who is Logged On). Users Log-in details of all users and the number of sessions opened by each user.

Note You can send broadcast messages to logged-in users by clicking the Send Message to all users link displayed in the User Login Information and the users will receive the message within 60 seconds by default.

You can click the portlet name in the title bar of the portlet to navigate to the Who is Logged on Report page. For more information on setting up local users, see Setting up Local Users.

Job Information Status

In the Job Information Status portlet, you can view the status of up to 20 jobs of the installed applications. You can click the portlet name in the title bar of the portlet to navigate to the Job Browser page. You must configure the refresh time in the portlets.

Administration of Cisco Prime LAN Management Solution 4.2 1-12 OL-25947-01 Chapter 1 Overview of Administration Understanding the System Dashboard

Table 1-8 lists the Job Information Status portlet details.

Table 1-8 Job Information Status Portlet

Field Description Job ID Unique ID assigned to the job by the system, when the job is created. The Job IDs are displayed in ID.No.of.Instances format in periodic jobs. For example, the Job ID 1002.11 indicates that this is the eleventh instance of the job whose ID is 1002. When you click the Job ID, the job details, if available, are displayed. Job Type Type of the job. For example, Inventory Collection, SyslogDefaultPurge, and Net Config Job. Status Status of the scheduled jobs that are completed. The Job states include Succeeded, Failed, Crashed, Cancelled, and Rejected. The status of the succeeded jobs are displayed in green and the Failed, Crashed, Cancelled, and Rejected jobs are displayed in red. Job Description Description of the job provided by the job creator. It can contain alphanumeric characters. Owner Name of the user who created the job. Scheduled At Date and time at which the job is scheduled to run.

Audit Trail Information

In the Audit Trail Information portlet, you can view the details of the changes made to the LMS application by the user. You must configure the refresh time in the portlets. Table 1-9 lists the Audit Trail Information portlet details.

Table 1-9 Audit Trail Information Portlet

Field Description User Name Name of the person who performed the change. This is the name entered when the person logged in. It can be the name under which the LMS application is running, or the name under which the Telnet connection is established. Application Name Name of the LMS component involved in the network change. For example, Change Audit, Device Management, ICServer, NetConfig, and NetShow. Creation Time Date and the time at which the changes were performed on the LMS server. Description Brief summary of the change that occurred on the LMS server.

You can click the portlet name in the title bar to navigate directly to the Report Generator page.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 1-13 Chapter 1 Overview of Administration Understanding the System Dashboard

Job Approval

In Job Approval portlet, you can view the list of all jobs. To configure Job Approval portlet, see Configuring the Job Approval portlet. Table 1-10 lists the Job Approval portlet details.

Table 1-10 Job Approval Portlet

Field Description Job ID ID of the job that has been given for approval. The unique number assigned to the job. For periodic jobs such as Daily, Weekly, and so on, the job IDs are in the number x format. The x represents the number of instances of the job. For example, 1001.3, indicates that this is the third instance of the job ID 1001. Click the Job ID hyperlink to view the job details. Job Description Description of the job. Job Schedule Date and time for which the job is scheduled.

The Job Approval portlet allows you to approve or reject a job for which you are an approver. A job will run only if it is approved. If the job is not approved by its scheduled runtime, or if an approver rejects it, the job is moved to its rejected state and will not run. For periodic jobs, only one instance of the job needs to be approved. If one instance is approved, all other instances are also considered as approved. You are notified by e-mail, when a job approved by you is created. This portlet enforces the approval process by sending job requests through e-mail to people on the approved list. You can click the portlet name in the title bar to navigate directly to the Jobs Pending Approval details page in LMS. In the Job Approval portlet, you can view the list of Job details. You can configure the Job Approval portlet to set the number of records to be displayed in the portlet, and refresh time both manually and automatically.

Configuring the Job Approval portlet To configure the Job Approval portlet:

Step 1 Click the Configuration icon. You can: Step 2 Select the minute and hour from the Refresh Every drop-down list to change the refresh time. The items in the portlet get refreshed at the changed Refresh frequency. Step 3 Select the number of records to be displayed in the portlet from the Show Last Records drop-down list. Step 4 Click Save to view the portlet with the configured settings.

Administration of Cisco Prime LAN Management Solution 4.2 1-14 OL-25947-01 Chapter 1 Overview of Administration Understanding the System Dashboard

Syslog Collectors Information

Syslog Collectors Information portlet displays the list of remote Syslog collectors subscribed to the LMS servers. It contains the syslog collector information such as the name of the remote syslog, analyzer name, status and the number of packets received. Syslog Collector is a service to receive, filter and forward syslogs to one or more Syslog servers. In this way the collectors reduces traffic on the network as well as the processing load on the server. By default you can only view the remote Syslog analyzer name, status and the number of packets received. However, you can configure the portlet for you to view the other details in the portlet such as the number of packets that are filtered, invalid, dropped, or forwarded. Table 1-11 lists the Syslog Collectors Information portlet details.

Table 1-11 Syslog Collectors Information Portlet

Field Description Name Host name or the IP address on which the collector is installed. Status Status of the Remote Syslog Collector. For example, whether it is connected. Received Number of packets received.

To configure Syslog Collectors Information:

Step 1 Move the mouse over the title bar of the Syslog Collector Step 2 Click the configuration icon. You can: • Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The items in the portlet get refreshed at the changed Refresh frequency. • Select the check box against the type of syslog message (Filtered, Invalid, Dropped, Forwarded) to view the respective columns in the Syslog Collector portlet. – Filtered—Number of filtered messages. Filters are defined with the option Message Filters option. See Defining Syslog Message Filters for more information. – Invalid—Number of invalid Syslog messages. – Dropped—Number of Syslog messages dropped. – Forwarded—Number of forwarded Syslog messages. Step 3 Click Save to view the portlet with the configured settings.

Supported Device Finder Portlet

The Supported Device Finder portlet enables you to view the details of the devices that are supported in various LMS applications. By default the Supported Device Finder portlet is added to the System View. This portlet enables you to: • Locate the supported devices in the LMS applications

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 1-15 Chapter 1 Overview of Administration Understanding the System Dashboard

• Get the latest updates on devices that are supported and those that will be supported in the upcoming releases. • Raise a request through mail to support a new device that is not supported. You can search the support of devices added to the DCR using the following search options: • IP Address • Host Name • Device Name • Model Name • SysObjectID To search using Supported Device Finder portlet:

Step 1 There are three scenarios when the device is not supported: • If the device is not supported in the current installation the following message appears:

The device is not supported, click here for more information. • If the requested device is supported in later releases, and not available with your present installation, the following message appears: Not supported in Installed version <>. Support available in version << version number>>

Note If the device is not currently supported with your existing package, you can install the latest IDU from Cisco.com to get the device support.

• If the requested device is not supported in any releases, the following message appears:

The device is not supported, click here for more information.

Step 2 Click the click here link and a popup box appears: The popup box has the following information: • OK button to raise a request for the unsupported device. • Disclaimer: Please note that all efforts will be made to provide support to this request, however we are unable to commit to a time-line at this moment. • Links to the latest device updates • Link to the Supported Devices Table Step 3 Click OK button to raise a request for the SysObject ID or Model Name. For example, sysobjectId or Model name. The SysobjectID or the Model Name appears based on the entries made in the portlet. The default mail client is launched. The To field and Subject field has the following address and entries: • To field: [email protected] • Subject field: Request for new Device Support. For example, <> The body lists the application names. Step 4 Enter Yes against the respective application names for which device support is required.

Administration of Cisco Prime LAN Management Solution 4.2 1-16 OL-25947-01 Chapter 1 Overview of Administration Understanding the System Dashboard

Step 5 Click Send to send a request.

IP Address You can use the IP Address option to search the devices that are supported in the LMS application. To search using the IP Address:

Step 1 Select the IP Address from the drop-down list. Step 2 Enter an IP Address in the IP Address field and click Submit. All applications are displayed, regardless of whether they are installed or not. The supported servers are also displayed. • If the requested device is supported in the later releases and you have not installed it, the following support details are displayed: Supported in LMS 3.2. Click here to download • If the requested devices is in the roadmap of next recent releases, the following supported details message is displayed. Support expected by Sept ‘08. • If the requested device is not supported in any release, the following supported details are displayed. Click here to send a request to support team.

Host Name You can use the Host Name option to search the devices that are supported in the LMS applications. To search using the Host Name:

Step 1 Select the Host Name from the drop-down list. Step 2 Enter a Host Name in the Host Name field and click Submit.

Note The valid Host Name characters are A-Z, a-z, 0-9, _.

All LMS functions are displayed. The supported servers are also displayed. The LMS applications are: • Inventory, Config and Image Management • Network Topology, Layer 2 Services and User Tracking • Fault Management • IPSLA Performance Management • Device Performance Management For more information on the server supported details, see Step 2 of IP Address.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 1-17 Chapter 1 Overview of Administration Understanding the System Dashboard

Device Name You can use the Device Name option to search the devices that are supported in the LMS applications. To search using the Device Name:

Step 1 Select the Device Name from the drop-down list.

Note The valid Device Name characters are A-Z, a-z, 0-9, _.

Step 2 Enter a Device Name in the Device Name field and click Submit. All LMS functions are displayed. The supported servers are also displayed. For more information on the server supported details, see Step 2 of IP Address.

SysObjectID You can use the SysObjectID option to search the devices that are supported in the LMS application. To search using the SysObjectID:

Step 1 Select the SysObjectID from the drop-down list. Step 2 Enter a SysObjectID in the SysObjectID field and click Submit. All LMS functions are displayed, regardless of whether they are installed or not. The supported servers are also displayed. For more information on the server supported details, see Step 2 of IP Address.

Model Name You can use the Model Name option to search the devices that are supported in the LMS application. To search using the Model Name:

Step 1 Select the Model Name from the drop-down list. Step 2 Enter a Model Name in the Model Name field and click Submit. All LMS functions are displayed. The supported servers are also displayed. For more information on the server supported details, see Step 2 of IP Address.

Note You can also use a wildcard search, (*), to search for the model name.

VRF Collector Summary

In the VRF Collector Summary portlet, you can view details of the VRF collection, number of VRFs discovered, number of VRF-supported and VRF-capable devices.

Administration of Cisco Prime LAN Management Solution 4.2 1-18 OL-25947-01 Chapter 1 Overview of Administration Understanding the System Dashboard

Table 1-12 lists the VRF process summary portlet details.

Table 1-12 VRF Process Summary Portlet

Field Description VRF Collector Status Status of the VRF Collector. The two states are: • Running—Indicates that the VRF collector is running. • Idle—Indicates that the VRF collector is not running. VRF Collector Last Completion Time Indicates the time when the VRF collection is completed. Total VRFs Discovered Total number of VRFs discovered. Click the number to launch the Virtual Network Manager Report. VRF Supported Devices [H/W and S/W Number of VRF-supported devices. These devices have both VRF-supported Supported] hardware and software. Click the number to launch the VRF Readiness report. VRF Capable Devices [H/W Supported, Number of VRF-capable devices. These devices have VRF-supported hardware but S/W Update Required] these devices do not have the supported IOS image for VRF. Click the number to launch the VRF Readiness report.

Collection Summary Portlet

In the Collection Summary portlet, you can view details of the different collectors in LMS. Table 1-13 lists the Collection Summary portlet details.

Table 1-13 Collection Summary Portlet

Field Description Collector Name Name of the Collector. The various collectors in LMS are: • Inventory Collection • Config Archive • EnergyWise Collection • Device Discovery • Fault Discovery • Topology Data Collection • UT Major Acquisition • VRF Collection Succeeded Indicates if the respective collection has completed successfully. Note In Inventory Collection, Succedded will give the count of devices that were successfully inventory collected at least once. In Config Archive, partial success state devices will not be shown in Succeeded or Failed columns.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 1-19 Chapter 1 Overview of Administration Understanding the System Dashboard

Table 1-13 Collection Summary Portlet (continued)

Field Description Failed Indicates if the respective collection has failed. Note In Inventory Collection, Failed will give the count of devices that are recently failed. A device which was previously successfully inventory collected and recently failed will have entry in both the columns. We should not compare this with DCR device count. Last Completion Time Indicates the time when the collection is completed. Current Status Status of the Collector. The two states are: • Running—Indicates that the collector is running. • Idle—Indicates that the collector is not running. Schedule Click the Schedule link next to the respective collector to launch the corresponding page. You can now schedule the collector.

To configure this portlet:

Step 1 Move the mouse over the title bar of the Collection Summary Portlet. Step 2 Click the configuration icon. Step 3 Select the Auto Refresh check box. Step 4 Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The items in the portlet get refreshed at the changed Refresh frequency. Step 5 Click Save to view the portlet with the configured settings.

Note The data in the above portlets is not populated based on device-level or user-level authorization. Role-based access control is not applicable to the portlets.

Note From LMS 4.2.2, the Collection Summary Portlet page will display the total number of managed devices in LMS server. The customer can view the detailed list of the devices managed by the LMS server by clicking the Managed Device count link on the Collection Summary Portlet page.

Administration of Cisco Prime LAN Management Solution 4.2 1-20 OL-25947-01

CHAPTER 2

Setting up Security

LMS 4.2 provides security mechanisms that help to prevent unauthenticated access to LMS server, LMS applications, and data. LMS provides features for managing security while operating in single-server and multi-server modes. You can specify the user authentication mode using the Authentication Mode Setup. This chapter explains the following: • Managing Security in Single-Server Mode • Managing Security in Multi-Server Mode • Setting up the Authentication Mode • Managing Roles • Managing Cisco.com Connection • Support Settings

Managing Security in Single-Server Mode

You can configure the following in Single-Server mode: • Browser-Server Security Mode Setup: LMS 4.2 Server uses Secure Socket Layer encryption to provide secure access between the client browser and management server and also among the management server and the devices. You can enable or disable SSL depending on your need to use secure access between the client browser and management server. • Local User Policy Setup: Set up username and password policies for local users using this option. • Local User Setup: Edit user settings, add users and assign roles, modify your profile and delete a user, or view a user’s settings using this option. • Self Signed Certificate Setup: Create self-signed certificates that can enable SSL connections between the client browser and the management server. You can set up browser-server security, add and modify users, and create self signed certificate using the features that come under Single-Server Management in the Security Settings user interface. The Single-Server Management page displays the mode of server security and the information on self signed certificate.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-1 Chapter 2 Setting up Security Managing Security in Single-Server Mode

To open the Single-Server Management page:

Step 1 Select Admin > Trust Management > Local Server The Browser-Server Security Mode Setup page appears. Step 2 Click Single-Server Management in TOC. The Single-Server Management page displays the mode of server security and the information on self signed certificate.

This section contains the following: • Setting up Browser-Server Security • Setting up Local User Policy • Setting up Local Users • Creating Self Signed Certificates

Setting up Browser-Server Security

LMS provides secure access between the client browser and management server. It does this using SSL (Secure Socket Layer). SSL encrypts the transmission channel between the client, and server. LMS provides secure access between the client browser, and management server. SSL is an application-level protocol that enables secure transactions of data through privacy, authentication, and data integrity. It relies upon certificates, public keys, and private keys. You can enable SSL if you want to open the LMS application in secure mode. If you want to open the LMS application in non-secure mode (http), you can disable SSL. The login pages always open in SSL mode, irrespective of the Browser-Server security mode. LMS Server uses certificates for authenticating secure access between the client browser and the management server. To enable SSL from the client browser, you must have the necessary security certificates on your computer. See Creating Self Signed Certificates for more information. You can enable or disable the Browser Server Security using LMS Server GUI or Command Line Interface CLI. This section has the following: • Enabling Browser-Server Security From the LMS Server • Disabling Browser-Server Security From the LMS Server

Administration of Cisco Prime LAN Management Solution 4.2 2-2 OL-25947-01 Chapter 2 Setting up Security Managing Security in Single-Server Mode

Enabling Browser-Server Security From the LMS Server

To enable Browser-Server Security:

Step 1 Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup. The Browser-Server Security Mode Setup dialog box appears. Step 2 Select the Enable option to enable SSL. Step 3 Click Apply. Step 4 Log out from your Cisco Prime session and close all browser sessions. Step 5 Restart the Daemon Manager from the LMS Server CLI: On Windows: a. Enter net stop crmdmgtd b. Enter net start crmdmgtd On Solaris/Soft Appliance: a. Enter /etc/init.d/dmgtd stop b. Enter /etc/init.d/dmgtd start Step 6 Restart the browser and the Cisco Prime session. When you restart the Cisco Prime session after enabling SSL, you must enter the URL with the following changes: • The URL should begin with https instead of http to indicate secure connection. Cisco Prime will automatically redirect you to HTTPS mode if SSL is enabled. • Change the port number suffix from 1741 to 443. If you do not make the above changes, LMS Server will automatically redirect you to https mode with port number 443. The port numbers mentioned above are applicable for LMS Server running on Windows. On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a different port during LMS Server installation.

Disabling Browser-Server Security From the LMS Server

To disable Browser-Server Security:

Step 1 Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup. The Browser-Server Security Mode Setup dialog box appears. Step 2 Select the Disable option to disable SSL. Step 3 Click Apply. Step 4 Log out from your Cisco Prime session, and close all browser sessions.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-3 Chapter 2 Setting up Security Managing Security in Single-Server Mode

Step 5 Restart the Daemon Manager from the LMS Server CLI: On Windows: a. Enter net stop crmdmgtd b. Enter net start crmdmgtd On Solaris/Soft Appliance: a. Enter /etc/init.d/dmgtd stop b. Enter /etc/init.d/dmgtd start Step 6 Restart the browser, and the Cisco Prime session. When you restart the Cisco Prime session after disabling SSL, you must enter the URL with the following changes: • The URL should begin with http instead of https to indicate that connection is not secure. • Change the port number suffix from 443 to 1741. The port numbers mentioned above are applicable for LMS Server running on Windows. On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a different port during LMS Server installation.

Setting up Local User Policy

You can setup username and password policies for Local Authentication users in LMS. With the new local user policy, you can: • Start the local username with a number • Include special characters in local username • Specify the length of local username • Specify the length of local user password • Include at least characters from lowercase, uppercase, digits and special characters in password. The password should not be: • Same as the username, or the username in reverse • Have the same character repeated three times, in sequence • A variant of the word Cisco You can apply only one local user policy at a time. You cannot define policies for each local user. The local user policy you set up applies to all users including the administrative users. The local usernames that begin with numbers and contain special characters are not subject to the security limitations of authentication and authorization in LMS Servers integrated with pluggable authentication modules such as Active Directory.

Administration of Cisco Prime LAN Management Solution 4.2 2-4 OL-25947-01 Chapter 2 Setting up Security Managing Security in Single-Server Mode

To set up local user policies:

Step 1 Select Admin > System > User Management > Local User Policy Setup. The Local User Policy Setup page appears. Step 2 Select Allow Special Characters in username to allow special characters in the username. You can include the following special characters in the username:

Special Character Description ~ Tilde @ Commercial At character # Number sign _ Underscore ' Apostrophe - Hyphen / Solidus or Leading slash \ Trailing slash .Period space Non-breaking space

Note You can add the special characters including hyphen and period in local username only when you have selected this check box. You cannot start a local username with special characters except _ (Underscore).

Step 3 Select Allow Username to start with numbers to allow the first character of a local username to be a numeral. You can enter any number between 0 to 9 in the username as the first character if you have enabled this option. Step 4 Enter the minimum and maximum length of username of local users. The default minimum length is 5 characters and the default maximum length is 256 characters. You can enter any number between 1 and 256 in the minimum and maximum fields. Ensure that you do not enter a number in minimum username length field that is greater than the number in maximum username length field. Step 5 Enter the minimum and maximum length of password of local users. The default minimum length is 5 characters and the default maximum length is 256 characters. You can enter any number between 1 and 256 in the minimum and maximum fields. Ensure that you do not enter a number in minimum password length field that is greater than the number in maximum password length field. Step 6 Click Apply to save the changes.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-5 Chapter 2 Setting up Security Managing Security in Single-Server Mode

Setting up Local Users

Local User Setup feature helps you to: • Import users • Export users • Modify your profile • Add a local user • Edit user profiles • Delete local users You can also set up local users and reset Cisco Prime password through CLI. This section explains: • About User Accounts • Understanding Security Levels • Importing and Exporting Local Users • Importing Local Users Using CLI • Importing Users From ACS • Adding and Modifying a Local User • Adding Local Users Using CLI • Assigning Roles on NDG Basis • Modifying Your Profile

About User Accounts

Several Cisco Prime network management and application management operations are potentially disruptive to the network, or to the applications themselves, and must be protected. To prevent such operations from being used accidentally or maliciously, Cisco Prime uses a multi-level security system that allows access only to certain features, to users who can authenticate themselves at the appropriate level. LMS provides two predefined login IDs for which the password is specified during installation: • guest—After authentication and authorization, user will have the default role. After a fresh installation, the default role is Help Desk. You can change the default roles, see Managing Roles for more information. • admin—This login provides the user access to all Cisco Prime tasks. However, as an administrator, you can create additional unique login IDs for users in your company.

Note The LMS Server Administrator can set the passwords for admin and guest users during installation. Contact the LMS Server Administrator if you do not know the password for admin.

Administration of Cisco Prime LAN Management Solution 4.2 2-6 OL-25947-01 Chapter 2 Setting up Security Managing Security in Single-Server Mode

Understanding Security Levels

System administrators determine user security levels when users are granted access to Cisco Prime. When users are granted logins to the Cisco Prime application, they are assigned one or more roles. A role is a collection of privileges that dictate the type of system access you have. A privilege is a task or operation defined within the application. The set of privileges assigned to you, defines your role and dictates how much and what type of system access you have. The user role or combination of roles, dictates the tasks that are presented to the users. For information on tasks that can be performed with each role, see Permissions Report (Reports > System > Users > Permission). See also About Cisco Prime Pluggable Authentication. Other roles are displayed, depending on your applications.

Importing and Exporting Local Users

You can import local users from the client. If you want to import local users to the local server from a remote LMS Server, you must first import the file from the remote server to the client and then use the import function from the LMS UI.

Note When you import local users, if there are no roles associated with the users, the default role will be associated with them.

You can also export the local users to an output file. You can import local users from the client through CLI. See, Importing Local Users Using CLI for more information. You can import local users from ACS through CLI. See, Importing Users From ACS for more information. Before you import users from the client, you must install the peer certificate of the remote server in the local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate for more information.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-7 Chapter 2 Setting up Security Managing Security in Single-Server Mode

To import users from a remote server:

Step 1 Select Admin > System > User Management > Local User Setup. The Local User Setup page appears. Step 2 You can do one of the following: • Import: – Click Import Users. You can import only files in the XML format. – Click Browse and select a file from the client. – Click Submit. To return to the Local User Setup page, click Cancel. • Export: – Select the users for whom you want to export information. If you want to select all the users, you can check the check box next to the User field. – Click Export. The files exported are in XML format. A message appears prompting you to open or save the LMSuserExport.xml file. This file is saved in the client. Click Cancel to return to the Local User Setup page.

Importing Local Users Using CLI

This feature allows you to import information about local users to the local server, from a remote LMS Server. You should have the privileges to import local users from the remote LMS Server through CLI. Before you import users from a remote server, you should install the peer certificate of the remote server in the local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate for more information. To import users from a remote server, enter the following commands: • NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -import Protocol Hostname Portnumber Username Password (on Solaris/Soft Appliance) • NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import Protocol Hostname Portnumber Username Password (on Windows) where, • Protocol — Protocol of the remote LMS Server. The supported values are HTTP or HTTPS. • Hostname — Hostname or IP address of the remote LMS Server. • Portnumber — Port Number of the remote LMS Server. • Username — Remote LMS Server login Username. • Password — Remote LMS Server login Password. For example, enter the following command to import the local users from the remote LMS Server lmsdocpc: NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin

Administration of Cisco Prime LAN Management Solution 4.2 2-8 OL-25947-01 Chapter 2 Setting up Security Managing Security in Single-Server Mode

Importing Users From ACS

To import users from ACS through CLI, enter the following commands: • NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -importFromAcs Filename Password (on Solaris/Soft Appliance) • NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -importFromAcs Filename Password (on Windows) where, • Filename — Output of executing CSUtil.exe. • Password — Default password assigned to all the importing users. To execute CSUtil.exe follow the steps below:

Step 1 Go to Start > Run in the ACS server. Step 2 Enter services.msc in the Run command and click OK It will list all the services registered. Step 3 Select CSAuth and right click to get the Stop option. Step 4 Click Stop to stop the CSAuth service Step 5 Execute the command /bin/CSUtil.exe -q -d from CLI. The output file which we got by running the CSUtil.exe should be given as the input while importing users.

Log Files The information on the users added or imported into the LMS Server is stored in the following files, when you use the import local user CLI commands: • /var/adm/CSCOpx/log/AddUser.log (on Solaris/Soft Appliance) • NMSROOT\log\AddUser.log (on Windows) The AddUser.log file registers the information on the number of users added or imported into LMS Server, number of duplicate users, error messages, and other information that you can use for troubleshooting.

Adding and Modifying a Local User

You can add more users into Cisco Prime as required. You can add only one user at a time through the user interface. See Adding Local Users Using CLI for adding bulk users. You can delete Stale Users From Cisco Prime LMS Portal. See Deleting Stale Users From LMS Portal for more details. To add or edit a user:

Step 1 Select Admin > System > User Management > Local User Setup. The Local User Setup page appears. Step 2 Click Add or Edit.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-9 Chapter 2 Setting up Security Managing Security in Single-Server Mode

The User Information dialog box appears with the following fields:

Field Description Username Enter the username. The value is case-insensitive. You can control the length of the username, start the username with a number, or include special characters in the local username. To do this, you must set up the username and password policy in the Local User Policy Setup page. See Setting up Local User Policy for information. Password Enter the password. You can control the length of the password when you set up policies for local users. See Setting up Local User Policy for information. Verify Password Re-enter the password. E-mail Enter the e-mail ID. This is mandatory if you assign the approver role to the local user. Otherwise, this is optional. Authorization Type Select the radio button corresponding to the authorization type. You can choose from: • Full Authorization–Select this radio button to enable full authorization to the user. • Enable Task Authorization–Select this radio button to enable a role, and the privileges and tasks associated with the roles, to the user. After you select this option, you have to select the desired role from the list of Roles. This is applicable for all devices. • Enable Device Authorization–Select this radio button to enable authorization to device groups. After you select this option, you have to: – Select the device group from the Device Group. – Select the role you want to associate with the device group. The user group can perform the tasks that are assigned to the chosen roles on the chosen device groups. Roles Select the check box corresponding to the role to specify the roles to be assigned to the user from the Roles pane. The user group can perform the tasks that are assigned to the chosen role on all devices and device groups. The following roles are available: • Help Desk • Approver • Network Operator • Network Administrator • System Administrator • Super Admin Network Level Login Enter the network device login credentials for LMS to communicate with the Credentials network devices. Username Enter the username.

Administration of Cisco Prime LAN Management Solution 4.2 2-10 OL-25947-01 Chapter 2 Setting up Security Managing Security in Single-Server Mode

Field Description Password Enter the password. Verify Password Re-enter the password. Enable Password Enter the enable password. Verify Password Re-enter the enable password.

Step 3 Click OK. To return to the Local User Setup page, click Cancel.

Adding Local Users Using CLI

You can add bulk local users through CLI. This feature allows you to specify a file that has the information about the local users as an input. The input file you use should be a plain text file.

Note You can use this CLI command for both system and user-defined roles.

Each local user information should be represented in the following format in the text file: Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword where, • Username — Local username. The local username is case-insensitive. • Password — Password for the local user account name. You can leave this field blank in the text file and enter the password in the command line when you run the CLI utility. Note that you should enter the password either in the command line or in the input text file. If you mention the password in both the places, the local user will be added with the password specified in the command line. On adding the user by giving password in the command line prompt, default role will be assigned to the user if the role is missing in the input file. • E-mail — E-mail address of the local user. This is mandatory if you assign the approver role to the local user. Otherwise, this is optional. • Roles — Roles to be assigned to the local user. You should assign one or more of the following roles to the user separated by comma. – Help Desk – Approver – System Administrator – Network Administrator – Network Operator – Super Admin • DeviceUname—Device login username • DevicePassword—Device login password • DeviceEnPassword —Device enable password.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-11 Chapter 2 Setting up Security Managing Security in Single-Server Mode

The following is an example of local user information to be represented in the input text file: admin123:admin123:[email protected]:Help Desk,System Administrator:admin:roZes123:roZes

To add local users through CLI, enter the following commands: • NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -add Filename Password (on Solaris/Soft Appliance) • NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -add Filename Password (on Windows) where, • Filename — Absolute path of the filename containing local users information. • Password — Common password for all user accounts specified in the input text file. This command line parameter is optional if you have specified the passwords for local users in the input text file. Note that you should enter the password either in the command line or in the input text file. If you specify this parameter, the local users are added to Cisco Prime only with this password irrespective of the password entries specified in the input text file. For example, enter the following command to add local users mentioned in the input file localuser.txt with the password admin: C:\progra~1\CSCOpx\bin\perl C:\progra~1\CSCOpx\bin\AddUserCli.pl -add C:\files\localuser.txt admin

Log Files The user information added or imported into the LMS Server is stored in the following files, when you use the import local user CLI command: • /var/adm/CSCOpx/log/AddUser.log (on Solaris/Soft Appliance) • NMSROOT\log\AddUser.log (on Windows) The AddUser.log file registers the information on the number of users added or imported into LMS Server, number of duplicate users, error messages and other information that you can use for troubleshooting.

Deleting Stale Users From LMS Portal This section describes how to delete stale users from LMS Portal. When you delete the user names from Cisco Prime Common Services application, they are deleted only from the Common Services database and not from LMS Portal database. The usernames remain in LMS Portal as stale users.

Administration of Cisco Prime LAN Management Solution 4.2 2-12 OL-25947-01 Chapter 2 Setting up Security Managing Security in Single-Server Mode

To delete stale users from LMS Portal:

Step 1 Go to the following link: http://server-name:portno/cwportal/c/portal/StaleUserDeletion. Step 2 In the URL, enter a server name and launch the URL in the browser window. The Portal Stale User Deletion page is displayed. Step 3 Click the Delete Stale Users button. The stale users are deleted from the Portal database.

Assigning Roles on NDG Basis

You can choose to assign any number of role and device group combinations for a selected user or user group to operate on Network Device Groups. You should note the following to assign roles on a NDG basis: • If you have assigned a Network Device Group to your AAA client (LMS Server and network devices), you must assign that device group to a role. You cannot have role and device group combinations assigned to a user without assigning the Network Device Group to your AAA client. • You can assign only one role to a user, to operate on an NDG. • If a user requires privileges other than those associated with the current role, to operate on an NDG, a custom role should be created. All necessary privileges to enable the user to operate on the NDG should be given to this role. For example, if a user needs to have Approver and Network Operator privileges to operate on NDG1, you can create a new custom role with Network Operator and Approver privileges, and assign the role to the user to operate on NDG1. • You cannot assign roles to the DEFAULT device group. When the DEFAULT (unassigned device group) is selected, you can perform only the Help Desk role, irrespective of the roles chosen. To assign the proper role, the network access server (NAS) should be added to device groups other than DEFAULT.

Modifying Your Profile

To edit your profile:

Step 1 Select Admin > System > User Management > Local User Setup. The Local User Setup page appears. Step 2 Click Modify My Profile to modify the credentials of the logged in user and the network device login credentials. Step 3 Enter the user login details like username, password, and e-mail address. The E-mail field is mandatory if you assign the approver role to the local user, otherwise, this is optional.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-13 Chapter 2 Setting up Security Managing Security in Single-Server Mode

Step 4 Enter the network device login credentials for LMS to communicate with the network devices. Enter the values for username, password, and enable password. Step 5 Click OK. To return to the Local User Setup page without saving the modifications, click Cancel.

Creating Self Signed Certificates

Cisco Prime allows you to create security certificates that enable SSL communication between your client browser and management server. Self signed certificates are valid for five years from the date of creation. When the certificate expires, the browser prompts you to install the certificate again from the server where you have installed Cisco Prime.

Note If you regenerate the certificate, when you are in multi-server mode, existing peer relations might break. The peers need to re-import the certificate in this scenario.

This section explains the following: • Creating a Self Signed Certificate From the User Interface • Working With Third Party Security Certificates

Administration of Cisco Prime LAN Management Solution 4.2 2-14 OL-25947-01 Chapter 2 Setting up Security Managing Security in Single-Server Mode

Creating a Self Signed Certificate From the User Interface

To create a certificate from the user interface:

Step 1 Select Admin > Trust Management > Local Server > Certificate Setup. The Certificate Setup page appears. Step 2 Enter the values required for the fields described in the following table: Field Usage Notes Country Name Two character country code. State or Province Two character state or province code or the complete name of the state or province. City Two character city or town code or the complete name of the city or town. Organization Name Complete name of your organization or an abbreviation. Organization Unit Name Complete name of your department or an abbreviation. Server Name DNS name, IP Address, or hostname of the computer. Enter the server name with a proper and resolvable domain name. This is displayed on your certificate (whether self-signed or third party issued). Local host or 127.0.0.1 should not be given. Email Address E-mail address to which the mail has to be sent.

Step 3 Click Apply to create the certificate. The process generates the following files: • server.key—Private key of the server. • server.crt—Self- signed certificate of the server. • server.pk8—Private key of the server in PKCS#8 format. • server.csr—Certificate Signing Request (CSR) file. You can use the CSR file to request a security certificate, if you want to use a third party security certificate. If the certificate is not a Self signed certificate, you cannot modify it. To return to the Cisco Prime home page, click Cancel.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-15 Chapter 2 Setting up Security Managing Security in Multi-Server Mode

Working With Third Party Security Certificates

Cisco Prime provides an option to use security certificates issued by third party certificate authorities (CAs). You may want to use this option in cases where your organizational policy prevents you from using Cisco Prime self-signed certificates or requires you to use security certificates obtained from a particular CA. You can use these certificates to enable SSL when you need secure access between LMS Server and your client browser. You can upload Third Party Security Certificates using the SSL Utility Script. See Working With Third Party Security Certificates.

Managing Security in Multi-Server Mode

Communication among peer servers that are part of a multi-server domain has to be secure. In multi-server mode the server is configured as DCR Master/Slave or Single Sign-On Master/Slave. In a multi-server scenario, secure communication between peer LMS Servers is enabled using certificates and shared secrets. You must copy certificates between the LMS Servers. You should also generate a shared secret on one server, and configure it on the other servers that need to communicate with the server. The shared secret is tied to a particular Cisco Prime user (for authorization). You can configure the following in Multi-Server mode: • Peer Server Account Setup: Helps you create users who can log into LMS Servers and perform certain tasks. These users should be set up to enable communication among multiple LMS Servers. • System Identity Setup: Enables communication among multiple LMS Servers based on a trust model addressed by Certificates and shared secrets. System Identity setup should be used to create a trust user on slave or regular servers for communication to happen in multi-server scenarios. • Peer Server Certificate Setup: Adds the certificate of another LMS Server into its trusted store. This allows LMS Servers to communicate with one another using SSL. • Single Sign-On Setup: Enables you to use your browser session to transparently navigate to multiple LMS Servers without authenticating to each server. The Current Multi-Server Settings page displays the mode of server security and the information on self signed certificate. To open the Current Multi-Server Settings page:

Step 1 Select Admin > Trust Management > Multi Server. Step 2 Click Current Multi-Server Setting in TOC. The Current Multi-Server Settings page displays the Single Sign-On details.

Administration of Cisco Prime LAN Management Solution 4.2 2-16 OL-25947-01 Chapter 2 Setting up Security Managing Security in Multi-Server Mode

This section has the following information that helps you to understand better, the features that enable secure communication between peer servers in a multi-server domain: This section contains: • Setting up Peer Server Account • Setting up System Identity Account • Setting up Peer Server Certificate • Enabling Single Sign-On

Setting up Peer Server Account

Peer Server Account Setup helps you create users who can login to LMS Servers and perform certain tasks. These users should be set up to enable communication among multiple LMS Servers. Users created using Peer Server Account Setup can authenticate processes running on remote LMS Servers. You can add a Peer Server user, edit user information and role, and delete a user. To add a Peer Server user:

Step 1 Select Admin > Trust Management > Multi Server > Peer Server Account Setup. The Peer Server Account Setup page appears. Step 2 Click Add. The Peer Server Account Setup page appears. Step 3 Enter the username in the Username field. Step 4 Enter the password in the Password field. Step 5 Re-enter the password in the Verify field. Step 6 Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.

To edit Peer Server user information:

Step 1 Select Admin > Trust Management > Multi Server > Peer Server Account Setup. Step 2 Click Edit. The Peer Server Account Setup page appears. Step 3 Enter the password in the Password field. Step 4 Re-enter the password in the Verify field. Step 5 Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-17 Chapter 2 Setting up Security Managing Security in Multi-Server Mode

To delete a Peer Server user:

Step 1 Select Admin > Trust Management > Multi Server > Peer Server Account Setup. The Peer Server Account Setup page appears. Step 2 Select the check box corresponding to the user you want to delete. Step 3 Click Delete. The confirmation dialog box appears. Step 4 Click OK to confirm. To return to the Peer Server Account Setup page without saving the changes, click Cancel.

Setting up System Identity Account

Communication between multiple LMS Servers is enabled based on a trust model addressed by certificates and shared secrets. System Identity setup helps you to create a trust user on servers that are part of a multi-server setup. This user enables communication among servers that are part of a domain. There can be only one System Identity User for each machine. The System Identity User you configure must be a Peer Server User. The System Identity User you create must be a local user with all privileges. You can either configure the System Identity User with the predefined Super Admin role or with a custom role created with all privileges. If you change the System Identity User later, you must ensure that you add the local user with all privileges in Cisco Prime. Cisco Prime installation program allows you to have the admin user configured as the default System Identity User. For the admin user to work as a System Identity User, the same password should be configured on all machines that are part of the domain, while installing Cisco Prime on the machines part of that domain. If this is done, the user admin serves the purpose of System Identity user. See Installing and Migrating to Cisco Prime LAN Management Solution 4.2 for details. If you create a System Identity User, the default System Identity User, admin, is replaced by the newly created user. While you create the System Identity User, LMS checks whether: • The user is a Local User with all privileges. If the user is not present, or if the user does not have all privileges, an error message appears. • The System Identity User is also a Peer Server User. If not, the user will be made a Peer Server User. For peer to peer communication to work in a multi-server domain, you have to configure the same System Identity User on all the machines that are part of the domain. For example, if S1, S2, S3, S4 are part of a domain, and you configure a new System Identity User, say Joe, on S1, you have to configure the same user, Joe, with the same password you specified on S1, on all the other servers, S2, S3, and S4, to enable communication between them. See Master-Slave Configuration Prerequisites and Enabling Single Sign-On to know more on the usage of this features.

Administration of Cisco Prime LAN Management Solution 4.2 2-18 OL-25947-01 Chapter 2 Setting up Security Managing Security in Multi-Server Mode

To add a System Identity user:

Step 1 Select Admin > Trust Management > Multi Server > System Identity Setup Step 2 Enter the username in the Username field. Step 3 Enter the password in the Password field. Step 4 Re-enter the password in the Verify field. Step 5 Click Apply. Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and authenticity between Master and Slave. The System Identity User password you specify in Master and Slave should be the same. We recommend that you have the same user name and password across Master and Slave.

Setting up Peer Server Certificate

You can add the certificate of another LMS Server into its trusted store. This will allow one LMS Server to communicate with another using SSL. If a LMS Server needs to communicate with another LMS Server, it must possess the certificate of the other server. You can add certificates of any number of peer LMS Servers to the trusted store of each server. You must add peer server certificates if LMS Servers are configured with Self-Signed Certificates. If the certificates have been signed by popular CAs such as Verisign, and GlobalSign. this is not compulsory. However we recommend that you add peer server certificates to avoid any possible problems with SSL communication. You can setup peer server certificates from the client browser and from a browser session on the server where LMS Server is installed. Ensure that there are no mismatches in the date and time settings between the servers. In case you find any date or time mismatch, you need to correct it before proceeding. If you change the date or time of the peer server, you must regenerate the self signed certificate of the peer server. To add peer LMS Server certificates:

Step 1 Select Admin > Trust Management > Multi Server > Peer Server Certificate Setup. The Peer Server Certificate page appears with a list of certificates imported from other servers. Step 2 Click Add. Step 3 Enter the IP address/hostname of peer LMS Server in the corresponding fields. If you specify a server name, it must be entered in DNS. Otherwise specify the IP Address. Step 4 Enter the value of the SSL (HTTPS) Port of the peer LMS Server. The default SSL(HTTPS) Port of the peer LMS Server is 443. Step 5 Click OK. To return to the Peer Server Certificate page, click Cancel.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-19 Chapter 2 Setting up Security Managing Security in Multi-Server Mode

To delete peer certificates:

Step 1 Select the check box corresponding to the certificate you want to delete. Step 2 Click Delete. The confirmation dialog box appears. Step 3 Click OK to confirm. To return to the Peer Server Certificate page, click Cancel.

You can also view the details of the client certificates. For this, select the check box corresponding to the certificate and click View.

Enabling Single Sign-On

With Single Sign-On (SSO), you can use your browser session to transparently navigate to multiple LMS Servers without authenticating to each of them. Communication among multiple LMS Servers is enabled based on a trust model addressed by Certificates and shared secrets. This section explains: • Single Sign-On Setup • Navigating Through the Single Sign-On Domain • Changing the Single Sign-On Mode

Single Sign-On Setup

The following tasks need to be done initially: • One of the LMS Servers should be set up as the Authentication Server (AS). • Trust should be built between the LMS Servers, using self signed certificates. A trusted certificate is created by adding it in the trust key store of the server. Cisco Prime TrustStore or KeyStore is maintained by the certificate management framework in LMS. • Each LMS Server should setup a shared secret with the authentication server. The System Identity user password acts as a secret key for Single Sign-On. The Single Sign-On Authentication Server is called the Master, and the Single Sign-On Regular Server (RS) is called the Slave. You must perform the following tasks if the server is configured either as Master or as Slave: • Configure the System Identity User and password in both Master and Slave. The System Identity User name and password you specify in Master and Slave should be the same. • Configure the Master Self Signed Certificate in Slave. Single Sign-On uses System Identity user password as the secret key to provide confidentiality and authenticity between Master and Slave. We recommend that you have the same user name and password for both Master and Slave. The Common Name (CN) in the certificate should match with that of the Master server name. Otherwise it would not be considered as a valid certificate.

Administration of Cisco Prime LAN Management Solution 4.2 2-20 OL-25947-01 Chapter 2 Setting up Security Managing Security in Multi-Server Mode

Single Sign-On is used only for authentication and not for authorization. In Single Sign-On, authentication always takes place from the Single Sign-On Master server (Authentication Server-AS). Hence, you need to provide the username and password as configured in Single Sign-On AS. Authorization happens at the respective servers. If Regular Server (RS) is configured for any Pluggable Authentication Module (PAM), say Active Directory (AD), and AS is configured for Local Authentication, then authentication happens as per the credentials in Local Authentication (AS) and vice versa. For example, if server A is configured as Single Sign-On Master (AS) and the AAA mode setup is Active Directory (AD) and Server B is configured as Single Sign-On Slave (RS) and the AAA mode setup is Local Authentication: When you login to server B (http://B:1741), your authentication request is forwarded to server A (AS) and you get authenticated according to the username and password configured in AD. However, authorization happens only in server B. The privileges for the logged in user in any server within the Single Sign-On domain will depend upon the user roles configured in that server. If the user is present only in the Single Sign-On Authentication Server and not in the Regular Server, then that user gets authenticated according to the credentials in the authentication server, but has only HelpDesk privileges in the Regular Server. We recommend that you: • Add the user across all servers within the Single Sign-On domain. • Assign appropriate roles to the user, in each of the LMS Servers. See Setting up System Identity Account for more information on how to set up System Identity User. Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and authenticity between Master and Slave. The System Identity User password you specify in Master and Slave should be the same. We recommend that you have the same user name and password across Master and Slave. To configure the Master Self Signed Certificate in the Slave, select Admin > Trust Management > Multi Server > Peer Server Certificate Setup. The Common Name (CN) in the certificate should match with the Master server name. Otherwise, it would not be considered as a valid certificate.

Navigating Through the Single Sign-On Domain

The Authentication Server and all Regular Servers that are configured on this Authentication Server forms an Single Sign-On domain. If you login to any of the servers that are part of the same Single Sign-On domain, you can launch any other server that is part of the domain. You can navigate through the Single Sign-On domain in two ways: • Registering Server Links • Launching a New Browser Instance

Registering Server Links You can register the links of the servers’ part of the Single Sign-On domain, in any of the servers, using the Link registration feature. The registered links will appear either under Third Party or Custom tools, depending on what you specify during registration. If you click on the registered link, it launches the page corresponding to the registered link.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-21 Chapter 2 Setting up Security Managing Security in Multi-Server Mode

You must specify the URL, with the context while registering the server link. For example, let ABC and XYZ be part of the same Single Sign-On domain. You can register the link for ABC on XYZ. While registering server ABC in XYZ, you have to specify the URL as: http://ABC:1741/cwhp/cwhp.applications.do If ABC is running in HTTPS mode, you have to specify the URL as: https://ABC:443/cwhp/cwhp.applications.do In the above example, clicking on the registered link will launch the Cisco Prime home page of server ABC.

Launching a New Browser Instance After logging into any of the servers that are part of the Single Sign-On domain, you can open a new browser instance from that server, and provide the URL of any other server of the Single Sign-On domain, to which you need to navigate.

Note We recommend that you do not use the IP address of the servers that are part of Single Sign-On or localhost, while specifying the URL.

For example, suppose ABC and XYZ are part of an Single Sign-On domain.

Step 1 Login to ABC. Step 2 Launch a new browser instance (File > New > Window, in Internet Explorer) from the same browser window. Step 3 Enter the URL, with the context (http://XYZ:1741/cwhp/cwhp.applications.do) of XYZ in the new browser instance. This launches the Cisco Prime home page of XYZ, directly.

Changing the Single Sign-On Mode

The LMS server can be configured for Single Sign-On. It can also be configured to be in Standalone mode (Normal mode, without Single Sign-On). When the server is configured for Single Sign-On, it can either be in: • Master mode—The Single Sign-On Authentication Server does the authentication and sends the result to the Regular Server. Change the Single Sign-On mode to Master, if login is required for all Single Sign-On regular servers. Login requests for all the Single Sign-On regular servers will be served from the Master. • Slave mode—Single Sign-On Regular server for which authentication is done at the Master. While logging into regular server, if the authentication server is not reachable, the following message appears: SSO unreachable

Administration of Cisco Prime LAN Management Solution 4.2 2-22 OL-25947-01 Chapter 2 Setting up Security Managing Security in Multi-Server Mode

Only one server is configured to be in the Master mode. All other servers are configured as Slaves. If the server is configured as an Single Sign-On Regular server (Slave), you should provide the following details: • Master server name The Master server name must be DNS resolvable. If you change the name of the Single Sign-On Master server, in the /etc/hosts file, you must restart the Daemon Manager for the name resolution to reflect in the Slave. If you have configured more than one Single Sign-On Slave servers for a Single Sign-On Master server, you must ensure that you enter either the fully qualified domain name or hostname of the Master consistently in all the Slave servers. Authentication will not occur if you enter a domain name of the Master in a Single Sign-On Slave and hostname of the Master in another Single Sign-On Slave of the same Master server. • Login Port of the Master (443) To change the Single Sign-On mode to Standalone:

Step 1 Select Admin > Trust Management > Multi Server > Single Sign-On Setup. The Single Sign-On Setup page shows the current Single Sign-On mode. Step 2 Select Standalone (Normal) radio button. Step 3 Click Apply. To return to the Cisco Prime home page, click Cancel.

To change the Single Sign-On mode to Master:

Step 1 Select Admin > Trust Management > Multi Server > Single Sign-On Setup. The Single Sign-On Setup page shows the current Single Sign On mode. Step 2 Select the Master (SSO Authentication Server) radio button. Step 3 Click Apply. To return to the Cisco Prime home page, click Cancel.

To change the SSO mode to Slave:

Step 1 Select Admin > Trust Management > Multi Server > Single Sign-On Setup. The Single Sign-On Setup page shows the current Single Sign-On mode. Step 2 Select the Slave (SSO Regular Server) radio button. Step 3 Enter the Master server name and port number. If you select the Slave mode, ensure that you specify the Master server name and port. The default port is 443. The server configured as Master (or Authentication Server) should be DNS resolvable.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-23 Chapter 2 Setting up Security Setting up the Authentication Mode

Step 4 Click Apply. It checks if: • The System Identity user password of the Slave matches that of the Master. • The Self Signed Certificate of the Master is added as the peer certificate in the Slave. The Common Name (CN) in the certificate matches with the Master server name. • The Master is up and running on the specified port. In case any of these checks fail, you are prompted to perform these steps before proceeding. To return to the Cisco Prime home page, click Cancel.

Setting up the Authentication Mode

Depending on your LMS Server platform (UNIX or Windows), different login modules that provide Authentication, Authorization, and Accounting services are available. This feature allows you to select login modules and set their options. The LMS Server provides mechanisms used to authenticate users for Cisco Prime applications. However, many network managers already have a means of authenticating users. To use your current authentication database for Cisco Prime authentication, you can select a login module (TACACS+, RADIUS, and others). This section contains the following topics: • Authentication Using Login Modules - Overview • Cisco Secure ACS Support for LMS Applications • Setting the Login Module to Pluggable Authentication Modules After you select and configure a login module, all authentication transactions are performed by that module. To assign a user to a different role, such as the System Admin role, you must configure the user locally. Such users must have the same user ID locally, as they have in the alternative authentication source. Users log in with the user ID and password associated with the current login module.

Authentication Using Login Modules - Overview

Cisco Prime login modules allow administrators to add new users using a source of authentication other than the native LMS Server mechanism (that is, the Local Authentication login module). This section contains: • About Cisco Prime Pluggable Authentication • Understanding Fallback Options • Debugging

Administration of Cisco Prime LAN Management Solution 4.2 2-24 OL-25947-01 Chapter 2 Setting up Security Setting up the Authentication Mode

About Cisco Prime Pluggable Authentication By default, Cisco Prime LMS uses LMS Server authentication (Local Authentication) to authenticate users, and authorize them to access Cisco Prime LMS. After authentication, your authorization is based on the privileges that have been assigned to you. A privilege is a task or an operation defined within the application. The set of privileges assigned to you, defines your role. It dictates how much, and what type of system access you have. The LMS Server authorization scheme has the following default or predefined roles. You can also create user defined roles and assign the user with a set of privileges, that would suit your needs. See Managing Roles for more information. The predefined roles are listed here in order from the least privileged to most privileged: • Help Desk — Can access network status information only. Can access persisted data on the system and cannot perform any action on a device, or schedule a job that will reach the network. • Approver — Can approve all LMS tasks. • Network Operator — Can perform all Help Desk tasks. Can perform tasks related to network data collection. Cannot perform any task that requires write access on the network. • Network Administrator — Can perform all Network Operators tasks. Can perform tasks that result in a network configuration change. • System Administrator — Can perform all Cisco Prime system administration tasks. • Super Admin — Can perform all Cisco Prime operations including administration and approval tasks. By default, this role has full privileges. The LMS Server determines user roles. Therefore, all users must be in the local database of user IDs and passwords. Users who are authenticated by an alternative service and who are not in the local database are assigned to the same role as the guest user (by default, the Help Desk role). The LMS Server determines user roles. Therefore, all users must be in the local database of user IDs and passwords. Users who are authenticated by an alternative service and who are not in the local database are assigned to the same role as the guest user (by default, the Help Desk role).

Understanding Fallback Options Fallback options allow you to access the software if the login module fails, or you accidentally lock yourself or others. There are three login module fallback options. These are available on all platforms. The following table gives you the details:

Option Description Allow all Local Authentication users to fallback to All users can access Cisco Prime using the Local the Local Authentication login. login if the current login module fails and only if PAM is unreachable.

Warning Selecting this option allows local authentication for users when the external authentication server is unreachable.

Only allow the following user to fallback to the Specified users can access Cisco Prime using the Local Authentication login if preceding login Local login if the current login module fails. Use fails: username. commas between user names. Allow no fallbacks to the Local Authentication No access is allowed if the current login module login. fails.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-25 Chapter 2 Setting up Security Setting up the Authentication Mode

Debugging Cisco Prime allows you to enable debugging on the current login module so that you have additional information in the log files that you can use for troubleshooting. Turn debugging on only when requested to do so by your customer service representative. Enabling debugging does not alter the behavior of the modules. Debugging information is not exposed in the user interface, but is stored in the stdout.log file in the following locations: • NMSROOT/MDC/tomcat/logs/stdout.log (on Solaris/Soft Appliance) • NMSROOT\MDC\tomcat\logs\stdout.log (on Windows) where NMSROOT is the Cisco Prime installation directory.

Cisco Secure ACS Support for LMS Applications

Cisco Prime LMS supports TACACS+ mode of authentication. To use this mode, you must have a Cisco Secure ACS (Access Control Server), installed on your network. LMS 4.2 supports the following versions of Cisco Secure ACS: • Cisco Secure ACS 4.2 for Windows Server • Cisco Secure ACS 5.x for Windows Server • Cisco Secure Appliance 4.2 • Cisco Secure Appliance 5.x

Note Cisco Secure ACS also supports RADIUS mode of authentication.

Setting the Login Module to Pluggable Authentication Modules

The Login Module defines how authorization and authentication are performed and how the login modules are changed. This section explains the following: • Changing Login Module to Local Authentication • Changing Login Module to Local Unix System • Changing Login Module to Local NT System • Changing Login Module to MS Active Directory • Changing Login Module to RADIUS • Changing Login Module to TACACS+ To set the login module:

Step 1 Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Step 2 The Authentication Mode Setup page displays the current login module, and the available login modules. The available login modules are:

Administration of Cisco Prime LAN Management Solution 4.2 2-26 OL-25947-01 Chapter 2 Setting up Security Setting up the Authentication Mode

• Local Authentication • Local Unix System • Local NT System • MS Active Directory • RADIUS • TACACS+

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-27 Chapter 2 Setting up Security Setting up the Authentication Mode

The login username is case sensitive when you use the following login modules: • Local Unix System • RADIUS (only on Solaris) • TACACS+ (only on Solaris) Step 3 Select a login module. Step 4 Click Change. The Login Module Options popup window appears. Step 5 Enter the corresponding login module information. See the respective login module section for login module options. Step 6 Click OK. To return to the Authentication Mode Setup page, click Cancel.

Changing Login Module to Local Authentication To change the login module to Local Authentication:

Step 1 Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Step 2 Select the Local Authentication radio button. Step 3 Click Change. The Login Module Options popup window appears. Step 4 Set the Debug option to False. Set it to True for debugging purposes, when requested by your customer service representative. Step 5 Click OK. To return to the Authentication Mode Setup page, click Cancel.

Changing Login Module to Local Unix System This option is available only on Unix systems. To change the login module to Local Unix System:

Step 1 Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Step 2 Select the Local Unix System radio button. Step 3 Click Change. The Login Module Options popup window appears with the following details:

Field Description Selected Login Module Local UNIX System. Description Cisco Prime native Solaris module.

Administration of Cisco Prime LAN Management Solution 4.2 2-28 OL-25947-01 Chapter 2 Setting up Security Setting up the Authentication Mode

Field Description Debug Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative. Login fallback options Set the option for fallback to the Local Authentication module if the alternative service fails.

Step 4 Click OK. To return to the Authentication Mode Setup page, click Cancel.

Changing Login Module to Local NT System This option is available only on Windows To change the login module to Local NT System:

Step 1 Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Step 2 Select Local NT System radio button. Step 3 Click Change. The Login Module Options popup window appears with the following details:

Field Description Selected Login Module Local NT System. Description Cisco Prime native NT login module. Debug Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative. Domain Set to localhost. Login fallback options Set the option for fallback to the Local Authentication module if the alternative service fails.

Step 4 Click OK. To return to the Authentication Mode Setup page, click Cancel.

Changing Login Module to MS Active Directory The MS Active Directory login module implements Lightweight Directory Access Protocol (LDAP). Before a user logs in, the user account should be set up in the LDAP server. When you change the login module to MS Active Directory, you should configure any one of the following options to integrate LMS Server with Active Directory server for authentication services: • Distinguished Name (DN) A distinguished name is made up of three parts, Relative Distinguished Name Prefix (RDN-Prefix), User login, and Usersroot.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-29 Chapter 2 Setting up Security Setting up the Authentication Mode

You have to configure RDN-Prefix and Usersroot in Cisco Prime. The login name is appended to RDN-Prefix when the user logs into Cisco Prime. For example, a distinguished name could be represented as: cn=User_Name ou=org1 dc=embu dc=cisco. The RDN Prefix is cn=, User login is User_Name, and Usersroot is ou=org1 dc=embu, dc=cisco. A Distinguished Name is composed of cn (any numbers), ou (any numbers) and dc (any numbers). You can specify more than one usersroot value. Each usersroot value should be separated by a semicolon. • User Principal Name (UPN) User principal name is composed of two parts, User login and User Principal Name Suffix (UPN-Suffix). The User Principal Name suffix configured in Cisco Prime is appended to the login name when the user logs into Cisco Prime. The second part of the UPN, the UPN suffix, identifies the domain in which the user account is located. This UPN suffix can be the DNS name of any domain, or it can be an alternative name created by an administrator and used just for log in purposes. For example, a User Principal Name could be represented as [email protected], where user1 is the login name and @mydept.mycompany.com represents the UPN-Suffix. • Domain name You should configure the Active Directory domain name in Cisco Prime that contains a set of users which needs to be integrated, for a domain based authentication. For example, if you want the users of MyDomain domain in MS Active Directory server to be authenticated in LMS Server, you should specify MyDomain in this field. Each domain also has a pre-Windows 2000 domain name for use by computers running operating systems released earlier than Windows 2000 operating systems. Similarly each user account has a pre-Windows 2000 user login name. The user account in the DomainName\UserName format used to log into the operating systems released earlier than Windows 2000 operating systems is called Security Account Manager (SAM) account. You can also configure SAM account in the LDAP server and enter the same name in Cisco Prime when you change the login module to Microsoft Active Directory. When the Distinguished Name based authentication to Active Directory server fails, Cisco Prime attempts to authenticate the Active Directory server using the User Principal Name string. When both the Distinguished Name based authentication and the User Principal Name based authentication fails, LMS Server tries to authenticate using the Domain name. To change login module to MS Active Directory:

Step 1 Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Step 2 Select MS Active Directory radio button. Step 3 Click Change.

Administration of Cisco Prime LAN Management Solution 4.2 2-30 OL-25947-01 Chapter 2 Setting up Security Setting up the Authentication Mode

The Login Module Options popup window appears with the following details:

Field Description Selected Login Module Name of the login module (MS Active Directory) you have selected in the Authentication Mode setup page. Description Brief description about the login module you have selected. For the MS Active Directory login module, the description displayed is Cisco Prime MS Active Directory module. Server Name of the LDAP server. Default set to ldap://ldap.company.com. Usersroot User objects in MS Active Directory. Default set to cn=users, dc=servername, dc=company, dc=com. For example, if users in the Active Directory have ou=myDept, dc=myCompany, dc=com in their Distinguished Name (DN) strings, you should specify the same in this field to integrate the LMS Server with the MS Active Directory server. You can also enter multiple usersroot values separated by semicolon. For example, you can enter ou=myDept, dc=myCompany, dc=com; ou=Dept1, ou=Dept2, dc=myCompany, dc=com. When you integrate your LMS Server with MS Active server, you should configure this field for a Distinguished Name based authentication. If you are using Windows 2008 Active Directory, you have to provide the complete Usersroot information (including cn=Username). This is because Windows 2008 Active Directory implementation has disabled anonymous search requests. Otherwise, if your Active Directory Server allows anonymous binds, you need to specify only dc=servername, dc=company, dc=com. RDN-Prefix String prefixed with login username to form a Relative Distinguished Name (RDN). Default is set to cn=. For example when you have configured this field as cn= and log into the server as MyUser, the RDN formed is cn=MyUser. When you integrate your LMS Server with MS Active server, you must configure this field for a Distinguished Name based authentication. UPN-Suffix String suffixed with login username, usually the domain in which the user account is located to form a User Principal name. You should configure this field for a UPN based authentication. For example, if the UPN of Active Directory users who need to be integrated with Cisco Prime are [email protected], [email protected], and [email protected], you should mention @mydept.mycompany.com in this field.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-31 Chapter 2 Setting up Security Setting up the Authentication Mode

Field Description AD-Domain Active Directory domain. You should configure this field for a domain based authentication. Users of the specified domain in MS Active Directory server are authenticated when you integrate the LMS Server with MS Active Directory server. Debug Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative. Login fallback options Set the option for fallback to the Local Authentication module if the alternative service fails. You can set any of the following options: • Allow all Local Authentication users to fallback to the Local Authentication login. • Allow only the specified users to fallback to the Local Authentication login. When you select this option, you should enter one or more Local Authentication usernames separated by commas. This is the default login fallback option. • Do not allow any fallback to the Local Authentication login.

Note Important configuration guidelines are listed below: • You must enter a value for at least one of the fields: Usersroot, UPN-Suffix, and AD-Domain. You cannot leave all the three fields blank. • To allow only particular group of users to log into LMS, do not configure UPN-Suffix, and AD-Domain.

Step 4 Click OK. To return to the Authentication Mode Setup page, click Cancel.

After the integration of LMS Server with MS Active Directory server, you can log into LMS Server with an Active Directory username and the corresponding password. MS Active Directory server provides authentication services to LMS Server by the default simple authentication mechanism. To provide a secure authentication mechanism with DIGEST-MD5 to LMS Server, you should:

Step 1 Edit the Account Options of a user in the MS Active Directory Server and enable the Store password using reversible encryption option. Step 2 Reset the password of the user to authenticate properly. Step 3 Configure the cam.properties file in LMS Server located at NMSRoot/lib/classpath, where NMSRoot is your Cisco Prime Installation directory. You must change the following line in the cam.properties file from:

Administration of Cisco Prime LAN Management Solution 4.2 2-32 OL-25947-01 Chapter 2 Setting up Security Setting up the Authentication Mode

#LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5 to LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5 If you want the secure authentication mechanism to fallback to simple authentication mechanism, you must configure the LDAP_FALLBACK_AUTHENTICATION_NEED property. You must change the following line in the cam.properties file from: #LDAP_FALLBACK_AUTHENTICATION_NEED=True to LDAP_FALLBACK_AUTHENTICATION_NEED=True Step 4 Save the changes to the cam.properties file.

Note You need not restart the Daemon Manager.

Digest-MD5 authentication supports only User Principal Name and Security Account Manager user accounts. You cannot log into LMS Server with the User login name. Active Directory users who are logged into Cisco Prime, have the privileges of a Help Desk role. To assign other privileges to Active Directory users, you must set up a user in Cisco Prime with the same name. For example, to assign the System Administrator privileges to a MS Active Directory users User1 and User2 in Cisco Prime, you must set up User1 and User2 in Cisco Prime and assign System Administrator role to them. When the users log into Cisco Prime, they also have the System Administrator privileges.

Changing Login Module to RADIUS To change login module to RADIUS:

Step 1 Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Step 2 Select the RADIUS radio button.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-33 Chapter 2 Setting up Security Setting up the Authentication Mode

Step 3 Click Change. The Login Module Options popup window appears with the following details:

Field Description Selected Login Module RADIUS. Description Cisco Prime RADIUS module. Server Set to module type servername, radius.company.com. Port Set to 1645. Attempt to override it only if your authentication server was configured with a non-default port. Key Enter the secret key. Debug Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative. Login fallback options Set the option for fallback to the Local Authentication module if the alternative service fails.

Step 4 Click OK. To return to the Authentication Mode Setup page, click Cancel.

Changing Login Module to TACACS+ To change login module to TACACS+:

Step 1 Select Admin > System > Authentication Mode Setup. The Authentication Mode Setup page appears. Step 2 Select TACACS+ radio button. Step 3 Click Change. The Login Module Options popup window appears with the following details:

Field Description Selected Login Module TACACS+. Description Cisco Prime TACACS+ login module. Server Set to module type tacacs.company.com Port Set to 49. The listed port number is the default for this protocol. Attempt to override it only if your authentication server was configured with a non-default port. Secondary Server Set to module type tacacs.company.com. This is the secondary fallback server. Secondary Port Set to 49. The listed port number is the default for this protocol. Attempt to override it only if your authentication server was configured with a non-default port.

Administration of Cisco Prime LAN Management Solution 4.2 2-34 OL-25947-01 Chapter 2 Setting up Security Setting up the Authentication Mode

Field Description Tertiary Server Set to module type tacacs.company.com. This is the tertiary fallback server. Tertiary Port Set to 49. The listed port number is the default for this protocol. Attempt to override it only if your authentication server was configured with a non-default port. Key Enter the secret key. Debug Set to False, by default. Set to True for debugging purposes, when requested by your customer service representative. Login fallback options Set the option for fallback to the Local Authentication module if the alternative service fails.

Note The values True or False should not be entered in the Server, Secondary Server and Tertiary Server fields, the corresponding Port fields or the Key field.

Step 4 Click OK. To return to the Authentication Mode Setup page, click Cancel.

After you change the login module, you do not have to restart Cisco Prime. The user who logs in after the change, automatically uses the new module. Changes to the login module are logged in the following files: • NMSROOT/MDC/Tomcat/logs/stdout.log (On Solaris/Soft Appliance) • NMSROOT\MDC\Tomcat\logs\stdout.log (On Windows) where NMSROOT is your Cisco Prime Installation directory.

Resetting Login Module

To reset the login module of LMS Server to Local Authentication:

Step 1 Stop the Daemon Manager using: • net stop crmdmgtd (On Windows) or • /etc/init.d/dmgtd stop (On Solaris/Soft Appliance) Step 2 Run the following script: • NMSROOT\bin\perl NMSROOT\bin\ResetLoginModule.pl (On Windows) or • NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl (On Solaris/Soft Appliance) where NMSROOT is your Cisco Prime Installation directory.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-35 Chapter 2 Setting up Security Managing Roles

Step 3 Start the Daemon Manager using: • net start crmdmgtd (On Windows) or • /etc/init.d/dmgtd start (On Solaris/Soft Appliance) This resets the login module to Local Authentication mode. Step 4 Enter a username in the User ID field. Step 5 Enter the corresponding password in the Password field. Step 6 Click Login or press Enter. You are now logged into LMS Server.

Managing Roles

After authentication, your authorization is based on the privileges that have been assigned to you. A privilege is a task or an operation defined within the application. The set of privileges assigned to you, defines your role. The LMS authorization scheme provides you with the following system-defined roles. • Help Desk — Can access network status information only. Can access persisted data on the system and cannot perform any action on a device or schedule a job which will reach the network. • Approver — Can approve all tasks. • Network Operator — Can perform all Help Desk tasks. Can perform tasks related to network data collection. Cannot perform any task that requires write access on the network. • Network Administrator — Can perform all Network Operators tasks. Can perform tasks that result in a network configuration change. • System Administrator — Can perform all Cisco Prime system administration tasks. • Super Admin — Can perform all Cisco Prime operations including the administration and approval tasks. This role has full privileges. You can select a role and set it as the default role. After installing LMS 4.2, Help Desk will be the default role. If you do not want to use the system-defined roles, you can create custom roles and associate tasks to them. You can also remove all the custom roles and retain only the predefined roles using a CLI tool, see, Removing Custom Roles Using CLI. To manage roles:

Step 1 Select Admin > System > User Management > Role Management Setup. The Role Management Setup Page appears with the available roles, their descriptions, and the default role.

Note You cannot edit, delete, or export system-defined roles.

Administration of Cisco Prime LAN Management Solution 4.2 2-36 OL-25947-01 Chapter 2 Setting up Security Managing Roles

Step 2 You can do the following:

Button Description Add Click Add to add user-defined roles. The Role Management Page appears. To add a role: 1. Enter the role name and description. 2. Select the tasks that have to be assigned to the new role. The task can be identified using the search option. The search uses the task name and the task description to perform a complete search. The search results and All tab contents are synchronized. Any selections made on search results will reflected in all tab. For more details see Searching LMS Tasks. 3. Click OK to add the new role or click Cancel to return to the Role Management Setup Page. For more information on the various tasks in LMS 4.2, see Understanding LMS Tasks. Edit Select a user-defined role and click Edit to edit the role. The Role Management Page appears. To edit a role: 1. Modify the role description if required. 2. Select or deselect the check box corresponding to the required tasks. 3. Click OK to save the changes, or click Cancel to return to the Role Management Setup Page. Delete To delete a role: 1. Select one or more user-defined roles and click Delete to delete the roles. 2. Click OK to confirm or Cancel to return to the Role Management Setup Page. If the deleted role is assigned to any user, then it will remove the association of this role with the user. Copy You can use this option to modify a system-defined role. To copy a role: 1. Select a role from the roles and click Copy. The Role Management Page appears. 2. Enter the role name and description. 3. Select or deselect the check box corresponding to the tasks. 4. Click OK to add the new role, or click Cancel to return to the Role Management Setup Page. Export You can export roles only in the XML format. The file will be saved in the client. To export roles: Select the user-defined roles that you want to export and click Export. A message appears prompting you to open or save the LMSRoleExport.xml file.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-37 Chapter 2 Setting up Security Managing Roles

Button Description Import You can import roles only in the XML format. To import roles: 1. Click Import. 2. Click Browse and select a file from the client. 3. Specify if you want to to overwrite, merge or backup the existing roles when you import roles: 4. Click Submit to import the roles or Cancel to return to the Role Management Setup Page. You can choose to: • Overwrite—Roles with the same names will be overwritten. • Merge—Roles with the same names will be updated with details of the existing role and details of the imported role. • Backup—Roles with the same names will be overwritten. The existing role will be renamed as CopyOf. Set as Default Default role will be assigned to users who: • Do not have any role assigned to them. • Have logged in using an external authentication server, like PAM, and are not available in the local database. When multiple roles are set as default role, the user will be assigned with all the roles selected as default roles. If there is no default role configured, then authorization will fail for users who: • Do not have any role assigned to them. • Have logged in using an external authentication server, like PAM, and are not available in the local database. To set a default role: 1. Select a role from the roles listed in the Role Management Setup Page. 2. Click Set as Default. The selected roles will be the default roles. Clear Default Click Clear Default to clear the default role. After you clear the default role, authorization will fail for any user assigned without this role.

Note After adding roles you must assign one or more roles to your users, select Admin > System > User Management > Local User Setup.

Searching LMS Tasks To search the LMS tasks,

Step 1 Specify the exact task name or the first few characters of the task name in the search text box and click the search icon. The task name is case-insensitive. For example enter admin or *admin or admin* or *change* in the search text box.

Administration of Cisco Prime LAN Management Solution 4.2 2-38 OL-25947-01 Chapter 2 Setting up Security Managing Cisco.com Connection

• admin – will search for the task and task description that contains the exact term admin. • *admin – will search for the task and task description that ends with the term admin either in task name or description. • admin* – will search for the task and task description that begins with the term admin either in task name or description. • *change* – will search for the task and task description that contains the term change. If there are no search results generated, then a pop-up window appears.

Note You are not allowed to use any other wildcard character apart from *.

Step 2 Click the Search Results tab to see the corresponding search result. In the All tab, the task tree will be in a collapsed state, whereas in the Search Results tab, the task tree will be in the expanded state. You will note that when you select or unselect a particular set of tasks in the Search Results tab, the same set of tasks will be automatically selected or unselected in the All tab.

Removing Custom Roles Using CLI You can use a CLI tool to remove all the user-defined roles and retain only the system-defined roles. To do this: On Windows, run: NMSRoot\bin\ResetToFactoryRole.pl On Solaris/Soft Appliance, run: NMSRoot/bin/ResetToFactoryRole.pl

Managing Cisco.com Connection

Certain Software Center features require Cisco.com access. This means that Cisco Prime must be configured with a Cisco.com account, which is to be used when downloading new and updated packages. This section explains: • Setting up Cisco.com User Account • Setting Up the Proxy Server To view the Cisco.com Connection Details, select Admin > System > Cisco.com Settings > Connection Management. The Cisco.com Connection Management page displays the current Proxy Server settings.

Setting up Cisco.com User Account

This feature lets you add and modify Cisco.com user login names and password. To set up Cisco.com login account:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 2-39 Chapter 2 Setting up Security Support Settings

Step 1 Select Admin > System > Cisco.com Settings. Step 2 Click User Account Setup in the TOC list. The User Account Setup page appears. Step 3 Enter your Cisco.com Username, and Cisco.com Password. Step 4 Re-enter the password in the Verify Password field. Step 5 Click Apply.

Setting Up the Proxy Server

You can update the proxy server configuration using the Proxy Server set up option. To update your proxy server configuration:

Step 1 Select Admin > System > Cisco.com Settings. Step 2 Click Proxy Server Setup in the TOC list. The Proxy Server Setup page appears. Step 3 Enter the Proxy Server host name or IP address, and the port number. Optionally, you can enter the Username and Password for accessing the proxy server. If you have entered your password, re-enter the same password in the Verify Password field. Step 4 Click Apply.

Support Settings

From LMS 4.2.2, Cisco Prime LAN Management Solution will support the Support Settings feature to allow user to set the following two types of interactions: • Enabling interactions directly from the LMS server • Enabling interactions only through client system For more information on creating a new service request and updating an existing service request, see Creating/Updating Support Case section in Getting Started with Cisco Prime LAN Management Solution 4.2.

Administration of Cisco Prime LAN Management Solution 4.2 2-40 OL-25947-01

CHAPTER 3

Administering LMS Server

LMS includes several administrative features to ensure that the server is performing properly. You can manage processes, set up backup parameters, update licensing information, collect server information, manage jobs and resources, and configure system-wide information on the LMS Server. • Using Daemon Manager • Managing Processes • Backing Up Data • Backup for Cisco Prime Infrastructure • Licensing Cisco Prime LMS • Compliane and Audit Manager (CAAM) Server License This chapter has the following information: • Using Daemon Manager • Managing Processes • Backing Up Data • Licensing Cisco Prime LMS • Configuring a Default SMTP Server • Collecting Server Information • Collecting Self Test Information • Messaging Online Users • Managing Resources • Collecting Server Information • Collecting Self Test Information • Messaging Online Users • Managing Resources • Modifying System Preferences • Configuring Log Files Rotation • Modifying System Preferences • Configuring Disk Space Threshold Limit • Effects of Third Party Backup Utility and Virus Scanner

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-1 Chapter 3 Administering LMS Server Using Daemon Manager

• Configuring TFTP • Cisco Prime Integration Application Settings

Using Daemon Manager

The Daemon Manager provides the following services: • Maintains the startup dependencies among processes. • Starts and stops processes based on their dependency relationships. • Restarts processes if an abnormal termination is detected. • Monitors the status of processes. The Daemon Manager is useful to applications that have long-running processes that must be monitored and restarted, if necessary. It is also used to start processes in a dependency sequence, and to start transient jobs. Do not start the Daemon Manager immediately after you stop it. The ports used by the Daemon Manager will be in use for some time after the Daemon Manager is stopped. Wait for at least a minute before you start the Daemon Manager. If the System resources are less than the resources required to install the application, the Daemon Manager restart displays warning messages that are logged into dmgtd.log. You cannot start the Daemon Manager if there are non-SSL compliant applications installed on the server when SSL is enabled in LMS.

Restarting Daemon Manager on Solaris/Soft Appliance To restart Daemon Manager on Solaris/Soft Appliance:

Step 1 Log in as root. Step 2 Enter /etc/init.d/dmgtd stop to stop the Daemon Manager. Step 3 Enter /etc/init.d/dmgtd start to start the Daemon Manager.

Restarting Daemon Manager on Windows To restart Daemon Manager on Windows:

Step 1 Go to the command prompt. Step 2 Enter net stop crmdmgtd to stop the Daemon Manager. Step 3 Enter net start crmdmgtd to start the Daemon Manager.

Do not start the Daemon Manager immediately after you stop it. The ports used by Daemon Manager will be in use for some more time even after the Daemon Manager is stopped. Wait for at least one minute before you start the Daemon Manager. If the System resources are less than the required resources to install the application, Daemon Manager restart displays warning messages that are logged into syslog.log.

Administration of Cisco Prime LAN Management Solution 4.2 3-2 OL-25947-01 Chapter 3 Administering LMS Server Managing Processes

Managing Processes

Cisco Prime applications use back-end processes to manage application-specific activities or jobs. The process management tools enable you to manage these backend processes to optimize or troubleshoot the LMS Server. You can do the following activities: • View the details of all processes • Filter and show only processes of a specific state • Start the processes • Stop the processes All mandatory processes are started when you start the system. See LMS Back-end Processes for a list of Cisco Prime back-end processes used by LMS. You can manage the Cisco Prime processes through CLI. See Managing Processes Through CLI for more information.

Note Your role and privileges determine whether you can use this option.

This section contains the following: • Process States • Viewing Process Details • Viewing Processes of a Specific State • Starting a Process • Stopping a Process

Process States The state of the Cisco Prime backend processes fall under either one of the following categories:

State Description Running normally Processes are started and are running normally. Sometimes, you find the state of a few processes as follows: Program started - No mgt msgs received This indicates that the processes are started automatically at boot and are running normally. Never started Processes that cannot start automatically and are to be started by operator or administrator. Failed to run Processes that failed to start because of an error in the system. Administratively Processes that are stopped by the system or by the administrator. shutdown

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-3 Chapter 3 Administering LMS Server Managing Processes

State Description Transient Terminated Terminated transient processes. Processes that are created or started by Daemon Manager whenever required are called transient processes. Waiting to Initialize Processes that are yet to run normally and are in initialization phase.

Viewing Process Details To view Process details:

Step 1 Select Admin > System > Server Monitoring > Processes. The Process Management page appears with all Cisco Prime processes listed. You can see the following information of a Cisco Prime process in the Process Management window:

Column Description ProcessName Name of the process. Describes how the process is registered. See LMS Back-end Processes for more information on process description. For information on suite-specific processes, see the relevant Online help. You cannot view the details of Apache and Tomcat processes or restart them from the user interface. But you can view the details of these processes in Process Status report (Reports > System > Status > Process). ProcessState Process status and a summary of the log file entries for the process. If the process fails, this column is highlighted in red. ProcessId Unique number by which the operating system identifies each running program. ProcessRC Return code. 0 represents normal program operation. Any other number represents an error. See the error log for details. ProcessSigNo Signal number. 0 represents normal program operation. Any other number is the last signal delivered to the program before it terminated. ProcessStartTime Time and date on which the process was started. ProcessStopTime Time and date on which the process was stopped.

Step 2 Click the ProcessName link of a process to view its details. The Process Details popup window appears with the following information:

Column Description Process Name of the process. Path File Location. Flags Flags used to register the process with the Daemon Manager. Startup Method used to start the process (manual or automatic). Dependencies Other processes that are running, and that are required for this process to run.

Administration of Cisco Prime LAN Management Solution 4.2 3-4 OL-25947-01 Chapter 3 Administering LMS Server Managing Processes

Step 3 Click OK.

You can click the Refresh icon on the top-right corner of the page to initiate a page refresh and view the updated information of the processes.

Viewing Processes of a Specific State To view processes of a specific state:

Step 1 Select Admin > System > Server Monitoring > Processes. The Process Management page appears. Step 2 Select a process state from the Show Only process state. You can select any one of the following process states: • Never started • Waiting to initialize • Running normally • Failed to run • Transient terminated • Administrator has shut down this server • Program started — No mgt msgs received See Process States for description of each of these process states. The details of processes of the selected state appears.

Starting a Process To start a process:

Step 1 Select Admin > System > Server Monitoring > Processes. The Process Management page appears. Step 2 Select the check box corresponding to the process. Step 3 Click Start.

Stopping a Process To stop a process:

Step 1 Select Admin > System > Server Monitoring > Processes. The Process Management page appears. Step 2 Select the check box corresponding to the process.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-5 Chapter 3 Administering LMS Server Managing Processes

Step 3 Click Stop.

LMS Back-end Processes

The back-end processes in the LMS Server are required to manage application specific activities and jobs. Table 3-1 lists the back-end processes in LMS Server, their description and dependent processes. In LMS 4.2, Compliance and Audit Manager (CAAM) Server is added as a new back-end process. Log files for most of the processes are located in the following locations: • On Solaris/Soft Appliance—var/adm/CSCOpx/log • On Windows—NMSROOT\log, where NMSROOT is your Cisco Prime default installation directory. You can also manage the Cisco Prime processes through CLI. You can perform the following activities through CLI: • Viewing Process Details Through CLI • Viewing Brief Details of Processes • Viewing Processes Statistics • Starting a Process • Stopping a Process This section contains: • Server Back-end Processes • Inventory, Config and Image Management Processes • Network Topology, Layer 2 Services and User Tracking Processes • IPSLA Performance Management Processes and Dependency Processes • Device Performance Management Module Processes • Fault Management Processes

Server Back-end Processes

Table 3-1 lists the LMS 4.2 Server Back-end processes and their dependency processes.

Administration of Cisco Prime LAN Management Solution 4.2 3-6 OL-25947-01 Chapter 3 Administering LMS Server Managing Processes

Table 3-1 Cisco Prime LMS 4.2 Server Back-end Processes and their Descriptions

Normal Process Dependent Pro- Process Name Description State cess Log Files Apache Apache web server used on both UNIX Program started - TomcatMonitor NMSRoot\MDC\ and Windows systems. This hosts the No mgt msgs Apache\logs base Cisco Prime home page and all received (On Windows) major applications. /opt/CSCOpx/MDC/ You cannot view the details of this Apache/logs process or restart this process from the (On Solaris/Soft Ap- user interface (from Process Manage- pliance) ment page).

CmfDbEngine Sybase database instance used by the Program started - None NMSRoot/MDC/log/ base Cisco Prime framework. No mgt msgs daemons.log received (On Solaris/Soft Appliance only) CmfDbMonitor Monitors the CmfDbEngine process and Running CmfDbEngine NMSRoot\log\ periodically checks for connectivity and normally CmfDbMonitor.log SQL errors. (On Windows) /var/adm/CSCOpx/log /CmfDbMonitor.log (On Solaris/Soft Ap- pliance) CMFOGSServer Device grouping service in CS that Program started - CmfDbMonitor, NMSRoot\log\ provides grouping capability based on No mgt msgs EssMonitor, CMFOGSServer.log device attributes stored in DCRServer. received DCRServer (On Windows) /var/adm/CSCOpx/log /CMFOGSServer.log (On Solaris/Soft Ap- pliance) CSDiscovery Transient process created by Daemon Transient Termi- — NMSRoot\log\ Manager. This process initiates Device nated CSDiscovery.log Discovery. (On Windows) /var/adm/CSCOpx/log /CSDiscovery.log (On Solaris/Soft Ap- pliance)

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-7 Chapter 3 Administering LMS Server Managing Processes

Table 3-1 Cisco Prime LMS 4.2 Server Back-end Processes and their Descriptions

Normal Process Dependent Pro- Process Name Description State cess Log Files CSRegistryServer Registry Server for other CS processes Running — NMSRoot\log\ such as DCRServer and CMFOGSServer normally CSRegistryServer.log and provides the backbone for inter-pro- (On Windows) cess communication for DCRServer and /var/adm/CSCOpx/log CMFOGSServer. /daemons.log Sometimes, the Tomcat process may start (On Solaris/Soft Ap- this process. In such cases, the process pliance) status is displayed as follows: Administrator has shut down this server You can ignore this error message. DCRServer Device List and Credential Repository Running TomcatMonitor, NMSRoot\log\ Server that provides the repository for normally CmfDbMonitor, DCRServer.log shared device list and credentials to be EssMonitor (On Windows) used across applications. /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Ap- pliance) DCRDevicePoll Transient process created by Daemon Transient Termi- — NMSRoot\log\ Manager. This process initiates Device nated DCRDevicePoll.log Polling. (On Windows) /var/adm/CSCOpx/log /DCRDevicePoll.log (On Solaris/Soft Ap- pliance) diskWatcher Monitors disk space availability on the Running — NMSRoot\log\ LMS Server. normally diskWatcher.log (On Windows) See Configuring Disk Space Threshold Limit for more information. /var/adm/CSCOpx/log /diskWatcher.log (On Solaris/Soft Ap- pliance) EDS Legacy Event Distribution engine. This Running NameService- NMSRoot\log\ is currently used by some applications to normally Monitor EDS.log send and receive event messages. (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Ap- pliance)

Administration of Cisco Prime LAN Management Solution 4.2 3-8 OL-25947-01 Chapter 3 Administering LMS Server Managing Processes

Table 3-1 Cisco Prime LMS 4.2 Server Back-end Processes and their Descriptions

Normal Process Dependent Pro- Process Name Description State cess Log Files EDS-GCF EDS - Generic Consumer Framework Running EDS, CmfDb- NMSRoot\log\ process. It is an extension to EDS that normally Monitor EDS-GCF.log allows Generic Event Consumers to (On Windows) provide a pluggable event interface. /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Ap- pliance) ESS Event Services Software. The new Program started - — NMSRoot\log\ESS.log engine that handles distribution of events No mgt msgs (On Windows) between processes. This is slated to received /var/adm/CSCOpx/log eventually replace EDS. /daemons.log (On Solaris/Soft Ap- pliance) EssMonitor Monitors ESS process to check if events Running ESS NMSRoot\log\ related functionality works properly. normally EssMonitor.log This process shuts down automatically (On Windows) when the ESS process fails or does not /var/adm/CSCOpx/log function properly. /daemons.log (On Solaris/Soft Ap- pliance) EventFramework Event management bus, LMS uses this to Program started - EssMonitor No log files facilitate event transmissions between No mgt msgs daemons. received FDRewinder Enables the rotation of log files function- Never started — /var/adm/CSCOpx/log ality using logrot. /daemons.log (Solaris/Soft (On Solaris/Soft Ap- Appliance Only) pliance) jrm Job and Resource Manager. This allows Program started - CmfDbMonitor, NMSRoot\log\ scheduling of jobs to be run at specific No mgt msgs NameService- jrm.log times. It also allows locking and received Monitor, EDS, Es- (On Windows) unlocking of resources. sMonitor /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Ap- pliance) LicenseServer Provides Licensing functionality for Program started - — NMSRoot\log\ evaluation and file based licensing mech- No mgt msgs LicenseServer.log anisms. received (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Ap- pliance)

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-9 Chapter 3 Administering LMS Server Managing Processes

Table 3-1 Cisco Prime LMS 4.2 Server Back-end Processes and their Descriptions

Normal Process Dependent Pro- Process Name Description State cess Log Files NameService- Name Service agent that monitors Running NameServer NMSRoot\log\ Monitor objects and messages and acts as a Normally NameServiceMoni- gateway between the JacORB clients and tor.log the Name Server. (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Ap- pliance) NameServer Object Request Broker for the JacORB Program started - — NMSRoot\log\ framework used in Cisco Prime. No mgt msgs NameServer.log received (On Windows) /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Ap- pliance) Tomcat Java servlet engine used on Windows, Program started - — NMSRoot\MDC\ Solaris and Soft Appliance systems No mgt msgs tomcat\logs\stdout.log hosting applications based on the Cisco received (On Windows) Prime desktop. /opt/CSCOpx/MDC/ You cannot view the details of this tomcat/logs/std- process or restart this process from the out.log(On user interface (from Process Manage- Solaris/Soft Appli- ment page). ance) TomcatMonitor Monitors the health of the Tomcat Running Tomcat NMSRoot\log\ process and shuts down automatically normally TomcatMonitor.log when Tomcat fails or does not function (On Windows) properly. /var/adm/CSCOpx/log /daemons.log (On Solaris/Soft Ap- pliance)

Administration of Cisco Prime LAN Management Solution 4.2 3-10 OL-25947-01 Chapter 3 Administering LMS Server Managing Processes

Inventory, Config and Image Management Processes

Table 3-2 lists Inventory, Config and Image Management processes, and their dependency processes.

Table 3-2 Inventory, Config and Image Management Processes and Dependency Processes

Dependency Process Name (Sequential) Log Information Description RMEDbEngine None NA System service: the database engine for Inventory, Config and Image Management applications. ConfigMgmtServer EssentialsDM dcmaservice.log Configuration Management service performs the following tasks, • Collects the configuration for the LMS managed devices on request from jobs or user Interface. • Archives new version if there is a difference between the fetched configuration and the latest configuration in archive. • Parses the configuration based on configlet rules and generates differences between the configurations. • Logs change record for every new version of archived running configuration. • Detects config changes on the device and triggers configuration collection • Caches the device and NetConfig template mapping information. • Populates the database with NetShow system-defined command sets and NetShow commands by retaining them from device packages. ConfigUtilityService EssentialsDM cfgutilservice.log ConfigUtilityService parses the archived configurations of the devices for assessing the technology readiness of the devices. It does config and CLI parsing. ConfigUtilService also performs OGS grouping attributes updates at the end of Inventory collection. SyslogCollector ESS SyslogCollector.log Filters and sends the syslog objects to various SyslogAnalyzer services subscribed to it.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-11 Chapter 3 Administering LMS Server Managing Processes

Table 3-2 Inventory, Config and Image Management Processes and Dependency Processes (continued)

Dependency Process Name (Sequential) Log Information Description EssentialsDM ESS EssentialsDM_Server.log It publishes a dummy Common Services Transport Mechanism (CSTM) service name to DCRServer synchronize publishing of service names with LMSDbEngine CSTM. All other LMS services that publish service names with CSTM are made dependant on this service either directly or indirectly. After adding devices to LMS, this service triggers for Inventory and Configuration collection. System service that monitors the accessibility of the LMS database engine that helps to ensure that the system is not started until the database engine is ready. EnergyWise EssentialsDM ICServer EnergyWise.log EnergyWise process provides services for: EnergyWiseUI.log • EnergyWise endpoint and device collection EnergyWiseConfiguratio • EnergyWise monitoring n.log • EnergyWise compliance check EnergyWiseMonitoring.l • Auto-push of EnergyWise policies on the og devices. EnergyWiseCollection.lo g EnergyWiseNative.log EnergyWiseComplianceC heck.log EnergyWiseNativeCompl iance.log EnergyWise_Purge.log EnergyWiseNativePolicy. log CTMJrmServer EssentialsDM CTMJrmServer.log This service is a proxy to the JRM service. This jrm is used by LMS to connect to the JRM service. It hides all the direct interaction with JRM. Tomcat ChangeAudit EssentialsDM ChangeAudit.log Change Audit program that provides back-end database services for applications that want to CTMJrmServer log network changes and for Change Audit jrm reports and Automated actions

Administration of Cisco Prime LAN Management Solution 4.2 3-12 OL-25947-01 Chapter 3 Administering LMS Server Managing Processes

Table 3-2 Inventory, Config and Image Management Processes and Dependency Processes (continued)

Dependency Process Name (Sequential) Log Information Description ICServer ESS IC_Server.log This is a service that collects and stores Inventory information from the device using CTMJrmServer SNMP. It also detects changes that occurred between the last time Inventory was collected for a device, and the current Inventory collection. SyslogAnalyzer ESS SyslogAnalyzer.log for It takes the filter definition from the user and Windows sends it to the various Syslog Collectors it is EssentialsDM subscribed to. AnalyzerDebug.log for CTMJrmServer Solaris/Soft Appliance Receives the syslogs from the Syslog collector jrm and inserts them into the database and also takes automated actions from the user. PMCOGSServer LMSOGSServer PMCOGSServer.log Port and Module group administration service. This is used for managing Port and Module groups. ANIDbEngine None None System service: Database engine for Topology and Identity Services. ANIServer EDS ani.log System service: Collects device information for ANIDbEngine Topology and Identity Services. MACUHIC EssMonitor macuhic.log System service: Receives and processes SNMP traps for Dynamic UT ANIDbEngine UTLITE EssMonitor utlite.log System service: Receives and processes the ANIDbEngine UTLITE data UTMajorAcquisition ANIServer ut.log UTMajor Acquisition is a transient process. System service: Collects end hosts information. UTManager EssMonitor utm.log System service: Queries external system for Dynamic UT ANIDbEngine DCRServer VNMServer ANIDbEngine Vnmserver.log System service: Handles VRF Lite Services like configuration, VRF Lite collector job scheduling WlseUHIC ANIDbEngine wlseuhic.log System service: Collects information from Wlse Device Compliance and Essentials DM caam_server.log The Compliance and Audit Manager server collects information from the Inventory and Audit Manager cammserverui.log (CAAM) Server Configuration management servers and stores caamservercollection.log the details in a database.

If you stop or restart any of these processes you must stop and restart their dependency processes. See Table 3-2 for the list of dependent processes. You can stop and restart the process using Admin > System > Server Monitoring > Processes.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-13 Chapter 3 Administering LMS Server Managing Processes

Network Topology, Layer 2 Services and User Tracking Processes

Table 3-3 lists Inventory, Config and Image Management processes, and their dependency processes.

Table 3-3 Network Topology, Layer 2 Services and User Tracking Processes and Dependency Processes

Dependency Process Name (Sequential) Log Information Description ANIDbEngine None None System service: Database engine for Topology and Identity Services. ANIServer EDS ani.log System service: Collects device information ANIDbEngine for Topology and Identity Services. MACUHIC EssMonitor macuhic.log System service: Receives and processes ANIDbEngine SNMP traps for Dynamic UT UTLITE EssMonitor utlite.log System service: Receives and processes the UTLITE data ANIDbEngine UTMajorAcquisition ANIServer ut.log UTMajor Acquisition is a transient process. System service: Collects end hosts information. UTManager EssMonitor utm.log System service: Queries external system for ANIDbEngine Dynamic UT DCRServer VNMServer ANIDbEngine Vnmserver.log System service: Handles VRF Lite Services like configuration, VRF Lite collector job scheduling WlseUHIC ANIDbEngine wlseuhic.log System service: Collects information from Wlse Device

Administration of Cisco Prime LAN Management Solution 4.2 3-14 OL-25947-01 Chapter 3 Administering LMS Server Managing Processes

IPSLA Performance Management Processes and Dependency Processes

Table 3-4 lists the LMS 4.2 Performance Management processes and their dependency processes.

Table 3-4 LMS 4.2 IPSLA Performance Management Process and the Dependency Processes

Dependency (Sequen- Process Name Description tial) Default State Log Files IPMProcess Provides core function of managing DCRServer, Program ipmserver.log,dmgtd.log IPSLA Performance Management IpmDbEngine Started Devices, Collectors and Operations in LMS. jrm IPMOGSServer IPSLA Performance Management CmfDbMonitor, Program IPMOGSServer.log, Started group administration service. This is EssMonitor, IPMOGSClient.log used for managing IPSLA Performance Management collector groups. It is also DCRServer, used for IPSLA Performance Manage- IpmDbEngine ment Collector selector. IpmDbEngine IPSLA Performance Management NA Program dmgtd.log Database Engine service. Started It is used for managing and storing IPSLA Performance Management related information on the database

Device Performance Management Module Processes

Table 3-5 gives a description of key processes in Device Performance Management module.

Table 3-5 Key Processes in LMS 4.2 Device Performance Management Module

Dependent Default Process Name Description Process State Log Files UPMDbEngine This is the Device None Started None Performance Management database engine process. If this process is down, you will not be able to access Device Performance Management module of LMS, and polling, threshold monitoring, and trendwatch monitoring will fail.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-15 Chapter 3 Administering LMS Server Managing Processes

Table 3-5 Key Processes in LMS 4.2 Device Performance Management Module

Dependent Default Process Name Description Process State Log Files UPMDbMonitor Responsible for monitoring UPMDbEngine Started UPMDbMonitor.log the UPMDbEngine process. UPMProcess Responsible for the Polling DCRServer, Started upm_process.log engine, Threshold UPMDbMonitor monitoring and Poller Management features of LMS. If this process is down, poller management, threshold management, trendwatch management will fail.

Fault Management Processes

Table 3-6 provides a complete list of Fault Management-related Cisco Prime processes. Logs for most of these processes are provided in Table 1-2.

Table 3-6 Fault Management Related Processes

Default Name Description Dependency State Log Files AdapterServer/ Event adapter takes events from backend None Program adapterServer.log, AdapterServer 1 servers. Started adapterServer1.log , daemons.log DataPurge Data Purge—Starts as scheduled in the GUI and jrm Administrato DPS.log, purges the Fault History database. r has shut daemons.log down this server

Administration of Cisco Prime LAN Management Solution 4.2 3-16 OL-25947-01 Chapter 3 Administering LMS Server Managing Processes

Table 3-6 Fault Management Related Processes (continued)

Default Name Description Dependency State Log Files DfmBroker Fault Management Broker maintains a registry None Program brstart.log about Fault Management domain managers, that Started register the following information with the broker when its initialization is complete: • Application name of the domain manager • Hostname on which the domain manager is running • TCP port at which the HTTP server is listening When a client needs to connect to the domain manager, it first connects to the broker to determine the hostname and TCP port the HTTP service of that server is listening. It then disconnects from the broker and establishes a connection to the domain manager. The DfmBroker log file is located at NMSROOT/objects/smarts/local/logs/brstart.log . DFMLogServer Controls Fault Management logs. None Program DfmLogService.lo Started g, daemons.log DFMMultiProcLog Handles processes with multiple threads. None Program MultiProcLogger.l ger Started og, daemons.log DFMOGSServer Fault Grouping Service Server evaluates group CmfDbEngine, Program DFMOGSServer.l membership. ESS, DCRServer, Started og TISServer DfmServer/DfmSe Infrastructure device domain manager, a DfmBroker Running DFM.log, rver 1 program that provides backend services for Normally DFM1.log Fault Management. Services include SNMP data retrieval and event analysis. The DfmServer log is NMSROOT/objects/smarts/logs/DFM.log. If there are two instances of the DfmServer running, each will have a log file, DFM.log and DFM1.log. DFMCTMStartup Handles interprocess communication. None Administrato DFMCTMStartup. r has shut log, daemons.log down this server EPMDbEngine Event Promulgation Module (EPM) database None Program EPM.log engine—Repository for the EPM module. Started EPMServer Sends events to notification services. EPMDbEngine Running EPM.log Normally

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-17 Chapter 3 Administering LMS Server Managing Processes

Table 3-6 Fault Management Related Processes (continued)

Default Name Description Dependency State Log Files FHDbEngine Fault History database engine—Repository for None Program daemons.log alerts and events. Started FHPurgeTask Fault History purge task. None Transient FHCollector.log, terminated FHUI.log FHServer Fault History server, a program that runs EPMServer, Running FHServer.log backend services for Fault History. EPMDbEngine, Normally FHDBEngine Interactor Provides inventory and device information to InventoryCollect Program Interactor.log the Detailed Device View (DDV); updates the or Started DDV with events. Interactor 1 Provides inventory and device information to Inventory Program Interactor1.log the Detailed Device View (DDV); updates the Collector 1 Started DDV with events. InventoryCollector Synchronizes voice device inventory with ESS, TISServer, Running InventoryCollector / infrastructure device inventory. Handles all DFMOGSServer Normally/Pr .log, InventoryCollector inventory events, such as adding and deleting ogram InventoryCollector 1 devices. Started 1.log INVDbEngine Inventory database engine—Repository for None Program daemons.log devices. Started NOSServer Notification Server monitors alerts and sends EPMDbEngine, Running nos.log notifications based on subscriptions. EPMServer, Normally INVDbEngine, DFMOGSServer PTMServer Polling and thresholds server. DFMOGSServer Running PTMServer.log Normally PMServer PMServer is used for the Partition Manager INVDbEngine Running PMServer.log (For funtionality for the Fault Management module EssMonitor Normally Windows) of LMS. When you add a device to the Fault daemons.log (For Management module, it is always added to the Solaris/Soft default partition 0. Appliance) All the debug logs related to PMServer can be found at NMSROOT/log/dfmLogs/PM TISServer Inventory server. EssMonitor, Program TISServer.log INVDbEngine Started

Administration of Cisco Prime LAN Management Solution 4.2 3-18 OL-25947-01 Chapter 3 Administering LMS Server Backing Up Data

Backing Up Data

You should back up the database regularly so that you have a safe copy of the database. You can schedule immediate, daily, weekly, or monthly automatic database backups. You should have necessary privileges to use this option. You cannot back up the database while restoring the database. LMS uses multiple databases to store client application data. These databases are backed up whenever you perform a backup. Backup requires enough storage space on the target location for the backup to start. If your current license count is lower than your earlier license count, and you restore the data now, devices that exceed the current licence count will be moved to Suspended state.

Caution You should never backup data to the Cisco Prime Installation directory NMSROOT/backup. Sometimes, storing the backup data in this location may corrupt the Cisco Prime installation.

This section explains: • Scheduling a Backup • Restoring Data • Changing the Database Password • Effects of Backup-Restore on DCR • Master-Slave Configuration Prerequisites and Restore Operations • Effects of Backup-Restore on Groups

Scheduling a Backup

You can schedule a backup using the LMS UI or use the backup utility through CLI. See, Backing up Data Using CLI for more information. To schedule a backup:

Step 1 Select Admin > System > Backup. The Backup Job page appears. Step 2 Enter the appropriate information in the following fields:

Field Description Backup Directory Location of the backup directory. We recommend that your target location be on a different partition than the Cisco Prime installation location. The backup directory should not contain any special character. Generations Maximum number of backups to be stored in the backup directory. Time From the lists, select the time period between which you want the backup to occur. Use a 24-hour format.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-19 Chapter 3 Administering LMS Server Backing Up Data

Field Description E-mail Enter a valid e-mail ID in this field. You can enter multiple e-mail IDs separated by commas. The system uses the e-mail ID or e-mail IDs to notify you the following: • New backup schedules. • Status of immediate or scheduled backup jobs upon their completion. • Cancelled backup schedules.

Warning There may be a problem in sending e-mails when you have enabled virus scanner in the Cisco Prime LMS Server. Frequency Select the backup schedule: • Immediately - The database is backed up immediately. • Daily - The database is backed up every day at the time specified. • Weekly - The database is backed up once a week on the day and time specified. Select a day from the Day of week list. • Monthly - The database is backed up once a month on the day and time specified. Select a day from the Day of month list. You cannot schedule more than one backup at a time. The new schedule overwrites the previous schedule, if any.

Step 3 Click Apply. The Schedule Backup message verifies your schedule and provides the location of backup log files. Examine the log file at the following location to verify backup status: On Solaris/Soft Appliance: /var/adm/CSCOpx/log/dbbackup.log On Windows: NMSROOT\log\dbbackup.log You can remove the scheduled backup at any time. Click Remove to delete the scheduled backup job. The Remove button appears only if you have scheduled any backup.

Restoring Data

The new restore framework supports restore across versions. This enables you to restore data from versions 3.1, 3.2. The restore framework checks the version of the archive. • If the archive is of the current version, then the restore from current version is run. • If the backup archive is of an older version, the backup data is converted to LMS format, if needed, and applied to the machine. You can restore your database by running a script from the command line. You have to shut down and restart Cisco Prime while restoring data.

Administration of Cisco Prime LAN Management Solution 4.2 3-20 OL-25947-01 Chapter 3 Administering LMS Server Backing Up Data

In all backup-restore scenarios, a back up is taken from a machine A, and the backed up data, say Ab, is restored on the same machine A, or on a different machine B. Ensure that you do not run any critical tasks during data restoration. Otherwise, you may lose the data of such tasks. For details on effect of restore operation on DCR modes, and Groups, see Effects of Backup-Restore on DCR and Effects of Backup-Restore on Groups.

Caution Restoring the database from a backup permanently replaces your database with the backed up version.

The list of applications in a backup archive should match the list of applications installed on the LMS Server where you want to restore the data. You should not continue the restore when there is a mismatch, as it may cause problems in the functionality of Cisco Prime applications. This section explains the following: • Restoring Data On Solaris/Soft Appliance • Restoring Data On Windows

Restoring Data On Solaris/Soft Appliance To restore the data on Solaris/Soft Appliance:

Step 1 Log in as the superuser, and enter the root password. Step 2 Stop all processes by entering: /etc/init.d/dmgtd stop

Step 3 Restore the database by entering: /opt/CSCOpx/bin/perl /opt/CSCOpx/bin/restorebackup.pl [-t temporary directory] [-gen generationNumber] [-d backup directory] [-h] • [-t temporary directory]—The restore framework uses a temporary directory to extract the content of backup archive. By default the temporary directory is created under NMSROOT as NMSROOT/ tempBackupData. You can customize this, by using this – t option, where you can specify your own temp directory. This is to avoid overloading NMSROOT • [-gen generationNumber]—Optional. By default, it is the latest generation. If generations 1 through 5 exist, then 5 will be the latest. • [-d backup directory]—Required. Which backup directory to use. • [-h]—Provides help. When used with -d syntax, shows correct syntax along with available suites and generations. To restore the most recent version, enter: /opt/CSCOpx/bin/perl /opt/CSCOpx/bin/restorebackup.pl -d backup directory For example, -d /var/backup Step 4 Examine the log file in the following location to verify that the database was restored by entering: /var/adm/CSCOpx/log/restorebackup.log Step 5 Restart the system: /etc/init.d/dmgtd start

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-21 Chapter 3 Administering LMS Server Backing Up Data

Restoring Data On Windows To restore the data on Windows, make sure you have the correct permissions, and do the following:

Step 1 Stop all processes by entering the following at the command line: net stop crmdmgtd Step 2 Restore the database by entering: NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl [-t temporary directory] [-gen generationNumber] [-d backup directory] [-h]

where NMSROOT is the Cisco Prime installation directory. See the previous section for command option descriptions. To restore the most recent version, enter the following command: NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl -d backup directory

Step 3 Examine the log file in the following location to verify that the database was restored by entering: NMSROOT\log\restorebackup.log Step 4 Restart the system by entering: net start crmdmgtd

Note For more details on restoring data see Migrating Data to Cisco Prime LAN Management Solution 4.2 in Installing and Migrating to Cisco Prime LAN Management Solution 4.2

Changing the Database Password

You must enter the database password while installing Cisco Prime. If you do not enter the password, Cisco Prime generates the password at random. However, we recommend that you change the password periodically to ensure system security.

Caution You need to shut down Cisco Prime, change the password and then restart Cisco Prime, for the changes to take effect. Make sure you are not running any critical tasks. Otherwise, you might lose data.

This section explains the following: • Changing Password on Solaris/Soft Appliance • Changing Password on Windows • Formats Available for Changing the Database Password

Changing Password on Solaris/Soft Appliance To change the password on Solaris/Soft Appliance:

Step 1 Log in as the superuser, and enter the root password.

Administration of Cisco Prime LAN Management Solution 4.2 3-22 OL-25947-01 Chapter 3 Administering LMS Server Backing Up Data

Step 2 Stop all processes by entering: /etc/init.d/dmgtd stop

Step 3 Change to the installation directory by entering: cd NMSROOT/bin NMSROOT is your default Cisco Prime installation directory. Step 4 Enter the following command to list the different formats available for changing the database password: NMSROOT/bin/perl dbpasswd.pl Step 5 When prompted, enter the new password and verify it by re-entering it. The password can contain a maximum of 30 characters. Step 6 Start all processes by entering: /etc/init.d/dmgtd start

Changing Password on Windows To change the password on Windows:

Step 1 At the command line, make sure you have the correct permissions. Step 2 Stop all processes by entering: net stop crmdmgtd

Step 3 Change to the Installation Directory by entering: cd NMSROOT\bin NMSROOT is your default Cisco Prime installation directory. Step 4 Enter the following command to list the different formats available for changing the database password: NMSROOT\bin\perl dbpasswd.pl Step 5 When prompted, enter the new password and verify it by re-entering it. The password can contain a maximum of 30 characters. Step 6 Start all processes by entering: net start crmdmgtd

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-23 Chapter 3 Administering LMS Server Backing Up Data

Formats Available for Changing the Database Password The different formats available and the commands for changing the database passwords on Windows, Solaris and Soft Appliance platforms are tabulated below:

Format Command Format 1 detects the available datasource names On Solaris/Soft Appliance: and databases and prompts you to enter and NMSROOT/bin/perl dbpasswd.pl all confirm the passwords for each of them. On Windows: It also allows you to encrypt the password. NMSROOT\bin\perl dbpasswd.pl all Format 2 allows you to list all the databases and On Solaris/Soft Appliance: datasource names (DSNs) available in the server. NMSROOT/bin/perl dbpasswd.pl listdsn On Windows: NMSROOT\bin\perl dbpasswd.pl listdsn Format3 allows you to change the database On Solaris/Soft Appliance: password. NMSROOT/bin/perl dbpasswd.pl dsn=odbc_datasource On Windows: NMSROOT\bin\perl dbpasswd.pl dsn=odbc_datasource Format 4 allows you to change the database On Solaris/Soft Appliance: password for a specific DSN. NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password It also allows you to enter a new password in the On Windows: command line using the npwd option. NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password Format 5 allows you to encrypt the existing On Solaris/Soft Appliance: database password. NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name encyption=yes On Windows: NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name encyption=yes Format 6 allows you to change the database On Solaris/Soft Appliance: password for a specific DSN. NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password Format 6.0 also: encryption=yes • Allows you to enter a new password in the On Windows: command line using the npwd option. NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password • Allows you to encrypt the password using the encryption=yes encryption option.

Effects of Backup-Restore on DCR

Data changes are a normal part of any restore from a backup. However, because Device and Credential Repository (DCR) is a distributed system with varying modes, it is also possible for any restored DCR to: • Change modes.

Administration of Cisco Prime LAN Management Solution 4.2 3-24 OL-25947-01 Chapter 3 Administering LMS Server Backing Up Data

For example, a Standalone DCR can be set after a backup to act as a Slave. When the restore is performed, it will be reset to the Standalone mode. It depends on the DCR mode of the machine from which the backup was taken (source machine), and the machine on which the data was restored (target machine). • Change Master/Slave relationships. For example, a DCR Slave may be using Master A at the time a backup is taken. Later, the domain may be changed to use Master B, and the Slave reset to use Master B. When the restore is performed, the Slave will attempt to use Master A. For detailed information on DCR, see Managing Device and Credentials in Inventory Management Guide. The following scenarios helps you understand the implications of Restore operations on DCR. • Restoring Data From a DCR Standalone • Restoring Data From S1 on S1 • Restoring Data From S1 to M1 • Restoring Data From S1 on M2 • Restoring Data From M1 on M1 • Restoring Data From M1 to M2

Restoring Data From a DCR Standalone If you restore the data backed up from a machine in the Standalone mode, on any machine whose working mode is either Standalone, Master, or Slave, the end mode will be Standalone. Let X be a machine in Standalone mode. If you restore the data backed up from X, say Xb, on another Standalone machine Y, or a Slave S, or a Master M, the end mode of Y, S, and M will be Standalone. Also, any slave of M will switch to Standalone mode. Further scenarios can be better explained based on the following DCR set up. Let us assume there are two DCR domains. • For Domain 1, you have M1 as Master, and S1, and S2 as Slaves. • For Domain 2, you have M2 as Master, and S3, and S4 as Slaves.

Restoring Data From S1 on S1 Suppose you take a backup from S1. After sometime, you restore the backed up data, say S1b, on S1. S1 will look for its Master M1, and the Master-Slave relation between S1 and M1 will be intact, since M1 is available. However, note that the restore on S1 will practically be of no effect since S1 and M1 will synchronize after the restore on S1. The changes that have taken place after the backup was taken from S1 will be reflected in S1, even if S1b is restored on S1. In the above example, if the restore on S1 is performed when Master M1 is down, or has crashed, the end mode of S1 will be Standalone. This is because S1 will try to contact M1, and will fail because M1 is down.

Restoring Data From S1 to M1 Suppose you take a backup from S1 and restore the backed up data, say S1b, on M1. M1 will switch to Standalone mode because, after backup, it will not be able to find a Master. S1 will also switch to Standalone mode.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-25 Chapter 3 Administering LMS Server Backing Up Data

At the time of backup, if there were 1000 devices in M1, the Slave S1 would also have 1000 devices. Assume more devices are added to M1 after the Backup. S1 will have the up-to-date device list. However, after restore on M1, M1 will have only 1000 devices. In other words, the data on S1 will be more recent than the data on M1.

Restoring Data From S1 on M2 Suppose you take a backup from S1 and restore the backed up data, say S1b, on M2, which is the Master in the DCR Domain 2 in our example. After the restore, the end mode of M2 will be Slave. That is, M2 will become a Slave of M1. Also, S3, and S4, which were Slaves of M2, will switch to the Standalone mode.

Restoring Data From M1 on M1 Suppose you take a back up from M1. After the backup you would be performing several operations that would bring about changes in the Master and the corresponding Slaves; M1, S1, and S2 in our example. Now, if you restore the backed up data M1b, on M1 itself. The Master M1 will have data that is older than the data in the Slaves, S1, and S2. In other words, the Slaves will have more recent data than that on the Master. To avoid this, you must perform the Restore operation in the following sequence:

Step 1 Back up data from the slaves, S1 and S2. Step 2 Back up data from the Master, M1. This is to ensure that the data backed up from M1 is more recent than the data backed up from S1 and S2. Step 3 Stop Daemon Manager on all three machines. Step 4 Restore data on the Master, M1. Step 5 Restart Daemon Manager on M1. Step 6 Restore data on S1, and S2 after the Master is up and stable, Step 7 Restart Daemon Manager on S1, and S2.

This ensures that Master has more recent data than the Slaves.

Note To avoid disturbances to the Master- Slave relationship, and to maintain consistency, it is better to take a back up of all machines at the same time.

Restoring Data From M1 to M2 Suppose you take a backup from M1, and restore the backed up data, say M1b, on M2. S3, and S4 which were Slaves of M2, will switch to Standalone mode.

Master-Slave Configuration Prerequisites and Restore Operations

DCR Master-Slave setup requires you to perform certain tasks prior to Master-Slave configuration, to enable proper, and secure communication between them. This involves copying certificates, and setting up a valid system identity user. For details, see Master-Slave Configuration Prerequisites.

Administration of Cisco Prime LAN Management Solution 4.2 3-26 OL-25947-01 Chapter 3 Administering LMS Server Backing Up Data

Restore operations can affect Master-Slave relationships because they may modify these pre-configured parameters. For example, let M1 be the Master, and S1 its Slave. Let X be a standalone server. Suppose you take a backup from S1, and restore the backed up data, say S1b on X. Now, X has to be in Slave mode. Since, M1 and S1 already shared a Master-Slave relationship, M1 will have the peer certificate of S1, and S1 will have the certificate of M1. After the restore operation, X will get the certificate of M1. However, if peer certificate of X is not present on M1, X will not be able to have M1 as its Master. So you have to ensure that the certificates of the peer machines are in place, before you do a Restore. Other Master-Slave configuration prerequisites such as System Identity user configuration and Peer Server Account user configuration might get affected by Restore operations. For example: In M1 you have Joe as a Peer Server User and in S1 you add Joe as a System Identity user. You take a backup from S1. After you take the backup, say you change the Peer Server User and System Identity User to Bob. Now if you restore the backed up data, say S1b the system Identity User would not be Bob anymore. This will upset the Master-Slave relationship. During restore you are prompted to confirm whether you need to overwrite the SSL certificate. SSL certificates are tied to individual machines. So if you take a backup on one machine and restore it on another, you should be careful not to overwrite the SSL certificate. However, if you backup data from a machine and restore it to the same machine, you may overwrite the SSL certificate.

Effects of Backup-Restore on Groups

Backup-Restore operations have an implication on the way Groups will be displayed in the LMS. The changes in Groups behavior is discussed in relation with the Device and Credential Repository (DCR) mode changes explained in Effects of Backup-Restore on DCR. If you perform a backup on machine A and restore the backed up data, say Ab, on the same machine, the system-defined groups, and the user-defined groups created after the data backup will be removed. The following scenarios helps you understand the implications of Restore operations on Groups. • Restoring Data From a DCR Standalone • Restoring Data From S1 on S1 • Restoring Data From S1 on M1 • Restoring Data From S1 on M2 • Restoring Data From M1 on M2

Restoring Data From a DCR Standalone The following scenarios have to be considered: • Restore data from a Standalone machine A to another Standalone machine B: The provider group name will change accordingly. That is, the provider group CS @A will become CS@B.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-27 Chapter 3 Administering LMS Server Backup for Cisco Prime Infrastructure

• Restore data from a Standalone machine A to a Master M: The Master will switch to Standalone mode. The provider group name will be updated accordingly. The Slave groups will be removed from the Master. Only the groups pertaining to LMS and the applications installed in the Standalone machine will be visible. All dependent Slaves of M will become Standalone. • Restore data from a Standalone machine A to a Slave S: The Slave will switch to Standalone mode. The provider group name is updated accordingly. The groups pertaining to other Slaves in the domain, and the Master of S, will be removed from S. The groups UI will be enabled. The subsequent sections are based on the scenarios discussed in the Effects of Backup-Restore on DCR.

Restoring Data From S1 on S1 No impact on CS groups. There may be applications installed on S1. Say you create 10 groups in the Applications before you backup data from S1. After backup, assume you create 10 more groups in the Applications. After restore, the 10 groups you created after backup will not be present. This loss of newly added groups also propagates to other Slaves in the domain.

Restoring Data From S1 on M1 After restore, both S1 and M1 will switch to Standalone mode. Both will have only those groups pertaining to LMS installed on the individual machines. Groups UI is enabled on S1. Also, the other Slaves of M1 will switch to Standalone mode.

Restoring Data From S1 on M2 After restore, M2 will become a Slave of M1. The Groups UI in M2 will be disabled. M2 will pickup all the groups from M1. Groups in M2 will be propagated to other slaves in the domain. All the slaves of M2 (before restore) will now switch to Standalone mode.

Restoring Data From M1 on M2 Slaves of M2, that is S3 and S4, will switch to Standalone mode. Groups pertaining to S3 and S4 will be deleted from M2. In all the cases the System-defined Groups, and the User-defined Groups, are carried over and updated in the target machine.

Backup for Cisco Prime Infrastructure

From LMS 4.2.2, Cisco Prime LAN Management Solutions will support data migration to Cisco Prime Infrastructure (PI) and the device data from LMS 4.2.x versions can be exported to PI 1.2. The following two procedures will be used to export data from LMS to PI: • Exporting Device Credentials Repository (DCR) data from LMS—User can export the Device List and Credentials to a CSV file that would be shown as a link. The data backup status and backup location will be displayed at the bottom of the Export Data to Prime Infrastructure page.

Administration of Cisco Prime LAN Management Solution 4.2 3-28 OL-25947-01 Chapter 3 Administering LMS Server Licensing Cisco Prime LMS

• Exporting complete data of LMS—This option enables you to store data in an external server or LMS server. The default backup location will be populated in the Backup location field at the bottom of the Export Data to Prime Infrastructure page. If the user chooses storing data in external server, the external server credentials namely Server IP or Host name, username, password and backup location will be required.

Licensing Cisco Prime LMS

You must register your software and obtain a product license before you start using an application. You can obtain a product license and license your application, view details of your current software license, or update to a new license from the Licensing page. LMS will authenticate and perform the license check. If your current license count is lower than your earlier license count, and you restore the data now, devices that exceed the current licence count will be moved to Suspended state. This section explains: • Obtaining a License for Cisco Prime LMS • Licensing the Application • Viewing License Information • Updating Licenses • Ordering LMS licenses

Obtaining a License for Cisco Prime LMS To obtain a product license for your Cisco Prime applications, register your software at one of the following websites. You will need to provide the Product Authorization Key (PAK), which is printed on a label affixed to the Bundle sub-box. If you are a registered user of Cisco.com, use this website: http://www.cisco.com/go/license If you are not a registered user of Cisco.com, use this website: http://www.cisco.com/go/license/public The product license will be sent to the e-mail address you provide during registration. Retain this license with your Cisco Prime software records.

Licensing the Application After you obtain the product license, perform these steps to license your software:

Step 1 Copy the new license file to the LMS Server, with read permission for casuser/casusers. Step 2 Select Admin > System > License Management. The License Information page appears. The License Information page displays the name, version, size, status and expiration date of the license. Step 3 Click Update. Step 4 Enter the path to the new license file in the License field, or click Browse to locate the new file. Step 5 Click OK.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-29 Chapter 3 Administering LMS Server Compliane and Audit Manager (CAAM) Server License

The system verifies whether the license file is valid, and updates the license. The updated licensing information appears in the License Information page. Otherwise an error message is displayed. To return to the License Information page, click Cancel.

Note You must have Compliance and Audit Manager (CAAM) server license for accesing the CAAM features in LMS 4.2. For more details, refer Compliane and Audit Manager (CAAM) Server License.

Viewing License Information To view details of your current software license, select Admin > System > License Management to open the License Information page. The license name, license version, size (device limit for the licensed application), status of the license, and the expiration date of the license appear under License Information. The license version shows the major version of the application.

Updating Licenses You can view details of your current software license, or update to a new license from the License page. To update to a new license from the Licensing page:

Step 1 Select Admin > System > License Management. The License Information page displays the license name, license version, status of the license, and the expiration date of the license. Step 2 Click Update. Step 3 Enter the path to the new license file in the License field, or click Browse to locate the new file. Step 4 Click OK. The system verifies whether the license file is valid, and updates the license. The updated licensing information appears in the License Information page. Otherwise, an error message is displayed. To return to the License Information page, click Cancel.

Ordering LMS licenses For availability, ordering, upgrade, and licensing options refer to www.cisco.com/go/lms

Compliane and Audit Manager (CAAM) Server License

You must have CAAM server license for accessing the following CAAM features in LMS: • Compliance data collection • Compliance profile execution • Compliance Policy and groups • HIPAA Compliance Reports • SOX(COBIT) Compliance Reports

Administration of Cisco Prime LAN Management Solution 4.2 3-30 OL-25947-01 Chapter 3 Administering LMS Server Configuring a Default SMTP Server

• ISO/IEC 27002 Compliance Reports • NSA Compliance Reports • PCI DSS Compliance Reports • Department of Homeland Security (DHS) Checklist Reports • Defense Information Systems Agency (DISA) Checklists • Center for Internet Security (CIS) Benchmarkss The following Compliance and Audit Reports are supported only by LMS license and do not require CAAM server license. • Service Reports • Lifecycle Management Reports • Vendor Advisory Reports

Configuring a Default SMTP Server

This SMTP server is used by default when you add or edit subscriptions for e-mail notifications or send e-mail notifications from the Alerts and Activities display. LMS also provides a facility for specifying a default SMTP server. Specifying a default server here will override the setting used by LMS.

Step 1 Select Admin > System > SMTP Default Server. Step 2 Enter a fully qualified SMTP server name. Step 3 Click Apply.

Collecting Server Information

This feature helps you to get the required information about the server. The information about the server includes system information, environment, configuration, logs, web server information, device and credentials administration information, and grouping services information. You can use the collected server information for troubleshooting. For example, when you have chosen to collect the grouping services information about the server, the following details will be collected and stored: • Status of LMS grouping server. The status values are Running, and Not Running. • List of groups created in the LMS grouping server. • Content of the registry and properties files associated with LMS. • Status of the grouping server installed on same Cisco Prime Server. The status values are Running, and Not Running. • List of groups created in the LMS grouping server. • Content of the properties files associated with other applications. • Error encountered if the grouping servers are not running or if they are not reachable.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-31 Chapter 3 Administering LMS Server Collecting Server Information

You can look into this collected information to find out the errors with grouping servers and debug them. You can also collect server information using CLI. See Collecting Server Information Using CLI To collect the server information:

Step 1 Select Admin > System > Server Monitoring > Collect Server Information. The Collect Server Information page appears. Step 2 Click Create to collect the current server information. The Collect Server Information popup dialog box appears with a list of options. The available options are: • System Information — Displays the server type, operating system version, installation date of operating system, and other system information. • Event Logs — Displays the logs of events in the LMS Server. • Cisco Prime Registry — Displays the registry entries of Cisco Prime components installed in the server. • Tomcat Log Files — Displays the log files corresponding to the application server. • Grouping Service — Displays the information of grouping servers and the groups created in the grouping server. • Application Registry Details — Displays the information of applications registered with Cisco Prime home page. • Device Credentials Admin Information — Displays the details of DCR mode, status of DCR Master, number of devices in DCR and the contents of DCR configuration files. • ODBC Configuration — Displays the information about the configuration of database connection in the LMS Server. • Product Log Files — Displays the contents of log files of all Cisco Prime components. • Environment Variables — Displays the list of environmental variables set up in the LMS Server. • Process Status — Displays the name of processes, current state of the process, process ID, start and finish time of the process, and other information. • Network Configuration — Displays information about the various configurations in a network. • Memory and Harddrive Status — Displays details of free space and total space of memory and hard disk drives in the LMS Server. • JRE Registry — Displays information about the Java Runtime Environment registry files. Step 3 Select the check boxes corresponding to the options you need. You can use the All check box to select or deselect all the available options. By default all the check boxes are selected. Step 4 Click OK. The server information for the selected components is collected. Collecting server information may take longer if more components are selected. To return to the Collect Server Information page, click Cancel. You can click Refresh in the Collect Server Information page to see the latest status.

Administration of Cisco Prime LAN Management Solution 4.2 3-32 OL-25947-01 Chapter 3 Administering LMS Server Collecting Self Test Information

To view the collected information:

Step 1 Select Admin > System > Server Monitoring > Collect Server Information. The Collect Server Information page appears. Step 2 Click Server Information at the date time link to view the collected server information. The popup window displays the server information collected. Step 3 View server information by clicking the corresponding link in the Table of Contents.

To delete the collected server information:

Step 1 Select Admin > System > Server Monitoring > Collect Server Information The Collect Server Information page appears. Step 2 Select the corresponding check box of the server information you want to delete. Step 3 Click Delete.

Collecting Server Information Using CLI You can also collect server information using CLI. Enter the following command: • NMSROOT\bin\perl NMSROOT\bin\collect.info (on Windows) or • NMSROOT/bin/perl NMSROOT/bin/collect.info (on Solaris/Soft Appliance) where NMSROOT is the directory where you installed Cisco Prime.

Collecting Self Test Information

You can view self test reports using this option. Self test feature helps to test certain basic functions of the server. Execute the following steps to receive the system generated self test report to your Email ID.

Step 1 Go to Admin > System > Server Monitoring > Selftest. Step 2 Select the E-mail text box and enter your Email ID. Step 3 Click Save. The system generated self test report will be sent to the specified Email ID.

Execute the following steps to create a self test report.

Step 1 Select Admin > System > Server Monitoring > Selftest.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-33 Chapter 3 Administering LMS Server Messaging Online Users

Step 2 Click Create to perform a selftest and to view the report. Step 3 Click the Selftest Information at date time link. A popup window displays the selftest information report. To delete a Selftest Information report, select the checkbox and click Delete.

In LMS 4.2, the selftest report provides the following Hardware Parameters details: • Memory availability • Swap • CPU • DSN • Backup status • Number of MIB objects being polled • Maximum number of MIB objects that can be managed • Syslog database size If the syslog database size exceeds 10 GB you need to purge the syslog records to reclaim space. Do the following to purge syslog records and reclaim the database space:

Note If you want to backup the syslogs, refer Setting the Syslog Backup Policy.

Step 1 Perform a forced purge of Syslog messages, refer Performing a Syslog Forced Purge. Step 2 Open RMEDebugToolsReadme.txt from NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\debugtools. where NMSROOT is the Cisco Prime installation directory. Step 3 Refer Syslog DBSpaceReclaimer Tool section in the RMEDebugToolsReadme.txt file and execute the perl script DBSpaceReclaimer.pl.

Note The perl script will reclaim the space occupied by SyslogFirst.db, SyslogSecond.db and SyslogThird.db files present in the server. The amount of space reclaimed will depend on the purge criteria that you specify. The most effective way to reclaim the space is to purge the records older than 1 day.

Messaging Online Users

You can use the Notify User feature in LMS to broadcast messages to online users. You can post messages to users with active Cisco Prime browsers. By default, the messages will be received within 60 seconds. You can also change this polling interval. To send a broadcast message:

Administration of Cisco Prime LAN Management Solution 4.2 3-34 OL-25947-01 Chapter 3 Administering LMS Server Managing Resources

Step 1 Select Admin > System > User Management > Notify Users. The Notify Users page lists all the users currently logged in. Step 2 Enter the message in the Message field and click Send. The Status field displays the status of the message.

Note If you are using Microsoft Internet Explorer, make sure your browser is set to check for updates on every visit to the page.

Managing Resources

LMS provides a Resource Browser for managing resources. You can free locked resources, when necessary, if you have appropriate privileges. All users (including those with Help Desk role alone) can access the Resource browser page. The Refresh icon in the Resource browser is available for all users.

Note The System Identity user must configure all the Resource management related tasks. The Browse Resources and Free Resources tasks should be enabled.

To view Resource details:

Step 1 Select Admin > Network > Resource Browser. The Resource Browser page displays the following details:

Item Description Resource Name of the resource currently locked. Job ID / Owner Number assigned to this task at creation time. Identifies all related locked resources, and user who locked the resource. Time Locked Time this lock was established. Expire Time Lock expiration time.

To free locked resources:

Step 1 Select Admin > Network > Resource Browser. The Resource Browser page appears. Step 2 Check the check box corresponding to the Job ID. Step 3 Click Free Resources. All users (except those with Help Desk and Approver role) can perform the Free Resource operation in the Resource browser.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-35 Chapter 3 Administering LMS Server Modifying System Preferences

To view updated resources, click Refresh.

Modifying System Preferences

You can configure system-wide information on the LMS Server using the System Preferences option. It is a way to centrally locate information that is used by Cisco Prime applications.

Field Description SMTP Server System-wide name of the SMTP server used by Cisco Prime applications to deliver reports. The default server name is localhost. Administrator Cisco Prime Administrator e-mail ID. E-mail ID This e-mail address is used as the From Address in all mails sent from LMS Server. There is no default e-mail ID. Enable E-mail Allows you to enable e-mail attachments in the mails sent from LMS Server. Attachment This option helps you to attach PDF or CSV reports with the e-mail after the scheduled jobs have completed. This option is disabled by default. Maximum Maximum size of the e-mail attachments that are allowed to be sent from LMS Attachment Size Server. You can specify the attachment size in KB or MB. RCP User Name used by network device when it connects to LMS Server to run rcp. User account must exist on UNIX systems, and should also be configured on devices as local user in the ip rcmd configuration command. The default RCP username is cwuser. SCP User Name used by network device when it connects to LMS Server to run SCP. The username you have entered here is used for authorization while transferring software images using SCP protocol. You must specify a user name that has SSH authorization on a Solaris system. SCP uses this authorization for transferring the software images. This field is available only if Cisco Prime LMS applications are installed on the LMS Server. SCP Password Enter the password for SCP User in this field. The password you have entered here is used for authentication while transferring software images using SCP protocol. You must specify a user name that has SSH authentication on a Solaris system. SCP uses this authentication for transferring the software images. This field is available only if Cisco Prime LMS applications are installed on the LMS Server.

Administration of Cisco Prime LAN Management Solution 4.2 3-36 OL-25947-01 Chapter 3 Administering LMS Server Modifying System Preferences

Field Description SCP Verify Password Re-enter the SCP password in this field. This field is available only if Cisco Prime LMS applications are installed on the LMS Server. Enable crmlogger Enable the Domain Name Service Resolution for the crmlog service using this DNS resolution field. Note that enabling the DNS Resolution for the crmlog service will slow down the Syslog performance. The crmlog service will stop and start when you enable or disable the Domain Name Service Resolution for crmlog service. If the crmlog registry does not contain the CrmDnsResolution parameter, it will be created automatically when you enable the service. This field is available only on Windows systems. Disable Idle Timeout By default this settings will be enabled and time interval for idle page will be Settings 120 minutes. Idle Timeout You can choose the time interval ranging from 15, 30, 45, 60 and 120 minutes. A page is considered to be idle when there is no mouse or keyboard movement in a particular screen. If the page is kept idle for the set time period then a pop up redirecting the page to idle page will be displayed. You can click cancel to avoid redirecting to the idle page. If you are redirected to the idle page then click the hyperlink click here to return to your previous page.

To edit system preferences:

Step 1 Select Admin > System > System Preferences. The System Preferences page appears. Step 2 Enter the following information: • SMTP Server • Administrator E-mail ID • Maximum Attachment Size • RCP User

Caution Set this information carefully. If you introduce errors, users may not be able to log in.

Step 3 Check the Enable crmlogger DNS Resolution check box to enable the Domain Name Service Resolution for the crmlog service, on a Windows system. Step 4 Enter the following fields, which are available only if Cisco Prime LMS applications are installed on the LMS Server: • SCP User • SCP Password • SCP Verify Password

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-37 Chapter 3 Administering LMS Server Configuring Log Files Rotation

Step 5 Click Apply after making the changes. To cancel the changes, click Cancel.

Configuring Log Files Rotation

Log files can expand and fill up disk space. Log files rotation helps you manage the log files more efficiently. See Maintaining Log Files for an overview of maintaining the log files in LMS Server. Logrot is a log rotation program that enables you to control the size growth of the log files. It helps you to: • Rotate log files while Cisco Prime is running. • Optionally archive and compress rotated logs. • Rotate log files only when they have reached a particular size. Logrot helps you easily add new files. You can configure Logrot either from the UI or from the CLI. The following log files are maintained by the log rotation program: • Daemon Manager • Web server log files This section explains: • Configuring Log Files Rotation Settings From the User Interface • Configuring Log Files For Rotation From the User Interface • Scheduling Log Files Rotation • Configuring Logrot Utility • Running Logrot Script • Viewing the Scheduled Logrot Job

Configuring Log Files Rotation Settings From the User Interface To configure log files rotation from the user interface:

Step 1 Select Admin > System > Log Rotation. The Log Rotation page appears. Step 2 Set your backup directory in the Backup Directory field. This backup directory stores the rotated log files. You can also use the Browse button to select a directory from the file browser. The default directory is: • NMSROOT\log on Windows systems • /var/adm/CSCOpx/log on Solaris/Soft Appliance systems If you do not set a backup directory, each log file will be rotated in its current directory. Step 3 Select Restart Daemon Manager check box to stop and start the Daemon Manager before the log rotation starts. This is optional.

Administration of Cisco Prime LAN Management Solution 4.2 3-38 OL-25947-01 Chapter 3 Administering LMS Server Configuring Log Files Rotation

Configuring Log Files For Rotation From the User Interface To add the log files for rotation:

Step 1 Select Admin > System > Log Rotation. The Log Rotation page appears. Step 2 Click Add to add the log files you wish to rotate. The Configure Logrot page appears. Step 3 Enter the name of the log file in the Select Log File field. You can enter only one log file at a time. You should specify log file using its fully-qualified path. If the log files do not exist in the path you have specified, this will not be considered for rotation. You can also click Browse to select a log file name from the file system. Step 4 Enter the maximum file size in the Maximum Logrot Size field. The log file will not be rotated until this size is reached. You can enter the file size in KB or MB. The default file size is 1024 KB. The maximum file size for log rotation is 4096 MB. Step 5 Select a file compression type from Compression Format. The supported formats are: • Z—UNIX compression (on Solaris/Soft Appliance only) • gz—GNU gzip • bz2—bzip2 (on Solaris/Soft Appliance only) Step 6 Specify the number of backups in the No of Backups field. If you do not want to keep any archives, enter 0 (the default) for this option. Step 7 Click Apply to save the changes. To return to the Log Rotation page, click Cancel.

To edit the log files that you have configured for rotation:

Step 1 Select Admin > System > Log Rotation. The Log Rotation page appears. Step 2 Select a record from the list of log files displayed. Step 3 Click Edit. The Edit Logrot page appears. Step 4 Edit the name of the log file. The rotated log files will be stored with the new name you have edited. Step 5 Edit the log file size, compression type or number of archive revisions. Step 6 Click Apply to save the changes. To return to the Log Rotation page, click Cancel.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-39 Chapter 3 Administering LMS Server Configuring Log Files Rotation

Scheduling Log Files Rotation To schedule log files rotation:

Step 1 Select Admin > System > Log Rotation. The Log Rotation page appears. Step 2 Click Schedule. The Schedule Logrot appears. Step 3 Select a value in the Hour and Min drop-down lists to specify the time at which the log rotation should start. You should specify the time in 24-hour format. Step 4 Select a periodic or immediate backup schedule in the Frequency field. The available schedule frequencies are: • Immediate—Log rotation job runs immediately. • Daily—Log rotation job runs every day at the time specified. • Weekly—Log rotation job runs once a week on the day and time specified. Select a day from the Day of Week list. • Monthly—Log rotation job runs once a month on the day and time specified. Select a day from the Day of Month list. Step 5 Click Apply to save the changes. You can remove a schedule at any time. Click Remove to delete the scheduled job. The Remove button is enabled only if you have scheduled a log rotation. To return to the Log Rotation page, click Cancel.

Configuring Logrot Utility Logrot should be installed on the same machine where you have installed LMS. To configure the Logrot script:

Step 1 Enter: • NMSROOT\bin\perl.exe NMSROOT\bin\logrot.pl -c (on Windows) • Run /opt/CSCOpx/bin/logrot.pl -c (on Solaris/Soft Appliance) The Logrot configuration menu appears. You have the following options: • Edit variables. • Edit log files. • Quit and save changes. • Quit without saving change. Step 2 Select Edit variables to set your Backup Directory. If you do not set a backup directory, each log will be rotated in its current directory.

Administration of Cisco Prime LAN Management Solution 4.2 3-40 OL-25947-01 Chapter 3 Administering LMS Server Configuring Log Files Rotation

Step 3 Select Edit log files to add log files you wish Logrot to rotate. You can specify log files using fully-qualified or relative paths. If a relative path is specified, and the log file does not exist in that path, the default log file path for your operating system will be added during rotation (for example, /var/adm/CSCOpx/log on Solaris/Soft Appliance). Step 4 Specify the number of archive revisions. If you do not want to keep any archives, enter 0 (the default) for this option. Step 5 Specify the maximum file size. The log will not be rotated until this size is reached. The unit is in kilobytes (KB). The default is 1024 KB or 1 MB. Step 6 Specify the file compression type to be used. It can be: • Z—UNIX compression (on Solaris/Soft Appliance only) • gz—GNU gzip • bz2—bzip2 (on Solaris/Soft Appliance only) When deleting logfiles, you can choose to delete an individual file, a list of files, or all files matching a certain pattern. For example, 1-3 means delete files numbered 1 through 3. a list of comma-separated file numbers, for example, 1,21, means delete files numbered 1 and 21. A pattern string *.log means delete all files that match the pattern *.log. You can also specify the special pattern, *, which means delete all logfiles in the configuration.

Running Logrot Script To run the Logrot Script enter: • On Windows: Enter NMSROOT\bin\perl NMSROOT\bin\logrot.pl • On Solaris/Soft Appliance: Run /opt/CSCOpx/bin/logrot.pl You can schedule log rotation so that the utility works on a specified time and day. The following command line flags are accepted: • -v option to get verbose messages. • -s option shuts down dmgtd before rotating logs.

Caution The Restart Delay variable controls the waiting duration (in seconds) before proceeding, after dmgtd is shutdown. This option is only used if the -s argument is given to logrot. The default delay is 60 seconds.

• -c option reruns the configuration tool. • -h option displays the help. The following wrapLogrot permissions should be checked for proper working of LogRotation. For Solaris: bash-3.00# ls -l /opt/CSCOpx/bin/wrapLogrot -r-sr-x--- 1 root casusers 6852 Oct 1 19:08 /opt/CSCOpx/bin/wrapLogrot

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-41 Chapter 3 Administering LMS Server Configuring Disk Space Threshold Limit

For Virtual Appliance: [root@HOSTNAME bin]# ls -l wrapLogrot -r-sr-s--- 1 root casusers 7430 Sep 26 16:00 wrapLogrot

Viewing the Scheduled Logrot Job You can view the scheduled jobs log file to troubleshoot the logrot utility. To look at the scheduled logrot job: • On Windows, use the command: crontab.cmd • On Solaris, use the command: crontab -l Example: To view the job scheduled to run as root user, use the command: crontab -l root To view the job scheduled to run as casuser, use the command: crontab -l casuser • On Soft Appliance, use the command:

crontab -lu Example: To view the job scheduled to run as root user, use the command: crontab -lu root To view the job scheduled to run as casuser, use the command: crontab -lu casuser

Configuring Disk Space Threshold Limit

DiskWatcher is a back-end process that monitors disk space availability on LMS Server. This process calculates the disk space information of a drive (on Windows) or a file system (on Solaris/Soft Appliance) where Cisco Prime applications, are installed, and stores them in diskWatcher.log file. Disk space information is calculated for the following directories on LMS Server: • Cisco Prime Installation directory (on both platforms) • /var directory (on Solaris/Soft Appliance platform only) • /tmp directory (on Solaris/Soft Appliance platform only) The process calculates the disk space availability of the LMS Server directories at a regular interval of approximately one hour. In Solaris machines, the disk spaces of /opt file system is calculated in the first 30 minutes of every one hour time. The disk spaces of /var file system and /tmp file system are calculated in the next 15 minutes and in the last 15 minutes of an approximate one hour time interval. This process also alerts you when the disk space is less than the threshold level you have configured in the User Interface. Alerts are sent as urgent messages to logged in users. You can also receive the alert messages through e-mail if you have configured your e-mail ID along with threshold level.

Administration of Cisco Prime LAN Management Solution 4.2 3-42 OL-25947-01 Chapter 3 Administering LMS Server Effects of Third Party Backup Utility and Virus Scanner

This process records the alert information in the system log files. The alert information is recorded in diskWatcher.log and syslog.log files in Windows machines. They are stored in diskWatcher.log and daemons.log files in Solaris machines. To configure the disk space threshold limit:

Step 1 Select Admin > System > Server Monitoring > DiskWatcher Configuration. The DiskWatcher Configuration page appears. Step 2 Enter a threshold value in the Threshold for Cisco Prime Installation Directory field to monitor the disk space in the Cisco Prime Installation directory. This is mandatory. You should enter the threshold value in units of MB or GB. Step 3 Enter a threshold value in the Threshold for /var and /tmp Directories field to monitor the disk space in Solaris file systems. This is mandatory. You should enter the threshold value in units of MB or GB.

Note This field is available only on Solaris systems.

Step 4 Enter a valid e-mail in the E-mail ID field. You can enter multiple e-mail addresses separated by commas. The system uses the e-mail addresses to notify about the disk space availability when the disk space is less than the threshold limit you have configured. There may be a problem in sending e-mails if you have enabled virus scanner in the LMS Server. Step 5 Click Apply to save the changes or click Cancel to reset the values.

Effects of Third Party Backup Utility and Virus Scanner

Sometimes, the LMS database fails to run and throws the following Sybase Assertion error message: *** ERROR *** Assertion failed: 100909 (9.0.0.1383). 100909 is the Assertion ID.

The following are the scenarios where Assertion Error might appear: • If you use any third-party backup software to back up a live, running database, the Assertion Error might be thrown. This is because some of the database pages that have been modified will be in the database server cache, so the database file will be in an inconsistent state. • If you use any anti-virus software. The reason is, Adaptive Server Anywhere performs many reads and writes other than the normal I/O operations, which contribute to the good performance of Adaptive Server Anywhere. However, anti-virus software might detect this as a potential problem and quarantine the file. This becomes hazardous if the .log or temporary files are quarantined, and it may cause corruption by interfering with the normal functions of the database. Poor performance can also occur if the anti-virus software is checking all I/O operations performed by the database server.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-43 Chapter 3 Administering LMS Server Configuring TFTP

We recommend that you do not use third-party backup software for backing up a running database. We also recommend that you configure your anti-virus software so that it must not scan the NMSROOT/databases directory. NMSROOT is the directory where you have installed Cisco Prime.

Configuring TFTP

This applies only to Solaris. The TFTP (Trivial File Transfer Protocol) daemon shipped by Cisco Prime LMS supports TCP (Transmission Control Protocol) Wrappers. If the TCP Wrapper support is not configured properly in the server where Cisco Prime is installed, the jobs requiring TFTP may fail. To ensure that TFTP works properly, check the following configuration files: • If /etc/hosts.allow file is present, ensure that the command in.tftpd is given as in.tftpd:ALL If the command is not there in the file at all, add it as in.tftpd:ALL • If /etc/hosts.deny file is present, ensure that the command in.tftpd is not there in the file • If both the files are not present (/etc/hosts.allow and /etc/hosts.deny), you do not need to make any changes

Note The TCP Wrapper software extends the abilities of inetd to provide support for every server daemon under its control. It provides logging support, returns messages to connections, and permits a daemon to accept only internal connections.

Displaying LMS Server Name With Browser Title Displaying LMS Server name with browser title helps you to identify the server from which the application window is launched especially in a multi-server setup and Single Sign-On based setup. You can enable or disable the option of displaying the LMS Server name along with the browser title. When you choose to display the server name in the browser title, the browser window displays the title in the following format: Hostname - ApplicationWindowTitle where, – Hostname is the name of the LMS Server – ApplicationWindowTitle is the title of application window launched from LMS Server.

Note By default, the option of displaying the LMS Server name with the application window title in the browser is enabled.

For example, if the name of your LMS Server is lmsdocultra, then the title of the Cisco Prime home page is displayed as lmsdocultra - CiscoPrime. If you launch LMS from the Cisco Prime LMS, the title of the LMS window is displayed as lmsdocultra - LMS Home.

Administration of Cisco Prime LAN Management Solution 4.2 3-44 OL-25947-01 Chapter 3 Administering LMS Server Cisco Prime Integration Application Settings

You can also enable or disable the display of server name with the browser title by changing the configurations in a properties file. Configure the uii-windows.properties file located at NMSROOT/lib/classpath to: • Enable or disable the option of displaying server name with browser title. • Change the format of display from Hostname - ApplicationWindowTitle to ApplicationWindowTitle - Hostname and vice versa. • Replace hyphen (-) with any other delimiter except empty spaces. • Trim the spaces between the Hostname, delimiter and Application window title.

Cisco Prime Integration Application Settings

The Cisco Network Analysis Module Traffic Analyzer (NAM) offers flow-based traffic analysis of applications, hosts, and conversations, performance-based measurements on application, server, and network latency, quality of experience metrics for network-based services such as voice over IP (VoIP) and video. Only NAM 4.1 is supported in LMS 4.2. The Cisco Prime Integration Application Settings page allows you to configure NAM. To add, edit, or delete the NAM configuration details:

Step 1 Select Admin > Cisco Prime Integration > Application Settings. The Application Settings page appears. Step 2 You can do the following: • Add – Click Add. The Server Configuration page appears. – Select NAM from the drop-down list. – Enter the IP Address in the NAM IP field. – Enter the user name and password in the corresponding fields. – Enter the SNMP read community. – Select either HTTP or HTTPS as the protocol. – Enter the port number. – Click Add to add the new NAM configuration details or Cancel to return to the NAM Configuration page. • Edit – Select a configuration detail that has to be edited. – Click Edit. The Edit NAM Configuration page appears. – Enter the IP Address in the NAM IP field. – Enter the user name and password in the corresponding fields. – Enter the SNMP read community. – Select either HTTP or HTTPS as the protocol. – Enter the port number. – Click Edit to save the changes or Cancel to return to the NAM Configuration page.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 3-45 Chapter 3 Administering LMS Server Cisco Prime Integration Application Settings

• Delete – Select a configuration detail that has to be deleted. – Click Delete. A confirmation dialog box appears. – Click OK to confirm or Cancel to return to the NAM Configuration page. • Filter – In the Filter By field, select the filter criteria e.g. ApplicationName from the drop-down list. – In the Matches text box, enter the matching details e.g. NAM. – Click Go, to execute the selected filter condition. – Click Clear Filter, to clear the filter condition.

Administration of Cisco Prime LAN Management Solution 4.2 3-46 OL-25947-01

CHAPTER 4

Administering Discovery Settings and Device and Credential Repository

You can configure discovery settings, and perform some administrative tasks in DCR. This chapter contains: • Scheduling Device Discovery • Configuring Device Selector • Administering Device and Credential Repository For details on configuring discovery logging, see Configuring Discovery Logging.

Scheduling Device Discovery

You can schedule one or more Device Discovery jobs. The optimum Device Discovery schedule depends on the size of network and changes in the network. Before you schedule a Device Discovery job, read the following: • Only one Device Discovery job can run at a time. • Ensure jobs, other than Device Discovery, are not scheduled parallely along with the Device Discovery jobs. If any other jobs are scheduled parallely, Device Discovery job will take more than 5 min to complete. • When you schedule Device Discovery jobs, ensure that the schedule time does not overlap each other. Otherwise, one of the Device Discovery jobs may fail. • You should configure the Device Discovery settings before you schedule a Device Discovery job. Otherwise, the system displays an error message when you try add a schedule. However, you can edit the Device Discovery settings for the scheduled job later. From the Discovery Schedule page, you can: • Add a Device Discovery schedule. See Adding Device Discovery Schedule for details. • Modify a Device Discovery schedule. See Editing Device Discovery Schedule for details. • Delete a Device Discovery schedule. See Deleting Device Discovery Schedule for details. • Navigate to LMS Job Browser page. See Viewing the Status of Device Discovery Schedules for details. • Start device discovery. See Starting Device Discovery for details.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-1 Chapter 4 Administering Discovery Settings and Device and Credential Repository Scheduling Device Discovery

• Maintain multiple Device Discovery Settings for multiple schedules. See Maintaining Multiple Discovery Settings for Multiple Scheduled Jobs for details. • View the Discovery Settings configured for the selected Device Discovery Schedule. See Viewing Discovery Settings for Selected Discovery Schedule for details. • Edit the Discovery Settings for the selected Device Discovery Schedule. See Viewing Discovery Settings for Selected Discovery Schedule for details.

Adding Device Discovery Schedule To add a Device Discovery schedule:

Step 1 Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears. Step 2 Click Add. The Add Discovery Schedule popup window appears. The Device Discovery schedules are dependent of Device Discovery Settings. You cannot click the Add button if you have not configured Device Discovery Settings. The Add button is disabled on a fresh installation of LMS in LMS Server. Step 3 Select a value in the Hour and Min drop-down lists to specify the time when the Device Discovery should start. You should specify the time in 24-hour format. Step 4 Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern field. Step 5 Enter a description in the Job Description field. This is optional. You cannot edit the description entered in this field later.

Note The job description should not contain special characters like , and #.

Step 6 Click Schedule. The Device Discovery schedule is created and assigned with a job ID. Email notification is sent to the email address you have configured in the Discovery Settings wizard.

Editing Device Discovery Schedule To edit a Device Discovery schedule:

Step 1 Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears. Step 2 Select a Device Discovery schedule from the list. Step 3 Click Edit. The Edit Discovery Schedule popup window appears. Step 4 Edit the values in the Hour and Min drop-down list, if required.

Administration of Cisco Prime LAN Management Solution 4.2 4-2 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Scheduling Device Discovery

Step 5 Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern field. Step 6 Click Schedule to save the changes.

Deleting Device Discovery Schedule To delete a Device Discovery schedule:

Step 1 Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears. Step 2 Select a Device Discovery schedule from the list. Step 3 Click Delete. The Delete Confirmation dialog box appears. Step 4 Click OK. The selected Device Discovery schedule is deleted from the list of schedules.

Caution Before you remove a Device Discovery schedule, ensure it is completed. Otherwise, if the Device Discovery job is running, deleting the schedule will stop the job first and then will remove it.

Starting Device Discovery To start immediate discovery for scheduled job:

Step 1 Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears. Step 2 Select a job from the list. Step 3 Click Start Discovery. A popup window appears with the information on the immediate jobID. The Start Discovery button will be disabled before setting any jobs or if a discovery is already running. Step 4 Click OK. The Device Discovery summary screen appears. You can view the status of the job in Job Browser page (Admin > Jobs > Browser).

Viewing the Status of Device Discovery Schedules You can navigate to LMS Job Browser page from the Discovery Schedule page to view the latest status of Device Discovery jobs. To do so:

Step 1 Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-3 Chapter 4 Administering Discovery Settings and Device and Credential Repository Scheduling Device Discovery

Step 2 Click the link provided at the bottom of the page. The Job Browser page displays the Device Discovery jobs.

Maintaining Multiple Discovery Settings for Multiple Scheduled Jobs Before creating a scheduled job, you must configure the Device Discovery settings. You can edit the settings for scheduled jobs later and maintain different settings for different jobs. To view the existing Device Discovery settings for a selected job, see Viewing Discovery Settings for Selected Discovery Schedule. To edit the Device Discovery settings for a selected job, see Editing Discovery Settings for Selected Discovery Schedule.

Viewing Discovery Settings for Selected Discovery Schedule You can view the Discovery settings used to create the selected Discovery Schedule job. To do so:

Step 1 Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears. Step 2 Select a Discovery schedule from the list. Step 3 Click View Settings. The View Discovery Settings dialog box appears. Step 4 Click OK to return to the Discovery Schedule page after you have view the schedule.

Editing Discovery Settings for Selected Discovery Schedule You can edit the Discovery Settings used to create the selected Discovery Schedule job. To do so:

Step 1 Select Admin > Network > Discovery Settings > Schedule. The Discovery Schedule page appears. Step 2 Select a Discovery schedule from the list. Step 3 Click Edit Settings. The Module Settings page of Discovery Settings wizard appears. Step 4 Edit the required module settings and click Next. The Seed Devices Settings page appears. Step 5 Edit the required seed devices settings and click Next. If you do not want to proceed further, click Finish. The SNMP Settings page appears. Step 6 Edit the SNMP settings and click Next. If you do not want to proceed further, click Finish. The Filter Settings page appears. Step 7 Edit the Filter settings and click Next. If you do not want to proceed further, click Finish. The Global Settings page appears. Step 8 Edit the Global settings and click Next. If you do not want to proceed further, click Finish.

Administration of Cisco Prime LAN Management Solution 4.2 4-4 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Configuring Device Selector

The Discovery Settings Summary page appears. Step 9 Click Finish to return to Discovery Schedule page.

Configuring Device Selector

The improved Device Selector allows you to search the devices in DCR. It helps to locate the devices and perform the various device management tasks quickly. With this improved Device Selector, you need not remember the device type or application group hierarchy to locate the devices. The devices are categorized under Device Type based groups, User Defined groups, Subnet Based groups, or under All Groups. You can define the settings of the Device Selector pane to customize the display of devices and the order of display. You can customize the top level groups, sub-groups and the list of devices displayed under each group using the Group Customization option. The Group Ordering option allows you to specify the order of display in which the groups are seen in the Device Selector pane. See Device Selector Settings for more information. The Device Selector Settings are specific to each user. You can search for devices using a Simple search or an Advanced search. See Searching Devices for more information. Tool tips are also provided for devices that contain long names so that you do not have to scroll horizontally to see the complete device name. The Device Selector is used to select devices to perform various device management tasks. The device selector lists all devices in a group. The Device Name of the devices added in DCR is displayed in the Device Selector pane. The Device Selector contains the following components:

Component Name Description Search Input Enter your search expression in this text field. You can enter a single device name or multiple device names in this field. You can enter the following as search inputs for searching multiple devices: • Comma separated list of full device names • Device names with wildcard characters, (?) and (*), to search for multiple devices matching the text string entered in this input field. The wildcard character ? matches a single character in a device name and the wildcard character * matches multiple characters in a device name. • Combination of comma separated list of device names, and device names with wildcard characters. See Performing Simple Search for more information. Search Use this icon to perform a Simple search of devices, after you have entered your search input. See Performing Simple Search for more information. Advanced Search Use this icon to perform an Advanced search of devices. See Performing Advanced Search for more information.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-5 Chapter 4 Administering Discovery Settings and Device and Credential Repository Configuring Device Selector

Component Name Description All This tab lists all the top-level device groups and the device names under each group in a hierarchical format (tree view). The top-level device groups include: • All Devices • Device Type Groups • Subnet Groups • User Defined Groups See Understanding Device Groups for more information on types of device groups. Search Results This tab displays all the Simple or Advanced search results and you can select all devices, clear all devices, or select a few devices from the list. The Simple search results are based on the device name of the devices added to DCR. The Advanced search results are based on the grouping attributes of the grouping services server. Selection This tab lists all the devices that you have selected in the All or Search Results tab or through a combination of both. You can also use this tab to deselect the devices you have already selected. You can perform more than one search and can accumulate your selection of devices.

The Device Selector displays the number of devices selected by you at the bottom. When you click the link provided, it launches the Selection Tab. Tool tips are also provided for devices that contain long names so that you do not have to scroll horizontally to see the complete device name. This section contains the following information: • Selecting Devices for Device Management Tasks • Searching Devices • Device Selector Settings

Selecting Devices for Device Management Tasks

You can select devices to perform various device management tasks such as editing device credentials and viewing device credentials, using any of these methods: • Selecting Devices From All Tab • Selecting Devices From Search Results • Combination of Selection From All Tab and Search Results

Selecting Devices From All Tab The All tab lists the top-level device groups and the device names under each group in a hierarchical format (tree view).

Administration of Cisco Prime LAN Management Solution 4.2 4-6 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Configuring Device Selector

You can select the devices from the tree view. The Selection tab shows the flat list of selected devices from the All tab. You should expand the nodes of the top-level device groups and sub groups to see the list of devices within a group and select the devices you want. We recommend that you do not expand all and leave all the multiple group nodes open. This may affect the performance of the device selector.

Selecting Devices From Search Results You can perform a Simple Search or an Advanced Search, and the search results are displayed under the Search Results tab. You can select the devices you want from the Search Results tab. The Selection tab and the All tab, display the devices you have selected from the Search Results tab.

Note You can perform more than one search and can accumulate your selection of devices.

Combination of Selection From All Tab and Search Results You can select the devices from the All tab and add more devices to the Selection list from the Simple or Advanced search results in the Search Results tab. The Selection tab displays the accumulated list from both All and Search Results tabs. You can enter another search criteria and select more devices. The selected devices are accumulated in the Selection tab.

Searching Devices

With the improved Device Selector, you can search for the devices by performing a Simple search or an Advanced search. In both cases, you do not need to remember the name of the devices and the groups in which the devices are grouped.

Note The search string is not case sensitive in LMS.

This section contains the following: • Performing Simple Search • Performing Advanced Search

Performing Simple Search

You can enter your search criteria in the Search Input field and search for the devices using the Search icon. The search results are based on the device name of the devices added in DCR. Note the following points when you perform a Simple search. • You can enter a comma separated list of device names to search for multiple devices. • You can use the wildcard characters, * and ?, to search for multiple devices that match the text string entered in this input field. Multiple wildcard characters are allowed in a search string. • You can use the combination of comma separated list of device names and wildcard characters in the device names to search for multiple devices. • If you are not using the wildcard characters, make sure that you enter the full device name. For example, when you enter device2?, *.cisco1,*device10* as search input, the system displays:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-7 Chapter 4 Administering Discovery Settings and Device and Credential Repository Configuring Device Selector

• Device names starting with device2 and with only one character after device2 • Device names ending with .cisco1 • Device names containing the text string device10

Performing Advanced Search

Use the Advanced Search icon to open the Advanced Search popup window and specify a set of rules for performing an Advanced search. The advanced search is based on the grouping attributes of the application's grouping server. You can create a rule in the Advanced Search dialog box by either: • Using Expressions or • Using Rule Text Fields You can verify if the rule you have entered is correct using the Check Syntax button, and reset the rule you have created using the Clear button.

Using Expressions

You can use expressions to form a rule in the Advanced Search Dialog box. Each rule expression contains: • Device Type — Object type used for forming a group. All expressions start with the string Device • Variables — Device attributes used to form a device group. The list of variables for advanced search are Category, DeviceIdentity, DisplayName, DomainName, HostName, ManagementIpAddress, MDFId, Model, Series, SystemObjectID, and the user-defined data, if any. The list of device attributes are different across Cisco Prime modules. The Advanced Search window in the Device Selector of Cisco Prime applications displays the respective device attributes as variables. • Operators — Various operators to be used with the rule. The list of operators includes equals, contains, startswith, and endswith. The list of operators changes dynamically with the value of the variable selected. For the ManagementIpAddress variable, you can select the range operator other than the standard list of operators. The range operator enables you to search for devices of the specified range of IP Addresses. SeeUsing IP Address Range to Form a Search Rule for more information. • Value — Value of the variable. The value field changes dynamically with the value of the variable and operator selected, and this may be a text field or a list box. After you define the rule settings, click Add Expression to add the rule expression. You can also enter multiple rule expressions using the logical operators. The logical operators include OR, EXCLUDE and AND.

Using IP Address Range to Form a Search Rule The range operator enables you to search the devices of the specified range of IP Addresses. You can select the range operator only for the ManagementIpAddress and IP.Address variables. You should enter the range of IP Addresses in the Value field, to create a search rule based on IP Address ranges. When you enter the IP Address range in the text field, you should:

Administration of Cisco Prime LAN Management Solution 4.2 4-8 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Configuring Device Selector

• Specify the range with permissible values for one or more octets in the IP Address. The minimum limit in the range is 0 and the maximum limit is 255. • Use the hyphen character (-) as a separator between the numbers within a range. • Specify the range of IP Addresses within the [ and ] characters to create a group rule. For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field. You should not: • Enter numbers lesser than 0 and greater than 255 in the IP Address range. • Enter any characters other than the range separator (-). • Enter the value of highest limit in the range as less than the value of smallest limit number. For example, you should not enter 10.10.10.[8-4].

Example for forming a Search Rule Using Expressions For example, if you want to search all the devices in the network whose device name contains TestDevice or their IP Addresses within the range 10.10.210.207 to 10.10.212.247, you must perform the following:

Step 1 Click the Advanced Search icon in the Device Selector pane. The Define Advanced Search Rule dialog box appears. Step 2 Create a search rule expression. To do so: a. Select Variable as DisplayName b. Select Operator as equals c. Enter the Value as TestDevice Step 3 Click Add Rule Expression. The rule is added into the Rule Text. Step 4 Create another rule expression. To do this: a. Select OR as the logical operator b. Select Variable as ManagementIPAddress/IP.Address c. Select Operator as range d. Enter the Value as 10.10.[210-212].[207-247] Step 5 Click Add Rule Expression. The rule is appended into the Rule Text. Step 6 Click Search to display the devices that satisfies the specified rule in the Device Selection dialog box.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-9 Chapter 4 Administering Discovery Settings and Device and Credential Repository Configuring Device Selector

Using Rule Text Fields

You can use Rule Text Fields to directly enter a rule without building any expressions. Ensure the rule you create follows the syntax Object type.Variable Operator Value. You can also enter multiple rule expressions using the logical operators. For example, if you want to search all the devices in the network whose device name contains TestDevice or their SysObjectIDs start with 1.3.12.1.4, you must construct a rule as follows:

Device.DisplayName contains "TestDevice" OR Device.SystemObjectID startswith “1.3.12.1.4"

Note We recommend that you use expressions to construct a complex rule instead of creating them using the Rule Text field. Use the Rule Text field to make any minor edits to the constructed rule.

Additional Notes

Read the following notes before you perform an advanced search: • You cannot use wildcard characters in the Value field. Instead you can use the operator as startswith or contains. • You can use Check Syntax button, when you add or modify a rule manually. • You must delete the complete rule expression including the logical operator, when you delete a portion of your rule. • The search string is case-insensitive.

Device Selector Settings

The devices are categorized under Device Type groups, User Defined groups, Subnet groups, Application specific groups or under All groups. You can define the settings of the Device Selector pane to customize the display of devices and the order of display. These configurations are specific to each user and you can save them. The devices are displayed in the appropriate category based on your roles and privileges. All the devices will be listed to the administrator role. This section has the following information: • Understanding Device Groups • Customizing Device Grouping • Customizing Display Order of Device Groups

Understanding Device Groups

The Device Selector pane displays the following top-level device groups: • All Devices • Device Type Groups • Subnet Groups • User Defined Groups

Administration of Cisco Prime LAN Management Solution 4.2 4-10 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Configuring Device Selector

All Devices

The All Devices Group displays all the devices in the application in the alphabetical order of their device names. The device names are defined when you have added the devices in DCR.

Device Type Groups

The Device Type Groups displays all devices in groups and subgroups based on their Device Category, Series and Model. By default, the device grouping is based on their Device Categories such as Routers, Switches and Hubs. The Device Category Groups folder can contain devices in subgroups based on their Device Series. For example, the Device Category Group Router can contain devices (Routers) in subgroups Cisco 7000 Router Series and Cisco 12000 Router Series. The Device Series subgroup can contain subgroups of devices based on their Model. For example, the subgroup Cisco 12000 Router Series can contain the devices Cisco 12012 Router and Cisco 12816 Router. See Customization of Device Type Groups for information on customizing the display of devices under Device Type Groups.

Subnet Groups

You can see Subnet Groups, only when Topology and Identity Services functionality is enabled. You can check the functionality settings at Admin > System Administration > Collection Settings > Functionality Settings. In a Multi Server setup, when two or more servers are installed with the Topology and Identity Services, then the Subnet Groups from all the servers will be aggregated and displayed under the Subnet Groups folder in the Device Selector pane. See Customization of Subnet Groups for information on customizing the display of devices under this group.

User Defined Groups

The User Defined Groups are created by users to administer the applications. The User Defined Groups are created in Groups Administration window based on defined group rules. All User Defined Groups (shared groups) from all application group hierarchies are collated and shown as subgroups under this group. In a Multi Server Setup, the top level User Defined Groups will be named as User Defined Groups@Server Name. When there two or more User Defined Groups with the same name, the Device Selector displays all of them. You have to use the Tooltip to find the source server where the User Defined Group is created.

Tip We recommend you to provide unique and meaningful names to User Defined Groups when you create them to avoid the display of multiple User Defined Groups with the same name.

See Customization of User Defined Groups for information on customizing the display of devices under this group.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-11 Chapter 4 Administering Discovery Settings and Device and Credential Repository Configuring Device Selector

Customizing Device Grouping

You can customize the device grouping and display the customized device groups in the Device Selector pane. See Understanding Device Groups for more information on Device Groups. You can use the Group Customization option to customize the display of device groups. This section contains: • Customization of Device Type Groups • Customization of Subnet Groups • Customization of User Defined Groups

Customization of Device Type Groups

You can display or hide the Device Type Groups folder in the Device Selector pane using the Group Customization option. You can customize the Device Type Based Groups folder to display: • All devices in groups, based on their Device Category only • All devices in groups and subgroups, based on their Device Category and Series • All devices in groups and subgroups, based on their Device Category, Series and Model By default, the Device Type Group folder displays the devices in sub groups based on their category only. To display the devices in groups based on their Device Category:

Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Step 2 Check the Show Category Groups check box from the Device Type Based Groups panel. Step 3 Click Apply to save your changes or click Restore Defaults to restore the default values.

To display the devices in groups and subgroups based on their Device Category and Series:

Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Step 2 Check the Show Series Groups check box from the Device Types Based Groups panel. When you check the Show Series Groups check box, the Show Category Groups check box will also be checked automatically and will be disabled. Step 3 Click Apply to save your changes or click Restore Defaults to restore the default values.

Administration of Cisco Prime LAN Management Solution 4.2 4-12 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Configuring Device Selector

To display the devices in groups and subgroups based on their Device Category, Series and Model:

Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Step 2 Check the Show Model Groups check box from the Device Type Based Groups panel. When you check the Show Model Groups check box, the Show Category Groups and Show Series Groups check boxes will also be checked automatically and will be disabled to you. Step 3 Click Apply to save your changes or click Restore Defaults to restore the default values.

To hide the display of Device Type Based Folders from the Device Selector Pane:

Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Step 2 Go to the Device Type Based Groups Panel and uncheck all the check boxes. Step 3 Click Apply to save your changes.

Customization of Subnet Groups

The Subnet Groups contains device groups from the Topology and Identity Services. By default, the Subnet Based Groups folder is not displayed in the Device Selector pane. You can customize the Device Selector pane to display the Subnet Based Groups folder using the Group Customization option. To display the devices under Subnet Based groups in the Device Selector Pane:

Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Step 2 Check the Show Subnet Groups at the First Level check box from the Subnet Based Groups Panel. Step 3 Click Apply to save your changes or click Restore Defaults to restore the default values.

Customization of User Defined Groups

You can customize the User Defined Groups folder in the Device Selector pane to contain the following: • Only User Defined Groups created by you in the local server • Only User Defined Groups created by you in all Peer Servers in a Multi Server setup • All User Defined Groups created by any user in the local server • All User Defined Groups created by any user in all Peer Servers in a Multi Server setup By default, you can view all the User Defined Groups (irrespective of any user) created in the local server in the Device Selector pane.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-13 Chapter 4 Administering Discovery Settings and Device and Credential Repository Configuring Device Selector

To display only the User Defined Groups created by you:

Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Step 2 Select My User Defined Groups from the Show drop down list box in the User Defined Groups panel. Step 3 Select either: • Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups created by you in the local server. Or • All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined Groups created by you in all the servers in a Multi-server setup. In a Standalone Server Setup, the From drop down list box contains only Local LMS Server list item. Step 4 Click Apply to save your preferences or click Restore Defaults to restore the default values.

To display all the User Defined Groups created by all users:

Step 1 Select Admin > Network > Display Settings > Group Customization. The Group Customization page appears. Step 2 Select All User Defined Groups from the Show drop down list box in the in the User Defined Groups panel. Step 3 Select either: • Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups in the local server. Or • All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined Groups in all the servers in a Multi-server setup. In a Standalone Server Setup, the From drop down list box contains only Local LMS Server list item. Step 4 Click Apply to save your preferences or click Restore Defaults to restore the default values.

Customizing Display Order of Device Groups

You can specify the order in which device groups appear in the Tree view on the Device Selector pane using the Group Ordering option. The Group Ordering setup is specific to each user and the changes will be reflected in the Device Selector panes of all applications. The default order of the groups displayed in the Device Selector pane is: 1. All Devices 2. Device Type Groups 3. User Defined Groups

Administration of Cisco Prime LAN Management Solution 4.2 4-14 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

4. Subnet Groups 5. Application Specific Groups You can change the order and save the configurations. To change the order of the device groups:

Step 1 Select Admin > Network > Display Settings > Group Ordering. The Group Ordering page appears. Step 2 Select a group from the list displayed. Step 3 Click Up to move the device group up in the displayed order or click Down to move down. Step 4 Click Apply to save the changes to your system or click Restore Defaults to restore the default settings.

Administering Device and Credential Repository

The DCR Administration feature allows you to do the following tasks: • Changing DCR Mode • Configuring Device Polling • Configuring User Defined Fields • Configuring Default Credentials To perform these tasks, select Admin > Network > Device Credential Settings. The Admin page appears with the current DCR Administration settings. You can change the Mode Settings or modify User Defined fields.

Changing DCR Mode

To change Mode Settings:

Step 1 Select Admin > Network > Device Credential Settings > Mode Settings. The Mode Settings page appears. Step 2 Click Change Mode to change the current mode. The DCR Mode dialog box appears. You can select the required mode from this dialog box.

This section contains information on: • Master-Slave Configuration Prerequisites • Changing the Mode to Standalone • Changing the Mode to Master • Changing the Mode to Slave

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-15 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

Master-Slave Configuration Prerequisites Before you set up the Master and Slave, you have to perform certain tasks to ensure that secure communication takes place between the Master and Slave.

Tip We recommend you to configure the Master and all its Slaves in the management domain with the same version of LMS software. See Using DCR Features in a Master-Slave Setup section in the Inventory Management Guide.

If machine M is to be the Master and S is to be the Slave:

Step 1 Add a Peer Server User and password in M See Setting up Peer Server Account for details. Step 2 Add a System Identity user and password in S. This should be same as the Peer Server User set up in M. See Setting up System Identity Account for details. Step 3 Copy the Self-Signed Certificate of S to M. Also, copy the Self-Signed Certificate of M to S. See Creating Self Signed Certificates for details on creating Self-Signed Certificate and Setting up Peer Server Certificate for details on copying Peer Certificate. Step 4 Configure S as Slave and M as Master.

Changing the Mode to Standalone

Step 1 Select the Standalone radio button. Step 2 Click Apply to change mode. The default DCR mode is Standalone.

Changing the Mode to Master Before you change the mode to Master, ensure that Master-Slave Configuration Prerequisites are in place.

Step 1 Select the Master radio button. Step 2 Click Apply to change mode.

Changing the Mode to Slave Before you change the mode to Slave, ensure that Master-Slave Configuration Prerequisites are in place. You need to perform the following tasks:

Step 1 Select the Slave radio button. Step 2 Enter the hostname of the Master in the Master field. This hostname should exactly match the Hostname field in the Self Signed Certificate of the Master.

Administration of Cisco Prime LAN Management Solution 4.2 4-16 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

Step 3 Specify the SSL port of the master. Default is 443. Step 4 Select Inform Current slave(s) of new Master Hostname only if you want to change the mode from Master to Slave. If you select this check box, all the slaves of the Master (whose mode you currently changed to Slave) will be informed of the new master hostname. That is, they will become the slaves of the new Master. Step 5 Select the Add new devices to Master check box to add the devices in Slave to the new Master. If the devices are already available in the new Master, they will be discarded. Step 6 Click Apply. A warning message appears when the Master server has the earlier version of LMS. Step 7 Click OK to change the mode to Slave. To cancel the change of mode, click Cancel.

Note You must restart the daemon manager after the mode change to Slave is complete.

Changing the Hostname of a Master Changing the hostname of a Master is equivalent to pointing Slaves to a new Master. When you point a Slave/Standalone to a new Master, DCR checks whether the new Master has the same Domain ID as the current machine. If Domain ID is the same, DCR displays an error message that Master cannot be configured since the new Master has the same Domain ID. In this case, you need to convert the Slave to Standalone, and then register the machine with the new Master. When you re-register, the applications on Slave will clean up the device list. When you change the host name of the current Master, you must change the Slave mode to Standalone, and then re-register the machine as a Slave by providing the new Master hostname. However, when the machine is re-configured as Slave, the applications will clean up the device list. For example, if you have a Master M and Slave S, and if you change the hostname of M, you should change the mode of S to standalone. Then, you have to configure S as the Slave of M. But when you re-configure S as Slave, the applications on S will clean up their device lists. Therefore, you have to be aware that while changing the hostname of a Master, application data is cleaned up on all Slaves.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-17 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

Configuring Device Polling

In the earlier releases, there was no mechanism to detect the devices that were not reachable for a certain time period and easily identify the devices to be deleted. The Device Polling configuration feature overcomes this and helps you to: • Activate Device Polling to check whether the devices can be reached • Configure Device Polling policy • Schedule Device Polling • Display a list of devices that are not reachable for a certain period of time • Delete the selected unreachable devices from DCR You should have the required privileges to configure Device Polling policy. You should be a Network Administrator, or a System Administrator to perform this task in Local Authentication mode. You should have the following privileges to delete the devices: • Privileges to perform the Delete Devices task • Device level authorization This section explains: • Configuring Device Polling Settings • Deleting Unreachable Devices from DCR

Configuring Device Polling Settings

You can configure a Device Polling policy and schedule a Device Polling job to check whether the devices can be reached. Read the following notes before you configure Device Polling settings: • You can use any one or more of the following protocols to poll devices: – ICMP (Ping) – SNMPv3 – SNMPv2c/SNMPv1 • When you select all protocols, the devices in the network are polled using ICMP (Ping) first followed by SNMPv3, and later by SNMPv2c/SNMPv1. • When you select SNMPv2c/SNMPv1 protocol, SNMPv2c is used first to poll the devices. SNMPv1 is used to poll the devices only if the SNMPv2c protocol has failed to query the device. • If you use more than one protocol for polling and if a device is reachable using the first protocol, the other protocols will not be used. • You can configure only one job at a time to detect unreachable devices. You can modify the schedule later at any point of time. • You cannot schedule an immediate Device Polling job. • In a Master-Slave setup, you can configure Device Polling settings and run the Device Polling job only from Master server.

Administration of Cisco Prime LAN Management Solution 4.2 4-18 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

To configure a Device Polling policy:

Step 1 Select Admin > Network > Timeout and Retry Settings > Device Poll Settings. The Device Poll Settings page appears. Step 2 Select the Activate Device Polling to Check Reachability check box to enable Device Polling. Device Polling is not enabled by default. You must select this check box to activate Device Polling. Step 3 Configure a Polling Policy. To do so: a. Enable one or all of the check boxes in the Poll Policy panel to select the protocols to be used for polling: – ICMP (Ping) – SNMPv3 – SNMPv2c/SNMPv1 You must select at least one protocol to activate Device Polling. b. Enter the timeout value for the selected protocols in the appropriate Timeout fields. The timeout denotes the time period after which the ICMP or SNMP query of devices times out. You must enter the timeout value in milliseconds. The minimum timeout value is 1000 milliseconds and the maximum value is 20000 milliseconds. Default value is 1000 milliseconds. You cannot leave this field blank. c. Enter the value of retries for the selected protocols in the appropriate Retries fields. The retry denotes the number of attempts made to query the device. You can specify any value between 0 to 8 as number of retries. The default number of retry is 1 for both ICMP and SNMP protocols. You cannot leave this field blank. d. Enter the number of instances in Notify when devices not reachable for, to receive notifications when the devices are not reachable for a specific time period. This is mandatory. For example, if you enter the number of instances as 2 and the Device Polling job frequency as Daily, you will receive notifications of devices that are not reachable for two days or more than 2 days. If you enter the number of instances as 3 and the Device Polling job frequency as 6 hours, you will receive notifications of devices not reachable for last 18 hours or more than 18 hours. See Step 4 for details on the job frequencies available. Step 4 Schedule the Device Polling task. To do this: a. Select a job frequency from the Run Type drop-down list. You can schedule only periodic Device Polling. The scheduling can be 6 -Hourly, 12 -Hourly, Daily, Weekly, or Monthly. b. Enter a date in the Date field or select a date from the date picker to start the scheduled job. The current date on the client system is displayed in the Date field by default. You can edit the schedule at a later point of time. See Step 5 for details. If you do not want to edit the schedule, go to Step 7.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-19 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

Step 5 Select the Change Schedule check box if you want to edit the schedule information (Run Type and Starting Date). This field does not appear after a fresh or upgrade installation of LMS or if a Device Polling job has not been scheduled earlier. If you opt to change the schedule, the existing job schedule is deleted from Job and Resource Manager (JRM) and a job is scheduled. The device reachability status is also reset. A warning message appears if you select this check box. Step 6 Click OK. Step 7 Enter the Job information. To do this: a. Select the Report Attachment field if you want to receive the report through e-mail. b. Select the Attachment Option as either PDF or CSV. c. Enter a brief description about the Device Polling job in the Job Description field. d. Enter your e-mail ID in the E-mail field to receive notifications about the status of the Device Polling job. You can enter multiple e-mail addresses separated by commas. Entering an e-mail ID is mandatory when you have selected the Report Attachment field. Step 8 Click Apply for the Device Polling settings to take effect. The Device Polling schedule is created and assigned with a job ID. Notification is sent to the e-mail address you have configured in the Device Polling Settings page.

Deleting Unreachable Devices from DCR

The possible reasons for device unreachability are: • Connectivity protocols such as SNMP or ICMP may be disabled on the device. • Incorrect credentials may be configured for the device. • Invalid timeout and retries may have been configured on the device. To delete unreachable devices from DCR, select Reports > Inventory > Management Status > Unreachable Devices.

Configuring User Defined Fields

The User Defined Fields (UDFs) are used to store the additional information about a device. DCR supports a maximum of ten UDFs. By default, the user interface provides four UDFs: • user_defined_field_0 • user_defined_field_1 • user_defined_field_2 • user_defined_field_3

Administration of Cisco Prime LAN Management Solution 4.2 4-20 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

You can add six more UDFs through the user interface. You can rename or delete all the UDFs including the four default UDFs provided by the user interface. This section explains the following: • Adding User Defined Fields • Renaming User Defined Fields • Deleting User Defined Fields

Adding User Defined Fields

To add a User Defined Field (UDF):

Step 1 Select Admin > Network Administration > Device Credential Repository Settings > User Defined Fields. The User Defined Fields page appears with the current settings. Step 2 Click Add to add a UDF. Step 3 Enter the field label and description in the corresponding fields. Step 4 Click Apply to apply the changes. To return to the User Defined Fields page, click Cancel.

Renaming User Defined Fields

To rename a UDF:

Step 1 Select Admin > Network > Device Credential Settings > User Defined Fields. The User Defined Fields dialog box appears. Step 2 Select the radio button corresponding to the UDF you want to rename. Step 3 Click Rename. The User Defined Field dialog box opens in a new window. Step 4 Enter the UDF label and description in the corresponding fields. Step 5 Click Apply. To return to the User Defined Fields page, click Cancel.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-21 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

Deleting User Defined Fields

By default, you can define four attribute fields for a device. These fields are used to store additional user-defined data for the device. You can add up to ten UDFs. To delete a UDF:

Step 1 Select Admin > Network > Device Credential Settings > User Defined Fields. The User Defined Fields dialog box appears. Step 2 Select a UDF and click Delete. A confirmation message window appears. Step 3 Click OK. To return to the User Defined Fields page, click Cancel.

Configuring Default Credentials

Devices added or imported into DCR do not contain all credentials required by the network management applications to manage them. Sometimes this could lead to failure of application jobs. The default credentials feature helps you to add or import devices into DCR with the default credentials and prevents the management applications from failing when the network management applications manage the devices added or imported in DCR. Default credentials are stored in DCR and are not associated with any device. You can configure multiple default credential sets. You can set these default credential sets for a range of devices to be added or imported to DCR based on certain policies. You should be a Network Administrator, a System Administrator, or a Super Admin to configure default credential sets and default credential set policies. This section explains: • Using Default Credentials • Important Notes on Default Credentials • Default Credentials Behavior in Multi-Server Setup • Configuring Default Credential Sets • Configuring Default Credential Set Policy

Using Default Credentials

You can choose to use the default credentials when you: • Manually add devices in DCR When you manually add devices with a similar credential set in DCR, you have to enter the credentials repetitively for every device addition. Instead, you use the default credentials defined in default credential sets or default credential set policies to populate DCR. • Add devices into DCR through Discovery Discovery populates only the SNMP read community string in DCR during device addition and leaves the other credentials as blank.

Administration of Cisco Prime LAN Management Solution 4.2 4-22 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

When other applications manage the newly added device, the management operations fail if they cannot retrieve the required credentials from DCR. To prevent the management operations failing, you can use the default credentials while adding devices through Discovery. • Import devices into DCR Importing devices from a file, NMS or any other third party applications into DCR populates the SNMP read-only community string and the SNMP read/write community string. When other applications manage the newly imported devices, the management operations fail if they could not retrieve the required credentials from DCR. To prevent the management operations from failing, you can use the default credentials while importing devices from NMS or any other third party application.

Important Notes on Default Credentials

You should read the following notes about the default credentials before you configure them and choose to use them in various flows: • The default credentials you use while adding or importing devices into DCR will not be verified. • You can configure multiple default credential sets and add or import a set of devices in DCR with default credentials from a default credential set. Later, you can edit the value of the credentials in a default credential set and add another set of values with the edited default credentials. • The devices that are already added or imported into DCR will not be affected if you edit the values of the default credentials or remove the default credentials from DCR. • Devices added with default credentials in DCR populates all the credentials you have configured for the default credential set irrespective of the device management type. For example, if you have configured the default credential set with Standard credentials, SNMP credentials, and Auto Update Server Managed Device credentials and if you add a device of Standard management type in DCR, the Auto Update Server Managed Device credentials are also populated for that device. • We recommend you to configure a default credential set with the values common for most of the devices that are to be added or imported into DCR.

Default Credentials Behavior in Multi-Server Setup

You can configure the default credential sets and policies only in the DCR Master and Standalone modes. This option is not available in the DCR Slave Server. However, you can use the default credentials in the Cisco Prime applications in DCR Slave Server while adding the devices to DCR. If you opt to use the default credentials, the DCR Slave Server uses the credentials stored at the DCR Master Server. If you configure a LMS Server from DCR Standalone to DCR Slave mode, the default credentials entered in the server will not be used after the mode is changed to Slave. However, when you change the DCR mode back to the Standalone mode from the Slave mode, the default credential sets and policies are restored as configured earlier.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-23 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

Configuring Default Credential Sets

You can configure a maximum of 50 default credential sets. Each default credential set comprises the following credentials: • Primary Credentials (Username, Password, Enable Password) • Secondary Credentials (Username, Password, Enable Password) • SNMPv2c/SNMPv1Credentials (Read-Only Community String, Read-Write Community String) • SNMPv3 Credentials (Mode, Username, Authentication Password, Authentication Algorithm, Privacy Password, Privacy Algorithm) • HTTP credentials (Primary HTTP Username and Password, Secondary HTTP Username and Password, HTTP port, HTTPS port, Current Mode) • Auto Update Server Managed Device Credentials (Username and Password) • Rx Boot Mode Credentials (Username, Password) This section explains: • Configuring a Default Credential Set • Editing a Default Credential Set • Deleting a Default Credential Set

Configuring a Default Credential Set

To configure a default credential set:

Special Character Description _ Underscore - Hyphen .Period

Administration of Cisco Prime LAN Management Solution 4.2 4-24 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

Step 4 Enter a description of the credential set in the Set Description field. Step 5 Click Next or select a credential type from the Default Credentials list panel and enter the respective credential information. You can select any of the credential types from the panel. • Standard Credentials • SNMP Credentials • HTTP Credentials • Auto Update Server Managed Device Credentials • Rx-Boot Mode Credential Step 6 Enter the following credentials as required: • Standard Credentials – Primary Credentials (Username, Password, Enable Password) – Secondary Credentials (Username, Password, Enable Password) • SNMP Credentials – SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community String) – SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy Password, Privacy Algorithm) You must select the SNMPv3 check box to add SNMPv3 default credentials. By default, these fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode is AuthPriv. • HTTP Credentials – Primary Credentials (Username, Password) – Secondary Credentials (Username, Password) – Other Information (HTTP Port, HTTPS Port, Current Mode) • Auto Update Server Managed Device Credentials (Username, Password) • Rx-Boot Mode Credentials (Username, Password)

Note Re-enter the value of passwords in the respective Verify fields.

You must enter a value for at least one credential before applying the default credentials. Step 7 Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also click Back to navigate to the previous page and click Remove to delete the Default Credential Set and the credentials configured in this Credential Set, but it will not affect the devices that are already added or imported with default credentials.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-25 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

Editing a Default Credential Set

To edit a default credential set:

Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets. The Default Credentials Sets page appears. The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Server. Step 2 Click Next or select Credential Set Name from the Default Credentials list panel. Step 3 Select a default credential set name from the Credential Set drop-down list box. Step 4 Edit the description of the credential set in the Set Description field. You cannot edit the name of the credential set. Step 5 Click Next or select a credential type from the Default Credentials list panel. Step 6 Edit the following credentials as required: • Standard Credentials – Primary Credentials (Username, Password, Enable Password) – Secondary Credentials (Username, Password, Enable Password) • SNMP Credentials – SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community String) – SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy Password, Privacy Algorithm) You must select the SNMPv3 check box to add or edit SNMPv3 default credentials. By default, these fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode is AuthPriv. • HTTP Credentials – Primary Credentials (Username, Password) – Secondary Credentials (Username, Password) – Other Information (HTTP Port, HTTPS Port, Current Mode) • Auto Update Server Managed Device Credentials (Username, Password) • Rx-Boot Mode Credentials (Username, Password)

Note Re-enter the value of passwords in the respective Verify fields.

Step 7 Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also click Back to navigate to the previous page and click Remove to delete the Default Credential Set and the credentials configured in this Credential Set, but it will not affect the devices that are already added or imported with default credentials.

Administration of Cisco Prime LAN Management Solution 4.2 4-26 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

Deleting a Default Credential Set

To delete a default credential set:

Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets. The Default Credentials Sets page appears. The Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Server. Step 2 Select a credential set from Credential Set drop-down list box. Step 3 Click Remove to delete a default credential set. The selected default credential set is deleted from the LMS Server. The default credential set policies that you have configured with this default credential set will also be deleted.

Configuring Default Credential Set Policy

You can configure default credential set policies and apply the default credentials for a range of devices to be added or imported to DCR. We recommend that you create up to 50 default credential set policies. You can create default credential set policies based on following policy types: • IP Address • Hostname • Device Name This section explains: • Before Configuring a Credential Set Policy • Creating a Default Credential Set Policy • Patterns in IP Address Default Credential Set Policy Rules • Regular Expressions in Default Credential Set Policy Rules • Examples For Default Credential Set Policies • Deleting Default Credential Set Policies • Defining the Order of Default Credential Set Policies

Before Configuring a Credential Set Policy

Read the following notes before configuring a default credential set policy: • You can include patterns when creating rules for IP Address based default credential set policies. See Patterns in IP Address Default Credential Set Policy Rules for more information. • Regular expressions are supported for policies based on Hostname and Device Names. IP Address based policy types do not support regular expressions. See Regular Expressions in Default Credential Set Policy Rules for more information.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-27 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

• The expressions in default credential set policy rules are case insensitive. • You can include the following characters in Device Name and Hostname: – Lower case alphabets – Upper case alphabets – Numerals ( 0 to 9) – Special characters such as hyphen (-), underscore (_), period (.) and colon (:) • When you define more than one policy for a default credential set, all these policy rules work together. The policies will be applied in the same order in which they appear on the Credentials Sets Policy Configuration page. See Defining the Order of Default Credential Set Policies for more information.

Creating a Default Credential Set Policy

To create a default credential set policy:

Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Default Credentials Sets Policy Configuration page appears. The Default Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Servers. Step 2 Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears. Step 3 Construct a policy rule. To do so: a. Select a parameter from the Select a Policy Type drop-down dialog box. The listed parameters are IP Range, Hostname and Device Name. Based on the parameter that you have selected, the value field name changes dynamically. b. Enter a value for the rule parameter. If you have selected IP Range as the rule parameter, enter a value in the IP Range field. If you have selected Hostname as the rule parameter, enter a value in the Hostname field. If you have selected Device Name as the rule parameter, enter a value in the Device Name field. See Patterns in IP Address Default Credential Set Policy Rules and Regular Expressions in Default Credential Set Policy Rules for more information. The expressions in credential set policy rules are case insensitive. c. Select a credential set name from the Credentials Set drop-down list box to associate the rule expression with the default credential set. Select No Default if you do not want to enter a credential set name. Step 4 Click OK to go back to Credentials Sets Policy Configuration page. The policy that you have configured is listed in the Credentials Sets Policy Configuration page.

You can edit a default credential set policy later. To do so, you must select a default credential set policy in the Credentials Sets Policy Configuration page and click Edit.

Administration of Cisco Prime LAN Management Solution 4.2 4-28 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

Patterns in IP Address Default Credential Set Policy Rules

When you define a default credential policy type based on IP Address, you should follow these guidelines: • Use the standard IPv4 Address format (4 octets separated by periods) or the IPV6 Address format. • Any octet can have one of the following:

Any Octet can have.. Example Numbers between: • 10.77.240.225 (IPv4 Address) • 0 to 255 for an IPv4 Address • 001:DB8:0:2AA:FF:C0A8:0:640A (IPv6 Address) • 0 to FFFF for an IPv6 Address Asterisk (*) as wildcard denoting all numbers from • 10.*.*.240 (IPv4 Address) 0 to 255 in an IPv4 Address and 0 to FFFF in an • 001:*:0:2AA:FF:*:*:* (IPv6 Address) IPv6 Address. Range of numbers in the • 10.77.[220-240].[210-220] (IPv4 [StartingNumber-EndingNumber] format, where: Address) – StartingNumber and EndingNumber should • 001:DB8:0:[EE-FF]:FF:C0A8:0:[100-AA be numbers between 0 to 255 in an IPv4 F] (IPv6 Address) Address and 0 to FFFF in an IPv6 Address The following are examples of invalid IP – StartingNumber should not be greater than Address ranges: or equal to EndingNumber • 10.77.[250-200].221 • 10.77.200-250.221 • 001:DB8:0:[EEEE-FF]:FF:C0A8:0:[D-5] • 001:DB8:0:AA-BB:FF:C0A8:0:[D-5]

• The octets in an IP Address policy type can also contain the combination of wildcard characters and range of numbers. Some examples of IP Address filter combinations include: – 10.77.[210-230].* – 10.77.*.[110-210] – 001:DB8:*:*:FF:[C0A-DD8]:0:[5-D] – [10-20]:[10-20]:[A-F]:2:4:*:*:*

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-29 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

Regular Expressions in Default Credential Set Policy Rules

Hostname and Device Name policy types supports regular expressions. You can use the following characters in regular expressions:

Characte r Description Purpose . Period Matches any character ( Opening parenthesis Marks the beginning of a group of matched characters ) Closing parenthesis Marks the end of a group of matched characters * Asterisk Matches zero or more occurrences of regular expression specified earlier + Plus character Matches zero or more occurrences of regular expression specified earlier \ Trailing slash Identifies a special character within a regular expression

Examples For Default Credential Set Policies

Example 1 - IP Range Policy Type Consider that all devices whose IP Addresses are within the range 10.77.[210-230].*, should be added or imported to DCR with the default credentials defined in a default credential set IPSet. You should create a default credential set policy based on the IP Range policy type. To do so:

Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears. Step 2 Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears. Step 3 Construct the policy: a. Select the policy type as IP Range from the Select a Policy Type drop-down list box. b. Enter the IP Range value as 10.77.[210-230].* c. Select the Default Credential Name as IPSet Step 4 Click OK to go back to Default Credential Sets Policy Configuration page. The policy that you have configured will be listed in a table format.

Example 2 - IP Range Policy Type Consider that all devices whose IP Addresses are within the range 100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15], should be added or imported to DCR with the default credentials defined in a default credential set IPv6Set. You should create a default credential set policy based on the IP Range policy type. To do so:

Administration of Cisco Prime LAN Management Solution 4.2 4-30 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears. Step 2 Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears. Step 3 Construct the policy: a. Select the policy type as IP Range from the Select a Policy Type drop-down list box. b. Enter the IP Range value as 100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15] c. Select the Default Credential Name as IPv6Set Step 4 Click OK to go back to Default Credential Sets Policy Configuration page. The policy that you have configured will be listed in a table format.

Example 3 - Device Name Policy Type Consider that all devices whose Device Names end with or contain device, should be added or imported to DCR with the default credentials defined in a default credential set SetName2. You should create a default credential set policy based on the Device Name policy type. To do so:

Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears. Step 2 Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears. Step 3 Construct the policy: a. Select the policy type as Device Name from the Select a Policy Type drop-down list box. b. Enter the value as (.)*device c. Select the Default Credential Name as SetName2 Step 4 Click OK to go back to Default Credential Sets Policy Configuration page. The policy that you have configured will be listed in a table format.

Example 4 - Device Name Policy Type Consider that all devices whose Device Names contain 1.3.6.1.4.1.9.1.n, should be added or imported to DCR with the default credentials defined in a default credential set SOIDset. You should create a default credential set policy based on the Device Name policy type. To do so:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-31 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

The Add Credentials Policy Configuration dialog box appears. Step 3 Construct the policy: a. Select the policy type as Device Name from the Select a Policy Type drop-down list box. b. Enter the value as (.)*\.1\.3\.6\.1\.4\.1\.9\.1\.(.) c. Select the Default Credential Name as SOIDset Step 4 Click OK to go back to Default Credential Sets Policy Configuration page. The policy that you have configured will be listed in a table format.

Example 5- Host Name Policy Type Consider that all devices whose Hostnames start with Che, should be added or imported to DCR with the default credentials defined in a default credential set SetName1. You should create a default credential set policy based on the Hostname policy type. To do so:

Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears. Step 2 Click Add to add a default credential set policy. The Add Credentials Policy Configuration dialog box appears. Step 3 Construct the policy: a. Select the policy type as Host Name from the Select a Policy Type drop-down list box. b. Enter the value as Che(.)* c. Select the Default Credential Name as SetName1 Step 4 Click OK to go back to Default Credential Sets Policy Configuration page. The policy that you have configured will be listed in a table format.

Example 6- Host Name Policy Type Consider that all devices whose Hostnames contain lab2, should be added or imported to DCR with the default credentials defined in a default credential set SetName3. You should create a default credential set policy based on the Hostname policy type. To do so:

Administration of Cisco Prime LAN Management Solution 4.2 4-32 OL-25947-01 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

c. Select the Default Credential Name as SetName3 Step 4 Click OK to go back to Default Credential Sets Policy Configuration page. The policy that you have configured will be listed in a table format.

Deleting Default Credential Set Policies

To delete default credential set policies:

Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears. The Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Servers. Step 2 Select a default credential set policy to delete. You can also select multiple default credential set policies to delete. Step 3 Click Delete to remove the default credential set policies.

Defining the Order of Default Credential Set Policies

You can specify the order in which the default credential set policies should be applied for devices that are added or imported into DCR. The default credential set policies are applied in the order they appear on the Credentials Sets Policy Configuration page. The default credential set policies appearing at the top of the list are applied first. You can create more than one default credential set policy for a default credential set. When you define more than one policy for a default credential set, all these policy rules work together. For example, consider 10.77.240.[50-52] as a first IP Address policy associated with a default credential set name Test1 and 10.77.240.* as the second IP Address policy associated with a default credential set name Test2. The default credentials defined in Test1 will be applied for all devices in the IP range 10.77.240.[50-52] added or imported into DCR. The default credentials defined in Test2 will be applied for all devices in the IP range 10.77.240.* except the devices with IP Addresses 10.77.240.50, 10.77.240.51 and 10.77.240.52. For example, consider 10.77.*.* as a first IP Address policy for a default credential set name Test1 and 10.77.210.* as the second IP Address policy for a default credential set name Test2. The default credentials defined in Test1 will be applied for all devices in the IP range 10.77.*.* added or imported into DCR. The policy rule 10.77.210.* will never be applied as 10.77.210.* is a subset of 10.77.*.*. To specify the order of default device credentials policies:

Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy Configuration. The Credentials Sets Policy Configuration page appears with a list of default credential set policies.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 4-33 Chapter 4 Administering Discovery Settings and Device and Credential Repository Administering Device and Credential Repository

Step 2 Select a default credential set policy. Step 3 Either: • Click the Up Arrow icon to move the selected default credential set policy up in the displayed order. Or • Click the Down Arrow icon to move the selected default credential set policy down in the displayed order. Step 4 Click Apply Settings to save the changes.

Administration of Cisco Prime LAN Management Solution 4.2 4-34 OL-25947-01

CHAPTER 5

Managing Groups

LMS 4.2 combines the device grouping with a new attribute list. The other grouping services that are available in LMS are: • Fault Group - supports 50 groups • IPSLA Collector Group - supports 100 groups • Port and Module Group - supports 100 groups The numbers of groups that LMS supports will vary according to the SKU that you use. For more details, see Application Scaling Numbers section in the Installing and Migrating to Cisco Prime LAN Management Solution 4.2 guide. This chapter explains the following: • Groups - Components and Basic Concepts • Groups in Single-Server and Multi-Server Setup • Device Group Administration • DCR Mode Changes and Group Behavior • Port and Module Group Administration • Working with Fault System-defined Groups • Working with Customizable Groups • Managing Fault Groups • Viewing Fault Group Details • Viewing Fault Membership Details • Refreshing Fault Membership • Deleting Fault Groups • Understanding Collector Group Rules • IPSLA Collector Group Administration Process • Understanding IPSLA Collector Group Administration • Working with User-Defined Collector Groups • Operation-Based Collector Groups (System-Defined)

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-1 Chapter 5 Managing Groups Groups - Components and Basic Concepts

Groups - Components and Basic Concepts

This section explains the components of a group and the basic concepts of a group.

Components The following are the components of a group: • Group Server: Manages groups of devices. It helps you to create, edit, delete, and refresh groups to be shared by the application. It interfaces with an application service adapter (ASA) to evaluate group rules and retrieve devices of a particular group. • Application Service Adapters (ASAs): Application-specific information repository that serves as source of the devices and attributes that are grouped by the Groups Server. Till LMS 3.2, ASA was an interface between applications and Groups Server. In LMS 4.2, there is only a single ASA. • Group Admin: Allows you to interact with the Groups Server to create and manipulate groups using Group Admin.

Basic Concepts The following are the basic concepts of a group: • Group Class: Representation of a set of devices belonging to DCR. In this context a device in Device and Credential Repository (DCR) is a single instance of a class. Each instance (device) will have a set of attributes and a unique device ID. • Group Object: Device in a group class. Each device in the group will have a set of attributes stored in DCR. Associated with every device is a unique and immutable device ID. • Group: Named aggregate entity comprising a set of devices belonging to a single class or a set of classes, with a common superclass. Groups can be shared between users or applications, subject to access-control restrictions. The membership of a group is determined by a rule. • Group Rule: Consists of one or more rule expressions combined by operators, which can be AND, OR or EXCLUDE. A rule always evaluates to objects of a particular class defined in an application schema.

Administration of Cisco Prime LAN Management Solution 4.2 5-2 OL-25947-01 Chapter 5 Managing Groups Groups in Single-Server and Multi-Server Setup

Groups in Single-Server and Multi-Server Setup

This section has the following subsections: • Groups in Single Server Scenario • Groups in Multi-Server Scenario

Groups in Single Server Scenario

The devices you see in the Group Administration UI in depends on whether the devices are being managed by LMS or not, and not on any application like CS, RME, CM. In LMS 3.2, if there are Common Services, LMS, and RME installed on a server, you can see the following groups in the Groups UIs of the applications. • CS@hostname • RME@hostname • Campus@hostname In LMS 4.2, there are no separate applications and there are four types of groups: • Device Groups The device group name is LMS@hostname, instead of CS@hostname, RME@hostname, and Campus@hostname. LMS supports 200 device groups. • Fault Groups These groups are created by the Fault Management module in LMS, and consist of interface, trunk port, and access port groups. Each group has a set of properties (such as a name, description, and permission.), and are defined by the rules associated with the group. • IPSLA Collector Groups You can group IPSLA collectors based on a set of criteria such as operation name, operation type, source address, target address. • Port and Module Groups You can group ports and modules for easy port and module selection in various configuration workflows.

Groups in Multi-Server Scenario

Groups you create in LMS groups UI in the Master get synchronized with the Slave. If you create a subgroup under LMS@Master hostname in one server, it appears under LMS@Slave hostname in the peer server. However, in the Master server, if you create a subgroup under LMS@Master hostname, it will always appear under LMS@\Slave hostname\, in the Slave. That is, the subgroup created in the Master appears under the shared group of the application in the Slave. When the user-defined group under master and the user-defined group under slave has the same group name, then when doing master slave setup, the master group will be retained in slave. The slaves group will get deleted.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-3 Chapter 5 Managing Groups Device Group Administration

Once the master slave setup is done, when we add a group in master it will be synced with slave only after OGS process is restarted. The direct sync up will be done only during the setup. After setup, both the OGS will act as a individual servers.

Note You can create groups in LMS even if the server on which it is installed is in Slave mode.

If you have created a subgroup under LMS@Master hostname , in S, you can see this subgroup under LMS@Slave hostname. In a cluster, if you have M as the Master, and S1 and S2 as M’s slaves, and you want to evaluate S1’s groups from S2, you need to import the certificate of S1 to S2 and vice versa.

Device Group Administration

The Group Administration UI helps you to create, edit, view, delete, export, import, and refresh groups. The UI displays a Group Selector that contains the following predefined higher-level groups: • System-defined Groups • User-defined Groups The System-defined Groups shows subgroups only after Device and Credential Repository is populated. The predefined sub-groups under System-defined Groups are: • Cisco Interfaces and Modules • Network Management • Non Cisco Devices • Routers • Switches and Hubs • Subnet Based Groups Contains sub folders representing subnets (one folder per subnet) discovered in the network. Each folder contains the devices corresponding to those subnets.

Note Subnets groups will appear only after a successful Data Collection.

• Voice and Telephony • Unknown Device Type • Universal Gateways and Access Servers • Wireless You can create subgroups only under User-defined Groups. You cannot create them under System-defined Groups. However, you can view the details of a subgroup under System-defined Groups and refresh the group.

Note Group Administration UI will be enabled only on servers in which DCR is in Master or Standalone mode. The groups created in DCR Master will be copied to Group Administration instances on servers where DCR is in Slave mode.

Administration of Cisco Prime LAN Management Solution 4.2 5-4 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

The following sections provide information on how to perform group administrative tasks in LMS 4.2: • Migrating Device Groups from Previous Releases of LMS • Creating Groups • Viewing Group Details • Modifying Group Details • Refreshing Groups • Deleting Groups • Exporting Groups • Importing Groups • Overview of Subnet Based Groups

Migrating Device Groups from Previous Releases of LMS The following table explains migration of device groups from previous releases of LMS, in the table. In this example, Group A is an application group created separately in CS, RME, and CM, in earlier versions of LMS:

Common Services LMS Version UDG/SDG RME UDG/SDG Campus Manager UDG/SDG 3.2.1 Group A Group A Group A 4.2 After migration to After migration to LMS After migration to LMS 4.2, LMS 4.2, Group A is 4.2, Group A is not Group A is not available Available available 3.2.1 — Group A Group A 4.2 — After migration to LMS After migration to LMS 4.2, 4.2, Group A will not be Group A will not be available available 3.2.1 — — Subnet-based groups 4.2 You must create new — After migration to LMS 4.2, CM subnet-based groups Subnet-based groups will not be after a successful available. Data Collection

Creating Groups

This section contains: • Specifying Group Properties • Defining Group Rules • System Defined Attributes • Assigning Group Membership You can create device groups using this feature. To create a new device group:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-5 Chapter 5 Managing Groups Device Group Administration

Step 1 Either: • Select Admin > System > Group Management > Device. The Group Administration page appears. Or • Select Inventory > Group Management > Device. The Group Administration page appears. The Group Administration in the Group Administration page provides you with Group Selector. Step 2 Select the group from the groups listed in Group Selector to create a new subgroup. The Group Info fields on the right, display details of the selected group. The group you select here is the Parent group for the new group that you are about to create. You can change the Parent group later, if required. You cannot create groups under System-defined Groups but you can view details and refresh the group. Users in admin role have read-write access to User-Defined groups based on the visibility scope (Public or Private). If you have the required permissions, you can create subgroups under groups. Step 3 Click Create to create a new group. The Group Administration Creation wizard is launched and guides you through the process of creating a new group. Perform the following tasks using the Groups Create wizard. a. Specify group properties. See Specifying Group Properties for information. b. Define group rules. See Defining Group Rules for information. c. Assign group membership. See Assigning Group Membership for information. The first page in the wizard is the Properties:Create window. While creating a new group you must complete all of the above three tasks in this sequence to create a group. If you exit the wizard at any stage by clicking Cancel, the details you have specified will be lost and the group will not be created.

The recommended limit for creating User-Defined group is 200, but you are allowed to create upto 600 User-Defined groups in LMS.

Example To create a group of all Energywise capable devices:

Step 1 Either: • Select Admin > System > Group Management > Device. The Group Administration page appears. Or • Select Inventory > Group Management > Device. The Group Administration page appears. The Group Administration in the Group Administration page provides you with Group Selector. Step 2 Select User Defined Groups from the groups listed in Group Selector to create a new subgroup.

Administration of Cisco Prime LAN Management Solution 4.2 5-6 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

Step 3 Click Create to create a new group. The Properties page appears. Step 4 Enter the name Energywise_capable devices in the Group Name field in the Properties:Create dialog box.

Note See Specifying Group Properties for more details.

Step 5 Click Next. The Rule Dialog box appears. Step 6 Create an expression in the Rules:Create dialog box by entering: a. Select Variable as EnergyWise.EnergyWisestate b. Select Operator as = c. Enter the Value as EnergyWise_capable Step 7 Click Add Rule Expression. The rule is added into the Rule Text. You can also check the syntax of the group rule entered.

Note See Defining Group Rules for more details.

Step 8 Click Next. The Group Membership Assigning page appears. Step 9 Select one or more devices in Available Objects From Parent Group column. To select multiple devices, hold the Ctrl or Shift keys down and click on the devices. Step 10 Click Add. The selected devices are removed from the Available Objects From Parent Group and added to the Object Matching Membership Criteria column.

Note See Assigning Group Membership for more details.

Step 11 Click Next. The Summary page appears. Step 12 Click Finish.

Specifying Group Properties

While specifying group properties, you can enter the properties such as name and description, and modify the parent group, if required, and update membership, and specify the visibility scope. To complete the tasks in this phase:

Step 1 Either:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-7 Chapter 5 Managing Groups Device Group Administration

• Select Admin > System > Group Management > Device. Click The Group Administration page appears. Or • Select Inventory > Group Management > Device. The Group Administration page appears. Step 2 Click the Create button in the Group Administration. The Properties page appears. Step 3 Enter a name for the group in the Group Name field in the Properties:Create dialog box. The group name should be unique within the Parent group. However, it need not be so across groups. The same group name cannot be used in the same group hierarchy. For example, if you have a group /LMS@Servername/User Defined Groups/MyView, you cannot create another group with the same name “MyView” under /LMS@Servername/User Defined Groups. Step 4 Click Select Group, if you want to copy the attributes of an existing group. The Replicate Attributes dialog box appears. Step 5 Select the group you need from the Replicate Attributes list and click OK. To return to the Properties page, click Cancel. Step 6 Click Change Parent, to change the Parent group. The Group Selector page appears. Step 7 Select the group you need from the Select Parent list. Step 8 Click OK. The Group Administration wizard changes the Parent group to the one you selected. To return to the Properties page, click Cancel. Step 9 Enter a description for the group. Typically, you can enter a detailed description of the group that identifies its characteristics in this field. Step 10 Select the Membership Update mode for the group. The modes of membership updates available are: • Automatic: The membership of the group is updated when you add a new device to the group, and each time the group is invoked. • Only Upon User Request: The membership of the group is recomputed only when an explicit request is made, using the Refresh option. If you select Automatic, the group will be a Dynamic group. If you select Only Upon User Request, the group will be a Static group. Step 11 Select either Public or Private to specify the visibility scope. • Private The group created can be viewed only by user who creates the group. • Public The group created can be viewed by all users.

Administration of Cisco Prime LAN Management Solution 4.2 5-8 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

Step 12 Click Next to get to the Rule:Create dialog box. See Defining Group Rules to define simple and composite group rules.

Defining Group Rules

In the Rules:Create dialog box, you can define the rules for the group. The rules you define in this phase determine the contents of the group. The rules you specify here determine the devices to be included in the group. In the Rules:Create dialog box, you can either enter the rules directly in the Rule Text field, or select the components of the rule from the Rule Expression fields, and form a rule. The rule expression has the following components: Object.Variable operator “value”

If you have created the group by copying the attributes of another group, the rules specified for that group appear in the Rule Text field. You can retain these and add more rules, or delete these rules and create a new set of rules. The Rules:Create dialog box allows you to check the syntax in the Rules Text field. You can use this facility to validate the rules you have created. If you leave the rule blank, it creates a Container group. Click View Parent Rules to display the rules defined for its ancestor groups. This section explains: • Defining a Group Rule • Defining Composite Group Rules • Using IP Address Range Operator • Examples • System Defined Attributes Before you launch the Rule:Create dialog box, ensure that you have completed all the tasks in Properties:Create dialog box. See Specifying Group Properties for more information.

Defining a Group Rule

To create a group rule:

Step 1 Complete all the tasks in the Properties page. See Specifying Group Properties for more information. Step 2 Delete the rules displayed in the Rule Text field, if any. Step 3 Select appropriate parameters for the following: • Object Type — Denotes the object type used for forming a group. All expressions start with the string Device. • Variables — Denotes the device attributes, which are used to form a device group. See System Defined Attributes for details on the variables. • Operators — Denotes the various operators to be used with the rule. The list of operators includes equals, contains, startswith and endswith. The list of operators changes dynamically with the value of the variable selected.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-9 Chapter 5 Managing Groups Device Group Administration

For the ManagementIpAddress variable, you can select a range operator other than the standard list of operators. See Using IP Address Range Operator for more information. • Value — Denotes the value of the variable. The value field changes dynamically based on the value of the variable and operator selected, and the field type can be a text field or a list box. Step 4 Click Add Rule Expression. The Group Administration wizard creates the rule based on the parameters you specified and adds the rule to the Rules Text field. For example, the rule type: Device.DisplayName equals "joe" will select the device with the DisplayName joe. The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type field in Rules Expression. You can form composite rules using the OR, AND, or EXCLUDE options in the Boolean operator field. See Defining Composite Group Rules for more information. You can validate rules that are entered directly into the Rules Text field, or rules formed using the Add Rules Expression option in the dialog box. • To check whether the syntax is valid, click Check Syntax. • To view the rules defined for the parent groups, click View Parent Rules. Step 5 Click Next. The wizard takes you to the Membership:Create dialog box, where you can further refine the group definition by adding or deleting specific devices from the group. See Assigning Group Membership for more information. If you have entered an invalid IP Address range or invalid values in the Value field, an error message will be displayed. You should correct the values and then navigate to the Membership:Create dialog box.

Defining Composite Group Rules

A Composite rule contains more than one rule expression separated by a Boolean operator. The Boolean Operators OR, AND, or EXCLUDE appear in the Rules:Create dialog box only when you have entered at least one rule expression. When the composite rule has more than two simple rule expressions, you can adjust priorities among the expressions using opening and closing parenthesis. To create a composite rule:

Step 1 Delete the rules displayed in the Rule Text field and click any other field. Step 2 Form a simple rule. See Defining a Group Rule for details. Step 3 Click Add Rule Expression. The Group Administration wizard creates the rule based on the parameters you specified and adds the rule to the Rules Text field. The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type field in Rules Expression. Step 4 Select a Boolean Operator from the drop-down list.

Administration of Cisco Prime LAN Management Solution 4.2 5-10 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

Step 5 Select the appropriate parameters for Object Type, Variables, and Operators. Step 6 Enter a value in the Value field. Step 7 Click Add Rule Expression. You can validate rules that are entered directly into the Rules Text field or rules formed using the Add Rules Expression option in the dialog box. • To check whether the syntax is valid, click Check Syntax. • To view the rules defined for the parent groups, click View Parent Rules. Step 8 Click Next. The wizard takes you to the Membership:Create dialog box, where you can further refine the group definition by adding or deleting specific devices from the group. See Assigning Group Membership for more information.

Using IP Address Range Operator

The range operator enables you to group the devices of the specified range of IP Addresses. You can select the range operator only for the ManagementIpAddress and IP.Address variables. You should enter the range of IP Addresses in the Value field, to create a group rule based on IP Address ranges. When you enter the IP Address range in the text field, you should: • Specify the range with permissible values for one or more octets in the IP Address. The minimum limit in the range is 0 and the maximum limit is 255. • Use the hyphen character (-) as a separator between the numbers that indicate a range. • Specify the range of IP Addresses within the [and] characters to create a group rule. For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field. You should not: • Enter numbers less than 0 and greater than 255 in the IP Address range. • Enter any characters other than the range separator (-). • Enter the value of the highest limit in the range as less than the value of smallest limit number. For example, you should not enter 10.10.10.[8-4]. See Behavior of IP Address Range Based Device Groups in Multi-Server Setup for more information on the IP Address Range based device groups in a multi-server setup.

Examples

This section contains: • Example to Create a Simple Group Rule • Example to Create a Composite Group Rule • Example to Create a Group Rule Using Range Operator

Example to Create a Simple Group Rule To create a group of all devices ending with the hostname Test, you should:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-11 Chapter 5 Managing Groups Device Group Administration

Step 1 Create an expression in the Rules:Create dialog box by entering: a. Select Variable as HostName b. Select Operator as endswith c. Enter the Value as Test Step 2 Click Add Rule Expression. The rule is added into the Rule Text. You can also check the syntax of the group rule entered.

Example to Create a Composite Group Rule If you want to group all the devices in the network that match the following criteria: • Device Name of the device should contain TestDevice • Category of the device should be equal to Routers or IP Address of the device should starts with 10.77 To create this composite rule:

Step 1 Create an expression in the Rules:Create dialog box by entering: a. Select Variable as DisplayName b. Select Operator as contains c. Enter the Value as TestDevice Step 2 Click Add Rule Expression. The rule is added into the Rule Text. Step 3 Create another rule expression by entering: a. Select AND as the Boolean operator b. Select Variable as Category c. Select Operator as equals d. Enter the Value as Routers Step 4 Click Add Rule Expression. The rule is appended into the Rule Text. Step 5 Create another rule expression by entering: a. Select OR as the Boolean operator b. Select Variable as ManagementIPAddress/IP.Address c. Select Operator as startswith d. Enter the Value as 10.77 Step 6 Click Add Rule Expression. The following composite rule is formed in the Rule Text Area: Device.DisplayName contains “TestDevice” AND Device.Category equals “Routers” OR Device.ManagementIpAddress startswith “10.77”

Administration of Cisco Prime LAN Management Solution 4.2 5-12 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

Step 7 Edit the rule expression in the text area to adjust the priorities among the group expressions. You should place two rule expressions together within an opening and a closing parentheses. Ensure that you leave a space between the parenthesis and the group expressions. The edited composite rule is: Device.DisplayName contains "TestDevice" AND ( Device.Category equals "Routers" OR Device.ManagementIpAddress startswith "10.77" )

You can also check the syntax of the group rule entered. Step 8 Click Next to proceed further.

Example to Create a Group Rule Using Range Operator To group all devices whose IP Addresses are within the range 10.10.0.207 to 10.10.212.247, you should:

Step 1 Create an expression in the Rules:Create dialog box by entering: a. Select Variable as ManagementIPAddress/IP.Address b. Select Operator as range c. Enter the Value as 10.10.[0-212].[207-247] Step 2 Click Add Rule Expression. The rule is added into the Rule Text. You can also check the syntax of the group rule entered

System Defined Attributes

The following table provides details on some of the System Defined attributes that are available in LMS. These are predefined attributes, available by default.

Note In LMS 4.2, the attributes State (Device.State) and System.SystemOID (Device.System.SystemOID) are not available. If you backup and restore any group created in older versions of LMS using these attributes, the groups will not be restored.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-13 Chapter 5 Managing Groups Device Group Administration

Table 5-1 Group Attributes in LMS

Attribute Description Example Asset.CLE_Identifier CLE identifier of the asset. To create a group of all devices having asset CLE identifier CLE12: • Select the variable Asset.CLE_Identifier • Select the operator equals. • Enter the value CLE12. Asset.Part_Number Orderable part number of the asset. To create a group of all devices having asset part number PN123: • Select the variable Asset.Part_Number • Select the operator equals. • Enter the value PN123. Asset.User_Defined_Identifier User-defined identifier of the asset To create a group of all devices having user defined asset identifier UD34: • Select the variable Asset.User_Defined_Identifier. • Select the operator equals. • Enter the value UD34. Category Category into which the device falls. The To create a group of all routers in the first level entries in the Device Type tree network. in DCR Device Management UI. • Select the variable Category. • Select the operator contains. • Enter the value router. Chassis.Model_Name Name of the model. To create a group of all devices containig chassis model name WS-C6506: • Select the variable Chassis.Model_Name • Select the operator contains. • Enter the value WS-C6506. Chassis.Number_Of_Slots Number of slots in that chassis. To create a group of all devices containig 10 chassis slots. • Select the variable Chassis.Number_Of_Slots • Select the operator =. • Enter the value 10.

Administration of Cisco Prime LAN Management Solution 4.2 5-14 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

Table 5-1 Group Attributes in LMS

Attribute Description Example Chassis.Port_Count Total port count of the chassis. To create a group of all devices having chassis port count more than 5. • Select the variable Chassis.Port_Count. • Select the operator >. • Enter the value 5. Chassis.Serial_Number Serial number of the chassis. To create a group of all devices containing chassis serial number SSI1. • Select the variable Chassis.Serial_Number. • Select the operator contains. • Enter the value SSI1. Chassis.Vendor_Type Vendor type of the chassis. To create a group of all devices containing chassis vendor type cevChassisN5k. • Select the variable Chassis.Vendor_Type. • Select the operator contains. • Enter the value cevChassisN5k. Chassis.Version Version number of the chassis. To create a group of all devices containing chassis version 0.102. • Select the variable Chassis.Version. • Select the operator contains. • Enter the value 0.102. DeviceName Device name, as you want it to be To create a group of all devices having represented in reports or graphical Device Name starting with 10.77.132. displays. This can be derived from Host • Select the variable DeviceName. Name, Management IP Address or Device Identity. • Select the operator startswith • Enter the value 10.77.132. DomainName Domain name of the device. To create a group of all Cisco.com devices. • Select the variable DomainName. • Select the operator contains. • Enter the value Cisco.com.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-15 Chapter 5 Managing Groups Device Group Administration

Table 5-1 Group Attributes in LMS

Attribute Description Example EnergyWise.Domain_Name Name of the EnergyWise domain. To create a group of all devices having EnergyWise Interfaces Information. • Select the variable EnergyWise.Domain_Name. • Select the operator contains. • Enter the value Interfaces Information. EnergyWise.EnergyWiseState EnergyWise status of the device, for To create a group of all EnergyWise-capable example, EnergyWise-capable devices, devices. EnergyWise-enabled devices, • Select the variable EnergyWise-hardware-incapable devices EnergyWise.EnergyWiseState. and EnergyWise-software-incapable devices. • Select the operator =. • Enter the value EnergyWise-capable devices. EnergyWise.Importance EnergyWise Importance of the device. To create a group of all devices having EnergyWise importance 2. This value prioritizes the devices in a domain based on their power usage. • Select the variable EnergyWise.Importance. • Select the operator =. • Enter the value 2. EnergyWise.Keyword A word that will help you identify a To create a group of all devices having specific device or group of devices in the EnergyWise keyword switch. EnergyWise domain. • Select the variable EnergyWise.Keyword. • Select the operator contains. • Enter the value switch. EnergyWise.Role Role or function of the device in the To create a group of all devices having EnergyWise domain. EnergyWise role router. • Select the variable EnergyWise.Role. • Select the operator contains. • Enter the value router. Flash.File_Name Location of Flash file. To create a group of all devices having Flash file name /20-oct.cfg. • Select the variable Flash.File_Name. • Select the operator equals. • Enter the value /20-oct.cfg.

Administration of Cisco Prime LAN Management Solution 4.2 5-16 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

Table 5-1 Group Attributes in LMS

Attribute Description Example Flash.File_Size Flash file size in MB. To create a group of all devices having Flash file size greater than 20 KB. • Select the variable Flash.File_Size. • Select the operator >. • Enter the value 20. Flash.Model_Name Model name of the Flash device. To create a group of all devices having Flash model name starting with c3725-i. • Select the variable Flash.Model_Name. • Select the operator startswith. • Enter the value c3725-i. Flash.Partition_Free Free space in MB. To create a group of all devices having Flash free space greater than 50 MB. • Select the variable Flash.Partition_Free. • Select the operator >. • Enter the value 50. Flash.Partition_Name Flash partition name. To create a group of all devices having Flash partition name flash:1. • Select the variable Flash.Partition_Name. • Select the operator contains. • Enter the value flash:1. Flash.Partition_Size Flash partition size in MB. To create a group of all devices having Flash partition size less than or equal to 20 MB. • Select the variable Flash.Partition_Size. • Select the operator <=. • Enter the value 20. Flash.Size Total Flash device size in MB. To create a group of all devices having Flash size greater than or equal to 50 MB. • Select the variable Flash.Size. • Select the operator >=. • Enter the value 50.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-17 Chapter 5 Managing Groups Device Group Administration

Table 5-1 Group Attributes in LMS

Attribute Description Example HostName Device Host name. To create a group of all devices ending with the hostname 3750: • Select the variable HostName • Select the operator endswith. • Enter the value 3750. Image.ROM_Sys_Version System ROM software version To create a group of all devices having system ROM software version 12.4(25): • Select the variable Image.ROM_Sys_Version. • Select the operator equals. • Enter the value 12.4(25). Image.ROM_Version Version of ROM. To create a group of all devices having ROM image version 12.2(8r)T2: • Select the variable Image.ROM_Version. • Select the operator equals. • Enter the value 12.2(8r)T2. Image.Sys_Description Image system description To create a group of all devices having ROM image version 12.2(8r)T2: • Select the variable Image.Sys_Version. • Select the operator equals. • Enter the value 12.2(8r)T2. Image.Version Running device image version. To create a group of all running devices having image version 12.4(25): • Select the variable Image.Version. • Select the operator equals. • Enter the value 12.4(25). ImageVersion Software version running on the device. To create a group of all devices having image version 12.2(52)SE: • Select the variable ImageVersion. • Select the operator equals. • Enter the value 2.2(52)SE. IP.Address Device IP address. To group all devices whose IP Addresses are within the range 10.10.0.0 to 10.10.50.255 • Select the variable IP.Address. • Select the operator range. • Enter the value 10.10.[0-50].[0-255].

Administration of Cisco Prime LAN Management Solution 4.2 5-18 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

Table 5-1 Group Attributes in LMS

Attribute Description Example IP.Address_Type Version of IP, IPv4 or IPv6 To group all IPv6 devices: • Select the variable IP.Address_Type. • Select the operator =. • Select IPv6. IP.Network_Mask Network mask address To group all devices having network mask address starting with 255.255.255: • Select the variable IP.Network_Mask. • Select the operator startswith. • Enter the value 255.255.255. IPv4.Subnet IPv4 subnet of a device. To create a group of all devices having subnet 32: • Select the variable IPv4.Subnet. • Select the operator contains. • Enter the value 32. IPv4.SubnetMask IPv4 subnet mask of a device. To create a group of all devices having subnetmask starts with 255. • Select the variable IPv4.SubnetMask. • Select the operator startswith. • Enter the value 255. IPv6.Subnet IPv6 subnet of a device. To create a group of all devices having subnet 32 • Select the variable IPv6.Subnet. • Select the operator contains. • Enter the value 32. IPv6.SubnetMask IPv6 subnet mask of a device. To create a group of all devices having subnetmask starts with 255. • Select the variable IPv6.SubnetMask. • Select the operator startswith. • Enter the value 255. ManagementIpAddress IP Address used to access the device. To group all devices having Management IP Both IPv4 and IPv6 address types are address starting with 10.77.215: supported. • Select the variable ManagementIpAddress. • Select the operator startswith. • Enter the value 10.77.215

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-19 Chapter 5 Managing Groups Device Group Administration

Table 5-1 Group Attributes in LMS

Attribute Description Example MDFId Normative name for the device type as To create a group of all devices having MDF described in Cisco Meta Data Framework ID 323. (MDF) database. Each device type has a • Select the variable MDFID. unique normative name defined in MDF. • Select the operator equals. • Enter the value 323. Memory.Free Free memory in MB. To create a group of all devices having free Memory greater than 83 MB. • Select the variable Memory.Free. • Select the operator >. • Enter the value 83. Memory.Name Name of the memory. To create a group of all devices having Memory name starting with workspace: • Select the variable Memory.Name. • Select the operator startswith. • Enter the value workspace.

Memory.Size Total RAM size in MB. To create a group of all devices having Memory size greater than 512 MB. • Select the variable Memory.Size • Select the operator >. • Enter the value 512. Memory.Type Memory type. To create a group of all devices having processorMemory. • Select the variable Memory.Type • Select the operator equals. • Enter the value processorMemory. Memory.Used Used memory in MB. To create a group of all devices having Memory used size less than 30 MB. • Select the variable Memory.Used • Select the operator <. • Enter the value 30. Model Model of the device. The third level To create a group of all Cisco 3101 Routers. entries in the Device Type tree in DCR • Select the variable Model Device Management UI. • Select the operator contains. For example, the model Cisco 3101 Router falls under the Cisco 3100 • Enter the value Cisco 3101 Routers. Series Routers, which comes under the category Routers.

Administration of Cisco Prime LAN Management Solution 4.2 5-20 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

Table 5-1 Group Attributes in LMS

Attribute Description Example Module.HW_Version Module hardware version. To create a group of all devices having Module hardware version 3.x • Select the variable Module.HW_Version. • Select the operator startswith. • Enter the value 3. Module.Model_Name Name of the model. To create a group of all devices having model name starting with NM-16. • Select the variable Module.Model_Name. • Select the operator startswith. • Enter the value NM-16. Module.Port_Count Total ports on that module. To create a group of all devices having 16 port modules. • Select the variable Module.Model_Count. • Select the operator =. • Enter the value 16. Module.Serail_Number Serial number of the module. To create a group of all devices having module serial number starting with FOC08. • Select the variable Module.Serail_Number. • Select the operator startswith. • Enter the value FOC08. Module.Vendor_Type Vendor type of the module. To create a group of all devices having module vendor type starting with cevPwr. • Select the variable Module.Vendor_Type. • Select the operator startswith. • Enter the value cevPwr. Processor.Model_Name Name of the model. To create a group of all devices having pentium processor. • Select the variable Processor.Model_Name. • Select the operator contains. • Enter the value pentium.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-21 Chapter 5 Managing Groups Device Group Administration

Table 5-1 Group Attributes in LMS

Attribute Description Example Processor.NVRAM_Size Size of the processor NVRAM in MB. To create a group of all devices having NVRAM greater than 512 KB. • Select the variable Processor.NVRAM_Size. • Select the operator >. • Enter the value 512. Processor.NVRAM_Used Size of the processor NVRAM that has To create a group of all devices with been utilized, in MB. NVRAM used size greater than 23 KB. • Select the variable Processor.NVRAM_Used. • Select the operator >. • Enter the value 23. Processor.Port_Count Total port count of the processor To create a group of all devices having 24 ports processor. • Select the variable Processor.Port_Count. • Select the operator =. • Enter the value 24. Processor.RAM_Size Size of the processor RAM in MB. To create a group of all devices having processor RAM of 0f 128 MB. • Select the variable Processor.RAM_Size. • Select the operator =. • Enter the value 128. Processor.Serial_Number Serial number of the processor. To create a group of all devices containing processor serial number JAE081. • Select the variable Processor.Serial_Number. • Select the operator contains. • Enter the value JAE081. Processor.Vendor_Type Vendor type of the processor. To create a group of all devices containing processor vendor type cevCpu37252fe. • Select the variable Processor.Vendor_Type. • Select the operator contains. • Enter the value cevCpu37252fe.

Administration of Cisco Prime LAN Management Solution 4.2 5-22 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

Table 5-1 Group Attributes in LMS

Attribute Description Example Series Series to which the device belongs. The To create a group of Cisco 3100 Series second level entries in the Device Type Routers. tree in DCR Device Management UI. • Select the variable Series. • Select the operator equals. • Enter the value Cisco 3100 Series Routers. System.ASP_Capability Groups devices according to their Auto To create a group of all ASP_Enabled Smartport capability devices. • Select the variable System.ASP_Capability. • Select the operator =. • Select the value ASP_Enabled. System.Contact Device contact person name. To create an User Defined group whose member devices have a common system contact person, J Smith • Select the variable System.Contact. • Select the operator equals. • Enter the value J Smith. System.Description Description of the system. To create a group of all devices having Cisco IOS software. • Select the variable System.Description. • Select the operator contains. • Enter the value Cisco IOS software. System.DomainName Device domain name. To create a group of all Cisco.com devices. • Select the variable System.DomainName. • Select the operator contains. • Enter the value Cisco.com. System.Identity_Capability Groups devices according to their To create a group of all Identity_Enabled Identity capability devices. • Select the variable System.Identity_ Capability. • Select the operator =. • Select the value Identity_Enabled.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-23 Chapter 5 Managing Groups Device Group Administration

Table 5-1 Group Attributes in LMS

Attribute Description Example System.Location Device location information. To create a System Defined Group whose member devices are located in Bldg 1 Devices • Select the variable System.Location. • Select the operator equals. • Enter the value Bldg 1 Devices. System.Name Name of the device as configured by the To create a group of all devices whose Administrator. system name has NDX • Select the variable System.Name. • Select the operator contains. • Enter the value NDX. System.OSTYPE Type of the operating system. To create a group of all devices having UNIX OS. • Select the variable System.OSTYPE. • Select the operator contains. • Enter the value UNIX. System.Smart_Install_Directors Groups devices according to their Smart To create a group of all Smart Install Install capability software incapable devices. • Select the variable System.Smart_Install_Directors. • Select the operator =. • Enter the value Smart Install_SW_Incapable. SystemObjectID SysObjectID of the device as configured To group all devices whose systemObjectID by the Administrator. It may be starts with 1.3.6.1.4.1.9 UNKNOWN in the case the facility that • Select the variable SystemObjectID. populates the repository does not know the value. • Select the operator startswith. • Enter the value 1.3.6.1.4.1.9.

The User-Defined Fields (UDFs) available in the variable drop-down list is taken from DCR. You can create UDFs at Admin > Network > Device Credential Settings > User Defined Fields. For details, see Adding User Defined Fields. If you create a UDF that is similar to one of the predefined System Defined attributes, an _UDF suffix is appended to the User-Defined Field you add, to distinguish these two attributes. For example if you create a UDF called DisplayName (which is one of the predefined attributes present in the Variable drop-down list), this will be displayed as DisplayName_UDF.

Note You should not create a UDFs in the format System Defined Field_UDF, where System Defined Field stands for any attribute listed in the above table.

Administration of Cisco Prime LAN Management Solution 4.2 5-24 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

By default, four UDFs are available. You can create an additional six UDFs in DCR. The maximum number of UDFs that can be added in the Variable drop-down list is 10.

Assigning Group Membership

You can include more devices or exclude devices using this option. To decide the devices that will be available to the group you have created, the wizard uses the details of the parent members and rules you have already specified. These devices appear in Available Objects From Parent Group column based on the properties and rules you have already specified in the Properties:Create and Rule:Create dialog boxes. See Specifying Group Properties and Defining Group Rules for more information.

Note You can add devices from the list of available objects in the parent group even if they do not match membership criteria.

To add devices to the group you have created:

Step 1 Select one or more devices in Available Objects From Parent Group column. To select multiple devices, hold the Ctrl or Shift keys down and click on the devices. Step 2 Click Add. The selected devices are removed from the Available Objects From Parent Group and added to the Object Matching Membership Criteria column.

Note The newly added devices will not be included in the jobs scheduled prior to their addition to the group. You must reschedule the job and select the group again.

To remove devices from the group:

Step 1 Select one or more devices in Object Matching Membership Criteria column. To select multiple devices, hold the Ctrl or Shift keys down and click on the devices. Step 2 Click Remove. The selected devices are removed from the Object Matching Membership Criteria column and added to Available Objects From Parent Group. Step 3 Click Next. The Summary:Create window appears. It displays the group name, the parent group, description, the membership update type, group rules, and the visibility scope of the group you created. If you want to change the parameters, click Back to go back to the previous windows and make changes. Step 4 Click Finish to create the group based on the parameters specified.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-25 Chapter 5 Managing Groups Device Group Administration

Viewing Group Details

You can view the details of a group using this feature. To view the details of a group:

Administration of Cisco Prime LAN Management Solution 4.2 5-26 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

Modifying Group Details

You can modify some of the details for a group using this feature. To modify the details of a group:

Step 1 Either: • Select Admin > System > Group Management > Device. The Group Administration page appears. Or • Select Inventory > Group Management > Device. The Group Administration page appears. Step 2 Select a group from the Group Selector pane. The Group Info fields on the right side displays details of the selected group. Step 3 Click Edit. The Group Administration wizard guides you through the process of editing a group. It displays the details of the group in Properties:Edit window. Step 4 Change the Group Name, Description, Membership Update, and Visibility Scope in the Properties:Edit dialog box. You cannot change the Parent group or copy attributes from a different group in Edit mode. Step 5 Click Next. The wizard takes you to the Rules:Edit window. Step 6 Change the rules as required. For details on creating the rules, see Defining a Group Rule. Step 7 Click Next. The wizard takes you to the Membership:Edit window. Step 8 Add or remove devices from the list of objects in Objects Matching Membership Criteria as required. For details on creating the rules, see System Defined Attributes. Step 9 Click Next. The wizard takes you to the Summary window. If you want to change the parameters specified, click Back to go back to the previous windows and make changes to the properties or rules. Step 10 Click Finish to modify the group. Step 11 Click OK. The Group Administration wizard copies the attributes of the selected group and displays it in the corresponding fields in Properties:Create window. Note that the Parent group you have selected for the group does not change even if you are copying attributes from a group that belongs to a different Parent group.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-27 Chapter 5 Managing Groups Device Group Administration

Refreshing Groups

You can recompute the membership of a group by re-evaluating the group rule. The membership of Automatic groups is recomputed dynamically. The membership of Only-upon-user-request groups is recomputed only when explicitly refreshed with this option.

Note Only users with read-write access can refresh the Only-upon-user-request groups.

To refresh a group:

Whenever you delete devices from a group, refresh the group so that group membership is recomputed.

Deleting Groups

You can delete a group from the Group Selector. When you delete a group, all the child groups under the group are also deleted. You can also delete the stale groups (groups that belong to users removed from Cisco Prime). To delete a group:

Administration of Cisco Prime LAN Management Solution 4.2 5-28 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

The Group Info fields on the right pane displays details of the selected group. Step 3 Click Delete. The Group Administration prompts you for confirmation. Step 4 Click Yes. The selected group is deleted.

See Deleting Stale Groups Using CLI for more information on how to delete stale groups using CLI.

Exporting Groups

This feature helps you to export a User-defined group hierarchy into a file. You can export a selected User-defined group hierarchy or all User-defined groups in a LMS Server to an output file. Private User-defined groups created by other users will not be exported. However, the privateUser-defined groups created by you will be exported. You must have Network Administrator, System Administrator or Super Admin privileges to export groups. In a Multi-server setup, you can export the User-defined groups installed in all LMS Servers of the same DCR domain. You can do this from a DCR Master Server and a Slave server. Grouping Services supports exporting User-defined groups to an XML format only. CSV file formats are not supported. See Sample Export Groups Output File for sample XML file generated by the Grouping Services export utility.

Note We recommend that you use the file generated by the Grouping Services export utility for import operations and do not edit the XML file.

You can: • Exports Groups from the User Interface. See Exporting Groups From User Interfacefor details. or • Export Groups through the CLI. See Exporting Groups Through CLI for details. This section explains: • Sample Export Groups Output File • Exporting Groups From User Interface

Sample Export Groups Output File

/CS@server-name/User Defined Groups/CSDyna

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-29 Chapter 5 Managing Groups Device Group Administration

2 PUBLIC /CS@server-name/User Defined Groups/CSStat :CMF:DCR:Device.DisplayName contains "77" 1 PUBLIC

Exporting Groups From User Interface

To export device groups from the user interface:

Step 1 Select Admin > System > Group Management > Device. The Group Administration page appears. Step 2 Select a User-defined Group hierarchy from the Group Selector. Step 3 Click Export. The Export Groups dialog box appears. Step 4 Select either one of the following options: • Export the selected User-defined Group hierarchy— Exports the selected User-defined Group and its child groups. Or • Export All Applications User-defined Groups —Exports all User-defined Groups from all applications installed on all LMS Server in the same DCR domain. The browser-specific File Download window appears prompting you to open or save the output XML OGSExport.xml file. Step 5 Click either of the following buttons: • Open to open the XML file Or • Save to store the file on the client system with the same or a different filename.

Administration of Cisco Prime LAN Management Solution 4.2 5-30 OL-25947-01 Chapter 5 Managing Groups Device Group Administration

Importing Groups

This feature helps you to import User-defined group hierarchies from an input XML file to the LMS Server.

Note You cannot import User-defined groups from older versions of LMS to LMS 4.0 and later versions.

You can import User-defined groups from an input file to the LMS Server. The private User-defined groups in the input XML file will be imported as your private User-defined groups in LMS Server. They will not be visible to other users. You must have Network Administrator, System Administrator or Super Admin privileges to import groups. In a Multi-server setup, you can import User-defined groups from a DCR Master Server and a Slave server.

Note We recommend that you use the file generated by the Grouping Services export utility for import operations and do not edit the XML file.

You can: • Importing Groups From User Interface Or • Importing Groups Through CLI This section explains: • Important Notes on Importing Groups • Importing Groups From User Interface

Important Notes on Importing Groups

Read the following notes before importing User-defined groups: • You must have the required file permissions to select a source XML file for import groups operation. • After importing groups, the group selector may take some time to refresh and display the latest groups information. You must launch the Groups Administration page again to view the newly imported groups. To launch the Groups Administration page, select Admin > System > Group Management > Device. • Importing groups from an input XML file fails if: – The groups to be imported to the selected Grouping Server locations already exist. – The User-Defined Fields (UDF) that are configured for the import group rules are not available in the Grouping Servers to which the groups are to be imported.

Importing Groups From User Interface

To import device groups from the user interface:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-31 Chapter 5 Managing Groups Device Group Administration

Step 1 Either: • Select Admin > System > Group Management > Device. The Group Administration page appears. Or • Select Inventory > Group Management > Device. The Group Administration page appears. Step 2 Click Import. The Import Groups - File Selection dialog box appears. Step 3 Enter an input XML file name in the File Name field or click Browse to select a file from the client system. The Import Groups dialog box appears with a list of import groups specified in the input XML file. Step 4 Select the list of groups to be imported from the Import Groups From field. Step 5 Select a server location to which the groups are to be imported in the Import Groups to Servers field. You can select multiple Grouping Server locations or All to select all the Grouping Server locations. This field is disabled on LMS Servers operating in the DCR Standalone mode. Step 6 Click OK. A message appears indicating if the groups were imported or not. See Important Notes on Importing Groupsfor the possible causes of the import job failure.

See Using Group Administration Features Through CLI for more information on using group administration feature using CLI.

Overview of Subnet Based Groups

Subnet based groups are automatically created when devices are managed. These are a part of System defined groups. You cannot create, edit or delete them. Subnet based groups help you work on smaller subsets of devices that are logically grouped. They are automatically deleted when all the devices in a subnet are deleted. This topic covers: • Accessing Subnet Based Groups • Understanding Subnet Based Groups • Creating Groups Based on Subnet

Accessing Subnet Based Groups

To access Subnet based groups: • Select Admin > System > Group Management > Device. The Group Administration page appears. Or

Administration of Cisco Prime LAN Management Solution 4.2 5-32 OL-25947-01 Chapter 5 Managing Groups DCR Mode Changes and Group Behavior

• Select Inventory > Group Management > Device. The Group Administration page appears. This displays the Group Management page. The Group Selector field displays two groups, System-defined Groups and User Defined Groups. The Subnet Based Groups are created under System Defined Groups.

Understanding Subnet Based Groups

The Subnet based groups use the following name format: Subnet -- Subnet Mask.

The rule expression for Subnet Based Groups has the following components: Class.attribute operator "value"

For example, Device.IP.Subnet equals "172.20.104.192" AND Device.IP.SubnetMask equals "255.255.255.240"

The rule above will select all devices of subnet 172.20.104.192 and subnet mask 255.255.255.240.

Creating Groups Based on Subnet

When you need to create subnet based groups, you can do it under User defined groups. For example, the following rules might be used to create two groups based on the IP address subnet: Device.IP.Subnet equals "172.29.252.32" Device.IP.Subnet equals "172.29.252.64"

The examples provided here are simple. However, the Grouping Service allows complex rules to be arbitrarily formed by combining rule expressions with AND, OR or the EXCLUDE operators. This gives the administrator the power and flexibility to create view partitions tailored to the needs of their site.

DCR Mode Changes and Group Behavior

The DCR modes have a bearing on how groups are displayed in the Groups UI. Also the DCR mode decides whether you can perform any operation on the groups. In Standalone mode, you can create system-defined and user-defined groups. In Slave mode, LMS allows you to preserve the user-defined groups, and create new system-defined device groups. The port and module groups, Fault groups and Collector groups are not affected by the change in the DCR mode. All DCR devices in the Slave are removed, and synchronized with the Master server. Therefore, in a cluster that has several Slaves and a Master, if you need to create LMS group, you need to go to the LMS Groups UI in the Master and create the group. The group you create there, will be synchronized with the Slaves.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-33 Chapter 5 Managing Groups DCR Mode Changes and Group Behavior

The following table gives details of DCR mode changes and implications on Groups.

Mode Changed to: The Initial Standalone Slave Master Mode Standalone Not applicable. Slave will get Master’s groups, both No change in the Group system-defined and user-defined groups. hierarchy. You can also create new user-defined groups in the Slave. These groups will not be shared with the Master or other slaves in the domain. Device Allocation Policy gets disabled (Inventory > Device Administration > Device Allocation Policy). Slave Device Allocation Policy gets Not applicable. Device Allocation Policy gets enabled. The groups pertaining enabled. Groups pertaining to the to Master and Slaves will be previous Master and the removed. associated Slaves will be removed. The existing Device Allocation Policy is retained. Local groups will behave in the same manner. The existing Device Allocation Policy is retained. Master All dependent Slaves will If you select Inform current Slaves of new Not applicable. switch to Standalone mode. Master Hostname when you change the mode to Slave, all the Slaves in the domain, All groups pertaining to other switch to the new Master. machines will be removed. Device Allocation Policy will In this case, the groups in the Master will be be enabled on all machines in seen in the new Slave. Device Allocation the cluster. Policy gets disabled. If this check box is not selected, the new Slave will pickup the groups of the new Master. Other Slaves in the domain will move to Standalone mode.

Unregistering a Slave

The Unregister Slave utility helps you unregister a Slave that is no longer a part of the domain. The utility is useful in the following scenarios: • Change in Slave mode because of Backup and Restore. That is, if data is restored from Standalone or Master belonging to a different domain. • When you uninstall Cisco Prime from the Slave. • Change in Slave mode, when master is not reachable. If the Master is down when the Slave mode changes, the Master will not be aware of the Slave mode change, when it comes up. The Master will not receive any data from the Slave, but the Slave information will still be in its registry. A redundant group (such as LMS@Slave) will still appear in the Master Groups UI.

Administration of Cisco Prime LAN Management Solution 4.2 5-34 OL-25947-01 Chapter 5 Managing Groups Port and Module Group Administration

In the case of DCR, any device operation on Master will update the Slave list. However, this does not happen in the case of Groups. You can run the UnregisterSlave utility to remove any unwanted slave information: From the CLI, run: NMSROOT/bin/perl NMSROOT/bin/UnregisterSlave.pl slave host name You have to enter the hostname of the machine you want to unregister. For information on effects of backup-restore on data, DCR modes, and Groups, see Effects of Backup-Restore on DCR and Effects of Backup-Restore on Groups.

Behavior of IP Address Range Based Device Groups in Multi-Server Setup

The range operator allows you to group devices within a specified range of IP addresses. In a Master-Slave setup: • When the Master server is using an earlier version of LMS, you cannot create device groups based on IP Address range. • When the Slave server is using an earlier version of LMS, the IP Address Range based device groups information in the Master is synchronized with the Slave. Even if you change the mode of Slave server to Standalone, the IP address range based device groups will remain as they were in the Groups Server. However, you cannot retrieve the device group information from the Standalone LMS Server to view it in the user interface. To retrieve and view the device group information, you should either: – Upgrade the LMS in Standalone LMS Server to LMS 4.2. Or – Change the mode of the LMS Server that has the earlier version of LMS 4.2 from Standalone to Slave for a DCR Master with the latest version of the software.

Port and Module Group Administration

LMS allows you to create groups based on ports and modules for a selected set of devices or device groups using Port and Module Group Administration.

Notes for Port and Module Configuration 1. Port and Module configuration depends on the data collected by LMS Inventory. For the Port and Module configuration to work properly, the inventory collection for the devices must be successful. 2. You must trigger a fresh inventory collection to update all the port and module attributes. 3. If the data collection is not successful, then data will not be available for some attributes. 4. The following are the recommended number of ports in LMS: 1. The maximum number of ports supported in LMS is 500,000 ports. 2. The maximum number of ports supported in a port group is 100,000 ports. 3. The maximum number of ports supported in an LMS job is 250,000 ports.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-35 Chapter 5 Managing Groups Port and Module Group Administration

4. In some devices, duplicate entries are returned for the ifName MIB. In such cases, only one entry for the ifName will be considered and the duplicate entries will be dropped. 5. The port information is fetched from the ifXtension MIB. If the ifXtension MIB is not supported in the device, then port configuration for the device will not work. For example, if a device supports only SNMPv1, then ifXtension MIB will not be supported in the device. In this case, the port configuration for the device will not work. The LMS Port and Module Group Browser window contains these fields. (See Table 5-2)

Table 5-2 Fields on Port and Module Group Browser

Field/Button Description Group Name Name of the group created. By default, the following System-defined groups are displayed: • 1 Gbps Ethernet Ports—Contains all 1 Gbps Ethernet ports in the network. • 10 Gbps Ethernet Ports—Contains all 10 Gbps Ethernet ports in the network. • 10 Mbps Ethernet Ports—Contains all 10 Mbps Ethernet ports in the network. • 100 Mbps Ethernet Ports—Contains all 100 Mbps Ethernet ports in the network. • Access Ports—Contains all the Access mode ports. • DMP Ports—Contains all ports connected to DMP. • End Hosts—Contains all ports connected to End Hosts. • IP Phones—Contains all ports connected to IP Phones. • IPVSC Ports—Contains all ports connected to IPVSC. • Link Ports—Contains all ports connected to other devices. Description Description of the group created. Group Type Type of the group created. For example, Port or Module. Created By User who created the group. Last Modification Time at which the group settings were last modified. Time. Rows per page This page displays the number of rows you have set for display in the Rows per page field. You can increase the rows to 500 for each page by selecting the Rows per Page drop-down list. You can navigate through the pages of the report using the navigation icons at the bottom right of this table. Create Starts the Group Creation Wizard for creating a group, as described in the Creating Port and Module Groups. Edit Starts the Group Edit Wizard for editing an existing group, as described in the Editing Port and Module Groups. View Allows you to view the group details, as described in the Viewing Port and Module Group Details. Delete Deletes the group, as described in the Deleting Port and Module Groups.

You can perform the following tasks from the LMS Port and Module Group Browser window: • Creating Port and Module Groups • Editing Port and Module Groups

Administration of Cisco Prime LAN Management Solution 4.2 5-36 OL-25947-01 Chapter 5 Managing Groups Port and Module Group Administration

• Viewing Port and Module Group Details • Deleting Port and Module Groups

Creating Port and Module Groups

Creating a Port and Module Group involves the following steps: 1. Entering the Port and Module Group Properties Details 2. Selecting Group Source 3. Defining Rule Expression for Port or Module Groups 4. Understanding the Summary You must complete all tasks in this sequence to create a group. If you exit the wizard at any stage using Cancel, the details you have specified will be lost and the group will not be created.

Note Port and Module configuration depends on the data collected by the LMS Inventory. For the Port and Module configuration to work properly, the inventory collection for the devices must be successful.

Entering the Port and Module Group Properties Details

In this step, you will enter the name and description for the group. The Port and Module Group Properties dialog box contains the following fields. (See Table 5-3)

Table 5-3 Fields on the Port and Module Group Properties dialog box

Field Description Group Name Name of the group you are creating. Description Text description of the group.

To enter the values in Port and Module Group Properties dialog box:

Step 1 Either: • Select Admin > System > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2). Or • Select Inventory > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2). Step 2 Click Create. The Group Properties page appears. Step 3 Enter a unique name for the group in the Group Name field. Step 4 Enter a description for the group in the Description field (optional). Step 5 Click Next.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-37 Chapter 5 Managing Groups Port and Module Group Administration

The Select Group Source page appears, displaying the Device Selection dialog box.

Selecting Group Source

In this step, you need to select the Group source. This can be either devices or groups (System-defined or User-defined). The Select Group Source page displays the Device Selection and Group Selection dialog box. The Device Selection and Group Selection dialog box contains the following fields. (See Table 5-4) You must select either devices or device groups from Device Selector or Group Selector, respectively.

Table 5-4 Fields on the Device Selection dialog box

Fields Description Device Selector Displays all LMS devices in the group. Search Input Enter the search expression in this field. You can enter single device names or multiple device names. If you are entering multiple device names, separate them with a comma. You can also enter the wildcard characters “*” and "?". For example: 192.168.10.1*, 192.168.20.* Search Use this icon to perform a simple search of devices based on the search criteria you have specified in the Search Input text field. For information on Search, see Performing Simple Search. Advanced Search Use this icon to perform an advanced search of devices based on the search criteria you have specified in the Search Input text field. For information on Advanced Search, see Performing Advanced Search. All Lists all User-defined and System-defined groups for all applications that are installed on LMS Server. For more information, see Selecting Devices From All Tab. Search Results Displays all the search results from Search or Advanced Search. For more information, see Selecting Devices From Search Results. Selection Lists all the devices that you have selected in the Search Results or All tab. Using this tab, you can deselect devices from the list. Group Selector Displays all groups in LMS.

To select the group source:

Step 1 Either: • Select Device Selector. • Select the devices. or • Select Group Selector.

Administration of Cisco Prime LAN Management Solution 4.2 5-38 OL-25947-01 Chapter 5 Managing Groups Port and Module Group Administration

• Select the groups. Step 2 Click Next. The Rule Express page appears.

Defining Rule Expression for Port or Module Groups

In this step, you will define the rules for creating port or module groups. The rules you define in this phase, determine the contents of the group. The rules you specify here, determine the ports and modules to be included in the group. You can either enter the rules directly in the Rule Text field, or select the components of the rule from the Rule Expression fields, and form a rule. The Rules Expression page contains the following fields:

Field/Buttons Description Object Type Select the following object types to form a group: • Module • Port Variable Object type attributes, based on which you can define the group. See Rule Attributes for Port and Module Creation. Operator Operator to be used in the rule. The list of possible operators change, based on the variable selected. When using the equals operator the rule is case-sensitive. Value Value of the rule expression. The possible values depend upon the variable and operator that you select. Depending on the operator selected, the value may be free-form text or a list of values. Wildcard characters are not supported. Add Rule Expression Adds the rule expression to the group rules. (Button) Rule Text Displays the rule. Check Syntax Verifies that the rule syntax is correct. (Button) Use this button to verify the syntax of the rule that you have created before proceeding to the next step.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-39 Chapter 5 Managing Groups Port and Module Group Administration

Field/Buttons Description Include Include List popup opens and lists all the modules or ports from the selected devices that do not (Button) match the rule. You can choose to include those modules or ports for group creation. The Include List popup will also list the modules or ports that match the rule but will not be enabled for selection. Click Include to launch the Include List window. See Table 5-5 for descriptions of the fields in the Include List window. You can also include modules or ports for the selected devices, without specifying a rule, by clicking Include. Exclude Exclude List popup opens and lists all the modules or ports from the selected devices that match (Button) the rule. You can choose to exclude those modules or ports for group creation. The Exclude List popup will also list the modules or ports that do not match the rule but will not be enabled for selection. Click Exclude to launch the Exclude List window. See Table 5-5 for descriptions of the fields in the Exclude List window.

To define the group rule:

Step 1 Go to the Rules Expression page. Step 2 Set the parameters for Object Type, Variable and Operator. Step 3 Enter the desired value for the Variable you have selected. Step 4 Click Add Rule Expression. The LMS Port and Module Group Administration creates the rule based on the parameters you have specified and adds it to the rules already present in the Rules Text field. You can use the same procedure to add more rules. You can manually add or change any text in the Rule Text box. Step 5 Click Include or Exclude. • Include—A popup window appears, allowing you to include ports or modules for the group. See Table 5-5 for the descriptions of the fields in the Include List window. • Exclude—A popup window appears, allowing you to exclude ports or modules for the group. See Table 5-5 for the descriptions of the fields in the Exclude List window. Step 6 Click Check Syntax to validate the rules expression syntax. • If the syntax is correct, an information box appears with a message, The rule syntax is valid. • If the syntax is incorrect, an error box appears with a message, You have entered an invalid rule. Enter a valid rule. See the Help for examples of valid rules. For examples on defining valid rules, see Examples for Port and Module Groups. Step 7 Click Next. The Summary page appears, displaying the group properties. See Understanding the Summary.

Administration of Cisco Prime LAN Management Solution 4.2 5-40 OL-25947-01 Chapter 5 Managing Groups Port and Module Group Administration

Note You can also include modules or ports for the selected devices, without specifying a rule, by clicking Include. If you include the ports or modules for the selected devices, and also exclude the same ports or modules, the exclude option will have a higher priority.

Rule Attributes for Port and Module Creation The following table lists the available attributes that you can use to define rules to create port and module groups.

Object Type Attribute Description Module AdminStatus Administrative status of the module. For example, Enabled/Commissioned. FW_Version Firmware version of the module. For example, 12.1(27b)E1 ModuleName Name of the module. For example, Linecard OperStatus Operational status of the module. For example, Dormant SlotNumber Slot number of the module. For example, 6 SW_Version Software version of the module. For example, 12.1(27b)E1 VendorType Vendor type of the module. For example, cevAS53004ct1

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-41 Chapter 5 Managing Groups Port and Module Group Administration

Object Type Attribute Description Port AdminStatus Administrative status of the port. For example, Disabled/Decommissioned CM.AccessStatus Whether the port is an Access port or not. CM.Channel Whether the port is a channel port. CM.Duplex The duplex mode of the port. The values could be unknown-duplex, full-duplex, half-duplex, default, disagree, auto-duplex. CM.JumboFrameEnabled Whether the port is JumboFrame enabled or disabled. CM.L2L3 Whether the port is in switched or routed mode. CM.LinkStatus Link status of the port. Whether the link is up or down. CM.Neighbor Whether the port is connected to a device, IP Phone, or End Host. CM.TrunkStatus Whether the port is a Trunk port. If trunk is configured in the port, then it is a trunk port. CM.VLAN_ID The index of the VLAN configured on the port. CM.VLAN_NAME Name of the VLAN configured on the port. CM.VTP_DOMAIN Name of the VTP Domain that the port is associated with. EnergyWise_Importance EnergyWise Importance of the device. This value prioritizes the devices in a domain based on their power usage. EnergyWise_Role Role or function of the device in the EnergyWise domain. EnergyWise_Keyword A word that will help you identify a specific device or group of devices in the EnergyWise domain. FlexLink Whether the FlexLink status of the port is enabled or disabled. IFIndex IFIndex of the port. For example, 10 IsEnergyWisePort Specifies if the port is EnergyWise-enabled.

Administration of Cisco Prime LAN Management Solution 4.2 5-42 OL-25947-01 Chapter 5 Managing Groups Port and Module Group Administration

Object Type Attribute Description Port Identity_Security_Mode Specifies the security mode, based on the level of security you wish to (contd.) implement in your network. The three types of security modes are: • Monitor Mode • Low Impact Mode • High Security Mode MACsecStatus You can enable or disable MACsec on the interface. MACsec provides secure, encrypted communication on wired LANs. OperStatus Operational Status of the port. For example, Stopped/Suspended PortDescription Description of the port. For example, FastEthernet0/1 PortName Name of the port. For example, Fa0/1 SpanEnabled Whether the port is Span enabled. Speed Speed of the port. For example, 10000000 (for 10 Mbps) Type Enter the value for the port type. For example, if you want to define a rule for the port type ethernetCsmacd, you need to enter 6 as the value. For information on the port type values, see http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=ift ype&translate=Translate&submitValue=SUBMIT&submitClicked=true

Note For the port attributes that start with name “CM.” , the data collection for the attributes must be successful.

Examples for Port and Module Groups This section shows examples of a valid rule. The following are some examples for grouping tasks: • Rule to select all the Ports whose Port Description contains the string: Ethernet • Rule to select all the Ports that are connected to another device • Rule to select all the Modules whose Slot number is 1 • Rule with OR Operator • Rule with AND Operator

Rule to select all the Ports whose Port Description contains the string: Ethernet This rule filters all ports whose Port description consists of the string Ethernet. To provide rule expression for this scenario: From the Create Rules dialog box:

Step 1 Select Port from the Object Type drop down listbox Step 2 Select PortDescription from the Variable drop down listbox

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-43 Chapter 5 Managing Groups Port and Module Group Administration

Step 3 Select contains from the Operator drop down listbox Step 4 Enter Ethernet in the Value textbox Step 5 Click Add Rule Expression The following rule gets added to the Rule Text: Port.PortDescription contains "Ethernet"

Rule to select all the Ports that are connected to another device This rule filters all Ports that are connected to another device. To provide rule expression for this scenario: From the Create Rules dialog box:

Step 1 Select Port from the Object Type drop down listbox Step 2 Select CM.LinkStatus from the Variable drop down listbox Step 3 Select = from the Operator drop down listbox Step 4 Select Configured in the Value drop down list box. Step 5 Click Add Rule Expression The following rule gets added to the Rule Text: Port.CM.LinkStatus = "Configured"

Rule to select all the Modules whose Slot number is 1 This rule filters all the modules that are placed in slot number 1. To provide rule expression for this scenario: From the Create Rules dialog box:

Step 1 Select Module from the Object Type drop down listbox Step 2 Select SlotNumber from the Variable drop down listbox Step 3 Select = from the Operator drop down listbox Step 4 Enter 1 in the Value textbox Step 5 Click Add Rule Expression The following rule gets added to the Rule Text: Module.SlotNumber = "1"

Rule with OR Operator Rule to list all ports whose Port description contains the string as either Ethernet or FastEthernet. To provide rule expression for this scenario:

Administration of Cisco Prime LAN Management Solution 4.2 5-44 OL-25947-01 Chapter 5 Managing Groups Port and Module Group Administration

Step 1 From the Create Rules dialog box: a. Select Port from the Object Type drop down listbox b. Select PortDescription from the Variable drop down listbox c. Select StartsWith from the Operator drop down listbox d. Enter Ethernet from the Value drop down listbox e. Click Add Rule Expression The following rule gets added to the Rule Text: Port.PortDescription StartsWith "Ethernet" Step 2 Select the OR option from the logical operator list box. Step 3 From the Create Rules dialog box: a. Select Port from the Object Type drop down listbox b. Select PortDescription from the Variable drop down listbox c. Select StartsWith from the Operator drop down listbox d. Enter FastEthernet in the Value textbox e. Click Add Rule Expression The following rule gets appended to the Rule Text: Port.PortDescription StartsWith "Ethernet" OR Port.PortDescription StartsWith "FastEthernet" The OR logical operator evaluates if either or both of the conditions are satisfied. The ports are selected based on either or both of the matching criteria.

Rule with AND Operator Rule to select all the FastEthernet Ports whose Operational status is up. To provide rule expression for this scenario:

Step 1 From the Create Rules dialog box: a. Select Ports from the Object Type drop down listbox b. Select OperStatus from the Variable drop down listbox c. Select = from the Operator drop down listbox d. Select OK from the Value drop down listbox e. Click Add Rule Expression The following rule gets added to the Rule Text: Port.OperStatus = "OK" Step 2 Select the AND option from the logical operator list box. Step 3 From the Create Rules dialog box: a. Select Ports from the Object Type drop down listbox b. Select PortDescription from the Variable drop down listbox c. Select StartsWith from the Operator drop down listbox

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-45 Chapter 5 Managing Groups Port and Module Group Administration

d. Enter FastEthernet in the Value textbox e. Click Add Rule Expression The following rule gets appended to the Rule Text: Port.OperStatus = "OK" AND Port.PortDescription StartsWith "FastEthernet" The AND logical operator evaluates if both the parameters are satisfied. Only devices that satisfy both the criteria are selected.

Include and Exclude Table 5-5 describes the Include and Excludes window fields in the Rule Expression page of Port and Module Group Administration.

Table 5-5 Include and Exclude Window Fields Description

Window Fields/Buttons Description Include List Device Selector Devices selected for group creation. Port Name/Module Name Name of the port or module in the device. For some of the devices, if ports or module names are not available in the device, the message Not Available will be shown. Description/Vendor Type Description of the port or module. For some of the devices, if ports description or module vendor type is not available in the device, the message Not Available will be shown. Slot Number Slot number of the module. This field is available only for modules. Include The selected ports or modules are included for group creation. (Button) Filter by Port/Module Enter the filter expression and click Filter to filter Name the port or modules in the device.

Administration of Cisco Prime LAN Management Solution 4.2 5-46 OL-25947-01 Chapter 5 Managing Groups Port and Module Group Administration

Table 5-5 Include and Exclude Window Fields Description

Window Fields/Buttons Description Exclude List Device Selector Devices selected for group creation. Port Name/Module Name Name of the port or module in the device. For some of the devices, if ports or module names are not available in the device, the message Not Available will be shown. Description/Vendor Type Description of the port or module. For some of the devices, if ports description or module vendor type is not available in the device, the message Not Available will be shown. Slot Number Slot number of the module. This field is available only for modules. Exclude The selected ports or modules are excluded from group creation. (Button) Filter by Port/Module Enter the filter expression and click Filter to filter Name the port or modules in the device.

Understanding the Summary

The final step in creating the port or module group is a summary page that displays the new group definition. The Summary page contains the following information. (See Table 5-6):

Table 5-6 Fields on the Summary page.

Field Description Group Name Name of the group you are creating. Description Text description of the group. Rule Rules used to filter the group. Devices/Groups in Rule List of devices or groups to which the rule will be applied.

After reviewing the group summary, either:

Step 1 Click Finish to complete the procedure for Creating Groups. A confirmation box appears. Step 2 Click OK. You can view the newly created group in the Port and Module Group Browser page. Or Click Back to change the group properties.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-47 Chapter 5 Managing Groups Port and Module Group Administration

Viewing Port and Module Group Details

To view the existing port or module group details:

Step 1 Either: • Select Admin > System > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2). Or • Select Inventory > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2). Step 2 Select the group name and click View. The View Group Details page appears, displaying Group: Details dialog box with the following details:

Field/Button Description Group Name Name of the group you are viewing. Parent Group Parent group of the group you are viewing. Type Type of the objects that belong to the group. Description Text description of the group. Rule Rules used to create the group. Created By User who created the group. This also displays the time at which the group was created. Last Modified By User who last modified the group. This also displays the time at which the group was last modified. Devices/Groups Devices or Device Groups that are part of the port or module group. Membership Details Used to view the list of devices that belong to the group. See Viewing Membership Details. (Button) Cancel Closes the page and takes you back to the Port and Module Group (Button) Browser page.

Viewing Membership Details You can view a list of the objects that belong to a group by accessing the Group: Details dialog box.

Administration of Cisco Prime LAN Management Solution 4.2 5-48 OL-25947-01 Chapter 5 Managing Groups Port and Module Group Administration

Step 2 Select the group name for which you want to view the membership details and click View. The Group: Details dialog box appears. Step 3 Click Membership Details. The View Group Members dialog box appears with the following information:

Field/Button Description Device Selector Devices selected for group creation. Port Name/Module Name Name of the port or module in the device that are part of the group. Description Description of the ports or modules in the device that are part of the group. Filter by Port/Module Name Enter the filter expression and click Filter to filter the port or modules in the device that are part of the group. Close To close the View Group Members dialog box. (Button)

Editing Port and Module Groups

You can edit all attributes that are defined while creating a group, except Group Name. To edit a port and module group:

Step 1 Either: • Select Admin > System > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2). Or • Select Inventory > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2). Step 2 Select the group by checking the check box. Step 3 Click Edit. The Group Properties page appears, displaying Port and Module Group Properties dialog box. See Entering the Port and Module Group Properties Details. You cannot: • Modify the Group Name field. • Click Finish to complete the edit flow.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-49 Chapter 5 Managing Groups Port and Module Group Administration

Step 4 Click Next. The Select Group Source page appears, displaying either Device Selector or Group Selector dialog box. • Device Selection – If you have selected devices using Device Selector in the Create flow. – If you have created the group by including the ports or modules without specifying the rule in the Create flow. In this case, only the devices for which you selected ports or modules are displayed. Or • Group Selection—If you have selected device groups using Group Selector in the Create flow. You can modify the devices or groups that you have selected, based on your requirement. Step 5 Click Next. The Rules Expression page appears, displaying the rule previously set. See Defining Rule Expression for Port or Module Groups. You can modify and define new rules. If you include the ports or modules for the selected devices, and also exclude the same ports or modules, the exclude option will have the higher priority. Step 6 Click Next. The Summary page appears, displaying the group details. Understanding the Summary. Step 7 Either: Click Finish to complete the editing procedure for the group. Or Click Back to change the group properties.

Note You can click Finish at any point in the workflow.

Deleting Port and Module Groups

To remove an existing port or module group:

Step 1 Select Admin > System > Group Management > Port and Module. The Port and Module Group Browser page appears, displaying the list of groups. Step 2 Select the group to remove from the Port and Module Group Browser dialog box. Step 3 Click Delete. A confirmation dialog box shows that the group will be deleted. Step 4 Click OK.

Administration of Cisco Prime LAN Management Solution 4.2 5-50 OL-25947-01 Chapter 5 Managing Groups Working with Fault System-defined Groups

Working with Fault System-defined Groups

The group selector displays some groups such as Access Port Groups, Trunk Port Groups, and Interface Port Groups. See Fault System Defined Groups for more information. You can control the polling and thresholds settings for these groups using Monitor > Threshold Settings > Fault. See Monitoring and Troubleshooting Online Help for more information. These system defined groups can be used when searching for devices using the Advanced Search option in the device selector. This section contains: • LMS System-defined Groups • Fault System Defined Groups

LMS System-defined Groups

The LMS system defined groups are visible to all Cisco Prime users, and are the factory default groups administered by LMS. Device Groups appear in the group selector when they have device members, that is, devices in the DCR that belong to that group. The following are the LMS system defined groups: • Broadband Cable • Content Networking • DSL and LRE • Interfaces and Modules • Network Management • Non Cisco Devices • Optical • Routers • Security and VPN • Server Fabric Switches • Storage Networking • Switches and Hubs • Server Fabric Switches • Universal Gateways and Access Servers • Unknown Device Types • Voice and Telephony • Wireless

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-51 Chapter 5 Managing Groups Working with Fault System-defined Groups

Fault System Defined Groups

The fault system defined groups are visible to all Cisco Prime users, and are the factory default groups that are administered by the Fault Management module in LMS 4.0. The following are the Fault Management system defined groups: • System defined access port groups: – 1 GB Ethernet – 10 GB Ethernet – 10MB-100MB Ethernet – ATM – Others • System defined interface groups: – 1 GB Ethernet – 10 GB Ethernet – 10MB-100MB Ethernet – ATM – Backup – Dial-on-Demand – FDDI – ISDN B channel – ISDN D channel – ISDN physical interface – Others – Serial – Token Ring • System defined trunk port groups: – 1GB Ethernet – 10 GB Ethernet – 10MB-100MB Ethernet – ATM – Others A 10 GB Ethernet interface device, during an upgrade, behaves in the following ways: • If the 10MB - 100MB group has been set to high priority when compared to 1 GB Ethernet group, then the 10GB device falls under the 10MB - 100MB group. In order to make it fall under 10 GB Ethernet Group, you must set the priority of the group to high. • If the 10MB - 100MB group has been set to low priority when compared to 1 GB Ethernet group, then the 10GB device falls under 10 GB group. For more information, see Setting Priorities in Monitoring and Troubleshooting Online Help.

Administration of Cisco Prime LAN Management Solution 4.2 5-52 OL-25947-01 Chapter 5 Managing Groups Working with Customizable Groups

Working with Customizable Groups

Customizable groups are the only user-defined groups for which you can set polling and threshold parameters. They are provided so you can create groups that fit your needs. Fault Management in LMS 4.0 provides 28 customizable groups, which are divided into four categories: • Access Port Groups • Trunk Port Groups • Interface Groups • Device Groups Table 5-7 lists the seven customizable groups that appear in each of the four categories.

Table 5-7 Polling and Thresholds: Customizable Groups

Customizable Groups Intended Use A Consider reserving customizable groups A, B, and C to troubleshoot B Add one device to any of these groups when you need to test. For example, to test a C changed threshold or interval value for a polling setting. 1 Consider using customizable groups 1, 2, 3, and 4 when you want to override polling settings and thresholds for more than one device. 2 3 4

You configure a customizable group to have the highest priority. To do so, see Setting Priorities section in Monitoring and Troubleshooting Online Help. You must add devices to the customizable groups before you can set polling parameters or threshold values for them. To do so, see Working with Customizable Groups. Since you cannot change the rules for system defined groups, Fault Management provides groups that you can customize so that they contain devices, ports, or interfaces. Port and interface containment is only seen and used by Polling and Thresholds (Monitor > Threshold Settings > Fault). After you edit or create a group, you can determine whether other Cisco Prime users can view the group.

Table 5-8 Fault Management Customizable Groups

Use this group to Settings you can Group Name monitor... configure for this group: Customizable Access Port Access ports Thresholds Groups Customizable Groups Devices Polling and thresholds Customizable Interface Groups Interfaces Thresholds Customizable Trunk Ports Trunk ports Thresholds Groups

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-53 Chapter 5 Managing Groups Managing Fault Groups

For each of the parent groups listed in Table 5-8, Fault Management provides seven configurable subgroups. Table 5-9 describes the restrictions placed on the subgroups.

Table 5-9 Fault Management Customizable Groups—Restrictions

Group Name Restrictions Customizable Group A • Use to troubleshoot a single device (but can Customizable Group B contain more than one device) Customizable Group C • Cannot be deleted • Cannot have subgroups • Cannot have name changed Customizable Group 1 • Can contain multiple devices Customizable Group 2 • Cannot be deleted Customizable Group 3 • Cannot have subgroups Customizable Group 4 • Cannot have name changed

Managing Fault Groups

The Fault Group Administration and Configuration page is where all group management activities take place. To open the Group Administration and Configuration page: Either: Select Admin > System > Group Management > Fault. Or Select Inventory > Group Management > Fault.

Note If you are connecting to the LMS server for the first time, a Security Alert window is displayed when you select an option. Do not proceed without viewing and installing the self-signed security certificate.

See Editing and Creating Fault Groups for information on how to use Group Administration to create and edit groups. In addition to creating and editing groups, Group Management provides the following functions: • Refreshing Fault Membership • Deleting Fault Groups

Administration of Cisco Prime LAN Management Solution 4.2 5-54 OL-25947-01 Chapter 5 Managing Groups Managing Fault Groups

Table 5-10 describes the fields in the Group Administration and Configuration page.

Table 5-10 Fields on Group Administration and Configuration Page

Field/Button Description Group Selector Hierarchical display of all available groups. Group Info When you select an item from the Group Selector, the Group Info pane displays the following information: • Group Name—Name of the group you selected. • Type—Type of objects in the selected group. • Description—Text description of the group. • Created By—Person who created the group. • Last Modified By—Last person to modify the group settings. Create Starts the Group Creation Wizard for creating a group, as described in Editing a Fault Group. Edit Starts the Group Edit Wizard for editing user defined groups, as described in Editing a Fault Group. Not supported for view groups created from the Alerts and Activities Defaults page. Details Opens the Properties: Details page, as described in Viewing Fault Group Details. Refresh Refreshes a group memberships, as described in Refreshing Fault Membership. Not supported for port and interface groups. Delete Deletes a group, as described in Deleting Fault Groups.

Editing and Creating Fault Groups

The processes for editing and creating groups are similar. Keep these points in mind: • You can edit user defined customizable subgroups. For example, the subgroup Customizable Group 1 under Customizable Access Port Groups. These subgroups are listed in Working with Customizable Groups. • You can create or edit user defined miscellaneous groups. These groups can be used with views in the Alerts and Activities display, or with notification groups in Notification Services. You cannot edit or view groups created from the Alerts and Activities Defaults page. This section contains information on: • Editing a Fault Group • Creating a Fault Group • Understanding Rules • Finalizing Fault Group Membership • Viewing the Fault Group Summary

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-55 Chapter 5 Managing Groups Managing Fault Groups

LMS uses the Group Creation Wizard to guide you through the steps required to create or edit a group. The wizard consist of four steps: 1. Setting properties (for details, see Editing a Fault Group) 2. Creating rules (for details, see Understanding Rules). 3. Modifying group membership (for details, see Finalizing Fault Group Membership). 4. Viewing the summary (for details, see Viewing the Fault Group Summary).

Editing a Fault Group

You can edit the properties of user defined customizable port, interface, and device groups. You can also edit miscellaneous user defined groups you created using Group administration.

Procedure

Note If you edit a device-type group, you can launch the Preview.

Administration of Cisco Prime LAN Management Solution 4.2 5-56 OL-25947-01 Chapter 5 Managing Groups Managing Fault Groups

This section contains: • Adding and Deleting Rules from the Rules:Edit Page • Adding and Removing Objects from the Rules: Edit Page

Adding and Deleting Rules from the Rules:Edit Page

You can add new rules or delete existing rules in the Rules: Edit page. To add a new rule:

Step 1 From the first list, select a logical operator (applicable when there are multiple rule expressions). The list of logical operators is enabled after at least one rule expression is entered.+ Step 2 From the Object Type list, select an object type. Step 3 From the Variable list, select a variable. Step 4 From the Operator list, select an operator. Step 5 In the Value field, enter a value. Step 6 Click Add Rule Expression. The rule expression appears in the Rule Text box. You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\), an error is displayed. To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single backslash. You should always check the syntax after changing a rule expression. If you have added complex rules (containing both AND and OR conditions), you must manually enter parentheses, as in the following example: (AccessPort.Mode equals ““ OR AccessPort.Mode contains “BACKUP” OR AccessPort.Mode contains “NORMAL”) AND AccessPort.DuplexMode contains “HALFDUPLEX” OR AccessPort.DuplexMode contains “FULLDUPLEX”)

Step 7 Verify whether the syntax of the rule is correct by clicking Check Syntax. A dialog box appears, stating that the syntax is valid. Step 8 Click OK. If you want to view the rules for the parent group, select View Parent Rules. All rules assigned to a parent group also apply to any of its subgroups. Step 9 Click Next. The Membership: Edit page appears.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-57 Chapter 5 Managing Groups Managing Fault Groups

To delete a rule:

Step 1 In the Rule Text box, select the entire rule text and press the Delete key. After deleting the rule, you must click the page so that the page can refresh, removing the list of logical operators. Step 2 Click Next. The Membership: Edit page appears.

Adding and Removing Objects from the Rules: Edit Page

You can add or remove specific objects from the group membership. This feature is not supported for port and interface groups. The group's rule captures the list of objects that are added to or deleted from the group. The rule will contain an Includelist and an Excludelist section to reflect this. Although it is acceptable for a rule to have more than one Includelist or Excludelist, the recommended practice is to consolidate them, forming one Includelist and one Excludelist. Check for duplicates across both lists and ensure that no device is both included and excluded. You can add and remove objects from the Parent Group To add an object:

Step 1 In the Available Objects from Parent Group column, select the device you want to add. Step 2 Click Add. Step 3 Click Next. The group’s information appears in the Summary: Create page. Step 4 Click Finish. A dialog box appears, stating that changes to the group have been saved. Step 5 Click OK.

To remove an object:

Step 1 In the Objects Matching Membership Criteria column, select the device you want to remove. Step 2 Click Remove. Step 3 Click Next. The group’s information appears in the Summary: Create page. Step 4 Click Finish. A dialog box appears, stating that changes to the group have been saved. Step 5 Click OK.

Administration of Cisco Prime LAN Management Solution 4.2 5-58 OL-25947-01 Chapter 5 Managing Groups Managing Fault Groups

Creating a Fault Group

Creating fault groups is supported only for user defined miscellaneous groups. Once created, you can edit these groups.

Note When you create a fault group, at least one device must be in the managed state.

Procedure

Step 1 Either: • Select Admin > System > Group Management > Fault. The Fault Group Administration and Configuration page appears. Or • Select Inventory > Group Management > Fault. The Fault Group Administration and Configuration page appears. Step 2 In the Group Selector, select User Defined Groups. Step 3 Click Create. The Properties: Create page appears. Step 4 Enter a group name for the new group. If you do not want to copy the attributes of an existing group to your new group, proceed to Step 6. If you want to copy the attributes of an existing group to the new group, do the following: a. Click Select Group. The Replicate Attributes page appears. b. Select the group from which you want to copy the attributes. c. Click OK. All attributes except the group name are copied to the new group. If you want to change the parent group (the location where the group will reside in the Group Selector), do the following: a. Click Change Parent. The Select Parent page appears. b. Select the parent group. Step 5 Click OK. Enter a description. This is optional. Step 6 Choose how you want the group membership updated. This choice is not displayed for port and interface groups): • If you want the membership for this group updated automatically, select Automatic. • If you want the membership for this group updated only when the Refresh button is clicked, select Only Upon User Request.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-59 Chapter 5 Managing Groups Managing Fault Groups

Step 7 Select a Visibility Scope: • Available to Created User Only • Available to All Cisco Prime Users Step 8 Click Next. The Rules: Create page appears. (For more information on creating rules, see Understanding Rules.) Step 9 Do one of the following: • To create rules to apply to the group, go to Step 10. • Click Next and select the objects on the Membership: Create page (not supported for port and interface groups). Then go to Step 10. If you need to return to any of the previous pages in the wizard, click Back. Step 10 Create all rules that you want to apply to the group: a. Select a logical operator (applicable when there are multiple rule expressions). The list of logical operators is enabled after at least one rule expression is entered. b. Select an object type. c. Select a variable. d. Select an operator. e. Enter a value. f. Click Add Rule Expression. The rule expression appears in the Rule Text box. You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\), an error is displayed. To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single backslash. You should always check the syntax after changing a rule expression. If you have added complex rules (containing both AND and OR conditions), you must manually enter parentheses, as in the following example: (AccessPort.Mode equals ““ OR AccessPort.Mode contains “BACKUP” OR AccessPort.Mode contains “NORMAL”) AND AccessPort.DuplexMode contains “HALFDUPLEX” OR AccessPort.DuplexMode contains “FULLDUPLEX”)

g. Verify that the rule syntax is correct by clicking Check Syntax. A dialog box appears, stating the syntax is valid. h. Click OK. If you want to view the rules for the parent group, select View Parent Rules. All rules assigned to a parent group also apply to any of its subgroups. i. Click Next. The Membership: Create page appears.

Administration of Cisco Prime LAN Management Solution 4.2 5-60 OL-25947-01 Chapter 5 Managing Groups Managing Fault Groups

Adding and Removing Objects from the Rules: Create Page

To remove an object:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-61 Chapter 5 Managing Groups Managing Fault Groups

Understanding Rules

Every group is defined by a set of rules. A rule set contains a Boolean combination of individual rule expressions. Rules are created to filter in the objects that you want to belong to the group, and to filter out those that you do not want in the group. When determining the objects that belong to a group, Group Management compares object information to the rule. If an object information satisfies all of the rule requirements, it is placed in the group. One or more rule expressions can be applied to form a rule. Each rule expression contains the following: Object Type.Variable Operator Value For example: Routers.Location equals "San Jose"

Complex rules that contain both OR and AND conditions require you to edit the rule manually. For example, all parentheses in the following rule must be added in the Rule Text field: (AccessPort.Mode equals ““ OR AccessPort.Mode contains “BACKUP” OR AccessPort.Mode contains “NORMAL”) AND (AccessPort.DuplexMode contains “HALFDUPLEX” OR AccessPort.DuplexMode contains “FULLDUPLEX”) Rules are defined through the Group Creation Wizard on the Rules: Create and Rules: Edit pages. You can define the following: • Logical Operators • Object Type • Variable • Operator • Value

Logical Operators The logical operator field appears when you are defining multiple rules. The logical operators can be: • OR—Include devices that fulfill the requirements of either rule. For interface, access port, and trunk port groups, this operator can only be used between the variables of the same type, as in the following valid rule: AccessPort.DuplexMode equals “HALFDUPLEX” OR AccessPort.DuplexMode equals “FULLDUPLEX”

If you used an AND operator in the previous port rule, it would be invalid. • AND—Include only objects that fulfill the requirements of both rules. For interface, access port, and trunk port groups, this operator can only be used between the variables of different types, as in the following example: AccessPort.Mode equals “” AND AccessPort.DuplexMode equals “FULLDUPLEX”

If you used an OR operator in the previous rule, it would be invalid.

Administration of Cisco Prime LAN Management Solution 4.2 5-62 OL-25947-01 Chapter 5 Managing Groups Managing Fault Groups

For device groups, this operator can only be used between variables of the same type, as in the following example: Routers.Model equals "12816" AND Routers.Model equals “12810”

The following would be an invalid rule for a device group: Routers.Model equals "12816" AND SwitchesAndHubs.Type equals "6509"

In the previous example, you would have to use the OR operator. • EXCLUDE—Do not include these devices.

Object Type The Object Type field lists the available objects that you can use to form a group. Depending upon the type of group you are creating, the Object Type field may contain the following choices: AccessPort TrunkPort Interface Cable ContentNetworking Device DSLAndLRE Group InterfacesAndModules NetworkManagement Optical Routers SecurityAndVPN ServerFabricSwitches StorageNetworking SwitchesAndHubs UniversalGatewaysAndAccessServers Unknown VoiceAndTelephony Wireless

Variable The Variable field lists the possible attributes for the selected object type to be used for the rule. The list of possible variables changes based on the object type that is selected. Some variables for port and interface groups are described in Table 5-11.

Operator The Operator field defines the operator to be used in the rule. The list of possible operators changes based on the object type and the variable selected. When using the equals operator, the rule is case-sensitive.

Value The Value field describes the value of the rule expression. The possible values depend upon the object type, variable, and operator selected. Depending on the operator selected, the value may be free-form text or a list of values.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-63 Chapter 5 Managing Groups Managing Fault Groups

Most of the values that can be entered in the Value field of the Rules: Edit page are self-evident, but some of the objects in the Variables field have special meanings or restrictions on how to enter the related attribute in the Value field. Table 5-11 describes the objects that appear in the Variable field of the Rules: Edit page that might need further explanation.

Table 5-11 Explanations for the Values of Special Variables

Variable Explanation Description Interface or port description. DuplexMode Duplex mode (FULLDUPLEX, HALFDUPLEX, or UNSPECIFIED). InterfaceCode Interface types, protocols, or encapsulations. MaxSpeed Maximum speed, in bits per second. MaxTransferSpeed Speed of the largest datagram that can be sent or received, specified in octets. For interfaces that use transmitting network datagrams, this is the speed of the largest network datagram that can be sent. Mib2ifType Type of interface, distinguished according to the physical or link protocols immediately below the network layer in the protocol stack, represented as a digit. Mode Intended purpose (for example, for interfaces, backup, dial-on-demand, and so forth). Name Name of object. SystemModel Name of the system. SystemName Name of system containing this element. SystemObjectID System Object Identifier associated with vendor of system. SystemVendor Name of system supplier. Type Type of element (for example, interface), distinguished according to the physical or link protocols immediately below the network layer in the protocol stack.

Note After you have defined the rule, you should verify the syntax. You can do this on the Rules: Edit page.

Table 5-12 describes the remaining fields on the Rules: Edit page of the Group Creation Wizard.

Table 5-12 Fields on the Rules: Edit Page

Field/Button Description Add Rule Expression Used to add the rule expression to the group rules. Rule Text Displays the rule. For complex rules (which contain both OR and AND conditions), you must manually add parentheses in this field. (In Editing a Fault Group, see Step 10 and Step 6.)

Administration of Cisco Prime LAN Management Solution 4.2 5-64 OL-25947-01 Chapter 5 Managing Groups Managing Fault Groups

Table 5-12 Fields on the Rules: Edit Page (continued)

Field/Button Description Check Syntax Verifies that the rule syntax is correct. View Parent Rules Used to view the parent group rules. All parent group rules apply to the subgroups.

Examples of Rules

You want to create a group that contains all interfaces using full duplex mode in the Dallas location. Form the following rule: Interface.Duplex.Mode contains "FULLDUPLEX" AND Location contains “Dallas”

• Interface • Variable—Duplex.Mode • Operator—Contains • Value—“FULLDUPLEX” • Logical Operator—And • Variable—Location • Operator—contains • Value—“Dallas” You want to create a group that contains all of the security and VPN devices in the San Jose location. Form the following rule: SecurityAndVPN.Location contains "SanJose"

• Object Type—SecurityAndVPN • Variable—Location • Operator—Contains • Value—“San Jose” To understand the group rules, see the rules used for system defined groups. These rules appear in the Properties: Details page. For a description of the Properties: Details page, see Viewing Fault Group Details.

Finalizing Fault Group Membership

After the group rules have been defined, they are evaluated, and you can view the group members (except for port and interface groups, which are only used for polling and threshold purposes). In addition, the group membership can be modified by adding or removing specific objects. The group rule will be automatically modified to reflect the objects that were added or removed from the group. You add or remove specific objects from a group membership in the Membership: Edit page of the Create Group Wizard.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-65 Chapter 5 Managing Groups Managing Fault Groups

Viewing the Fault Group Summary

The final step in the Create Group Wizard is viewing a summary page that displays the new group definition. Table 5-13 describes the fields on the Group Summary page of the Group Creation Wizard.

Table 5-13 Fields on the Group Summary Page

Heading/Button Description Group Name Name of the group you are creating. Parent Group Parent group of the group you are creating. Description Text description of the group. Membership Update Automatic (updated whenever the group is accessed) or upon user request (updated only when you click the Refresh button). Rules Rules used to filter group membership. Visibility Scope Setting that determines whether all Cisco Prime users or only the created user can view the group. Polling Overriding Click to display the Preview page. This page displays the priorities of the Group preview Polling Overriding Groups. Threshold Click to display the Preview page. This page displays the priorities of the Overriding Group Threshold Overriding Groups. preview

Viewing Fault Group Details

Information about a group is displayed on the Properties: Details page. To view the Fault group details:

Administration of Cisco Prime LAN Management Solution 4.2 5-66 OL-25947-01 Chapter 5 Managing Groups Managing Fault Groups

Table 5-14 describes the fields on the Properties: Details page.

Table 5-14 Fields on the Properties: Details Page

Heading/Button Description Group Name Name of the group you are viewing. Parent Group Parent group of the group you are viewing. Type Type of the objects that belong to the group. Description Text description of the group. Membership Update Automatic (updated whenever the group is accessed) or upon user request (updated only when you click the Refresh button) Created By Person who created the group. Last Modified By Last person to modify the group. Rules Rules used to filter group membership. View Parent Rules Used to view the parent group rules. All parent group rules apply to the subgroups. Membership Details Used to view the list of devices that belong to the group. Does not apply to port and interface groups. Cancel Closes the page and takes you back to the Group Administration and Configuration page.

Viewing Fault Membership Details

You can view a list of the objects that belong to a group by accessing the Properties: Details page. Membership is not displayed for port and interface groups, which are used only for polling and threshold purposes.

Procedure

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-67 Chapter 5 Managing Groups Managing Fault Groups

Table 5-15 describes the fields on the Membership: Details page.

Table 5-15 Fields on the Membership: Details Page

Heading/Button Description Name Name of the device for which you want to view membership details. Object Type Type of object for which you want to view details. Property Details Takes you back to the Properties: Details page. Cancel Closes the page and takes you back to the Group Administration and Configuration page.

Refreshing Fault Membership

Refreshing a group membership forces the group to recompute its membership by reevaluating its rules and obtaining membership information from the data collectors. Port and interface group membership lists are not supported, because these groups are only used for polling and threshold purposes.

Procedure

Administration of Cisco Prime LAN Management Solution 4.2 5-68 OL-25947-01 Chapter 5 Managing Groups Understanding Collector Group Rules

Deleting Fault Groups

You can only delete user defined groups that are not one of the seven customizable groups.

Procedure

Edit, Refresh, and Delete cause internal processes to start. For this reason, LMS could experience a period of high CPU utilization after these processes are triggered.

Understanding Collector Group Rules

Every group is defined by a set of rules. A rule set contains a Boolean combination of individual rule expressions. You can access the IPSLA Collector groups using either: • Select Admin > System > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears. Or • Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group page appears. Rules are created to filter in the devices that you want to include in the group, and to filter out those that you do not want in the group. While determining the devices that belong to a group, Group Management compares device information to the rule. If the information on a device satisfies all the requirements of the rule, it is placed in the group. The devices are filtered based on the data present in the IPSLA Performance database. One or more rule expressions can be applied to form a rule. Each rule expression contains the following: object type.variable operator value

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-69 Chapter 5 Managing Groups Understanding Collector Group Rules

This section contains: • IPSLA Collector Group Administration Process • Understanding IPSLA Collector Group Administration Table 5-16 lists the various operators that can be used to create rules to group Collectors.

Table 5-16 Understanding Collector Group Rules

Field/Button Description OR, AND, EXCLUDE, Logical operators. INCLUDE • OR—Include objects that fulfill the requirements of either rule. • AND—Include only objects that fulfill the requirements of both rules. • EXCLUDE—Do not include these objects. • INCLUDE— Include these objects The Rule Text field appears only after a rule expression is added. Object Type Type of object (collector) that is used to form a group. Variable Collector components, based on which you can define the group. For more information, see Collector Components. Operator Operator to be used in the rule. The list of possible operators changes based on the Variable selected. When using the equals operator the rule is case-sensitive.

Administration of Cisco Prime LAN Management Solution 4.2 5-70 OL-25947-01 Chapter 5 Managing Groups Understanding Collector Group Rules

Table 5-16 Understanding Collector Group Rules

Field/Button Description Value Value of the rule expression. The possible values depend upon the variable and operator selected. Depending on the operator selected, the value may be free-from text or a list of values. Wildcard characters are not supported. The following are the values for the corresponding operations: • 1 = echo • 2 = pathEcho • 5 = udpEcho • 6 = tcpConnect • 7 = http • 8 = dns • 9 = jitter • 10 = dlsw • 11 = dhcp • 12 = ftp • 14 = RTP • 16 = icmpjitter • 18 = VoipCallSetupPostDialDelay • 19 = VoipGKRegDelay • 1019-Ethernetping • 1020-Ethernetjitter • 1119-EthernetPingAutoIPSLA • 1120-EthernetJitterAutoIPSLA Add Rule Expression Used to add the rule expression to the group rules. Rule Text Displays the rule. Check Syntax Verifies if the rule syntax is correct. Use this button if you have entered the rules manually. View Parent Rules Used to view the parent group rules. All parent group rules apply to the subgroups.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-71 Chapter 5 Managing Groups Understanding Collector Group Rules

Collector Components Table 5-17 lists the available group attributes that you can use for defining the User-Defined groups.

Table 5-17 Collector Components

Component Type Description Source Address Device IP address. Target Address Device IP address. Operation Type All IPSLA operations available for LMS Operation Name Name of a user-defined operation. VRF Name of the VRF (Virtual Routing and Forwarding).

IPSLA Collector Group Administration Process

The IPSLA Collector Group Administration depends on the IPMOGSServer processes. If these processes are not running, then an error message appears: Error in communicating with Group Administration Server. It may be down or not yet up. Please make sure that the Group Administration Server is up and running, then refresh the page. You can resolve this error by starting the IPMOGSServer process. You can start this process using Admin > System > Server Monitoring > Processes. The Process Management page appears with all Cisco Prime processes listed. In the Process Management page, select the IPMOGSServer and click Start.

If the IPMOGS Server is down, do the following: You can start the IPMOGS Server either from the CLI, or from the LMS UI. To start IPMOGS Server from the CLI: Enter NMSROOT/bin/pdexec IPM OGSServer where NMSROOT is the Cisco Prime installation directory. To start IPMOGS server from the LMS UI:

Step 1 Select Admin > System > Server Monitoring > Processes. The Process Management page appears with all Cisco Prime processes listed. Step 2 Select IPM OGSServer in the Process Management dialog box. Step 3 Click Start.

Administration of Cisco Prime LAN Management Solution 4.2 5-72 OL-25947-01 Chapter 5 Managing Groups Understanding Collector Group Rules

If the CMFOGS Server is down, do the following: You can start the CMFOGS Server either from the CLI, or from the LMS UI. To start CMF OGS Server from the CLI: Enter NMSROOT/bin/pdexec CMFOGSServer where NMSROOT is the Cisco Prime installation directory. To start CMFOGS server from the LMS UI:

Step 1 Select Admin > System > Server Monitoring > Processes. Step 2 Select CMFOGSServer in the Process Management dialog box. Step 3 Click Start.

Understanding IPSLA Collector Group Administration

This section explains the various tasks that you can perform on the IPSLA Collector Group Administration. Table 5-18 lists the Fields and buttons available in the Group Administration page.

Table 5-18 IPSLA Collector Group Administration Page

Field/Buttons Description Group Selector Hierarchical display of all available groups. Group Info Displays the following collector group information: • Group Name—The name of the group you selected. • Type—The type of objects in the selected group. • Description—A text description of the group. • Created By—The person who created the group. You can also view the time at which the group was created. • Last Modified By—The last person to modify the group settings. You can also view the time at which the group was modified. Create Starts the Group Creation Wizard for creating a group, as described in the Creating and Modifying User-Defined Collector Groups. Edit Starts the Group Edit Wizard for editing an existing group, as described in the Creating and Modifying User-Defined Collector Groups. Details Opens the Properties: Details page, as described in the Viewing Collector Group Details and Viewing Membership Details. Refresh Refreshes a group membership, as described in the Refreshing User-Defined Collector Group Membership. Delete Deletes a group, as described in the Deleting User-Defined Collector Groups.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-73 Chapter 5 Managing Groups Working with User-Defined Collector Groups

Working with User-Defined Collector Groups

These are collector groups created by the user based on a set of criteria such as operation name, operation type, source address, and target address. For example, if you want to create a location-based collector groups, you must select the devices used by that location and define the collector groups based on the criteria mentioned above. You can perform the following tasks on user-defined collector groups: • Creating and Modifying User-Defined Collector Groups • Deleting User-Defined Collector Groups • Viewing User-Defined Collector Groups • Refreshing User-Defined Collector Group Membership

Creating and Modifying User-Defined Collector Groups

LMS provides a single wizard-based approach that leads you through the procedure to create multiple user-defined collector groups. This wizard process involves the following four steps: 1. Setting Collector Group Properties 2. Defining Collector Group Rules 3. Assigning Collector Group Membership 4. Viewing the Collector Group Summary You must complete all the four tasks in this sequence to create collector groups. If you exit the wizard at any stage using Cancel, the details you have specified will be lost and the collector groups will not be created.

Setting Collector Group Properties

In this step, you can enter the group properties such as name and description, copy the attributes from another group, change the parent group, and modify the parent group and membership update details, if required.

Administration of Cisco Prime LAN Management Solution 4.2 5-74 OL-25947-01 Chapter 5 Managing Groups Working with User-Defined Collector Groups

To set or edit the collector group properties:

Step 1 Either: • Select Admin > System > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears. Or • Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group page appears. Step 2 Select the required group from the Group Selector pane. For example: • If you want to create or edit a group, select the User Defined Group folder from the Group Selector pane. • If you want to create or edit a subgroup, select the required collector group under the User Defined Groups folder. Step 3 You can either: • Click Create to create a group or subgroup. Or • Click Edit to edit a group or subgroup. The Properties page appears. Step 4 Specify the collector group name and description in the Group Name and Description fields. The Group Name must be unique within the parent group. However, you can specify the same name in some other groups. For example, if you already have a group named ‘MyGroup’ in a group named ‘Views’ under User-Defined Groups, you cannot use the same name for another subgroup in the group ‘Views’. However, you can use the name 'MyGroup' for the subgroup of another group in User-Defined Groups. After entering the group name and description, you can either copy the attributes of an existing group to the new group or proceed to Step 5. To copy the attributes of an existing group to the new group, do the following: a. Click Select Group. The Replicate Attributes window appears. b. Select the required collector group from the User Defined Groups folder. c. Click OK. All attributes except the group name are copied to the new group. The parent group you have selected for the group does not change even if you are copying attributes from a group that belongs to a different parent group.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-75 Chapter 5 Managing Groups Working with User-Defined Collector Groups

To change the parent group, do the following: a. Click Change Parent. The Select Parent window appears. b. Select the required group. c. Click OK. The Properties page appears with the new parent group. Step 5 Select the Membership Update and Visibility Scope for the group. For more information, see Table 5-19. Step 6 Click Next. The Rules page appears.

Table 5-19 Setting Collector Group Properties

Field Description Group Name Name of the group you are creating. Copy Attributes from Copy the attributes of an existing group to your new group using Select Group. Group Parent Group Parent group of the group you are creating. You can change the parent group using Change Parent.

Description Text description of the group. Membership Update Group Membership is updated. • Automatic: Updates whenever the group is accessed. • Only Upon User Request: Click Refresh. Visibility Scope • Private Groups: Visible only to users who created the group. • Public: Visible to all users.

Defining Collector Group Rules

In this step, you can define the rules for the collector groups. This rule determines the contents and the collectors to be included in the collector group. This rule allows you to add collectors and VRFname based on the variables such as operation name, operation type, source address, and target address. You can use one or a combination of variables while defining the rule. The collectors that satisfy the rule will be added to the collector group. If you have created the collector group copying the attributes of another group, the rules specified for that group appears in the Rule Text field. You can retain these and add more rules, or delete these rules and create a new set of rules.

Note All rules assigned to a parent group also apply to any of its subgroups.

Administration of Cisco Prime LAN Management Solution 4.2 5-76 OL-25947-01 Chapter 5 Managing Groups Working with User-Defined Collector Groups

In the Rules page, you can either enter the rules directly in the Rule Text field or select the components of the rule from the Rule Expression fields and define a rule. Table 5-20 lists the various Fields and Buttons available in the Rules page.

Table 5-20 Defining Collector Group Rules

Field/Buttons Description OR, AND, EXCLUDE Logical operators. • OR—Include objects that fulfill the requirements of either rule. • AND—Include only objects that fulfill the requirements of both rules. • EXCLUDE—Do not include these objects. The Rule Text field appears only after a rule expression is added. Object Type Type of object (Collector) that is used to form a group. All IPSLA Collector group rule expressions begin with the same Object Type, IPM:Collector Management: Collector. Variable Collector attributes, based on which you can define the group. For more information, see Collector Components. Operator Operator to be used in the rule. The list of possible operators change based on the Variable selected. When using the Equals operator, the rule is case sensitive. Value Value of the rule expression. The possible values depend upon the variable and operator selected. Depending on the operator selected, the value may be free-form text or a list of values. Wildcard characters are not supported. Add Rule Expression Used to add the rule expression to the group rules. Rule Text Displays the rule. Check Syntax Verifies that the rule syntax is correct. Use this button if you have entered the rules manually. View Parent Rules Used to view the parent group rules. All parent group rules apply to the subgroups.

For group rule restrictions and examples, see Understanding Collector Group Rules.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-77 Chapter 5 Managing Groups Working with User-Defined Collector Groups

To define the collector group rules:

Step 1 Either: • Select Admin > System > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears. Or • Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears. Step 2 Select the Object Type from the drop-down list. Step 3 Select the required variables from the Variable drop-down list. You can select one or a combination of variables. The variables available are Operation Name, Operation Type, Source Address, VRF name, and Target Address. For more information, see Table 5-20. Step 4 Select the Boolean operator from the Operator drop-down list. The Boolean operators change based on the variable you have selected. For more information, see Table 5-20. Step 5 Specify the Value for the variable you have selected. Step 6 Click Add Rule Expression. The IPSLA Collector Group Administration creates the rule based on the parameters you specified and adds it to the rules already present in the Rules Text field. You can use the same procedure to add more rules. If you want to delete a rule expression, you have to select the complete expression including the logical operator and press the Delete key on your keyboard. Step 7 Click Check Syntax to validate the rules expression syntax. If the Syntax is correct, a confirmation message appears, The rule syntax is valid. If the Syntax is incorrect, an error message appears with syntax error messages along with the line and column number. Step 8 Click View Parent Rules to view the parent and group rules. Step 9 Click Next. The Membership page appears.

Assigning Collector Group Membership

The Membership page allows you to create a highly customized user-defined collector group. This page lists the collectors in two panes, namely Objects From Parent Group and Objects Matching Membership. • Objects From Parent Group—Lists the collectors in the parent group. • Objects Matching Membership—Lists the collectors that satisfy the rule defined by you. You can add or delete collectors from this pane. You can also add collectors from the parent group to create the collector group.

Administration of Cisco Prime LAN Management Solution 4.2 5-78 OL-25947-01 Chapter 5 Managing Groups Working with User-Defined Collector Groups

To assign collector group membership:

Step 1 Select the required collectors from the Objects From Parent Group pane. Step 2 Click Add. The selected collectors are added to the Objects Matching Membership pane. Step 3 Click Next. The Summary page appears with the User-Defined Group properties.

To remove collectors from the group:

Step 1 Select the required collectors from Objects Matching Membership pane. Step 2 Click Remove. The selected collectors are removed from the Objects Matching Membership pane and added to the Objects From Parent Group pane. Step 3 Click Next. The Summary page appears with the summary of the user-defined collector group.

Viewing the Collector Group Summary

The final step is the Summary page that displays the new group definition as in Table 5-21.

Table 5-21 Understanding Collector Group Summary

Field Description Group Name Name of the group you are creating. Description Text description of the group. Parent Group Parent group of the group you are creating. You can change the parent group using Change Parent. You can select only IPSLA Collector User-Defined groups. You cannot edit this field in the Edit flow. Membership Update Updates group membership. Membership updates can be automatic (updated every time the group is accessed) or upon user request only (updated only when you click Refresh). Rules Rules used to filter group membership. Visibility Scope Describes if the group is public (all users) or private (only for the group owner).

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-79 Chapter 5 Managing Groups Working with User-Defined Collector Groups

To view the collector group summary:

Step 1 Click Finish to complete the procedure for creating collector groups. A confirmation message appears. Step 2 Click OK. You can view the newly created user-defined collector group in the Group Selector pane. Or Click Back to modify the group properties.

Deleting User-Defined Collector Groups

In the The IPSLA Collector Group Administration page, you can use the Delete option to delete the user-defined collector groups. During the deletion process, only the collector group is deleted , and the associated collectors are not deleted. You cannot delete the system-defined collector groups. To delete user-defined collector groups:

Step 1 Select the group for which you want to view details from the Group Selector pane. Step 2 Click Delete. A confirmation message appears.

Viewing User-Defined Collector Groups

This section explains how to view the group and membership details and refresh the same. • Viewing Collector Group Details • Viewing Membership Details • Refreshing User-Defined Collector Group Membership

Viewing Collector Group Details

The Property Details page displays the group details. To view the collector group details:

Administration of Cisco Prime LAN Management Solution 4.2 5-80 OL-25947-01 Chapter 5 Managing Groups Working with User-Defined Collector Groups

Step 2 Select the group for which you want to view details from the Group Selector pane. Step 3 Click Details. The Property Details page appears. For more information, see Table 5-22.

Table 5-22 Viewing Collector Group Details

Field/Button Description Group Name Name of the group you are viewing. Parent Group Parent group of the group you are viewing. Type Type of the objects that belong to the group. Description Text description of the group. Membership Update How group membership is updated. Created By Person who created the group. This also displays the time at which it was created. Last Modified By Last person to modify the group. This also displays the time at which it was modified. Rules Rules used to filter group membership. Visibility Scope Indicates whether the group is Public (visible to all users) or Private (visible only for the group owner). View Parent Rules Allows you to view the parent group rules. All parent group rules apply to the subgroups. Membership Details Allows you to view the membership details. Cancel Takes you back to the Group Administration page.

Viewing Membership Details

The Property Details page allows you to view a list of the objects that belong to a group. To view the membership details:

Step 1 Either: • Select Admin > System > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears. Or • Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears. Step 2 Select the group for which you want to view details from the Group Selector pane. Step 3 Click Details. The Property Details page appears.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-81 Chapter 5 Managing Groups Working with User-Defined Collector Groups

Step 4 Click Membership Details. The Membership Details page appears. For more information, see Table 5-23.

Table 5-23 Viewing Membership Details

Field/Button Description Name Name of the device. Object Type Type of object. Property Details Takes you back to the Property Details page. Cancel Takes you back to the Group Administration page.

Refreshing User-Defined Collector Group Membership

Refreshing a group membership forces the group to recompute its membership by reevaluating its rules and obtaining membership information from the data available. To refresh the membership of the group:

Step 1 Either: • Select Admin > System > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears. Or • Select Inventory > Group Management > IPSLA Collector. The IPSLA Collector Group Administration page appears. Step 2 Select the group for which you want to view details from the Group Selector pane. Step 3 Click Refresh to refresh the membership of the selected group. The Refresh Group Confirmation dialog box appears. Step 4 Click OK. A message appears that the selected group membership has been refreshed. Or Click Cancel to return to the Group Administration page.

Administration of Cisco Prime LAN Management Solution 4.2 5-82 OL-25947-01 Chapter 5 Managing Groups Operation-Based Collector Groups (System-Defined)

Operation-Based Collector Groups (System-Defined)

The operation-based collector groups are predefined groups available with IPSLA module in LMS by default. They are also referred as system-defined collector groups. The various operation-based collector groups available are Echo, Path Echo, UDP Echo, ICMP Jitter, UDP Jitter, Call Setup Post Dial Delay, Gatekeeper Registration Delay, RTP, DNS, DHCP, HTTP, FTP, DLSW, TCP Connect, Ethernet Jitter, Ethernet Ping, Ethernet Jitter Auto IP SLA and Ethernet Ping Auto IP SLA. You can perform the following tasks on operation-based collector groups: • Viewing Operation-Based Collector Details • Refreshing Operation-Based Collector Groups To view the details of an operation-based collector group:

To refresh the membership of an operation-based group:

Step 1 Select the group for which you want to view details from the Group Selector pane. Step 2 Click Refresh to refresh the membership of the selected group. The Refresh Group Confirmation dialog box appears. Step 3 Click OK. A message appears that the selected group membership has been refreshed. Or Click Cancel to return to the Group Administration page.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 5-83 Chapter 5 Managing Groups Operation-Based Collector Groups (System-Defined)

Administration of Cisco Prime LAN Management Solution 4.2 5-84 OL-25947-01

CHAPTER 6

Administering Data Collection

Data Collection runs automatically when you add, or delete devices in the Unified Device Manager (UDM). This section explains: • Modifying Data Collection SNMP Timeouts and Retries. • Scheduling Data Collection. • Data Collection Critical Device Poller. • Compliance and Audit Settings

Modifying Data Collection SNMP Timeouts and Retries

You can modify the SNMP timeouts and retries when Data Collection fails for a particular device with SNMP timeout exceptions. The SNMP fallback methodology applicable for Data Collection, UT Acquisition, and Dynamic UT is as follows: • If you have configured a device with SNMP v2 or v1 settings in DCR, then the device is initially queried with SNMP v2. If the query fails, LMS will query the device with SNMP v1. • If you have configured a device with SNMPv3 settings in DCR, then the device is queried with SNMP v3. However, if the query fails, the same device will not be queried with SNMP v2 or v1. To modify SNMP timeouts and retries:

Step 1 Select Admin > Network > Timeout and Retry Settings > Data Collection SNMP Timeouts and Retries. The SNMP Timeouts and Retries dialog box appears. Step 2 Modify the SNMP settings as given in Table 6-1.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 6-1 Chapter 6 Administering Data Collection Modifying Data Collection SNMP Timeouts and Retries

Table 6-1 Modify Data Collection SNMP Timeouts and Retries

Field Description Target Denotes the Target device. You should enter IPv4 or IPv6 address of the target device in this field. You can also use wildcard characters or range of numbers to specify the target device. For example, you can enter 10.[77-78].*.* or ABCD:EF12:*:*:*:*:[3A-BB] as the target device Timeouts Time period after which the query times out. This also indicates the time interval between the request and the first initial response from the device. The SNMP response may be slow for remote devices. If your network has remote devices connected over a slow link, configure a higher value for time-out. If timeout is increased, discovery time could also increase. Enter the value in seconds. For every retry, the timeout value is doubled. For example, If the timeout is 10 seconds and retries 4: LMS waits for 10 seconds for response for the first try, 20 seconds for the second retry, 40 seconds for the third retry and 80 seconds for the fourth retry. 150 seconds (10+20+40+80) is the total time lapse after which LMS stops querying the device. Retries Number of attempts made to query the device. The allowed range is 0-8.

Step 3 Click Add to add SNMP settings. Step 4 Select a row and either: • Click Edit to edit the timeouts and retries values. Or • Click Delete to delete the timeouts and retries values. Click OK to save the changes or click Cancel to exit. Step 5 Click Apply.

Administration of Cisco Prime LAN Management Solution 4.2 6-2 OL-25947-01 Chapter 6 Administering Data Collection Scheduling Data Collection

Scheduling Data Collection

Data Collection runs automatically when you add, or delete devices in the Unified Device Manager (UDM). You can also schedule the day and time of data collection using this feature. You can start data collection immediately for all or failed devices and schedule data collection for all devices. All devices is a default option. You can select the Failed devices option to run data collection for failed devices. To schedule data collection:

Step 1 Select Admin > Collection Settings > Data Collection > Data Collection Schedule. The Data Collection Schedule dialog box appears. Step 2 Modify the data collection settings as described in Table 6-2.

Table 6-2 Data Collection Schedule Settings

Field Description Usage Notes Schedule Days, Hour, Min Days on which and the time at The optimum data collection schedule depends which data collection is on the size of the network and the frequency of scheduled. network changes. The default data collection schedule is every 4 hours, on the 4-hour mark, daily: 04.00, 08.00, 12.00, 16.00, 20.00, 24.00 Note that time is in the 24-hour format.

• Select a schedule and click Edit to edit the schedule. • Select a schedule and click Delete to delete the schedule. • Click Add to add a new schedule. Step 3 Click OK to save the changes or click Cancel to exit.

Best Practices Be cautious while scheduling Data Collection: • Data Collection consumes significant resources on the network management system. • Use the Polling option to see the device and link status without running data collection. For more details on polling see, Data Collection Critical Device Poller

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 6-3 Chapter 6 Administering Data Collection Data Collection Critical Device Poller

Data Collection Critical Device Poller

LMS polls the entire network for device and link status periodically.This feature allows you to: • Configure the time interval at which the network is polled. • Poll only a critical set of devices. Use this option to see the device and link status without running Data Collection. Since Data Collection consumes significant system resources, you can simply poll the network and view the device and link status in Topology maps.

Adding Critical Devices to the Device Poller To add a device to the Critical Devices list from Topology Map:

Step 1 Launch a Topology map. Step 2 Right click a device and select Add device to Critical Poller.

To add a device to the Critical Devices list from N-Hop View Portlet:

Step 1 Launch N-Hop View Portlet. Step 2 Go to the configuration screen and select Poll devices.

Caution If the critical set of devices is more than 30, the amount of traffic generated as part of the polling cycle will use a large amount of bandwidth.

To configure Device Poller:

Step 1 Select Admin > Collection Settings > Data Collection > Data Collection Critical Devices Poller. The Device Poller screen appears. Step 2 Configure the device poller options as specified in Table 6-3.

Table 6-3 Device Poller Options

Field Description Usage Notes Polling Details All Devices Specifies that all devices in the network will By default the whole network is polled every 2 be polled at the specified interval. hours. Critical Devices Specifies that only critical devices in the You can configure this option when you need to network will be polled at the specified poll a few devices in the network more frequently. interval. By default, the critical devices are polled every five minutes.

Administration of Cisco Prime LAN Management Solution 4.2 6-4 OL-25947-01 Chapter 6 Administering Data Collection Compliance and Audit Settings

Table 6-3 Device Poller Options

Field Description Usage Notes Time Interval Time interval at which the specified devices Configure this option to change the interval from are polled. the default value. The time interval is added to the completion time of Data Collection. For example, you have configured the following: • Data Collection is scheduled to run at 07:00 hours • Time interval is set to 4 hours. If Data Collection completes at 08:00 hours, the next polling will happen at 12:00 hours (8 + 4). Show Devices For Critical Devices: The following information about the Critical Devices is displayed: Displays the list of critical devices in the network. • IP Address • DeviceName You can choose any device and click Delete to remove it from the Critical Device poller list. For All Devices: The following information about the devices in the Launches the Data Collection report. network is displayed: • IP Address • DeviceName • DeviceType • Neighbors

Step 3 Click Apply to save the configuration.

Compliance and Audit Settings

The following topics are discussed in this section: • Compliance Data Collection • Import Contracts • Import Policy Updates

Compliance Data Collection

The Compliance Data Collection allows you to schedule the Compliance Data Collection System Job.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 6-5 Chapter 6 Administering Data Collection Compliance and Audit Settings

The Compliance Data Collection job runs daily by default. The user can schedule a Compliance Data Collection Job. To schedule a Compliance Data Collection System Job do the following:

Step 1 Select Admin > Compliance and Audit Settings > Compliance Data Collection > Compliance Data Collection System Job Schedule. The Compliance Data Collection System Job Schedule page appears. Step 2 Enter the information required to scheule a Compliance Data Collection System Job

Field Description Job Type Command Output Collection Job . Scheduling Run Type Specifies the type of schedule for the job: • Daily—Runs daily at the specified time. • Weekly—Runs weekly on the day of the week and at the specified time. • Monthly—Runs monthly on the day of the month and at the specified time. For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. Date 1. Enter the start date in the dd mmm yyyy format, for example, 06 Oct 2011, or click on the calendar icon and select the date. 2. Enter the start time by selecting the hours and minutes from the drop-down list. Job Info Job Description The default job description is, System-defined job for Compliance data Collection. E-mail Enter e-mail addresses to which the job sends messages when the job has run. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender’s address,

Step 3 Click Apply. The scheduled job appears in the Compliance Data Collection Jobs.

Administration of Cisco Prime LAN Management Solution 4.2 6-6 OL-25947-01 Chapter 6 Administering Data Collection Compliance and Audit Settings

Compliance Data Collection Jobs

The Compliance Data Collection Jobs enables you to view the status of all the Compliance Data collection jobs.

Table 6-4 List of Compliance Data Collection Jobs

Column Description Job ID Unique number assigned to this task at scheduling time. This number is never reused. There are two formats: • Job ID: Identifies the task. This does not maintain a history. For Example:1002 • JobID.Instance ID: Here, in addition to the task, the instance of the task can also be identified. For example: 1002.1, 1002.2 Status Provides the status of the current jobs. The status of the current jobs is displayed as succeeded or failed. It also displays the failure reasons. Description Description of the job. Owner Username of the job creator. Job Type Type of job e.g. system compliance. Scheduled At Date and time at which the job was scheduled. Completed At Date and time at which the job was completed. Schedule Type Frequency of the job. This can be: • Daily • Weekly • Montly. Work Order Displays information about the Job Description, Owner, Schedule Type, Schedule Time, E-mail Notification, E-mail IDs and Devices List. Device Details Displays the Device IP, Job Status and Message Summary. Job Summary Displays the Job Status, Job Message, Start Time, End Time and Device Updates.

Import Contracts

The Import Contracts enables you to import customer contracts into the Compliance and Audit Manager Database. The contract summary report can be generated only after importing contracts into the Compliance and Audit Manager Database.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 6-7 Chapter 6 Administering Data Collection Compliance and Audit Settings

The following steps should be performed for importing contracts into the Compliance and Audit Manager Database:

Step 1 Go to http://apps.cisco.com/CustAdv/ServiceSales/contract/viewContractMgr.do?method=viewContractMgr.

Note Open the link in Internet Explorer and use your Cisco.com credentials.

Step 2 A contract Manager screen listing the contracts associated with your Cisco.com ID appears.

Note If you do not see the contracts then there are no contracts associated with your Cisco.com ID. Open a case with Cisco to get access to your contracts.

Step 3 Select Download Contract or Selected Data option from the Action drop-down menu. Step 4 Select the contracts from the Contract Table. Step 5 Click Go. A Download Contract or Selected Data window appears Step 6 In the Download Contract or Selected Data window, perform the following: a. Select Products + Configurations. b. Click Save Now radio button, to save a Zip file containing a CSV file in your local system. c. Click Send by Email to radio buttion, to receive a zip file containing a CSV file by Email. Step 7 Go to Import Contracts page and Click Browse to select the downloaded contract file from your local system. Step 8 Click Import Contracts File to import the contracts file into the Compliance Engine.

Import Policy Updates

The Import Policy Updates allows a user to manually download policy updates patch file from cisco.com. The following steps should be performed for manually downloading the policy updates patch file from Cisco.com and importing the downloaded policy patch file into the Compliance and Audit Manager Engine:

Step 1 Go to Admin > Compliance and Audit Settings > Import Policy Updates Step 2 In Cisco.com, navigate to Home > Products > Cloud and Systems Management > Routing and Switching Management > Cisco Prime LAN Management Solution > Cisco Prime LAN Management Solution 4.2 > Compliance Policy Updates. Step 3 You will be prompted to enter your Cisco.com credentials. Step 4 Login using your Cisco.com credentials to open the LMS Compliance Policy Updates page in the browser.

Administration of Cisco Prime LAN Management Solution 4.2 6-8 OL-25947-01 Chapter 6 Administering Data Collection Compliance and Audit Settings

Step 5 Download the CompliancePolicyUpdates.vX-y.jar patch file, where X is the major version and y is the minor version. Step 6 Save the CompliancePolicyUpdates.vX-y.jar patch file in your local system. Step 7 Go to Import policy updates page and click Browse to select the downloaded CompliancePolicyUpdates.vX-y.jar file from your local system Step 8 Click Import Policy Updates to import the CompliancePolicyUpdates.vX-y.jar patch file into the Compliance Engine. A message appears indicating the successful importing of policy into the Compliance Engine.

Note Ensure that the CAAM Server process is re-started to effect the changes.

Restarting CAAM server from User Interface Perform the following to restart CAAM server from user interface:

Step 1 Go to Admin > System > Server Monitoring > Processes. The Process Management page appears. Step 2 Select CAAM Server from the Process Management Grid and click stop. Step 3 After the CAAM server stops, click start to restart the CAAM server.

Restarting CAAM server from CLI Perform the following to restart the CAAM Server from CLI:

Step 1 Enter NMSRoot/bin/pdterm CAAMServer to stop the CAAM server. Step 2 Enter NMSRoot/bin/pdexec CAAMServer to start the CAAM server. where NMSROOT is the root directory of the LMS Server.

Note The policy updates patch file can be automatically downloaded and posted into the CAAM server by scheduling a system defined job under Admin > Network > Compliance Policy/PSIRT/EOS/EOL Settings.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 6-9 Chapter 6 Administering Data Collection Compliance and Audit Settings

Administration of Cisco Prime LAN Management Solution 4.2 6-10 OL-25947-01

CHAPTER 7

User Tracking and Dynamic Updates

User Tracking application of LMS allows you to track end stations. This chapter contains the following sections: • Understanding User Tracking • Using User Tracking Administration • Understanding Dynamic Updates • Using User Tracking Utility

Understanding User Tracking

User Tracking helps you to locate and track the end hosts in your network. In this way, you get the information required to troubleshoot and analyze connectivity issues. The application identifies all end users connected to the discovered Cisco access layer switches on the network, including printers, servers, IP phones PCs and wireless hosts. User Tracking collects the details of the end users and the layer 2 connections, and updates User Tracking table in the LMS database. This is done through automated polling of the network, by User Tracking (UT) Major Acquisition process. In addition to polling the network, the Dynamic UT process receives details from the end users and updates the database dynamically. User Tracking also computes subnet related data and updates the database with complete host information. Thus you get latest information about the changes in the connections on your network. You can also configure User Tracking to collect usernames of the end hosts connected in the network. The user names are collected from the UTLite process installed in UNIX hosts, Primary Domain Controller (PDC), or Novell Directory Services (NDS). This makes it easier for you to locate and track specific users in your network. You can sort and query the User Tracking table that contains details such as VLANs, switches and switch ports to which the end users are connected. Predefined reports such as the reports on duplicate IP addresses or MAC addresses, multiple MAC addresses enable you to accurately locate the end users. Switch Port reports give you information on: • Recently down ports • Ports that are in unused condition for the specified interval • Connected ports and Free ports • Percentage utilization of ports for each device

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-1 Chapter 7 User Tracking and Dynamic Updates Understanding User Tracking

These reports give a clear picture of the switch port utilization in the network and help you in doing capacity planning for the network. To generate Switch Port reports Select Reports > Switch Port from the megamenu. This topic covers: • Using User Tracking • Accessing UT Data • Various Acquisitions in User Tracking

Using User Tracking

You can use User Tracking to: • Display information about the connectivity between the devices, users, and hosts in your network. For example, you might want to identify all users connected to a particular subnet, or all hosts on a particular switch. • Display information about the IP phones registered with discovered Media Convergence Servers. • Use simple queries to limit the amount of information User Tracking displays. • Configure or limit the User Tracking acquisition by subnets. • Create and save simple and advanced queries. • Modify, add, and delete username and notes. You can configure User Tracking Acquisition settings to collect usernames during UT Major Acquisition and update the UT table. The user names are collected from the UTLite process. • Customize User Tracking table layouts. For example, you can design a layout that displays only the MAC addresses of hosts on your network. • View User Tracking reports that identify Switch Port usage, duplicate IP addresses, duplicate MAC addresses, duplicate MAC and VLAN names, and ports with multiple MAC addresses. You can also view History Reports for Switch port utilization, and the connection and disconnection of endhosts and users from your network. You can set the schedule for generating the reports, and also generate the reports for a subset of devices. • Launch Device Center, host center, phone center.

Accessing UT Data

The following are the ways to access User Tracking data:

Quick Reports You can generate End hosts or IP Phones report based on the given filter criteria For example, you can generate reports on end hosts that belong to a specific VLAN. To generate these reports, Select Reports > Inventory > User Tracking > Quick Report.

Administration of Cisco Prime LAN Management Solution 4.2 7-2 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Understanding User Tracking

Scheduled Reports You can schedule reports that run at the specified date and time. You can generate immediate reports or schedule them to run once or at repetitive intervals.

Custom Reports You can customize the layout and columns displayed in the reports to suit your needs. To generate these reports select Reports > Report Designer > User Tracking > Custom Reports.

Command Line Interface You can generate various User Tracking reports from the Command Line Interface also. For more details, see User Tracking Command Line Interface.

Data Extraction Engine Data Extraction Engine is a LMS UTility that allows you to generate User Tracking data in XML format. For more details, see Overview of Data Extraction Engine.

User Tracking Utility Cisco Prime User Tracking Utility 2.0 is a Windows desktop utility that provides quick access to useful information about users or hosts discovered by LMS User Tracking application. You can use UTU search band to search for the users or hosts in your network. You can search using user name, host name or IP address, or MAC address.

Various Acquisitions in User Tracking

This section explains the various acquisitions that can be done using LMS, to get information about the end users.

User Tracking Major Acquisition Discovers all the end hosts that are connected to the devices managed by LMS. For details on the various options that can be set before starting an acquisition, see Modifying UT Acquisition Settings. User Tracking Acquisition can also be initiated from the CLI prompt. To do so, enter the following command: NMSROOT/campus/bin/ut –cli performMajorAcquisition –u userid -p password where NMSROOT is the directory where you have installed Cisco Prime. For more details, see User Tracking Command Line Interface.

User Tracking Minor Acquisition Minor acquisition occurs on a device if any of the following changes take place: • A new endhost or IP phone is added to the network. • Port state changes (when the port comes up or goes down). • A new VLAN is added to the network. • There is a change in the existing VLAN.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-3 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Minor acquisition updates the LMS database with just the changes that have happened in the network. It is triggered at regular intervals. The default for these intervals is 60 minutes. You can configure the interval at which the acquisition takes place. For details on modifying the acquisition interval, see Modifying UT Acquisition Schedule

User Tracking IP Phone Acquisition Discovers all phones registered in Cisco Call Managers (CCM), that are managed by LMS.

Subnet based User Tracking Major Acquisition User tracking subnet based acquisition would run only on those subnets that are configured in LMS. LMS discovers end hosts on all the VLANs available in the configured subnets. Do subnet based acquisition, when you need details about the end hosts connected to a particular subnet or a select set of subnets. The acquisition completes faster, since it is not run on all devices managed by LMS. For details on running subnet based acquisition, see Configuring UT Subnet Acquisition

Single device on-demand User Tracking Acquisition This discovers the end hosts on all the VLANs available in the selected device. Hence this acquisition is useful for collecting information only on end hosts connected to the specified device. For details on initiating this type of acquisition, see Configuring User Tracking Acquisition Actions

Using User Tracking Administration

You can perform the following administrative tasks using User Tracking Administration: • Modify Acquisition settings. Before you start collecting information about the hosts in your network, you can set various options that control the way in which Acquisition happens. For example, you can set LMS to perform DNS lookup, while resolving the IP address of a host. For complete details, see Modifying UT Acquisition Settings • Schedule Acquisition. You can set the day and time of the week when you want to run Major Acquisition. The time interval at which Minor Acquisition happens in the network can also be set. For more details, see Modifying UT Acquisition Schedule • Configure Ping Sweep options for Acquisition. You can configure LMS to perform Ping Sweep on selected subnets, during Acquisition. For more details, see Modifying Ping Sweep Options • Configure Subnet Acquisition. You can trigger acquisition on a single subnet or a select set of subnets. Subnet based acquisition collects details about the end hosts that are connected to a particular subnet or a select set of subnets. This Acquisition completes faster, since it is not run on all devices managed by LMS. For more details, see Configuring UT Subnet Acquisition

Administration of Cisco Prime LAN Management Solution 4.2 7-4 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

• Configure end host and IP phone data delete interval. You can modify the time interval for deleting entries from the End Host Table, IP Phone Table, or the History Table from the database. For more details, see Deleting User Tracking Purge Policy Details • Configure UT Acquisition to discover end hosts connected to non-link trunk ports. Normally UT Acquisition only discovers end hosts that are connected to access ports. If you enable this feature, UT Acquisition also discovers end hosts that are connected to non-link trunk ports. For more details, see Configuring UT Acquisition in Trunk for End Host Discovery • Specify Purge Policy. You can specify the intervals at which you want old reports and jobs to be purged. You can save the Purge Policy, so that the older jobs and archives are purged at the specified interval. For more details, see Specifying User Tracking Report Purge Policy • Specify Domain Name display. You can specify the way in which domain names are to be displayed in User Tracking Reports. For more details, see Specifying Domain Name Display. • Import information on end hosts. You can import user names and notes of end hosts that are already discovered by User Tracking, from a file. For more details, see Importing Information on End Host Users • Enable Dynamic User Tracking. Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps. LMS tracks changes about the end hosts and users on the network to provide real-time updates, based on these traps. For more details, see Understanding Dynamic Updates • Enable Debugging options. When you face issues in running User Tracking, logging can be enabled for debugging purposes. For more details, see Debugging Options for User Tracking Server and Debugging Options for User Tracking Reports

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-5 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Viewing User Tracking Acquisition Information

You can view acquisition information. To view acquisition information:

Step 1 Either: • Select Admin > Collection Settings > User Tracking > Acquisitions Info. Or • Select Inventory > User Tracking Settings > Acquisition Summary. The acquisition information appears with the following information:

Field Description Acquisition status Status of the User Tracking Major Acquisition process. It can be either Idle or Running. Last acquisition type Type of User Tracking acquisition that you had performed last time. Types of acquisition are: • Major—User Tracking Major Acquisition • Devices—User Tracking Acquisition for a device • Subnets—User Tracking Acquisition for subnets • IP Phones—User Tracking Acquisition for IP phones Acquisition start time Date and time at which User Tracking started the Acquisition process. This is displayed in the format dd mon yyyy hh:mm:ss. Acquisition end time Date and time at which User Tracking stopped the Acquisition process. This is displayed in the format dd mon yyyy, hh:mm:ss time zone. Number of acquisitions Number of major and minor acquisitions performed. Number of host entries Number of hosts found after User Tracking acquisition. Number of duplicate MAC Number of MAC addresses that have duplicate entries in the list of hosts found. Number of duplicate IP Number of IP addresses that have duplicate entries in the list of end hosts found. Number of CCM hosts Number of Cisco CallManagers in the list of devices found after Data Collection. Number of IP phone entries Number of IP phones available in the LMS managed network. Last Campus data collection Date and time of the previous LMS Data Collection process. This completed at is displayed in the following format: dd mon yyyy hh:mm:ss time zone. Data collection status Status of the LMS Data Collection process. It can be either Idle or Running.

Administration of Cisco Prime LAN Management Solution 4.2 7-6 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Configuring User Tracking Acquisition Actions

You can trigger the following acquisitions from this page: • Device based Acquisition • Subnet based Acquisition • IP Phone Acquisition To configure the required acquisition:

Step 1 Either: • Select Admin > Collection Settings > User Tracking > Acquisition Action. Or • Select Inventory > User Tracking Settings > Acquisition Actions. The Acquisition Actions dialog box appears. Step 2 Configure Acquisition Actions as specified in Table 7-1.

Table 7-1 Acquisition Actions

Field Description Usage Notes Select a type You can select the type of acquisition. Type When you select a type of acquisition the appropriate of acquisition can be: fields are displayed. • Device • Subnet • IP Phones Scope Selection Select the All hosts and users check box to If you do not select the All hosts and users check box, the acquire information about all hosts and device selection field is enabled and you can enter the users in your network. name or IP address of the device for which you require data. Device Selection Device Name or IP Enter the name or IP address of the device Click Select to select the device from the list of available Address about which data is to be acquired. devices. Subnets Type Selection You can choose to get data about a particular If you choose to acquire data about a particular subnet, the subnet or about all the configured subnets. subnet selection fields are enabled. Subnet Selection Subnet ID Select the IDs of the subnets on which you This field is enabled only if you select the Subnet option need to get data. in the Type Selection area. Click Select to select the subnet ID from the list of available subnets.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-7 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Table 7-1 Acquisition Actions (continued)

Field Description Usage Notes Subnet Mask Enter the subnet mask. If you select the subnet ID, the subnet mask is automatically entered. Acquire Only Select this check box to get data only about • If you select this check box, only the work stations VLAN Specific to the VLANs specific to the subnet. associated with the VLANs that are mapped to the Subnet selected subnets will be acquired. • If you do not select this check box, work stations associated with all the available VLANs in the selected subnets will be acquired.

You do not have to specify any details for the IP Phones option. Step 3 Click Start Acquisition.

Using User and Host Acquisition

You can modify the Acquisition settings and Acquisition schedule using the User and Host Acquisition option. This section contains: • Modifying UT Acquisition Settings • Configuring Rogue MAC List • Modifying UT Acquisition Schedule • Modifying Ping Sweep Options • Configuring UT Subnet Acquisition • Deleting User Tracking Purge Policy Details • Configuring UT Acquisition in Trunk for End Host Discovery • Specifying User Tracking Report Purge Policy • Importing Information on End Host Users

Modifying UT Acquisition Settings

You can modify User Tracking Acquisition settings. This section contains: • Modifying Acquisition Settings from UI • UT Behaviour in DHCP Environment for Missing IP address • Configuring Properties That Support Duplicate MAC Addresses • Configuring User Tracking Properties from the Backend

Administration of Cisco Prime LAN Management Solution 4.2 7-8 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Modifying Acquisition Settings from UI To modify acquisition settings:

Step 1 Select Admin > Collection Settings > User Tracking > Acquisition Settings. The Acquisition Settings dialog box appears. Step 2 Modify the acquisition settings as specified in Table 7-2.

Table 7-2 Acquisition Settings Field Description

Field Description Usage Notes Enable User Tracking for Enables User Tracking for DHCP If you enable this property, it allows you to control DHCP Environment Environment. inclusion and exclusion of Duplicate MAC addresses in the Acquisition. To understand the behavior of User Tracking in case of missing IP address, see UT Behaviour in DHCP Environment for Missing IP address. For details on properties that support Duplicate MAC addresses, see Configuring Properties That Support Duplicate MAC Addresses. Enable User Tracking on Enables User Tracking on Access This is enabled by default and allows UT Major Acquisition Access Points Points process to collect Access point information. However, WlseUHIC cannot collect Wlse related end host information. If disabled, it precludes Access point acquisition. However, WlseUHIC collects Wlse related end host information. Get user names from Select this option to allow Collects information only for users, who are logged into the UNIX hosts Acquisition to collect the active console port of the UNIX hosts. usernames of UNIX hosts. UNIX user names are updated at the end of major acquisitions. Get user names from hosts Allows LMS to collect active user This option helps you to: in NT and NDS names on the Windows or Novell • Collect information only for users who are currently Directory Service (NDS) servers. logged into the network. • Collect information from NDS hosts. You must use NDS 5.0 or later. For this option you need to install the UTLite script.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-9 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Table 7-2 Acquisition Settings Field Description (continued)

Field Description Usage Notes Use DNS to resolve host Resolves host names using DNS. User Tracking performs DNS Lookup for a host to resolve names its IP address. When you choose this option the Advanced button is enabled. Click on this to launch the Advanced UT Acquisition Settings window. The following options are available: • DNS threads Number of parallel threads allowed for name resolution. The default value is 1. Maximum number of threads allowed is 12. • DNS Timeout Time duration for which UT waits for a response from the DNS server, for name resolution. The value should be entered in milli seconds. The default value is 2000 milliseconds (2 seconds). Enter values and click OK to save changes. User Port Number Specify the UDP port number from You must use the default port number unless it is already in where logon and logoff messages use. This port number must match the port indicated in the are received from hosts in login script. Windows and NDS. Rogue MAC Detection Enable notification when Rogue LMS sends e-mails to the specified addresses, when MACs are detected in the network. unauthorized end hosts are detected in the network. E-Mail Specify the E-mail IDs to be You can enter multiple E-mail IDs separated by commas. notified when Rogue MACs are This field is enabled only when you check the Rogue MAC detected in the network. Detection field. Define Rogue MACs Specify the list of Rogue MACs in For details, see Configuring Rogue MAC List. the screen that is launched. New MAC Detection Enable notification when new LMS sends e-mails to the specified addresses, when new MACs are detected in the network. end hosts are detected in the network. E-Mail Specify the E-mail IDs to be You can enter multiple E-mail IDs separated by commas. notified when new end hosts are This field is enabled only when you check the New MAC detected in the network. Detection field.

Step 3 Click Apply to save the modifications in the settings. Step 4 Click Start Acquisition to start User Tracking Acquisition with the modified settings.

Administration of Cisco Prime LAN Management Solution 4.2 7-10 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

UT Behaviour in DHCP Environment for Missing IP address Selecting the Enable User Tracking for DHCP Environment property allows you to control inclusion and exclusion of Duplicate MAC addresses in UT Acquisition. LMS will not get the IP address of end hosts, if the Router is not reachable or if it is excluded from DCR. In such cases, behaviour of User Tracking after enabling Enable User Tracking for DHCP Environment property, is explained in Table 7-3. The conventions used in Table 7-3 are: • MACx — MAC address of the endhost • IPx — IP address of the endhost • Device x — Device to which the end host is connected. • Time in xx:xx format — Time entries in the Last seen column • NA — Not Available.

Note The explanation given for scenarios 1 and 2 holds good, irrespective of the value set for Enable User Tracking for DHCP Environment property.

Table 7-3 UT Behaviour in DHCP Environment for Missing IP address

Scenario Explanation What gets Updated in Database Scenario1: Missing IP Address MAC1 NA Device 1 6:35 For an endhost, if the IP address is MAC1 IP1 Device 1 6:40 MAC1 IP1 Device 1 6:40 not available in the first UT acquisition, but is available in the next, the IP address field in the database is updated with the value that is currently discovered. Scenario 2: Missing IP Address MAC1 IP1 Device 1 6:45 For an endhost, if the IP address is MAC1 IP1 Device 1 6:50 MAC1 NA Device 1 6:50 available in the first UT acquisition, but is not available in the next, the older value for IP address is retained in the database. Scenario 3: Single MAC, Multiple IP Addresses MAC1 IP1 Device 1 6:55 For an endhost with Single MAC MAC1 IP1 Device 1 7:00 MAC1 IP2 Device 1 6:55address but multiple IP addresses, if MAC1 IP2 Device 1 7:00 UT does not get the IP address in MAC1 IP3 Device 1 6:55the current acquisition, it retains the MAC1 IP3 Device 1 7:00 MAC1 NA Device 1 7:00 older values in the database. Scenario 4: Dynamic change in IP Address

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-11 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Table 7-3 UT Behaviour in DHCP Environment for Missing IP address

Scenario Explanation What gets Updated in Database MAC1 IP1 Device 1 4:00 MAC1 IP1 Device 1 4:00 MAC1 IP2 Device 1 5:00For an endhost with different IP MAC1 IP2 Device 1 5:00 MAC1 IP3 Device 1 6:00addresses at different points of MAC1 IP3 Device 1 7:00 time, if UT does not get the IP MAC1 NA Device 1 7:00 address in the current acquisition, it retains the value that was last discovered. Scenario 5: Endhost moving between devices MAC1 IP1 Device 1 4:00 When an end host moves between MAC1 IP1 Device 1 6:00 MAC1 IP1 Device 2 5:00 devices, if UT does not find the IP address in the current acquisition, it MAC 1 NA Device 1 6:00 retains the IP address value that was last discovered for that device.

Configuring Properties That Support Duplicate MAC Addresses The following properties can be configured in the ut.properties file stored in NMSROOT/campus/etc/cwsi/ where NMSROOT is the root directory where you installed Cisco Prime. Table 7-4 lists the properties that support Duplicate MAC Addresses

Table 7-4 Properties Supporting Duplicate MAC Addresses

Property Description UT.DuplicateMac.Include_SwitchPorts List of switchports connected to endhosts, for which duplicate MAC entries need to be included in UT Major, UT Minor, UT device based, and UT subnet based Acquisition. UT.DuplicateMac.Exclude_SwitchPorts List of switchports connected to endhosts, for which duplicate MAC entries need to be excluded in UT Major, UT Minor, UT device based, and UT subnet based Acquisition. UT.DuplicateMac.Include_Switches List of switches connected to end hosts, for which duplicate MAC entries need to be included in UT Major, UT Minor, UT device based, and UT subnet based Acquisition. UT.DuplicateMac.Exclude_Switches List of switches connected to end hosts, for which duplicate MAC entries need to be excluded in UT Major, UT Minor, UT device based, and UT subnet based Acquisition. UT.DuplicateMac.Include_Vlans List of VLANs associated with endhosts, for which duplicate MAC entries need to be included in UT Major, UT Minor, UT device based, and UT subnet based Acquisition.

Administration of Cisco Prime LAN Management Solution 4.2 7-12 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Table 7-4 Properties Supporting Duplicate MAC Addresses

Property Description UT.DuplicateMac.Exclude_Vlans List of VLANs associated with endhosts, for which duplicate MAC entries need to be excluded in UT Major, UT Minor, UT device based, and UT subnet based Acquisition. UT.DuplicateMac.Include_Subnets List of subnets associated with endhosts, for which duplicate MAC entries need to be included in UT Major, UT Minor, UT device based, and UT subnet based Acquisition. UT.DuplicateMac.Exclude_Subnets List of subnets associated with endhosts, for which duplicate MAC entries need to be excluded in UT Major, UT Minor, UT device based, and UT subnet based Acquisition.

For the above list of properties: • Values should be separated by commas. • IP addresses of the devices should be given. • Port numbers should be given along with the device IP address as deviceip:port. • The Exclude list takes precedence over the Include list. The usage scenario for the above lists is as follows: • If you use the Include list OR the Exclude list alone, the duplicate MAC addresses will be included or excluded as specified. For example, if you set the Include list as, UT.DuplicateMac.Include_Switches=X,Y Duplicate MAC addresses will be allowed only for endhosts connected to Switches X and Y. Duplicate addresses will not be allowed for any other endhost. • If you set both Include and Exclude list as, UT.DuplicateMac.Include_Switches=X,Y UT.DuplicateMac.Exclude_Switches=A,B Duplicate MAC addresses will not be allowed for endhosts connected only to Switches A and B. Duplicate addresses will be allowed for all other end hosts, even for those connected to switches not specified in the Include list. Thus when an Exclude list is set, the Include list is ignored. The above examples hold good for the Include/Exclude lists of Switchports, Subnets and VLANs. • The order of priority for the property list is as follows: a. SwitchPorts b. Switches c. VLANs d. Subnets

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-13 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

The SwitchPorts list has the highest priority, followed by Switches, VLANs and Subnets list. For example, if you set UT.DuplicateMac.Include_SwitchPorts=10.77.211.33:3/2 UT.DuplicateMac.Exclude_Switches=10.77.211.33 Although the switch 10.77.211.33 is in the Exclude list, a switchport belonging to that switch is also present in the Include list. So Duplicate MAC addresses will be allowed for that port on the switch. Thus the SwitchPorts list has higher priority over the Switches list.

Configuring User Tracking Properties from the Backend This section explains the new user configurable properties that have been added to UT. You can configure properties that control DNS name resolution and history reports, by editing them in the file ut.properties, stored in NMSROOT/campus/etc/cwsi/ where NMSROOT is the root directory where you installed Cisco Prime.

Administration of Cisco Prime LAN Management Solution 4.2 7-14 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Table 7-5 lists the new properties added to UT:

Table 7-5 Configuring User Tracking Properties

Property Default Value Description HistoryHostPurgeTime 10 days Purges history entries that are older than the specified time. The value should be provided in minutes. For example, If you want to purge entries older than 10 days, set HistoryHostPurgeTime=14400 UT.nameResolution both Name resolution for end hosts using Java APIs JNDI and InetAddres.This property can have the following values: • wins (Use only InetAddress) • dns (Use only JNDI) • wins,dns (First InetAddress then JNDI) • both (JNDI first and InetAddress next) UT.nameResolution.dnsTimeout 2000 Time duration for which UT waits for response from the DNS server, for name resolution. The value should be entered in milliseconds. UT.nameResolution.winsTimeout 2000 Time duration for which UT waits for response from the DNS server, for name resolution.The value should be entered in milliseconds. This property must be enabled only for windows server. UTMajorUseDNSCache false Uses cache memory for name resolution in subsequent User Tracking discoveries. User Tracking performs DNS Lookup for a host only if the IP address of the host is being resolved for the first time.It does not perform DNS Lookup for every Major Acquisition. This helps the application to reduce the number of queries during User Tracking Acquisition. This in turn reduces the time taken for Acquisition process. UT.RunLookupAnalyzer OFF To analyze the performance of DNS servers and provide the following information in the NMSROOT\log\ut.log file: • DNS Server Efficiency for each DNS Server • Overall Summary of DNS Servers • Namelookup related settings in ut.properties file • Issues found and recommendations to overcome them Set the value to ON to turn on the feature. You need not enable debugging for UT to get the LookupAnalyzer data in the ut.log file. For details on running Lookup Analyzer utility from the command prompt and example output of the utility, see Using Lookup Analyzer Utility

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-15 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Configuring Rogue MAC List

MAC Addresses that are not authorized to exist in your network are termed as Rogue MAC addresses. When you enable the Rogue MAC notification feature, you need to define the list of MAC addresses that are to be classified as unauthorized addresses in the network. You can also import MAC addresses to Acceptable OUI either from a file or directly from UT. If you import the MAC Addresses from a file or directly from UT, the MAC addresses in the file are converted to OUIs before you add them to the Acceptable OUI list. To do so:

Step 1 Select Admin > Collection Settings > User Tracking > Acquisition Settings. The User Tracking Acquisition settings window appears. Step 2 Click Define Rogue MACs. The Rogue MAC Configuration window appears. The lists displayed in the window are: – Rogue MAC/OUI List – Acceptable MAC/OUI List Step 3 Click Add MAC/OUI to add new entries to the list. The Add MAC/OUI window appears. The Organizationally Unique Identifier (OUI) is a 24-bit number. It is used as an identifier to uniquely identify the vendor, manufacturer, or a worldwide organization. An OUI reserves a block of each type of derivative identifier, such as MAC addresses, group addresses, and Subnetwork Access Protocol identifiers. It is used to identify a network interface controller (NIC), network protocol, or MAC addresses for Ethernet. In case of MAC addresses, OUI is combined with a 24-bit number to form the address. The first three octets of the address are the OUI.

Administration of Cisco Prime LAN Management Solution 4.2 7-16 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

The Add MAC/OUI page is as explained in Table 7-6: Table 7-6 Populating the MAC/OUI list

Property Description Select Mode Provides the following options to add MAC addresses to MAC/OUI List: • Manual — Enables you to add MAC/OUI to either the Acceptable MAC/OUI List or to the Rogue MAC/OUI list. The Manual Add option is selected by default. • Import from file — Enables you to import MAC Addresses from a file to the Acceptable MAC/OUI List • Import from UT — Enables you to import MAC Addresses directly from UT to Acceptable MAC/OUI List Add MAC/OUI Enter the MAC Address or OUI in the text box provided. The values should be separated by spaces, tabs, or commas. You can also enter values on separate lines. The address can have only hexa decimal numbers separated by hyphen. Example: 00-c0-1d-99-06-b6 OUI List Displays predefined values in LMS. You can select values from the list, to add to the Rogue OUI or Acceptable OUI list. To add more values to the list, add them to the Property file: NMSROOT/campus/etc/cwsi/OUI.properties where NMSROOT is the directory where you installed Cisco Prime. To get the latest OUIs listed by IEEE, see http://standards.ieee.org/regauth/oui/index.shtml

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-17 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Step 4 Select any of the following: • Manual Add a. Select the required OUIs from the list displayed in OUI List. b. Click either the Add to Rogue MAC List or the Add to Acceptable MAC List, based on your requirement. The MAC or OUIs that you enter in the ADD MAC or in the OUI textbox will be added to the list that you selected. • Import From File a. Click Browse and browse to the folder location and choose the file to be imported b. Click the Import to Acceptable OUI list. The MACs are converted to OUIs before you add them to the Acceptable MAC/OUI list. • Import From UT Click the Import to Acceptable OUI list. The MACs are converted to OUIs prior to adding them to the Acceptable MAC/OUI List. It is mandatory that the file that is imported to Acceptable MAC/OUI list must include the header - MAC Address followed by MAC Address entries. For example: In the example, the file to be imported includes a MAC Address column with MAC Address entries. MAC Address MAC 1 MAC 2 MAC 3 The newly added values are reflected in the Rogue MAC Configuration screen. Step 5 Check Consider unqualified MAC as Rogue When you check this, LMS treats any new MAC address coming into the network as Rogue MAC. This is if it is not defined in the Acceptable MAC list. Step 6 Click any of the following: • Save Saves the settings to the server. They come into effect in the next UT Major Acquisition cycle. – If Dynamic User Tracking is running, notification for new or Rogue MACs detected in the network, are sent immediately. – If WLSE is integrated with LMS, notification for wireless MACs detected in the network is sent. • Delete Deletes entries. • Cancel Cancels changes and closes the window.

Administration of Cisco Prime LAN Management Solution 4.2 7-18 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Modifying UT Acquisition Schedule

You can modify UT acquisition schedule. To modify acquisition schedule:

Step 1 Select Admin > Collection Settings > User Tracking > Acquisition Schedule. The Acquisition Schedule dialog box appears. Step 2 Start the user tracking major acquisition for all or failed devices as specified below: • Select either All devices or Failed devices . • Click Start to start the user tracking major acquisition immediately for the selected devices. The UT Acquisition Confirmation pop up appears. • Click OK to start user tracking acquisition. A success message appears. Click OK. To cancel the user tracking acquisition process, click Cancel. Step 3 Modify the acquisition schedule as specified in Table 7-7.

Table 7-7 Acquisition Schedule Field Description

Field Description Usage Notes Minor Acquisition Specify, in minutes, the periodicity at which a None. minor acquisition should take place. Major Acquisition Specify the time at which a major acquisition is to None. take place. Specify the days of the week on which a major acquisition is to be scheduled. Days, Hour, Min Days on which and the time at which a major You can add new schedules and edit or delete acquisition is to be carried out. existing schedules. Recurrence Pattern Select the days of the week on which a major This field is available only when you are adding acquisition is to be scheduled. or editing a schedule.

Step 4 Select the schedule and do any of the following: • Click Edit to edit the schedule. • Click Delete to delete the schedule. • Click Add to add a new schedule. Step 5 Click OK to save the changes or Cancel to cancel the changes. Step 6 Click Apply after adding or editing a schedule.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-19 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Modifying Ping Sweep Options

A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine the range of IP addresses that map to live end hosts (computers). You can use a single ping to find out whether a specific end host exists on the network. A Ping Sweep consists of ICMP (Internet Control Message Protocol) ECHO requests sent to multiple hosts. If a given address is live, it will return an ICMP ECHO reply. Ping sweeps are among the older and slower methods used to scan a network. When Ping Sweep is enabled in LMS, the UTPing program in NMSROOT/campus/bin will be invoked during acquisition to send out a sweep of pings for each subnet. Before collecting information from a device, the subnets connected to the device are pinged. This serves as a connectivity check, as well as loads the ARP table of the layer 3 device with the latest information. After pinging, acquisition process starts collecting end host information from the device. To modify Ping Sweep options:

Step 1 Select Admin > Collection Settings > User Tracking > Ping Sweep. The Ping Sweep dialog box appears. Step 2 Choose any of the following: • Disable Ping Sweep • Perform Ping Sweep on all subnets • Exclude subnets from Ping Sweep When you choose Exclude subnets from Ping Sweep, select the subnets that you want to exclude from Ping Sweep. You can select subnets from the list of available subnets and add to the list of subnets to be excluded. Step 3 Specify the Wait Interval, if Ping Sweep is enabled. Wait Interval is the time duration between pinging subnets. The interval ensures that the network is not flooded with ping packets. For example, assume that you have included 4 subnets for pinging, and set the wait interval to 10 seconds. If Subnets 1 and 2 are connected to Device 1, and Subnets 3 and 4 are connected to Device 2, then 10 seconds lapse between pinging Subnets 1 and 2. After pinging both the subnets, acquisition starts on Device 1. Same happens with Device 2. Step 4 Click Apply. User Tracking does not perform Ping Sweep on large subnets. For more details, see Notes on Ping Sweep Option.

Administration of Cisco Prime LAN Management Solution 4.2 7-20 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Notes on Ping Sweep Option

User Tracking does not perform Ping Sweep on large subnets, for example, subnets containing Class A and B addresses. Hence, ARP cache might not have some IP addresses and User Tracking may not display the IP addresses. Ping Sweep will not refresh the ARP cache, if firewall or Access Control List is enabled to block the ICMP packets to the network devices. Hence, User Tracking will not display the IP addresses of the associated hosts. In larger subnets, the Ping process leads to numerous ping responses that might increase the traffic on your network and result in extensive use of network resources. You can increase the value of the wait interval. Wait interval helps the ping response traffic to settle, which may appear as Denial Of Service (DOS) or may affect the functioning of router by high CPU usage. To perform Ping Sweep on larger subnets, you can: • Configure a higher value for the ARP cache time-out on the routers. To configure the value, you must use the arp time-out interface configuration command on devices running Cisco IOS. • Use any external software, that will enable you to ping the host IP addresses. This will ensure that when you run User Tracking Acquisition the ARP cache of the router contains the IP addresses.

Configuring UT Subnet Acquisition

You can configure LMS to perform User Tracking Acquisition on selected subnets. These configurations are used for User Tracking Major Acquisition and Configured Subnets based acquisition. You can choose to include or exclude specified subnets to perform User Tracking major acquisition. To configure Subnet acquisition:

Step 1 Select Admin > Collection Settings > User Tracking > Subnet Acquisition Configuration. The Configure Subnet Acquisition dialog box appears. Step 2 Select either of the following options: • Perform acquisition on all subnets All the subnets are included for User Tracking Major Acquisition. If you select this option do not perform steps 4 and 5. Or • Perform Subnet-based acquisition The action depends on the Filter value. Step 3 Select either of the following Filter values: • Perform major acquisition on selected subnets All subnets added to the Selected Subnets list are included for User Tracking acquisition. Or • Do not perform major acquisition on selected subnets All subnets added to the Selected Subnets list are excluded for User Tracking acquisition.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-21 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Step 4 Select subnets from the list of Available Subnets and add them to the list of Selected Subnets. In the User Tracking Acquisition Action page (Admin > Collection Settings > User Tracking > Acquisition Action), the Acquire Only VLAN Specific to Subnet check box is available. • If you select this check box, only the work stations associated to the VLANs that are mapped to the selected subnets will be acquired. • If you do not select this check box, work stations associated to all the available VLANs in the selected subnets will be acquired. For more information, see Configuring User Tracking Acquisition Actions. Step 5 Click Apply.

Deleting User Tracking Purge Policy Details

Using this option, you can modify the time interval and delete entries from the End Host Table, IP Phone Table, or the History Table from the database. To delete user tracking purge policy details:

Step 1 Select Admin > Network > Purge Settings > User Tracking Purge Policy. The Delete Interval dialog box appears. Step 2 Specify delete intervals for end host, IP phone and history tables. Step 3 Either: • Click Delete now to delete the entries immediately. If you select this step do not perform Step 4. Or • Select Delete After Every Major Acquisition. If you select this option, LMS will delete records older than the specified interval, after every UT Major Acquisition. Step 4 Click Apply.

Administration of Cisco Prime LAN Management Solution 4.2 7-22 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Administration

Configuring UT Acquisition in Trunk for End Host Discovery

Normally UT Acquisition discovers end hosts connected only to access ports. If you enable this feature UT Acquisition discovers end hosts connected to non-link trunk ports also. LMS classifies trunk ports as follows: • Link ports — Trunk ports connected to Cisco devices (Switch or Router). • Non-link ports— Trunk ports connected to end hosts or IP phones.

Scenarios where a Trunk port is connected to an end host: In a switched network, many clients from different VLANs might access an enterprise resource, such as a database server. If the server has only a standard EthernetNIC, it can belong to only one VLAN. Clients that belong to a different VLAN would have to send their traffic to a router. The router forwards the frames to the database server. The problem with this approach is the latency introduced by the router. To overcome this, a trunk-capable NIC card can be placed in the server that understands multiple VLAN information. With this arrangement, an end station need not send its frame to the router. Instead it can directly access the file server. This makes the access much faster. To configure trunk ports:

Step 1 Select Admin > Collection Settings > User Tracking > Acquisition Configuration in Trunk. The Configure Trunk for End Hosts Discovery page appears. Step 2 You can: – Select Enable End Host Discovery on all Trunks to include all non-link trunk ports in UT Major Acquisition. After choosing this option, go to Step 8. – Select Enable End Host Discovery on selected Trunks to include only the required set of non-link trunk ports in UT Major Acquisition. After choosing this option, go to Step 3. – Select Disable End Host Discovery on Trunks to disable this feature. For this option, only the end hosts connected to access ports will be discovered by UT Major Acquisition. After choosing this option, go to Step 8. Step 3 Select the list of switches where end hosts are connected to trunk ports, from the device selector. Step 4 Click Show Trunks. This displays the list of non-link trunk ports from the selected switches. Non-link trunk ports in down state are also listed here. If you have selected devices that do not have non-link trunk ports, a message is displayed indicating the same. Change your selection to devices that have non-link trunk ports and click Show Trunks, to display the ports. Link ports are not listed here. Step 5 Select the list of trunk ports where end hosts are connected from the Available Trunks list. Step 6 Click Add. The selected ports are displayed under the Selected Trunks list.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-23 Chapter 7 User Tracking and Dynamic Updates Understanding Dynamic Updates

Step 7 Select either • Discover End Hosts on Trunks to include the selected ports in UT Major Acquisition. Or • Do not Discover End Hosts on Trunks to exclude the selected ports from UT Major Acquisition. Step 8 Click Apply. This saves the configuration on the server. After saving the configuration, run Data Collection. End hosts connected to trunk ports will be discovered in successive UT Major Acquisitions. For Dynamic User Tracking to track end hosts connected to trunk ports, enable SNMP traps in these ports. For details on Enabling SNMP traps, see Enabling SNMP Traps on Switch Ports.

Importing Information on End Host Users

You can import from a file, user names and notes for end hosts already discovered. To import information in end host users:

Step 1 Select Admin > Collection Settings > User Tracking > Table Import. The End Host Table Import dialog box appears. Step 2 Specify the name of the file from which you are importing the end host table data. Step 3 Click Apply.

Note We recommend that you import a .CSV or .txt file. The imported file must have the following mandatory headers: MAC Address, User Name and Notes. For example: MAC1 Peter Finance department

Understanding Dynamic Updates

User Tracking generates reports on various functions and attributes of the end hosts and devices connected to your network that are managed by LMS. These reports are generated by polling the network at intervals set by the network administrator. In addition to polling the network at regular intervals, LMS tracks changes in the end hosts and users on the network to provide real-time updates. Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps. When an endhost is connected to a switch managed by LMS, an SNMP MAC notification trap is sent immediately from the switch to the LMS Server, indicating an ADD event. This trap contains the MAC address of the end host connected to the switch.

Administration of Cisco Prime LAN Management Solution 4.2 7-24 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Understanding Dynamic Updates

Similarly if an end host is disconnected from a switchport, an SNMP MAC notification trap is sent from the switch to the LMS indicating a DELETE event. Thus LMS provides real time data about end hosts coming into and moving out of the network. Traps from suspended devices are not processed by LMS. The difference between a UTMajor Acquisition and a Dynamic UT process is: LMS collects data from the network at regular intervals for UTMajor Acquisition. In Dynamic UT, the devices send traps to LMS as and when changes happen in the network. This implies that you need not wait till next UTMajor Acquisition cycle to see the changes that have happened in your network. This is an improvement over the earlier versions, where updates on endhost information happened based on the polling cycle. As a result of Dynamic updates, the following reports contain up-to-date information: • End-Host Report Contains information from UT Major Acquisition and the recently added end-hosts. • History Report Contains information from UT Major Acquisition and the recently disconnected end-hosts or end-hosts that have moved between ports or VLANs. • Switch Port reports Contains information about the utilization of switch ports. SNMP Traps are generated when a host is connected to the network, disconnected from the network or when it moves between VLANs or ports in the network.

To enable the Dynamic Updates feature: • Switches must be managed by LMS. • Configure LMS as a primary or secondary receiver of the MAC notifications. For details, see SNMP MAC Notification Listener. • Configure all devices to send traps to the Trap Listener port of the LMS server (This is the port number that you would have configured on LMS Administration screen). For more details, see Enabling SNMP Traps on Switch Ports. • Configure DHCP snooping on the switches Dynamic Host Configuration Protocol (DHCP) snooping is a security feature that filters untrusted DHCP message received from outside the network or Firewall, and builds and maintains a DHCP snooping binding table. LMS queries the CISCO-DHCP-SNOOPING-MIB to get the IP address of the end-host connected. For details on configuring DHCP, see http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configurati on/guide/scg.html • User Tracking collects username and IP address through UTLite for Windows environment. For more details, see Understanding UTLite. In a Windows environment you can either install UTLite or configure DHCP snooping to get IP address of the end host. They can also co-exist.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-25 Chapter 7 User Tracking and Dynamic Updates Understanding Dynamic Updates

If you have neither installed UTLite nor enabled DHCP snooping, the IP address of the end-host connected will be updated only in the next UT Major Acquisition cycle. The ARP cache of the device should be populated with the IP address, for UT Major Acquisition to discover it. The User Tracking Dynamic Updates process includes: • MAC User-Host Information Collector (MACUHIC) Process • User Tracking Manager (UTManager) Process • UTLite

MAC User-Host Information Collector (MACUHIC) Process

MAC User-Host Information Collector tracks wired end users dynamically. It receives MAC notifications from the switches either directly or through LMS or HPOV. After receiving the MAC notifications, MACUHIC validates the traps as follows: • Checks whether the traps are generated from a switch managed by LMS. • Checks whether the source is an access port. If the traps are from valid sources: • Updates LMS database. • Informs UTManager if the trap is received for an ADD event.

User Tracking Manager (UTManager) Process

UTManager receives the information from MACUHIC about the ADD MAC notification trap that is received. This information is not complete and can be completed using updates from DHCP or UTLite or from both. In the UTLite process, UTLite receives details of changes in username, and the time at which the host has logged in or logged out of the network.

UTLite

UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active Directory, and Novell servers. To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell servers. You can also install UTLite in an Active Directory server. For complete information, see Understanding UTLite. When an end-host is connected to your network, the following happens in the background. 1. The switch to which it is connected sends a MAC notification. 2. The MACUHIC process in LMS receives the MAC notification either directly from the switch or through other applications like LMS Monitor and Troubleshoot module or HPOV. 3. After processing this MAC notification, MACUHIC informs the UTManager.

Administration of Cisco Prime LAN Management Solution 4.2 7-26 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Understanding Dynamic Updates

4. LMS updates the database with the username and IP Address received from the UTLite. Database does not contain the complete information about the end host. 5. UTManager finds the following details: – Subnet, VTP domain, VLAN, Port duplex, and port speed from XML files generated after Data Collection. – Hostname from DNS Server LMS updates the database with the complete User Tracking information for the host. The User Tracking end host history reports, end host reports, reports on switch ports, wireless clients, duplicate MAC addresses, and duplicate IP addresses, use this updated information while generating reports.

Viewing Dynamic Updates Process Status

You can check whether the Dynamic Updates processes are running or not. To check the status:

Step 1 Select Admin > Collection Settings > User Tracking > Dynamic Update Process Status. The Dynamic Updates Process Status window appears. If you have started the process already, the status window shows Dynamic Updates Processes are RUNNING. Step 2 Click Stop to stop the Dynamic Updates processes. The Stop button then toggles to Start, and the status window shows Dynamic Updates Processes are STOPPED. When you stop these processes, LMS stops processing traps sent by devices. Step 3 Click Start to restart the Dynamic Updates processes. The Start button again toggles to Stop.

Enabling SNMP Traps on Switch Ports

You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a host is connected to or disconnected from that port. Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps. You can configure the ports CLI (see the Appendix Commands to Enable MAC Notification Traps on Devices ) or Through LMS Interface. Ensure that you have configured System Identity User under Admin > Trust Management > Multi Server > System Identity Setup, and the same username and password is configured under Admin > System > User Management > Local User Setup. If you do not have Configuration Management functionality enabled on your LMS Server, you have to manually configure the switches, for the switches to send MAC Notifications to the LMS server.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-27 Chapter 7 User Tracking and Dynamic Updates Understanding Dynamic Updates

Note LMS supports only those switches that contain the Management Information Base (MIB) named MAC Notification, for enabling the SNMP traps.

Through LMS Interface Prerequisites to enable MAC Notification on switches through LMS UI: • The switches must be managed by LMS. If the devices are managed in SNMP version 2 (SNMPv2), you need to configure the Read as well as the Write community strings to enable MAC Notification in the switches. • Configure the LMS server secondary credentials in LMS, you can set it up at Admin > Collection Settings > Config > Secondary Credential Settings. For more details, see Secondary Credentials.

Note LMS configures SNMP MAC Notification version 1 as the default version on switches for Dynamic Updates.

To enable MAC notification in switches:

Step 1 Select Admin > Collection Settings > User Tracking > Device Trap Configuration. The Configure Trap on Devices dialog box appears. Step 2 Select the switches for which you want to enable the traps, from the Device Selector. Step 3 Click Configure to see the devices that you have selected. Step 4 Click Configure to configure MAC notification on the ports in the devices. The Configure MAC-Notification Trap on Ports dialog box appears. Table 7-8 describes the entries in the Configure MAC-Notification Trap on Ports dialog box.

Table 7-8 Configure MAC-Notification Trap on Ports Field Description

Field Description Add LMS Server as Trap Check the check box to configure devices, to send SNMP traps to LMS. Receiver To configure LMS to listen to traps sent from devices, see Configuring SNMP Trap Listener. Trap Community Set a community string for the SNMP traps sent by devices. This property is enabled only when LMS is the Primary receiver for SNMP traps. This string is added to the list of valid strings in the Dynamic User Tracking Configuration screen. Set as Dynamic User Check the check box to make this community string as the default for Tracking Default future configurations, if LMS is the Primary Trap receiver. Filter Allows you to filter the ports listed, based on port name, device name and the device address (IP address of the device). Trap Receiver Port Port number that you entered for receiving traps. The default trap receiver port number of the LMS server is 1431. Port Name of the port. Access ports as well as Non-link Trunk ports are listed.

Administration of Cisco Prime LAN Management Solution 4.2 7-28 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Understanding Dynamic Updates

Table 7-8 Configure MAC-Notification Trap on Ports Field Description (continued)

Field Description Device Name Name corresponding to IP address of the switch. Device Address IP address of the switch. Rows per page Select to view 10 to 50 rows on a page.

Step 5 Check the check boxes to select the ports that you want to enable SNMP traps. Step 6 Click Configure to enable the SNMP traps. An Information window appears. Step 7 Click OK.

SNMP MAC Notification Listener

You must enable the switches to send SNMP MAC notifications to the listener, to avail the Dynamic Updates feature. After you enable the switches, you can choose either LMS Monitor and Troubleshoot module, or HP OpenView (HPOV) as the primary listener for MAC notifications. • If you select LMS as the Primary listener, the MAC notifications reach the application directly from the switches. • If you select LMS as the Secondary listener, (with HPOV or LMS Monitor and Troubleshoot module as the primary listener), MAC notifications reach LMS through HPOV or LMS Monitor and Troubleshoot module.

Note Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps.

To select the MAC notification listener, see the following sections: • Configuring SNMP Trap Listener • HPOV as Primary Listener • LMS Fault Monitor Module as Primary Listener

Configuring SNMP Trap Listener

LMS receives SNMP traps directly from the switches, unless you configure the port to direct the traps through HP Open View (HPOV) or Cisco Prime Monitoring Services. To configure the trap listener:

Step 1 Select Admin > Collection Settings > User Tracking > Trap Listener Configuration. The Trap Listener Configuration dialog box appears. Step 2 Check Listen traps from Device to configure the trap reception directly from the devices This makes LMS as the primary listener for receiving SNMP traps from devices. OR

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-29 Chapter 7 User Tracking and Dynamic Updates Understanding Dynamic Updates

Check Listen traps from Fault Monitor/HPOV to receive the traps through these applications. In this case, LMS Fault Monitor or HPOV act as the primary listener for SNMP traps from devices. They forward it to LMS which acts as the secondary listener for traps. If both options are enabled, LMS can receive traps directly from devices, from HPOV and from LMS Fault Monitor module. Step 3 Enter the port number of the port through which you want to receive the traps, in the Trap Listener Port field. The default trap listener port number of the LMS server is 1431. Step 4 Click Apply to save the details.

HPOV as Primary Listener

If you select HPOV as the primary listener, you must perform the following to receive the Dynamic Updates through LMS: • Install Cisco Works Integration Utility • Install Trap Adapter for HPOV The supported versions of HPOV are HPOV 7.50, HPOV 7.51 and HPOV 7.53.

Install Cisco Works Integration Utility You must have Cisco Prime Integration Utility (Integration Utility) installed on your system. Integration Utility is a utility that integrates Cisco Prime applications with third-party Network Management Systems (NMS). This utility is available as part of the DVD in the LMS 4.0. This integration utility adds Cisco device icons to topology maps, allows Cisco MIB browsing from NMS, and sets up menu items on the NMS to launch remotely installed Cisco Prime applications. See User Guide for Cisco Prime Integration Utility 1.11, for more details on the integration utility.

Note You must install the Integration Utility on the same machine on which you have installed HPOV.

Install Trap Adapter for HPOV LMS supports Trap Adapter for OpenView on Windows and Solaris operating systems. To install the adapter on Windows:

Step 1 Locate the TrapListener.conf file in the NMSROOT/campus/hpovadapter/WIN/ directory. Step 2 Modify the Trap Receiver address and the port number to the LMS values, in the file. Step 3 Set the LIB environment variable to HP OpenView lib directory. Step 4 Run the fwdTrap.exe program located in the same directory. The Trap Adapter gets attached to OpenView process and starts sending traps to the LMS server.

To install the adapter on Solaris/Soft Appliance:

Administration of Cisco Prime LAN Management Solution 4.2 7-30 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Understanding Dynamic Updates

Step 1 Locate the TrapListener.conf file in the /opt/CSCOpx/campus/hpovadapter/SOL directory. Step 2 Modify the Trap Receiver address and the port number to the LMS values, in the file. Step 3 Set the LD_LIBRARY_PATH environment variable to HP OpenView lib directory. Step 4 Run the fwdTrap program located in the same directory. The Trap Adapter gets attached to OpenView process and starts sending traps to the LMS server.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-31 Chapter 7 User Tracking and Dynamic Updates Understanding Dynamic Updates

Supported Platforms (Operating Systems) The supported platforms for the HP NNM and HPOV adapters are:

Network Management System Supported Platforms HP OpenView 9.1 • Solaris 10 • Windows 2008 R2 Standard x 64 Edition HP OpenView 9.01 • Solaris 10 • Windows 2008 R2 Standard x 64 Edition HP OpenView 9.0 • Solaris 10 • Windows Server 2008 x64 with Service Pack 2 • Windows Server 2008 x64 R2 with Service Pack 2

LMS Fault Monitor Module as Primary Listener

If you select Fault Monitor Module as the primary listener, you must perform the following to receive MAC Notifications. The default port number of the Fault Monitor Module for receiving Traps from the switches is 9000. You must configure or verify this port number on the device, for the device to forward the Traps to the Fault Monitor Module. The trapd.conf file has the details of the port number that receives the Traps from the Fault Monitor server. To enable Fault Monitor Module to forward the MAC Notifications, you must modify the trapd.conf file in the Fault Monitor Module server, at NMSROOT/object/smarts/conf/trapd directory. You can modify the file through the command line interface or through the application interface. You can configure the application to forward the MAC Notifications to LMS Server in two ways: • From LMS • From the LMS Fault Monitor Server From LMS

Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding. The Notification Services page appears. Step 2 Enter the Hostname and the port number of the LMS server to which you want to forward the MAC Notifications. Step 3 Click Apply to configure. The trapd.conf file is modified and the DFMServer process is restarted.

Note If you configure through Cisco Prime, LMS server receives all Traps including MAC Notification.

From the LMS Fault Monitor Server

Step 1 Access the LMS Fault Monitor server using Telnet.

Administration of Cisco Prime LAN Management Solution 4.2 7-32 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Understanding Dynamic Updates

Step 2 Enter pdterm DfmServer at the command line to stop the LMS Fault Monitor server. Step 3 Navigate to NMSROOT/object/smarts/conf/trapd directory. Step 4 Edit the trapd.conf file in the directory to reflect the following changes. Enter: FORWARD: address OID generic type specific type \ host [:port] | [:port:community] [host [:port] | [:port:community] ...], where the explanation for each variable is provided in the trapd.conf file. Step 5 Enter pdexec DfmServer at the command line to restart the LMS Fault Monitor server.

Configuring Dynamic User Tracking

You can configure certain properties in Dynamic User Tracking to enhance the security of the system. These properties make the server receive traps only from specified devices and with specified community strings. To configure properties for filtering SNMP Traps:

Step 1 Select Admin > Collection Settings > User Tracking > Dynamic User Tracking Configuration. The Dynamic User Tracking Configuration page appears. Step 2 Select the Validate SNMP Community check box. LMS validates the community string in SNMP traps, with the values you have set. You can add community strings only after checking this check box. • If you configure a device with SNMP v2 or v1 settings in DCR, then the device is initially queried with SNMP v2 by LMS. If the query fails, LMS will query the device with SNMP v1. • If you configure a device with SNMPv3 settings in DCR, then the device is queried with SNMP v3. However, if the query fails, the same device will not be queried with SNMP v2 or v1. Step 3 Enter the community string in the Valid Community List text box and click Add. You can add the community strings one at a time. You can use the Delete button to remove the extra or erroneous strings. The default Trap community string that you might have added in the Device Trap configuration screen is also listed here. Step 4 Select the Validate Trap Source check box. LMS validates the source IP Address of the trap. You can add the list of IP Addresses only after checking this check box. Step 5 Enter the IP Address in the text box provided and click Add. You can use the Delete button to delete extra or erroneous entries. Step 6 Click Apply to save changes to the server. To revert to the default values, click Reset.

You can use any one of the options to filter SNMP traps. For example:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-33 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Utility

To process traps from all sources, and that have private or test as the community string, set Validate SNMP Community = true (by checking the check-box) Community String = private, test Validate Trap Source =false

then traps from all sources with community string private or test will be processed by LMS. To process traps from the listed IP addresses, with the community string private or test set: Validate SNMP Community =true Community String = private, test Validate Trap Source =true Valid IP Addresses = 10.77.210.211, 10.77.210.212

then traps from the listed IP addresses, with the community string private or test will be processed by LMS. In this case, LMS first validates the community string, and if it matches, validates the source address.

Using User Tracking Utility

Cisco Prime User Tracking Utility (UTU) is a Windows desktop utility that provides quick access to useful information about users, hosts, or IP Phones discovered by LMS User Tracking application. This section contains the following: • Understanding UTU • Hardware and Software Requirements for UTU • Downloading UTU • Installing UTU • Accessing UTU • Configuring UTU • Searching for Users, Hosts or IP Phones Using UTU • Uninstalling UTU • Upgrading to UTU 2.0 • Re-installing UTU 2.0

Understanding UTU

User Tracking Utility (UTU) allows users with Help Desk access to search for users, hosts, or IP Phones discovered by LMS User Tracking application. UTU comprises a server-side component and a client utility. UTU is supported on LMS 3.0 (Campus Manager 5.0.6), LMS 3.1 (Campus Manager 5.1.4), and LMS 3.2 (Campus Manager 5.2.1). To use UTU in LMS 4.2, Network Topology, Layer 2 Services and User Tracking must be enabled and accessible through the network. UTU 2.0 supports silent installation mode for easy deployment. It supports communication with LMS server in Secure Sockets Layer (SSL) mode. The following are the list of features supported in the Cisco Prime User Tracking Utility 2.0 release:

Administration of Cisco Prime LAN Management Solution 4.2 7-34 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Utility

Windows Vista Support Earlier, User Tracking Utility did not work on Windows Vista client systems because of library conflicts. UTU 2.0 is built on Microsoft .Net Framework and Windows Presentation Foundation (WPF). With this, UTU 2.0 now works on Windows Vista client systems

Support for Phone Number Search In this release, UTU supports searching phone numbers in addition to existing search criteria.

Hardware and Software Requirements for UTU

Table 7-9 lists the minimum system requirements for UTU.

Table 7-9 System Requirements for UTU

Requirement Type Minimum Requirements System hardware IBM PC-compatible computer with Intel Pentium processor. System software • Windows 2008 • Windows XP with SP2 or SP3 • Windows Vista Memory (RAM) 512 MB Additional • LMS 3.0 (Campus Manager 5.0.6), or LMS 3.1 (Campus Manager 5.1.4), or required software LMS 3.2 (Campus Manager 5.2.1), or LMS 4.2 (Network Topology, Layer 2 Services and User Tracking) • Microsoft .Net Runtime 3.5 Service Pack 1 You can download Microsoft .Net Runtime 3.5 Service Pack 1 from http://www.microsoft.com Network LMS 3.0 (Campus Manager 5.0.6) or LMS 3.1 (Campus Manager 5.1.4) or LMS Connectivity 3.2 (Campus Manager 5.2.1) or LMS 4.0 (Network Topology, Layer 2 Services and User Tracking) must be running, and accessible through the network

Downloading UTU

UTU requires Cisco PrimeUserTrackingUtility2.0.exe file to be downloaded and installed. To download UTU 2.0:

Step 1 Click http://www.cisco.com/cisco/software/navigator.html. You must be a registered Cisco.com user to access this Software Download site. The site prompts you to enter your Cisco.com username and password in the login screen, if you have not logged in already. Step 2 From the Software Product Category, select Cloud and Systems Management > Routing and Switching Management > Cisco Prime LAN Management Solution. Step 3 Select the latest version of Cisco Prime LAN Management Solution. Step 4 Select the appropriate product software type.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-35 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Utility

Step 5 Select a product release version from the Latest Releases folder and locate the software update to download. Step 6 Locate the file CiscoWorksUserTrackingUtility2.0.zip This zip file contains CiscoWorksUserTrackingUtility2.0.exe and setup.iss file (required for silent installation). Step 7 Click the Download Now button to download and save the device package file to any local directory on LMS Server. Step 8 Extract the file using any file extractor such as WinZip.

Installing UTU

You can install UTU 2.0 either in normal installation mode or silent installation mode. Before you install UTU 2.0, check whether you system meets the requirements mentioned in Hardware and Software Requirements for UTU. This section explains: • Installing UTU in Silent Mode • Installing UTU in Normal Mode

Installing UTU in Silent Mode

To install UTU in silent mode, run the following command at the command prompt: exe-location\CiscoWorksUserTrackingUtility2.0.exe –a –s –f1file-location\setup.iss where – exe-location is the directory where you have extracted the CiscoWorksUserTrackingUtility2.0.exe file – file-location is the directory where you have the setup.iss file. Do not use space after the -f1 option. Use the complete path for file-location. For example, if the install directory for UTU is c:\utu, enter the following at the command prompt: c:\utu\CiscoWorksUserTrackingUtility2.0.exe -a -s -f1c:\utu\setup.iss

Editing Setup.iss File UTU is installed in the C:\Program Files\CSCOutu2.0 directory, by default. If you want to install UTU in some other directory, you must edit the content of the setup.iss file. Change the value of the szDir attribute in the setup.iss file. For example, if you want to set the installation directory as D:\utu20, change szDir=C:\Program Files\CSCOutu2.0 to szDir=D:\utu20 in the setup.iss file.

Setup.log File The setup.log file is created during the installation in the same directory where you have extracted the setup.iss file. You should see the setup.log file to check the installation completion status.

Administration of Cisco Prime LAN Management Solution 4.2 7-36 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Utility

The value of the ResultCode attribute in the setup.log informs you whether the installation has completed successfully. The value 0 denotes that the UTU installation in silent mode is successful. When the value of the ResultCode attribute is other than 0, you must install UTU again.

Installing UTU in Normal Mode

To install UTU in normal installation mode:

Step 1 Log into the system with local system administrator privileges. Step 2 Navigate to the directory that contains CiscoWorksUserTrackingUtility2.0.exe. Step 3 Double-click CiscoWorksUserTrackingUtility2.0.exe to begin installation. The User Tracking Utility Welcome screen appears. Step 4 Click Next. A warning message appears if you have not installed .Net Framework 3.5 SP1. You can install .Net Framework 3.5 SP1 after terminating the current UTU installation or before completing the current UTU installation. Step 5 Click Next. A confirmation message appears. Step 6 Click Yes. The Choose Destination Location dialog box appears. By default, UTU is installed in the directory C:\Program Files\CSCOutu2.0.

Note If you have installed .Net Framework 3.5 SP1 already on the system, the installer directs you to the Choose Destination dialog box, when you click Next in the User Tracking Utility Welcome screen.

If you click No in the confirmation message, the warning message appears again stating that you have not installed .Net Framework 3.5 SP1. You can download and install .Net Framework 3.5 SP1. and then continue with the UTU installation. Step 7 Click Next to install UTU in the default directory. or a. Click Browse to choose a different directory and click OK. b. Click Next to continue with the installation. The installation continues. Step 8 Click Finish to complete the installation. User Tracking Utility is installed at the destination location you specified in Step 7 above and a shortcut to UTU is created on the desktop. To access the utility, see Accessing UTU.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-37 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Utility

Accessing UTU

To access UTU, click either: • Start > Programs > Cisco Prime UTU 2.0 > Cisco Prime User Tracking Utility 2.0 Or • UTU 2.0 shortcut available on the desktop The UTU band appears. See Figure 7-1 for UTU 2.0 band. You can also find an icon in the task bar. You can use this icon to restore the UTU band when minimized.

Figure 7-1 User Tracking Utility - Search Band

1 - Settings Icon 2 - Minimize icon 3 - Close icon 4 - UTU task bar icon

After a system restart and during the startup, the system launches the UTU automatically.

Administration of Cisco Prime LAN Management Solution 4.2 7-38 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Utility

Configuring UTU

You must configure UTU to set the Campus Manager (for releases earlier than LMS 4.0), or LMS 4.2 server configurations. To configure UTU:

Step 1 Click the Settings icon. Or a. Right-click the UTU search band. A popup menu appears. b. Click Settings. The Cisco Prime Server Settings dialog box appears. Step 2 Enter the name or IP Address of the server on which Campus Manager (for releases earlier than LMS 4.0), or LMS 4.2 is installed. Step 3 Enter the port number of the LMS Server. The default HTTP port number is 1741. You can modify the port number if required. Step 4 Click Enable SSL for communicating with an SSL enabled server. The port is changed to 443, which is the default port for SSL. You can modify the port number if required. See Figure 7-2.

Figure 7-2 Enabling SSL

Step 5 Enter a valid Cisco Prime Server user name and password. This is used to verify the validity of the user when searching for users, hosts, or IP Phones. Step 6 Confirm the password by re-entering it. Step 7 Select the Remember me on this computer checkbox if you want the client system to remember your credentials. The credentials are preserved only for the current user of Windows system. The credentials are not available when you log into the Windows system with a different user name.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-39 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Utility

Step 8 Click Apply to save the changes.

Searching for Users, Hosts or IP Phones Using UTU

You can use the UTU Search Band to search for the users, hosts, or IP Phones in your network.

Note UTU search is case-insensitive.

To search for users, hosts, or IP Phones:

Step 1 Right-click the UTU search band. A popup menu appears with the default search criterion Host name/IP Address selected. Step 2 Select a search criterion from the popup menu. You can search using: • User name • Host name or IP Address • Device name or IP Address • MAC Address • Phone number The default search criterion is host name or IP Address of the host. The selected criterion is set for future searches until you change the criterion. Step 3 Enter any value related to user name, host name, device name, IP Address, Phone number or the MAC Address in the UTU search field. For example, you can enter 10.77.208 in the search field. Step 4 Press Enter. If your server is not SSL enabled, go to Step 7. When you query for data from an SSL enabled server, the Certificate Summary dialog box appears. Step 5 Click Details to view the certificate details. You can verify the authenticity and correctness of the SSL server here. See Figure 7-3.

Administration of Cisco Prime LAN Management Solution 4.2 7-40 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Utility

Figure 7-3 Certificate Details

You can click Summary to go back to the Certificate Viewer dialog box. Step 6 Click Yes in the Certificate Viewer dialog box or Certificate Details dialog box to accept and store the certificate. SSL connection is established with the server. If you click No, the certificate is not stored and no connection is established with the server.

Note The Certificate Viewer dialog box appears only for the first time configuration. If you had clicked Yes the first time, you are not prompted to store the certificate during subsequent sessions.

Step 7 Click the X Record(s) Found button to launch the results window. X denotes the number of matches found. For example, if there 4 matches found, the UTU Search band displays 4 Record(s) Found. See Figure 7-4.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-41 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Utility

Figure 7-4 UTU Search Band displaying the number of matching records

UTU search returns only the top 500 records if the number of matches exceed 500. You must refine your search if you want better and more accurate results. Step 8 Select an entry in the Results window. UTU displays the search results, which is a list of user names, host names, IP Addresses, or MAC Addresses, in a Results window. The Results window has the following options: • Copy to Clipboard, where you can copy the selected search result record. • Copy All to Clipboard, where you can copy all the search result records. • Close, which you can use to close the window. For a selected search result record, the Results window displays the details as described in: • Table 7-10 for all search criteria except Phone Number • Table 7-11 for search based on Phone Number See Figure 7-5 for MAC Address search results window and Figure 7-6 for IP Phone search results window.

Table 7-10 Details for Each Entry in Results Window For a User or Host Search

Entry Description User Name Name of the user logged in to the host. MAC Address Media Access Control (MAC) address of network interface card in end-user node. Host IP Address IP Address of the host. Host Name Name of the host discovered by User Tracking. Subnet Subnet to which the host belongs. Subnet Mask Subnet mask of the host Device name Name of the switch. Device IP Address IP Address of the switch VLAN VLAN to which the port of the switch belongs. Port Port number to which the host is connected. Port Description Description of the port number to which the host is connected. Port State State of the port: Static or Dynamic. Port Speed Bandwidth of the port of the switch.

Administration of Cisco Prime LAN Management Solution 4.2 7-42 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Utility

Table 7-10 Details for Each Entry in Results Window For a User or Host Search

Entry Description Port Duplex Port Duplex configuration details on the device. Last Seen Date and time when User Tracking last found an entry for this user or host in a switch. Last Seen is displayed in the format yyyy/mm/dd hh:mm:ss.

Figure 7-5 MAC Address Search Results Window

Table 7-11 Details for Each Entry in Results Window For a Phone Number Search

Entry Description Phone Number IP Phone number MAC Address Media Access Control (MAC) address of network interface card on the phone. Phone IP Address IP Address of the phone. CCM Address IP Address of the Cisco Call Manager Status Status of the phone, as known to Cisco Call Manager Phone Type Model of the phone. Can be SP30, SP30+, 12S, 12SP, 12SPplus, 30SPplus, 30VIP, SoftPhone, or unknown. Phone Description Description of the phone. Device Name Name corresponding to IP Address of device. Device IP Address IP Address of the device Port Port number to which the phone is connected.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-43 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Utility

Table 7-11 Details for Each Entry in Results Window For a Phone Number Search

Entry Description Port Description Description of the port to which the phone is connected. Last Seen Date and time when User Tracking last found an entry. Last Seen is displayed in the format yyyy/mm/dd hh:mm:ss.

Figure 7-6 IP Phone Number Search Results Window

Note The search results for the value you enter in the search field depends on the default search criteria.

Using Search Patterns for UTU

UTU searches for the users, hosts, or IP Phones that match the search criterion. See Searching for Users, Hosts or IP Phones Using UTU for more information. You can search for users, hosts, or IP Phones by entering a search pattern or substring of a search pattern. For example, entering Cisco displays host names that start with, end with or contain Cisco for a search on host names. You do not have to use wildcard character * to match a pattern or substring of the pattern. To search for a MAC Address, you can use one of the following MAC Address patterns or a substring of these patterns: • xxxx.xxxx.xxxx

Administration of Cisco Prime LAN Management Solution 4.2 7-44 OL-25947-01 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Utility

• xx:xx:xx:xx:xx:xx • xxxxxxxxxxxx • xx-xx-xx-xx-xx-xx Here x denotes a hexadecimal number.

Uninstalling UTU

Ensure that UTU is not running while uninstalling. If you try to uninstall UTU when it is running, an error message appears and uninstallation terminates. To uninstall UTU:

Step 1 Select Start > Programs > Cisco Prime UTU 2.0 > Uninstall Cisco Prime User Tracking Utility 2.0 from the windows task bar. The Uninstallation wizard appears and prompts you to confirm the UTU uninstallation. Step 2 Click Yes. The Uninstallation continues. Step 3 Click Finish to exit the uninstallation wizard.

Upgrading to UTU 2.0

You can install UTU 2.0 on the same system where UTU 1.1.1 is installed. You can choose to install UTU 2.0 on any directory other than the directory where UTU 1.1.1 is installed. See Installing UTU for installation instructions.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 7-45 Chapter 7 User Tracking and Dynamic Updates Using User Tracking Utility

Re-installing UTU 2.0

Re-installation of UTU 2.0 is supported on the normal mode of installation. In the normal mode of installation, you are prompted with a confirmation message to continue the installation. You must provide your inputs to continue the installation. See Installing UTU for installation instructions. The user profiles that are created are not lost during re-installation.

Administration of Cisco Prime LAN Management Solution 4.2 7-46 OL-25947-01

CHAPTER 8

Administering Collection Settings

All collection settings like Inventory Collection settings, VRF Lite settings, various SNMP timeout settings are grouped under the collection settings in the Admin tab in the menu. This section contains: • Using the Inventory Job Browser • Timeout and Retry Settings • Secondary Credentials • Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX System • PSIRT or End-of-Sale or End-of-Life Data Administration • Administering VRF Lite • Modifying Fault Management SNMP Timeout and Retries • Configuring Fault Management Rediscovery Schedules • Configuring Event Forensics • Fault Monitoring Device Administration • Device Management Functions • Performance Management SNMP Timeouts and Retry Settings • IPSLA Application Settings • Setting Up Archive Management • Defining the Configuration Collection Settings • Configuring Transport Protocols • Overview: Common Syslog Collector • Viewing Status and Subscribing to a Common Syslog Collector

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-1 Chapter 8 Administering Collection Settings Using the Inventory Job Browser

Using the Inventory Job Browser

The Inventory Job Browser displays all user-defined jobs. It also displays the system-defined inventory collection and polling jobs. You can create and manage inventory jobs using the Job Browser. You can edit, stop, cancel or delete jobs using this Job Browser.

Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform these tasks.

When you install LMS, a default job is defined for Inventory Collection and Inventory Polling. When the default job runs, LMS evaluates the “all devices” group and executes the job. This way, whenever new devices are added to the system, these devices are also included in the default collection/polling job. For the default system jobs, the device list cannot be edited. You can only change the schedule of those jobs. Therefore, when a periodic system job for inventory collection or polling is scheduled, the scheduled job is not displayed in the Inventory Job Browser. The default system jobs for Inventory Collection and Inventory Polling are created immediately after installation. However, they may appear in the Inventory Job Browser (Inventory > Job Browsers > Inventory Collection or Admin > Collection Settings > Inventory > Inventory Jobs) and the LMS Job Browser (Admin > Jobs > Browser) only after some time has elapsed. The jobs are displayed in the Job Browser when they are running, or after they are completed, with all the details such as Job ID, Job Type, and Status. User-defined jobs, however, are displayed in the Job Browser once they are scheduled, when they are running, and after they are completed. You can do the following tasks from the Inventory Job Browser: • Viewing Job Details • Creating and Editing an Inventory Collection or Polling Job • Stopping, Cancelling or Deleting an Inventory Collection or Polling Job

Administration of Cisco Prime LAN Management Solution 4.2 8-2 OL-25947-01 Chapter 8 Administering Collection Settings Using the Inventory Job Browser

To invoke the Inventory Job Browser, either: • Select Inventory > Job Browsers > Inventory Collection. Or • Select Admin > Collection Settings > Inventory > Inventory Jobs. The Inventory Job Browser dialog box appears with a detailed list of all scheduled inventory jobs. The columns in the Inventory Job Browser dialog box are:

Column Description Job ID Unique ID assigned to the job by the system, when the job is created. Click on the hyperlink to view the Job details (see Viewing Job Details.) Periodic jobs such as 6-hourly, 12-hourly, Daily, Weekly and Monthly, have the job IDs that are in the number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that this is the third instance of the job ID 1001. Job Type Type of job—System Inventory Collection, System Inventory Polling, Inventory Collection and Inventory Polling. Status Status of the job—Scheduled, Successful, Failed, Cancelled, Stopped, Running, Missed Start. The number, within brackets, next to Failed status indicates the count of the devices that had failed for that job. This count is displayed only if the status is Failed. For example, If the status displays Failed(5), then the count of devices that had failed is 5. This count of failed devices is not displayed for jobs restored from LMS 4.1 or earlier versions. Description Description of the job entered by the job creator. This is a mandatory field. Accepts alphanumeric values. The field is restricted to 256 characters. Owner Username of the job creator. Scheduled at Date and time at which the job was scheduled. Completed at Date and time at which the job was completed. Schedule Type Type of schedule for the job: • Immediate—Runs the report immediately. • 6 - hourly—Runs the report every 6 hours, starting from the specified time. • 12 - hourly—Runs the report every 12 hours, starting from the specified time. • Once—Runs the report once at the specified date and time. • Daily—Runs daily at the specified time. • Weekly—Runs weekly on the specified day of the week and at the specified time. • Monthly—Runs monthly on the specified day of the month and at the specified time. For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3.

Using the Filter by field in the Inventory Job Browser, you can filter the jobs displayed in the browser.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-3 Chapter 8 Administering Collection Settings Using the Inventory Job Browser

You can filter the jobs using any of the following criteria and clicking Filter:

Filter Criteria Description All Select All to display all jobs in the Job Browser Job ID Select Job ID and enter the whole or the first part of the Job ID(s) that you want to display. Job Type Select Job Type and then select any one of the following: • Inventory Polling • System Inventory Polling • Inventory Collection • System Inventory Collection Status Select Status and then select any one of these: • Schedule • Successful • Failed • Cancelled • Stopped • Running • Missed Start Missed start is the status when the job could not run for some reason at the scheduled time. For example, if the system was down when the job was scheduled to start, when the system comes up again, the job does not run. This is because the scheduled time for the job has elapsed. The status for the specified job will be displayed as Missed Start. Description Select Description and enter the first few letters or the complete description. Owner Select Owner and enter the user ID or the beginning of the user ID. Schedule Type Select the Schedule Type and select any one of these: • Immediate • Once • 6-hourly • 12-hourly • Daily • Weekly • Monthly Refresh Click on this icon to refresh the Inventory Job Browser. (Icon)

Administration of Cisco Prime LAN Management Solution 4.2 8-4 OL-25947-01 Chapter 8 Administering Collection Settings Using the Inventory Job Browser

To perform the following tasks, use the Inventory Job Browser (Table 8-1)

. Table 8-1 Inventory Browser Buttons, the Tasks they Perform and their Description

Button Task Description Create Create jobs You can create a new job. Edit Edit jobs You can edit only a scheduled job. You can select only one job at a time for editing. If you select more than one job, the Edit button is disabled. Cancel Cancel jobs You can cancel a scheduled job. You can select more than one scheduled job to cancel. You are prompted to confirm the cancellation. If it is a periodic job, you are prompted to confirm whether you want to cancel only the current instance of the job or all future instances. 1. Select a periodic job and click Cancel. The Cancel Confirmation dialog box appears. 2. Select one of the following options: – Cancel only this instance – Cancel this and all future instances 3. Click OK. Stop Stop jobs You can stop a running job. However, the job will be stopped only after the devices currently being processed are completed. This is to ensure that no device is left in an inconsistent state. Delete Delete jobs You can delete a job that has been scheduled, successful, failed, stopped or cancelled. However, you cannot delete a running job. You can select more than one job to delete, provided they are scheduled, successful, failed, stopped, or cancelled jobs. For instance, if you select a failed job and a running job, the Delete button is disabled. If you are deleting a scheduled periodic inventory job, the following message is displayed: If you delete periodic jobs, or instances of a periodic job, that are yet to be run, the jobs will no longer run, nor will they be scheduled to be run again. You must recreate the deleted jobs. You are prompted to confirm the deletion.

Records for Inventory Collection and Polling jobs need to be purged periodically. You can schedule a default purge job for this purpose, select Admin > Network > Purge Settings > Config Job Purge Settings.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-5 Chapter 8 Administering Collection Settings Using the Inventory Job Browser

Viewing Job Details

In the Inventory Job Browser, click on the Job ID hyperlink to view the following job details for Inventory collection, or polling jobs: • Job Details—Expand this node to display Job Summary and Job Results for the inventory collection or polling job. • Job Summary—Click on this node to view the following for the inventory collection or polling job: – Job Summary—Displays information about the job type, the job owner, the status of the job, the start time, the end time, the schedule type, and details of email notification. – Device Summary—Displays information about the total devices submitted for the job, the number of devices that were scanned, the number of devices that were pending, the devices that were successful with change, successful without change, and the failed devices. Also, the Device Details and Not Attempted information appears. Not Attempted displays the number of devices for which the Inventory collection module did not attempt to collect the data. • Job Results—Displays information about the number of devices scanned, the names of the scanned devices, the duration of scanning, the average scan time per device, and the job results description, for the inventory collection or polling job. To see more details, expand the Job Results node. You will see the following details: – Failed—If you click on this node, you will see the collective list of failed devices and the reason for their failure in the right pane, for the inventory collection or polling job. If you expand this node, the list of failed devices appears. If you select a device, the right pane displays the device name and the reason for the failure. For example, Device sensed, but collection failed, or Device not reachable. – Successful: With Changes For a Inventory collection job: Expand the Successful: With Changes node to display a list of devices. If you select a device, the right pane displays the device name and a hyperlink: View Changes. If you click on this hyperlink, the Inventory Change Details report appears for the device. The report displays information about the attribute, the type of change, the time of change, the previous value and the current value for the collection job. If you do not expand this node, you will see the collective list of devices with the status Success: With changes with their View Changes hyperlinks, in the right pane, for the collection job. There is a View All Changes hyperlink in the right pane. If you click this hyperlink, all the changes on the devices are displayed. For a Inventory polling job: Click on the Successful: With Changes node to display a list of devices that have changes, as a comma separated list, in your right pane. When there is a change in the config of a device and when the device is polled, the information like Collection initated will appear in the job results. A separate job will be created for the inventory collection as a result of changes occuring in the inventory .

Administration of Cisco Prime LAN Management Solution 4.2 8-6 OL-25947-01 Chapter 8 Administering Collection Settings Using the Inventory Job Browser

– Successful: Without Changes If you click on this, you will see as a comma-separated list in your right pane, the devices that were successful for the inventory collection or polling job.

Note Inventory Poller creates a Collection job when it detects changes.

Creating and Editing an Inventory Collection or Polling Job

To create or edit an Inventory collection or polling job:

Step 1 Either: • Select Inventory > Job Browsers > Inventory Collection. Or • Select Admin > Collection Settings > Inventory > Inventory Jobs. The Inventory Job Browser appears. Step 2 Select either: • Click Create. The Create Inventory Job dialog box appears. Or • Select a job and click Edit. Step 3 Select either: • Device Selector, if you want to schedule report generation for static set of devices Or • Group Selector, if you want to schedule report generation for dynamic group of devices.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-7 Chapter 8 Administering Collection Settings Using the Inventory Job Browser

Step 4 Enter the information required to create a job:

Field Description Job Type Select either Inventory Collection or Inventory Polling, as required. Scheduling Run Type Specifies the type of schedule for the job: • Immediate—Runs the report immediately. • 6 - hourly—Runs the report every 6 hours, starting from the specified time. • 12 - hourly—Runs the report every 12 hours, starting from the specified time. • Once—Runs the report once at the specified date and time. • Daily—Runs daily at the specified time. • Weekly—Runs weekly on the day of the week and at the specified time. • Monthly—Runs monthly on the day of the month and at the specified time. For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. If you select Immediate, the date field option will be disabled. Date 1. Enter the start date in the dd mmm yyyy format, for example, 02 Jul 2004, or click on the calendar icon and select the date. 2. Enter the start time by selecting the hours and minutes from the drop-down list. The Date field is enabled only if you have selected an option other than Immediate in the Run Type field. Job Info Job Description Enter a description for the report that you are scheduling. This is a mandatory field. Accepts alphanumeric values. This field is restricted to 256 characters. E-mail Enter e-mail addresses to which the job sends messages when the job has run. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender’s address,

Administration of Cisco Prime LAN Management Solution 4.2 8-8 OL-25947-01 Chapter 8 Administering Collection Settings Timeout and Retry Settings

Step 5 Click Submit. You get a notification that the job has been successfully created, and it appears in the Inventory Job Browser. To edit a job, select a scheduled job from the Inventory Job Browser, and click Edit. The Edit Inventory Job dialog box appears. The Job Type options are disabled. You can however, change the Scheduling and Job Info fields as required, and click Submit. The job is edited.

Stopping, Cancelling or Deleting an Inventory Collection or Polling Job

You can stop, cancel or delete Inventory Collection or Polling jobs. • Stopping a job, see Stop in Table 8-1. • Cancelling a job, see Cancel in Table 8-1. • Deleting a job, see Delete in Table 8-1.

Timeout and Retry Settings

This option enables you to set the default values for Inventory, Config timeout and retry settings. These values are applicable to all devices in LMS. • SNMP Retry—Number of times that the system should try to access devices with SNMP options. The default value is 2. The minimum value is zero and the maximum value is 6. • SNMP Timeout—Amount of time that the system should wait for a device to respond before it tries to access it again. It refers to the total transaction time of SNMP Packets. The default value is 2 seconds and the minimum value is zero seconds. There is no maximum value limit. Changing the SNMP timeout value affects inventory collection. • Telnet Timeout—Amount of time that the system should wait for a device to respond before it tries to access it again. It refers to the initial response time required to create a socket. The default value is 36 seconds and the minimum value is zero seconds. There is no maximum value limit. Changing the Telnet timeout value affects inventory collection. • Natted LMS IP Address—The LMS server ID. This is the translated address of LMS server as seen from the network where the device resides. You need to enable support for NAT, in a scenario where LMS tries to contact devices outside the NAT boundary. The default value is Not Available. • TFTP Timeout—Amount of time that the system should wait to get the result status of the copy operation. Changing the TFTP timeout value affects Config collection. The default value is 5 and the minimum value is 0 seconds. There is no maximum value limit. • Read Delay—Amount of time the system will sleep in between each read iteration. The default read delay is 10 milliseconds.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-9 Chapter 8 Administering Collection Settings Timeout and Retry Settings

• Transport Timeout—Amount of time the socket will be blocked for read operation. The default value is 45000 milliseconds. • Login Timeout—Amount of time in milliseconds after which it will start reading the user prompt. The default value is 2000 milliseconds. • Tune Sleep—Amount of sleep time in milliseconds after sending tune command 3 to 4 times. The default value is 50 milliseconds. • Delay After Connect—Amount of waiting time in milliseconds after initial socket connection. It will wait for the set time before doing the next operation. The default value is 300 milliseconds. To edit the Inventory, Config timeout and retry settings:

Step 1 Select Admin > Network > Timeout and Retry Settings > Config Timeout and Retry Settings. The Inventory, Config timeout and retry settings page appears. Step 2 Enter the default values for: • SNMP Retry • SNMP Timeout • Telnet Timeout • Natted LMS IP Address • TFTP Timeout • Read Delay • Transport Timeout • Login Timeout • Tune Sleep • Delay After Connect Step 3 Click Apply.

Note Modifying the default timeout values will apply to all the devices and impact the work flows of all devices. To edit per device level attributes, go to Editing Device Attributes.

Step 4 Click OK. A confirmation message appears: The settings are updated successfully

Note When you do a back up restore from LMS 3.x/4.x to LMS 4.2, the inventory, config timeout, and retry values will not be restored by default. To restore the values for all the devices, edit the default values in Timeout and Retry settings page. To restore the values for specific devices, go to Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings

Administration of Cisco Prime LAN Management Solution 4.2 8-10 OL-25947-01 Chapter 8 Administering Collection Settings Secondary Credentials

Secondary Credentials

The LMS server polls and receives two types of credentials from each device and populates the Device Credential Repository (DCR).These credentials are: • Primary Credentials • Secondary Credentials LMS uses either the primary or secondary credentials to access the devices using the following protocols: • Telnet • SSH The LMS server first uses the Primary Credentials to access the device. The Primary Credentials is tried out many times and on failure the Secondary Credentials is tried out. Secondary Credentials is used as a fallback mechanism in LMS for connecting to devices. For instance, if the AAA Server is down, accessing devices using their primary credentials will lead to failure. You can add or edit the Secondary Credentials information through the DCR page (Select Inventory > Device Administration > Add / Import / Manage Devices) if the Secondary Credential information is not available for a device.

Note The use of Secondary Credentials fallback is applicable for both Login and Enable connectivity.

You can use the LMS Secondary Credential dialog box to enable or disable Secondary Credentials fallback when the Primary Credentials for a device fails. This is a global option which you can use to enable or disable the use of Secondary Credential fallback for all LMS applications. To enable or disable the Secondary Credentials fallback:

Step 1 Select Admin > Collection Settings > Config > Secondary Credential Settings. or Select Admin > Collection Settings > Inventory > Secondary Credential Settings. The Secondary Credentials dialog box appears. Step 2 Do either of the following: • Check Fallback to Secondary Credentials check box if you want to enable the Secondary Credential fallback. Or • Uncheck Fallback to Secondary Credentials check box if you want to disable the Secondary Credential fallback. Step 3 Click either Apply to apply the option or click Cancel to discard the changes.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-11 Chapter 8 Administering Collection Settings Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX System

Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX System

At the time of LMS installation, system jobs are created for both Inventory collection and polling, with their own default schedules. A periodic inventory collection job collects inventory data from all managed devices and updates your inventory database. Similarly, the periodic polling polls devices and updates the inventory database. You can change the schedule of these default, periodic system jobs. For inventory collection or polling to work, your devices must have accurate read community strings entered. The changes detected by inventory collection or polling, are reflected in all associated inventory reports. This section contains the following topics: • Changing the Schedule for System Inventory Collection or Polling Settings • Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings

Changing the Schedule for System Inventory Collection or Polling Settings

Note that the inventory poller allows you to collect inventory less often. The poller detects most changes in managed devices, with much less impact on your network. If the poller detects changes, it initiates inventory collection. To collect inventory or poll devices as a one-time event or for selected devices only, create user-defined inventory collection or polling jobs (see Creating and Editing an Inventory Collection or Polling Job).

Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform these tasks.

Step 1 Select Admin > Collection Settings > Inventory > Inventory System Job Schedule. The System Job Schedule dialog box displays the current collection or polling schedule. Step 2 Set the new Inventory Collection or Inventory Polling schedule in the respective panes, as in Table 8-2. Inventory data does not change frequently, so infrequent collection is better. However, if you are installing much new equipment, you may need more frequent collection. Infrequent collection reduces the load on your network and managed devices. Collection is also best done at night or when network activity is low. Also, make sure your collections do not overlap, by checking their duration using the Inventory Job Browser (see Using the Inventory Job Browser), and scheduling accordingly. Step 3 Click Apply. The new schedule is saved.

Administration of Cisco Prime LAN Management Solution 4.2 8-12 OL-25947-01 Chapter 8 Administering Collection Settings Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX

Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings

Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform these tasks.

Step 1 Select Admin > Network > Compliance Policy/PSIRT/EOS/EOL Settings > Compliance Policy and Psirt/Eox System Job Schedule. The Compliance Policy and PSIRT/EOX System Job Schedule page appears. Step 2 Set the new Compliance Policy and PSIRT/EOX schedule in the respective panes, as in Table 8-2. Step 3 Click Apply. The new schedule is saved.

Table 8-2 Details of Inventory system schedule and CAAM Policy and PSIRT/EOX System Job Schedule

Field Description Scheduling Run Type Select the run type or frequency for inventory collection or polling, CAAM Policy and PSIRT/EOX—Daily, Weekly, or Monthly. For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. Date Select the date for the collection or polling to begin, using the date picker. at Enter the time for the collection or polling to begin, in the hh:mm:ss format. Job Info Job Descrip- Has a default Job Description: tion If the Job Type is Inventory Collection, the description is, System Inventory Collection Job. If the Job Type is PSIRT and EOX Or Compliance Policy, the description is, System Compliance Policy and PSIRT/EOX Job. E-mail Enter e-mail addresses to which the job sends messages when the collection or polling job has run. You can enter multiple e-mail addresses, separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender’s address.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-13 Chapter 8 Administering Collection Settings PSIRT or End-of-Sale or End-of-Life Data Administration

Compliance Policy and PSIRT/EOX Job Report Perform the following steps to view the Compliance Policy and PSIRT/EOX Job Report:

Step 1 Go to Admin > Jobs > Browser. Step 2 Select Type in the Filter by field and SystemPsirtJob in the drop-down list. Step 3 Click Filter. The SystemPsirtJob will be filtered and displayed. Step 4 Click the JOB ID e.g 1005.1 to view the Compliance Policy and PSIRT/EOX Job Report.

PSIRT or End-of-Sale or End-of-Life Data Administration

Product Security Incident Response Team (PSIRT) of Cisco is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability-related information, related to Cisco products and networks. For every security vulnerability, a PSIRT document is created with a PSIRT Document ID. This document consists of definitions of the vulnerabilities, the IOS image version that is affect by the PSIRT, as well as the device that is impacted.

Note System PSIRT job should be successful at least once before generating PSIRT/End-of-Sale or End-of-Life (EoX) reports. Report job will be successful even though there is no data to display for the selected devices.

The EoS/EoL reports will be successful but might not contain data in the below scenarios: 1. If the system PSIRT job fails because of wrong Cisco.com credentials, or if you have not configured the Cisco.com credentials. 2. If the system PSIRT job fails due to problems in the downloaded local XML file. 3. If there is no PSIRT/EoX data in the database for the selected devices. LMS fetches and collects this PSIRT information from Cisco.com whenever the system PSIRT and End-of-Sale or End-of-Life (EOX) job runs. LMS uses PSIRT, End-of-Sale and End-of-Life data from Cisco.com to generate various reports. You can change the Data Source for PSIRT or End-of-Sale or End-of-Life reports. For more information, see Changing the Data Source for PSIRT/EOS/EOL Reports.

Changing the Data Source for PSIRT/EOS/EOL Reports

You can use the PSIRT/EOX Reports option to change the data source for generating a PSIRT or End-of-Sale or End-of-Life report. To access this option, select Reports > Fault and Event > PSIRT Summary This section contains: • Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com • Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location

Administration of Cisco Prime LAN Management Solution 4.2 8-14 OL-25947-01 Chapter 8 Administering Collection Settings PSIRT or End-of-Sale or End-of-Life Data Administration

When you schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the data either from Cisco.com or from a local text file with XML data, depending upon the option you have set.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-15 Chapter 8 Administering Collection Settings PSIRT or End-of-Sale or End-of-Life Data Administration

To change the PSIRT or End-of-Sale/End-of-Life report settings:

Step 1 Select Admin > Network > PSIRT, EOS and EOL Settings > PSIRT/EOX Reports option. The PSIRT/EOX Reports dialog box appears. Step 2 Either: • Select Cisco.com, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data from Cisco.com Or • Select Local, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data from local file. The local file location is shown if you have selected Local. Step 3 Click Apply The PSIRT or End-of-Sale or End-of-Life report can be generated based on the settings specified by you.

Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com

You can use the Cisco.com option, if you have access to Cisco.com from the LMS server. When you schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the data from Cisco.com. The report so generated consists of latest data from the system PSIRT and EOX job. If you have opted to generate a PSIRT or End-of-Sale or End-of-Life report using data from Cisco.com, you must setup the Cisco.com user account using Admin > System > Cisco.com Settings > User Account Setup. If you do not configure the Cisco.com user account, the System PSIRT and EOX job will fail.

Note While you schedule a PSIRT Summary report job or End-of-Sale or End-of-Life job using the Cisco.com method, the Cisco.com Username, Cisco.com Password are enabled. If you have configured the Proxy Server (Admin > System > Cisco.com Settings > Proxy Server Setup) then Proxy Username and Proxy Password fields are also enabled.

Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location

You can use the Local option, if you do not have an internet connection from the LMS server. The local file is a text file with XML data in it.

Downloading the text file with XML data from Cisco.com You can retrieve the PSIRT or End-of-Sale or End-of-Life information from an external server and store it in the local file location on the LMS server. To download the text file with XML data from Cisco.com: 1. Use a server other than LMS server with internet connection as the external server. 2. From this external server, access the following link to download the XML data:

Administration of Cisco Prime LAN Management Solution 4.2 8-16 OL-25947-01 Chapter 8 Administering Collection Settings PSIRT or End-of-Sale or End-of-Life Data Administration

For EoS/EoL Hardware Report: 1. Go to http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwar eid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=l atest# 2. Login to Cisco.com by entering the Cisco.com user name and password. 3. Download the PSIRT_EOX_OFFLINE.zip file. 4. Extract the text file with XML data to the external server. 5. Copy the text file from the external server into the LMS Server under: – On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml – On Windows, NMSROOT\files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml The text file with XML data gets saved under local_xml folder. Where NMSROOT is the default Cisco Prime installation directory. For EoS/EoL Software Report: 1. Go to http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwar eid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=l atest# 2. Login to Cisco.com by entering the Cisco.com user name and password. 3. Download the EOX_SOFTWARE.zip file to the external server. 4. Copy the EOX_SOFTWARE.zip file from the external server into the LMS Server under: – On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml – On Windows, NMSROOT\files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml

Note You must not extract the EOX_SOFTWARE.zip file in the LMS Server.

The EOX_SOFTWARE.zip file gets saved under local_xml folder. Where NMSROOT is the default Cisco Prime installation directory. When you schedule a PSIRT or End-of-Sale/End-of-Life report, the Report Generator retrieves the data from the XML file. To ensure that the data shown in the PSIRT or End-of-Sale or End-of-Life report is the latest: 1. Retrieve the PSIRT or End-of-Sale or End-of-Life information from Cisco.com using an external server which has internet connection. 2. Store this retrieved XML information in the local file location. 3. Then generate a PSIRT Summary Report or End-of-Sale or End-of-Life report. For more information, see: – Downloading the text file with XML data from Cisco.com

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-17 Chapter 8 Administering Collection Settings Administering VRF Lite

Administering VRF Lite

From the Admin tab in the mega menu you can administer the following features of VRF Lite: • Provide VRF Lite Collector Settings. For details, see Using VRF Lite Collector Settings. • Schedule VRF Lite Collection. For details, see Scheduling VRF Lite Collector. • Modify SNMP Timeouts and Retries. For details, see Modifying VRF Lite SNMP Timeouts and Retries. You can specify the debugging options for VRF Lite Server, VRF Lite Collector, and VRF Lite, select Admin > System > Debug Settings. You can view the status of VRF Lite jobs, select Admin > Jobs > Browser, and use the filter to view only VRF Lite jobs. You can configure purging interval for Virtual Network Manager Report Jobs and Archives, select Admin > Network > Purge Settings > VRF Management Purge Settings. For details, see Purging VRF Management Reports Jobs and Archived Reports. This section contains: • Using VRF Lite Collector Settings • Scheduling VRF Lite Collector • Modifying VRF Lite SNMP Timeouts and Retries

Using VRF Lite Collector Settings

You can perform the following administrative tasks using the VRF Lite Collector Settings page: • Schedule VRF Lite Collector You can schedule the VRF Lite Collector process to run after every Data Collection. The VRF Lite Collector process is scheduled to collect VRF Lite-specific details of the VRF Lite Capable and VRF Lite Supported devices. You can add, edit and delete VRF Lite Collector Schedule jobs. To schedule the VRF Lite Collection process, click Schedule VRF Lite Collector link. For details, see Scheduling VRF Lite Collector. • VRF Lite SNMP Timeouts and Retries Settings You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular device with SNMP timeout exceptions. To modify the VRF Lite SNMP Timeouts and Retries Settings, click VRF Lite SNMP Timeouts and Retries Settings link. For details, see Modifying VRF Lite SNMP Timeouts and Retries.

Administration of Cisco Prime LAN Management Solution 4.2 8-18 OL-25947-01 Chapter 8 Administering Collection Settings Administering VRF Lite

Scheduling VRF Lite Collector

You can schedule the day and the time of VRF Lite Collection using this feature. You can add a new schedule, edit or delete existing schedules. To schedule VRF Lite Collector:

Step 1 Select Admin > Collection Settings > VRF Lite > VRF Lite Collector Schedule. The VRF Lite Collector Schedule dialog box appears. Step 2 Enter the details as mentioned in Table 8-3.

Table 8-3 VRF Lite Collection Schedule Settings

Field Description Usage Notes Schedule Run VRF Lite Allows you to enable or disable VRF Lite • Enable: Check the check box to enable VRF Lite Collector After Collection after every Data Collection. Collection after every Data Collection and click Apply. Every Data The VRF Lite Collection collects VRF • Disable: Uncheck the check box to disable VRF Lite Collection Lite-specific details. Collection after every Data Collection and click Apply. Job ID Job ID of the VRF Lite Collector Schedule Display only. job. Schedule VRF Lite Collector Days, Hour, Min Days on which and the time at which VRF The optimum VRF Lite collection schedule depends on the Lite collection is scheduled. size of the network and the frequency of network changes. By default, the VRF Lite collection process is scheduled to run after the Data Collection process has completed. Recurrence Select the days of the week on which VRF This field is available only when you are adding or editing a Pattern Lite collection is to be scheduled. schedule. Job Description Description of the VRF Lite Collector Enter the description of the VRF Lite Collector Schedule job. Schedule job.

• Select a schedule and click Edit to edit the schedule • Select a schedule and click Delete to delete the schedule • Click Add to add a new schedule Step 3 Click OK to save the details Or Click Cancel to exit the VRF Lite Collection Schedule dialog box.

You can view the status of VRF Lite Collector Schedule job, select Admin > Jobs > Browser, and use the filter to view VRF Lite Collector Schedule job.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-19 Chapter 8 Administering Collection Settings Administering VRF Lite

Modifying VRF Lite SNMP Timeouts and Retries

You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular device with SNMP timeout exceptions. To modify SNMP timeouts and retries:

Step 1 Select Admin > Network > Timeout and Retry Settings > VRF Lite SNMP Timeouts and Retries. The VRF Lite SNMP Timeouts and Retries dialog box appears. Step 2 Modify the SNMP settings as given in Table 8-4.

Table 8-4 Modify VRF Lite SNMP Timeouts and Retries

Field Description Target IP address of the target device. For example, 10.*.*.* Timeouts Time period after which the query times out. This also indicates the time interval between the request and the first initial response from the device. The SNMP response may be slow for remote devices. If your network has remote devices connected over a slow link, configure a higher value for time-out. If Time out is increased, Discovery time could also increase. Enter the value in seconds. The allowed range is 0-60. For every retry, the Timeout value is doubled. For example, If the Timeout is 10 seconds and retries 4: LMS waits for 10 seconds for response for the first try, 20 seconds for the second retry, 40 seconds for the third retry and 80 seconds for the fourth retry. 150 seconds (10+20+40+80) is the total time lapse after which Virtual Network Manager stops querying the device. Retries Number of attempts made to query the device. The allowed range is 0-8.

Step 3 Click Add to add VRF Lite SNMP settings. Step 4 Select a row and either: • Click Edit to edit the VRF Lite SNMP Timeouts and Retries value. Or • Click Delete to delete the VRF Lite SNMP Timeouts and Retries value. Click OK to save the changes or click Cancel to exit. Step 5 Click Apply.

Administration of Cisco Prime LAN Management Solution 4.2 8-20 OL-25947-01 Chapter 8 Administering Collection Settings Modifying Fault Management SNMP Timeout and Retries

Modifying Fault Management SNMP Timeout and Retries

If an SNMP query does not respond in time, Fault Management will time out. It will then retry contacting the device for as many times as displayed when you select Admin > Network > Timeout and Retry Settings > Fault Management SNMP Timeouts and Retries. The timeout period is doubled for every subsequent retry. For example, if the timeout value is 4 seconds and the retries value is 3, LMS waits for 4 seconds before the first retry, 8 seconds before the second retry, and 16 seconds before the third retry. The SNMP timeout and retries are global settings. The default values are: • Timeout—4 seconds • Retries—3

Note Changing the settings on this page will modify the settings on all devices managed by LMS.

Note Your login determines whether or not you can perform this task. View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

To modify the Fault Management SNMP timeout and retries:

Step 1 Select Admin > Network > Timeout and Retry Settings > Fault Management SNMP Timeouts and Retries. The SNMP Configuration page appears. Step 2 Select a new SNMP timeout setting. Step 3 Select a new Number of Retries setting. Step 4 Click Apply. Step 5 In the confirmation box, click Yes.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-21 Chapter 8 Administering Collection Settings Configuring Fault Management Rediscovery Schedules

Configuring Fault Management Rediscovery Schedules

Note Your login determines whether or not you can perform this task. View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

LMS rediscovery probes the devices to discover their configuration and verify their manageable elements in inventory. LMS contains a default discovery schedule that starts rediscovery on a weekly basis. Although you cannot modify the default discovery schedule, you can suspend it and add, modify, or delete additional schedules. For more information, see • Suspending and Resuming a Rediscovery Schedule • Adding and Modifying a Rediscovery Schedule

Suspending and Resuming a Rediscovery Schedule

LMS includes a default rediscovery schedule, Default_Schedule. You cannot edit or delete Default_Schedule, but you can suspend it. To completely suspend rediscovery for a period of time, you may have to repeat this procedure to suspend multiple schedules. To suspend and resume a rediscovery schedule:

Step 1 Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule. The Rediscovery Schedule page appears. Step 2 You can either: • Select a schedule that does not have a Suspended status, and click Suspend. The status for the schedule changes to Suspended and the schedule does not run until you resume the schedule. The schedule remains listed on the Rediscovery Schedule page until you delete it. Or • Select a schedule with a status of Suspended and click Resume. The status for the schedule changes to Scheduled.

Administration of Cisco Prime LAN Management Solution 4.2 8-22 OL-25947-01 Chapter 8 Administering Collection Settings Configuring Fault Management Rediscovery Schedules

Adding and Modifying a Rediscovery Schedule

See Performing Scheduling Tasks to plan the rediscovery schedule for maximum efficiency and minimum system impact.

Performing Scheduling Tasks You should plan the rediscovery schedule for maximum efficiency and minimum system impact. When LMS is first installed, for the Fault Management module most tasks listed in Table 8-5 are scheduled by default to ensure that they do not run concurrently. You can configure the schedules for these tasks to meet the requirements of your site. However, you should still avoid running them concurrently.

Table 8-5 Scheduling Considerations

Configuration Task Default Schedule Comments and Notes Database purging Run daily at The amount of time it takes to purge the database midnight. depends on the size of the database. For more information on how to configure the Daily Fault History Purging Schedule, see Configuring the Daily Fault History Purging Schedule. Rediscovery Run weekly on By default, rediscovery starts 2 hours after database Monday at 2:00 a.m. purging.

In addition to configuring schedules, a system administrator can schedule database backups. Be careful while coordinating the database backup schedule to avoid running concurrently with the tasks listed in Table 8-5. To add or edit a rediscovery schedule:

Step 1 Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule. Step 2 Select either: • Click Add. Or • Select a rediscovery schedule with a status of Scheduled and click Edit. You cannot edit Default_Schedule. Step 3 Enter a name for the schedule. Step 4 Select how often the schedule should run: • Once • Daily • Weekly (default) • Monthly

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-23 Chapter 8 Administering Collection Settings Configuring Event Forensics

Step 5 Select the date, hour, and minute on which to start the rediscovery schedule and click Next. Step 6 Review the information on the Schedule Summary page and click Finish. The Rediscovery Schedule page appears, listing the new schedule.

Deleting a Rediscovery Schedule To delete a rediscovery schedule:

Step 1 Select a rediscovery schedule and click Delete. A confirmation dialog box appears.

Note You cannot delete Default_Schedule.

Step 2 Click Yes. The job is removed from this page. However, it will continue to be listed in the main Job Browser.

Configuring Event Forensics

Event Forensics refer to additional information related to the specific events that are polled by LMS server. The polled data are stored on the server and you can use this for troubleshooting. You must enable the Event Forensics collection feature on LMS server to start collecting the event forensics data. To enable collection of Event Forensics:

Step 1 Click Admin > Collection Settings > Fault > Fault Event Forensics Configuration. The Event Forensics Configuration page appears. Step 2 Select the Event Forensics Enable check box to enable LMS to collect forensics data. Step 3 Click Apply. LMS polls for Event Forensics data for the following events only: • Device unavailability or unresponsiveness • Flapping • Operationally Down

To view the event forensics results select Monitor > Monitoring Tools > Fault Monitor. You can see the event forensics results when you move your mouse over the Annotations in the Faults table of Fault Monitor Device Fault Summary view tab.

Administration of Cisco Prime LAN Management Solution 4.2 8-24 OL-25947-01 Chapter 8 Administering Collection Settings Fault Monitoring Device Administration

Fault Monitoring Device Administration

To rediscover and delete specific devices, select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault Monitoring Device Administration page contains two panes. • The left pane displays a device selector, from which you select the device or group that you want to rediscover or delete. The left pane includes a search option • The right pane displays the information for the selected object. Click the Refresh button to refresh the view.

Note If the IP addresses of the device and its components such as interface or port are added separately in DCR then only device IP will be managed in fault Management and the components IP will not be managed separately as the components are already managed under the device IP.

The devices that appear in the device selector are organized in folders by device state as shown in the Table 8-6. The folders appear only if there is a device to go in the folder.

Table 8-6 Device Summary and Device States

Heading Description Status Lists the state the devices are in, from the following possibilities: Known The device has been successfully imported, and is fully managed by Fault Management. Learning Fault Management is discovering the device. This is the beginning state, when the device is first added or is being rediscovered. Some of the data collectors may still be gathering device information. Questioned Fault Management cannot successfully manage the device. Pending The device is being deleted. (Fault Management is waiting for confirmation from all of its data collectors before purging the device and its details.) Unknown IPv6 device or the selected algorithm is not supported in Fault Management.

Rediscovering Devices When rediscovery takes place, if there are any changes to a device or group configuration, the new settings will overwrite any previous settings. Rediscovery occurs only for managed devices, and not suspended devices. Rediscovery also occurs when: • Inventory collection occurs. This is controlled by the Rediscovery Schedule (Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule) • A device is added to the DCR, or a change is made to a device in the DCR, and LMS is configured to import that device type (or LMS automatically imports all DCR devices). Such DCR changes include a device being deleted or having its credentials (IP address, SNMP credentials, MDF type) changed in the DCR.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-25 Chapter 8 Administering Collection Settings Device Management Functions

• A device is manually added to LMS using the Device Import page.

Note Do not confuse the LMS discovery process with the DCR synchronization process. LMS Discovery and Rediscovery is a process that affects only the LMS inventory.

To rediscover devices:

Step 1 Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault Monitoring Device Administration page appears. Step 2 Select the device or group that you want to rediscover. With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To assist you in locating devices, use the search option in the device selector.

Note If you are connecting to the LMS server for the first time, a Security Alert window is displayed after you select nearly any option. Do not proceed without viewing and installing the security certificate. You should contact a user with System Administrator privileges to create a self-signed security certificate, and then install it. If you do not install the self-signed security certificate, you may not be able to access some LMS application pages.

Step 3 Click Rediscover. Rediscovery starts. To view rediscovery status, select Inventory > Device Administration > Manage Device State.

Note If the number of components managed by fault management exceeds 40000/domain then the remaining devices will be moved to Question State with the error message “Network Adapter Limit Exceeded”.

Question State Device Report Creating a question state device report involves the following steps:

Step 1 Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault Monitoring Device Administration page appears. Step 2 Click Question State Devie Report. The question state device report containing the device name, device IP, discovery start time and error details is displayed.

Device Management Functions

Till LMS 3.2 there were 8 different applications like Common Services, Portal and applications covering functionalities in FCAPS model.

Administration of Cisco Prime LAN Management Solution 4.2 8-26 OL-25947-01 Chapter 8 Administering Collection Settings Performance Management SNMP Timeouts and Retry Settings

LMS 4.2 removes application boundaries and provides tighter integration among the components. It groups all the related functionalities in one place, thus making the product more user friendly. LMS 4.2 consists of the following five functionalities: • Inventory, Config and Image Management • Network Topology, Layer 2 Services and User Tracking • Fault Management • IPSLA Performance Management • Device Performance Management To view the functionality settings: Select Admin > System > Device Management Functions. By default, all the functions will be enabled. If you have a 10K license, only Inventory, Config and Image Management will function. You should disable all functions except Inventory, Config and Image Management from this page.

Note If you disable a function, the function will stop collecting device information. For IPSLA Management, history data will be deleted.

Performance Management SNMP Timeouts and Retry Settings

Cisco Prime LMS allows you to configure the Performance Management SNMP timeout and SNMP retries using the Poll Settings option. The Performance Management SNMP timeout and SNMP retries are based on the device and network response time. • SNMP timeout is the duration of time that LMS waits for the device to respond before it retries to query the device again. • SNMP retry is the maximum number of times LMS retries to query the device. You can also set the notification interval time in case of poller failures and the e-mail ID to which the notification should be sent. You can also configure Poll Settings to send the polling failure report as an e-mail. To configure Poll Settings:

Step 1 Select Admin > Network > Timeout and Retry Settings > Performance Management SNMP timeouts and retry settings. The Poll Settings dialog box appears. Table 8-7 describes the fields in the Poll Settings dialog box.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-27 Chapter 8 Administering Collection Settings IPSLA Application Settings

Table 8-7 Poll Settings Fields

Field Description Poll Details SNMP Timeout Specify the SNMP timeout interval in seconds. The default SNMP timeout value is 3 seconds. You can change the default SNMP timeout value to a value between 1 to 15 seconds. SNMP Retries Specify the SNMP retries count. The default SNMP retry count value is 1. You can set the default SNMP retry count to a value from 0 to 3. Polling Failure Notification Interval Specify the polling failure notification interval. You can select any of these predefined values. The default option is 6 hours. • 01 - Hour—Polling failures notified every 1 hour. • 06 - Hours—Polling failures notified every 6 hours. • 24 - Hours—Polling failures notified every 24 hours. • 48 - Hours—Polling failures notified every 48 hours. • Weekly—Polling failures notified every week. Polling failure notification report is generated periodically based on notification interval. This report contains information on the SNMP polling failures with device details. E-mail ID Enter the e-mail address. The E-mail address must be in the format: [email protected]. The poll failure report is send to the E-mail address based on the Notification Interval.

Step 2 Update the necessary fields in the following panes: • Poll Details • Polling Failure See Table 8-7 for the description of fields that appear in the Poll Settings dialog box. Step 3 Click Apply to update the poll settings or Reset to cancel the poll settings. A message appears confirming that poll settings are updated successfully.

IPSLA Application Settings

The IPSLA Application Settings page allows you to copy IP SLA (Internet Protocol Service Level Agreement) configuration to running-config, and set managed source interface. • Copying IPSLA Configuration to Running-Config • Managed Source Interface Setting

Administration of Cisco Prime LAN Management Solution 4.2 8-28 OL-25947-01 Chapter 8 Administering Collection Settings IPSLA Application Settings

Copying IPSLA Configuration to Running-Config

You can see the IPSLA (Internet Protocol Service Level Agreement) probes for the collectors that you configure in LMS at the command line interface of the router in the running configuration by selecting the Copy IP SLA Configuration to running-config option on the Application Settings page. This option is not selected by default. You cannot view the IPSLA probes in the running configuration of the source router if this option is not set.

Note The IP SLA probes are automatically reconfigured when you reboot if you have selected this option and saved the IP SLA probes of the LMS collectors in the startup configuration.

To view the configured collectors in the running configuration:

Step 1 Select Admin > Collection Settings > Performance > IPSLA application settings. The IPSLA Application Settings page appears. Step 2 Select the Copy IPSLA Configuration to Running-config check box. Step 3 Click Apply. A message appears that the application settings have been modified successfully. Click Default to retain the default settings. Step 4 Click OK.

Managed Source Interface Setting

Managed Source Interface configures the source router with appropriate IP address for sending/receiving the IPSLA (Internet Protocol Service Level Agreement) operation packets. You can set a source interface address for the source router by selecting the Use Managed Source Interface Address option on the Application Settings page. After this option is set, the source router uses the managed interface address while configuring the collectors on the source device. However, you can also specify a source interface address while configuring a collector. In this case, the source router uses the specified interface. If the Use Managed Source Interface option is not set, then by default, the source router selects the source interface for the collector from the Routing Table based on the IP address of the destination. To set a source interface address:

Step 1 Select Admin > Collection Settings > Performance > IPSLA application settings. The Application Settings page appears. Step 2 Select the Use Managed Source Interface Address check box. Step 3 Click Apply. A message appears that the application settings have been modified successfully. Click Default to retain the default settings. Step 4 Click OK.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-29 Chapter 8 Administering Collection Settings Setting Up Archive Management

Setting Up Archive Management

You can move the directory for archiving the LMS device configuration and enable and disable the usage of Shadow directory. You can also list the commands that need to be excluded while comparing configuration To do this select Configuration > Configuration Archive > Summary. This section contains: • Preparing to Use the Archive Management • Entering Device Credentials • Modifying Device Configurations • Modifying Device Security • Moving the Configuration Archive Directory • Enabling and Disabling the Shadow Directory • Configuring Exclude Commands • Configuring Fetch Settings

Preparing to Use the Archive Management

Before you start using the Archive Management, you must: • Enter Device Credentials (See Entering Device Credentials for details) • Modify Device Configurations (See Modifying Device Configurations for details) • Modify Device Security (See Modifying Device Security for details)

Entering Device Credentials

Enter the following device credentials in the Device and Credentials window (Admin > Network > Configuration Job Settings > Config Job Policies): • Read and write community strings • Primary Username and Password • Primary Enable Password If you have enabled the Enable Job Password option in the Config Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies) when you scheduled the Config jobs, you are prompted for the following device credentials: • Login User name • Login Password • Enable Password

Administration of Cisco Prime LAN Management Solution 4.2 8-30 OL-25947-01 Chapter 8 Administering Collection Settings Setting Up Archive Management

The supported Device authentication prompts are: • Routers “Username:”, “Username: ” “Password:”, “Password: ” • Switches “username: ”, “Username: ” “password: ”, "Password: ” • Cisco Interfaces and Modules—Network Analysis Modules “login: ” “Password: ” “password: ” • Security and VPN—PIX “username: ”, “Username: ” “passwd: ”, “password: ”, “Password: ” • Content Networking—Content Service Switch “Username: ”, “username: ”, “login: ”,“Username:” , “username:” , “login:” “Password: ”, “password: ”, “passwd: ”,”Password:” , “password:” , “passwd:” • Content Networking—Content Engine “Username: ” ,”login: ” “Password: ” • Storage Networking—MDS Devices “Username:”, “Username: ” “Password:”, “Password: ” If you enabled TACACS for a device and configured custom TACACS login and passwords prompts, you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts recognizable, you must edit the TacacsPrompts.ini file. See Handling Custom Telnet Prompts for more information.

Handling Custom Telnet Prompts To handle custom telnet prompts in applications, you must configure the TacacsPrompts.ini file located at: NMSROOT/objects/cmf/data (on Solaris/Soft Appliance) NMSROOT \objects\cmf\data (on Windows) where NMSROOT is the location where you have installed Cisco Prime LMS. The format of this ini file is: [TELNET] USERNAME_PROMPT= PASSWORD_PROMPT=

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-31 Chapter 8 Administering Collection Settings Setting Up Archive Management

For example, if you have configured username and password prompts as MyUserName: and MyPassword: for a few devices and SecretUserName: and Secrect Password: for a few devices, the ini file must be configured as:

[TELNET] USERNAME_PROMPT=MyUsername:, Secret Username: PASSWORD_PROMPT=MyPassword:, Secret Password:

Note You need not add the default Username prompt and Password prompt in the TacacsPrompts.ini file. Only the custom prompts need to be added.

Modifying Device Configurations

To enable the configuration archive to gather the configurations, modify the device configurations for the following: • Enabling rcp • Enabling scp • Enabling https • Configuring Devices to Send Syslogs

Enabling rcp

To enable the configuration archive to gather the configurations using the rcp protocol, modify your device configurations. Make sure the devices are rcp-enabled by entering the following commands in the device configurations: # ip rcmd rcp-enable # ip rcmd remote-host local_username {ip-address | host} remote_username [enable] Where ip_address | host is the IP address/hostname of the machine where LMS is installed. Alternatively, you can enter the hostname instead of the IP address. The default remote_username and local_username are cwuser. Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS server. To do this, use the command, no ip rcmd domain-lookup for rcp to fetch the device configuration.

Administration of Cisco Prime LAN Management Solution 4.2 8-32 OL-25947-01 Chapter 8 Administering Collection Settings Setting Up Archive Management

Enabling scp

To enable the configuration archive to gather the configurations using the scp protocol, modify your device configurations. To configure local User name: aaa new-model aaa authentication login default local aaa authentication enable default none aaa authorization exec default local

username admin privilege 15 password 0 system ip ssh authentication-retries 4 ip scp server enable To configure TACACS User name: aaa new-model aaa authentication login default group tacacs+ aaa authentication enable default none aaa authorization exec default group tacacs+

ip ssh authentication-retries 4 ip scp server enable User on the TACACS Server should be configured with priv level 15: user = admin { default service = permit login = cleartext "system" service = exec { priv-lvl = 15 } }

Enabling https

To enable the configuration archive to gather the configurations using https protocol you must modify your device configurations. To modify the device configuration, follow the procedure as described in this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_eol_notices_list.html

Configuring Devices to Send Syslogs

Configure your devices for Syslog Analysis if you want the device configurations to be gathered and stored automatically in the configuration archive when Syslog messages are received. After you perform these tasks and the devices become managed, the configuration files are collected and stored in the configuration archive.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-33 Chapter 8 Administering Collection Settings Setting Up Archive Management

Modifying Device Security

Configuration Management must be able to run certain commands on devices to archive their configurations. You must have the required permissions to run these Configuration Management commands: • Router Commands • Switches Commands • Content Networking—Content Service Switch Commands • Content Networking—Content Engine Commands • Cisco Interfaces and Modules—Network Analysis Modules • Security and VPN—PIX Devices For example, you can use the LMS server to access the devices using Telnet or SSH to archive their configurations. Ensure that the user credentials provided by you in DCR has the required permissions to access the devices and execute the above mentioned configuration CLI commands on the devices to fetch the configurations. These configuration information fetched from the devices by the LMS server is stored in the LMS database.

Router Commands

Command Description terminal length 0 Sets the number of lines on the current terminal screen for the current session terminal width 0 Sets the number of character columns on the terminal screen for the current line for a session show privilege Displays your current level of privilege Show running Gets running configuration. Show startup Gets startup configuration Show running-brief1 Gets the running configuration in brief by excluding the encryption keys.

1. This is applicable for the IOS release 12.3(7)T release or later.

The commands in the above tables also apply to the following device types: • Universal Gateways and Access Servers • Universal Gateways and Access Servers • Optical Networking • Broadband Cable • Voice and Telephony • Wireless • Storage Networking

Administration of Cisco Prime LAN Management Solution 4.2 8-34 OL-25947-01 Chapter 8 Administering Collection Settings Setting Up Archive Management

Switches Commands

The switches commands are:

Command Description set length 0 Configures the number of lines in the terminal display screen set logging session Disables the sending of system logging messages to the current login disable session. write term Gets running configuration.

Content Networking—Content Service Switch Commands

The Content Service Switch commands are:

Command Description no terminal more Disables support for more functions with the terminal. show running-config Gets all components of the running configuration. show startup-config Gets the CSS startup configuration (startup-config).

Content Networking—Content Engine Commands

The Content Engine commands are:

Command Description terminal length 0 Sets the number of lines on the current terminal screen for the current session show run Gets running configuration. show config Gets startup configuration.

Cisco Interfaces and Modules—Network Analysis Modules

The Network Analysis Modules commands are:

Command Description terminal length 0 Sets the number of lines on the current terminal screen for the current session show autostart Displays autostart collections show configuration Gets startup configuration.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-35 Chapter 8 Administering Collection Settings Setting Up Archive Management

Security and VPN—PIX Devices

The PIX devices commands are:

Command Description terminal width 0 Sets the number of character columns on the terminal screen for the current line for a session show config Gets startup configuration. show running Gets running configuration. show curpriv View the current logged-in user. no pager Removes paging control

Moving the Configuration Archive Directory

You can move the directory where the configuration of the devices can be archived on the LMS server. The default Configuration Archive directory is: On LMS Solaris/Soft Appliance server, /var/adm/CSCOpx/files/rme/dcma On LMS Windows server, NMSROOT\files\rme\dcma Where NMSROOT is the Cisco Prime installed directory. The new archive directory location should have the permission for casuser:casusers in Solaris and casuser should have Full Control in Windows. The new archive directory location should not be the root of any drive (F:\) and must be a subdirectory (F:\LMSarchives).

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

The following is the workflow for moving the configuration archive location:

Step 1 Stop the ConfigMgmtServer process. To do this: a. Select Admin > System > Server Monitoring > Processes. The Process Management dialog box appears. b. Select the ConfigMgmtServer process. c. Click Stop. Step 2 Select Admin > Collection Settings > Config > Config Archive Settings. The Archive Settings dialog box appears. Step 3 Enter the new location in the Archive Location field, or click Browse to select a directory on your system.

Administration of Cisco Prime LAN Management Solution 4.2 8-36 OL-25947-01 Chapter 8 Administering Collection Settings Setting Up Archive Management

Step 4 Click Apply. A message appears confirming the changes. Step 5 Restart the ConfigMgmtServer process. To do this: a. Select Admin > System > Server Monitoring > Processes. The Process Management dialog box appears. b. Select the ConfigMgmtServer process. c. Click Start.

Enabling and Disabling the Shadow Directory

The configuration archive Shadow directory is an image of the most recent configurations gathered by the configuration archive. The Shadow directory contains subdirectories that represent each device class and the latest configurations supported by the configuration archive. Each file name is DeviceName.cfg, as defined in the Device and Credential Repository. Each time the archive is updated, the Shadow directory is updated with the corresponding information. The Shadow directory can be used as an alternative method to derive the latest configuration information programmatically by using scripts or other means. To access to the Shadow directory, you must be root or casuser on Solaris, or in the administrator group for Windows. You can find the Shadow directory in the following locations: • On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow • On Windows, NMSROOT/files/rme/dcma/shadow. Where NMSROOT is the directory in which LMS is installed (the default is C:\Program Files\CSCOpx).

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

You can enable or disable the use of Shadow directory by following this workflow:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-37 Chapter 8 Administering Collection Settings Setting Up Archive Management

Step 4 Click Apply. A message shows that the changes were made. Step 5 Restart the ConfigMgmtServer process. To do this: a. Select Admin > System > Server Monitoring > Processes. The Process Management dialog box appears. b. Select the ConfigMgmtServer process. c. Click Start.

Configuring Exclude Commands

You can list the commands that have to be excluded while comparing configuration. To do this select Admin > Collection Settings > Config > Config Compare Exclude Commands Configuration. You can enter multiple commands separated by commas. LMS provides default exclude commands for some Device Categories. For example, the default exclude commands for Router device category are, end,exec-timeout,length,width,certificate,ntp clock-period You can specify Exclude Commands at all these levels: • Device Category (For example, Routers, Wireless, etc.) • Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.) • Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.) While comparing configurations, if you have specified exclude commands in the Device Type, Device Family and Device Category, these commands are excluded only at the Device Type level. The commands in the Device Family and Device Category are not excluded.

Example 1: If you have specified these commands at, • Routers (Device Category) level end,exec-timeout,length,width,certificate,ntp clock-period • Cisco 1000 Series Routers (Device Family) level banner incoming,snmp-server location • Cisco 1003 Router (Device Type) level ip name-server,banner motd,snmp-server manager session-timeout While comparing configurations, only the Cisco 1003 Router (Device Type) level commands are excluded.

Administration of Cisco Prime LAN Management Solution 4.2 8-38 OL-25947-01 Chapter 8 Administering Collection Settings Setting Up Archive Management

Example 2: If you have specified these commands only at Device Family and Device Category, • Routers (Device Category) level end,exec-timeout,length,width,certificate,ntp clock-period • Cisco 1000 Series Routers (Device Family) level banner incoming,snmp-server location • Cisco 1003 Router (Device Type) level No commands specified. While comparing configurations, only the Cisco 1000 Series Routers (Device Family) level commands are excluded. If the commands are specified only at the Device Category level, these commands are applicable to all devices under that category. To configure Exclude Commands:

Step 1 Select Admin > Collection Settings > Config > Config Compare Exclude Commands Configuration. The Configure Exclude Commands dialog box appears. Step 2 Select one of these from the Device Type Selector pane: • Device Category (For example, Routers, Wireless, etc.) • Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.) • Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.) Step 3 Enter the command in the Exclude Commands pane to add new commands. You can enter multiple commands separated by commas. You can also edit or delete the existing commands in the Exclude Commands pane. Step 4 Click Apply. A message appears, The commands to be excluded are saved successfully.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-39 Chapter 8 Administering Collection Settings Understanding Configuration Retrieval and Archival

Configuring Fetch Settings

You can configure the Job Result Wait Time per device for the Sync Archive Jobs. The default value is 120 seconds. The minimum value can be set to 60 seconds. Job Result Wait Time is the maximum wait time that Archive Management waits to get the configurations from the device during the sync-archive job execution. To configure the Job Result Wait Time:

Step 1 Select Admin > Collection Settings > Config > Config Job Timeout Settings. The Fetch Settings dialog box appears. Step 2 Provide the Job Result wait time in seconds in the Maximum time to wait for Job results per device (seconds) field. Step 3 Click either of these: • Click Apply, if you want to submit the Job Result Wait Time entered. • Click Cancel if you want to cancel the changes made to the Job Result Wait Time.

Understanding Configuration Retrieval and Archival

LMS supports different ways to trigger the retrieval of configuration files from the device for archival purposes. This section contains: • Schedule Periodic Configuration File Archival • Schedule Periodic Configuration Polling • Manual Updates (Sync Archive function) • Using Version Summary • Timestamps of Configuration Files • How Running Configuration is Archived • Change Audit Logging

Schedule Periodic Configuration File Archival

LMS will archive both the startup and running configuration files for all devices at the scheduled time (6-hourly, 12-hourly, daily, weekly, monthly), as configured by the user. Since this method collects the full running configuration and startup configuration files for the entire network, we recommend that you schedule this to run at no more than once per day, especially if the network is large and outside the LAN. See Defining the Configuration Collection Settings for further details.

Administration of Cisco Prime LAN Management Solution 4.2 8-40 OL-25947-01 Chapter 8 Administering Collection Settings Understanding Configuration Retrieval and Archival

Schedule Periodic Configuration Polling

LMS can be configured to periodically poll configuration MIB variables on devices that support these MIBs according to a specified schedule, to determine if either the startup or running configuration file has changed. If it has, LMS will retrieve and archive the most current configuration file from the device. Polling uses fewer resources than full scheduled collection, because configuration files are retrieved only if the configuration MIB variable is set. On IOS devices the variables ccmHistoryRunningLastChanged and ccmHistoryStartupLastChanged from the CISCO-CONFIG-MAN-MIB MIB, and on CATOS the variable sysConfigChangeTime from CISCO-STACK-MIB are used to detect the change. Any change in the value of these variables causes the configuration file to be retrieved from the device. SNMP change polling works only in case of IOS and CATOS devices which support these MIBs. If these MIBs are not supported on the devices, then by default, configuration fetch will be initiated without checking for the changes. By default, the Periodic Collection and Polling are disabled. See Defining the Configuration Collection Settings for scheduling the periodic polling.

Note The Syslog application triggers configuration fetch, if configuration change messages like SYS-6-CFG_CHG, CPU_REDUN-6-RUNNING_CONFIG_CHG etc., are received.

Manual Updates (Sync Archive function)

This feature allows the LMS user to force the configuration archive to check specified devices for changes to the running configuration file only. Use Sync Archive if you need it to synchronize quickly with the running configuration. You can also poll the device and compare the time of change currently on the device with the time of last archival of the configuration to determine whether the configuration has changed on a device. The Startup configuration is not retrieved during manual update archive operation. However, you can retrieve the Startup configuration by enabling the Fetch startup Config option while scheduling Sync Archive job. To use this function select Configuration > Configuration Archive > Synchronization.

Using Version Summary

You can trigger a configuration file retrieval by clicking on the Running or Startup configuration in the Configuration Version Summary report (select Configuration > Configuration Archive > Views > Version Summary). After a configuration file is fetched from the device, as described above, LMS submits the configuration file for archival.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-41 Chapter 8 Administering Collection Settings Understanding Configuration Retrieval and Archival

Timestamps of Configuration Files

These are timestamps of a running configuration file, or the change time (in change audit), indicate the time at which LMS system archived the configuration file. This is not the time at which the configuration actually changed on the device. If changes are detected immediately using Syslog messages, the timestamp should be very close to the actual configuration change time on the device. Startup configurations are handled differently by LMS. Startup configs are simply saved into the system, as they are retrieved from the device (unlike running configurations, which are compared and saved in versioned archives, if different). The timestamps of Startup Configuration files are just the archival times, and do not indicate the change time. In the version summary reports, the Running and Startup are links, which when clicked will retrieve in real time, the respective configuration from the device. This column does not have a timestamp associated with it. In the Out-Of-Sync report (select Configuration > Compliance > Out-of-Sync Summary), the Startup configuration column indicates the last archived startup configuration along with its timestamp, and the Running configuration column indicate the last archived running config along with its timestamp.

How Running Configuration is Archived

The workflow for archiving the Running configuration is: 1. If LMS detects an effective change, the new configuration is queued for Archival. 2. The archiver, calculates the exact effective changes, assigns a new version number for the newly collected archive, and archives it in the system. 3. The archiver, at the end, logs a change audit record that the configuration of the device has changed, along with other Audit information. 4. If you have enabled the Enable Shadow Directory option in the Archive Settings dialog box (select Admin > Collection Settings > Config > Config Archive Settings) the latest running configuration file is also stored in a raw format for manual TFTP purposes to restore the configuration on the device, in the directory location: – On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow – On Windows, NMSROOT/files/rme/dcma/shadow. Where NMSROOT is the directory in which LMS is installed (the default is C:\Program Files\CSCOpx)

Note Startup configurations are not ‘versioned’ and only one copy of the startup configuration of devices (which supports startup configuration), is saved in the system. No change audit records are logged for changes in the ‘Startup Configuration’ files.

LMS first compares the collected configuration file, with the latest configuration in the archive, and checks to see if there are effective configurations changes from what was previously archived.

Administration of Cisco Prime LAN Management Solution 4.2 8-42 OL-25947-01 Chapter 8 Administering Collection Settings Defining the Configuration Collection Settings

Change Audit Logging

Config change audit records include information about, who changed (which user) the configuration, when the configuration change was identified by LMS, and other change information. • Any configuration change made through the LMS system (example, using Config Editor or Netconfig), will have the user name of the user who scheduled the change job. • Any configuration change that was done outside of LMS and detected through the configuration retrieval process, has the same user name as reported by the device through the CONFIG-MAN-MIB variable (ccmHistoryEventTerminalUser). • Changes identified through syslog messages, contain the user name identified in the Syslog message, if present.

Defining the Configuration Collection Settings

The configuration archive can be updated with configuration changes in two ways: • Periodic configuration archival (with and without configuration polling). To do this select Admin > Network > Collection Settings > Config > Config Collection Settings. • Manual configuration archival. To do this select using Configuration > Configuration Archive > Synchronization. You can modify how and when the configuration archive retrieves configurations by selecting one or all of the following:

Periodic Polling The configuration archive performs a SNMP query on the device. If there are no configuration changes detected in the devices, no configuration is fetched.

Periodic Collection The configuration is fetched without checking for any changes in the configuration. By default, the Periodic Collection and Polling are disabled.

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

The following is the workflow for defining the configuration collection setting:

Step 1 Select Admin > Config > Config Collection Settings. The Config Collection Settings dialog box appears. Step 2 Select one or all of the following options: Periodic Polling a. Select Enable for Configuration archive to performs a SNMP query on the device to retrieve configuration. b. Click Schedule. The Config Collection Schedule dialog box appears.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-43 Chapter 8 Administering Collection Settings Defining the Configuration Collection Settings

c. Enter the following information:

Field Description Scheduling Run Type You can specify when you want to run the configuration polling job. To do this, select one of these options from the drop-down menu: • Daily—Runs daily at the specified time. • Weekly—Runs weekly on the day of the week and at the specified time. • Monthly—Runs monthly on the day of the month and at the specified time. The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3. Date You can select the date and time (hours and minutes) to schedule. Job Information Job Description The system default job description, Default config polling job is displayed. You cannot change this description. E-mail Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.

d. Click OK. Periodic Collection a. Select Enable for Configuration archive to perform a periodic check on the device to retrieve configuration. b. Click Schedule. The Config Collection Schedule dialog box appears.

Administration of Cisco Prime LAN Management Solution 4.2 8-44 OL-25947-01 Chapter 8 Administering Collection Settings Defining the Configuration Collection Settings

c. Enter the following information:

Field Description Scheduling Run Type You can specify when you want to run the configuration collection job. To do this, select one of these options from the drop-down menu: • Daily—Runs daily at the specified time. • Weekly—Runs weekly on the day of the week and at the specified time. • Monthly—Runs monthly on the day of the month and at the specified time. The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3. Date You can select the date and time (hours and minutes) to schedule. Job Information Job Description The system default job description, Default config collection job is displayed. You cannot change this description. E-mail Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.

d. Click OK. VLAN config Collection a. Check the Disable VLAN config collection check box. b. Click Apply. The VLAN config collection will be disabled for both manual and system config collection jobs. By default the Disable VLAN Config collection checkbox is unchecked. Step 3 Either click Apply to accept the new values provided. Or Click Cancel if you want to discard the changes and revert to previously saved values. If you had clicked Apply, a message appears: New settings saved successfully. You can check the status of your scheduled job by selecting Admin > Jobs > Browser.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-45 Chapter 8 Administering Collection Settings Configuring Transport Protocols

Configuring Transport Protocols

You can set the protocol order for Configuration Management features such as Archive Management, Config Editor, and NetConfig jobs to download configurations and to fetch configurations. For NetShow and VLAN Fetch, you can set the protocol order to download configurations. This setup allows you to use your preferred protocol order for fetching and downloading the configuration. The available protocols are: • Telnet • TFTP (Trivial File Transport Protocol) • RCP (remote copy protocol) • SSH (Secure Shell) • SCP (Secure Copy Protocol) • HTTPS (Hyper Text Transfer Protocol Secured) This section also explains: • Requirements to Use the Supported Protocols • Defining the Protocol Order

Requirements to Use the Supported Protocols

If the following requirements are not met, an error message appears.

To use this Protocols You must... Telnet Know Telnet passwords for login and Enable modes for device. If device is configured for TACACS authentication, enter Primary Username and Primary Password. TFTP Know read and write community strings for device. RCP Configure devices to support incoming rcp requests. To make sure the device is rcp-enabled, enter the following commands in the device configuration: # ip rcmd rcp-enable # ip rcmd remote-host local_username {ip-address | host} remote_username [enable] where ip_address | host is the IP address/hostname of the machine where LMS is installed. The default re- mote_username and local_username are cwuser. For example, you can enter: # ip rcmd remote-host cwuser 123.45.678.90 cwuser enable Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS server. To do this, use the command, no ip rcmd domain-lookup for RCP to fetch the device configuration.

Administration of Cisco Prime LAN Management Solution 4.2 8-46 OL-25947-01 Chapter 8 Administering Collection Settings Configuring Transport Protocols

To use this Protocols You must... SSH Know the username and password for the device. If device is configured for TACACS authentication, enter the Primary Username and Primary Password. Know password for Enable modes. When you select the SSH protocol for the LMS applications (Configuration Archive, NetConfig, ConfigEditor, and NetShow) the underlying transport mechanism checks whether the device is running SSHv2. If so, it tries to connect to the device using SSHv2. If the device does not run SSHv2 and runs only SSHv1 then it connects to the device through SSHv1. If the device runs both SSHv2 and SSHv1, then it connects to the device using SSHv2. If a problem occurs while connecting to the device using SSHv2, then it does not fall back to SSHv1 for the device that is being accessed. Some useful URLs on configuring SSHv2 are: • Configuring Secure Shell on Routers and Switches Running Cisco IOS: http://www.cisco.com/warp/public/707/ssh.shtml • How to Configure SSH on Catalyst Switches Running Catalyst OS: http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml • Configuring the Secure Shell Daemon Protocol on CSS: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/c onfiguration/security/guide/sshd.html • Configuration Examples and TechNotes: – http://www.cisco.com/en/US/tech/tk583/tk617/tech_configuration_examples _list.html – http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-47 Chapter 8 Administering Collection Settings Configuring Transport Protocols

To use this Protocols You must... SCP Know the SSH username and password for the device. To make sure the device is scp-enabled, enter the following commands in the device configuration. To configure local User name: aaa new-model aaa authentication login default local aaa authentication enable default none aaa authorization exec default local

ip ssh authentication-retries 4 ip scp server enable User on the TACACS Server should be configured with privilege level 15: user = admin { default service = permit login = cleartext "system" service = exec { priv-lvl = 15 } }

HTTPS Know the username and password for the device. Enter the Primary Username and Password in the Device and Credential Repository. To enable the configuration archive to gather the configurations using https protocol you must modify your device configurations: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_installation_and_configura- tion_guides_list.html This is used for VPN 3000 device.

The configuration archive uses Telnet/SSH to gather the module configurations of Catalyst 5000 family devices and vlan.dat file in case of Catalyst IOS switches. Make sure you enter the correct Telnet and Enable passwords.

Administration of Cisco Prime LAN Management Solution 4.2 8-48 OL-25947-01 Chapter 8 Administering Collection Settings Configuring Transport Protocols

If you enabled TACACS for a device and configured custom TACACS login and passwords prompts, you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts recognizable, you must edit the TacacsPrompts.ini file. See the procedure given in the Handling Custom Telnet Prompts. For module configs, the passwords on the module must be same as the password on the supervisor. This section also explains Supported Protocols for Configuration Management Applications.

Supported Protocols for Configuration Management Applications

For supported protocol at individual device-level, you can either see: • The LMS device packages Online help. You can launch the LMS device packages Online help using Help > Device Packages. or • The Supported Protocols for Configuration Management table on Cisco.com: http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html

Defining the Protocol Order

The following is the workflow for defining the protocol order for Configuration Management applications to perform either Config fetch or Config update:

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Step 1 Select Admin > Collection Settings > Config > Config Transport Settings. The Config Transport Settings dialog box appears. Step 2 Go to the first drop-down list box, select the application for which you want to define the protocol order. Step 3 Select a protocol from the Available Protocols pane and click Add. If you want to remove a protocol, select the protocol and click Remove. The list of protocols that you have selected appears in the Selected Protocol Order pane. The order of protocols in the Selected Protocol Order pane can be changed using the Up and Down Buttons. When a configuration fetch or update operation fails, an error message appears. This message displays details about the supported protocol for the particular device and it modules, if there are any. For the list of supported protocols, see Supported Device Table for Configuration Management application on Cisco.com. Step 4 Click Apply. A message appears, New settings saved successfully. Step 5 Click OK.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-49 Chapter 8 Administering Collection Settings Overview: Common Syslog Collector

Overview: Common Syslog Collector

Common Syslog Collector (CSC) is a service to receive, filter and forward syslogs to one or more Syslog Servers, thus reducing traffic on the network as well as processing load on the server. The Common Syslog Collector can be installed on the LMS Server, or on a remote UNIX or Windows machine, to process Syslog messages. You can uninstall the Syslog Collector later if you no longer want to run it on a remote UNIX or Windows server. Common Syslog Collector is a service that runs independently, listens for syslogs and forwards them to the registered applications after necessary filtering. This way, the parsing/filtering is taken away from the applications and each device sends only one copy of the processed, valid syslogs to the Common Syslog Collector. Although CSC runs independently, it can run either remotely or locally on the machine where an application is running. The LMS server and the Syslog Collector exchange updates such as status, and filters. You can configure the service to read syslogs from a specified file. This can be provided in a properties file located at: On Solaris/Soft Appliance: NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/ Collector.properties On Windows: NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\ Collector.properties See the Installing and Migrating to Cisco Prime LAN Management Solution 4.2, for the complete details. In a scenario where the devices and the CSC may run in two different time zones, the syslogs will be marked with timestamp of the CSC if they do not have a timestamp when they are received, or if the format is not correct. The device considers day-light-saving settings appropriately while putting the timestamps. CSC supports all the time zones that LMS supports, and alternatively you can provide the time zone information. See the Installing and Migrating to Cisco Prime LAN Management Solution 4.2, for the complete details. After the Syslog Analyzer has been registered with the Collector, it: • Receives the filters it needs from the LMS server to filter Syslog messages. • Sends status to the Syslog Analyzer process about the collected Syslog messages upon request from the Analyzer, including the number of messages read, number of messages filtered, and number of messages with bad syntax. It also forwards unfiltered messages to the Syslog Analyzer process. If the Syslog Analyzer does not send any filters, then the Collector sends all the syslogs to the Analyzer without filtering. If you restart the LMS server, Syslog Collector will lose communication to the LMS server. Based on the current filters, it continues to filter the syslogs and stores them in a local file: NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\server name_port\DowntimeSyslogs.log The Syslog Analyzer will automatically restore the connection after LMS server restart. For the complete instructions on installing the Common Syslog Collector, see the Installing and Migrating to Cisco Prime LAN Management Solution 4.2.

Administration of Cisco Prime LAN Management Solution 4.2 8-50 OL-25947-01 Chapter 8 Administering Collection Settings Viewing Status and Subscribing to a Common Syslog Collector

Viewing Status and Subscribing to a Common Syslog Collector

Using the Syslog Collector Status dialog box you can: • View the status of your Common Syslog Collector (see Viewing Common Syslog Collector Status) • Subscribe/Unsubscribe a Common Syslog Collector (see Subscribing to a Common Syslog Collector) • Test Syslog Collector Subscription (see Testing Syslog Collector Subscription) • Understanding the Syslog Collector Properties File

Note View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Viewing Common Syslog Collector Status

To view the status of the Common Syslog Collector to which the Syslog Analyzer is subscribed to, follow this procedure: Select Admin > Collection Settings > Syslog > Syslog Collection Settings. The Collector Status dialog box appears, with this information:

Column Description Name Hostname or the IP address of the host on which the Collector is installed. Forwarded Number of forwarded Syslog messages Invalid Number of invalid Syslog messages. Filtered Number of filtered messages. Filters are defined with the option Message Filters option (Admin > Network > Notification and Action Settings > Syslog Message Filters, see Defining Syslog Message Filters.) Dropped Number of Syslog messages dropped. Received Number of Syslog messages received. Up Time Time duration for which the Syslog Collector has been up. Update Time Date and time of the last update. Time and time zone are those of the LMS Server. Test Click to test a Syslog collector that’s already subscribed or that’s going to be subscribed. Collector Subscription Subscribe Click to subscribe a Syslog collector. Unsubscribe Select the Syslog collector and click Unsubscribe to unsubscribe the Syslog collector.

If you want to refresh the information in this dialog box, click Update.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-51 Chapter 8 Administering Collection Settings Viewing Status and Subscribing to a Common Syslog Collector

If you have restarted the LMS daemon manager, the Syslog Collector Status processes (under Admin > Network > Syslog Collection Settings) may take 6-10 minutes to come up, after the Syslog Analyze processes come up. In this interval you may see the following message: Collector Status is currently not available. Check if the SyslogAnalyzer process is running normally.

Wait for the Syslog Collector status process to come up and try again. To subscribe to a Common Syslog Collector using the Subscribe button, see Subscribing to a Common Syslog Collector.

Subscribing to a Common Syslog Collector

Before you subscribe to a Common Syslog Collector, ensure these pre-requisites are met: Check whether: 1. The Self-signed Certificates are valid. For example, check for the expiry date of the certificates on both the servers. 2. The Self-signed Certificates from this server are copied to the Syslog Collector server and vice-versa. To do this, select Admin > Trust Management > Multi Server > Peer Server Certificate Setup. See Setting up Peer Server Certificate for more information. 3. The SyslogCollector process on Syslog Collector server and SyslogAnalyzer process on this server, are restarted after Step 2. 4. Both hosts are reachable by host name. To subscribe to a Common Syslog Collector:

Step 1 Select Admin > Collection Settings > Syslog > Syslog Collection Settings. The Collector Status dialog box appears. For the information in the columns in the dialog box, see Viewing Common Syslog Collector Status:

Step 2 Click Subscribe. The following message appears: Check if: Self-signed Certificates from this server are copied to the Syslog Collector server and vice-versa. You can perform this operation from Admin > System Administration > Multiserver Management > Peer Server Certificate Setup screen. 2. Syslog Collector process on SyslogCollector server and SyslogAnalyzer process on this server is restarted after step 1. 3. Both hosts are reachable by host name. 4. Certificates are valid. The Subscribe Collector dialog box appears. Step 3 Click OK. Enter the address of the Common Syslog Collector to which you want to subscribe to. Step 4 Click OK. The Syslog Analyzer server is subscribed to the specified Common Syslog Collector.

Administration of Cisco Prime LAN Management Solution 4.2 8-52 OL-25947-01 Chapter 8 Administering Collection Settings Viewing Status and Subscribing to a Common Syslog Collector

If you are already subscribed to a Syslog collector, and you want to unsubscribe, select the collector and click the Unsubscribe button. If you want to test the Syslog collector subscription, select the collector and click Test Collector Subscription. For more information see Testing Syslog Collector Subscription.

Testing Syslog Collector Subscription

You can test the status of the Syslog Collector that you have already subscribed or that you are going to subscribe using the Test Collector Subscription button. To test a Syslog collector:

Step 1 Select Admin > Collection Settings > Syslog > Syslog Collection Settings. Step 2 The Collector Status dialog box appears. For the information on the dialog box, see Viewing Common Syslog Collector Status. Step 3 Either: • Select a Syslog collector and click Test Collector Subscription. • Test Collector Subscription popup window appears with the Syslog collector address. Or • Click Test Collector Subscription. • Enter the Syslog collector in the Test Collector Subscription popup window. Step 4 Click OK. The Test Collector Subscription Status popup window appears, displaying the following status of the Syslog collector: • SSL certificate status—Status of the SSL Certificates. For example, SSL certificates are valid and are properly imported. For more information see Syslog Collector Subscription Messages. • Collector status—Status of the Syslog collector. For example, Collector is up and reachable. For more information see Syslog Collector Subscription Messages.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-53 Chapter 8 Administering Collection Settings Viewing Status and Subscribing to a Common Syslog Collector

Syslog Collector Subscription Messages The following table provides the Syslog collector subscription status messages shown when you test the subscription of a Syslog Collector:

Subscription Status Problem/Info Message SSL Certification When there is an SSL certificate issue occurred, check if: issue with SSL 1. The Self-signed Certificates are valid. For Certificate example, Check the certificate expiry date on the servers. 2. The Self-signed Certificates of this server are copied to the Syslog Collector server and vice-versa. To do this, go to Admin > System Administration > Multiserver Management > Peer Server Certificate Setup and add the certificate. See the Administration User Guide for LMS for more details. 3. The SyslogCollector process on Syslog Collector server and the SyslogAnalyzer process in the current working server are restarted after Step 2. 4. Both hosts are reachable by hostname. When the SSL SSL certificates are valid and properly imported. certificates are valid Collector When the Unknown host address. Check if the host is DNS hostname is not resolvable. DNS resolvable If the SyslogCollector process is down. Check if the SyslogCollector SyslogCollector process is running on the port <>. process is down If the Syslog Cannot check SSL connectivity because the Syslog Collector is down Collector is down. If the Syslog Syslog Collector < is up and Collector is reachable. reachable

Administration of Cisco Prime LAN Management Solution 4.2 8-54 OL-25947-01 Chapter 8 Administering Collection Settings Viewing Status and Subscribing to a Common Syslog Collector

Understanding the Syslog Collector Properties File

After installing the Syslog Collector on a remote system, you need to check the Syslog Collector Properties file to ensure that the Collector is configured properly. The Syslog Collector Properties file is available at this location: On Solaris/Soft Appliance: $NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Collector.pr operties On Windows: %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector. properties The following table describes the Syslog Collector Properties file:

Timezone-Related Properties Description TIMEZONE The timezone of the system where the Syslog Collector is running. Enter the correct abbreviation for the timezone. For example, the time zone for India is IST. For the correct Timezone abbreviation, see the Timezone file in the following location: On Solaris/Soft Appliance, /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/n m/LMSng/fcss/data/TimeZone.lst On Windows, %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\ nm\LMSng\fcss\data\TimeZone.lst See Timezone List Used By Syslog Collector. COUNTRY_CODE Country code for the Syslog Collector. We recommend that you set the country code variable with the appropriate country code, to make sure that the Syslog timestamp conversion works correctly. For example, if you are in Singapore, you must set the country code variable as COUNTRY=SGP.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-55 Chapter 8 Administering Collection Settings Viewing Status and Subscribing to a Common Syslog Collector

Timezone-Related Properties Description TIMEZONE_FILE The path of the Timezone file. This file contains the offsets for the time zones. After installing the Syslog Collector, ensure that the offset specified in this file is as expected. If it is not present or is incorrect, you can add the Timezone offset as per the convention. The default path is: On Solaris/Soft Appliance, opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/ cisco/nm/rmeng/fcss/data/TimeZone.lst On Windows, %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\ nm\rmeng\fcss\data\TimeZone.lst General Properties SYSLOG_FILES Filename and location of the file from which syslog messages are read. The default location is: On Solaris/Soft Appliance: /var/log/syslog_info On Windows: %NMSROOT%\log\syslog.log DEBUG_CATEGORY_NAME Name Syslog Collector uses for printed ERROR or DEBUG messages. The default category name is SyslogCollector. We recommend that you do not change the default value. DEBUG_FILE Filename and location of the Syslog Collector log file containing debug information: The default location is: On Solaris/Soft Appliance, /var/adm/CSCOpx/log/CollectorDebug.log On Windows, %NMSROOT%\log\CollectorDebug.log DEBUG_LEVEL Debug levels in which you run the Syslog Collector. We recommend that you retain the default INFO, which reports informational messages. Setting it to any other value might result in a large number of debug messages being reported. If you change the debug level, you must restart the Syslog Collector. The values for the Debug levels are: • Warning • Debug • Error • Info

Administration of Cisco Prime LAN Management Solution 4.2 8-56 OL-25947-01 Chapter 8 Administering Collection Settings Viewing Status and Subscribing to a Common Syslog Collector

Timezone-Related Properties Description DEBUG_MAX_FILE_SIZE Maximum size of the log file containing the debug information. The default is set to 5 MB. If the file size exceeds the limit that you have set, Syslog Collector writes to another file, based on the number of backup files that you have specified for the DEBUG_MAX_BACKUPS property. For example, if you have specified the number of backups as 2, besides the current log file, there will be two backup files, each 5MB in size. When the current file exceeds the 5 MB limit, Syslog Collector overwrites the oldest of the two backup files. DEBUG_MAX_BACKUPS The number of backup files that you require. The size of these will be the value that you have specified for the DEBUG_MAX_FILE_SIZE property. Miscellaneous Properties READ_INTERVAL_IN_SECS Interval at which the Collector polls the syslog file. The default is set to 1 second. QUEUE_CAPACITY Size of the internal buffer, for queuing syslog messages. The default is set to 100000 PARSER_FILE File that contains the list of parsers used while parsing syslog messages. The default path of the parser file: On Solaris/Soft Appliance, opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/ cisco/nm/LMSng/fcss/data/FormatParsers.lst On Windows, %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\ nm\rmeng\fcss\data\FormatParsers.lst SUBSCRIPTION_DATA_FILE Syslog Collector data file that contains the information about the Syslog Analyzers that are subscribed to the Collector. The default path of the data file: On Solaris/Soft Appliance, opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/ cisco/nm/rmeng/csc/data/Subscribers.dat On Windows, %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\ nm\rmeng\csc\data\Subscribers.dat FILTER_THREADS Number of threads that operate at a time for filtering syslog messages. The default is set to 1. COLLECTOR_PORT Default port of the Syslog Collector. The default is set to 4444. The port where the collector listens for registration requests from Syslog Analyzers.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 8-57 Chapter 8 Administering Collection Settings Viewing Status and Subscribing to a Common Syslog Collector

Timezone List Used By Syslog Collector

The timezone of the system where the Syslog Collector is running. In the Syslog Collector Properties file, you must enter the correct abbreviation for the timezone. See Understanding the Syslog Collector Properties File. For the correct Timezone abbreviation, see the Timezone file in the following location: $NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/TimeZone.l st Each entry in the TimeZone.lst file represents a timezone abbreviation, and its offset from GMT. Each offset here is 10 multiplied by the actual offset. For example, the actual offset for IST is 5.5 hours, and the corresponding entry here is 55. You must use the same method while modifying it. The following is the timezone list used by Syslog Collector:

Time Zone List Used by Syslog Collector ACT=95 ADT=30 AET=100 AEST=100 AGT=-30 AHST=-100 ART=20 AST=-90 AT=-20 BET=-30 BST=10 BT=30 CAT=10 CCT=80 CDT=-50 CEST=20 CET=10 CNT=-35 CST=-60 CTT=80 EADT=-110 EAST=100 EAT=30 ECT=10 EDT=-40 EET=20 EST=-50 FST=-20 FWT=10 GMT=0 GST=100 HDT=90 HST=-100 IDLE=120 IDLW=-120 IET=-50 IST=55 JST=90 MDT=-60 MEST=-20 MESZ=-20 MET=10 MEWT=10 MIT=-110 MST=-70 MYT=80 NET=40 NST=120 NT=-110 NZDT=130 NZST=120 NZT=120 PDT=-70 PLT=50 PNT=-70 PRT=-40 PST=-80 SST=110 SWT=10 UTC=0 VST=70 WADT=-80 WAST=70 WAT=-10 YDT=-80 YST=-90ZP4=40ZP5=50ZP6=50

Administration of Cisco Prime LAN Management Solution 4.2 8-58 OL-25947-01

CHAPTER 9

Monitoring and Troubleshooting Settings

Monitoring and Troubleshooting Settings in the Admin menu groups all the administrative tasks that you need to perform to monitor and troubleshoot your network using LMS. This section contains: • Configuring Fault Poller Settings For Topology • Loading MIB Files • Configuring RMON • Configuring Topology Settings

Configuring Fault Poller Settings For Topology

To display Fault Poller information in Topology Maps and N-Hop view portlet, you have to enable polling as follows:

Step 1 Select Admin > Network > Monitor / Troubleshoot > Fault Poller settings for topology. The Fault Monitor Poller Settings page appears. Step 2 Select the Poll Fault Monitor Server for alerts check box. If you try to apply the settings when Fault Monitor module is not installed on a local or remote server, you will get an error message indicating the same. If Fault Monitor module is enabled, the list of LMS servers detected is displayed above this check box.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 9-1 Chapter 9 Monitoring and Troubleshooting Settings Loading MIB Files

You can enable this option, only if: – Fault Monitor module is installed in the local LMS Server or on a remote LMS Server in the master slave mode. AND – LMS has detected the Fault Monitor server. If Fault Monitor module is installed after running Data Collection, either run Data Collection or restart ANI Server before enabling the above setting. Step 3 Set the time interval at which the polling should occur. Fault Monitor updates the latest event information every 6 minutes. So the time interval can be a value between six minutes and fifty nine minutes, fifty nine seconds. Step 4 Click Apply. The settings are saved to the server and polling starts within six minutes of the configuration. In addition to this, you can restrict the type of LMS event displayed in your machine. For example you can choose to display only critical events in Topology maps. The event information fetched from Fault Monitorserver can be launched from Topology Maps and N-Hop view portlet, by right clicking on the required device.

Loading MIB Files

You can load a new MIB file into LMS using the Load MIB option. The new MIB file is compiled and stored in LMS. You can use the new MIB file to create new templates by grouping MIB variables, to do this select Monitor > Performance Settings > Setup > Templates. For more information, see Creating a Template in Monitoring and Troubleshooting Online Help. You can load MIB files with the file extension .my. To load a MIB file:

Step 1 Select Admin > Network > Monitor / Troubleshoot > Load MIB. The Load MIB dialog box appears. Table 9-1 describes the field in the Load MIB dialog box.

Table 9-1 Load MIB Fields

Field Description MIB file Use the Browse button to load a MIB file from a directory location. For example, RFC1213-MIB.my You are allowed to load a MIB file only from the following directory path: • In Windows, $NMSROOT\hum\mibmanager\mibcompiler\mibs • In Solaris/Soft Appliance, $NMSROOT/hum/mibmanager/mibcompiler/mibs $NMSROOT is the default Cisco Prime LMS installation directory.

Administration of Cisco Prime LAN Management Solution 4.2 9-2 OL-25947-01 Chapter 9 Monitoring and Troubleshooting Settings Loading MIB Files

Step 2 Click Browse to select the MIB file from a directory location. The Server Side File Browser dialog box appears. Step 3 Double-click the MIB file from the directory location. Step 4 Click Apply to load the MIB file into LMS or Cancel to cancel the operation. You will be able to load and compile a new MIB file into LMS only when its dependent MIB files are available in the directory location. For example, To load and compile RFC1213-MIB, the dependent MIB files for RFC1213-MIB (RFC1155-SMI and RFC-1212) must also be available at the same directory location. If the dependent MIB files are not available, an appropriate error message is displayed and RFC1213-MIB does not compile. The dependent MIB files are case sensitive, the names of these dependent MIB files should be the same as the MIB files names present in the definition files. Load only version2 MIB. The following is the list of basic dependent MIBs that will be required for loading other MIBs in LMS: • RMON2-MIB.my • BRIDGE-MIB.my • RFC-1215.my • INET-ADDRESS-MIB.my • P-BRIDGE-MIB.my • Q-BRIDGE-MIB.my • CISCO-NETFLOW-MIB.my • CISCO-STACK-MIB.my • TOKEN-RING-RMON-MIB.my • RFC-1212.my • RMOM-MIB.my • RFC1155-SMI.my • RFC1213-MIB.my • SNMP-FRAMEWORK-MIB.my • CISCO-SMI.my • ENTITY-MIB.my • FDDI-SMT73-MIB.my • CISCO-VTP-MIB.my • SNMPv2-TC.my • SNMPv2-SMI.my • SNMPv2-MIB.my • SNMPv2-CONF.my • IF-MIB.my • IANAifType-MIB.my • EXPRESSION-MIB • CISCO-CLASS-BASED-QOS-MIB

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 9-3 Chapter 9 Monitoring and Troubleshooting Settings Loading MIB Files

• CISCO-VOICE-DIAL-CONTROL-MIB • CISCO-IPSEC-MIB • HOST-RESOURCES-MIB • CISCO-POP-MGMT-MIB • RMON-MIB • CISCO-PORT-QOS-MIB • DIAL-CONTROL-MIB • CISCO-DIAL-CONTROL-MIB • CISCO-VOICE-COMMON-DIAL-CONTROL-MIB • CISCO-VOICE-DNIS-MIB • PerfHist-TC-MIB • CISCO-QOS-PIB-MIB • INT-SERV-MIB • CISCO-ENERGYWISE-MIB • CISCO-FRAME-RELAY-MIB • CISCO-POWER-ETHERNET-EXT-MIB • CISCO-TC • CISCO-VTP-MIB • DS1-MIB • RFC1271-MIB To view the list of more dependent MIBs go to: http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2 The compiled MIB file appears in the Show MIB drop-down list in Select MIB Variables page.

Administration of Cisco Prime LAN Management Solution 4.2 9-4 OL-25947-01 Chapter 9 Monitoring and Troubleshooting Settings Configuring RMON

Configuring RMON

You can enable RMON to measure Bandwidth Utilization for Topology. Bandwidth Utilization is the measure of traffic flowing across a link. LMS highlights bandwidth utilization across links, in the Topology maps. It computes the bandwidth utilization by taking the best estimate of the mean physical layer network utilization on the links, during the sampling time interval. In Topology Map, LMS can differentiate the links using colors, based on the bandwidth utilized by them. You can customize the filters to display bandwidth utilization. For more details, see Customizing Bandwidth Utilization Filters in Monitoring and Troubleshooting Online Help. This section contains: • Modifying the Parameters • Enabling RMON on All Ports in Selected Devices • Enabling RMON on Selected Ports in Selected Devices • Disabling RMON

Note LMS computes bandwidth utilization only on ethernet links, and not on any other type of link.

To compute bandwidth utilization in Campus Manager , you must enable Remote Monitoring (RMON). Enabling RMON depends on two parameters.

Parameters to Compute Bandwidth Utilization Enabling RMON depends on the following parameters: • Bucket Size—Number of samples (incoming and outgoing packets) that will be examined for a given point of time. • Interval—Duration for which samples are to be collected. The default values for Bucket Size and Interval are 10 and 300 respectively. Though you cannot edit the values through the user interface of Campus Manager , you can reconfigure these values through command line interface. For more details see Modifying the Parameters. Campus Manager computes bandwidth utilization only for those devices that have the same parametric values as configured and displayed in the RMON Settings page. This application allows you to configure only the same parametric values on all link ports. This is to avoid conflicts in computation.

Enabling RMON on Ports LMS allows you to enable RMON on: • All Ports in selected devices. For details, see Enabling RMON on All Ports in Selected Devices • Selected Ports in selected devices, see Enabling RMON on Selected Ports in Selected Devices Campus Manager highlights links in the Topology Map even if the devices are managed by other applications such as HPOV, or CiscoView.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 9-5 Chapter 9 Monitoring and Troubleshooting Settings Configuring RMON

Modifying the Parameters

The default Bucket Size is 10 and the Interval is 300 seconds. Campus Manager does not compute bandwidth utilization for the links whose ports have different Interval values. You can configure new values for the parameters in the ANIServer.properties file. To reconfigure the values, you must restart the ANI server so that the file takes the new value. For computing bandwidth utilization, Campus Manager takes only the latest values in the ANIServer.properties file. You must reconfigure the link ports according to the values set in the properties file for Topology Map to highlight the links. You must reconfigure the parametric values before you enable RMON on ports.

Note You must configure the same value for Interval across the devices.

To reconfigure the values:

Step 1 Enter pdterm ANIServer at the command line to stop the ANI server. Step 2 Go to NMSROOT/campus/etc/cwsi/ANIServer.properties. Step 3 Modify the values of the properties, RMON.interval for Interval and RMON.bucketSize for the Bucket Size. The maximum value that you can enter for RMON.interval is 3600 seconds (One hour). Step 4 Enter pdexec ANIServer at the command line to start the ANI server.

After modifying the bucket size and interval, enable RMON in devices as explained in Enabling RMON on All Ports in Selected Devices or Enabling RMON on Selected Ports in Selected Devices. You can use RMON.percentageTolerance property in the ANIServer.properties file to provide a value for the Interval in a range. This is a hidden property that creates a range for the Interval value. The property adds a value to the current interval that forms the upper limit and subtracts a value from the current interval that forms the lower limit of the range. The default hidden value is 10 percent of the interval. For example, if the value provided in the ANIServer.properties file is 300, the range will be 270-330. Thus, the samples are collected for the range of 270 to 330 seconds. If you want to change this default value, you must:

Step 1 Stop the ANI server. Step 2 Enter pdterm ANIServer at the command line to stop the ANI server. Step 3 Go to NMSROOT/campus/etc/cwsi/ANIServer.properties. Step 4 Enter RMON.percentageTolerance=value. Step 5 Start the ANI server. Step 6 Enter pdexec ANIServer at the command line to start the ANI server.

Administration of Cisco Prime LAN Management Solution 4.2 9-6 OL-25947-01 Chapter 9 Monitoring and Troubleshooting Settings Configuring RMON

Enabling RMON on All Ports in Selected Devices

To enable RMON on all ports in selected devices:

Step 1 Select Admin > Network > Monitor / Troubleshoot > RMON Configuration. The Enable RMON dialog box appears. The Device Selector pane displays a list of all devices. Step 2 Select the check box corresponding to the devices for which you want to enable RMON. The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as 300. For a Bucket Size of 10, and interval of 300 seconds, LMS collects 10 samples of bandwidth utilization across links over a period of 50 minutes, with an interval of 5 minutes (300 seconds). To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters, repeat all the steps listed in this section, for enabling RMON with the new parameters. Step 3 Check the Configure on all links check box to configure all the ports of the selected devices in the Device Selector. Step 4 Click Configure to enable RMON on all the ports in the selected devices. The following command is configured on the selected ports: rmon collection history integer owner ownername buckets bucket-number interval seconds Example: rmon collection history 4 owner campusmanager buckets 10 interval 300

Enabling RMON on Selected Ports in Selected Devices

To enable RMON on selected ports in selected devices:

Step 1 Select Admin > Network > Monitor / Troubleshoot > RMON Configuration. The Enable RMON dialog box appears. The Device Selector pane displays the list of devices. Step 2 Select the check box corresponding to the devices for which you want to enable RMON. The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as 300. For a Bucket Size of 10, and interval of 300 seconds, Campus Manager collects 10 samples of bandwidth utilization across links over a period of 50 minutes, with an interval of 300 seconds (5 minutes). To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters, repeat all the steps listed in this section, for enabling RMON with the new parameters. Step 3 Uncheck the Configure on all Links check box since it is checked by default. Step 4 Click Select links to select the ports for which you want to enable RMON. It displays the list of ports in the selected devices. For details on the list displayed, see Table 9-2. The Select Links check box is enabled only when you uncheck the Configure on all links check box.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 9-7 Chapter 9 Monitoring and Troubleshooting Settings Configuring Topology Settings

Table 9-2 Select Links for RMON Configuration Column Description

Column Description Port Name of the port. Device Name Name of the device where the port is connected. Device Address The IP address of the device. isLink True is displayed for link ports and False for a non-link port.

Step 5 Select check boxes corresponding to the ports for which you want to enable RMON. Step 6 Click Configure to enable RMON on the selected ports. The following command is configured on the selected ports: rmon collection history integer owner ownername buckets bucket-number interval seconds Example: rmon collection history 4 owner campusmanager buckets 10 interval 300

Disabling RMON

After you have enabled RMON on a device through LMS, you can disable it using Command Line Interface (CLI) only.

Commands to Disable RMON For a device running Cisco IOS, enter the following command at the CLI prompt: no rmon

For a device running Catalyst operating system, enter the following command at the CLI prompt set snmp rmon disable

Configuring Topology Settings

You can configure the following Topology Settings: • Restrict Topology Maps to display only authorized devices. For details, see Viewing Restricted Topology. • Configure LMS to fetch event information from Fault Monitor, and display it in Topology Maps. For details, see Configuring Fault Poller Settings For Topology.

Administration of Cisco Prime LAN Management Solution 4.2 9-8 OL-25947-01 Chapter 9 Monitoring and Troubleshooting Settings Configuring Topology Settings

Viewing Restricted Topology

Topology Maps display all the devices discovered by LMS. To view the Restricted Topology:

Step 1 Select Admin > Network > Monitor / Troubleshoot > Restricted Topology View. The configuration screen is displayed. Step 2 Select Display Only the Authorized devices in Topology Maps. Step 3 Click Apply. Topology Maps display only the devices you are authorized to view. If Topology Services is already launched, close it and relaunch for the change to take effect.

Important Notes If you change the management IP address of an authorized device: • It becomes an unauthorized device. • The device is not shown in Topology maps in the consecutive relaunches. • When the changed IP address is given as root in N-hop view portlet, it results in an error.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 9-9 Chapter 9 Monitoring and Troubleshooting Settings Configuring Topology Settings

Administration of Cisco Prime LAN Management Solution 4.2 9-10 OL-25947-01

CHAPTER 10

Notification and Action Settings

The Notification and Action Settings groups all the administrative tasks involved in setting up notification, syslog settings. You can also customize the names and event severity, create and activate a notification subscriptions, and setup up automated actions for Change Audit tasks and syslogs. This section contains: • Understanding Notifications and Subscriptions • Customizing LMS Events • Configuring Event Sets and Notification Groups for Subscriptions • Managing Fault SNMP Trap Notifications • Managing Fault E-Mail Configurations • Managing Fault Syslog Notifications • Configuring Fault SNMP Trap Receiving and Forwarding • Performance SNMP Trap Notification Groups • Performance Syslog Notification Groups • Defining Automated Actions • Defining Syslog Message Filters • Inventory and Config Collection Failure Notification • IPSLA Syslog Configuration

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-1 Chapter 10 Notification and Action Settings Understanding Notifications and Subscriptions

Understanding Notifications and Subscriptions

To use Notification Services, you must create and activate a notification subscription. The subscription requires a Notification group component. This component specifies the notification criteria (the devices to monitor, how severe an event must be to be reported, and so forth). Optionally the notification group can also contain an Event set listing the events you want to monitor; this is useful when you do not want to monitor all events that occur on a device. Notification groups can be static or dynamic. The Fault Management module in LMS 4. 0 can be set up to have either static notification groups or dynamic notification groups. • If you work with static groups, no further devices can be added to those groups. • If you set up dynamic groups, then any device that fits the criteria for the groups will be added to those groups. After you have configured your subscription, you can name it according to your needs. Regardless of whether you configure SNMP Trap, E-Mail, or Syslog notifications, you must always create a subscription containing a notification group. The final step in configuring your notification subscription is specifying the notification recipients.

Note If a subscription is monitoring all events on a device (by not using an event set), and another subscription is monitoring only specific events on a device, you will receive duplicate notifications.

Notification Services tracks events on device types, not on device components. For details on Notifications and Subscriptions, see the following topics: • Creating a Notification Subscription • Notification Types • Notification Replay • Subscriptions • Events

Creating a Notification Subscription To create a notification subscription, perform the following steps: 1. If you want to monitor a specific set of events, create an event set that contains the events you want to monitor. Otherwise, all events will be monitored. 2. Create a notification group that specifies the criteria the Fault Management module should use when generating notifications: • One or more event sets (if no event set is specified, all events are monitored) • Devices, event severity and status You can specify the notification group name, along with entering identifying information (using the Customer ID and Customer Revision fields).

Administration of Cisco Prime LAN Management Solution 4.2 10-2 OL-25947-01 Chapter 10 Notification and Action Settings Understanding Notifications and Subscriptions

3. Create a subscription by doing the following: a. Select the notification type (SNMP Trap, E-Mail, or Syslog). b. Name the subscription and apply a notification group to it. c. Specify the recipients (hostname, e-mail address). d. Save the subscription. It will automatically start running. 4. Customize the subject of the e-mail by doing the following: a. Select the subject from the available list b. Add to the selected list c. Arrange the order of the subjects d. Save the customization of the e-mail subject

Notification Types The Fault Management module in LMS 4.2 provides three types of notifications: • SNMP Trap Notification—Fault Management module generates traps with information about the events that caused it. CISCO-EPM-NOTIFICATION-MIB defines the trap message format. For more information, see Notification MIB in Monitoring and Troubleshooting Online Help. LMS can also generate SNMP trap notifications for specified events. Using SNMP trap notification is different from forwarding raw traps to another server before they have been processed by LMS. • E-mail Notification—LMS generates e-mail messages containing information about the events that caused it. CISCO-EPM-NOTIFICATION-MIB defines the message, which is included in the e-mail in text format. You can specify that you want the e-mail to only contain an informational subject line or can customize the e-mail subject. For information on the customizing the e-mail subject, see Managing Fault E-Mail Subject Customization. • Syslog Notification—LMS generates Syslog messages that can be forwarded to Syslog daemons on remote systems. All notifications have a default maximum message size of 250 characters. You can reset this variable to any value between 250 and 1024 characters by editing the notification properties file. To do this:

Procedure

Step 1 Open the configuration file NMSROOT/objects/nos/config/nos.properties. Step 2 Locate the following lines and change the value to any value up to 1024 characters: MAX_TRAP_DES=250 MAX_EMAIL_DES=250 MAX_SYSLOG_DES=250

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-3 Chapter 10 Notification and Action Settings Understanding Notifications and Subscriptions

Step 3 Stop and restart the Cisco Prime daemon manager on the LMS server. a. Stop the daemon manager: On Windows: net stop crmdmgmt

On Solaris/Soft Appliance: /etc/init.d/dmgtd stop

b. Restart the daemon manager: On Windows: net start crmdmgmt

On Solaris/Soft Appliance: /etc/init.d/dmgtd stop

Notification Replay You can configure LMS to replay notifications in the event that LMS has to be restarted. Edit the file /opt/CSCOpx/objects/nos/config/nos.properties as follows: To do this, set the value SEND_NOTIF_ON_START=1 to enable this feature. When the value is set to the default value (0), the notifications will not be replayed.

Subscriptions LMS sends notifications based on user-defined subscriptions. You can create up to 32 notification subscriptions. A subscription for SNMP trap notification or e-mail notification includes the following common elements, as determined by the CISCO-EPM-NOTIFICATION-MIB: • Devices—The devices or device groups of importance to the recipients. • Event severity and status—One or more event severity levels and status. You can also customize the names of the events used by Notification Services, and Fault History. See Customizing LMS Events. • Recipients—One or more hosts to receive SNMP traps or users to receive e-mail. For Syslog notifications, the recipient would be the remote host containing a Syslog daemon configured to listen for Syslog messages. • Name—A user-defined name to identify the subscription. Subscriptions are based on user-configured event sets and notification groups. See Configuring Event Sets and Notification Groups for Subscriptions for more information.

Events LMS sends notifications whenever an event occurs that matches a subscription. For each event, LMS compares the device, severity, and state against subscriptions and sends a notification when there is a match. Matches can be determined by user-configured event sets and notification groups. The procedure for configuring notification groups is described in Configuring Event Sets and Notification Groups for Subscriptions.

Administration of Cisco Prime LAN Management Solution 4.2 10-4 OL-25947-01 Chapter 10 Notification and Action Settings Customizing LMS Events

LMS assigns one severity to each event and changes the state of an event over time, responding to user input and changes on the device. Table 10-1 lists values for severity and explains how the state of an event changes over time.

Note You can change event names to names that are more meaningful to you. See Customizing LMS Events.

Table 10-1 Event Severity and Status

LMS categorizes events by severity and status… Severity Critical Informational Status • Active—The event is live. • ACK—A user has manually acknowledged the event. A user can acknowledge only active events. • Cleared—The event is no longer active. • Events that have been cleared either expire or, if associated with a suspended device, remain in LMS until a user resumes or deletes the device.

Customizing LMS Events

Notification Services allows you to customize the names and event severity in LMS. • Customizing Names: When you customize an event name, that name is reflected in all notifications, and in Fault History. The new event name is used for all instances of an event, regardless of the component on which the event occurs. You can easily revert to the default event names as needed. The Notification Customization page also lists the new name and default name, so you can easily check which names have been changed. • Customizing Event Severity: The event severity can be customized using the New Event Severity feature. You can select Critical or Warning or Informational from the drop-down list. To customize names and event severity:

Step 1 Select Admin > Network > Notification and Action Settings > Fault Notification Customization. The Notification Customization page appears. Step 2 Select the event names you want to customize by clicking the check box beside each event name. Step 3 Enter your new names in the New Event Description fields. Step 4 Select the event severity from the New Event Severity drop-down list. You can select Critical or Informational. Step 5 Enter any notes for information in the Troubleshooting Information field. Step 6 Click Save to save your changes locally. Step 7 Click Apply for the saved settings to take effect. The confirmation window appears.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-5 Chapter 10 Notification and Action Settings Configuring Event Sets and Notification Groups for Subscriptions

Step 8 Click Yes. The changes are applied to LMS. To revert to default event names: a. From the Notification Customization page, select the events you want to restore to their default names, and click Restore factory settings. b. Apply your changes by clicking Yes when the confirmation window appears.

Configuring Event Sets and Notification Groups for Subscriptions

Before you can create an SNMP trap or an e-mail or Syslog notification subscription, you must create a notification group. Creating event sets is optional. • Event sets list the events you want monitored for notifications • Notification groups contain the criteria that LMS should use when generating a notification: – One or more event sets, or all events – Devices – Event status and severity – Fields for user-specified additional information you want to include with the subscription Creating event sets and notification groups are described in the following topics: • Configuring Event Sets • Configuring Fault Notification Groups

Configuring Event Sets

Event sets are groups of the events you want to monitor. You can create up to nine event sets, labeled A through I. After you have created an event set, you can apply as many of them as you want to a notification group, thereby tracking the specific events in which you are interested. If you do not specify an event set, LMS will monitor all events for notifications.

Administration of Cisco Prime LAN Management Solution 4.2 10-6 OL-25947-01 Chapter 10 Notification and Action Settings Configuring Event Sets and Notification Groups for Subscriptions

To configure event sets:

Step 1 Select Admin > Network > Notification and Action Settings > Event Sets: The Event Sets page appears. The page contains the following information:

Field Description Select/Unselect All for Event Set Select an Event Set from the drop-down list. Event Code Notification Services code for the event. This number cannot be changed and is used to map default names to customized names. Description Event description (user-defined or default). Severity Event severity. A - I Event set label. If an X appears in this column, the corresponding event belongs to that event set.

Step 2 For each event set you want to configure, select events by doing either of the following: • Select specific events by clicking the editable field under the label, and selecting X. • Select or deselect all events for an event set using the Select or the Deselect button. Step 3 Click Apply. If you want to create a notification subscription, first create a notification group that uses your event set. See Configuring Fault Notification Groups.

Configuring Fault Notification Groups

When you set up a subscription, LMS lets you choose from existing notification groups. You can then configure an SNMP trap or an e-mail or Syslog notification to use a specific notification group. The notification groups contains the following information: • One or more event sets, if desired (otherwise, the notification group will contain all events) • Devices • Event status and severity • Fields for user-specified additional information you want to include with the subscription • Whether the group is static or dynamic You can configure a maximum of 64 notification groups. Notification Services will not refilter the devices if there is a change in the device list you may access. This section contains: Setting Up a Fault Notification Group as Static or Dynamic

Note You cannot delete a notification group that is being used by a running subscription.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-7 Chapter 10 Notification and Action Settings Configuring Event Sets and Notification Groups for Subscriptions

To configure Fault Notification groups:

Step 1 Select Admin > Network > Notification and Action Settings > Fault Notification Group. Step 2 Click Add to create a notification group. The Notification Group Save: Add page appears. (If you want to edit or delete a notification group, click the appropriate button and follow the instructions.) Step 3 Specify the devices, event sets (if desired), and event severity and status. Click Next. If a subscription is monitoring all events on a device (by not using an event set), and another subscription is monitoring only specific events on a device, you will receive duplicate notifications. With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To assist you in locating devices, use the search option in the mega menu. Step 4 Specify the notification group name, and enter any desired identifying information in the Customer ID and Customer Revision fields. • For e-mail and Syslog notifications, if you leave these fields blank, they are left blank in the notification. • For SNMP trap notifications, if you leave these fields blank, they are displayed as followed in any notifications: Customer ID: -

Customer Revision: *

Step 5 Click Next. Step 6 Create the notification group by clicking Finish. Step 7 To create a notification subscription, follow the instructions in one of these topics: • Adding an SNMP Trap Notification Subscription • Adding and Editing an E-Mail Notification Subscription • Adding a Syslog Notification Subscription

Setting Up a Fault Notification Group as Static or Dynamic

Fault Notification groups in LMS can be static or dynamic. If you set up LMS to include static groups, mappings between the list of the devices and the notification events for those devices are generated. You cannot add devices to or delete devices from a static group. If you set up LMS to have dynamic groups, then any device that fits the criteria for a group will be added to that group. You can also delete devices from a dynamic group. When a device is added to a group, all similar devices are also added. For example, if you have ten routers in the network and create a dynamic group that contains five of these routers, when you add an eleventh router, that router is added to the group along with the other five routers. The group would then contain all eleven routers.

Note Notification groups can be static or dynamic; you cannot have a mix of group types.

Administration of Cisco Prime LAN Management Solution 4.2 10-8 OL-25947-01 Chapter 10 Notification and Action Settings Managing Fault SNMP Trap Notifications

To set up LMS to include dynamic groups, edit the file /opt/CSCOpx/objects/nos/config/nos.properties and set the following value: DYNAMIC_NOTIF_GROUPS=1 For additional information, see the following topics: • Customizing LMS Events • Configuring Event Sets

Managing Fault SNMP Trap Notifications

The SNMP Trap Notifications page displays the following information: • Subscription—The name of the user-defined request for notification. • Status—The subscription status; can be either of the following: – Running—LMS is using the subscription while monitoring events to determine when to send a notification. – Suspended—LMS will not use the subscription unless you resume it. • Notification Group—The name of notification group that is applied to the subscription. You are completely in control of subscriptions. LMS does not delete subscriptions under any circumstances. From the SNMP Trap Notifications page, you can perform the tasks listed in Table 10-2.

Table 10-2 SNMP Trap Notification Subscriptions

Task Sample Usage Reference Add • Add a subscription that will send SNMP trap notification Adding an SNMP Trap for one device with an event of any severity (critical or Notification Subscription informational) and any status (active, acknowledged, or cleared). Edit • View the notification group and hosts that comprise the Editing an SNMP Trap subscription. Notification Subscription • Change the trap recipients/notification groups that comprise the subscription. Suspend • Temporarily stop sending SNMP trap notifications to a Suspending an SNMP host. Trap Notification Subscription • Temporarily stop sending SNMP trap notifications about a device group. Resume • Start sending SNMP trap notifications to a host again. Resuming an SNMP Trap Notification Subscription • Start sending SNMP trap notifications about a device group using a previously suspended subscription. Delete • Remove SNMP trap notification subscriptions that are no Deleting an SNMP Trap longer useful. Notification Subscription • Remove redundant SNMP trap notification subscriptions.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-9 Chapter 10 Notification and Action Settings Managing Fault SNMP Trap Notifications

Adding an SNMP Trap Notification Subscription

After you add a subscription for SNMP trap notification, generated SNMP traps are forwarded to the hosts you specify until you change, suspend, or delete the subscription.

Note Adding a subscription is a multi-step process. Your changes are not saved until you click the Finish button on the final page.

Before You Begin You must create a notification group before you can create an SNMP trap notification subscription. Refer to Configuring Fault Notification Groups. To add an SNMP trap notification subscription:

Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. The SNMP Trap Notification Subscriptions page appears. Step 2 Click Add. Step 3 Complete the Trap Subscription Save: Add window: a. Enter a subscription name. b. Select a notification group. If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate the Recipients from Upgrade check box. (This choice is only available for systems that have been upgraded from earlier versions of LMS.) c. Click Next. Step 4 Enter one or more hosts as recipients for traps: a. For each host, enter: • An IP address or DNS name for the hostname. Restart the NOSServer to pick up the change in the host name when host name is used for the trap server and there is a change in that host name. • A port number on which the host can receive traps. If the port number is unspecified (empty), the port defaults to 162. (You can verify this in Step 5.) • A comment. (This is optional). b. Click Next. Step 5 Review the information that you entered and click Finish. The SNMP Trap Notifications page is displayed, showing the new subscription.

Note No information is saved until you complete Step 5.

Administration of Cisco Prime LAN Management Solution 4.2 10-10 OL-25947-01 Chapter 10 Notification and Action Settings Managing Fault SNMP Trap Notifications

Editing an SNMP Trap Notification Subscription

You can edit an SNMP trap notification subscription regardless of its status (Running or Suspended). After you edit an SNMP trap notification subscription, if the subscription status is Running, traps are forwarded as specified until you edit, suspend, or delete the subscription. Editing a suspended subscription automatically resumes it.

Note Editing a subscription is a multi-step process. Your changes are not saved until you click the Finish button on the final page.

Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. The SNMP Trap Notification Subscriptions page appears. Step 2 Select the subscription you want to edit by clicking the radio button beside it. Step 3 Click Edit. No information is saved until you complete Step 5. Step 4 Edit the Trap Subscription Save: Edit window: a. Change the subscription name. b. Select another notification group. If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate the Recipients from Upgrade check box. (This choice is only available for systems that have been upgraded from earlier versions of LMS.) c. Click Next. Step 5 Add or delete a recipient host or change the port number for a host: a. To add one or more recipients, for each host, enter: • An IP address or DNS name for the hostname. • A port number on which the host can receive traps. If the port number is unspecified (empty), the port defaults to 162. (You can verify this in Step 6.) • A comment. This is optional. b. To delete a recipient, delete the hostname, port number, and comment, if any. c. Click Next. Step 6 Review the information that you entered and click the Finish. The SNMP Trap Notifications page is displayed.

Suspending an SNMP Trap Notification Subscription

After you suspend an SNMP trap notification subscription, LMS stops using the subscription to select and forward traps. The subscription status changes to Suspended. To do this:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-11 Chapter 10 Notification and Action Settings Managing Fault SNMP Trap Notifications

Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. The SNMP Trap Notification Subscriptions page appears. Step 2 Select the subscription you want to suspend by clicking the radio button beside it. Step 3 Click Suspend. Step 4 Click OK in the confirmation dialog box. The SNMP Trap Notification Subscriptions page is displayed. The subscription status is Suspended.

Resuming an SNMP Trap Notification Subscription

You can resume an SNMP trap notification subscription only when the subscription status is Suspended. After you resume a subscription, LMS starts using it to identify events for which to forward traps. The subscription status changes to Running. To do this:

Deleting an SNMP Trap Notification Subscription

You can delete an SNMP trap notification subscription regardless of the subscription status. Deleting a subscription removes it permanently from LMS.

Note You can also suspend a subscription. Suspending a subscription causes the subscription to not be used until a user resumes it.

To delete an SNMP trap notification subscription:

Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification. Step 2 Select the subscription you want to delete by clicking the radio button beside it. Step 3 Click Delete. Step 4 Click OK in the confirmation dialog box. The SNMP Trap Subscriptions page appears. The subscription is no longer displayed.

Administration of Cisco Prime LAN Management Solution 4.2 10-12 OL-25947-01 Chapter 10 Notification and Action Settings Managing Fault E-Mail Configurations

Managing Fault E-Mail Configurations

This section contains the following topics: • Managing Fault E-Mail Notification Subscriptions • Managing Fault E-Mail Subject Customization You can use the E-Mail Configuration page to configure E-mail notification subscription and to customize the E-mail subject. The E-Mail Configuration page displays the following information: • E-Mail Notification: Forwards events as e-mail to specified e-mail recipients. Forwarded traps are based on Notification Groups. • E-Mail Subject Customization: Customizes the e-mail subject for forwarded events.

Note You may not be able to use some of these functions if you do not have the required privileges.

Managing Fault E-Mail Notification Subscriptions

The E-Mail Notification Subscription page displays the following information: • Subscription—The name of the user-defined request for notification. • Status—The subscription status; can be either of the following: – Running—LMS is using the subscription while monitoring events to determine when to send a notification. – Suspended—LMS will not use the subscription unless you resume it. • Notification Group—The name of notification group that is applied to the subscription. You are completely in control of subscriptions. LMS does not delete subscriptions under any circumstances. From the E-Mail Notifications page, you can perform the tasks listed in Table 10-3.

Table 10-3 E-Mail Notification Subscriptions

Task Sample Usage Add Add a subscription that will send e-mail notification to a user for one device with an event of any severity (critical or informational) and any status (active, acknowledged, or cleared). See Adding and Editing an E-Mail Notification Subscription for more information. Edit • View the notification group and e-mail recipients that comprise the subscription. • Change the e-mail recipients/notification group that comprise the subscription. Suspend • Temporarily stop sending e-mail notifications to a user. • Temporarily stop sending e-mail notifications about a device group.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-13 Chapter 10 Notification and Action Settings Managing Fault E-Mail Configurations

Table 10-3 E-Mail Notification Subscriptions (continued)

Task Sample Usage Resume • Start sending e-mail notifications to a user again. • Start sending e-mail notifications about a device group using a previously suspended subscription. Delete • Remove e-mail notification subscriptions that are no longer useful. • Remove redundant e-mail notification subscriptions.

Adding and Editing an E-Mail Notification Subscription

After you add or edit a subscription for e-mail notification, LMS sends e-mail to the users you specify whenever an event occurs that matches the subscription.

Note Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button on the final page.

Before You Begin You must create a notification group before you can create an E-Mail Notification subscription. Refer to Configuring Fault Notification Groups. To add or edit a subscription for e-mail notification:

Step 1 Select Admin > Network > Notification and Action Settings > Fault - Email notification. The E-Mail Notification Subscriptions page appears. Step 2 You can do one of the following: • Click Add. • Click Edit. You can edit an e-mail notification subscription regardless of its status (Running or Suspended). After you edit an e-mail notification subscription, if the subscription status is Running, e-mail is forwarded as specified until you change, suspend, or delete the subscription. Editing a suspended subscription automatically resumes it. • Click Delete. Click OK in the confirmation dialog box. The E-Mail Subscriptions page appears. The subscription is no longer displayed. • Select the subscription you want to suspend by clicking the radio button beside it and click Suspend. Click OK in the confirmation dialog box. The E-Mail Notification Subscriptions page is displayed. The subscription status is Suspended. After you suspend an e-mail notification subscription, LMS stops using the subscription to send e-mail notification. • Select the subscription you want to resume by clicking the radio button beside it and click Resume. Click OK in the confirmation dialog box.

Administration of Cisco Prime LAN Management Solution 4.2 10-14 OL-25947-01 Chapter 10 Notification and Action Settings Managing Fault E-Mail Configurations

The E-Mail Notification Subscriptions page is displayed. The subscription status is Running. After you resume an e-mail notification subscription, LMS starts using the subscription to determine when e-mail notification should be sent in response to an event. Step 3 When you add or edit a subscription for e-mail notification, a page appears with the following fields:

Field Description Subscription Name Enter a subscription names. Notification Group Select a notification group. If you are upgrading LMS and want to use the e-mail recipients from an earlier configuration, activate the Recipients from Upgrade check box. (This choice is only available for systems that have been upgraded from earlier versions of LMS.)

Step 4 Click Next. Step 5 Enter the following e-mail information:

Field Description SMTP Server The name of the default Simple Mail Transfer Protocol (SMTP) server may already be displayed. The server is specified using Admin > System > SMTP Default Server. You may also enter a fully qualified DNS name or IP address for an SMTP server. To select from any non-default SMTP servers in use by existing subscriptions, click the SMTP Servers button. Sender Address Enter the e-mail address that notifications should be sent from. If the sender’s e-mail service is hosted on the SMTP server specified, you need enter only the username. You do not need to enter the domain name. Recipient Addresses Enter one or more e-mail addresses that notifications should be sent to, separating multiple addresses with either a comma or a semicolon. If a recipient’s e-mail service is hosted on the SMTP server specified, you need to enter only the username. You do not need to enter the domain name. Headers Only (check box) By default, e-mail notification supplies a fully detailed e-mail message. To omit the message body and send only a subject line, select the Headers Only check box.

Step 6 Click the Next button located at the bottom of the page. Step 7 Review the information that you entered and click Finish. The E-Mail Notification Subscriptions page is displayed, showing the new subscription.

Note No information is saved until you complete Step 7.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-15 Chapter 10 Notification and Action Settings Managing Fault E-Mail Configurations

Managing Fault E-Mail Subject Customization

You can use the E-Mail Subject Customization page to customize the e-mail subject for forwarded events. You need to select the subject attributes and the order in which they are to be displayed. When you apply and save the selections, the e-mails are sent in the customized order. The E-Mail Subject Customization page displays the following information: • Available Subjects for E-mail: The additional subjects that are fetched from the LMS database. You can use these subjects along with the default available subjects while sending e-mail notifications. By default, following list of e-mail subject attributes are displayed in the Available Subjects for E-Mail box: – ifAlias – sysLocation – sysContact – user_defined_field_0 – user_defined_field_1 – user_defined_field_2 – user_defined_field_3 When you import devices from DCR, the subject information gets updated into LMS database and they are displayed as available subjects for e-mails. • Selected Subjects for E-mail: The selected subjects including the default ones in the selected order displayed by the side of the available subjects. To customize the e-mail subject:

Step 1 Select Admin > Network > Notification and Action Settings > Fault - Email subject customization. The available and selected lists of the subject attributes for e-mail are displayed. To customize the e-mail subject, you can add and remove subjects from the current e-mail subjects list. By default, following list of e-mail subject attributes are displayed in the Selected Subjects for E-Mail box. • Event ID • Device Name • Time • Severity • Event Name • Status To add a subject: a. Select the subject attribute from Available Subjects for E-Mail. b. Click Add. The selected subject attribute is added to the Selected Subjects for E-Mail list. You can add a subject attribute only from the Available Subjects list to the Selected Subjects list. You cannot add a subject attribute from the Selected subject list to the Available Subject list.

Administration of Cisco Prime LAN Management Solution 4.2 10-16 OL-25947-01 Chapter 10 Notification and Action Settings Managing Fault Syslog Notifications

To remove a subject attribute: a. Select the subject attribute from Selected Subjects for E-Mail. b. Click Remove. The selected subject attribute is removed from the Selected list and added to the Available subjects for E-Mail list. You can remove a subject attribute only from the Selected Subjects list and not from the Available Subjects list. Step 2 Click Up or Down to rearrange the order of the selected e-mail subject attributes. Step 3 Click Apply to save the customized e-mail subject attributes.

Managing Fault Syslog Notifications

The Syslog Notifications page displays the following information: • Subscription—The name of the user-defined request for notification. • Notification Group—The name of notification group that is applied to the subscription. • Status—The subscription status; can be either of the following: – Running—Fault Management module is using the subscription while monitoring events to determine when to send a notification. – Suspended—Fault Management module will not use the subscription unless you resume it. You are completely in control of subscriptions. Fault Management module does not change or delete subscriptions under any circumstances. From the Syslog Notifications page, you can perform the tasks listed in Table 10-4.

Table 10-4 Syslog Notification Subscriptions

Task Sample Usage Reference Add • Add a subscription that will send a Syslog notification to Adding a Syslog a remote machine for one device with an event of any Notification Subscription severity (critical or informational) and any status (active, acknowledged, or cleared). Edit • View the notification group and Syslog recipient that Editing a Syslog comprise the subscription. Notification Subscription • Change the Syslog recipients/notification group that comprise the subscription. Suspend • Temporarily stop sending Syslog notifications to a Suspending a Syslog remote host. Notification Subscription • Temporarily stop sending Syslog notifications about a device group.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-17 Chapter 10 Notification and Action Settings Managing Fault Syslog Notifications

Table 10-4 Syslog Notification Subscriptions (continued)

Task Sample Usage Reference Resume • Start sending Syslog notifications to a remote host again. Resuming a Syslog Notification Subscription • Start sending Syslog notifications about a device group using a previously suspended subscription. Delete • Remove Syslog notification subscriptions that are no Deleting a Syslog longer useful. Notification Subscription • Remove redundant Syslog notification subscriptions.

Adding a Syslog Notification Subscription

After you add a subscription for Syslog notification, LMS sends a Syslog message to the specified remote hosts whenever an event occurs that matches the subscription.

Note Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button on the final page.

Before You Begin • You must create a notification group before you can create a Syslog Notification subscription. Refer to Configuring Fault Notification Groups. • A remote machine’s Syslog daemon must be configured to listen on a specified port, and you must enter this information in Step 3 of the following procedure. LMS uses the default port 514.

Step 1 Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. The Syslog Notification Subscriptions page appears. Step 2 Click Add. a. Enter a subscription name. b. Select a notification group. c. Select a facility from the drop-down list (the default is Local Use 0). The Facility field and the event severity are used for the PRI portion of the Syslog message, as follows: [Facility*8][Severity] Event severity values are as follows: • Critical = 2 • Information = 6 You can enter location information (up to 29 characters). This information will be populated in the Syslog message. This is optional. d. Click Next. Step 3 Enter one or more hosts as recipients for Syslog notifications. a. For each host, enter: • An IP address or DNS name for the hostname.

Administration of Cisco Prime LAN Management Solution 4.2 10-18 OL-25947-01 Chapter 10 Notification and Action Settings Managing Fault Syslog Notifications

• A port number on which the Syslog daemon is listening. If the port number is unspecified (empty), the port defaults to 514. (You can verify this in Step 5.) • A comment. This is optional. b. Click Next. Step 4 Enter the name of the subscription in the Save As field and click Next. Step 5 Review the information that you entered and click Finish. The Syslog Notification Subscriptions page is displayed with the new subscription.

Note No information is saved until you complete Step 5.

Editing a Syslog Notification Subscription

You can edit a Syslog notification subscription regardless of its status (Running or Suspended). After you edit a Syslog notification subscription, if the subscription status is Running, Syslog messages are forwarded as specified until you change, suspend, or delete the subscription. Editing a suspended subscription automatically resumes it.

Note Editing a subscription is a multistep process. Your changes are not saved until you click the Finish button on the final page.

Step 1 Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. The Syslog Notification Subscriptions page appears. Step 2 Select the subscription you want to edit by clicking the radio button beside it. Step 3 Click Edit. Step 4 Edit the Syslog Subscription Save: Edit window: a. Change the subscription name. b. Select a different notification group. c. Select a Facility from the drop-down list (the default is Local Use 0). The Facility field and the event severity is used for the PRI portion of the Syslog message, as follows: [Facility*8][Severity] Event severity values are as follows: • Critical = 2 • Informational = 6 You can enter location information (up to 29 characters). This information will be populated in the Syslog message. This is optional. d. Click Next. Step 5 Add or delete a recipient host or change the port number for a host: a. To add one or more recipients, for each host, enter:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-19 Chapter 10 Notification and Action Settings Managing Fault Syslog Notifications

• An IP address or DNS name for the hostname. • A port number on which the Syslog daemon is listening. If the port number is unspecified (empty), the port defaults to 514. (You can verify this in Step 7.) • A comment. This is optional. b. To delete a recipient, delete the hostname, port number, and comment, if any. c. Click Next. Step 6 Click the Next button located at the bottom of the page. Step 7 Review the information that you entered and click Finish. The Syslog Notification Subscriptions page is displayed.

Suspending a Syslog Notification Subscription

After you suspend a Syslog notification subscription, LMS stops using the subscription to send Syslog notifications. The subscription status changes to Suspended.

Step 1 Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. The Syslog Notification Subscriptions page appears. Step 2 Select the subscription you want to suspend by clicking the radio button beside it. Step 3 Click Suspend. Step 4 Click OK in the confirmation dialog box. The Syslog Notification Subscriptions page is displayed. The subscription status is Suspended.

Resuming a Syslog Notification Subscription

After you resume a Syslog notification subscription, LMS starts using the subscription to determine when Syslog notifications should be sent in response to an event. The subscription status changes to Running. To resume a syslog notification subscription:

Administration of Cisco Prime LAN Management Solution 4.2 10-20 OL-25947-01 Chapter 10 Notification and Action Settings Configuring Fault SNMP Trap Receiving and Forwarding

Deleting a Syslog Notification Subscription

You can delete a Syslog notification subscription regardless of the subscription status. Deleting a subscription removes it permanently from LMS.

Note You can also suspend a subscription. Doing so causes the subscription to not be used until a user resumes it.

To delete a syslog notification subscription:

Step 1 Select Admin > Network > Notification and Action Settings > Fault - Syslog notification. Step 2 Select the subscription you want to delete by clicking the radio button beside it. Step 3 Click Delete. Step 4 Click OK in the confirmation dialog box. The Syslog Subscriptions page appears. The subscription is no longer displayed.

Configuring Fault SNMP Trap Receiving and Forwarding

LMS can receive traps on any available port and forward them to a list of devices and ports. This capability enables LMS to work with other trap processing applications. This section contains the following topics: • Enabling Devices to Send Traps to LMS • Enabling Cisco IOS-Based Devices to Send Traps to LMS • Enabling Catalyst Devices to Send SNMP Traps to LMS • Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs • Updating the SNMP Trap Receiving Port • Configuring SNMP Trap Forwarding LMS will only forward SNMP traps from devices in the LMS inventory. It will not change the trap format—it will forward the raw trap in the format in which the trap was received from the device. However, you must enable SNMP on your devices and you must do one of the following: • Configure SNMP to send traps directly to LMS • Integrate SNMP trap receiving with an NMS or a trap daemon

Note The ports and protocols used by Cisco Prime are listed in Installing and Migrating to Cisco Prime LAN Management Solution 4.2.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-21 Chapter 10 Notification and Action Settings Configuring Fault SNMP Trap Receiving and Forwarding

Enabling Devices to Send Traps to LMS

Note If your devices send SNMP traps to a Network Management System (NMS) or a trap daemon, see Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs.

Since LMS uses SNMP MIB variables and traps to determine device health, you must configure your devices to provide this information. For any Cisco device that you want LMS to monitor, SNMP must be enabled and the device must be configured to send SNMP traps to the LMS server. Make sure your devices are enabled to send traps to LMS by using the command line or GUI interface appropriate for your device: • Enabling Cisco IOS-Based Devices to Send Traps to LMS • Enabling Catalyst Devices to Send SNMP Traps to LMS

Administration of Cisco Prime LAN Management Solution 4.2 10-22 OL-25947-01 Chapter 10 Notification and Action Settings Configuring Fault SNMP Trap Receiving and Forwarding

Enabling Cisco IOS-Based Devices to Send Traps to LMS

For devices running Cisco IOS software, enter the following commands: (config)# snmp-server [community string] ro (config)# snmp-server enable traps (config)# snmp-server host [a.b.c.d] traps [community string]

where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the SNMP trap receiving host (the LMS server). For more information, see the appropriate command reference guide. To enable Cisco IOS-Based devices to send traps to LMS:

Step 1 Log into Cisco.com. Step 2 Select Products & Services > Cisco IOS Software. Step 3 Select the Cisco IOS software release version used by your IOS-based devices. Step 4 Select Technical Documentation and select the appropriate command reference guide.

Enabling Catalyst Devices to Send SNMP Traps to LMS

For devices running Catalyst software, provide the following commands: (enable)# set snmp community read-only [community string] (enable)# set snmp trap enable all (enable)# set snmp trap [a.b.c.d] [community string]

Step 1 Log into Cisco.com. Step 2 Select Products & Services > Cisco Switches. Step 3 Select the appropriate Cisco Catalyst series switch. Step 4 Select Technical Documentation and select the appropriate command reference guide.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-23 Chapter 10 Notification and Action Settings Configuring Fault SNMP Trap Receiving and Forwarding

Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs

You might need to complete one or more of the following steps to integrate SNMP trap receiving with other trap daemons and other Network Management Systems (NMSs): • If you are integrating LMS with a remote version of HP OpenView or NetView, you must install the appropriate adapter on the remote HP OpenView or NetView (see Installing and Migrating to Cisco Prime LAN Management Solution 4.2. This guide also provides information on supported versions). You do not need to install any adapters if HP OpenView or NetView is installed locally. • Add the host where LMS is running to the list of trap destinations in your network devices. See Enabling Devices to Send Traps to LMS. Specify port 162 as the destination trap port. (If another NMS is already listening for traps on the standard UDP trap port (162), use port 9000, which LMS will use by default.) • If your network devices are already sending traps to another management application, configure that application to forward traps to LMS. Table 10-5 describes scenarios for SNMP trap receiving and lists the advantages of each.

Table 10-5 Configuration Scenarios for Trap Receiving

Scenario Advantages Network devices send traps to port 162 of the host where • No reconfiguration of the NMS is required. LMS is running. LMS receives the traps and forwards • No reconfiguration of network devices is required. them to the NMS. • LMS provides a reliable trap reception and forwarding mechanism. • NMS continues to receive traps on port 162. • Network devices continue to send traps to port 162. NMS receives traps on default port 162 and forwards • No reconfiguration of the NMS is required. them to port 162 on the host where LMS is running. • No reconfiguration of network devices is required. • LMS does not receive traps dropped by the NMS.

Updating the SNMP Trap Receiving Port

By default, LMS receives SNMP traps on port 162 (or, if port 162 is occupied, port 9000). If you need to change the port, you can do so. LMS supports SNMP V1, V2, and V3 traps for trap receiving.

Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap receiving settings. Step 2 Enter the port number in the Receiving Port text box. Step 3 Click Apply.

For a list of ports that are already in use, see Installing and Migrating to Cisco Prime LAN Management Solution 4.2. If you have two instances of the DfmServer process running, traps will be forwarded from the first instance to the second instance.

Administration of Cisco Prime LAN Management Solution 4.2 10-24 OL-25947-01 Chapter 10 Notification and Action Settings Performance SNMP Trap Notification Groups

Configuring SNMP Trap Forwarding

Note Your login determines whether or not you can perform this task. View the Cisco Prime Permission Report (Reports > System > Users > Permission) to determine which tasks are permitted for each user role.

LMS will only forward SNMP traps from devices in the LMS inventory. LMS will not change the trap format—it will forward the raw trap in the format in which it was received from the device. All traps are forwarded in V1 (SNMP Version) format. In LMS 4.2, trap support is provided for SNMPv3 configured devices, unknown devices and non-Cisco devices.

Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding. Step 2 For each host, enter: • An IP address or DNS name for the hostname. • A port number on which the host can receive traps. Step 3 Click Apply.

Performance SNMP Trap Notification Groups

Cisco Prime LMS allows you to create SNMP Trap Receiver Groups using the Trap Receiver Groups option.This is group of hosts that receives specified trap notifications, when any TrendWatch or Threshold violation occurs in LMS. The Trap destination is defined by the IP address or it can be a host name. From the Trap Receiver Groups page, you can create a Trap Receiver Group, modify the configuration of a Trap Receiver Group, and delete a Trap Receiver Group. To access the Trap Receiver Group page, Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The Trap Receiver Groups page appears. Table 10-6 describes the fields in the Trap Receiver Groups.

Table 10-6 Trap Receiver Groups Fields

Field Description Trap Group Name Name of the Trap Receiver Group. Click on the Name hyperlink to view the details of the Trap Receiver Group created. Number of Receivers Number of Trap Receivers added to the Trap Receiver Group. Create Creates a Trap Receiver Group. See Creating a Trap Receiver Group. (button) Edit Modifies an existing Trap Receiver group. See Editing a Trap Receiver (button) Group.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-25 Chapter 10 Notification and Action Settings Performance SNMP Trap Notification Groups

Table 10-6 Trap Receiver Groups Fields

Field Description Delete Deletes an existing Trap Receiver Group. See Deleting a Trap Receiver Group. (button) Filter Filters information based on the criteria that you select from the drop-down (button) list. The drop-down list contains the following criteria: • All • Group Name See Filtering Trap Receiver Groups

You can perform the following tasks from the Trap Receiver Groups dialog box: • Creating a Trap Receiver Group • Editing a Trap Receiver Group • Deleting a Trap Receiver Group • Filtering Trap Receiver Groups

Creating a Trap Receiver Group

To create a Trap Receiver group

Step 1 Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The Trap Receiver Groups page appears. Step 2 Click Create. The Create Trap Receiver Group page appears, displaying the Trap Group Configuration dialog box. Table 10-7 describes the fields in the Trap Group Configuration dialog box.

Table 10-7 Trap Group Configuration

Field Description Group Name Enter the name of the Trap Receiver Group. For example, Trap Receiver Group 1. The name can contain a mix of alphabets, numerals, and some special characters (such as - _ . # @ $ &). Receiver Details Host Enter the host name or IP address. For example 10.77.201.52 Enter the IP address or hostname of the destination to which the trap message should be delivered. Port Enter the Port Number on which Trap Receiver is listening for traps. The default port value is 162. This field is optional.

Administration of Cisco Prime LAN Management Solution 4.2 10-26 OL-25947-01 Chapter 10 Notification and Action Settings Performance SNMP Trap Notification Groups

Table 10-7 Trap Group Configuration

Field Description Community Enter the community string that appears in the trap message. The default community string is public. This field is optional. Create Creates the Trap Receiver Group. (button) Add More Adds more hosts to the present Group. (button) Cancel Cancels the creation of Trap Receiver Group. (Button)

Step 3 Enter a descriptive name for the Trap Group name in the GroupName field. Step 4 Enter the IP address or hostname of the destination to which the trap should be delivered in the Host field. Step 5 Enter the Port Number on which Trap Receiver is listening for traps in the Port field. Step 6 Enter the community string that appears in the trap message in Community field. The community string will be displayed as asterisks.

Note You can add as many as five hosts or devices to the Trap Group by default.

To add more than five hosts to the Trap Group,

Step 1 Click Add More to add another host information to the Trap Group. Go to Step 4 to continue. Step 2 Click Create to create the Trap Group. Or Click Cancel to cancel the operation. The Trap Receiver Group dialog box appears, displaying the Trap Groups.

Editing a Trap Receiver Group

You can edit a Trap Receiver Group to update or change the hosts, ports and community string of the selected Trap Receiver Group using the Edit button in the List of Trap Receiver Groups. You can edit only one Trap Receiver Group at a time. If you select multiple Trap Receiver Groups using the check box, the Edit button is disabled. You cannot edit the Trap Receiver Group Name field. To edit a Trap Receiver Group:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-27 Chapter 10 Notification and Action Settings Performance SNMP Trap Notification Groups

Step 1 Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The Trap Receiver Groups dialog box appears. Step 2 Select the Trap Receiver Group by checking the corresponding check box against the Trap Receiver Group Name. Step 3 Click Edit. The Edit Trap Receiver Group dialog box appears, displaying the earlier settings. Table 10-8 describes the fields in the Trap Group Configuration dialog box.

Table 10-8 Trap Group Configuration

Field Description Group Name Name of the Trap Receiver Group. For example, Trap Receiver Receiver Details Host Enter the host name or IP address. For example 10.77.201.52 Enter the IP address or hostname of the destination to which the trap message should be delivered. Port Enter the Port Number on which Trap Receiver is listening for traps. For example, 162 Community Enter the community string that appears in the trap message. The default community string is public. Update Updates the Trap Receiver Group. (button) Add More Adds more hosts to the present Group. (button) Cancel Cancels the modification of the Trap Receiver Group. (Button)

Step 4 Make the necessary changes to the Receiver Details. To add more receivers to the present configuration,

Step 1 Click AddMore in the Trap Group Configuration dialog box. Step 2 Make necessary changes to the Receiver Details. Step 3 Click Update in the Trap Group Configuration dialog box to complete updating the Trap Receiver Group. Or Click Cancel to cancel the operation. The Trap Receiver Group dialog box appears, displaying the Trap Groups.

Administration of Cisco Prime LAN Management Solution 4.2 10-28 OL-25947-01 Chapter 10 Notification and Action Settings Performance SNMP Trap Notification Groups

Deleting a Trap Receiver Group

You can delete one or more Trap Receiver Groups using the Delete button on the List of Trap Receiver Groups dialog box. You cannot delete a Trap Receiver Group that is associated with any Threshold or TrendWatch. If you want to delete such Trap Receiver Groups, first remove the Trap Receiver Group from the associated Threshold or TrendWatch. Before a Trap Receiver Group is deleted, you are prompted to confirm the deletion because you cannot restore a Trap Receiver Group that you have deleted from the database. To delete a Trap Receiver Group:

Step 1 Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The List of Trap Receiver Groups dialog box appears. Step 2 Select the Trap Group Name by checking the appropriate check box. You can select multiple Trap Receiver Groups by checking their respective check boxes. Step 3 Click Delete. A message appears, prompting you to confirm the deletion, Step 4 Click OK to delete the Trap Receiver Groups. Or Click Cancel to cancel the operation. If you choose to click OK, a message appears that the Trap Receiver Group is deleted successfully. The Trap Receiver Groups dialog box appears.

Filtering Trap Receiver Groups

This section describes how you can use the filter option to display the Trap Receiver Group information based on a specific criteria. To filter a Trap Receiver Groups:

Step 1 Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap notification. The List of Trap Receiver Group dialog box appears. Step 2 Select a criteria for filtering from the drop-down list. Step 3 Enter the data to be filtered. Step 4 Click Show. The List of Trap Receiver Groups dialog box appears, displaying the Trap Receiver Group information based on the filter criteria. Table 10-9 describes the criteria to filter.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-29 Chapter 10 Notification and Action Settings Performance SNMP Trap Notification Groups

Table 10-9 Trap Receiver Groups Field Description

Filter Criteria Description Group Name Select Group Name and enter the data. You can use either of the following methods to filter by entering: • Complete Group name • Any wildcard characters of the Trap Receiver Group name (such as *trap, trap*)

Administration of Cisco Prime LAN Management Solution 4.2 10-30 OL-25947-01 Chapter 10 Notification and Action Settings Performance Syslog Notification Groups

Performance Syslog Notification Groups

Cisco Prime LMS allows you to create Syslog Receiver Groups using the Syslog Receiver Groups option. Syslog Receiver Groups is a group of hosts that receives Syslog messages when any TrendWatch or Threshold violation occurs in LMS. From the Syslog Receiver Groups page you can create a Syslog Receiver Group, modify the configuration of a Syslog Receiver Group, and delete a Syslog Receiver Group. To access the Syslog Receiver Group page, select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The List of Syslog Receiver Groups dialog appears. Table 10-10 describes the fields in the Syslog Receiver Groups.

Table 10-10 Syslog Receiver Groups Fields

Field Description Syslog Group Name Name of the Syslog Receiver Group. For example, Syslog Group Number of Receivers Number of Syslog Receivers added to the Syslog Receiver Group. Create Creates a Syslog Receiver Group. See Creating a Syslog Receiver Group. (button) Edit Modifies an existing Syslog Receiver group. See Editing a Syslog Receiver (button) Group. Delete Deletes an existing Syslog Receiver Group. See Deleting a Syslog Receiver (button) Group. Filter Filters information based on the criteria that you select from the drop-down (button) list. The drop-down list contains the following criteria: • All • Group Name See Filtering Trap Receiver Groups Update Facility Sends the Syslog message to the receiver, based on the facility level selected (button) in the drop-down list. The drop-down list contains the following criteria: • local 0 • local 1 • local 2 • local 3 • local 4 • local 5 • local 6 • local 7

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-31 Chapter 10 Notification and Action Settings Performance Syslog Notification Groups

You can perform the following tasks from the Syslog Receiver Groups dialog box: • Creating a Syslog Receiver Group • Editing a Syslog Receiver Group • Deleting a Syslog Receiver Group • Filtering Syslog Receiver Groups

Creating a Syslog Receiver Group

To create a Syslog Receiver group:

Step 1 Select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The Syslog Receiver Groups dialog appears. Step 2 Click Create. The Create Syslog Receiver Group page appears, displaying the Syslog Group Configuration dialog box. Table 10-11 describes the fields in the Syslog Group Configuration dialog box.

Table 10-11 Syslog Groups Configuration

Field Description Group Name Enter the name of the Syslog Group name. For example, Syslog Group. The name can contain a mix of alphabets, numerals, and some special characters (such as - _ . # @ $ &). Receiver Details Host Enter the host name or IP address. For example 10.77.201.52 Enter the IP address or hostname of the destination to which the syslog message should be delivered. This IP address should be DNS resolvable. Port Enter the Port Number on which Syslog Receiver is listening for syslog messages. The default port value is 514. This field is optional. Create Creates the Syslog Receiver Group (button) Add More Adds more hosts to the present Group (button) Cancel Cancels the creation of Syslog Receiver Group (Button)

Step 3 Enter a descriptive name for the Syslog Group name in the GroupName field. Step 4 Enter the IP address or hostname of the destination to which the Syslog messages should be delivered in the Host field. Step 5 Enter the Port Number on which Syslog Receiver is listening for Syslog Messages in the Port field.

Administration of Cisco Prime LAN Management Solution 4.2 10-32 OL-25947-01 Chapter 10 Notification and Action Settings Performance Syslog Notification Groups

Note You can add as many as five hosts or devices to the Syslog Group by default.

To add more than five hosts to the Syslog Group,

Step 1 Click AddMore to add another host information to the Syslog Group. Go to Step 4 to continue. Step 2 Click Create to create the Syslog Group. Or Click Cancel to cancel the operation. The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.

Editing a Syslog Receiver Group

You can edit a Syslog Receiver Group to update or change the hosts and ports of the selected Syslog Receiver Group using the Edit button in the List of Syslog Receiver Groups. You can edit only one Syslog Receiver Group at a time. If you select multiple Syslog Receiver Groups using the check box, the Edit button is disabled. You cannot edit the Syslog Receiver Group Name field. To edit a Syslog Receiver Group:

Step 1 Select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The Syslog Receiver Groups dialog box appears. Step 2 Select the Syslog Receiver Group by checking the corresponding check box against the Syslog Receiver Group Name. Step 3 Click Edit. The Edit Syslog Receiver Group dialog box appears, displaying the earlier settings. Table 10-11 describes the fields in the Syslog Group Configuration dialog box.

Table 10-12 Syslog Groups Configuration

Field Description Group Name Name of the Syslog Group name. For example, Syslog Group. Receiver Details Host Enter the host name or IP address. for example 10.77.201.52 Enter the IP address or hostname of the destination to which the Syslog message should be delivered. Port Enter the Port Number on which Syslog Receiver is listening for Syslog messages. The default port number is 512.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-33 Chapter 10 Notification and Action Settings Performance Syslog Notification Groups

Table 10-12 Syslog Groups Configuration

Field Description Update Updates the Syslog Receiver Group. (button) Add More Adds more hosts to the present Group. (button) Cancel Cancels the modification of the Syslog Receiver Group. (Button)

Step 4 Make the necessary changes to the Receiver Details. To add more receivers to the current configuration:

Step 1 Click AddMore in the Syslog Group Configuration dialog box. Step 2 Make the necessary changes to the Receiver Details. Step 3 Click Update in the Syslog Group Configuration dialog box to complete updating the Syslog Receiver Group. Or Click Cancel to cancel the operation. The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.

Deleting a Syslog Receiver Group

You can delete one or more Syslog Receiver Groups using the Delete button on the List of Syslog Receiver Groups dialog box. You cannot delete a Syslog Receiver Group which is associated with any Threshold or TrendWatch. If you want to delete such Syslog Receiver Groups, first remove the Syslog Receiver Group from the associated Threshold or TrendWatch. Before a Syslog Receiver Group is deleted, you are prompted to confirm the deletion because you cannot restore a Syslog Receiver Group that you have deleted from the database. To delete a Syslog Receiver Group:

Step 1 Select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The Syslog Receiver Groups dialog box appears. Step 2 Select the Syslog Group Name by checking the appropriate check box. You can select multiple Syslog Receiver Groups by checking their respective check boxes. Step 3 Click Delete. A message appears, prompting you to confirm the deletion. Step 4 Click OK to delete the Syslog Receiver Groups. Or

Administration of Cisco Prime LAN Management Solution 4.2 10-34 OL-25947-01 Chapter 10 Notification and Action Settings Performance Syslog Notification Groups

Click Cancel to cancel the operation. If you choose to click OK, a message appears that the Syslog Receiver Group is deleted successfully. The Syslog Receiver Groups dialog box appears.

Filtering Syslog Receiver Groups

You can use the Filter option to display the Syslog Receiver Group information based on a specific criteria. To filter a Syslog Receiver Groups:

Step 1 Select Admin > Network > Notification and Action Settings > Performance - Syslog notification. The List of Syslog Receiver Group dialog box appears. Step 2 Select a criteria for filtering from the drop-down list. Step 3 Enter the data to be filtered. Step 4 Click Show. The Syslog Receiver Groups dialog box appears, displaying the Syslog Receiver Group information based on the filter criteria. Table 10-13 describes the criteria to filter.

Table 10-13 Syslog Receiver Groups Field Description

Filter Criteria Description Group Name Select Group Name and enter the data. You can use any of the following methods to filter by entering: • Complete Group name • Any wildcard characters of the Syslog Receiver Group name (such as *Syslog, Syslog*)

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-35 Chapter 10 Notification and Action Settings Defining Automated Actions

Defining Automated Actions

You can create automated actions to be executed automatically whenever Syslog Analyzer receives a specific message type. This section contains: • Creating an Automated Action • Editing an Automated Action • Guidelines for Writing Automated Script • Enabling or Disabling an Automated Action • Exporting or Importing an Automated Action • Deleting an Automated Action • Automated Action: An Example When you select Admin > Network > Notification and Action Settings > Syslog Automated Actions, a list of automated actions appears in the dialog box on the Automated Actions page. Of these, there are two system-defined automated actions (the rest are user-defined). The system-defined automated actions are: • Inventory Fetch—To fetch inventory from the device. • Config Fetch—To fetch configuration from the device. You can edit these system-defined automated actions, but you cannot delete them. These actions are enabled by default. You can choose to disable them by selecting them and clicking Enable/Disable. Config Fetch might loop if SYS-6-CFG_CHG-*SNMP* message is received from a Catalyst operating system device. You can then edit Config Fetch automated action and you can delete SYS-6-CFG_CHG-*SNMP* message type. In the Automated Actions dialog box, you can choose whether to include interfaces of selected devices or not. The columns in the Automated Actions dialog box are:

Column Description Name Name of the automated action. Status Status of the automated action at creation time—Enabled, or disabled Type Type of automated action—E-mail, script or URL.

Note View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Administration of Cisco Prime LAN Management Solution 4.2 10-36 OL-25947-01 Chapter 10 Notification and Action Settings Defining Automated Actions

Using the automated actions dialog box, you can do the following tasks:

Task Button Create an automated action (see Creating an Automated Action). Create Edit an automated action (see Editing an Automated Action). Edit Enable or Disable an automated action (see Enabling or Disabling an Automated Action) Enable/Disable Import or Export an automated action (see Exporting or Importing an Automated Action) Import/Export Delete an automated action (see Deleting an Automated Action). Delete

If you are creating an automated action, see the example (Automated Action: An Example) of how to set up an automated action that sends an e-mail when a specific Syslog message is received. On Windows, you cannot set up an automated action to execute an.exe file that interacts with the Windows desktop. For example, you cannot make a window pop up on the desktop.

Related Topics

• Defining Automated Actions • Creating an Automated Action • Editing an Automated Action • Enabling or Disabling an Automated Action • Exporting or Importing an Automated Action • Deleting an Automated Action • Automated Action: An Example • Guidelines for Writing Automated Script

Creating an Automated Action

To create an automated action:

Step 1 Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, with a list of automated actions, appears in the Automated Actions page. Here, you can choose whether to include interfaces of selected devices or not. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions. Step 2 Click Create. A dialog box appears for device selection. Step 3 Select All Managed Devices or Choose Devices. If you select the All Managed Devices option: • You cannot select the individual devices or device categories from the device selector. • All managed devices are considered. • The syslog messages from the various device interfaces are considered for creating automated actions.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-37 Chapter 10 Notification and Action Settings Defining Automated Actions

If you select Choose Devices option, you must select the required devices. Step 4 Click Next. A dialog box appears in the Define Message Type page. Step 5 Enter a unique name for the automated action that you are creating. Step 6 Select either Enabled or Disabled as the status for the action at creation time. Step 7 Select the Syslog message types for which you want to trigger the automated action from the Define New Message Type section of the dialog box. Step 8 Click Next. The Automated Action Type dialog box appears. Step 9 Select a type of action (E-mail, URL, or Script) from the Select a type of action drop-down list box. • If you select E-mail, enter the following information in the Automated Action Type dialog box:

Field Description Send to List of comma separated e-mail addresses. Mandatory field. Subject Subject of the e-mail. Content Content that you want the e-mail to contain.

• If you select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can use the following parameters: – $D (for the device) – $M (for the complete syslog message). When the URL is invoked, If you have specified $D or $M, then, $D is substituted with the device hostname or IP address and $M is substituted with the syslog message. For example, if the URL is http://hostname/script.pl?device=$D&mesg=$M When invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog message. • If you select Script, enter the script to be used, in the Script to execute field of the Automated Action type dialog box. Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files (*.bat) on Windows. The shell script or batch file should have only write/execute permissions for casuser:casusers in UNIX and casuser/Administrator in Windows. The other users should have only read permission. You must ensure that the scripts contained in the file have permissions to execute from within the casuser account. The script files must be available at this location: On Windows: NMSROOT/files/scripts/syslog On UNIX: /var/adm/CSCOpx/files/scripts/syslog

Administration of Cisco Prime LAN Management Solution 4.2 10-38 OL-25947-01 Chapter 10 Notification and Action Settings Defining Automated Actions

To select the script file: a. Click Browse. The Server Side File Browser dialog box appears. b. Select the file (*.sh on Unix and *.bat on Windows). Step 10 Click OK. Step 11 Click Finish.

If the executable program produces any errors or writes to the console, the errors will be logged as Info messages in the SyslogAnalyzer.log. This file is available at: On UNIX, /opt/CSCOpx/log directory On Windows, NMSROOT\log directory (where NMSROOT is the root directory of the LMS Server).

Editing an Automated Action

To edit an automated action:

Step 1 Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, displaying the list of automated actions, appears in the Automated Actions page. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions. Step 2 Select an automated action from the drop-down list and click Edit. The Select Devices dialog box appears. Step 3 Select the required devices and click Next. A dialog box appears in the Define Message Type page. This dialog box allows you to: • Change the Message Filter Type—From Enabled to Disabled, or vice, versa. • Add a message type • Edit a message type • Delete a message type • Select a message type from system-defined message types Step 4 Click Next. Step 5 The Automated Action Type dialog box appears. This dialog box allows you to change the type of action. For example, you can change from E-mail to URL or Script. • For E-mail, enter or change the following information in the Automated Action type dialog box:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-39 Chapter 10 Notification and Action Settings Defining Automated Actions

Field Description Send to List of comma separated e-mail addresses. Subject Subject of the e-mail (optional). Content Content that you want the e-mail to contain.

Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent with the E-mail ID as the sender's address • For URL, enter or change the URL to be invoked, in the Automated Action type dialog box. If you select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can use the following parameters: – $D (for the device) – $M (for the complete syslog message). When the URL is invoked, If you have specified $D or $M, then, $D is substituted with the device hostname or IP address and $M is substituted with the syslog message. For example, if the URL is http://hostname/script.pl?device=$D&mesg=$M When invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog message. • If you select Script, enter the script to be used, in the Script to execute field of the Automated Action type dialog box. Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files (*.bat) on Windows. The shell script or batch file should have only write/execute permissions for casuser:casusers in UNIX and casuser/Administrator in Windows. The other users should have only read permission. You must ensure that the scripts contained in the file have permissions to execute from within the casuser account. The script files must be available at this location: On Windows: NMSROOT/files/scripts/syslog On UNIX: /var/adm/CSCOpx/files/scripts/syslog To select the script file: a. Click Browse. The External Config Selector dialog box appears. b. Select the file (*.sh on Unix and *.bat on Windows). Step 6 Click Finish. The edited automated action appears in the dialog box on the Automated Action page.

Administration of Cisco Prime LAN Management Solution 4.2 10-40 OL-25947-01 Chapter 10 Notification and Action Settings Defining Automated Actions

Guidelines for Writing Automated Script

To write an automated script:

Step 1 Copy the sampleEmailScript.pl from RME 3.5 or older to the new LMS 4.2 server and put this file in: For Solaris/Soft Appliance: /var/adm/CSCOpx/files/scripts/syslog directory For Windows: NSMROOT/files/scripts/syslog Step 2 Write a shell script for Solaris/Soft Appliance or .bat file for Windows in the same directory. Here is an example shell script (called syslog-email.sh) for UNIX: #!/bin/sh /opt/CSCOpx/bin/perl /var/adm/CSCOpx/files/scripts/syslog/sampleEmailScript.pl -text_message "MEssage: $2 from device: $1" -email_ids [email protected] -subject "Syslog Message: $2" -from [email protected] -smtp mail-server-name.nowhere.com For Windows, replace $1 and $2 with %1 and %2 and change the directory accordingly.

Enabling or Disabling an Automated Action

To enable or disable an automated action:

Exporting or Importing an Automated Action

You can export an automated action to a flat file and use this file on any Syslog Analyzer, using the import option. To export or import an automated action:

Step 1 Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, displaying the list of automated actions, appears in the Automated Action page.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-41 Chapter 10 Notification and Action Settings Defining Automated Actions

For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions. Step 2 Select an automated action. You can select more than one automated action. If you do not select an automated action before clicking the Export/Import button, then only the Import option will be available. The Export option will be disabled Step 3 Click Export/Import. The Export/Import Automated Actions dialog box appears with the Export or Import options. Step 4 Select either Export or Import. Step 5 Either: • Enter the location of the file to be exported or imported. Or • Click Browse. The Server Side File Browser appears. You can select a valid file, and click OK. The file location appears in the Export/Import dialog box. Step 6 Click OK.

Deleting an Automated Action

To delete an automated action:

Automated Action: An Example

This is an example of how to set up an automated action that sends an e-mail when a specific Syslog message is received. This example assumes that devices have been imported and are sending Syslog messages to the LMS Server.

Note View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Administration of Cisco Prime LAN Management Solution 4.2 10-42 OL-25947-01 Chapter 10 Notification and Action Settings Defining Automated Actions

Step 1 Select Admin > Network > Notification and Action Settings > Syslog Automated Actions. A dialog box, with a list of automated actions, appears in the Automated Action page. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions. Step 2 Click Create. The Devices Selection dialog box appears. Step 3 Select the required devices and click Next. The Define Message Type dialog box appears. Step 4 Enter a unique name for the automated action that you are creating. Step 5 Select either Enabled, or Disabled as the status for the action at creation time. Step 6 Click Select. The Select System Defined Message Types dialog box appears. Step 7 Select the SYS folder, then select the SYS-*-5-CONFIG_I message from the Select System Defined Message Types list, and click OK. The dialog box on the Define Message Type page appears. Step 8 Click Next. The Automated Action Type dialog box appears. Step 9 Select the type of action—E-mail, Script, or URL. If you had selected Email in Step 9: Enter the following information:

Field Description Send to List of comma-separated e-mail addresses. Subject Subject of the e-mail (optional). Content Content that you want the e-mail to contain.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-43 Chapter 10 Notification and Action Settings Defining Syslog Message Filters

http://hostname/script.pl?device=$D&mesg=$M When invoked, $D is replaced with 10.68.12.2 (where 10.68.12.2 is the IP address of the device) and $M is replaced with the URL-encoded syslog message. Step 10 Click Finish. Also see Verifying the Automated Action.

Verifying the Automated Action

To verify the automated action:

Step 1 Select a managed router that is already sending Syslog messages to the LMS server and generate a SYS-5-CONFIG_I message by changing the message-of-the-day banner as follows: a. Connect to the managed router using Telnet and log in. b. In enable mode enter enable, then enter a password. c. At the config prompt enter configure terminal. d. Change the banner by entering: banner motd z This is a test banner z end e. Exit the Telnet session. Step 2 Make sure that the SYS-5_CONFIG_I message is sent to the LMS Server as follows: • On UNIX systems, open the syslog_info file located in the /var/log directory, or whichever file has been configured to receive Syslog messages. • On Windows systems, open the syslog.log file located in the NMSROOT\log\ directory. Where NMSROOT is the LMS installation directory. Step 3 Verify that there is a message from the managed router whose banner-of-the-day was changed. This message appears at the bottom of the log. • If the message is in the file, an e-mail is mailed to the e-mail ID specified. • If the message is not in the file, the router has not been configured properly to send Syslog messages to the LMS Server.

Defining Syslog Message Filters

This section contains: • Creating a Filter • Editing a Filter • Enabling or Disabling a Filter • Exporting or Importing a Filter

Administration of Cisco Prime LAN Management Solution 4.2 10-44 OL-25947-01 Chapter 10 Notification and Action Settings Defining Syslog Message Filters

• Deleting a Filter You can exclude messages from Syslog Analyzer by creating filters.

Note View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

To launch the message filters dialog box:

Step 1 Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box appears in the Message Filters page. A list of all message filters is displayed in this dialog box, along with the names, and the status of each filter—Enabled, or Disabled. Step 2 Specify whether the filters are for dropping the Syslog messages or for keeping them, by selecting either Drop or Keep. • If you select Drop, the Common Syslog Collector drops the syslogs that match any of the Drop filters from further processing. • If you select Keep, Collector allows only the syslogs that match any of the “Keep” filters, for further processing.

Note The Drop or Keep options apply to all message filters. They do not apply to individual filters.

Step 3 Specify whether interfaces of selected devices should be included. In the dialog box that displays the message filters, you can do the following tasks:

Task Button Create a filter (see Creating a Filter). Create Edit a filter (see Editing a Filter). Edit Enable or disable a filter (see Enabling or Disabling a Filter). Enable/Disable Export or import a filter. (see Exporting or Importing a Filter). Export/Import Delete a filter (see Deleting a Filter). Delete

Creating a Filter

You can create a filter for Syslog messages by:

Step 1 Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box with a list of filters, appears in the Message Filter page. Step 2 Specify whether the filter should be a dropped or kept, by selecting either Drop or Keep.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-45 Chapter 10 Notification and Action Settings Defining Syslog Message Filters

• If you select Drop, the Common Syslog Collector drops the Syslogs that match any of the Drop filters from further processing. • If you select Keep, Collector allows only the Syslogs that match any of the Keep filters, for further processing.

Note The Drop or Keep options apply to all message filters. They do not apply to individual filters.

Step 3 Click Create. The dialog box appears for device selection. Step 4 Select All Managed Devices or Choose Devices. If you select the All Managed Devices option: • You cannot select the individual devices or device categories from the device selector. • All managed devices are considered. • The syslog messages from the various device interfaces are considered for creating message filters. If you select the Choose Devices option, you must select the required devices. Step 5 Click Next. .A dialog box appears in the Define Message Type page. Step 6 Enter a unique name for the filter. Step 7 Select either the Enabled, or the Disabled status for the filter at creation time. Step 8 Select the Syslog message types for which you want to apply the filter. Step 9 Click Finish. The list of filters in the message filter dialog box on the Message Filters page is refreshed.

Editing a Filter

To edit a filter:

Step 1 Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box, displaying the list of filters, appears in the Message Filter page. Step 2 Select a filter by clicking on its check box, and click Edit. The Select Devices dialog box appears. Step 3 Select the required devices and click Next. A dialog box appears in the Define Message Type page. This dialog box allows you to: • Change the filter Status—From Enabled to Disabled, or vice, versa. • Add a message type • Edit a message type • Delete a message type

Administration of Cisco Prime LAN Management Solution 4.2 10-46 OL-25947-01 Chapter 10 Notification and Action Settings Defining Syslog Message Filters

• Select a message type from system-defined message types Step 4 Click Finish after you make all your changes. The edited filter appears in the dialog box on the Message Filter page.

Enabling or Disabling a Filter

To enable or disable a filter:

Step 1 Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box, with the list of filters, appears in the Message Filter page. Step 2 Select the required filter from the list in the dialog box. Step 3 Click Enable/Disable to toggle its status. The dialog box in the Message Filter page is refreshed and it displays the changed state for the specified filter.

Exporting or Importing a Filter

You can export a filter to a flat file and use this file on any Syslog Analyzer, using the import option. To export or import a filter:

Step 1 Select Admin > Network > Notification and Action Settings > Syslog Message Filters. A dialog box, with the list of filters, appears in the Message Filter page. Step 2 Select a filter. You can select more than one filter. Step 3 Click Export/Import. The Export/Import dialog box appears with the Export or Import options. Step 4 Select either Export or Import.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-47 Chapter 10 Notification and Action Settings Inventory and Config Collection Failure Notification

Step 5 Either: • Enter the location of the file to be exported or imported. Or a. Click Browse. The Server Side File Browser appears. b. Select a valid file location, and click OK. The file location appears in the Export/Import dialog box. Step 6 Click OK.

Deleting a Filter

To delete a filter:

Inventory and Config Collection Failure Notification

This section contains: • Configuring Trap Notification Messages • Examples for Collection Failure Notification • Fields in a Trap Notification Message You can use the Collection Failure Notification option to configure the destination Server and Port to receive trap notification on Inventory Collection or Config Fetch failure. This failure trap is sent per device from the LMS server whenever the collection does not happen. Other network management stations can use this trap to know about LMS Inventory or Config collection failure status. You can check or uncheck the options available in this page to enable or disable the sending of trap notifications to other servers on Inventory Collection or Config Fetch failure.

Administration of Cisco Prime LAN Management Solution 4.2 10-48 OL-25947-01 Chapter 10 Notification and Action Settings Inventory and Config Collection Failure Notification

Table 10-14 lists the various fields and buttons available in the Notification on Failure Window:

Table 10-14 Collection Failure Notification

Field Description All Check this option, if you require both the Config Fetch Failure and Inventory Collection Failure trap notification to be sent to the listed servers. The listed servers are those servers that you have configured to receive trap notifications. See the description for List of Destination field for more information. Config Collection Check this option, if you require the Config Fetch Failure trap notification to be sent to the listed servers. Uncheck this option if you do not want the Config Fetch Failure trap notification to be sent to the listed servers. The listed servers are those servers that you have configured to receive trap notifications. See the description for List of Destination field for more information. Inventory Check this option, if you require the Inventory Collection Failure trap notification to be sent to the listed Collection servers. Uncheck this option if you do not want the Inventory Collection Failure trap notification to be sent to the listed servers. The listed servers are those servers that you have configured to receive trap notifications. See the description for List of Destination field for more information. Trap Destination Information Server The name or IP address of the destination server. Port The port number of the destination server. List of The names of the destination servers along with their ports which are configured to receive the trap Destinations notifications. Buttons Add Use the Add button to add the destination server and port information. On clicking Add, the server and port information get reflected in the List of Destinations list. Delete Use the Delete button to remove server and port information from the List of Destinations. To do so, select one or more server and port entry from the list of Destinations list and click on Delete to remove the entries from the list. Apply Click to accept the changes made.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-49 Chapter 10 Notification and Action Settings Inventory and Config Collection Failure Notification

Configuring Trap Notification Messages

To configure the distribution of trap notification messages from LMS to the connected hosts:

Step 1 Select Admin > Network > Notification and Action Settings > Inventory and Config collection failure notification. The Notification on Failure dialog box appears. Refer to to further complete the selection in this dialog box. Step 2 Click Apply to accept the changes made.

Examples for Collection Failure Notification

Example for Config Fetch Failure You are providing the following information in the Collection Failure Notification screen: Destination Server: 10.77.153.47 Destination Port: 162 You are also enabling the Send Notification on Config Fetch Failure option. By enabling this option you are allowing trap notifications to be sent to the specified destination server on Config Fetch Failure using the specified port. After that you add few new devices to LMS and schedule a job to fetch the configurations for all the devices. There is a Config Fetch Failure as the scheduled job is unable to fetch the configurations for the new devices. The server 10.77.153.47 receives trap notifications for each Config Fetch Failure per device.

Example for Inventory Collection Failure You are providing the following information in the Collection Failure Notification screen: Destination Server: 10.77.153.47 Destination Port: 162 You are also enabling the Inventory Collection option. By enabling this option you are allowing trap notifications to be sent to the specified destination server on Inventory Collection Failure using the specified port. After that you add few new devices to LMS and schedule a job to fetch the inventory information for all devices. There is a Inventory Collection Failure as the scheduled job is unable to fetch the inventory details for the new devices. The server 10.77.153.47 receives trap notifications for each Inventory Collection Failure per device.

Fields in a Trap Notification Message

Table 10-15 lists the various fields that constitute a Configuration Fetch or Inventory Collection Failure trap notification message.

Administration of Cisco Prime LAN Management Solution 4.2 10-50 OL-25947-01 Chapter 10 Notification and Action Settings IPSLA Syslog Configuration

Table 10-15 Fields in a Trap Notification Message Field Description Application Name LMS application that caused this change or identified the change and generated the notification. Device Name Network device for which the inventory or configuration collection has failed. Collection Failure Time at which the inventory or configuration collection job failed. Time Error Message The message that describes the reason for the collection failure. Some examples of trap error messages: Inventory Collection Failed due to SNMP TimeOut Exception. Config Collection Failed due to authentication failure.

IPSLA Syslog Configuration

Syslog is a trap message that is sent from the device if any changes occur to the device. You can either enable or disable the IPSLA Syslog. However the IPSLA Syslog can be configured only by a Network Administrator or System Administrator. The Device Selector will display only the Source devices that are IPSLA enabled. It does not display any Target devices. To enable or disable IPSLA Syslog:

Step 1 Select Admin > Network > Notification and Action Settings > IPSLA Syslog Configuration. The IPSLA Syslog Configuration page appears. Step 2 Click Enable If you click Enable, LMS will run the IPSLA CLI Command on the selected device, through the config job on the LMS server. This enables the generation of the IPSLAs specific traps through the system logging (Syslog process). Immediate job will be created in LMS and the Job ID link appears. Clicking the link will display the Syslog details. Or If you click Disable, LMS will run the IPSLA CLI Command on the selected device, through the config job on the LMS server. (LMS will run the IPSLA CLI Command on the selected device, through the config job on the LMS server). Immediate job will be created in LMS and the Job ID link appears. Clicking the link will display the Syslog details.

Note In a Multi-server setup among different versions, IPSLA Syslog enables supported version will be greater than LMS 4.2

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 10-51 Chapter 10 Notification and Action Settings IPSLA Syslog Configuration

Administration of Cisco Prime LAN Management Solution 4.2 10-52 OL-25947-01

CHAPTER 11

Administering Change Audit and Software Management

Change Audit tracks and reports changes made in the network. Change Audit allows other LMS to log change information to a central repository. Device Configuration, Inventory, and Software Management changes can be logged and viewed using Change Audit. LMS writes change records to Change Audit. Change Audit stores these records in the log tables (summary and details) for later use with reports. For example, Software Management records a change for each completed device upgrade. If a job has ten devices, then Software Management writes ten entries to the Change Audit log, but the Change Audit report shows only one job with ten devices. You can then access individual device information. Each application writes its own change records to Change Audit. For example, in Inventory you can set inventory change filters to filter out all kinds of information for different device types. Change Audit record maintenance is controlled by the Change Audit Delete Change History option. You can convert change records into SNMP V1 traps and forward them to a destination of your choice. This allows system administrators to forward critical network change data to their own NMS. You can define automated actions (e-mail and automated scripts) on creation of change audit record. The automated action gets triggered on creation of the change audit record. This section contains: • Setting Up Preferences • Performing Change Audit Tasks • Performing Maintenance Tasks • Defining Exception Periods • Defining Change Audit Automated Actions • Software Management Administration Tasks • Setting Change Report Filters

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-1 Chapter 11 Administering Change Audit and Software Management Setting Up Preferences

Setting Up Preferences

You can use this feature to set up your editing preferences. Config Editor remembers your preferred mode, even across different invocations of the application. You can change the mode using the Device and Version, Pattern Search, Baseline or External Configuration option but the changes do not affect the default settings. To set up preferences:

Step 1 Select Configuration > Tools > Config Editor > Edit Mode Preference. The User Preferences dialog box appears. Step 2 Set the default edit mode: • Select Processed to display the file in the Processed mode. The configuration file appears at the configlet level (a set of related configuration commands). The default is Processed. • Select Raw to display the file in the Raw mode. The entire file appears as shown in the device. Step 3 Click Apply to apply the set preferences.

Performing Change Audit Tasks

Change Audit allows you to: • Determine changes being made in the network during critical operations time System administrators can define the start and end times during the day when network changes should not be made. Based on this selection you can quickly see, for a given day, whether changes were made when they should not be. See Defining Exception Periods for defining the exception periods. • Define automated actions on creation of change audit record Automated action gets triggered on creation of the change audit record. You can define any number of automated actions. The supported automated actions are, E-mail, Traps, and Automated scripts See Defining Change Audit Automated Actions for defining the Change Audit automated actions. • Monitor your software image distribution and download history for software changes made using the Software Management application. Software Management automatically sends network change data to the Change Audit summary and details tables. • Track any configuration file changes Device Configuration automatically sends data on configuration file changes to the Change Audit log. See Generating 24 Hours and Standard Change Audit Reports for generating the Change Audit reports.

Administration of Cisco Prime LAN Management Solution 4.2 11-2 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Performing Maintenance Tasks

• Monitor inventory additions, deletions, or changes Inventory tracks specific messages or monitors any and all changes in your network inventory. To set inventory filters, use the Inventory Change Filter option. See Generating 24 Hours and Standard Change Audit Reports for generating the Change Audit reports. • View all the latest changes that occurred in the network over the last 24 hours 24-Hour Reports provides a quick way to access the latest changes in the Change Audit log. See Generating 24 Hours and Standard Change Audit Reports for generating the Change Audit reports. • Purging the Change Audit records Frees disk space and maintains your Change Audit records at a manageable size. You can either schedule for periodic purge or perform a forced purge of Change Audit data. See Performing Maintenance Tasks for scheduling a periodic purge. • Generating change audit data in XML format cwcli export changeaudit is a command line tool that also provides servlet access to change audit data. This tool uses the existing Change Audit log data and generates the Change Audit log data in XML format. • Set the debug mode for Change Audit application You can set the debug mode for Change Audit application in the Log Level Settings dialog box (Select Admin > System > Debug Settings > Config and Image Management Debugging settings; select Change Audit from the Application drop-down list.).

Generating 24 Hours and Standard Change Audit Reports To generate 24 Hours and Standard Change Audit Reports:

Step 1 Select Reports > Audit. Step 2 Select Change Audit from the first drop-down list box. Step 3 Select Standard from the second drop-down list box.

Performing Maintenance Tasks

You can either schedule for periodic purge or perform a forced purge of Change Audit data. This frees disk space and maintains your Change Audit data at a manageable size. You can perform these tasks: • Setting the Purge Policy • Performing a Forced Purge • Config Change Filter

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-3 Chapter 11 Administering Change Audit and Software Management Performing Maintenance Tasks

Setting the Purge Policy

You can specify a default policy for the periodic purging of Change Audit data.

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

To set the Change Audit Purge Policy:

Step 1 Select Admin > Network > Purge Settings > ChangeAudit Purge Policy. The Purge Policy dialog box appears in the Periodic Purge Settings pane. Step 2 Enter the following information:

Field Description Purge change audit Enter the number of days. Only Change Audit records older than the number of days that you records older than specify here, will be purged. The default is 180 days. Purge audit trail records Enter the number of days. Only Audit Trail records older than the number of days that you older than specify here, will be purged. The default is 180 days. Scheduling Run Type You can specify when you want to run the Purge job for Change Audit and Audit Trail records. To do this select one of the following options from the drop-down menu: • Daily—Runs daily at the specified time. • Weekly—Runs weekly on the day of the week and at the specified time. • Monthly—Runs monthly on the day of the month and at the specified time. The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. Date You can select the date and time (hours and minutes) to schedule. at Enter the start time, in the hh:mm:ss format (23:00:00).

Administration of Cisco Prime LAN Management Solution 4.2 11-4 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Performing Maintenance Tasks

Field Description Job Info Job Description The system default job description, ChangeAudit Records - default purge job is displayed. You cannot change this description. E-mail Enter e-mail addresses to which the job sends messages at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.

Caution You might delete data by changing these values. If you change the number of days to values lower than the current values, messages over the new limits will be deleted.

Step 3 Click either Save to save the Purge policy that you have specified, or click Reset to reset the changes made to a Purge policy.

Performing a Forced Purge

You can perform a Forced Purge of Change Audit, as required.

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

To perform a Change Audit Forced Purge:

Step 1 Select Admin > Network > Purge Settings > ChangeAudit Force Purge. The Purge Policy dialog box appears. Step 2 Enter the information required to perform a Forced Purge:

Field Description Purge change audit Enter the number of days. Only Change Audit records older than the number of days that you specify records older than here, will be purged. Purge audit trail Enter the number of days. Only Audit Trail records older than the number of days that you specify records older than here, will be purged.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-5 Chapter 11 Administering Change Audit and Software Management Performing Maintenance Tasks

Field Description Scheduling Run Type You can specify when you want to run the Force Purged job for Change Audit and Audit Trail records. To do this select one of the following options from the drop-down menu: • Immediate—Runs this task immediately. • Once—Runs this task once at the specified date and time. Date Enter the start date in the dd-mmm-yyyy format, for example, 02-Dec-2003, or click on the Calendar icon and select the date. The Date field is enabled only if you have selected Once as the Run Type. at Enter the start time, in the hh:mm:ss format (23:00:00). The At field is enabled only if you have selected Once as the Run Type Job Info Job Description Enter a description for the job. This is mandatory. E-mail Enter e-mail addresses to which the job sends messages at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.

Step 3 Click Submit for the Forced Purge to become effective.

Administration of Cisco Prime LAN Management Solution 4.2 11-6 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Defining Exception Periods

Config Change Filter

You can use this option to enable or disable VLAN Change audit filtering. When there is a change to the device configuration, a change record is created. By default, the VLAN change audit record is not created for those devices that have a VLAN configuration. To enable or disable the VLAN Change Audit Filter option:

Step 1 Select Admin > Network > Change Audit Settings > Config Change Filter. The Config Change Filter dialog box appears. Step 2 Check or uncheck the Enable VLAN Change Audit Filter option. • Check Enable VLAN Change Audit Filter, if you do not want the change audit record to be created for devices that have a VLAN configuration. By default, this option is checked. • Uncheck Enable VLAN Change Audit Filter, if you want the change audit record to be created for devices that have VLAN configuration. Step 3 Click either Apply to apply the option or click Cancel to discard the changes.

Defining Exception Periods

An Exception period is a time you specify when no network changes should occur. This period does not prevent you from making any changes in your network. The set of Exception periods is known as an Exception profile. You can have only one Exception period for a day. You perform the following tasks for Exception profiles:

Tasks Description Creating an Exception Period Creating an exception profile. Enabling and Disabling an Enabling and disabling a set of exception profiles. Exception Period Editing an Exception Period Editing an exception profile. Deleting an Exception Period Deleting a set of exception profiles.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-7 Chapter 11 Administering Change Audit and Software Management Defining Exception Periods

Creating an Exception Period

To create an Exception profile:

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Step 1 Select Admin > Network > Change Audit Settings > Exception Periods. The Define Exception Period dialog box appears. Step 2 Select: • Days of the week from the Day drop-down list box • Start and end times from the Start Time and the End Time drop-down list box. Step 3 Click Add. The defined exception profile appears in the List of Defined Exception Periods pane. To enable the exception period, see Enabling and Disabling an Exception Period.

Enabling and Disabling an Exception Period

To enable and disable a set of exceptions periods:

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Step 1 Select Admin > Network > Change Audit Settings > Exception Periods. The Define Exception Period dialog box appears. Step 2 Select one or more exception profiles in the List of Defined Exception Periods pane. Step 3 Click Enable/Disable. • If you have selected Enabled, then the exception period report is generated for that specified time frame. • If you have selected Disabled, then the exception period report is not generated for that whole day. For example: If you have disabled exception period for Monday from 10:00 am to 12:30 pm, then there will not be any exception period report generated for Monday.

Administration of Cisco Prime LAN Management Solution 4.2 11-8 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Defining Exception Periods

Editing an Exception Period

To edit an exception profile:

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Step 1 Select Admin > Network > Change Audit Settings > Exception Periods. The Define Exception Period dialog box appears. Step 2 Select a day from the Day drop-down list box for which you want to change the exception period. Step 3 Change the start and end times in the Start Time and the End Time drop-down list box. If required you can also enable or disable the status for the exception period. Step 4 Click Add. The edited exception profile appears in the List of Defined Exception Period dialog box. This will overwrite the existing exception profile for that day.

Deleting an Exception Period

To delete a set of Exceptions Periods:

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-9 Chapter 11 Administering Change Audit and Software Management Defining Change Audit Automated Actions

Defining Change Audit Automated Actions

You can define automated actions on creation of change audit record. This automated action gets triggered on creation of the change audit record. You can define any number of automated actions. The supported automated actions are: • E-mail • Traps • Automated scripts This section contains: • Understanding the Automated Action Window • Creating an Automated Action • Editing an Automated Action • Enabling and Disabling an Automated Action • Exporting and Importing an Automated Action • Deleting an Automated Action

Understanding the Automated Action Window

This window contains the following entries:

Field Description Name Name of the automated action. Status Status of the automated action—Enabled, or disabled. Type Type of automated action—Email, Script or Trap.

You perform the following tasks from this window:

Tasks Description Creating an Automated Action Creating an automated action. Enabling and Disabling an Enabling and disabling a set of automated actions. Automated Action This button gets activated only after selecting an automated action. Editing an Automated Action Editing an automated action. This button gets activated only after selecting an automated action. Exporting and Importing an Exporting and importing a set of automated actions. Automated Action Deleting an Automated Action Deleting a set of automated actions. This button gets activated only after selecting an automated action.

Administration of Cisco Prime LAN Management Solution 4.2 11-10 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Defining Change Audit Automated Actions

Creating an Automated Action

To create an automated action:

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Step 1 Select Admin > Network > Notification and Action Settings > ChangeAudit Automated Actions. The Automated Action dialog box appears. Step 2 Click Create. The Define Automated Action dialog box appears. Step 3 Enter the following:

Field Description Name Name for the automated action. Status Select either Enabled or Disabled For the automated action to trigger. Application Select the name of the application on which the automated action has to be triggered. Category Select the types of the changes, for example, configuration, inventory, or software on which the automated action has to be triggered. Mode Select the connection mode on connection modes on which the automated action has to be triggered. User Select the user name on which the automated action has to be triggered.

Step 4 Click Next. The Automated Action Type dialog box appears. Step 5 Select either E-mail or Trap or Script. Based on your selection, enter the following data:

Field Description If you have selected E-mail, enter: Send To Enter the E-mail ID for which the trigger has to be notified. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). You will receive the e-mail with the E-mail ID as the sender's address. Subject Enter the subject of the e-mail. Content Enter the content of the e-mail.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-11 Chapter 11 Administering Change Audit and Software Management Defining Change Audit Automated Actions

Field Description If you have selected Trap, perform: Enables configuration of a single or dual destination port numbers and hostnames for the traps generated by Change Audit. Ensure that you have copied these files: • CISCO-ENCASE-MIB.my • CISCO-ENCASE-APP-NAME-MIB.my into the destination system to receive the traps. These files are available in the following directories on LMS server: On UNIX: /opt/CSCOpx/objects/share/mibs On Windows: NMSROOT\objects\share\mibs. Where NMSROOT is the root directory of the LMS Server. a. Enter the Server and Port details in the Define Trap field. b. Click Add. The server and port information appears in the List of Destinations text box. If you want delete, the server and port information, select the server and port information from the List of Destinations text box and click Delete. If you have selected Script, enter... You can run only shell scripts (*.sh) on Unix and batch files (*.bat) on Windows. The shell script or batch file should have only write/execute permissions for casuser:casusers in Solaris/Soft Appliance and casuser/Administrator in Windows. The other users should have only read permission. You must ensure that the scripts contained in the file has permissions to execute from within the casuser account. The following are the parameters for change audit automated action that will appear in the script: – Application Name – Category – User Name – Description – Connection Mode – Host Name The script files must be available at this location: On UNIX: /var/adm/CSCOpx/files/scripts/changeaudit On Windows: NMSROOT/files/scripts/changeaudit To select the script file: a. Click Browse. The Server Side File Browser dialog box appears with the predefined location. b. Select the script file (*.sh on Unix and *.bat on Windows) c. Click OK.

Administration of Cisco Prime LAN Management Solution 4.2 11-12 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Defining Change Audit Automated Actions

Step 6 Click Finish. The Automated Action window appears with the defined automated action.

Editing an Automated Action

To edit an automated action:

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Step 1 Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions. The Automated Action dialog box appears. Step 2 Select an Automated Action. Step 3 Click Edit. (See step 3 to step 5 in Creating an Automated Action.). Step 4 Click Finish. The Automated Action window appears with the updated data.

Enabling and Disabling an Automated Action

To enable or disable a set of automated actions:

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Step 1 Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions. The Automated Action dialog box appears. Step 2 Select one or more Automated actions. Step 3 Click Enable/Disable. The Automated Action window appears with the updated data.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-13 Chapter 11 Administering Change Audit and Software Management Defining Change Audit Automated Actions

Exporting and Importing an Automated Action

To export or import an automated action:

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Step 1 Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions. The Automated Action dialog box appears. Step 2 If you want to export an Automated action, then select the automated actions else go to next step. Step 3 Click Export/Import. The Export/Import dialog box appears. Step 4 Select the task to be performed—Export or Import. Step 5 Either: • Enter the filename along with the absolute path. Or • Click Browse, The Server Side File Browser dialog box appears. a. Select a folder. b. Click OK. c. Enter the filename. Step 6 Click OK.

Deleting an Automated Action

To delete a set of automated actions:

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Step 1 Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions. The Automated Action dialog box appears. Step 2 Select a or a set of Automated actions. Step 3 Click Delete. The Automated Action window appears with the updated data.

Administration of Cisco Prime LAN Management Solution 4.2 11-14 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Software Management Administration Tasks

Software Management Administration Tasks

You can set your preference to download images. To do this, select Admin > Network > Software Image Management. The following section explains how to set the Software Management preferences: • Viewing/Editing Preferences

Viewing/Editing Preferences

Edit Preferences helps you to set or change your Software Management preferences. The options you specify here are applicable to Software Management tasks such as image distribution, image import, etc. This section contains: • Selecting and Ordering Protocol Order • How Recommendation Filters Work for an IOS Image

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

To view and edit the preferences:

Step 1 Select Admin > Network > Software Image Management > View/Edit Preferences. The View/Edit Preferences dialog box appears. Step 2 Enter the following:

Field Description Usage Notes Repository Management Image Location New directory to store software If you enter a new name, all existing files are moved to this images. directory. If the directory does not have enough space, the files are not moved and an error message appears. By default the software images are stored at this location: If the specified directory does not exist, Software Management creates a new directory before moving the files to the new On Solaris/Soft Appliance: directory. /var/adm/CSCOpx/files/rme/ The new directory should be empty. repository/ The new directory specified by you should have the permission for On Windows: casuser:casusers in Solaris/Soft Appliance and casuser should NMSROOT/files/rme/repository have Full Control in Windows. Where NMSROOT is the Cisco Prime installed directory.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-15 Chapter 11 Administering Change Audit and Software Management Software Management Administration Tasks

Field Description Usage Notes Distribution Script Location You can specify only shell On UNIX, the scripts should have read, write, and execute scripts (*.sh) on UNIX and batch permissions for the owner (casuser) and read and execute files (*.bat) on Windows. permissions for group casusers. That is, the script should have 750 permission. The script files must be available at this location: On Windows, the script should have read, write, and execute permissions for casuser/Administrator. On UNIX: The other users should have only read permission. You must /var/adm/CSCOpx/files/scripts/ ensure that the scripts contained in the file have permissions to swim execute from within the casuser account. On Windows: This script is run before and after completing each device software NMSROOT/files/scripts/swim upgrade for all scheduled jobs. To select the script file: a. Click Browse. The Server Side File Browser dialog box appears with the predefined location. b. Select the script file (*.sh on Unix and *.bat on Windows) c. Click OK. You can use Clear to clear your selections for Script Location. This clears all previous values. Script Timeout Number of seconds the user’s Software Management waits for the time specified before (seconds) script can run (default = 90). concluding that the script has failed. Protocol Order Specify an order of preferred This preferred protocol order is followed only for those devices protocol for image that permit more than one protocol for image transfer. import/distribution. The In devices, where multiple protocol option is not available for supported protocols are: image transfers, Software Management uses its own knowledge • RCP and selects the relevant protocol to upgrade the device. • TFTP For fetching configuration from device, the protocol settings of Configuration Management is used. Software Management uses • SCP the same protocol for fetch and download of configurations. • HTTP You can set the Configuration Management protocol order using See Selecting and Ordering Admin > Collection Settings > Config > Config Transport Protocol Order for further Settings. details.

Administration of Cisco Prime LAN Management Solution 4.2 11-16 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Software Management Administration Tasks

Field Description Usage Notes Use SSH for software Uses this protocol to connect to The device must support SSH for Software Management to use this image upgrade and the devices. protocol. software image By default, Telnet is used to Software Management uses command line interface to upgrade import through CLI connect to the devices. software images and to import software images. (with fallback to TELNET). If SSH fails, then Telnet is used When you select the SSH protocol for the Software Management, to connect to the devices. the underlying transport mechanism checks whether the device is running SSHv2. If so, it tries to connect to the device using SSHv2. If the device does not run SSHv2 and runs only SSHv1 then it connects to the device through SSHv1. If the device runs both SSHv2 and SSHv1, then it connects to the device using SSHv2. If a problem occurs while connecting to the device using SSHv2, then it does not fall back to SSHv1 for the device that is being accessed and Telnet is used to connect to the device. See the Software Management Functional Supported Device tables on Cisco.com for SSH and CLI device support information. http://www.cisco.com/en/US/products/sw/cscowork/ps2073/prod ucts_device_support_tables_list.html Recommendation Filters (See How Recommendation Filters Work for an IOS Image.) Include Cisco.com During image distribution, images for image recommend Cisco.com images recommendation for Cisco devices. Include General Includes only GD images. For Cisco IOS devices only. deployment images Include latest Includes the latest major releases For Cisco IOS devices only. maintenance release of IOS images. (of each major For example, if Release 12.2(5) release). was latest maintenance version in the 12.2 major release, the recommended image is IOS 12.2(5). Include images higher Includes the images that are For Cisco IOS devices only. than running image. newer than the images running on your device. For example, if the device is running Release 11.2(3), the recommended images are 11.2(4) and later.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-17 Chapter 11 Administering Change Audit and Software Management Software Management Administration Tasks

Field Description Usage Notes Include same image Include only images that have For Cisco IOS devices only. feature subset as the same feature subset as the running image. current image. For example, if you want IOS images with the ENTERPRISE IPSEC feature, the recommended images contain the latest version. This version contains feature subset that fits the Flash. Password Policy Enable Job Based Enter a username and password • If you have enabled User Configurable option, you can disable Password for running a specific Software this option while scheduling the distribution jobs. Management job. • If you have disabled User Configurable option, you must enter If you enter a username and the username and password while scheduling the distribution password, Software jobs. Management application uses These passwords are used only to connect to devices for which this username and password to Software Management uses CLI, Telnet, and SSH.for software connect to the device, instead of upgrades. taking these credentials from the Device and Credential See the Software Management Functional Supported Device tables Repository. on Cisco.com for CLI, Telnet and SSH device support information. http://www.cisco.com/en/US/products/sw/cscowork/ps2073/prod ucts_device_support_tables_list.html

Step 3 Either: • Click Apply to save your changes. • Click Defaults to display the default configuration. • Click Cancel to discard the values entered and revert to previously saved values.

Administration of Cisco Prime LAN Management Solution 4.2 11-18 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Software Management Administration Tasks

Selecting and Ordering Protocol Order

In the View/Edit Preferences dialog box (Admin > Network > Software Image Management > View/Edit Preferences) you can define the protocol order that Software Management has to use for software image download. Software Management tries to download the software images based on the specified protocol order. While downloading the images, Software Management uses the first protocol in the list. If the first protocol in the list fails, these jobs use the second protocol and so on, until Software Management finds a transport protocol for downloading the images.

To Enable the Protocols:

Step 1 Select a protocol from the Available Protocols pane. Step 2 Click Add or double click the mouse.

To Disable the Protocols:

Step 1 Select a protocol from the Selected Protocol Order pane. Step 2 Click Remove or double click the mouse.

To Reorder the Protocols

Step 1 Select the protocol from the Selected Protocol Order pane. Step 2 Click Up or Down to reorder the protocols.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-19 Chapter 11 Administering Change Audit and Software Management Software Management Administration Tasks

How Recommendation Filters Work for an IOS Image

This section describes how the recommendation filters that you select in the View/Edit Preferences dialog box (Admin > Network > Software Image Management > View/Edit Preferences) work for a Cisco IOS image. If you have selected the option, Include Cisco.com Images for image recommendation, Software Management checks for the images that are available on Cisco.com and the Software repository. If the same image is available in the Software repository and Cisco.com, the image is recommended from the Software repository. If you have not selected the option, Include Cisco.com Images for image recommendation, the Software Management checks and recommends images only from Software repository.

Table 11-1 Recommending Images for an Cisco IOS Image

Include Include Latest Same Mainten Include Image Include ance Images Feature General Release Higher Subset Deploy- (of Each Than as Option ment Major Running Running Number Images Release) Image Image Recommendation 1Not Not Not Not The recommendation image list includes: selected selected selected selected • All available images. • In case of, – Multiple images with the same version as that of the running image version are present, the image with a higher compatible feature than the running image is recommended. – Similar images in Cisco.com and Software Management repository, the image from the repository is recommended. • The image feature can be the same or a superset of the running image. If a higher version is not available, then no recommendation is made. 2Not Not Not Selected The recommended list contains images that have the same feature set selected selected selected as that of the running image. The images with the highest version among the recommended image list are recommended. 3Not Not Selected Not The recommend list contains all types of releases (deployment status). selected selected selected The images with the highest version among recommended image list are recommended. The feature set of the recommended image may be superior than the running image. 4Not Selected Not Not The latest maintenance version in each release is available in the selected selected selected recommend image list. The latest image version is recommended.

Administration of Cisco Prime LAN Management Solution 4.2 11-20 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Software Management Administration Tasks

Table 11-1 Recommending Images for an Cisco IOS Image (continued)

Include Include Latest Same Mainten Include Image Include ance Images Feature General Release Higher Subset Deploy- (of Each Than as Option ment Major Running Running Number Images Release) Image Image Recommendation 5 Selected Not Not Not The images with deployment status identified as GD are available in selected selected selected the recommended image list and other recommendation flow remains the same as the option 1. 6 Selected Not Not Selected Same as option5. However, the recommended list contains images that selected selected have the same feature set as that of running image. 7 Selected Not Selected Not Same as option 5. However, the image with the highest version in the selected selected recommended image list is recommended. The feature set of the recommended image may be superior than the running image. 8 Selected Not Selected Selected Same as option 6. However, the image with the highest version in the selected recommended image list is recommended. All recommend images will have the same feature subset as the running image. 9 Selected Selected Not Not The images with the highest version among recommended image list selected selected are recommended. The images of GD types of releases are available in the recommended image list. 10 Selected Selected Not Selected The images with the same feature as that of running image is available selected in the recommended list and the latest maintenance version of all release is available in the recommended list. Only an image with higher version than running image is recommended. The recommended images can have only GD status. 11 Selected Selected Selected Not Same as option 9. In addition to this, an image with the higher version selected than running image is also recommended.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-21 Chapter 11 Administering Change Audit and Software Management Setting Change Report Filters

Setting Change Report Filters

Using the Inventory Change Filter dialog box, you can select the attributes that you do not wish to log using Change Audit. The history of inventory changes are logged by and viewed through Change Audit. The attributes that you select in the Inventory Change Filter dialog box, are monitored for Inventory changes like other variables. However, they are not logged using Change Audit. Consequently, these changes are not displayed in your inventory change reports. For example, for Stack devices, if you do not want to log the operational status for changes in Change Audit, select the Operational Status option in the Inventory Change Filter dialog box. The Inventory Change Filter dialog box, displays each attribute group and the corresponding filters for the attribute group, for your selection. • To view all inventory change reports, select Reports > Inventory. In the Report Generator dialog box, first select the application, Change Audit, and then select the Exception Period Report from the respective drop-down lists. • To view inventory changes from the last 24 hours, select Reports > Inventory. In the Report Generator dialog box, first select the application, Inventory, and then select report 24 Hour Inventory Change report from the respective drop-down lists.

Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task.

To set Inventory change filters:

Step 1 Select Admin > Network > Change Audit Settings > Inventory Change Filter. The Inventory Change Filter dialog box appears. Step 2 Select a group from the Select a Group drop-down list. See Table 11-2. The dialog box refreshes to display the filters available for the attribute group that you selected. Step 3 Select the attributes that you do not want to monitor for changes. Step 4 Click Save. A confirmation dialog box appears. Step 5 Click OK to save the details. You can use Reset All to reset your selections for all groups. This resets all previous values to blanks.

Administration of Cisco Prime LAN Management Solution 4.2 11-22 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Setting Change Report Filters

Table 11-2 Inventory Change Filters

Report Inventory Group Custom Report Group/Attribute Description Asset Orderable Part Number Orderable part number of asset. Tag Asset tag. CLE Identifier Represents CLIE (Common Language Equipment Identifier) code for the physical entity. Mfg Assembly Revision Manufacturing assembly revision of asset. Mfg Assembly Number Manufacturing assembly number of asset. Physical Index Physical index of asset Back Plane Operational Status Operational status of backplane. Parent Relative Position Indicates the relative position of this child component among all its sibling components. Manufacturer Name Name of manufacturer. Physical Entity Name Name of physical entity. Slot Configuration Configuration of backplane slots Model Name Name of model. Vendor Type Type of vendor. Serial Number Serial number of backplane. Description Description of backplane. Component Type Type of component. Index Index of backplane. Field Replaceable Unit FRU of backplane. Field-replaceable unit is a hardware component that can be removed and replaced on site. Alias Name Alias name of backplane. Bridge Bridge Type Type of bridge. Number of Ports Number of ports in the bridge. Base Bridge Address Base address of bridge.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-23 Chapter 11 Administering Change Audit and Software Management Setting Change Report Filters

Table 11-2 Inventory Change Filters (continued)

Report Inventory Group Custom Report Group/Attribute Description Chassis Chassis Model Name Name of the chassis model. Chassis Serial Number Serial number of the chassis. Chassis Vendor Type Type of vendor. Chassis Version Version number of the chassis. Report Published Indicates whether Report is published or not. Displays the value as True or False. Description Description of chassis. Field Replaceable Unit FRU of chassis. Component Type Type of component. Alias Name Alias name of chassis. Index Physical index of chassis. Parent Relative Position Indicates the relative position of this child component among all its sibling components. Physical Entity Name Name of physical entity. Free Slots Free slots in chassis. Slot Capacity Slot capacity of chassis. Power Available (Watts) Power available at chassis level Power Consumption (Watts) Power consumption at chassis level Power Consumption (%) Percentage of power consumption at chassis level. Power Remaining (Watts) Power remaining at chassis level. Operational Status Operational status of chassis. Manufacturer Name Name of manufacturer. Slot Configuration Slot configuration of chassis. Component Index Physical index of component. Field Replaceable Unit FRU of component. Alias Name Alias name of component. Parent Relative Position Indicates the relative position of this child component among all its sibling components. Operational Status Operational status of component. Manufacturer Name Name of manufacturer. Name Name of component. Slots Configured Slot configuration of component. Model Name Name of model. Vendor Type Vendor type of component. Serial Number Component serial number. Description Description of component. Component Type Type of component.

Administration of Cisco Prime LAN Management Solution 4.2 11-24 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Setting Change Report Filters

Table 11-2 Inventory Change Filters (continued)

Report Inventory Group Custom Report Group/Attribute Description Container Alias Name Alias name of container. Operational Status Operational status of container. Manufacturer Name Name of manufacturer of container. Slot Configuration Slot configuration of container. Container Model Name Model name of container. Container Vendor Type Vendor type of container. Parent Relative Position Parent Relative Position of container. Container Serial Number Serial number of container. Physical Entity Name Physical entity name of container. Description Description of container. Component Type Type of container component. Index Index of container. Field Replaceable Unit FRU of container. Fan Fan Model Name Name of model of fan. Fan Vendor Type Vendor type of fan. Parent Relative Position Parent Relative Position of fan. Fan Serial Number Serial number of fan. Description Description of fan. Physical Entity Name Physical entity name of fan. Component Type Component type of fan. Index Index of fan. Field Replaceable Unit FRU of fan. Alias Name Alias name of fan. Operational Status Operational status of fan. Manufacturer Name Name of manufacturer of fan. Slot Configuration Slot configuration of fan. Flash Module Index Module index of flash.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-25 Chapter 11 Administering Change Audit and Software Management Setting Change Report Filters

Table 11-2 Inventory Change Filters (continued)

Report Inventory Group Custom Report Group/Attribute Description Flash Device Removable Indicates whether the flash device removable. Jumper Jumper of the flash device. Controller Flash device controller. Chip Count Flash device chip count. Size (MB) Total flash device size in MB. Partition Count Partition count of flash device. Maximum Partitions Maximum partitions in flash device. Minimum Partition Size (MB) Minimum partition size of flash device. Name Name of the flash device. Index Index of flash device. Description Description of flash device. Flash File Index Flash file index. Status Flash file status. Checksum Checksum of flash file. Size (MB) Size of flash file. Name Name of flash file. Flash Partition Algorithm Algorithm of the flash partition Filename Length Flash filename length. Erase Needed Whether an erase is needed. Upgrade Method Method of upgrade of flash partition. Status Status of flash partition. Free (MB) Free space in MB. Size (MB) Flash partition size in MB. Name Name of flash partition. Index Flash partition index.

Administration of Cisco Prime LAN Management Solution 4.2 11-26 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Setting Change Report Filters

Table 11-2 Inventory Change Filters (continued)

Report Inventory Group Custom Report Group/Attribute Description IP Address IP Address IP Address of the device. Index IP Address index. Address State IP Address state. Address Type Type of IP Address. Protocol of Address Protocol of IP Address. Max Re-assemble Size Maximum re-assemble size. Broadcast Address Broadcast address. Network Mask Network mask of IP Address. Image ROM Sys Version ROM system software version. ROM Version Version of ROM. System Boot Variable System Boot Variable System Image File System image file. Minimum Boot Flash (MB) Minimum Boot Flash in MB. Minimum NVRAM (MB) Minimum NVRAM in MB. Minimum DRAM (MB) Minimum DRAM in MB. Media Media of image. Feature Image feature Module Image module. Image Software image present on the device. Build Time Build time of image. Family Image family. System Description Image system description. Version Version of the software image on the device. Description Description of image. Processor Index Processor index of image. Interface MTU Maximum transmission unit. Maximum packet size, in bytes, that this interface can handle. Alias Interface alias. Last Changed Time of last change. Operational Status Operational status of interface. Admin Status Administrative status of interface. Speed (Mbps) Speed of interface in Mbps. Type Type of interface. Description Description of interface. Name Name of interface Physical Address Physical address of interface.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-27 Chapter 11 Administering Change Audit and Software Management Setting Change Report Filters

Table 11-2 Inventory Change Filters (continued)

Report Inventory Group Custom Report Group/Attribute Description Index Index of interface. Identifier Identifier of interface. FlexLink Enabled FlexLink status of the interface. SPAN Enabled Whether the interface is Span enabled Memory Processor Index Processor index. Total Memory (MB) Total memory in MB. Memory Pool Lowest Free Block (MB) Lowest free block of memory in MB. Largest Free Block (MB) Largest free block of memory in MB. Free (MB) Free memory in MB Used (MB) Used memory in MB. Validity Validity of memory pool. Alternate Pool Alternate memory pool. Name Name of the memory pool. Type Memory pool type.

Administration of Cisco Prime LAN Management Solution 4.2 11-28 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Setting Change Report Filters

Table 11-2 Inventory Change Filters (continued)

Report Inventory Group Custom Report Group/Attribute Description Module Parent Relative Position Parent Relative Position of module. Field Replaceable Unit FRU of module. Alias Name Alias name of module. Reset Reason Module reset reason. Admin Status Administrative status of module Additional Status Additional status of module Module IP Address IP Address of module Hardware Encryption Hardware encryption of module Slot Number Slot number of module Inline Power Capable Inline power capability of module Parent Type Module parent type. Multiservice Is this a multiservice module Parent Index Parent index of module Number of Slots Number of slots in module FW Version Firmware version of module SW Version Software version of module HW Version Module hardware version. Operational Status Operational status of module Manufacturer Name Name of manufacturer of module Physical Entity Name Physical entity name of module Slot Configuration Slot configuration of module Model Name Name of module. Vendor Type Vendor type of the module. Serial Number Serial number of module. Description Description of module Component Type Component type of module Index Index of module

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-29 Chapter 11 Administering Change Audit and Software Management Setting Change Report Filters

Table 11-2 Inventory Change Filters (continued)

Report Inventory Group Custom Report Group/Attribute Description Port Manufacturer Name Port manufacturer name. Slot Configuration Slot configuration of port. Port Model Name Model name of port. Port Vendor Type Port vendor type. Port Serial Number Serial number of port. Parent Relative Position Parent Relative Position of port. Description Description of port. Component Type Port component type. Physical Entity Name Physical Entity Name of port. Port Index Port index. Field Replaceable Unit FRU of port. Alias Name Alias name of port. Status Status of port Operational Status Operational Status of port POE Admin Status The POE Port Admin Status. POE Power Allocated The amount of power allocated from the Power Sourcing Equipment (PSE) for the Powered device. This is a POE device specific attribute. POE Maximum Power The maximum amount of power that the PSE makes available to the Powered device connected to the Port interface. This is a POE device specific attribute. Power Consumption (%) Power consumption percentage of the port. Power Consumption Power consumption of the port. Power Available Power available for a powered device connected to the port. Power Remaining Power remaining for a powered device connected to the port. Port Interface Number Port interface number.

Administration of Cisco Prime LAN Management Solution 4.2 11-30 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Setting Change Report Filters

Table 11-2 Inventory Change Filters (continued)

Report Inventory Group Custom Report Group/Attribute Description Power Supply Parent Relative Position Parent Relative Position of power supply. Physical Entity Name Physical Entity Name of power supply. Admin Status Administrative status of power supply. Operational Status Operational status of power supply. Manufacturer Name Manufacturer Name of power supply. Field Replaceable Unit FRU of power supply. Slot Configuration Slot configuration of power supply. Alias Name Alias name of power supply. Power Supply Model Name Model name of power supply. Power Supply Vendor Type Vendor type of power supply. Power Supply Serial Number Serial number of power supply. Description Description of power supply. Component Type Component type of power supply. Index Index of power supply.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-31 Chapter 11 Administering Change Audit and Software Management Setting Change Report Filters

Table 11-2 Inventory Change Filters (continued)

Report Inventory Group Custom Report Group/Attribute Description Processor Field Replaceable Unit Processor FRU. Alias Name Alias name of processor. Slot Number Slot number of processor. Parent Type Parent type of processor. Parent Index Parent index of processor. Reboot Config Register Value Reboot configuration register value. Config Register Value Configuration register value Physical Entity Name Name of physical entity. NVRAM Used (KB) Size of the processor NVRAM that has been utilized, in KB. NVRAM Size (KB) Size of the processor NVRAM in KB. RAM Size (MB) Size of processor RAM in MB. Operational Status Operational status of processor. Manufacturer Name Manufacturer name of processor. Slot Configuration Slot configuration of processor. Model Name Name of the processor model. Reset Reason Processor reset reason. Vendor Type Processor vendor type. Admin Status Administrative status of processor. Serial Number Serial number of processor. Additional Status Additional status of processor. Description Description of processor. Module IP Address Module IP Address of processor. Component Type Component type of processor. Hardware Encryption Hardware encryption. Index Index of processor. Inline Power Capable Inline power capability of processor. Multiservice Multiservice. Number of Slots Number of slots in processor. FW Version Firmware version of processor. SW Version Software version of processor. HW Version Hardware version of processor. Parent Relative Position Parent Relative Position of processor.

Administration of Cisco Prime LAN Management Solution 4.2 11-32 OL-25947-01 Chapter 11 Administering Change Audit and Software Management Setting Change Report Filters

Table 11-2 Inventory Change Filters (continued)

Report Inventory Group Custom Report Group/Attribute Description Sensor Parent Relative Position Parent Relative Position of sensor. Physical Entity Name Name of physical entity of sensor. Operational Status Operational status of sensor Manufacturer Name Manufacturer name of sensor Field Replaceable Unit FRU of sensor Alias Name Alias name of sensor Slot Configuration Slot configuration of sensor Sensor Model Name Model name of sensor Sensor Vendor Type Vendor type of sensor Sensor Serial Number Serial number of sensor Description Description of sensor Component Type Component type of sensor Index Index of sensor Slot Serial Number Serial number of slot. Description Description of slot. Component Type Component type of slot. Index Index of slot. Parent Relative Position Parent Relative Position of slot. Physical Entity Name Physical Entity Name of slot. Operational Status Operational Status of slot. Manufacturer Name Name of manufacturer of slot. Field Replaceable Unit FRU of slot. Slot Configuration Configuration of slot. Alias Name Alias name of slot. Model Name Model name of slot. Vendor Type Vendor type of slot. Stack Field Replaceable Unit FRU of stack. Operational Status Operational status of stack. Alias Name Alias name of stack Manufacturer Name Manufacturer name of stack Slot Configuration Slot configuration of stack Stack Model Name Model name of stack Stack Vendor Type Vendor type of stack Stack Serial Number Serial number of stack Description Description of stack Parent Relative Position Parent Relative Position of stack

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 11-33 Chapter 11 Administering Change Audit and Software Management Setting Change Report Filters

Table 11-2 Inventory Change Filters (continued)

Report Inventory Group Custom Report Group/Attribute Description Component Type Stack component type. Index Index of stack. Physical Entity Name Physical Entity Name of stack. Sys Application Index Index of system application Software Serial Number Software serial number of system application. Software Version Software version of system application Software Product Name Name of software product. Software Manufacturer Software manufacturer of system application System SysUpTime System Up Time. Host Name Host name of the system Management Type Management type of system. Modular Modularity of system. OSI Layer Services OSI layer services of system. System Name System name. System Object ID System Object ID of the device. Last Updated At Date and time of last system update. Location System location. Contact System contact. Domain Name Domain name of the system. Description Description of the system.

Administration of Cisco Prime LAN Management Solution 4.2 11-34 OL-25947-01

CHAPTER 12

Managing Jobs

In LMS, there is a Job Browser which enables you to view the status of all the LMS admin-related Jobs. LMS applications, such as NetConfig, Config Editor, Archive Management, and Software Management allow you to schedule jobs to perform their tasks. Job Approval allows you to require that one of a group of users designated as job Approvers approves each job before it can run. This section contains the following: • Using Job Browser • Configuring Default Job Policies • Configuring NetShow Job Policies • Enabling Approval and Approving Jobs Using Job Approval • Job Approval Workflow • Using Device Selector

Using Job Browser

In LMS 4.0, there is a Job Browser which enables you to view the status of all the LMS admin-related Jobs. The job details that you can view here include the job ID, the job type, the job status, the job description, the job owner, the time the job is scheduled to run at, the time of job completion, and the schedule type. To open the job browser, select Admin > Jobs > Browser. The Job Browser appears.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-1 Chapter 12 Managing Jobs Using Job Browser

Table 12-1 displays the fields in the LMS Job Browser.

Table 12-1 LMS Job Browser

Column Description Job ID Unique number assigned to this task at creation time. This number is never reused. There are two formats: • Job ID: Identifies the task. This does not maintain a history. For Example:1001 • JobID.Instance ID: Here, in addition to the task, the instance of the task can also be identified. For example: 1001.1, 1001.2 Type Type of job. The jobs include User Tracking jobs, LMS reports, Inventory Collection, Identity provisioning, Identity monitoring and so on. Run Status Job states include: • Running • Waiting for approval • Scheduled (pending) • Succeeded • Succeeded with Info • Failed • Crashed • Cancelled • Suspended • Rejected • Missed Start • Failed at Start Select a job state from the Run Status drop-down list box to view the details of the all jobs that match the job state. If there are no jobs with any of these job states, the Run Status drop-down list box will not display the respective job state. Sched Type Frequency of the job. This can be: • Once • Immediate • Periodic (calendar/time based). Description Description of the job. Run Sched Schedule details of the job.

Administration of Cisco Prime LAN Management Solution 4.2 12-2 OL-25947-01 Chapter 12 Managing Jobs Using Job Browser

Table 12-1 LMS Job Browser (continued)

Column Description Status Provides the status of the current jobs. The status of the current jobs is displayed as succeeded or failed. It also displays the failure reasons. Owner Username of the job creator. Scheduled At Date and time at which the job was scheduled. Completed At Date and time at which the job was completed.

Filtering Jobs You can filter the jobs by any specified criteria using the Filter by drop-down list. Select your criteria, enter the corresponding value in the text box next to the drop-down list and click Filter. The jobs pertaining to that category are displayed.

Column Description All Displays all jobs in Job Browser. This is the default filter type. Job ID Unique ID of the job. For example, 1007.0. Job IDs have N.x format, where x stands for the number of instances of that job. For example, 1007.4 indicates that the Job ID is 1007 and it is the fifth instance of that job. You should enter a valid Job ID as filter value. You can also: • Enter multiple Job IDs separated by commas • Include the wildcard character * (asterisk) in the Job ID value • Enter a range of Job IDs Examples of valid Job IDs are: • 1002 • 1010.5 • 1004,1008.8, 1004 • 1007* • 1001-1010 • 1019.20-1019.100 Type Type of job. The jobs include User Tracking jobs, LMS reports, Inventory Collection, Identity provisioning, Identity monitoring and so on. Filters and displays all jobs that match a job type value in Job Browser. You must select a job type from the list of available types.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-3 Chapter 12 Managing Jobs Using Job Browser

Column Description Run Status Job states include: • Running • Waiting for approval • Scheduled (pending) • Succeeded • Succeeded with Info • Failed • Crashed • Cancelled • Suspended • Rejected • Missed Start • Failed at Start Select a job state from the Run Status drop-down list box to view the details of the all jobs that match the job state. If there are no jobs with any of these job states, the Run Status drop-down list box will not display the respective job state. Sched Type Frequency of the job. This can be: • Once • Immediate • Periodic (calendar/time based). Description Description of the job. Filters and displays all jobs with a specified description. You cannot leave the description field blank when you select this filter type. Owner Username of the job creator. Filters and displays all jobs that are scheduled by a user. You can select a user from the drop-down list of users as a filter value.

Click the Refresh icon to refresh the job browser. Use the Stop and Delete buttons to stop or delete jobs: • Stop button—Stops or cancels a running job. You will be prompted to confirm the cancellation of the job. However, the job is stopped only after the devices currently being processed are successfully completed. This is to ensure that no device is left in an inconsistent state. • Delete button—Deletes the selected job from the job browser. You can select more than one job to delete. You will be asked to confirm the deletion.

Note You cannot delete a running job.

Administration of Cisco Prime LAN Management Solution 4.2 12-4 OL-25947-01 Chapter 12 Managing Jobs Configuring Default Job Policies

Configuring Default Job Policies

Each Configuration Management job has properties that define how the job will run. You can configure a default policy for these properties that applies to all future jobs. You can also specify for each property whether users can change the default when creating a job. You have the option of entering a username and password for running a specific Archive Management, Config Editor, NetConfig, or NetShow job. If you enter a username and password, Archive Management, Config Editor, or NetConfig applications use this username and password to connect to the device, instead of taking these credentials from the Device and Credential Repository. While the job is running, the password is retrieved from the Device and Credential Repository for each of the selected devices. For example, if the TACACS server is managing the devices, the passwords in the TACACS server and the passwords in the Device and Credential Repository should be synchronized (with every password change). This option of entering the username and password for running a job is useful in high security installations where device passwords are changed at frequent intervals. In such instances, the passwords may be changed every 60-90 seconds. To use this option of entering a username and password for running a specific job, you should enable the job password policy for Archive Management, Config Editor, NetConfig, or NetShow jobs. You can do this by using the Enable Job Password option in the Config Job Policies window. If you have enabled Enable Job Password option, you can enter these credentials while scheduling a job: • Login Username • Login Password • Enable Password This section also explains about Defining the Default Job Policies.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-5 Chapter 12 Managing Jobs Configuring Default Job Policies

Defining the Default Job Policies

The following is the workflow for defining the default job policies for Configuration Management applications like NetConfig, ArchiveMgmt, ConfigEditor, Netshow:

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

Step 1 Select Admin > Network > Configuration Job Settings > Config Job Policies. The Config Job Policies dialog box appears. Step 2 Select one application from the drop-down list. You can select one of the following options: • NetConfig • ArchiveMgmt • ConfigEditor • Netshow Step 3 Based on your selection, enter the following information:

Field Name Description Usage Notes Failure Policy Select what the job should do if it fails to run on the You can create rollback commands for a job in device. You can stop or continue the job, and roll the following ways: back configuration changes to the failed device or to • Using a system-defined template. all devices configured by the job. Rollback commands are created You can select one of the options: automatically by the template. • Stop on failure—Stops the job on failure. The Banner system-defined template does • Ignore failure and continue—Continues the job not support rollback. You cannot create on failure. rollback commands using this template. • Rollback device and stop—Rolls back the • Creating a user template. changes on the failed device and stops the job. Allows you to enter rollback commands into This is applicable only to NetConfig application. the template. • Rollback device and continue—Rolls back the When you use the Adhoc and Telnet changes on the failed device and continues the Password templates, you cannot create job. This is applicable only to NetConfig rollback commands. application. • Rollback job on failure—Rolls back the changes on all devices and stops the job. This is applicable only to NetConfig application. Note This field appears only if you select either Config Editor or NetConfig application.

Administration of Cisco Prime LAN Management Solution 4.2 12-6 OL-25947-01 Chapter 12 Managing Jobs Configuring Default Job Policies

Field Name Description Usage Notes E-mail Notification Enter e-mail addresses to which the job sends Notification is sent when the job is started and messages at the beginning and at the end of the job. completed. You can enter multiple e-mail addresses separated by Notification E-mails include a URL to enter to commas. display job details. If you are not logged in, do so using log in panel. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address. Sync Archive The job archives the running configuration before None. before Job making configuration changes. Execution Note This field appears if you select either Config Editor or NetConfig application. Copy Running The job writes the running configuration to the Does not apply to Catalyst OS devices. Config to Startup startup configuration on each device after configuration changes are made successfully. Note This appears if you select either Config Editor or NetConfig application. Enable Job The Job Password Policy is enabled for all the jobs. None. Password The Archive Management, Config Editor, and You can use this option even if you have NetConfig jobs use this username and password to configured only the Telnet password (without connect to the device, instead of taking these configuring username) on your device. credentials from the Device and Credential You must enter a string in the Login Username Repository. field. Do not leave the Login Username field These device credentials are entered while blank. scheduling a job. The Login Username string will be ignored while connecting to the device since the device is configured only for the Telnet password. See Usage Scenarios When Job Password is Configured on Devices. Fail on Mismatch The job is considered a failure when the most recent None. of Config Versions configuration version in the configuration archive is not identical to the most recent configuration version that was in the configuration archive when you created the job. Note This appears if you select either Config Editor or NetConfig application. Delete Config after The configuration file is deleted after the download. download Note This appears if you select Config Editor.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-7 Chapter 12 Managing Jobs Configuring Default Job Policies

Field Name Description Usage Notes Execution Policy Allows you to configure the job to run on multiple If you select sequential execution, you can select devices at the same time (Parallel execution) or in Device Order in the Job Schedule and Options sequence (Sequential Execution). dialog box to set the order of the device. 1. Select a device in the Set Device Order dialog box. 2. Either: • Click the Move Up or Move Down arrows to change its place in the order. Click Done to save the current order. Or • Close the dialog box without making any changes. You cannot alter the device sequence for Archive Management application jobs such as Sync Archive, Check Compliance and Deploy, etc. Sequential Execution is not supported for the following jobs: • Manual Sync Archive • Periodic Config Collection and Polling • cwcli config get User Configurable Select this check box next to any field to make You can configure a user-configurable policy corresponding policy user configurable. while defining job. You cannot modify non-user-configurable policies.

Step 4 Click Apply. A message appears, Policy values changed successfully. Step 5 Click OK.

Usage Scenarios When Job Password is Configured on Devices The following tables list the usage scenarios and their implications for Configuration application when job password is configured on devices. • Table 12-2When Device Access is Only Through Job Password and No Access is Available Through Regular Telnet/SSH and SNMP (Read or Write) • Table 12-3When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write) • Table 12-4When Devices are not Configured for Job Password and Access is Available Through Regular Telnet/SSH but no SNMP • Table 12-5When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is Available Only Through SNMP (Read or Write)

Administration of Cisco Prime LAN Management Solution 4.2 12-8 OL-25947-01 Chapter 12 Managing Jobs Configuring Default Job Policies

Table 12-2 When Device Access is Only Through Job Password and No Access is Available Through Regular Telnet/SSH and SNMP (Read or Write)

Scenario Archive Mgmt cwcli config NetConfig Config Editor Device is added into Fails Not applicable Not applicable Not applicable LMS Update archive request Fails Not applicable Not applicable Not applicable through user interface Update archive request Not applicable Fails Not applicable Not applicable through command line Config update when Fails Not applicable Not applicable Not applicable Syslog message is received Config update through Fails Not applicable Not applicable Not applicable periodic scheduled process Config update through Fails Not applicable Not applicable Not applicable SNMP poller based scheduled process Config upload/restore Not applicable Fails Not applicable Not applicable through cwcli config NetConfig Job Not applicable Fails Succeeds Not applicable Config Editor job Not applicable Not applicable Not applicable Succeeds

Table 12-3 When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write)

Scenario Archive Mgmt cwcli config NetConfig Config Editor Device is added into LMS Succeeds for Not applicable Not applicable Not applicable SNMP supported devices Update archive request through user Succeeds for Not applicable Not applicable Not applicable interface SNMP supported devices Update archive request through Succeeds for Succeeds for Not applicable Not applicable command line SNMP supported SNMP supported devices devices Config update when Syslog message is Succeeds for Not applicable Not applicable Not applicable received SNMP supported devices Config update through periodic Succeeds for Not applicable Not applicable Not applicable scheduled process SNMP supported devices

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-9 Chapter 12 Managing Jobs Configuring Default Job Policies

Table 12-3 When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write) (continued)

Scenario Archive Mgmt cwcli config NetConfig Config Editor Config update through SNMP poller Succeeds for Not applicable Not applicable Not applicable based scheduled process SNMP supported devices Config upload/restore through cwcli Not applicable Succeeds for Not applicable Not applicable config SNMP supported devices NetConfig Job Not applicable Fails Succeeds Not applicable Config Editor job Not applicable Not applicable Not applicable Succeeds

Table 12-4 When Devices are not Configured for Job Password and Access is Available Through Regular Telnet/SSH but no SNMP

Scenario Archive Mgmt cwcli config NetConfig Config Editor Device is added into LMS Succeeds Not applicable Not applicable Not applicable Update archive request through user Succeeds Not applicable Not applicable Not applicable interface Update archive request through Succeeds Succeeds Not applicable Not applicable command line Config update when Syslog message is Succeeds Not applicable Not applicable Not applicable received Config update through periodic Succeeds Not applicable Not applicable Not applicable scheduled process Config update through SNMP poller Succeeds Not applicable Not applicable Not applicable based scheduled process Config upload/restore through cwcli Succeeds Succeeds Not applicable Not applicable config NetConfig Job Not applicable Not applicable Succeeds Not applicable Config Editor job Not applicable Not applicable Not applicable Succeeds

Table 12-5 When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is Available Only Through SNMP (Read or Write)

Administration of Cisco Prime LAN Management Solution 4.2 12-10 OL-25947-01 Chapter 12 Managing Jobs Configuring NetShow Job Policies

Table 12-5 When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is Available Only Through SNMP (Read or Write) (continued)

Scenario Archive Mgmt cwcli config NetConfig Config Editor Config update when Syslog message is Succeeds for Not applicable Not applicable Not applicable received SNMP supported devices Config update through periodic Succeeds for Not applicable Not applicable Not applicable scheduled process SNMP supported devices Config update through SNMP poller Succeeds for Not applicable Not applicable Not applicable based scheduled process SNMP supported devices Config upload/restore through cwcli Succeeds for Succeeds for Not applicable Not applicable config SNMP supported SNMP supported devices devices NetConfig Job Not applicable Fails Fails Not applicable Config Editor job Not applicable Not applicable Not applicable Fails

Configuring NetShow Job Policies

Each NetShow job has properties that define how the job runs. You can configure a default policy for these properties that apply to all future jobs. For each job property you can specify whether users can change the default property when creating a job. NetShow supports the following Job Policies: • Defining Default Job Policies The default job policies that NetShow support are E-Mail Notification, Enable Job Password, and Execution Policy. • Purging Configuration Management Jobs The Job Purge option provides a centralized location for you to schedule purge operations. • Defining Protocol Order You can define the protocol order for NetShow through the Protocol Ordering option in the Config Management feature in LMS. This section also gives details on Masking Credentials

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-11 Chapter 12 Managing Jobs Configuring NetShow Job Policies

Defining Default Job Policies

NetShow supports E-Mail Notification, Enable Job Password, and Execution Policy.

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

To define these default Job Policies:

Step 1 Select Admin > Network > Configuration Job Settings > Config Job Policies. The Job Policy dialog box appears. Step 2 Select NetShow from the Application drop-down list: Step 3 Enter the following information in the Job Policy dialog box:

Field Name Description Usage Notes E-mail Notification Enter e-mail addresses to which the job sends messages at Notification is sent when job is started the beginning and at the end of the job. and completed. You can enter multiple e-mail addresses separated by Notification e-mails include a URL to commas. enter to display job details. If you are not logged in, log in using the login panel. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address. Enable Job The Job Password Policy is enabled for all the jobs. You can use this option even if you have configured only the Telnet password Password NetShow jobs use this username and password to connect to (without configuring username) on your the device, instead of taking these credentials from the device. Device and Credential Repository. You must enter a string in the Login These device credentials are entered while scheduling a job. Username field. Do not leave it blank. The Login Username string is ignored while connecting to the device since the device is configured only for the Telnet password. Execution Policy Allows you to configure the job to run on multiple devices at None. the same time (Parallel Execution) or in sequence (Sequential Execution).

Administration of Cisco Prime LAN Management Solution 4.2 12-12 OL-25947-01 Chapter 12 Managing Jobs Configuring NetShow Job Policies

Step 4 Click Apply. A message appears, Policy values changed successfully. Step 5 Click OK.

Purging Configuration Management Jobs

The Job Purge option provides a centralized location for you to schedule purge operations for certain Configuration Management jobs including NetShow jobs. Select Admin > Network > Purge Settings > Config Job Purge Settings to invoke the Job Purge option. The Job Purge window contains the following information:

Column Description Application Lists the application for which the purge is applicable. Status Whether a purge job is enabled or disabled. Policy This value is in days. Data older than the specified value, will be purged. You can change this value as required. This is a mandatory field. The default is 180 days. Job ID Unique ID assigned to the job by the system, when the purge job was created. This Job ID does not change even if you disable or enable or change the schedule of the purge job. For the Purge Now task, a Job ID is not assigned. Also, if a Job ID already exists for that application, this Job ID is not updated for the Purge Now tasks. That is, the job scheduled for purging is not affected by the Purge Now task. Scheduled At Date and time that the job was scheduled at. For example: Nov 17 2004 13:25:00. Schedule Type Specifies the type of schedule for the purge job: • Daily—Daily at the specified time. • Weekly—Weekly on the day of the week and at the specified time. • Monthly— Monthly on the day of the month and at the specified time. (A month comprises 30 days).

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-13 Chapter 12 Managing Jobs Configuring NetShow Job Policies

To purge Configuration Management Jobs:

Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears. You can perform the following tasks in the Job Purge window:

Button Description Schedule Schedule a job purging. Enable Enable a job for purging after you schedule it. Disable Disable the purge after enabling a job for purging. Purge Now Purge a job immediately.

Defining Protocol Order

You can define the protocol order for NetConfig, Archive Mgmt, Config Editor, and NetShow through the Protocol Ordering option in the Config Management feature in LMS.

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

To define the protocol order for NetShow:

Step 1 Select Admin > Collection Settings > Config > Config Transport Settings. The Transport Settings dialog box appears. Step 2 Select NetShow from the Application drop-down list: Step 3 Select a protocol from the Available Protocols pane and click Add. NetShow supports only Telnet and SSH. If you want to remove a protocol or change the protocol order, you can remove the protocol using the Remove button and then add it again. The protocols that you have selected appear in the Selected Protocol Order pane. Step 4 Click Apply. A message appears, New settings saved successfully. Step 5 Click OK. The protocol used for communicating with the device is based on the order in which the protocols are listed here.

Administration of Cisco Prime LAN Management Solution 4.2 12-14 OL-25947-01 Chapter 12 Managing Jobs Enabling Approval and Approving Jobs Using Job Approval

Masking Credentials

You can mask the credentials shown in the output of show commands. If you want to mask the credentials of a particular command, you must specify the command in the NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\config\netshow\NSCre dCmds.properties file. In this file you can specify all the commands whose output should be processed to mask the credentials. We recommend that you enter the complete command in the file. For example, you must enter show running-config, not show run. This file contains some default commands like show running-config.

Enabling Approval and Approving Jobs Using Job Approval

LMS applications, such as NetConfig, Config Editor, Archive Management, and Software Management allow you to schedule jobs to perform their tasks. Job Approval allows you to require that one of a group of users designated as job Approvers approves each job before it can run. See Job Approval Workflow for more information. Job Approval sends job requests through e-mail to users on a job’s Approver list. If none of the Approvers approve the job before its scheduled run time, or if an Approver rejects the job, the job is moved to the rejected state and will not run. When Job Approval is enabled, applications that use it, require you to schedule the job to run in the future, rather than immediately. Job approval cannot be enabled for jobs that run immediately. A user with the appropriate privileges uses a Cisco Prime application to schedule jobs. When you use Job Approval, different people can perform different tasks:

Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform job approval tasks.

Role Responsibilities System Administrator Creates and maintains the Approver lists Approver Approves/rejects a job, or changes the schedule for a job.

To select the log level settings for the Job Approval application, select Admin > System > Debug Settings > Config and Image Management Debugging settings. Job Approval is also referred to as Maker Checker in a few places within LMS. For example, in Loglevel Settings and Permission Report (Reports > System > Users > Permission) it is mentioned as Maker Checker.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-15 Chapter 12 Managing Jobs Job Approval Workflow

Job Approval Workflow

A typical job approval workflow may look like this: A system administrator does the following: 1. Specifies user/Approver information (see Specifying Approver Details.) 2. Creates one or more job Approver lists (see Creating and Editing Approver Lists). 3. Assigns Approver lists (see Assigning Approver Lists). 4. Sets up Job Approval (see Setting Up Job Approval). The planner analyzes the network and prompts the network engineer to schedule a job to perform a needed network change. The job creator uses a Cisco Prime application to create a job.The application must have an Approver list assigned to it before Job Approval is enabled. Also, it must be scheduled to run in the future (not immediately). All Approvers on the Approver list receive an automatic email notification. The job Approvers approve or reject the job (see Approving and Rejecting Jobs) and give their comments. The job creator and all Approvers on the Approver list receive an automatic e-mail notification. A job that is not approved or rejected before its scheduled time is automatically moved to the Rejected state. E-mail notification is sent to all Approvers and the user who scheduled the job. If the job is approved, it runs as scheduled.

Specifying Approver Details

Use the option, Approver Details, to maintain information about users with Approver roles.

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

To specify Approver details:

Step 1 Select Admin > Network > Configuration Job Settings > Approver Details. The Approver Details dialog box appears. Step 2 Click Synchronize with Local User Database. All the approvers in with valid E-mail IDs, will appear in theApprovers list. The E-mails of the approvers will be the same as that added in LMS. (You can create a valid Cisco Prime user using the Local User Setup option under Admin > System > User Management > Local User Setup). If you want to change the E-mail ID of any of the Approvers, select the Approver from the Approvers list, and change specifying the new e-mail ID in the E-mail Address field. You can add more than one e-mail, separated by commas

Administration of Cisco Prime LAN Management Solution 4.2 12-16 OL-25947-01 Chapter 12 Managing Jobs Job Approval Workflow

Step 3 Click Save to save your changes. All approvers, have to be manually added to LMS. To do this, enter the name of the Approver that you want to add in the New Approver field, enter a valid e-mail ID for that user in the E-mail Address field, and click Save. The Approver that you added, appears in the Approvers box.

Creating and Editing Approver Lists

You can use the option Create/Edit Approver Lists to create, edit, or delete Approver lists. Before you create an Approver list, ensure that users have been added, through the Approver Details option (see Specifying Approver Details).

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

To create and edit Approvers lists:

Step 1 Select Admin > Network > Configuration Job Settings > Create/Edit Approver Lists. The Create/Edit Approver List dialog box appears. Step 2 Go to the Approver List field and enter a name for an Approver list that you are creating. It can be an alphanumeric name. Step 3 Click Add. A message appears: List Listname has no users. To save the list successfully, add users and click Save. Step 4 Click OK to proceed. The newly-created list appears in the lists box. (If previously-created lists exist, you can highlight a list to see the List Members in the Users group of fields.) Step 5 Add users to the newly-created list, by highlighting the list. In the Users group of fields, the Available Users box lists users who have Approver permissions. Only these users can be added to Approver lists to approve jobs. • To add a user to the Approver List, select the name from the Available Users list box, and click Add. The name appears in the List Members list box. • To remove a user from the Approver list, select the name from the List Members list box, then click Remove. The name is removed from the List Members list box. Step 6 Click Save. The Approver Lists box displays the name of the new Approver list and the users on this list appear in the box below Approver Lists.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-17 Chapter 12 Managing Jobs Job Approval Workflow

To edit an Approver List: a. Select the list. The approvers of the list appear in the List Members list box. b. Add new approvers, or remove existing ones in using the Add and Remove buttons in the Users group of fields. To delete an Approver List: a. Select the list. b. Click Delete. A message appears: Are you sure you wish to delete? Approval will be disabled for applications to which the Listname is assigned! c. Click OK to delete the list.

Assigning Approver Lists

You can assign an Approver list to each of the LMS applications, from the available Approver lists.

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

To assign an Approver list:

Step 1 Select Admin > Network > Configuration Job Settings > Assign Approver Lists. The Assign Approver Lists dialog box appears. Step 2 Select the required Approver list from the drop-down list box for that application. Repeat this for each of the applications listed here. Step 3 Click Assign. The selected Approver lists are assigned to the applications.

Setting Up Job Approval

The Approval Policies dialog box allows you to set up Job Approval for all applications for which you can set up job approval. The applications are: • NetConfig • NetShow • Config Editor • Archive Management. See Using Job Approval for Archive Management for details. • Software Management. See Using Job Approval for Software Management for details

Administration of Cisco Prime LAN Management Solution 4.2 12-18 OL-25947-01 Chapter 12 Managing Jobs Job Approval Workflow

Prerequisite Make sure the approver list is assigned to the application, before you enable approval for the application.

Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task.

To set up Job Approval:

Step 1 Select Admin > Network > Configuration Job Settings > Approval Policies. The Approval Policies dialog box appears. You can enable or disable Job Approval for the following applications: • NetConfig • NetShow • Config Editor • Archive Management. • Software Management. Step 2 Set up Job Approval for the various applications that support job approval, by doing one of the following: • Select the Enable check box that corresponds to an application, to enable Job Approval. • Deselect the Enable check box that corresponds to an application, to disable Job Approval. • Select the All check box to enable Job Approval, for all applications to which it is applicable. • Deselect the All check box to disable Job Approval, for all applications to which it is applicable. Step 3 Click Apply to apply your changes. After you enable Job Approval, two additional fields appear in the job schedule wizard of the applications. These are: • Maker Comments—Job creator’s comments. • Maker E-mail—Job creator’s e-mail address.

Using Job Approval for Archive Management You can enable Job Approval for Archive Management tasks, (Admin > Network > Configuration Job Settings > Approval Policies). This means all jobs require approval before they can run. Only users with Approver permissions can approve Archive Management jobs. Jobs must be approved before they can run if Job Approval is enabled on the system. For more details on enabling job approval see Setting Up Job Approval. The following Archive Management tasks require approval if you have enabled Job Approval: Out-of-Sync (Configuration > Compliance > Out-of-Sync Summary) Sync Archive jobs do not have Job Approval enabled because this job only archives the configuration from the device and there is no change to the device configuration.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-19 Chapter 12 Managing Jobs Job Approval Workflow

If you have enabled Approval for Archive Management tasks, these options appear in the Job Schedule and Options dialog box: • Approval Comment—Approval comments for the job approver. • Maker E-Mail—E-mail-ID of the job creator.

Using Job Approval for Software Management You can enable Job Approval for Software Management tasks, (Admin > Network > Configuration Job Settings > Approval Policies) which means all jobs require approval before they can run. Only users with Approver permissions can approve Software Management jobs. Jobs must be approved before they can run if Job Approval is enabled on the system. The following Software Management tasks require approval if you have enabled Job Approval: • Adding images to Software Repository (Configuration > Tools > Software Image Management > Software Distribution) using: – Cisco.com – Device – URL – Network • Distribution software images (Configuration > Tools > Software Image Management > Software Distribution) using any one of these methods: – Distributing by Devices [Basic] – Distributing by Devices [Advanced] – Distributing by Images – Remote Staging and Distribution If you have enabled Approval for Software Management tasks, then in the Job Schedule and Options dialog box, you get these two options: • Maker Comments—Approval comments for the job approver. • Maker E-Mail—E-mail ID of the job creator.

Approving and Rejecting Jobs

Use the Approve or Reject Jobs option to approve or reject a job for which you are an Approver. The job will not run until you or another Approver approves it. If no Approver approves the job by its scheduled run time, or an Approver rejects it, the job is moved to the rejected state and will not run. For periodic jobs, only one instance of the job needs to be approved. If one instance is approved all other instances are considered approved, and vice-versa. When a job for which you are an Approver is created, you are notified by email. An Approver can edit the job schedule at the time of approving the job.

Administration of Cisco Prime LAN Management Solution 4.2 12-20 OL-25947-01 Chapter 12 Managing Jobs Job Approval Workflow

The e-mail displays these details:

Details Description Job ID ID of the job that has been put up for approval. Job Description Description of the job. Job Schedule Date and time for which the job has been scheduled. Server Name Name of the server. Server Time-zone: Time zone of the server. Maker Comments Comments for the Approver, entered by the job creator. URLS Two URLs to launch dialog boxes for: • Viewing job details. • Approving or rejecting jobs.

View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task. You need to be a user with an Approver role.

Note You will be able to select only those jobs for which you are a part of the Approver List. The other jobs, for which you are not a part of the Approver List, will be disabled.

To approve or reject jobs:

Step 1 Select Admin > Jobs > Approval. The Jobs Pending Approval dialog box appears with the following information about the scheduled jobs on the system:

Column Description Job ID Unique number assigned to the job when it is created. For periodic jobs such as Daily, Weekly, etc., the job IDs are in the number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that this is the third instance of the job ID 1001. Click the Job ID hyperlink to view the details of the job. Owner Job owner. Job Type Application that registered job. Scheduled to Run at When job is scheduled to run. Approver List Name of Approver list whose members can approve job. Description Job description, entered by job creator.

You can filter the pending jobs by any specified criteria using the Filter By drop-down list. Select your criteria and click Filter.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-21 Chapter 12 Managing Jobs Job Approval Workflow

Step 2 Either: • Select the job and click Approve to approve the job. The job is approved. Or • Select Next. The Job Details dialog box appears (For example, if the ID of the job awaiting approval is 1025, then the title of the dialog box appears as Job Details For Job 1025). You can view/ change the job details before approving or rejecting it. Fields in the Job Details box are:

Field Description Job ID ID of the job (display only). To see the detailed description of the job, click the View Job Details hyperlink. Schedule Options Run Type Select the frequency at which the job should be run: • Immediate—Runs the report immediately. • 6 - hourly—Runs the report every 6 hours, starting from the specified time. • 12 - hourly—Runs the report every 12 hours, starting from the specified time. • Once—Runs the report once at the specified date and time. • Daily—Runs daily at the specified time. • Weekly—Runs weekly on the day of the week and at the specified time. • Monthly—Runs monthly on the day of the month and at the specified time. The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. To change, select the required run type from the drop-down list.

Administration of Cisco Prime LAN Management Solution 4.2 12-22 OL-25947-01 Chapter 12 Managing Jobs Using Device Selector

Field Description Current Schedule Date Scheduled date and time of the job. Click Change Schedule to change the schedule of the job. You must click the Change Schedule button for the changed schedule to take effect. If you do not click this button, the changed schedule will not be set. Approver Comments Enter your comments. This field is mandatory only if you are rejecting a job.

Step 3 Click Approve. The job is approved. If you want to reject the job, enter comments in the Comments text box and then click Reject.

Using Device Selector

The Device Selector pane is used to select devices to perform LMS tasks. This pane lists all devices in a group. The devices are listed in the appropriate groups based on Device type groups and User-defined group rules. The devices name that you see in this pane is the Device Name that you have entered at the time of adding the devices in Device and Credential Repository. You can use the following search options to search for devices: • Using Simple Search • Using Advanced Search • Using the All Tab • Using the Search Results Tab • Using the Selection Tab

Note If you have configured Cisco Prime login mode to work under ACS mode, the devices listed for you while performing the tasks are based on your role and associated privileges that are defined in Cisco Secure ACS.

The Device Selector pane contains the following field/buttons:

Field/Button Description Search Input Enter the search expression in this field. You can enter single device names or multiple device names. If you are entering multiple device names, separate them with a comma. You can also enter the wildcard characters “*” amd "?". For example: 192.168.10.1*, 192.168.20.* Search Use this icon to perform a simple search of devices based on the search criteria you have specified in the Search Input text field. For information on Search, see Using Simple Search.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-23 Chapter 12 Managing Jobs Using Device Selector

Field/Button Description Advanced Search Use this icon to perform an advanced search of devices based on the search criteria you have specified in the Search Input text field. For information on Advanced Search, see Using Advanced Search. All Lists all User-defined and System-defined groups for all applications that are installed on LMS Server. For more information, see Using the All Tab. Search Results Displays all the search results from Search or Advanced Search. For more information, see Using the Search Results Tab. Selection Lists all the devices that you have selected in the Search Results or All tab. Using this tab, you can deselect devices from the list. For more information, see Using the Selection Tab.

Figure 12-1 shows the new device selector.

Figure 12-1 Device Selector

Tool-tips are provided for long device names so that you do not have to scroll to see the complete device name.

Using Simple Search

You can search for devices by entering the devices name in the Search Input field. The search is based on the Device Name that you view in the Device Selector pane. This Device Name is entered when you add devices to Device and Credential Repository.

Usage Notes The following are the usage notes for Simple Search:

Administration of Cisco Prime LAN Management Solution 4.2 12-24 OL-25947-01 Chapter 12 Managing Jobs Using Advanced Search

• You can enter multiple device names separated with a comma. You can also enter wildcard character, “*” or “?” for selecting multiple devices. For example: You can enter device names in these many ways to select multiple devices: – 192.168.80.140, 192.168.135.101, rtr805 – 192.168.80.*, 192.168.* – 192.168.22.? You cannot enter multiple wildcard characters for selecting the devices For example, 192.*.80.*. This is not allowed. • You must enter either the complete device name or enter the partial device name appended with wildcard character *. That is, – No devices are selected, if you enter only 192.168 in the Device Name text box. – You have to enter either 192.168* or 192.168.10.10. • The search is not case-sensitive. • The devices that are selected is a unique list. There are no duplicate entries of devices. For example: If you have these devices in All Devices and Normal devices nodes: 192.168.10.10, 192.168.10.20, 192.168.10.21, 192.168.10.30, and 192.168.10.31 then, a. Select the devices 192.168.10.20, 192.168.10.21, and 192.168.10.30 in the Normal devices node. b. Enter the search criteria 192.168.10.2* c. The final selected devices that is displayed is, 192.168.10.20, 192.168.10.21, and 192.168.10.30 in the Normal devices node and 192.168.10.20 and 192.168.10.21 in All Devices node. However, the selected devices count that is displayed in the Device Selector is only three and not five. • The All Devices node is expanded without selecting any devices, if the search criteria is not satisfied. The objects selected text displays 0 (zero) device selected.

Using Advanced Search

You can use the Advanced Search icon to specify a set of rules for advanced search. Advanced search is based on the Grouping Services attributes of Grouping Services Server. In the Advanced Search dialog box, you can create rules to search for devices.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-25 Chapter 12 Managing Jobs Using Advanced Search

Figure 12-2 shows the Advanced Search dialog box.

Figure 12-2 Device Selector Advanced Search

This dialog box contains the following fields and buttons (See Table 12-6):

Table 12-6 Advanced Search Dialog Box

Field/Buttons Description OR, AND, EXCLUDE Logical operators. • OR—Include objects that fulfill the requirements of either rule. • AND—Include only objects that fulfill the requirements of both rules. • EXCLUDE—Do not include these objects. This field appears only after a rule expression is added in the Rule Text box. Object Type Type of object (device) that is used to form a group. All rule expressions begin with the same Object Type, RME:INVENTORY:Device. Variable Device attributes, based on which you can define the group. See Advanced Search Rule Attribute. Operator Operator to be used in the rule. The list of possible operators changes based on the Variable selected. Value The value of the rule expression. The possible values depend upon the variable and operator selected. Depending on the operator selected, the value may be free-form text or a list of values. The wildcard characters are not supported. Add Rule Expression Used to add the rule expression to the group rules. Rule Text Displays the rule.

Administration of Cisco Prime LAN Management Solution 4.2 12-26 OL-25947-01 Chapter 12 Managing Jobs Using Advanced Search

Table 12-6 Advanced Search Dialog Box (continued)

Field/Buttons Description Check Syntax Verifies that the rule syntax is correct. Use this button if you have entered the rules manually. Search Used to search for devices based on the defined rule.

Usage Notes The following are the usage notes for Advanced Search: • If you have not selected any device nodes, then advanced search is applied only for All Devices node. • You can either enter the rules directly in the Rule Text field, or select the components of the rule from the Rule Expression fields, and form a rule. Each rule expression contains the following: object type.variable operator value Object Type—The type of object (device) that is used to form a group. All rule expressions begin with the same Object Type, RME:INVENTORY:Device. Variable—Device attributes, based on which you can define the group. See the Advanced Search Rule Attribute. Operator—Operator to be used in the rule. The list of possible operators changes based on the Variable selected. Value—Value of the rule expression. The possible values depend upon the variable and operator selected. Depending on the operator selected, the value may be free-form text or a list of values. • If you are entering the rule expressions manually, the rule expression must follow this syntax: object type.variable operator value • If you are entering more than one rule expression, you must enter logical operators OR, AND or EXCLUDE after every rule expression. You must use Check Syntax button only when you add a rule manually or when you modify a rule expressions in the Rule Text. • The advanced search operation is not case-sensitive. • To delete the rules in the Rule Text box, select the complete rule including the logical operator and press the Delete key on your keyboard. • If you want to perform a new search, click Clear All before selecting any new devices.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-27 Chapter 12 Managing Jobs Using Advanced Search

Advanced Search Rule Attribute Table 12-7 lists the available device advanced search rule attributes that you can use for defining advanced search.

Table 12-7 Advanced Search Rule Attribute

Attribute Group Attribute Type Description Asset Asset.CLE_Identifier CLE identifier of the asset. Asset.Part_Number Orderable part number of the asset. Asset.User_Defined_Identifier User-defined identifier of the asset Chassis Chassis.Model_Name Name of the model. Chassis.Number_Of_Slots Number of slots in that chassis. Chassis.Port_Count Total port count of the chassis. Chassis.Serial_Number Serial number of the chassis. Chassis.Vendor_Type Vendor type of the chassis. Chassis.Version Version number of the chassis. Flash Flash.File_Name Name of the flash file. Flash.File_Size Flash file size in MB. Flash.Model_Name Model name of the flash device. Flash.Partition_Free Free space in MB. Flash.Partition_Name Flash partition name. Flash.Partition_Size Flash partition size in MB. Flash.Size Total flash device size in MB. Image Image.ROM_Sys_Version ROM system software version Image.ROM_Version Version of ROM. Image.Sys_Description Image system description Image.Version Running image version. IP Address IP.Address Device IP address. IP.Address_Type Version of IP, IPv4 or IPv6 IP.Network_Mask Network Mask address Memory Memory.Free Free memory in MB. Memory.Name Name of the memory. Memory.Size Total RAM size in MB. Memory.Type Memory type. Memory.Used Used memory in MB. Module Module.HW_Version Module hardware version. Module.Model_Name Name of the model. Module.Port_Count Total ports on that module. Module.Serial_Number Serial number of the module. Module.Vendor_Type Vendor type for the module.

Administration of Cisco Prime LAN Management Solution 4.2 12-28 OL-25947-01 Chapter 12 Managing Jobs Using Advanced Search

Table 12-7 Advanced Search Rule Attribute (continued)

Attribute Group Attribute Type Description Processor Processor.Model_Name Name of the model. Processor.NVRAM_Size Size of the processor NVRAM in MB. Processor.NVRAM_Used Size of the processor NVRAM that has been utilized, in MB. Processor.Port_Count Total port count of the processor Processor.RAM_Size Size of the processor RAM in MB. Processor.Serial_Number Serial number of the processor. Processor.Vendor_Type Vendor type of the processor. State State Device state such as Normal, Alias, etc. System System.Contact Device contact person name. System.Description Description of the system. System.DomainName Device domain name. System.Location Device location information. System.SystemOID System Object ID of the device (sysObjectID).

Using Advanced Search—An Example The following example describes the procedure for selecting devices whose IP address starts with 192.168 or Network Mask is 255.255.255.0. Also, these devices are assumed to be in Normal state. The devices in your network are: • 192.168.101.200 with network mask 255.255.255.128 • 192.168.101.201 with network mask 255.255.255.0 • 192.168.102.251 with network mask 255.255.255.0 • 192.168.102.202 with network mask 255.255.255.19 • 192.168.200.210 with network mask 255.255.255.128 Use the following procedure for advanced search:

Step 1 Click the Advanced Search icon in the Device Selector pane. The Define Advanced Search Rule dialog box appears. Step 2 Select, a. State as Variable b. = as Operator c. Normal as Value Step 3 Click Add Rule Expression. The rule is added into the Rule Text.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-29 Chapter 12 Managing Jobs Using Advanced Search

Step 4 Select, a. And as Logical Operator b. IP.Address as Variable c. Contains as Operator d. Enter 192.168.101 for Value. Step 5 Click Add Rule Expression. The rule is added into the Rule Text. Step 6 Select, a. OR as Logical Operator b. IP.Network_Mask as Variable c. Equals as Operator d. Enter 255.255.255.0 for Value. Step 7 Click Add Rule Expression. The rule is added into the Rule Text. Step 8 Click Search. The Device Selection dialog box appears. The devices that satisfied the search condition are selected. That is these two devices are selected. • 192.168.101.200 with network mask 255.255.255.128 • 192.168.101.201 with network mask 255.255.255.0 • 192.168.102.251 with network mask 255.255.255.0

Using the All Tab

The All tab lists all the devices that are available in the LMS. The list is based on the Device Name that you entered in the Device Properties dialog box when you added devices to Device and Credential Repository.

List of Device Folders The following is the list of device folders under the All tab: • The All Devices folder lists all devices. That is, this includes devices in Normal, Alias, Pending, and Pre-deployed states. This folder does not include devices in Suspended and Conflicting states. • The Normal Devices folder lists devices that has been successfully contacted by LMS or the device has contacted LMS at least once (polling, successful job completion, Syslog receipt etc.). • The Pre-deployed folder lists Device has never ever been reachable by LMS (by protocol such as SNMP). • The Previous selection folder lists LMS devices that were selected in previous LMS task in the same session. • Saved device list folder lists devices that are saved explicitly by you while generating the Inventory Reports, View Credential Verification Report and Error Report.

Administration of Cisco Prime LAN Management Solution 4.2 12-30 OL-25947-01 Chapter 12 Managing Jobs Using Advanced Search

Only one Saved device list is created within the device selector. If concurrent users have created Saved device list, only the last created Saved device list appears in the Device Selector. The previous Saved device list is overwritten with the latest.

Note You can use the Previous selection and Saved device groups only when you are working on a application. You cannot use these device groups when you are working on another Cisco Prime application. That is, if you are working on the Campus Manager application, these groups must not be used.

• The User Defined Groups folder lists devices that satisfy the group rules. The group rules are defined by you at the time of creating the User-defined groups. • Based on the applications that are installed on your LMS Server, you will also view device folders related to other Cisco Prime applications: CiscoWorks_ApplicationName@CiscoWorks_ServerHostName For example: For Cisco Prime Common Services, you will see: CS@CiscoWorks_ServerHostName. In a stand-alone system, server name is not appended. For example, for Common Services, you will see CS. • Other application folders are displayed in LMS based on the settings. For more details, see Common Services Online Help. • In Device Selector, the other Cisco Prime application device folders will list only devices. For example: If you have devices, A, B, C and D in Cisco Prime Common Services and you have devices A, B, and C in LMS then in the Device Selector under Common Services device folder, you will view on device list, A, B, and C. • The device appears in a disabled (greyed out) state when: – Device type is Unknown in Device and Credential Repository. In all applications device is shown as disabled except in Inventory job creation and reports. – Device type is known and correct in Device and Credentials (that is, the SysObjectID is correct and is available in Device and Credentials). However, that device is not supported by applications. (Inventory, Software Management, and Configuration Management). There are two types of device selectors in LMS: • Single Device Selector • Multiple Device Selector

Single Device Selector In the single device selector, you can select a device only at the leaf-level (device-level). The radio buttons at the node-level (folder-level) are grayed out.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-31 Chapter 12 Managing Jobs Using Advanced Search

Multiple Device Selector In the multiple device selector, you can select devices at both the node-level and leaf-level. The following are the usage notes for the multiple device selector: • If you select devices at the node-level, all devices listed under this node are selected. For example, if you select the All Devices node, all devices under this node are selected. • If you expand a device node, you cannot select devices at the node-level. You need to select devices individually at the leaf-level. For example, if you expand the All Devices node, you cannot select devices at the All Devices node-level (the check-box is grayed out). You need to select devices individually under the All Devices node. • If you select devices at a node-level and expand that particular node, you can deselect the devices only at the leaf-level and not at the node-level. For example, if you select the Normal Devices node and expand the same, you can deselect the devices only at the leaf-level. You cannot deselect all the devices at the Normal Devices node-level (the check-box is grayed out), when it is expanded. However, you can use Clear All to deselect all the devices. • You can select multiple device nodes to perform the tasks. For example, you can select the Previous selection and the Saved device list nodes together to perform the tasks.

Using the Search Results Tab

The Search Results Tab lists all the results of Simple search or advanced search operations. It displays a flat list of devices and you can do a select all , clear all , or select a few devices from the list.

Using the Selection Tab

The Selection Tab serves as a repository of all the devices that you select from the Search Results tab or the All Tab. There are three ways to select devices in the Device Selector: • Selection Using All Tab • Selection Using Search • Selection Combining All and Search

Selection Using All Tab You can select devices using the tree view in the All tab. This tab displays all devices that are available in LMS.

Selection Using Search You can search devices using Search or Advanced Search. The list of devices matching the search criteria is shown under the Search Results tab. You can select the required devices from the Search Results tab. The Selection tab reflects whatever you selected from Search Results. If you click the All tab now, the devices selected from Search Results will be shown in the All Devices group.

Administration of Cisco Prime LAN Management Solution 4.2 12-32 OL-25947-01 Chapter 12 Managing Jobs Using Advanced Search

Selection Combining All and Search After you select devices using the All tab, you can add a few more devices using Search. You can enter the search criteria and search using Search or Advanced Search and the Search Results tab displays the devices matching the criteria. You can select the required devices from the Search Results tab. The Selection tab displays the accumulated list from both All and Search Results tabs. If you click the All tab, it displays the selected devices from Search Results under the All Devices group also. You can enter another search criteria and select more devices. The selected devices are accumulated in the All tab from the Selection tab, as you select more devices.

Note The (n) Devices Selected message at the bottom left of the Device Selector screen shows the number of devices you have selected. It launches the Selection tab when you click on it.

Editing Device Attributes

To edit the device attributes for a single device

Step 1 Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings. or Select Admin > Collection Settings > Config > Edit the Inventory, Config Timeout, and Retry settings. The Edit Devices dialog box appears. Step 2 Select the devices for which you want to edit the device attributes. See Using Device Selector for further information. Step 3 Click Edit Device Attributes. The Device Attributes dialog box appears. Step 4 Click Inline Edit. The Device Attributes Information dialog box appears. Step 5 Select a device from the Devices pane. Step 6 Edit the device attributes in the Device Information pane. You can check the Apply to all Devices checkbox to apply the device attributes of one device to all other devices that are listed in the Devices pane. Step 7 Click Modify in the Device Attributes Information dialog box. Step 8 Click Apply in the Device Attributes dialog box.

To edit the device attributes for the bulk of devices

Step 1 Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings. The Devices dialog box appears.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-33 Chapter 12 Managing Jobs Using Advanced Search

Step 2 Select the devices for which you want to edit the device attributes. See Using Device Selector for further information Step 3 Click Edit Device Attributes. The Device Attributes dialog box appears. Step 4 Click Export. The Export Device Attributes to File dialog box appears. a. Enter the folder name and the filename on the server. or – Browse to select a folder on the server. The Server Side File Browser dialog box appears. – Select a folder and enter the filename on the server. – Click OK in the Server Side File Browser dialog box. b. Click OK in the Export Device Attributes to File dialog box. The notification window displays Data exported successfully. c. Click OK in the notification window. Step 5 Edit the exported file. You can edit only the device attributes, Serial Number, SNMP Retry, SNMP Timeout, Telnet Timeout, and Natted IP Address. You cannot edit the Device Name (device_identity) and add new device entries. See Device Attributes Export File Format for more information. Step 6 Click Import in the Device Attributes dialog box. The Import Device Attributes to File dialog box appears. We recommend that you import the same file that you have exported after editing. If any new device entries are added, these device entries are ignored. Only device entries that match the existing device entries are imported. a. Enter the folder name and the filename on the server. or – Browse to select a folder on the server. The Server Side File Browser dialog box appears. – Select a folder and file on the server. – Click OK in the Server Side File Browser dialog box. b. Click OK in the Import Device Attributes to File dialog box. The notification window displays Data imported successfully. c. Click OK in the notification window. The Device Attributes window refreshes to display the updated device attributes. While importing the edited device attributes file an error message may appear, Attribute values for some selected devices are invalid. See Attribute Error Report for details. See Editing Device Attributes section to know the minimum and maximum values for the device attributes. Also see Attribute Error Report for more information. Step 7 Click Apply.

Administration of Cisco Prime LAN Management Solution 4.2 12-34 OL-25947-01 Chapter 12 Managing Jobs Using Advanced Search

The Devices window appears.

The device attributes are: • Device Name Name of the device. • Serial Number Cisco manufacturing serial number from chassis. You can enter alphanumeric characters up to 255. The default value is Default Not Defined. This attribute is available when you either export or edit the device attributes from the Devices window. • SNMP Retry Number of times that the system should try to access devices with SNMP options. The default value is 2. The minimum value is zero. • SNMP Timeout Duration of time that the system should wait for a device to respond before it tries to access it again. The default value is 2 seconds. The minimum value is zero seconds. There is no maximum value limit. Changing the SNMP timeout value affects inventory collection. • Telnet Timeout Duration of time that the system should wait for a device to respond before it tries to access it again. The default value is 36 seconds. The minimum value is zero seconds. There is no maximum value limit.

Note The Telnet timeout and SSh timeout are the same. Modifying the Telnet Timeout also changes the SSH Timeout.

• Natted IP Address The server ID. This is the translated address of server as seen from the network where the device resides. This is used when LMS tries to contact devices outside the NAT boundary, you need to enable support for NAT. The default value is Default Not Defined. • TFTP Timeout Duration of time that the system should wait for a device to respond before it tries to access it again. The default value is 5 seconds and the minimum value is 0 seconds. There is no maximum value limit. This attribute is available only when you edit the device attributes from the Device Attributes window. • Read Delay—Amount of time the system will sleep in between each read iteration. Read Delay sets the client to sleep for few milliseconds. During the delay time, the client accumulates the device content in buffer and keeps it ready to be read. The default read delay is 10 milliseconds. • Transport Timeout—Amount of time the socket will be blocked for read operation. The client waits for a response from the device after which it will get timed out. The default value is 45000 milliseconds.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-35 Chapter 12 Managing Jobs Using Advanced Search

• Login Timeout—Amount of time the system should wait for a client’s input after which the client gets disconnected from the device. The default value is 2000 milliseconds. • Tune Sleep—Amount of sleep time in milliseconds set before and after sending a new line to the device. The default value is 50 milliseconds. • Delay After Connect—Amount of waiting time in milliseconds after initial socket connection. It will wait for the set time before doing the next operation. The default value is 300 milliseconds. Do any one of the following to edit the device attributes: • Set the device attributes value for a single device using Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes > Inline Edit. See To edit the device attributes for a single device • Set the device attributes value for the bulk of devices using Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes > Export. See To edit the device attributes for the bulk of devices

Note View Permission Report to check if you have the required privileges to perform this task.

Attribute Error Report

The Attribute Error report is generated when the attribute values imported for some selected devices are invalid. This error occurs when the device attributes that are imported as a CSV file contain invalid attributes. You can click on the Attribute Error Report link that is displayed in the error message, to open the Attribute Error Report. You can also view the Attribute Error Report by clicking on the Attribute Error Report button from: Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes

Note The Attribute Error Report link is available only if importing of device attributes causes error.

Device Attributes Export File Format

The device attributes are exported in CSV 3.0 format. The exported file format is: ; This file is generated by DM Export utility Cisco Systems NM Data import, Source=DM Export; Type=DMCSV; Version=3.0

; ;Start of section 0 - DM Export ; ;HEADER: device_identity,serial_number,SNMPRetryCount,SNMPTimeout,TelnetTimeout,TFTPTimeout,Natt edIPAddress,ReadDelay,TransportTimeout,LoginTimeout,TuneSleep,DelayAfter Connect ; 192.168.8.4,Default Not Defined,2,2,36,5,Default Not Defined,10,45000,2000,50,300

Administration of Cisco Prime LAN Management Solution 4.2 12-36 OL-25947-01 Chapter 12 Managing Jobs Using Advanced Search

;End of CSV file Where, • device_identity—Device Name of the device as entered in Device and Credential Repository. • serial_number—Cisco manufacturing serial number from chassis. You can enter 0 to 255 alphanumeric characters. The default value is Default Not Defined. • SNMPRetryCount—Number of times, system should try to access devices with SNMP options. The default value is 2. The minimum value is zero. • SNMPTimeout—Duration of time the system should wait for a device to respond before it tries to access it again. The default value is 2 seconds. The minimum value is zero seconds. There is no maximum value limit. Changing the SNMP timeout value affects inventory collection. • TelnetTimeout—Duration of time the system should wait for a device to respond before it tries to access it again. The default value is 36 seconds. The minimum value is zero seconds. There is no maximum value limit. • Natted IP Address—server ID. This is the translated address of server as seen from the network where the device resides. This is used when LMS tries to contact devices outside the NAT boundary. The default value is not defined. • Read Delay—Amount of time the system will sleep in between each read iteration. The default read delay is 10 milliseconds. • Transport Timeout—Amount of time the socket will be blocked for read operation. The default value is 45000 milliseconds. • Login Timeout—Amount of time in milliseconds after which it will start reading the user prompt. The default value is 2000 milliseconds. • Tune Sleep—Amount of sleep time in milliseconds after sending tune command 3 to 4 times. The default value is 50 milliseconds. • Delay After Connect—Amount of waiting time in milliseconds after initial socket connection. It will wait for the set time before doing the next operation. The default value is 300 milliseconds.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-37 Chapter 12 Managing Jobs Using Advanced Search

Administration of Cisco Prime LAN Management Solution 4.2 12-38 OL-25947-01 Chapter 12 Managing Jobs Using Advanced Search

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-39 Chapter 12 Managing Jobs Using Advanced Search

Administration of Cisco Prime LAN Management Solution 4.2 12-40 OL-25947-01 Chapter 12 Managing Jobs Using Advanced Search

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 12-41 Chapter 12 Managing Jobs Using Advanced Search

Administration of Cisco Prime LAN Management Solution 4.2 12-42 OL-25947-01

CHAPTER 13

Working With Software Center

Software Center helps you to check for software and device support updates, download them to their server file system along with the related dependent packages, and install the device updates. Software Center allows you to look for software and device updates from Cisco.com, and download them to a server location. You can install the updates from this location. In the case of device updates, Software Center helps you to install the updates using a web based user interface, and command line interface, wherever possible. Most of the device family-based packages can be installed directly from the web interface while the device support packages such as IDU have to be installed based on the installation instructions in the respective Readme files. You may also uninstall a device support package. Software Center does not support installation and uninstallation of software updates. To backup what is installed on the server, Software Center maintains a package and device map in the installed packages directory of the respective applications. The package map is a list of all device packages installed on the server and device map is a list of all the supported devices on the server. Software Center also provides a Command Line Interface to download device updates and software updates, and install or uninstall device packages. This chapter explains the following: • Performing Software Updates • Performing Device Update • Scheduling Device Package Downloads • Point Patch Update • Using the Software Center CLI Utility

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 13-1 Chapter 13 Working With Software Center Performing Software Updates

Performing Software Updates

You can view a list of all Cisco Prime related bundles and products currently installed on your system using this option. For software updates the default site is Cisco.com. The Software Updates link under Software Center takes you to the Software Updates page. The Software Updates page has two dialog boxes: • Bundles Installed dialog box that lists the bundles installed. • Products Installed dialog box that lists the applications installed. These dialog boxes display the bundle or product name, the version, and the date on which the software was installed. To sort the table by version or date of installation, click on the Version / Installed Date link. You can click the product name links to view the Applications and Packages Installed with the Product page that gives the details of the installed applications, patches, and packages of the product. See You can navigate further down for each product to get a detailed list of all individual OS level packages installed on the system, along with the versions. The Software Updates page provides two options: • Select Software Updates • Download Software Updates This section contains the following: • Viewing the List of Installed Applications and Packages • Selecting Software Updates • Downloading Software Updates

Viewing the List of Installed Applications and Packages

You can view the information on all the applications, patches, and packages installed for a selected product. To do so:

Step 1 Select Admin > System > Software Center > Software Update. The Software Updates page appears. Step 2 Go to the Products Installed dialog box and click the link provided on a product. A new window displays the details of: • Patches Installed—Provides details about the patches installed on the product, the patch version and the date on which the patches were installed. • Application Installed—Provides details of the applications installed, the application version, and the date on which the applications were installed. • Packages Installed—Provides details about the packages installed on the product, the package version with patch level, and the date on which the packages were installed.

Administration of Cisco Prime LAN Management Solution 4.2 13-2 OL-25947-01 Chapter 13 Working With Software Center Performing Software Updates

Selecting Software Updates

You can select new software packages to update the applications or products.To select updates from Software Center:

Step 1 Select Admin > System > Software Center > Software Update. The Software Updates page appears. Step 2 Go to the Products Installed dialog box and select the check box corresponding to the product for which you want to select update. You can select multiple products by selecting the corresponding check boxes. Step 3 Click Select Updates. The Cisco.com and Proxy Server Credentials dialog box appears. Step 4 Enter your Cisco.com username and password to connect to Cisco.com, for software updates. If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server Setup, you must enter the Proxy server username and password. Step 5 Click Next. A list of available Software Updates for the selected product appears. Step 6 Select the Software Update you need to download and click Next. You can filter the required images based on Type, Package Name, Product Name, and Available Version With Patch Level. To filter the images, choose the filter source from the drop-down list and specify the filter pattern in the text box. For example, if you select the Filter Source as Package Name and Pattern as cmfSw001, all packages with name starting as cmfSw001 will be listed. Regular expressions are not supported for the patterns. Patterns are case sensitive. For example, if the list of available packages are CatGL3, Cat4000, Cat3560, Pix, cigesm, and CAT2900XL, then a filter pattern Cat will list the CatGL3, Cat4000 and Cat3560 packages: Step 7 Select a destination location or browse to the location and click Next. The destination location should not be the location where Cisco Prime is installed or any of the OS directories. Software Center does not support downloading device or software updates in the same directory where you have installed Cisco Prime LMS, or any of its sub-directories. By default, the destination location is: • /opt/psu_download (On Solaris/Soft Appliance) • System Drive:\psu_download (On Windows) The Download Summary window appears. Step 8 Click Finish to confirm download of the selected packages. If you do not want to add the selected packages, click Back to reselect packages or click Cancel to exit.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 13-3 Chapter 13 Working With Software Center Performing Device Update

Downloading Software Updates

Note The support for downloading LMS software and device packages from Admin > System > Software Center > Software Update is not currently available. You must manually download the LMS software and packages from the Software download page.

You can download the selected updates from Software Center. To download updates from Software Center:

Step 1 Select Admin > System > Software Center > Software Update. The Software Updates page appears. Step 2 Go to the Products Installed table and select the check box corresponding to the product for which you want to download the update. You can select multiple products by selecting the corresponding check boxes. Step 3 Click Download Updates. The Cisco.com and Proxy Server Credentials dialog box appears. Step 4 Enter your Cisco.com username and password. Both are mandatory. If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server Setup, you must enter Proxy server username and password. Step 5 Select a destination location or browse to the location and click Next. The destination location should not be the location where Cisco Prime is installed or any of the OS directories. Software Center does not support downloading device or software updates in the same directory where you have installed Cisco Prime LMS, or any of its sub- directories. By default, the destination location is: • /opt/psu_download (On Solaris/Soft Appliance) • System Drive:\psu_download (On Windows) Step 6 Click Finish to confirm the download operation. To return to the Software Update page, click Cancel.

Performing Device Update

You can view a list of all Cisco Prime related devices packages on your system using this option. It displays a count of devices supported for each product installed in the system. For device updates the source location could be Cisco.com or the Server Side Directory. The Device Updates link under Software Center takes you to the Device Updates page. The Device Update page lists the product name and the device type count. The default summary screen shows the number of devices supported for each product installed in the system. You can view a package map and a device map for each product installed.

Administration of Cisco Prime LAN Management Solution 4.2 13-4 OL-25947-01 Chapter 13 Working With Software Center Performing Device Update

You can also check for the device updates and delete the device packages using the Device Update page. This section contains the following: • Viewing Package Map • Viewing Device Map • Checking for Updates • Deleting Packages

Viewing Package Map

A package map is a snap shot of the currently installed device packages for a Product. The backup-restore framework uses Package map during data backup. To view a package map for an installed product, click the product name link. A popup window appears with the information on the packages installed. The package name, version, and description are displayed. You can filter the device packages based on Package Name and Version. To filter the packages, choose the filter source from the drop-down list and specify the filter pattern in the text box. For example, if you specify the Filter Source as Package Name and Pattern as Cat, all package names starting with Cat will be listed. A package name identifies the device package. For example, the package name AP350 represents Cisco Aironet 350 Device Package. You have to use package name while specifying the download policy, and while performing other Software Center operations where you have to specify the package name.

Viewing Device Map

To view a device map for an installed product, click the device type count link. A popup window appears with the information on the devices installed. The device map lists the sysObjectID, Device Name, Package Name, and Version. You can filter the packages based on sysObjectID, DeviceName, Package Name, and Version. To filter the packages, choose the filter source from the drop-down list and specify the filter pattern in the text box. For example, if you specify the Filter Source as sysObjectID and pattern as 1.3.6.1.4.1.9, details of all devices with SysobjectID starting with 1.3.6.1.4.1.9 will be listed.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 13-5 Chapter 13 Working With Software Center Performing Device Update

Checking for Updates

You can check for updates using this option. To check for the updates:

Step 1 Select Admin > System > Software Center > Device Update. The Device Updates page appears. Step 2 Select the check box corresponding to the product for which you want to check for updates and click Check for Updates. The Source Location page appears. You can check for updates at Cisco.com or a server. • To check for updates at Cisco.com, select the Cisco.com radio button. • To check for updates from a server, select the Enter Server Path radio button and enter the path or browse to the location using the Browse tab. Step 3 Click Next. The Cisco.com and Proxy Server Credentials dialog box appears, if you have selected to check for updates at Cisco.com. Step 4 Enter your Cisco.com username and password. If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server Setup, you must enter Proxy server username and password. Step 5 Click Next. The Available Packages and Installed Packages page appears. It displays: • Package Name: Name of the package. • Type: Type of the update. For example, whether the update is a device package or IDU package. • Product Name: Product for which the update is available. • Installed Version: Current version of that product installed in the server. • Available version: Version of the product that is available (Other than the installed version). • Readme Details: Links to the Readme files associated with the update. • Posted date: Date on which the update was posted on Cisco.com. • Size: Size of the update. Step 6 Select the check box corresponding to the package that you wish to update and click Next. The Device Update page appears. You can either install the device packages or download them. • To install device packages, select the Install Device Packages radio button. • To download device packages, select the Download Device Packages radio button.

Administration of Cisco Prime LAN Management Solution 4.2 13-6 OL-25947-01 Chapter 13 Working With Software Center Performing Device Update

If you select Download Device Packages: a. Enter the folder in File Selection field or click Browse to select the destination directory. By default, the destination location is: – /opt/psu_download (On Solaris/Soft Appliance) – System Drive:\psu_download (On Windows) b. Set the frequency of downloads, select the run type from the Run Type drop-down list. The options are: – Immediate – Once If you choose any of the options other than Immediate, set the date and time. – Select the date from the date picker. The date picker displays the date from the client system. – Specify the time from the drop-down lists. c. Enter a description for the download job in the Job Description field. This is mandatory. d. Enter an e-mail ID in the E-mail field. You can enter multiple e-mail addresses separated by comma. e. Click Next. The Summary window displays the details. f. Click Finish to confirm. If you select Install Device Packages: a. Click Next. The Summary window displays the details. b. Click Finish to confirm. A message that the daemons are restarted, appears. Step 7 Click OK to continue.

Deleting Packages

You can also delete packages that are outdated or you no longer use. To delete a package:

Step 1 Select Admin > System > Software Center > Device Update. The Device Update page appears. Step 2 Select the check box corresponding to the product and click Delete Packages. The wizard displays a window that has the Package name, the Product name, and the Installed version details. Step 3 Select the check box corresponding to the Package you want to delete.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 13-7 Chapter 13 Working With Software Center Scheduling Device Package Downloads

You can filter the available device packages based on Package Name, Product Name, Installed Version. To filter the packages, choose the filter source from the drop-down list and specify the filter pattern in the text box. For example, If you select the Filter Source as Package Name and Pattern as cmfSw001, all packages with name starting as cmfSw001 will be listed. Regular expressions are not supported for the patterns. Patterns are case sensitive. For example, if the list of available packages are CatGL3, Cat4000, Cat3560, Pix, cigesm, and CAT2900XL, then a filter pattern Cat will list the CatGL3, Cat4000 and Cat3560 packages: Step 4 Click Next. The Summary window appears with the details of the Product and the Packages selected. Step 5 Click Finish to confirm deletion. • To make changes in the previous windows, click Back. • To cancel the operation, click Cancel. After you have confirmed the Delete Packages operation, a message that the daemons are restarted appears. Step 6 Click OK to continue.

Scheduling Device Package Downloads

You can schedule device package downloads and specify the time, frequency of the downloads. You can also specify download policies. Software Center supports the following download policies: • Download all latest device packages of products installed in the machine. • Download newer versions of currently installed packages. • Download the specified packages (comma separated). You have to provide your Cisco.com credentials and the location to which the packages should be downloaded. To schedule device package downloads:

Step 1 Select Admin > System > Software Center > Schedule Device Downloads. The Schedule Device Downloads dialog box appears. Step 2 Enter your Cisco.com username and password. Enter the Proxy server username and password only if you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server Setup. Step 3 Enter the destination location, or browse to the location using the Browse tab. By default, the destination location is: • /opt/psu_download (On Solaris/Soft Appliance) • System Drive:\psu_download (On Windows)

Administration of Cisco Prime LAN Management Solution 4.2 13-8 OL-25947-01 Chapter 13 Working With Software Center Scheduled Job

Step 4 Specify the download policy you require: • Download the latest versions of all packages • Download only the latest versions of currently installed packages • Download specified packages

Note You must enter the device package name without any filename extension. The package name is case-sensitive.

Step 5 Select the run type from the Run Type drop-down list, to set the frequency of downloads. Step 6 Select the date from the drop-down calendar, and specify the time using the drop-down lists. The calendar displays the date from the client system. Step 7 Enter a description for the download job in the Job Description field. This is mandatory. Step 8 Enter an e-mail ID in the E-mail field. You can enter multiple e-mail addresses separated by comma. Step 9 Click Apply to apply the changes. Or Click Cancel to exit without saving changes.

Note You can schedule only one download at a time.

You can view the scheduled job status and details from the Job Browser window (Admin > Jobs > Browser).

Scheduled Job

The Scheduled Job Details page displays the activities that are performed using Software Center. The Scheduled Job table records and displays the downloads to the server. You can view the log from the server or any client workstation. To view Scheduled Job Details: Select Admin > System > Software Center > Scheduled Job Details. The Scheduled Job Details page appears with the following information: • Job—Job ID of the job that is scheduled by Cisco Prime user. • Date—Time and the date on which the job was run. • Applicable Products—Products to which the download is applicable.

You can delete the information on a job from the list. To delete a job information, select a job from the list, and click Delete. The job information is deleted only from this page. However, this remains in the Job Browser page.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 13-9 Chapter 13 Working With Software Center Event Log

Event Log

The Event log page displays the activities that are performed using Software Center. The Event Log table shows the list of immediate downloads, installations and un-installations of device packages carried out. You can view the log from the server or any client workstation. To view the Event Log: Select Admin > System > Software Center > Event Log. The Event Log page appears with the following information: • Product Name—Name of the product. • Description—Summary of the activity. • Date—Date and time when the operations were carried out. • Event Type—Shows one of the following: – Device Package Downloads – Software Download – Install Device Packages / Uninstall Device Packages • Status—Status of the event (Completed Successfully, Failed or Executed). Click on the Status link to get more details on the operation. You can delete either all the event logs or specific event logs from the list. Select the log entries and click Delete to delete the selected entries.

Point Patch Update

The Point patch update allows you to download and install the point patches released after LMS 4.2. To download the Point patches:

Step 1 Select Admin > System > Software Center > Point Patch Update. The Point Patch Update page appears. Step 2 Enter your Cisco.com username and password. Enter the Proxy server username and password only if you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server Setup.

Note The Download option in the Point Patch Update page will be enabled only after entering the Cisco.com username and password.

Step 3 Enter the download location, or browse to the location using the Browse tab. By default, the download location is: • /opt/psu_download (On Solaris/Soft Appliance) • System Drive:\psu_download (On Windows) Step 4 Select Download Patches radio button. or

Administration of Cisco Prime LAN Management Solution 4.2 13-10 OL-25947-01 Chapter 13 Working With Software Center Using the Software Center CLI Utility

Select View the list of available point patches to download radio button. A point patch list containing the defect ID, point patch revision number and patch description is displayed. Step 5 Click Download to download all the latest point patch versions that are not installed in your system.

Related Topics • Downloading Point Patch Updates • Installing Point Patch Updates

Using the Software Center CLI Utility

LMS provides a command line utility that supports most of the Software Center features. The utility is available at NMSROOT/bin/, as: • PSUCli.bat (on Windows) • PSUCli.sh (on Solaris/Soft Appliance) The utility helps you do the following: • Download Software Updates. • Download Device Package Updates. • Download Point Patch Updates. • Install Device Packages. • Uninstall Device Packages. • Query Updates on the LMS Server. • List Dependent Device Packages. • List Device Packages Version. To install new device packages from Cisco.com, you have to first download the packages from Cisco.com, save them to a directory in your computer, and then install them, specifying the directory. To get help on command usage, enter: • NMSROOT\bin\PSUCli.bat -h (On Windows) • NMSROOT/bin/PSUCli.sh -h (On Solaris/Soft Appliance) This lists the commands, options, and valid product names. This section explains the following: • Querying Updates on the LMS Server • Installing Device Packages • Uninstalling Device Packages • Downloading Software Updates • Downloading Device Updates • Downloading Point Patch Updates • Installing Point Patch Updates • Listing Dependent Device Packages

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 13-11 Chapter 13 Working With Software Center Using the Software Center CLI Utility

• Listing Device Packages Version

Querying Updates on the LMS Server

To get a list of installed packages, enter: NMSROOT\bin\PSUCli.bat -p product -query [-src dir] {-all |PackageNames} (On Windows) NMSROOT/bin/PSUCli.sh -p product -query [-src dir] {-all |PackageNames} (On Solaris/Soft Appliance) You have to use either the -all option or specify the package names. • -p product —Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with the -h option lists the valid product names. • -query (-q) —Lists the packages (default source location is installed repository of the product). • -all—Selects all packages available at the source location. • -src dir—Source location of the packages • PackageNames—Names of the device packages, for example Cat5000, Cat6000, AS5850

Note You must enter the device package name without any filename extension. The package name is case-sensitive.

Example NMSROOT\bin\PSUCli.bat -p rme -q -all This lists all the installed packages for LMS in the installed repository for LMS. To list all packages in the specified directory for LMS, enter: NMSROOT\bin\PSUCli.bat -p rme -src dir -q

Installing Device Packages

To install device packages from the directory you specify, enter: NMSROOT\bin\PSUCli.bat -p product -install -src dir {-all | PackageNames}[-noprompt] (On Windows) NMSROOT/bin/PSUCli.sh -p product -install -src dir {-all |PackageNames} [-noprompt] (On Solaris/Soft Appliance) You have use either the -all option or specify the package names. • -p product —Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with the -h option lists the valid product names. • -install (-i)—Installs packages (from user specified directory). • -all—Selects all packages available at the source location. • -src dir—Source location of the packages • PackageNames—Names of the device packages, for example Cat5000, Cat6000, AS5850

Administration of Cisco Prime LAN Management Solution 4.2 13-12 OL-25947-01 Chapter 13 Working With Software Center Using the Software Center CLI Utility

Note You must enter the device package name without any filename extension. The package name is case-sensitive.

• -noprompt—Flag to turn off the prompt that appears to restart the daemon services during device packages installation

Example NMSROOT\bin\PSUCli.bat -p rme -i -src dir Cat6000 Cat4000 This installs the specified packages (Cat6000, Cat4000) for LMS, from the specified directory.

Uninstalling Device Packages

To uninstall device packages, enter: NMSROOT\bin\PSUCli.bat -p product -uninstall {-all |PackageNames} [-noprompt] (On Windows) NMSROOT/bin/PSUCli.sh -p product -uninstall {-all |PackageNames} [-noprompt](On Solaris/Soft Appliance) You have use either the -all option or specify the package names. • -p product —Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with -h option lists the valid product names. • -uninstall (-u) —Uninstalls packages (from user specified directory). • -all—Selects all packages available at the source location. • PackageNames—Names of the device packages, for example Cat5000, Cat6000, AS5850

Note You must enter the device package name without any filename extension. The package name is case-sensitive.

• -noprompt—Flag to turn off the prompt that appears to restart the daemon services during device packages installation

Example NMSROOT\bin\PSUCli.bat -p rme -u -all This uninstalls all packages of LMS, from the installed repository.

Downloading Software Updates

To download the Software Updates, enter: NMSROOT\bin\PSUCli.bat -p product -software -dst download directory {-all |PackageNames} (On Windows) NMSROOT/bin/PSUCli.sh -p product -software -dst download directory {-all |PackageNames} (On Solaris/Soft Appliance)

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 13-13 Chapter 13 Working With Software Center Using the Software Center CLI Utility

• -p product—Specify the Product for which you want to download the Software Update. Invoking CLI with -h option lists the valid product names. • -software (-s) —Download Software packages for the specified product or products. • -dst download directory—Specify the directory to which you want to download the Software Update. Do not specify the same directory where you have installed Cisco Prime LMS, or any of the sub directories in it. • -all—Selects all the available software updates on Cisco.com for download. • PackageNames—Names of the software update package available on Cisco.com, for example, cwcs3_0_4_win, cwcs3_0_6_sol_k9.

Note You must enter the software update package name without any extension. The package name is case-sensitive.

You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy settings, you will be prompted for Proxy Server User credentials. The destination location should not be the location where Cisco Prime is installed or any one of the OS directories. Software Center does not support downloading device or software updates in the same directory where you have installed Cisco Prime LMS, or any of its sub- directories.

Downloading Device Updates

To download the Device Updates, enter: NMSROOT\bin\PSUCli.bat -p product -download -dst download directory {-all |PackageNames} (On Windows). NMSROOT/bin/PSUCli.sh -p product -download -dst download directory {-all |PackageNames} (On Solaris/Soft Appliance). • -p product—Specify the Product for which you want to download the Device Update. Invoking CLI with -h option lists the valid product names. • -download (-d)—Download Device packages for the specified product or products. • -dst download directory—Specify the directory to which you want to download the Device Update. Do not specify the same directory where you have installed Cisco Prime LMS, or any of the sub directories in it. • -all—Selects all available device packages for download from Cisco.com. • PackageNames—Names of the device packages, for example Cat5000, Cat6000, AS5850.

Note You must enter the device package name without any filename extension. The package name is case-sensitive.

You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy settings, you will be prompted for Proxy Server User credentials.

Administration of Cisco Prime LAN Management Solution 4.2 13-14 OL-25947-01 Chapter 13 Working With Software Center Using the Software Center CLI Utility

The destination location should not be the location where Cisco Prime is installed or any of the OS directories. Software Center does not support downloading device or software updates in the same directory where you have installed Cisco Prime LMS, or any of its sub- directories.

Downloading Point Patch Updates

To download the Point Patch Updates, enter: NMSROOT\bin\PSUCli.bat -p product -pointpatch -dst download directory {-all |PointpatchName} (On Windows). NMSROOT/bin/PSUCli.sh -p product -pointpatch -dst download directory {-all | PointpatchName} (On Solaris/Soft Appliance). • -p product—Specify the Product for which you want to download the Point Patch Update. Invoking CLI with -h option lists the valid product names. • -pointpatch (-pp)—Download Point Patch for the specified products. • -dst download directory—Specify the directory to which you want to download the Point Patch Update

Note The directory name should not contatin spaces.

• -all—Select all available device packages for download from Cisco.com. • PointpatchName—Name of the point patch updates, for example CSCto49627, CSCtw65965.

Note You must enter the point patch update name without any filename extension and revision number. The point patch update name is case-sensitive.

You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy settings, you will be prompted for Proxy Server User credentials. The destination location should not be the location where Cisco Prime is installed or any of the OS directories. Software Center does not support downloading device, point patch or software updates in the same directory where you have installed Cisco Prime LMS, or any of its sub-directories.

Installing Point Patch Updates

To install point patch updates using CLI on Windows and Solaris/Soft Appliance: On Windows, run: NMSROOT\bin\perl NMSROOT\bin\PatchInstall.pl On Solaris/Soft Appliance, run: /opt/CSCOpx/bin/perl /opt/CSCOpx/bin/PatchInstall.pl Source directory—The directory in which the point patches are available.

Note The source directory name should not contatin spaces.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 13-15 Chapter 13 Working With Software Center Using the Software Center CLI Utility

The downloaded point patch revisions that are not installed in your system are installed and an installation successful message is displayed.

Listing Dependent Device Packages

To list the dependent packages of one or more device packages, or all device packages, enter: NMSROOT\bin\PSUCli.bat -p product -pkgDependents -src dir {-all |PackageNames} (On Windows) NMSROOT/bin/PSUCli.sh -p product -pkgDependents -src dir {-all |PackageNames} (On Solaris/Soft Appliance) You have use either the -all option or specify the package names. • -p product —Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with -h option lists the valid product names. • -pkgDependents (-pdep)—List the base or dependent packages for the specified packages present in the source location. • -all—Selects all packages available at the source location. • PackageNames—Names of the device packages, for example Cat5000, Cat6000, AS5850

Note You must enter the device package name without any filename extension. The package name is case-sensitive.

Example NMSROOT\bin\PSUCli.bat -p rme -pdep Cat5000 This lists all dependent packages of LMS Cat5000 device package installed.

Administration of Cisco Prime LAN Management Solution 4.2 13-16 OL-25947-01 Chapter 13 Working With Software Center Using the Software Center CLI Utility

Listing Device Packages Version

To list the versions of one or more device packages, or all device packages, enter: NMSROOT\bin\PSUCli.bat -p product -pkgVersion -src dir {-all |PackageNames} (On Windows) NMSROOT/bin/PSUCli.sh -p product -pkgVersion -src dir {-all |PackageNames} (On Solaris/Soft Appliance) You have use either the -all option or specify the package names. • -p product —Product for which packages are to be downloaded. This must be short names of the products. Invoking the CLI utility with -h option lists the valid product names. • -pkgVersion (-pver)—List theversions of all or specified packages present in the source location. • -all—Selects all packages available at the source location. • PackageNames—Names of the device packages, for example Cat5000, Cat6000, AS5850

Note You must enter the device package name without any filename extension. The package name is case-sensitive.

Example NMSROOT\bin\PSUCli.bat -p rme -pver Cat5000 This lists the version of the LMS Cat5000 device package installed.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 13-17 Chapter 13 Working With Software Center Using the Software Center CLI Utility

Administration of Cisco Prime LAN Management Solution 4.2 13-18 OL-25947-01

CHAPTER 14

Discrepancies and Best Practices Deviations

The Discrepancies Reporting module of LMS allows you to view the discrepancies and best practices deviations in your network. This chapter contains the following: • Understanding Discrepancies and Best Practices Deviations • Interpreting Discrepancies • Interpreting Best Practices Deviations • Customizing Discrepancies Reporting and Syslog Generation

Understanding Discrepancies and Best Practices Deviations

LMS provides reports on discrepancies, such as network inconsistencies and anomalies or misconfiguration in the discovered network. This makes it easy to identify configuration errors such as link-speed mismatches on either end of a connection. Discrepancies are computed at the end of each data collection schedule. LMS also reports Best Practices Deviations. These are variations from the normal or recommended practices in a network. These do not have any serious impact on the functioning of the network. LMS allows you to: • View Reports on Discrepancies. Select Reports > Fault and Event > Best Practices > Discrepancies. • View Reports on Best Practices Deviations. Select Reports > Fault and Event > Best Practices > Deviation. • Acknowledge Discrepancies. • Acknowledge Best Practices Deviations. • Resolve Discrepancies and Best Practices Deviations. • Customize Discrepancies Reporting. For details, see Customizing Discrepancies Reporting and Syslog Generation.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-1 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Discrepancies

Fixing Discrepancies and Best Practices Deviations through LMS The following Discrepancies can be fixed through LMS: • Link Duplex Mismatch • Link Speed Mismatch • Link Trunk/NonTrunk Mismatch • Port Fast Enabled on Trunk Port The following Best Practices Deviations can be fixed through LMS: • BPDU Filter Disabled on Access Ports • BPDU-Guard Disabled on Access Ports • Loop Guard and Port Fast Enabled on Ports • UDLD Disabled on Link Ports • CDP Enabled on Access Ports • High Availability not Operational

Interpreting Discrepancies

This section contains information on each of the discrepancy reported in LMS. It describes the discrepancy, the impact it has on the network, and ways to resolve it. The user interface in LMS displays commands you can use to make configuration changes on devices to resolve discrepancies. This section contains: • Trunking Related Discrepancies • VLAN-VTP Related Discrepancies • Link Related Discrepancies • Port Related Discrepancy • Device Related Discrepancy • Spanning Tree Related Discrepancy

Trunking Related Discrepancies

The trunking related discrepancies that LMS reports are: • Trunk Negotiation Across VTP Boundary • Native VLANs Mismatch • Trunk VLANs Mismatch • Trunk VLAN Protocol Mismatch

Administration of Cisco Prime LAN Management Solution 4.2 14-2 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Discrepancies

Trunk Negotiation Across VTP Boundary

LMS reports a discrepancy when the trunk mode on any end of the trunk link is set to Auto or Desirable. Dynamic Trunking Protocol (DTP) cannot be used for trunk negotiation across VTP domain boundary. This occurs when trunk mode on both sides has any of the following combinations: • On/Auto • On/Desirable • Desirable/Auto • Desirable/Desirable • Off/Desirable

Impact Trunk negotiation across VTP boundary (that is, trunk link connecting two devices that are part of different VTP domains) fails.

Fix You cannot fix this discrepancy using LMS. To fix the discrepancy on switches using Cisco IOS:

Step 1 Make sure that the Trunk mode is ON, on both sides of the link. Step 2 Enter the following command: switchport trunk encapsulation dot1q | isl switchport mode trunk end Step 3 Enter the following command to check the status: show interfaces trunk Or show interface mod interface_id trunk

To fix the discrepancy on switches using Catalyst operating system:

Step 1 Make sure that the Trunk mode is ON, on both sides of the link. Step 2 .Enter the following command: set trunk mod/port on Dot1Q | ISL Step 3 Enter the following command to check the status: show trunk mod/port

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-3 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Discrepancies

Native VLANs Mismatch

LMS reports a discrepancy when the native VLANs of all ports in a trunk do not match. This mismatch occurs when you have created a trunk port to connect another switch, and both ends are in different native VLANs.

Note This discrepancy is applicable only for trunks that use 802.1q encapsulation.

Impact The native VLAN must match on both sides of the trunk link, otherwise the traffic flow across the link is affected. The trunk continues to remain operational.

Fix If you have altered the default native VLAN configuration, ensure that all trunks have the same native VLAN. Use the set vlan command for Cisco Catalyst operating system switches or the switchport trunk native vlan command for Cisco IOS switches to specify the native VLAN. You cannot fix this discrepancy through LMS.

Trunk VLANs Mismatch

LMS reports a discrepancy when the list of active or allowed VLANs between the two ends of a trunk do not match.

Impact The trunk remains operational but the network traffic across the link is affected.

Fix You can resolve this by modifying the list of allowed VLANs between the two ends of a trunk and ensuring that there is no mismatch. You cannot fix this discrepancy through LMS.

Trunk VLAN Protocol Mismatch

LMS reports a discrepancy when different trunk encapsulations are set on the two ends of a trunk. For example, when one end of a trunk is configured as ISL and the other as 802.1q, LMS reports a discrepancy. ISL and 802.1q are the different encapsulation types that you can configure in a trunk VLAN.

Impact The trunk remains operational when the trunk mode is set to On or No-negotiate with mismatching encapsulation types. However, the network traffic across the link is affected because of the mismatch.

Fix Configure the same encapsulation type on both ends of the trunk. You cannot fix this discrepancy through LMS.

Administration of Cisco Prime LAN Management Solution 4.2 14-4 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Discrepancies

VLAN-VTP Related Discrepancies

The VLAN-VTP related discrepancies that LMS reports are: • VTP Disconnected Domain • No VTP Server in Domain with at least One VTP Client

VTP Disconnected Domain

LMS reports a discrepancy if the devices that are part of the same VTP domain have different VTP configuration revision numbers. When a switch in the same VTP domain has a higher configuration revision number compared to the other switches, it could overwrite your server-configured switch with incorrect information.

Impact The VLAN information is not dynamically shared across the VTP domain.

Fix Ensure that you configure VTP Configuration Revision number consistently across devices of the same VTP domain. You cannot fix this discrepancy through LMS.

No VTP Server in Domain with at least One VTP Client

LMS reports a discrepancy when there is no VTP Server configured in a VTP domain. You can configure a switch to operate in any one of these VTP modes—Server, Client, Transparent, and Off. Primary and secondary servers are two types of servers that may exist on an instance in the VTPv3 domain. A VTP client cannot store VLAN information. When a VTP client boots, it needs to reacquire the entire configuration that is propagated by VTP. The primary server can initiate or change the VTP configuration. The main purpose of a VTP secondary server is to back up the configuration that is propagated over the network.

Impact LMS reports a discrepancy when an existing VTP server or primary server goes down and there is no alternative or backup server. This can occur in a VTPv2 or VTPv3 domain that has only client mode devices. This could happen when the existing primary server or server mode device has gone down temporarily and if the server mode device does not come up. If you do not configure at least one server, the devices become unreachable. LMS discovers only the client-mode devices in the domain and ignores the rest.

Fix Configure at least one device as server in a VTP domain. If the device you have configured as server is temporarily down, configure another device as server. You cannot fix this discrepancy through LMS. For more information on VTP domain, see the document Configuring VTP at the following location: http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notices_list.html

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-5 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Discrepancies

Link Related Discrepancies

The link related discrepancies that LMS reports are: • Link Duplex Mismatch • Link Speed Mismatch • Link Trunk/NonTrunk Mismatch

Link Duplex Mismatch

LMS reports a discrepancy when there is a duplex mismatch between links. Duplex mismatch on 10/100Mb Ethernet links occurs when one port on the link is operating at half-duplex while the other port is operating at full-duplex. This happens when one or both ports on a link are reset and the auto-negotiation process does not cause both partners to have the same configuration. It also happens when you reconfigure one side of a link and do not reconfigure the other side.

Impact Half-duplex device waits until no other devices are transmitting on the same LAN segment. However a full-duplex device transmits whenever it has something to send, regardless of other devices. If this transmission occurs while the half-duplex device is transmitting, the half-duplex device will consider this either a collision (during the slot time), or a late collision (after the slot time). Since the full-duplex side does not expect collisions, it does not realize that it must retransmit that dropped packet. A low percentage rate of collisions are normal with half-duplex, but not with full-duplex. If the switch port receives many late collisions, it usually indicates a duplex mismatch problem. See Figure 14-1.

Figure 14-1 Duplex Mismatch

A (root) Half-Duplex Half-Duplex: Still runs carrier sense Does not do and collision carrier sense detection

Collision A C BPDU lost Full-Duplex to be retransmitted

X 130876

Fix LMS provides commands to resolve link duplex mismatch. LMS displays commands to set the port speed to Auto. Setting the port speed to Auto will automatically make the link duplex to be negotiated between devices. To fix the discrepancy on switches using Cisco IOS:

Administration of Cisco Prime LAN Management Solution 4.2 14-6 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Discrepancies

Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command: duplex auto end where auto enables the autonegotiation capability. Step 2 Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-7 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Discrepancies

To fix the discrepancy on switches using Catalyst operating system:

Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command: set port speed mod/port auto where: • mod/port refers to the number of the module and the port on the module • auto specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet ports Step 2 Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.

Link Speed Mismatch

LMS reports a discrepancy when there is a mismatch in the link speeds, that is, different link speeds on either side of a link (for 10/100 ports or for any group of links). The IEEE 802.3u autonegotiation protocol manages the switch settings for speed (10 Mbps or 100 Mbps) and duplex (half or full). There are situations when this protocol can incorrectly align these settings, reducing performance. A mismatch occurs under these circumstances: • A manually-set speed or duplex parameter is different from the manually set speed or duplex parameter on the connected port. • A port is in Autonegotiate mode and the connected port is set to full duplex with no autonegotiation.

Impact Link speed mismatch results in reduced performance of the link.

Fix LMS displays commands to resolve link speed mismatch. To fix the discrepancy on switches using Cisco IOS:

Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command: speed auto end where auto enables the autonegotiation capability. Step 2 Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.

Administration of Cisco Prime LAN Management Solution 4.2 14-8 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Discrepancies

To fix the discrepancy on switches using the Catalyst operating system:

Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command: set port speed mod/port auto where: • mod/port refers to the number of the module and the port on the module • auto specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet ports Step 2 Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.

Link Trunk/NonTrunk Mismatch

LMS reports a discrepancy when there are trunking ports and non-trunking ports on either side of a link. This happens when one end of the trunk is set to On, and the other end is set to Off.

Impact This results in the trunk not coming up, and there would be no traffic flow across the link.

Fix LMS resolves the discrepancy by setting the trunk modes on the switches to Desirable mode. To fix the discrepancy on switches using the Catalyst operating system:

Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command: set trunk mod/port desirable where: • desirable causes the port to negotiate actively with the neighboring port to become a trunk link • mod/port specifies the number of the module and the port or ports on the module Step 2 Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-9 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Discrepancies

To fix the discrepancy on switches using Cisco IOS:

Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command: switchport mode dynamic desirable end where dynamic desirable specifies an interface that actively attempts to convert the link to a trunk link. Step 2 Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.

Port Related Discrepancy

The port related discrepancy that LMS reports is Port is in Error Disabled State. See Port is in Error Disabled State

Port is in Error Disabled State

LMS reports a discrepancy when one or more of the switch ports in the discovered network have a status of errDisable.

Causes of errDisable A port enters errdisable state for any of the following reasons: • Channel misconfiguration • Duplex mismatch • BPDU port-guard • UDLD

Impact When a port is error-disabled, it is effectively shut down and no traffic is sent or received on that port. The port LED is set to the color orange and when you enter the show port command, the port status shows errdisable.

Fix To recover from errDisable:

Step 1 Identify and fix whatever caused the ports to become error-disabled (cable, NICs, EtherChannel, and so on). Step 2 Re-enable the port.

Administration of Cisco Prime LAN Management Solution 4.2 14-10 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Discrepancies

You cannot fix this discrepancy through LMS. For more information on the errDisable state, see the document Recovering From errDisable Port State on the CatOS Platforms at the following location: http://www.cisco.com/en/US/tech/tk389/tk214/technologies_tech_note09186a0080093dcb.html

Device Related Discrepancy

The device related discrepancy that LMS reports is Devices With Duplicate Sysname. See Devices With Duplicate SysName, page 14-11

Devices With Duplicate SysName

LMS reports a discrepancy when it discovers two devices with the same SysName. LMS stores the device details of only one of the two devices.

Impact LMS manages only one of these devices.

Fix Assign unique SysName for all devices in the network. You cannot fix this discrepancy through LMS.

Spanning Tree Related Discrepancy

The spanning tree related discrepancy that LMS reports is PortFast Enabled on Trunk Port. See Port Fast Enabled on Trunk Port Port Fast Enabled on Trunk Port

LMS reports a discrepancy when PortFast is enabled on trunk ports. PortFast causes a spanning tree port to immediately enter the forwarding state, bypassing the listening and learning states. You must disable STP PortFast for switch-switch links. This is because, if you enable PortFast on a port that is connected to another Layer 2 device, such as a switch, you might create network loops.

Impact If you enable PortFast on ports that connect two switches, spanning tree loops can occur if Bridge Protocol Data Units (BPDUs) are being transmitted and received on those ports.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-11 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

Fix LMS provides commands for disabling PortFast on ports. To fix the discrepancy on switches using the Catalyst operating system:

Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command: set spantree portfast mod/port disable where disable disables the spanning tree PortFast-start feature on the port. Step 2 Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.

To fix the discrepancy on switches using Cisco IOS:

Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field. The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following command: no spanning-tree portfast end This command disables PortFast on the given port. Step 2 Click Fix. A message appears indicating whether the discrepancy was successfully fixed or not.

Interpreting Best Practices Deviations

This section contains information on each of the Best Practice Deviation reported in LMS. It gives a description of the Best Practice Deviation, the impact (if any) it has on the network, and ways to resolve it. The user interface in LMS displays commands to make configuration changes on devices, to resolve some Best Practices deviations. This section contains: • Channel Ports Related Best Practices Deviations • Spanning Tree Related Best Practices Deviations • Trunk Ports Related Best Practices Deviations • VLAN Related Best Practices Deviations • Link Ports Related Best Practice Deviation • Access Ports Related Best Practice Deviation • Cisco Catalyst 6000 Devices Related Best Practice Deviation

Administration of Cisco Prime LAN Management Solution 4.2 14-12 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

Channel Ports Related Best Practices Deviations

The channel ports related best practices deviations that LMS reports are: • Non-channel Port in Desirable Mode • Channel Port in Auto Mode

Non-channel Port in Desirable Mode

LMS reports a Best Practice Deviation when a non-channel port is in the Desirable mode. There are four user-configurable channel modes: • On • Off • Auto • Desirable Port Aggregation Protocol (PAgP) packets are exchanged only between ports in Auto and Desirable modes. Ports configured in on or off mode do not exchange PAgP packets. To form EtherChannel between, it is best to have both switches set to the Desirable mode. This gives the most robust behavior if one side or the other encounters error situations or is reset. The default mode of the channel is Auto. Both Auto and Desirable modes allow ports to negotiate with connected ports to determine whether they can form a channel. The determination is based on criteria such as port speed, trunking state, and native VLAN. Ports can form an EtherChannel when they are in different channel modes if the modes are compatible. Examples of ports that can form an EtherChannel are: • A port in desirable mode can successfully form an EtherChannel with another port that is in Desirable or Auto mode. • A port in the Auto mode can form an EtherChannel with another port in the Desirable mode. • A port in the Auto mode cannot form an EtherChannel with another port that is also in the Auto mode, since neither port initiates negotiation. • A port in the On mode can form a channel only with a port in the On mode because ports in On mode do not exchange PAgP packets. • A port in Off mode cannot form a channel with any port.

Impact When a non-channel port is in the Desirable mode, the links will not be efficiently used.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-13 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

Fix To fix the Best Practice Deviation on switches using Catalyst operating system:

Step 1 Go to the Best Practice Deviation report and click the hyperlink in the Summary field. The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the following command: set port channel mod/port mode auto Step 2 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

To fix the Best Practice Deviation on switches using Cisco IOS:

Step 1 Go to the Best Practice Deviation report and click the hyperlink in the Summary field. The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the following command: channel-group Channel group number mode auto Step 2 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

Channel Port in Auto Mode

LMS reports a Best Practice Deviation when a channel port is in Auto mode. There are four user-configurable channel modes: • On • Off • Auto • Desirable Port Aggregation Protocol (PAgP) packets are exchanged only between ports in Auto and Desirable mode. Ports configured in On or Off mode do not exchange PAgP packets. For switches to which you want to form an EtherChannel, it is best to have both switches set to Desirable mode. This gives the most robust behavior if one of the sides encounters error situations or is reset. The default mode of the channel is Auto. Both Auto and Desirable modes allow ports to negotiate with connected ports to determine if they can form a channel. The determination is based on criteria such as port speed, trunking state, and native VLAN. Ports can form an EtherChannel when they are in different channel modes if the modes are compatible. Examples of ports that can form an EtherChannel are: • A port in Desirable mode can successfully form an EtherChannel with another port that is in Desirable or Auto mode. • A port in Auto mode can form an EtherChannel with another port in Desirable mode.

Administration of Cisco Prime LAN Management Solution 4.2 14-14 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

• A port in Auto mode cannot form an EtherChannel with another port that is also in Auto mode, since neither port initiates negotiation. • A port in On mode can form a channel only with another port also in On mode, because ports in this mode do not exchange PAgP packets. • A port in Off mode cannot form a channel with any port.

Impact Channel port set to Auto mode is considered a Best Practice Deviation because it is not the recommended configuration. Cisco recommends that you set the channel port to Desirable mode. There is no serious impact on the network.

Fix To fix the Best Practise Deviation on switches using the Catalyst operating system:

Step 1 Go to the Best Practise Deviation report and click the hyperlink in the Summary field. The Best Practise Deviation Detail dialog box appears. The Recommended Fix field displays the following command: set port channel mod/port mode desirable which sets the port to desirable mode. Step 2 Click Fix. A message appears indicating whether the Best Practise Deviation was successfully fixed or not.

To fix the Best Practise Deviation on switches using Cisco IOS:

Step 1 Go to the Best Practise Deviation report and click the hyperlink in the Summary field. The Best Practise Deviation Detail dialog box appears. The Recommended Fix field displays the following command: channel-group Channel group number mode desirable which sets the port to desirable mode. Step 2 Click Fix. A message appears indicating whether the Best Practise Deviation was successfully fixed or not.

Spanning Tree Related Best Practices Deviations

The spanning tree related best practices deviations that LMS reports are: • BPDU Filter Disabled on Access Ports • BPDU-Guard Disabled on Access Ports • BackboneFast Disabled in Switch • UplinkFast not Enabled • Loop Guard and Port Fast Enabled on Ports

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-15 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

BPDU Filter Disabled on Access Ports

LMS reports a Best Practice Deviation when BPDU Filter is not enabled on access ports.

Impact BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states. By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled. BDPUFilter can be enabled for each port or globally. When you enable BPDUFilter globally, it applies to all PortFast-enabled ports on the switch. When you disable PortFast on a port, the BPDU Filter that was globally enabled on the PortFast enabled port is also disabled.

Fix LMS provides commands for enabling BPDU Filter on access ports. To fix the Best Practice Deviation on switches using Catalyst operating system:

Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: set spantree bpdu-filter mod/port enable where: • mod/port specifies the number of the module and the port on the module • enable enables BPDU packet filtering Step 2 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

To fix the Best Practice Deviation on switches using Cisco IOS:

Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: spanning-tree bpdufilter enable end where enable enables BPDU Filtering on the particular interface. Step 2 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

Administration of Cisco Prime LAN Management Solution 4.2 14-16 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

BPDU-Guard Disabled on Access Ports

LMS reports a Best Practice Deviation if PortFast is enabled and BPDU-Guard is not enabled on a port. BPDU-Guard prevents spanning-tree loops by moving a port into the errdisable state when a BPDU is received on that port. When you enable BPDU-Guard on the switch, spanning tree shuts down the interfaces that receive BPDUs instead of putting the interfaces into the spanning-tree blocking state.

Impact Cisco recommends that you enable BPDUGuard to block incoming BPDUs on edge devices (end-hosts). The Cisco BPDUGuard feature, when enabled, informs the switch to disable PortFast ports if a BPDU is received on those ports. BDPUGuard can be enabled on each port or globally. When you enable BPDUGuard globally, it applies to all PortFast-enabled ports on the switch.

Fix LMS displays commands for enabling BPDU Filter on access ports. To fix the Best Practice Deviation on switches using Catalyst operating system:

Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: set spantree bpdu-guard mod/port enable where: • mod/port specifies the number of the module and the port on the module • enable enables BPDUGuard Step 2 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

To fix the Best Practice Deviation on switches using Cisco IOS:

Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: spanning-tree bpduguard enable end where enable enables BPDUGuard on the particular interface. Step 2 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-17 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

BackboneFast Disabled in Switch

LMS reports a Best Practice Deviation when BackboneFast is enabled on one of the switches and not enabled on all other switches in a switch cloud. Cisco recommends that BackboneFast be enabled on all switches running STP. It can be added without disruption to a production network.

Impact If you do not enable BackboneFast on all devices, it might lead to undesirable effects on the spanning tree operation. BackboneFast provides rapid convergence from indirect link failures. By adding functionality to STP, you can reduce convergence times from the default of 50 seconds to 30 seconds. Figure 14-2 shows an example topology with no link failures. Switch A, the root switch, connects directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that connects directly to Switch B is in the blocking state.

Figure 14-2 BackboneFast Example Before Indirect Link Failure

Switch A Switch(Root) A Switch B (Root) L1 Switch B L1

L2 L3 L2 L3 Blocked port Blocked port

Switch C 11241

Switch C 11241 If link L1 fails, Switch C detects this failure as an indirect failure, because it is not connected directly to link L1. Switch B no longer has a path to the root switch. BackboneFast allows the blocked port on Switch C to move immediately to the listening state without waiting for the maximum aging time for the port to expire. BackboneFast then transitions the port on Switch C to the forwarding state, providing a path from Switch B to Switch A. This switchover takes approximately 30 seconds. Figure 14-3 shows how BackboneFast reconfigures the topology to account for the failure of link L1.

Administration of Cisco Prime LAN Management Solution 4.2 14-18 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

Figure 14-3 BackboneFast Example After Indirect Link Failure

Switch A (Root) Switch B L1

Link failure

L2 L3

BackboneFast transitions port through listening and learning states to forwarding state

Switch C 11244

Fix Enable BackboneFast on all switches in a switch cloud. To enable BackboneFast Globally on a Catalyst operating system:

Step 1 Enter the command: set spantree backbonefast enable Step 2 Enter this command to check the status: show spantree backbonefast

To enable BackboneFast Globally on Cisco IOS:

Step 1 Enter the command: spanning-tree backbonefast Step 2 Enter this command to check the status: show spanning-tree backbonefast

You cannot fix this Best Practice Deviation through LMS. For more information on Spanning Tree related configuration, see the document Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast at the following location: http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notices_list.html

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-19 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

UplinkFast not Enabled

LMS reports a Best Practice Deviation when UplinkFast is not enabled on switches.

Note This Best Practice Deviation is not applicable if the device is not an access layer switch.

Cisco recommends that you enable UplinkFast for switches with blocked ports, typically at the access layer. Do not use on switches without the implied topology knowledge of a backup root link—typically, distribution and core switches in Cisco's multilayer design. It can be added without disruption to a production network.

Impact UplinkFast provides fast STP convergence after a direct link failure in the network access layer. It operates without modifying STP, and its purpose is to speed up convergence time in a specific circumstance to less than three seconds, rather than the typical 30-second delay. Figure 14-4 shows an example topology with no link failures. Switch A, the root switch, is connected directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that is connected directly to Switch B is in the blocking state.

Figure 14-4 UplinkFast Example Before Direct Link Failure

Switch A (Root) Switch B L1

L2 L3

Blocked port

Switch C 11241

If Switch C detects a link failure on the currently active link L2 (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure 14-5. This switchover takes approximately 1 to 5 seconds.

Administration of Cisco Prime LAN Management Solution 4.2 14-20 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

Figure 14-5 UplinkFast Example After Direct Link Failure

Switch A (Root) Switch B L1

L2 L3

Link failure UplinkFast transitions port directly to forwarding state

Switch C 11242

Fix Enable UplinkFast on all access layer switches. To enable Uplink Fast on Catalyst operating system:

Step 1 Enter the command: set spantree uplinkfast enable Step 2 Enter this command to check the status: show spantree uplinkfast

To enable Uplink Fast on Cisco IOS:

Step 1 Enter the command: spanning-tree uplinkfast Step 2 Enter this command to check the status: show spanning-tree uplinkfast

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-21 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

Loop Guard and Port Fast Enabled on Ports

Loop Guard Assume that a switch port is receiving BPDUs, and is in the blocking state. The port makes up a redundant path. It is blocking because it is neither a Root Port nor a Designated Port. If, the flow of BPDUs stops, the last known BPDU is retained until the Max Age timer expires. When the Max Age timer expires, that BPDU is flushed, and the switch thinks there is no longer a need to block the port. The port moves through the STP states until it begins to forward traffic. The switch then forms a bridging loop. In its final state, the port becomes a Designated Port. To prevent this situation, you can use the loop guard STP feature. When you enable this feature, loop guard keeps track of the BPDU activity on nondesignated ports. While BPDUs are received, the port is allowed to behave normally. When BPDUs are missing, loop guard moves the port into the loop-inconsistent state. The port is effectively blocking at this point to prevent a loop from forming and to keep it in the nondesignated role. After BPDUs are received on the port again, loop guard allows the port to move through the normal STP states and become active. In this way, Loop Guard automatically governs ports without the need for manual intervention.

STP PortFast STP configures meshed topology into a loop-free, tree-like topology. When the link on a bridge port goes up, STP calculation occurs on that port. The result of the calculation is the transition of the port into forwarding or blocking state. The result depends on the position of the port in the network and the STP parameters. This calculation and transition period usually takes about 30 to 50 seconds. At that time, no user data passes through the port. Owing to this, some user applications can time out during the period. To allow immediate transition of the port into forwarding state, enable the STP PortFast feature. PortFast immediately transitions the port into STP forwarding mode upon linkup. This way the port still participates in STP. So if the port is to be a part of the loop, the port eventually transitions into the STP blocking mode.

Impact Enabling both the above features in a port, gives unpredictable results. Hence LMS flags it as a Best Practice Deviation.

Fix If you fix the above Best Practice Deviation through LMS, it disables the Port Fast feature in the port. To fix the Best Practice Deviation on switches using the Catalyst operating system:

Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: set spantree portfast disable Step 2 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

Administration of Cisco Prime LAN Management Solution 4.2 14-22 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

To fix the Best Practice Deviation on switches using Cisco IOS:

Step 1 Select Reports > Fault and Event. Step 2 Select Best Practices Deviation Report from the TOC. Step 3 Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: spanning-tree portfast disable Step 4 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

Trunk Ports Related Best Practices Deviations

The trunk ports related best practices deviations that LMS reports are as follows: • Non-trunk Ports in Desirable Mode • Trunk Ports in Auto Mode

Non-trunk Ports in Desirable Mode

LMS reports a Best Practice Deviation when non-trunk ports are set to Desirable mode.

Impact Cisco recommends that you set trunk to Off on all non-trunk ports. This helps eliminate wasted negotiation time when bringing host ports up. If a non-trunk port is set to Desirable, it attempts to become a trunk port if the neighboring port is in Desirable or Auto mode, although that is not the intended behavior.

Fix To fix the Best Practice Deviation, set the trunk mode to Off on all non-trunk ports. To fix it through LMS, on switches using the Catalyst operating system:

Step 1 Select Reports > Fault and Event. Step 2 Select Best Practices Deviation Report from the TOC. Step 3 Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: set port host mod/port Step 4 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-23 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

To fix it through LMS, on switches using Cisco IOS:

Step 1 Select Reports > Fault and Event. Step 2 Select Best Practices Deviation Report from the TOC. Step 3 Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: switchport mode access Step 4 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

Table 14-1 lists all possible combinations of trunk mode configurations and when LMS reports a Best Practice Deviation.

Table 14-1 Trunking Configuration 1

Modes On Auto Desirable Nonegotiate Off On None. Reports None. None. Reports Best Practice Best Deviation. (Trunking) (Trunking) (Trunking) Practice (Not Trunking) Deviation. (Trunking) Auto Reports Best None. Reports Best Reports Best None. Practice Practice Practice (Not (Not Trunking) Deviation. Deviation. Deviation. Trunking) (Trunking) (Trunking) (Not Trunking) Desirable None. Reports None. Reports Best Reports Best Practice Practice Deviation. (Trunking) Best (Trunking) Practice Deviation. (Not Trunking) Deviation. (Not Trunking) (Trunking) Nonegotiate None. Reports Reports Best None. Reports Best Practice Practice Deviation. (Trunking) Best (Trunking) Practice Deviation. (Not Trunking) Deviation. (Not Trunking) (Not Trunking) Off Reports Best None. Reports Best Reports Best None. Practice Practice (Not Practice (Not Trunking) Deviation. Deviation. Trunking) Deviation. (Not (Not Trunking) (Not Trunking) Trunking)

1. Information in brackets indicate the trunking state of the interface.

Administration of Cisco Prime LAN Management Solution 4.2 14-24 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

Trunk Ports in Auto Mode

LMS reports a Best Practice Deviation when trunk ports are set to Auto mode.

Impact Cisco recommends an explicit trunk configuration of Desirable at both ends. Auto mode indicates a static property and the port will not initiate the trunking link, if the neighbor does not initiate it. See Table 14-1 for different trunk mode combinations.

Fix To fix the Best Practice Deviation on switches using the Catalyst operating system:

Step 1 Select Reports > Fault and Event. Step 2 Select Best Practices Deviation Report from the TOC. Step 3 Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: set trunk mod/port desirable Step 4 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

To fix the Best Practice Deviation on switches using Cisco IOS:

Step 1 Select Reports > Fault and Event. Step 2 Select Best Practices Deviation Report from the TOC. Step 3 Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: switchport mode dynamic desirable Step 4 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

VLAN Related Best Practices Deviations

The VLAN related best practices deviations that LMS reports are as follows: • VLAN Index Conflict • VLAN Name Conflict

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-25 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

VLAN Index Conflict

LMS reports a Best Practice Deviation when there is a conflict in the VLAN Index. A VLAN Index conflict occurs in case of a VTP domain which has Server mode and Transparent or Off mode devices, where a same VLAN index has different VLAN name in transparent and server mode devices in the domain.

Impact There is no serious impact on the network connectivity. It is considered as a Best Practice Deviation because LMS cannot manage a VTP domain where the same VLAN index has different VLAN names in transparent and server mode devices.

Fix Assign the same name for a VLAN Index in both the transparent and server modes of the VTP domain. You cannot fix this Best Practice Deviation through LMS.

VLAN Name Conflict

LMS reports a Best Practice Deviation when there is a conflict in the VLAN Name. A VLAN Name conflict occurs in case of a VTP domain which has Server mode and Transparent or Off mode devices, where a VLAN part of the transparent mode device in the domain has the same name as VLAN part of the server mode device in the domain.

Impact There is no serious impact on the network connectivity. It is considered as a Best Practice Deviation because LMS cannot manage a VTP domain with devices where a VLAN part of the transparent mode device in the domain has the same name as VLAN part of the server mode device in the domain.

Fix Resolve the conflict by assigning different names for the VLAN part of the transparent mode and the server mode devices. You cannot fix this Best Practice Deviation through LMS.

Link Ports Related Best Practice Deviation

The link port related Best Practice Deviation that LMS reports is UDLD Disabled on Link Ports. See UDLD Disabled on Link Ports

Administration of Cisco Prime LAN Management Solution 4.2 14-26 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

UDLD Disabled on Link Ports

LMS reports a Best Practice Deviation if UniDirectional Link Detection (UDLD) is disabled on link ports.

Impact If you disable UDLD, it could result in Spanning Tree loops. Unidirectional links are often caused by a failure not detected on a fiber link, or by a problem with a transceiver.

Figure 14-6 Unidirectional Links

B A Blocking X X BPDU lost this way B unblocks its port and can forward traffic this way...... 130877

In Figure 14-6, suppose the link between A and B is unidirectional and drops traffic from A to B while transmitting traffic from B to A. Suppose that B should be blocking. It has previously been stated that a port can only block if it receives BPDUs from a bridge that has a higher priority. In this case, all these BPDUs coming from A are lost and bridge B eventually forwards traffic, creating a loop. To detect the unidirectional links before the forwarding loop is created, Cisco designed and implemented the UniDirectional Link Detection (UDLD) protocol. This feature is able to detect improper cabling or unidirectional links on Layer 2 and automatically break resulting loops by disabling some ports. For maximum protection against symptoms resulting from uni-directional links, we recommend that you enable aggressive mode UDLD on point-to-point links between Cisco switches, where you have set the message interval to the default 15 seconds.

Fix LMS provides commands to enable UDLD on link ports. To fix the Best Practice Deviation on switches using Catalyst operating system:

Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: set udld enable mod/port where enable enables the UDLD information display. Step 2 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-27 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

To fix the Best Practice Deviation on switches using Cisco IOS:

Step 1 Select Reports > Fault and Event. Step 2 Select Best Practices Deviation Report from the TOC. Step 3 Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix displays the following command: udld port end This command enables UDLD in normal mode by default on all interfaces. Step 4 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

Access Ports Related Best Practice Deviation

The access ports related Best Practice Deviation that LMS reports is CDP Enabled on Access Ports. See CDP Enabled on Access Ports

CDP Enabled on Access Ports

LMS reports a Best Practice Deviation when Cisco Discovery Protocol (CDP) is enabled on the access port of a switch. CDP is enabled by default and is essential to gain visibility of adjacent devices and for troubleshooting. It is also used by network management applications to build Layer 2 topology maps.

Impact In parts of the network where a high level of security is required (such as Internet-facing de-militarized zones), you should turn off CDP.

Administration of Cisco Prime LAN Management Solution 4.2 14-28 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Interpreting Best Practices Deviations

Fix LMS provides commands to disable CDP on switches. To fix the Best Practice Deviation on switches running Catalyst operating system:

Step 1 Select Reports > Fault and Event. Step 2 Select Best Practices Deviation Report from the TOC. Step 3 Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: set cdp disable mod/port Step 4 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

To fix the Best Practice Deviation on switches running Cisco IOS:

Step 1 Select Reports > Fault and Event. Step 2 Select Best Practices Deviation Report from the TOC. Step 3 Click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: no cdp enable Step 4 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

Cisco Catalyst 6000 Devices Related Best Practice Deviation

The Cisco Catalyst 6000 devices related Best Practice Deviation that LMS reports is High Availability not Operational. See High Availability not Operational

High Availability not Operational

Enabling High Availability on switches is applicable only for Cisco Catalyst 6000 devices. LMS reports a Best Practice Deviation when there are two supervisor engines in Cisco Catalyst 6000 devices and High Availability is not enabled.

Impact High Availability: • Is a critical requirement for most networks. Switch downtime must be minimal to ensure maximum productivity in a network. • Allows you to minimize the switch-over time from active supervisor engine to the standby supervisor engine, if the active supervisor engine fails.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-29 Chapter 14 Discrepancies and Best Practices Deviations Customizing Discrepancies Reporting and Syslog Generation

• Allows the active supervisor engine to communicate with the standby supervisor engine, keeping feature protocol states synchronized. • Provides a versioning option that allows you to run different software images on the active and standby supervisor engines. You can enable High Availability using Command Line Interface (CLI).

Fix As a general practice with redundant supervisors, we recommend that you enable High Availability feature for normal operation. LMS provides commands for enabling High Availability. To fix the Best Practice Deviation on switches using Catalyst operating system:

Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field. The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the following command: set system highavailability enable Step 2 Click Fix. A message appears indicating whether the Best Practice Deviation was successfully fixed or not.

For more information on Supervisor engines and High Availability, see the document Configuring Redundancy at the following location: http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notices_list.html

Customizing Discrepancies Reporting and Syslog Generation

You can customize the Discrepancies Report and Best Practices Deviations Report to display only those discrepancies and Best Practice Deviations about which you want to be notified. To customize the reports:

Step 1 Select Admin > Network > Best Practices Deviation Settings. The discrepancies page appears. You can view the list of Network discrepancies, and Discrepancies configured to send Syslog messages by clicking the corresponding View Details link. Step 2 Click Configure. The Configuring Discrepancies dialog box appears. • To include a Discrepancy or Best Practice Deviation in the Reports, check the check box next to it. Checking all the check boxes results in a report displaying all discrepancies and Best Practice Deviations in the network. • To exclude a Discrepancy or Best Practice Deviation from the Reports, uncheck the corresponding check box.

Administration of Cisco Prime LAN Management Solution 4.2 14-30 OL-25947-01 Chapter 14 Discrepancies and Best Practices Deviations Customizing Discrepancies Reporting and Syslog Generation

Step 3 Generate Syslog messages for the selected Discrepancies and Best Practice Deviations. To do this, check Configure Syslog and click Next. A list of the selected Discrepancies and Best Practice Deviations appears. Step 4 Check Send Syslogs and enter the name of the server in the Syslog Server field. Step 5 Select the Discrepancies and Best Practice Deviations for which you want to generate Syslog messages and click Next. A summary of the selected Discrepancies and Best Practice Deviations appears. Step 6 Click Finish.

You can use the filters to display discrepancy reports for specific devices, link or network types. This makes it easy to find a particular discrepancy for a particular type. You can use more than one filter at the same time, but results will vary. • If you select more than one filter in the same top-level category, Boolean OR is used. For example, if you select Duplex, Speed under Link, any link or port that fulfils at least one filter criteria will be displayed in the report. • If you select more than one filter from different top-level categories, Boolean AND is used. For example, if you select both a Link type and a Port type filter from the discrepancy filter, any link that fulfils both filter criteria will appear in the report.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 14-31 Chapter 14 Discrepancies and Best Practices Deviations Customizing Discrepancies Reporting and Syslog Generation

Administration of Cisco Prime LAN Management Solution 4.2 14-32 OL-25947-01

CHAPTER 15

Report Setting

Describes how to configure some settings for generating reports and set a report publish location. This section contains the following sections: • Specifying User Tracking Report Purge Policy • Specifying Domain Name Display • Set Report Publish Location

Specifying User Tracking Report Purge Policy

You can specify the intervals at which old reports and jobs are to be purged, using the Purge Policy option. You can save the Purge Policy, so that the older jobs and archives are purged at the specified interval. To specify the Purge Policy:

Step 1 Select Admin > Network > Purge Settings > User Tracking Report Purge Policy. The Report Settings dialog box appears. Step 2 Check the relevant check box: • Purge Archives Older than • Purge Jobs Older than You must specify in days, or weeks, or months the period for which you want to retain the report archives or jobs. Step 3 Click Save.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 15-1 Chapter 15 Report Setting Specifying Domain Name Display

Specifying Domain Name Display

You can specify the way in which domain names are to be displayed in User Tracking Reports, using the Domain Name Display option. To specify the Domain Name display:

Step 1 Select Admin > Network > Display Settings > Domain Name Display. The Domain Name Display window appears. Step 2 Select the format for displaying the domain names in User Tracking Reports. You can: • Show full domain name suffix • Hide full domain name suffix • Hide specified domain name suffix If you want to hide the specified domain name suffix, enter the domain name suffix in the field. Step 3 Click Save.

Set Report Publish Location

Cisco Prime LMS allows you to publish the PDF, HTML and CSV format of all the reports to a directory location of your choice. This is done by setting a default directory path.

Note Ensure that the casuser is assigned the required write permission to publish the PDF format of the report to the directory path.

To set a report publish location:

Step 1 Select Reports > Report Settings > Report Publish Path. Step 2 Select Report Location. The Default Report Publish Location page appears, displaying Default Location Settings dialog box. Table 15-1 describes the field in the Default Location Settings dialog box.

Table 15-1 Default Location Settings Fields

Field/Button Description Report Location Directory path where the PDF format of the reports are published. Use the Browse button to select a directory path. The Server Side File Browser dialog box is launched. You can select the directory path in this dialog box.

Step 3 Click Browse. The Server Side File Browser dialog box appears.

Administration of Cisco Prime LAN Management Solution 4.2 15-2 OL-25947-01 Chapter 15 Report Setting Set Report Publish Location

Step 4 Select the directory path from the Server Side File Browser dialog box. Step 5 Click OK. The directory path is displayed in the Report Location field. Step 6 Click Apply to save the default directory path settings or Cancel to reset the directory path.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 15-3 Chapter 15 Report Setting Set Report Publish Location

Administration of Cisco Prime LAN Management Solution 4.2 15-4 OL-25947-01

CHAPTER 16

Purge Settings

Describes how to configure the purge settings of all modules in LMS. This section contains the following sections: • Purging Reports Jobs and Archived Reports • Purging VRF Management Reports Jobs and Archived Reports • Purging Configurations from the Configuration Archive • Syslog Administrative Tasks • Setting the Syslog Purge Policy • Purging Configuration Management Jobs • Performance Purge Jobs • Performance Purge Data • View Performance Purge Details • IPSLA Data Purging Settings • Configuring the Daily Fault History Purging Schedule

Purging Reports Jobs and Archived Reports

You can purge Layer2 services jobs or report archives in LMS. By default, purging is disabled. To enable the purge option for Layer2 services report jobs and archives:

Step 1 Select Admin > Network > Purge Settings > Layer2 Services Purge Settings. The Network Reports Purge Settings dialog box appears. Under Report Settings, you can specify the Purge Policy for archives or jobs here. Step 2 Check the Purge Archives Older Than check box to specify the periodicity at which to purge archives. For instance, if you select 44 days, LMS purges archives that are older than 44 days. Step 3 Check the Purge Jobs Older Than check box to specify the periodicity at which to purge jobs. For instance, if you select 2 weeks, LMS purges jobs that are older than 2 weeks. Step 4 Click Save.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 16-1 Chapter 16 Purge Settings Purging VRF Management Reports Jobs and Archived Reports

Purging VRF Management Reports Jobs and Archived Reports

You can purge VRF Management jobs or report archives in LMS. By default, purging is disabled. To enable the purge option for VRF Management report jobs and archives:

Step 1 Select Admin > Network > Purge Settings > VRF Lite Purge Settings. The Purge Settings dialog box appears. Step 2 Specify the Purge Policy for archives or jobs. Step 3 Check the Purge Archives Older Than to specify the periodicity at which to purge archives. For instance, if you select 44 days, VRF Management purges archives that are older than 44 days. Step 4 Check the Purge Jobs Older Than to specify the periodicity at which to purge jobs. For instance, if you select 2 weeks, VRF Management purges jobs that are older than two weeks. Step 5 Click Save.

Purging Configurations from the Configuration Archive

You can specify when to purge archived configurations. Purging archives frees disk space and keeps your archive at a manageable size. By default, the purging jobs are disabled. You can purge configurations based on two criteria: • Number of versions to retain. Maximum number of versions of each configuration to be retained. The oldest configuration is purged when the maximum number is reached. For example, if you set the maximum versions to retain to 10, when the eleventh version of a configuration is archived, the earliest (first version) is purged to retain total number of latest archived versions at 10. • Age. Configurations older than the number of days that you specify are purged. The Labeled configuration files are not purged even if they satisfy either of the purge conditions (Maximum versions to retain and Purge versions older than options in the Archive Purge Settings window) unless you enable the Purge labeled files option in the Archive Purge Settings window. The labeled files are purged only if they satisfy the conditions given in the Maximum versions to retain and Purge versions older than options. Archive Management will not purge the configuration files, if there are only two versions of these files in the archive. Archived configurations that match the purge criteria that you set are purged from the system. This purge policy applies to Running configuration only.

Caution Ensure that the configuration change detection schedule does not conflict with purging, since both processes are database-intensive. Also backup your system frequently to prevent losing versions.

Administration of Cisco Prime LAN Management Solution 4.2 16-2 OL-25947-01 Chapter 16 Purge Settings Purging Configurations from the Configuration Archive

Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

The workflow to define the Configuration Archive purge policy is:

Step 1 Select Admin > Network > Purge Settings > Config Archive Purge Settings. The Archive Purge Setup dialog box appears. Step 2 Select Enable. Step 3 Click Change to schedule a Purge job. The Config Purge Job Schedule dialog box appears. Step 4 Enter the following information:

Field Description Scheduling Run Type You can specify when you want to purge the configuration archive files. To do this, select one of these options from the drop-down menu: • Daily—Runs daily at the specified time. • Weekly—Runs weekly on the specified day of the week and at the specified time. • Monthly—Runs monthly on the specified day of the month and at the specified time. The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3. Date You can select the date and time (hours and minutes) to schedule the job. Job Information Job Description The system default job description, Default archive purge job is displayed. You cannot change this description. E-mail Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You can enter multiple e-mail addresses separated by commas. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences)). When the job starts or completes, an e-mail is sent from the E-mail ID.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 16-3 Chapter 16 Purge Settings Syslog Administrative Tasks

Step 5 Specify when to purge configuration files from the archive by selecting one or all of the following purge policies: • Click Maximum versions to retain and enter the number of configurations to be retained. • Click Purge versions older than and enter the number of days, weeks, or months. • Click Purge labeled files to delete the labeled configuration files. The Purge labeled files option must be used either with the Maximum versions to retain or Purge versions older than options. You cannot use this option without enabling either Maximum versions to retain or Purge versions older than options. The labeled files are purged only if they satisfy the conditions given in the Maximum versions to retain and Purge versions older than options. The Labeled configuration files are not deleted even if they satisfy either of the purge conditions (Maximum versions to retain and Purge versions older than) unless you enable the Purge labeled files option. These purge policies are applied sequentially. That is, if you have enabled all the three purge policies, LMS applies the Purge policies in this sequence: a. Maximum versions to retain b. Purge versions older than c. Purge labeled files Archive Management does not purge the configuration files, if there are only two versions of these files in the archive. Step 6 Click Apply. A message appears, New settings saved successfully. Step 7 Click OK. You can check the status of your scheduled job by selecting Admin > Jobs > Browser.

Syslog Administrative Tasks

You can perform the following Administrative tasks: • Back up Syslog messages (see Setting the Syslog Backup Policy). • Purge Syslog messages (see Setting the Syslog Purge Policy). • Perform a Forced Purge (see Performing a Syslog Forced Purge).

Note View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform these tasks.

Administration of Cisco Prime LAN Management Solution 4.2 16-4 OL-25947-01 Chapter 16 Purge Settings Syslog Administrative Tasks

Setting the Syslog Backup Policy

The Backup Configuration feature allows you to save the Syslog messages to a flat file. The syslog data that is trimmed from the database will be moved to the flat file. • In Solaris/Soft Appliance, the backup file is created with -rw-r----- casuser casusers irrespective of the permissions given to the directory for backup on purge. • In Windows, the backup file inherits the permission and ownership of the directory it is created in, which is the directory selected as the backup location (on purge). View the Permission Report (Reports > System > Users > Permission) to check if you have the privileges required to perform this task. To set up the backup policy:

Step 1 Select Admin > Network > Purge Settings > Syslog Backup Settings. The Backup Policy dialog box appears. By default, the backup policy is set to disabled. Step 2 Select Enable to enable the backup process for Syslog messages, after configuring backup. Step 3 Click Browse to select the backup file location. The Server Side File Browser dialog box appears. In the Server Side File Browser dialog box: a. Specify the external directory. The external directory must be under the syslog directory, or a sub-directory within the syslog directory. For example, $NMSROOT/files/rme/syslog/sysbackup. The external directory cannot be outside the syslog directory. If you attempt to navigate outside the syslog directory, an error message appears. b. Select Directory Content, c. Click OK. Step 4 Enter the maximum size that you want to set for the backup file. By default this is set to 100 MB. Step 5 Enter the e-mail ID of the user who should receive a notification, if the backup fails. You can enter multiple e-mail addresses separated with commas. This is a mandatory field. Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent from the E-mail ID.) If you also want a notification to be sent when the backup is a success, select Also Notify on Success. Step 6 Either click Save to save the backup configuration details that you have specified or click Reset to clear the values that you specified and reset to the previously saved values in the dialog box. If you have clicked Save, the backup will continue to save the data even after the data has exceeded the specified size of the backup file. However, the system will send an e-mail asking you to cleanup the backup file.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 16-5 Chapter 16 Purge Settings Setting the Syslog Purge Policy

Setting the Syslog Purge Policy

You can specify a default policy for the periodic purging of Syslog messages. If you access a table either through immediate reports, report jobs or by any other means, the database locks the table and therefore the table will not be successfully purged. However, during the successive purge operations such a table will be purged. A purge job is enabled by default, and is scheduled to run at 1:00 AM daily. This section contains: Performing a Syslog Forced Purge To specify your default purge policy:

Step 1 Select Admin > Network > Purge Settings > Syslog Purge Settings. The Purge Policy dialog box appears. Step 2 Specify the number of days in the Purge records older than field. Only the records older than the number of days that you specify here, will be purged. The default value is 7 days. This is a mandatory field.

Caution You might delete data by changing these values. If you change the number of days to values lower than the current values, messages over the new limits will be deleted.

If the data of a particular day is being accessed either through Immediate reports, Report jobs, or by any other means, it will not be purged. However, during the successive purge operations this data will be purged. Step 3 Specify the periodicity of the purge in the Run Type field. This can be monthly, daily, or weekly. Step 4 Select the start date using the calendar icon, to populate the date field in the dd-mmm-yyyy format (For example, 02-Dec-2004). This is a mandatory field. Step 5 Enter the start time in the At field, in the hh:mm:ss format (23:00:00). This is a mandatory field. The Job Description field has a default description—Syslog Records - default purge job. Enter the e-mail ID of the user who should be notified when the scheduled purge is complete. You can enter more than one e-mail ID separated by commas. This is a mandatory field. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent from E-mail ID. Step 6 Either click Save to save the purge policy that you have specified or click Reset. to clear the values that you specified and reset the defaults in the dialog box.

You can view the scheduled purge job in the Job Browser (Admin > Jobs > Browser).

Administration of Cisco Prime LAN Management Solution 4.2 16-6 OL-25947-01 Chapter 16 Purge Settings Setting the Syslog Purge Policy

Performing a Syslog Forced Purge

You can perform a forced purge of Syslog messages, as required. If you access a table through Immediate reports, Report jobs, or by any other means, the database locks the table and therefore the table will not be successfully purged. However, during successive purge operations the locked table will be purged. To perform a Forced Purge:

Step 1 Select Admin > Network > Purge Settings > Syslog Force Purge. The Force Purge dialog box appears. Step 2 Enter the information required to perform a Forced Purge:

Field Description Purge records older than Enter the number of days. Only the records older than the number of days that you specify here, will be purged. This is a mandatory field. If the data of a particular day is being accessed either through Immediate reports, Report jobs, or by any other means, it will not be purged. However, during the successive purge operations this data will be purged. Scheduling Run Type Specify whether the purge is to be Immediate or Once. • If you select Immediate, all the other options will be disabled for you. • If you select Once, you can specify the start date and time and also provide the job description (mandatory) and the e-mail ID for the notification after the scheduled purge is complete. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent from E-mail ID. Date Select the start date using the calendar icon, to populate the Date field in the dd-mmm-yyyy format, for example, 02-Dec-2004. This is a mandatory field. The Date field is enabled only if you have selected Once as the Run Type. at Enter the start time, in the hh:mm:ss format (23:00:00). The at field is enabled only if you have selected Once as the Run Type.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 16-7 Chapter 16 Purge Settings Purging Configuration Management Jobs

Field Description Job Info Job Description Enter a description for the forced purge job. The Job Description field is enabled only if you have selected Once as the Run Type. This is a mandatory field. E-mail Enter the e-mail ID of the user who should be notified when the Forced Purge is complete. You can enter more than one e-mail ID separated by commas. The e-mail field is enabled only if you have selected Once as the Run Type. Configure the SMTP server to send e-mails in the View/ Edit System Preferences dialog box (Admin > System > System Preferences). We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box (Admin > System > System Preferences). When the job completes, an e-mail is sent from E-mail ID.

Step 3 Click Submit for the Forced Purge to become effective. To clear the values that you specified and reset the defaults in the dialog box, click Reset.

You can view the scheduled Force Purge job in the Job Browser (Admin > Jobs > Browser).

Purging Configuration Management Jobs

You can periodically purge the Configuration Management jobs from Admin > Network > Purge Settings > Config Job Purge Settings. This section contains: • Scheduling a Configuration Management Purge Job • Enabling a Configuration Management Purge Job • Disabling a Configuration Management Purge Job • Performing an Immediate Purge for Configuration Management Jobs The Job Purge option provides a centralized location for you to schedule Purge operations for the following Configuration Management jobs: • Credential Verification Jobs—Purge all Credential Verification jobs. This also includes credential verification edit jobs. • Software Management Jobs—Purge all Software Management jobs such as Image Import, Image Distribution, etc. • Netconfig Jobs—Purge all NetConfig jobs. • Archive Management Jobs—Purge Archive Management jobs such as Compliance Check, and Deploy Compliance Results. • Archive Update Jobs—Purge Archive Management collection jobs, Default config collection job. • Archive Poller Jobs—Purge Archive Management polling jobs, Default config polling job. • Archive Purge Jobs--Purge Archive Management purge jobs, Default archive purge job.

Administration of Cisco Prime LAN Management Solution 4.2 16-8 OL-25947-01 Chapter 16 Purge Settings Purging Configuration Management Jobs

• Config Editor Jobs—Purge all Config Editor jobs. • CwConfig Jobs—Purge all cwcli config jobs such as Get Config, Put Config, etc. • TrustSec Jobs - Purge all TrustSec jobs. • Identity Jobs - Purge all Identity jobs.

Note TrustSec was known as Identity in the versions of LMS earlier than 4.2. Identity jobs will be available for purging only if they have been backed up from the versions of LMS earlier than 4.2 and restored.

• Inventory Collector Jobs—Purge Inventory collection jobs. • Inventory Poller Jobs—Purge Inventory polling jobs. • Reports Jobs—Purge all Reports jobs • Reports Archive Jobs—All reports that are archived are purged. You can view all reports that are archived in the Archives window (Reports > Report Archives > Inventory and Syslog). • NetShow Jobs—Purge all NetShow jobs. You cannot purge the jobs that are in the running state. The Job Purge contains the following information:

Column Description Application Lists the application for which the Purge is applicable. Status Whether a Purge job is enabled or disabled. Policy This value is in days. Data older than the specified value, will be purged. You can change this value as required. This is a mandatory field. The default is 180 days. Job ID Unique ID assigned to the job by the system, when the Purge job was created. This job ID does not change even when you disable or enable or change the schedule of the Purge job. For Purge Now task, job ID is not assigned. Also, if a Job ID already exists for that application, the job ID is not updated for Purge Now tasks. That is, the scheduled Purge job is not affected by Purge Now task. Scheduled At Date and time for which the job is scheduled. For example: Nov 17 2004 13:25:00. Schedule Type Specifies the type of schedule for the Purge job: • Daily—Runs daily at the specified time. • Weekly—Runs weekly on the specified day of the week and at the specified time. • Monthly—Runs monthly on the specified day of the month and at the specified time. (A month comprises 30 days).

You can select the applications by checking the check boxes next to the application to perform the following tasks using the Job Purge window:

Button Description Schedule Schedules a Purge job. Enable After you schedule a job, you can enable Purge.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 16-9 Chapter 16 Purge Settings Purging Configuration Management Jobs

Button Description Disable After you schedule a job, if you have enabled the Purge job, you can choose to disable it. Purge Now Perform Immediate Purge. You can select more than one application to purge in a single step. After selecting the applications, click on this button to purge jobs.

Scheduling a Configuration Management Purge Job

To schedule a Purge job:

Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears. To create a Purge job, Step 2 Select Schedule. The Purge Schedule dialog box appears for the selected application.

Field Description Scheduling Run Type Select the frequency at which the job should be run: • Daily—Runs daily at the specified time. • Weekly—Runs weekly on the specified day of the week and at the specified time. • Monthly—Runs monthly on the specified day of the month and at the specified time. (A month comprises 30 days). For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. Date 1. Click on the date picker icon and select the date, month and year. Your selection appears in the Date field in this format: dd Mmm yyyy (example: 14 Nov 2004). 2. Select the time (hh and mm) from the drop-down lists in the at fields. Job Info Days The default setting for purging archived data is 180 days. That is, data older than 180 days will be purged. You can change this value as required. This is a mandatory field. You can enter only whole numbers for days. You cannot enter fractions of days. Job Based on the option that you selected, you see a default job description. Description For example, for Software Management Purge jobs the default description is: Purge - Software Management Jobs. For Reports Archive Purge, the default description is: Purge - Reports Archive Purge.

Administration of Cisco Prime LAN Management Solution 4.2 16-10 OL-25947-01 Chapter 16 Purge Settings Purging Configuration Management Jobs

Step 3 Click Done. The Purge job appears in the Job Purge dialog box.

Note You cannot purge the jobs that are in the running state.

Enabling a Configuration Management Purge Job

You can enable only a scheduled Purge job. To schedule a Purge job, see Scheduling a Configuration Management Purge Job. To enable a Purge job:

Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears. Step 2 Click Enable. A confirmation message appears: There is a purge schedule and it is enabled. Step 3 Click OK. The Status column in the Job Purge window displays Enabled for the selected application Purge job.

Disabling a Configuration Management Purge Job

You can only disable a Purge job that is scheduled and enabled. To schedule a Purge job, see Scheduling a Configuration Management Purge Job and to enable a Purge job, see Enabling a Configuration Management Purge Job. To disable a Purge job:

Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears. Step 2 Click Disable. A confirmation message appears: There is a purge schedule and it is disabled. Step 3 Click OK. The Status column in the Job Purge window displays Enabled for the selected application Purge job.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 16-11 Chapter 16 Purge Settings Performance Purge Jobs

Performing an Immediate Purge for Configuration Management Jobs

Using this option you can purge application jobs immediately. That is, you can purge Configuration Management jobs without scheduling and enabling the Purge job. For the Purge Now task, the Job ID is not assigned. Also, if a Job ID already exists for that application, the Job ID is not updated for Purge Now tasks. That is, the scheduled Purge job is not affected by Purge Now task. To perform an immediate purge:

Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings. The Job Purge dialog box appears. Step 2 Click Purge Now. The Explorer User Prompt dialog box appears. Step 3 Enter the number of days jobs that have to be purged. The default setting for purging archived data is 180 days. That is, data older than 180 days will be purged. You can change this value as required. You can enter only whole numbers for days. You cannot enter fractions of days. Step 4 Click OK. The Purge Job Details window appears displaying the purged job details.

Note You cannot purge the jobs that are in the running state.

Performance Purge Jobs

You can configure LMS to periodically purge job data that you no longer need. This is done using Job Purge. Job Purge provides a centralized location for you to schedule purging for the following LMS jobs: • Quick Report Jobs—Purge all Quick Report jobs older than the specified number of days. • Custom Report Jobs—Purge all Custom Report jobs older than the specified number of days. • Threshold Report Jobs—Purge all Threshold Report jobs older than the specified number of days. • Poller Report Jobs—Purge all Poller Report jobs older than the specified number of days. • Failure Tracker Jobs—Purge all Failure Tracker jobs older than the specified number of days. • TrendWatch jobs—Purge all TrendWatch jobs older than the specified number of days. • TrendWatch Summary jobs—Purge all TrendWatch summary jobs older than the specified number of days. • Summarizer Jobs—Purge all Summarizer jobs older than the specified number of days. • Data Purge jobs—Purge all Data Purge jobs older than the specified number of days.

Administration of Cisco Prime LAN Management Solution 4.2 16-12 OL-25947-01 Chapter 16 Purge Settings Performance Purge Jobs

• Job Purge jobs—Purge all Job Purge jobs older than the specified number of days. • Maintenance jobs—Purge all Maintenance jobs older than the specified number of days. To schedule Job Purge:

Step 1 Select Admin > Network > Purge Settings > Performance Job Purge Settings. Step 2 Select Job Purge. The Job Purge Settings page appears, displaying Job Purge Schedule dialog box. Table 16-1 describes the fields in the Job Purge Schedule dialog box.

Table 16-1 Job Purge Schedule Fields

Field/Button Description Scheduling Run Type Specify the type of schedule for job purge: • Daily—Runs daily at the specified time. • Weekly—Runs weekly on the specified day of the week and at the specified time. • Monthly—Runs monthly on the specified day of the month and at the specified time. (A month comprises 30 days). For Daily jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. Date Specify the date and time for which the purge is scheduled. Select the date by clicking the calendar icon and time from the drop-down list. Purge Policy Days The default setting for purging archived job data is 30 days. That is, job data older than 30 days will be deleted. You can change this value as required. This is a mandatory field. You can enter only whole numbers for days. You cannot enter fractions of days. Apply Job purge is scheduled at the specified Run Type and Date for the job data older than the days specified in the Days field. (button) Purge Now Job purge is done immediately for the job data older than the days specified (button) in the Days field.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 16-13 Chapter 16 Purge Settings Performance Purge Data

Step 3 Update the necessary fields in the following panes: • Scheduling • Purge Policy See Table 16-1 for the description of fields that appear in the Job Purge Schedule dialog box. Step 4 Click Apply to schedule job purge or Purge Now to immediately perform job purge. • If you click Apply, a message appears confirming that the purge settings are applied successfully. • If you click Purge Now, a message appears confirming that purge is done successfully and the Job ID appears. You can see the job details in the Job Browser at Admin > Jobs > Browser.

Note We recommend that you wait for any activity currently running in the system to stop before purging jobs. By default, all Job Purge jobs older than seven days are purged by Cisco Prime LMS.

Performance Purge Data

You can configure LMS to periodically purge polled data that you no longer need in the database. You can purge data records such as summarization records, Poller failure records, threshold violation records, audit trail records. Cisco Prime LMS polls the device and stores the polled data in the database. Over a period of time, the polled data occupies a large amount of space in the database. To prevent this, LMS stores only the last 24 hours data in the database. Background tasks in LMS summarizes this polled data and categorizes the data as 5-minute summarization record, 30-minute summarization record, 3-hour summarization record and 12-hour summarization record. The summarization of polled data happens every one hour. The summarized data can be purged at regular intervals using the Data Purge option. Data Purge allows you to schedule purging for the following LMS data records: • 30 Minute Summarization records—Purge all 30-minute summarization data records older than the specified number of days. • 3 Hour Summarization records—Purge all 3-hour summarization data records older than the specified number of days. • 12 Hour Summarization records—Purge all 12-hour summarization data records older than the specified number of days. • Poller failure records—Purge all failure data records older than the specified number of days. • Threshold violation records—Purge all threshold violation data records older than the specified number of days. • Audit trail records—Purge all audit trail data records older than the specified number of days. • TrendWatch violation records—Purge all TrendWatch violation data records older than the specified number of days. • Status change details records—Purge all status change details data records older than the specified number of days.

Administration of Cisco Prime LAN Management Solution 4.2 16-14 OL-25947-01 Chapter 16 Purge Settings Performance Purge Data

Note It is recommended to keep the LMS view in LMS Portal closed, when the data purge job is running.

To schedule Data Purge:

Step 1 Select Admin > Network > Purge Settings > Performance data purge settings. Step 2 Select Data Purge. The Data Purge Settings page appears, displaying the Data Purge Schedule dialog box. Table 16-2 describes the fields in the Data Purge Schedule dialog box.

Table 16-2 Data Purge Schedule Fields

Field/Button Description Purge Schedule Run Type Specify the type of schedule to perform Data Purge: • Hourly—Runs hourly. • Daily—Runs daily at the specified time. • Weekly—Runs weekly on the specified day of the week and at the specified time. • Monthly—Runs monthly on the specified day of the month and at the specified time. (A month comprises 30 days). By default, Daily is set as the default Run Type schedule for Data Purge. For example, if you have scheduled Run Type as Daily for Data Purge job at 10:00 a.m. on November 1, the next instance of this Data Purge job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the 10.00 a.m. November 1 Data Purge job has not been completed before 10:00 a.m. November 2, then the next Data Purge job will start only at 10:00 a.m. on November 3. Date Specify the date and time for which the Data Purge job is scheduled. Select the date by clicking the calendar icon and time from the drop-down list.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 16-15 Chapter 16 Purge Settings Performance Purge Data

Table 16-2 Data Purge Schedule Fields (continued)

Field/Button Description Purge Policy Days The following are the default settings for purging the following data: • 5 Minute's Summarization records—3 days • 30 Minute's Summarization records—15 days • 3 Hour Summarization records—90 days • 12 Hour Summarization records—365 days • Poller failure records—1 day • Threshold violation records—180 days • Audit trail records—90 days • TrendWatch violation records—180 days • Status change details records—15 days The default data purge settings provides optimal performance of Cisco Prime LMS. You can also change the default purge settings as required. However, the performance of Cisco Prime LMS may not be as expected. You can enter only whole numbers for days. You cannot enter fractions of days. This is a mandatory field. Apply Data purge is scheduled at the specified Run Type and Date for the data older (button) than the days specified in the Days field. Purge Now Data purge is done immediately for the data older than the days specified in (button) the Days field.

Step 3 Update the necessary fields in the following panes: • Purge Schedule • Purge Policy See Table 16-2 for the description of fields that appear in the Data Purge Schedule dialog box. Step 4 Click Apply to schedule the data purge or Purge Now to immediately perform the data purge. • If you click Apply, a message appears confirming that data purge settings are applied successfully. • If you click Purge Now, a message appears confirming that purge is done successfully and the Job ID appears. You can see the job details in the Job Browser at Admin > Jobs > Browser.

Note By default, all Summarization jobs older than seven days are purged by Cisco Prime LMS.

Administration of Cisco Prime LAN Management Solution 4.2 16-16 OL-25947-01 Chapter 16 Purge Settings View Performance Purge Details

View Performance Purge Details

Cisco Prime LMS allows you to view the details of the data purged using the option Purge Details. To view Data Purge details:

Step 1 Select Admin > Network > Purge Settings > Performance Data Purge Summary. Step 2 Select Purge Details. The Purge Details page appears, displaying Show Purge Details dialog box. Table 16-3 describes the fields in the Show Purge Details dialog box.

Table 16-3 Show Purge Details Fields

Field Description Details Displays the purge details of the Data Purge job. The following purge information is displayed: • Next Data Purge Job scheduled at • No. of Poll Failure records purged • No. of Audit Trail records purged • No. of Threshold Violation records purged • No. of Polled records purged • Last Job Purge completed at • No. of TrendWatch violation records purged Value Details the number of records purged and purge schedule.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 16-17 Chapter 16 Purge Settings IPSLA Data Purging Settings

IPSLA Data Purging Settings

The Purge Settings page allows you to set the Purge period for Historical and Audit reports. You can also set the Purge period from the Setup Center. To access Purge Settings page: Select Admin > Network > Purge Settings > IPSLA data Purge Settings. You can use the Purge Settings option to purge Historical data as well as Audit reports.

Purging Historical Data LMS purges IPSLA-related historical data automatically everyday, based on the Purge period specified on the Purge Settings page. It purges historical data that is older than the specified Purge period. If the Purge period is not specified, it purges the historical data based on the default values. The minute-based reports are purged daily by default. To purge Historical reports:

Step 1 Select Admin > Network > Purge Settings > IPSLA data Purge Settings. The Purge Settings page appears. Step 2 Specify the Purge period. For more information, see Table 16-4. Step 3 Click Apply. A message appears that the Purge settings are updated successfully. Step 4 Click OK.

Administration of Cisco Prime LAN Management Solution 4.2 16-18 OL-25947-01 Chapter 16 Purge Settings IPSLA Data Purging Settings

Table 16-4 Purging Reports

Granularity Purge Period Minute Specify the number of days for which you want to keep the minute historical data in the database. The default value is 1 day. Hourly Specify the number of days for which you want to keep the hourly historical data in the database. The default value is 32 days. Daily Specify the number of days for which you want to keep the daily historical data in the database. The default value is 180 days. Weekly Specify the number of weeks for which you want to keep the weekly historical data in the database. The default value is 12 weeks. Monthly Specify the number of months for which you want to keep the monthly historical data in the database. The default value is 12 months. Audit Reports Purge Period Allows you to purge the Audit reports.The audit reports older than the number of days you specify will be purged. The default purge period for Audit reports is 180 days. This frees disk space and maintains your audit reports at a manageable size.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 16-19 Chapter 16 Purge Settings Configuring the Daily Fault History Purging Schedule

Configuring the Daily Fault History Purging Schedule

Note View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform these tasks.

Data for Fault History remains in the LMS database for 31 days. Purging occurs every day to maintain only 31 days of data. You can select the time of day that purging begins. By default, purging begins at 00:00.

Before You Begin Review the information in Performing Scheduling Tasks to ensure that daily purging does not conflict with the other scheduled jobs listed there. Do not use the LMS Job Browser to manage Rediscovery Schedules; use the LMS Daily Purging Schedule interface. If you suspend the Fault History:DataPurge job using the Job Manager, the job is deleted from the LMS Daily Purging Schedule interface, which can be confusing to users.

Step 1 Select Admin > Network > Purge Settings > Fault History Purging Schedule. Step 2 Select the Purge Time: • Hour—From 0 to 23 • Minute—From 0 to 50 in ten-minute intervals The default purge time is 00:00. Step 3 Click Apply.

You can check the status of the Fault History data purge job from the Job Manager page each day after the job runs. To do so select Admin > Jobs > Browser and find DFM:DataPurge under Job Type. For more information, see Configuring Fault Management Rediscovery Schedules.

Administration of Cisco Prime LAN Management Solution 4.2 16-20 OL-25947-01

CHAPTER 17

Debugging Options

Debugging Settings menu allows the administrator to set the debugging settings of various modules in LMS. This section contains: • Configuring Discovery Logging • Maintaining Log Files • Performance Debugging Settings • Config and Image Management Debugging Settings • Configuring Logging • Fault Debugging Settings • Setting Debugging Options for Topology and User Tracking • Setting VRF Lite Debugging Options

Configuring Discovery Logging

You can enable the debugging option for components or modules of LMS Device Discovery without restarting the services. When you enable the debugging option for a selected component, the log levels in the csdiscovery.properties file is changed to DEBUG and the debug messages are recorded into the CSDiscovery.log file and ngdiscovery.log. You can only enable or disable the debugging option. You cannot choose to set different log levels such as INFO,WARNING, FATAL and ERROR. The following Device Discovery components can be enabled or disabled for debugging: • Discovery Framework • Data Collector • Discovery Util • System Module • Cluster Module • ARP Module • AUS Module • Credential Module

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-1 Chapter 17 Debugging Options Maintaining Log Files

• Neighbor Module • Pingsweep Module • RouterPeer Module • RT Module • CSDiscoveryAdaptor • Discovery DeviceInfo The debugging option for all the Device Discovery components is disabled by default. To enable the debugging option for the LMS Device Discovery components:

Step 1 Select Admin > System > Debug Settings > Discovery Logging Configuration. The Discovery Logging Configuration page appears. Step 2 Select one or more Discovery modules or components from the Disabled Modules list box. Step 3 Click Add to add the components to the Enabled Modules list box. Step 4 Click Apply. Debugging is enabled for all the components listed in the Enabled Modules list box. The changes will come into effect after 60 seconds.

To disable the debugging option, move the selected component from the Enabled Modules list box to Disabled Modules list box using the Remove button.

Maintaining Log Files

Log files can expand and fill up disk space. You must maintain the log files disk space usage by: • Deleting the unwanted log files from the Cisco Prime installation directory • Using the logrot functionality. See Configuring Log Files Rotation for more information. Most log files are located in directories in the following locations: • On Solaris/Soft Appliance—var/adm/CSCOpx/log • On Windows—NMSROOT\log

Caution As part of the file back-up procedure, Cisco Prime Daemon Manager is shut down and restarted. To prevent loss of data, make sure you are not running any critical tasks.

This section explains the following: • Maintaining Log Files on Solaris/Soft Appliance • Maintaining Log Files on Windows • About Cisco Prime Common Services Log Files • Viewing and Maintaining LMS Log File Details • Fault Management Log Files

Administration of Cisco Prime LAN Management Solution 4.2 17-2 OL-25947-01 Chapter 17 Debugging Options Maintaining Log Files

Maintaining Log Files on Solaris/Soft Appliance

To maintain log files on Solaris/Soft Appliance:

Step 1 Make sure the new location has sufficient disk space. Step 2 Log in as the superuser, and enter the root password. Step 3 Stop all processes, and enter /etc/init.d/dmgtd stop. Step 4 Perform log maintenance by running logrot. See Configuring Logrot Utility and Running Logrot Script for more information. Step 5 Verify the procedure was successful by examining the contents of the log files in this location: /var/adm/CSCOpx/log/*.log Only log files that reach 90% of their size limits are backed up, and the original log file is emptied. Step 6 Restart the system, and enter /etc/init.d/dmgtd start Step 7 Select Reports > System > Status > Log File to view your log changes.

Maintaining Log Files on Windows

To maintain log files on Windows:

Step 1 Make sure the new location has sufficient disk space. Step 2 Go to the command line and make sure you have the correct permissions. Step 3 Stop all processes by entering: net stop crmdmgtd Step 4 Perform log maintenance by running logrot. See Configuring Logrot Utility and Running Logrot Script for more information. Step 5 Verify the procedure was successful by examining the contents of the log files in the following location: NMSROOT\log\ Only log files that reach 90% of their size limits are backed up, and the original log file is emptied. Step 6 Restart the system by entering: net start crmdmgtd Step 7 Select Reports > System > Status > Log File to view your log changes.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-3 Chapter 17 Debugging Options Maintaining Log Files

About Cisco Prime Common Services Log Files

The table below lists the filenames and locations of all logs produced by components of Common Services. The normal top-level log file directories refer to /var/adm/CSCOpx/log on Solaris/Soft Appliance and NMSROOT\log on Windows. For example, the path to license.log is C:\Program Files\CSCOpx\log on Windows, /var/adm/CSCOpx/log on Solaris/Soft Appliance. Paths to log files other than those in the normal log directories are listed relative to NMSROOT on each platform. For example, the path to stdout.log is mentioned as /MDC/tomcat/logs/ in the table.

Component /Module Directory Path File Description AAA Serivces /MDC/log/ core* Logs for Authentication, Authorization and Accounting process Backup and Normal top-level log directories dbbackup.log, Backup and restore logs Restore restorebackup.log, restorebackup.log.old Cico Prime /MDC/Apache/logs/ error.log Log for General Cisco Prime LMS General LMS errors Log Files Normal top-level log directories perlerr.log Log for Perl interpreter errors Normal top-level log directories Proxy.log Log for Proxy activity Normal top-level log directories event.log Log for Cisco Prime LMS events Normal top-level Solaris/Soft Appliance log daemons.log Log for all Daemon directory only Manager-controlled processes (On Solaris/Soft Appliance only). Cisco Prime Normal top-level Windows log directory syslog.log Syslogs received from Syslog Service only device/machine (On Windows only). Normal top-level Windows log directory syslog_debug.log CRMLogger debugging only information and messages from device/machine (On Windows only). Database Normal top-level log directories CmfDbMonitor.log Log for Sybase database Services operations Normal top-level log directories dbpwdChange.log Log for Database password changes Normal top-level log directories dbrestoreorig.log Log to restore the database to factory settings Normal top-level log directories dmgtDbg.log Log for Daemon Manager interactions with Sybase database /objects/db/win32/ dbcond8.log Database condition log

Administration of Cisco Prime LAN Management Solution 4.2 17-4 OL-25947-01 Chapter 17 Debugging Options Maintaining Log Files

Component /Module Directory Path File Description Device and Normal top-level log directories dcr.log Logs for Device and Credentials Credentials Administration Administration activities Normal top-level log directories DCRDevPoll.log Logs to detect and delete Unreachable devices Device and Normal top-level log directories dcrimpexp.log, Logs to import and export Credentials DCRServer.log (Windows Device and Credentials Administration Only), Administration — Import and daemons.log (Solaris/Soft Export Module Appliance Only) Device Center Normal top-level log directories SnmpWalk* Log for SNMP Walk Normal top-level log directories SnmpSet* Log for SNMP Set Device Normal top-level log directories CSDiscovery.log, Device discovery logs Discovery ngdiscovery.log Device Selector Normal top-level log directories CSDeviceSelector.log Device Selector log file Role /MDC/log/ cam.log Role Management log file Management Disk Space Normal top-level log directories diskWatcher.log Logs storing the disk space Monitoring information Services Event Normal top-level log directories EDS-GCF.log, EDS.log Logs for Event Distribution Distribution Services activities Services Event Services Normal top-level log directories ESS.log, JavaDebug.log Logs for Event Services Grouping Normal top-level log directories CMFOGSClient.log Log for Grouping Service Service client Normal top-level log directories CMFOGSServer.log Log for Grouping Service server JacORB Normal top-level Windows log directory NameServiceMonitor.log, Logs for only NameServer.log NameServiceMonitor from JacORB package (On Windows only) Job Services Normal top-level Windows log directory daemons.log (Solaris/Soft Logs for various Jobs only Appliance Only), jrm.log (Windows Only) Licensing Normal top-level log directories LicenseServer.log License Server activity Normal top-level log directories license.log Product license changes Messaging Normal top-level log directories lwms.log Lightweight Messaging Service Service activity Software Center Normal top-level log directories psu.log Log for Software Center related activities

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-5 Chapter 17 Debugging Options Maintaining Log Files

Component /Module Directory Path File Description Web Services /MDC/Apache/logs/ access.log, error.log, Logs for Apache activity mod_jk.log Normal top-level log directories ssl.log Log for Apache activity /MDC/tomcat/logs/ jasper-YYYYMMDD.log, Logs for all Tomcat activities servlet-YYYYMMDD.log, stderr.log, stdout.log, Normal top-level log directories changeport.log Port change information Logs for Normal top-level log directories CSRegistryServer.log Log for CSRegistryServer Common process Services Normal top-level log directories TomcatMonitor.log Log for TomcatMonitor backend process processes

Viewing and Maintaining LMS Log File Details

Each LMS module writes log files within the NMSROOT/log folder. Table 17-1 lists the name of the log file, LMS module for which log file is written, the location in Windows where log files is stored, the location in Solaris/Soft Appliance where log files is stored and the purpose of the log file.

Table 17-1 List of Topology and Identity Services Log File Details

Location in Location in Solaris/Soft Log File Module Windows Appliance Purpose ani.log Data Collection NMSROOT/log/ani. /var/adm/CSCOpx/l Debugs Data log og/ani.log Collection process. AniServer.log ANIServer NMSROOT/log/AN /var/adm/CSCOpx/l Debugs IServer.log og/dmgtd.log ANIServer process Campus.log LMS NMSROOT/log/Ca /var/adm/CSCOpx/l Debugs Configuration mpus.log og/Campus.log Topology and and reports Layer 2 Services module of LMS CampusOGSSer Topology and NMSROOT/log/Ca /var/adm/CSCOpx/l Debugs ver.log Layer 2 Services mpusOGSServer.log og/CampusOGSSer Topology and OGSServer ver.log Layer 2 Services OGSServer process CampusOGSCli OGS client NMSROOT/log/Ca /var/adm/CSCOpx/l Debugs ent.log mpusOGSClient.log og/CampusOGSClie Topology and nt.log Layer 2 Services OGSClient

Administration of Cisco Prime LAN Management Solution 4.2 17-6 OL-25947-01 Chapter 17 Debugging Options Maintaining Log Files

Table 17-1 List of Topology and Identity Services Log File Details (continued)

Location in Location in Solaris/Soft Log File Module Windows Appliance Purpose campusportal.lo Portal NMSROOT/log/cam /var/adm/CSCOpx/l Debugs the g pusportla.log og/campusportal.lo Topology and g Layer 2 Services portlets. Cmapps.log User Tracking NMSROOT/log/Cm /var/adm/CSCOpx/l Debugs all the UI apps.log og/Cmpapps.log UI pages for User Tracking macuhic.log MACUHIC NMSROOT/log/mac /var/adm/CSCOpx/l Debugs uhic.log og/macuhic.log MACUHIC process for Dynamic UT ut.log User Tracking NMSROOT/log/ut.l /var/adm/CSCOpx/l Debugs the User og og/ut.log Tracking module utlite.log UTLITE NMSROOT/log/utlit /var/adm/CSCOpx/l Debugs UTLite e.log og/utlite.log.log Server. UTMajorAcquis User Tracking NMSROOT/log/ /var/adm/CSCOpx/l Debugs ition.log UTMajorAcquisitio og/dmgtd.log UTMajorAcquisi n.log tion process. utm.log UTManager NMSROOT/log/ /var/adm/CSCOpx/l Debugs Utm.log og/utm.log UTManager process of Dynamic UT Vnmclient.log VRF Lite UI NMSROOT/log/ /var/adm/CSCOpx/l Debugs VRF Vnmclient.log og/Vnmclient.log Lite UI Vnmcollector.lo VRF Lite NMSROOT/log/Vn /var/adm/CSCOpx/l Debugs VRF g Collector mCollector.log og/Vnmcollector.lo Lite Collector g process. VNMDeviceSel VRF Lite NMSROOT/log/Vn /var/adm/CSCOpx/l Debugs the ector.log Device selector mDeviceSelector.lo og/VNMDeviceSele device selector g ctor.log provided by VRF Lite. Vnmserver.log VRF Lite Server NMSROOT/log/Vn /var/adm/CSCOpx/l Debugs VRF merver.log og/Vnmserver.log Lite Server process Vnmutils.log VRF Lite UI and NMSROOT/log/Vn /var/adm/CSCOpx/ Debugs utility Server mutils.log Vnmutils.log classes used by VRF Lite client and server.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-7 Chapter 17 Debugging Options Maintaining Log Files

Fault Management Log Files

Each Fault Management module writes log files to its own folder within the NMSROOT/log/dfmLogs folder. Table 17-2 lists each Fault Management module, the name of the folder where the log files are stored, the related log files, the maximum log size, and the number of backup logs that are saved.

Note NMSROOT is the folder where LMS is installed on the server. If you selected the default directory during installation, it is C:\Program Files\CSCOpx. On Solaris/Soft Appliance it is /opt/CSCOpx.

When a log file reaches its maximum size, the module backs up the file and starts writing to a new log file. The module appends a number to the backup file, until it reaches the maximum allowed backups. In the following example, the oldest file is TISServer.log.2, and TISServer.log is the current log file. 02:42 PM 4,481,607 TISServer.log 10:22 AM 5,120,447 TISServer.log.1 03:17 AM 5,120,105 TISServer.log.2

By default, Fault Management writes error messages only to log files. You can change the logging level and thereby affect the amount of information stored in log files. To do so, see Fault Debugging Settings. If there are two instances of the DfmServer running, each will have a log file, DFM.log and DFM1.log.

Table 17-2 Fault Management Log Files by Module

Folder in No. of NMSROOT\log\dfmLo Maximum Backu Function/Module gs Log Files Size (KB) p Files Alerts and Activities Display AAD AAD.log 1000 3 Inventory Interactor cfi Interactor.log/Interactor1.log 1000 5 Inventory Collector cfi InventoryCollector.log/Inventory 35000 5 Collector1.log Polling and Threshold Adapter cfi PollingThresholdAdapter.log/Poll 10000 5 ingThresholdAdapter1.log Detailed Device View DDV DDV.log 1000 2 Daily Purging Schedule DPS DPS.log 100 2 Event Processing Adapters epa adapterServer.log/adapterServer1. 1000 5 log dfmEvents.log/dfmEvents1.log Event Promulgation Module EPM EPM.log 15000 5 Fault History FH FHCollector.log 1000 2 FHUI.log Logging Services LogService DfmLogService.log 500 2 Processes with multiple threads LogService MultiProcLogger.log 10000 5 License (device limit) license licenseCheck.log 100 2 Notification Services NOS nos.log 5000 2 Fault Management Object Grouping N/A1 DFMOGSServer.log 300002 152 Service Server

Administration of Cisco Prime LAN Management Solution 4.2 17-8 OL-25947-01 Chapter 17 Debugging Options Performance Debugging Settings

Table 17-2 Fault Management Log Files by Module (continued)

Folder in No. of NMSROOT\log\dfmLo Maximum Backu Function/Module gs Log Files Size (KB) p Files Polling and Threshold Manager PTM PTMClient.log 1000 5 PTMServer.log Polling and Threshold Manager PTM PTMDB.log 1000 5 (database) Polling and Threshold Manager PTM PTMOGS.log 1000 5 (grouping services) Polling and Threshold Manager (Polling PTM PTMPTA.log 1000 5 and Threshold Adapter) Rediscovery Schedule Rediscovery Rediscovery.log 100 2 Device and Credentials Repository TIS DCRAdapter.log 1000 2 Adapter Device Management TIS DeviceManagement.log 1000 2 Inventory Service TIS TISServer.log 1000 2 View Group Management VGM vgm.log 1000 3

1. The DFMOGSServer.log file is not stored in NMSROOT/log/dfmLogs with the other Fault Management log files. It is stored in NMSROOT/log on Windows, and /var/adm/CSCOpx/log on Solaris/Soft Appliance. 2. On Windows, there is no limit setting for the log size or number of backup log files for DFMOGSServer.log.

Table 17-3 Incharge Log Files

Function/Module Folder in NMSROOT\obj\smarts\local\logs Log Files Inventory Incharge engine DFM.log/DFM1.log

Performance Debugging Settings

You can use this option to configure and manage log level settings in Device Performance Management function of LMS. You can set log level modes (such as Fatal, Error, Warn, Info, Debug) either for all Device Performance Management modules or at a module level. Device Performance Management module log files are stored at these locations: • On Windows: $NMSROOT\log\, where $NMSROOT is the Cisco Prime LMS installation directory. • On Solaris/Soft Appliance: /var/adm/CSCOpx/log/ When a log file reaches its maximum file size of 10000 KB, the module backs up the file and starts writing to a new log file. The maximum number of backup log files stored for each application is two.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-9 Chapter 17 Debugging Options Performance Debugging Settings

This section contains IPSLA Debugging Settings To set log levels:

Step 1 Select Admin > System > Debug Settings > Performance Debugging Settings. Step 2 Select Log Level Settings. The Set Application Logging Levels dialog box appears. Step 3 Select the application module from the drop-down list. The sub-module for the selected application module appear in the Module field. Step 4 Select an appropriate log level from the Logging Level drop-down list. Changes to Device Performance Management modules are logged with appropriate log level message. The logging levels are: • Fatal • Error • Warn • Info • Debug The logging level is set as Info, by default. Table 17-4 describes the fields in the Set Application Logging Levels dialog box and also provides information on the files to which these logs are stored.

Table 17-4 Set Application Logging Levels Fields

Application Module Sub-module Log File Description All — — Set logging level for the entire system UI Poller Management upm_ui.log Set logging level for Device Template Management Performance Management User Interface modules Threshold Setup TrendWatch Setup Report Management Report Job Browser Admin Pages Trap Group Management Syslog Group Management Live Graph LMSLiveGraph.log LMS Portlets LMSPortal.log Device Center upm_ui.log

Administration of Cisco Prime LAN Management Solution 4.2 17-10 OL-25947-01 Chapter 17 Debugging Options Performance Debugging Settings

Table 17-4 Set Application Logging Levels Fields

Application Module Sub-module Log File Description UPMProcess Polling Engine upm_process.log Set logging level for Device Instance Querying Performance Management (UPMProcess) modules Threshold Monitor Device Access Layer Device Management UPMProcess UPMProcess.log PollerUPMProcess upm_process.log TemplateUPMProcess ThresholdUPMProcess IfAdmin Status IfAdminStatus.log JOBS Report Jobs HumReportJob__.log Set logging level for Device Performance Management For example, HumReportJob_1003_479.log Job modules Summarization Job upm_summarizer.log Purge Job upm_purge.log Failure Tracker Job HumReportJob__.log For example, HumReportJob_1003_479.log UPMCTMOperations UPM CTM Operations upm_ctm.log Set logging level for UPMCTMOperations modules

Step 5 Click Apply to set the logging level or Reset to apply the default logging level. A message appears confirming that the logging levels are successfully updated.

IPSLA Debugging Settings

You can use the Log Level Settings option to set the log levels for IPSLA Performance Management. You can either set the log levels for all the modules at a time or individual modules in IPSLA Performance Management. By default, the log level is ‘INFO’ for all the modules after installation. The log files are stored at the following location: • Windows: NMSROOT\log, where NMSROOT is the Cisco Prime installation directory. • Solaris/Soft Appliance: /var/adm/CSCOpx/log. To set the log level:

Step 1 Select Admin > System > Debug Settings > IPSLA Debugging Settings. The Log Level Settings page appears. Step 2 Select either All or Module Level from the Application drop-down list.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-11 Chapter 17 Debugging Options Performance Debugging Settings

Step 3 Select the appropriate log level from the Logging Level drop-down list. For more information, see Table 17-5. Step 4 Click Apply to set the log levels. A message appears that the log levels have been successfully updated. To clear the settings, click Cancel. Step 5 Click OK.

Table 17-5 IPSLA Log Level Settings

Field Description Set Application Logging Levels Module Select one of the following from the drop-down list. • All • Module Level Logging Level Select one of the following logging levels from the drop-down list. • FATAL • ERROR • WARN • INFO • DEBUG

Table 17-6 lists the IPSLA Performance Management modules and the corresponding log file details.

Table 17-6 Modules and Log File Names

Modules in IPSLA Performance Management Log File Names IPMCLI ipmcli.log IPMServer ipmserver.log IPMClient ipmclient.log IPMJob jobid.log, jobid.subjobid.log IPM OGS collectorGroup.log, IPMOGSClient.log, IPMOGSServer.log IPM CTM Operations ipm_ctm.log IPMPortal ipmportal.log IPMPoller ipmpoller.log IPMBase ipm_base.log IPM TS TS_IPSLA.log

Administration of Cisco Prime LAN Management Solution 4.2 17-12 OL-25947-01 Chapter 17 Debugging Options Config and Image Management Debugging Settings

Config and Image Management Debugging Settings

You can use this option to set the logging levels for LMS packages. You can set the log levels for all LMS packages, or at a package (application) level. Log files are stored at these locations: • On Windows: NMSROOT/log, where NMSROOT is the Cisco Prime installation directory. • On Solaris/Soft Appliance: /var/adm/CSCOpx/log To set the log levels:

Step 1 Select Admin > System > Debug Settings > Config and Image Management Debugging settings. The Set Application Logging Levels dialog box appears. Step 2 Select the Application from the drop-down list. Step 3 Select the appropriate log level from the Logging Level drop-down list. The fields in the Set Application Logging Levels dialog box are:

Application Module Log File Names Description All - - Changes the logging level for the entire system. ArchiveMgmt • Archive Service dcmaservice.log Changes the logging level for Archive • Archive Client dcmaclient.log Management. BugToolkit Bug Toolkit bugtoolkit.log Changes the logging level for Bug Toolkit.

ChangeAudit • Change Audit ChangeAudit.log Changes the logging level for Change Audit. • Change Audit User ChangeAuditUI.log Changes the logging level for Change Interface Audit UI. CLIFramework CLI Framework cli.log Changes the logging level for CLI Framework. ConfigCLI • Config CLI ConfigCLI.log Changes the logging level for Config CLI. • Netconfig CLI netcfgcli.log Changes the logging level for NetConfig CLI. ConfigEditor Config Editor CfgEdit.log Changes the logging level for Config Editor. ConfigJob Config Jobs logs under Changes the logging level for %NMSROOT%\files\rme\jobs\Net Configuration Jobs. ConfigJob ConfigJobManager Config Job Manager cjp.log Changes the logging level for Configuration Job Browser. This log file is used for config purge jobs

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-13 Chapter 17 Debugging Options Config and Image Management Debugging Settings

Application Module Log File Names Description ContractConnection Contract Connection contractcon.log Changes the logging level for Contract Connections CTMJRrmServer CTM Jrm Server CTMJrmServer.log Changes the logging level for CTM JRM Server. CRI CRI • cri.log Changes the logging level for Common reporting Infrastructure. • criarvpurge.log • crijobpurge.log DeviceManagement • Device • EssentialsDM.log Changes the logging level for Device Management User Management. Interface • Check Device • cda.log Changes the logging level for Check Attributes User Device Attributes User Interface Interface • Device Credential • log files under Changes the logging level for Device Verification Jobs %NMSROOT%\files\rme\jobs\ Credential Verification jobs. cda\ • Device • EssentialsDM_Server.log Changes the logging level for Device Management Management Operations. Operations DeviceSelector Device Selector RMEDeviceSelector.log Changes the logging level for Device Selector. ICServer • Inventory IC_Server.log Changes the logging level for the IC Collection Service Server. • Inventory ICServerUI.log Changes the logging level for Collection User Inventory Collection User Interface. Interface • Inventory Creates job logs under Changes the logging level for Collection Jobs %NMSROOT%\files\rme\jobs\ICSe Inventory Collection jobs. rver Install • Restore Config and CCRImport.log Changes the logging level for the Image Management Installation modules. CCR • Config and Image Management PSU Adapter • Migration InventoryPoller Inventory Poller Creates job logs under Changes the logging level for %NMSROOT%\files\rme\jobs\InvP Inventory Poller. oller InvReports Inventory Reports invreports.log Changes the logging level for Inventory Reports. MakerChecker Maker Checker MakerChecker.log Changes the logging level for the Job Approval module.

Administration of Cisco Prime LAN Management Solution 4.2 17-14 OL-25947-01 Chapter 17 Debugging Options Config and Image Management Debugging Settings

Application Module Log File Names Description NetConfig Netconfig Client netconfigclient.log Changes the logging level for rmeextnserver.log Netconfig client. Tracks the backend functionalities when VRF Lite or IPSLA Performance Management invokes the extension API. NetShow NetShow Client NetShowClient.log Changes the logging level for NetShow client. Portlets Config and Image RMEPortlets.log Changes the logging level for Management Portlets Inventory, Config & Image Management Portlets. RMECommon Common Config and rme.log Changes the logging level for the Image Management common Inventory, Config & Image Functions Management functions such as, Job Management tasks, purge tasks, etc. RMECSTMServer Config and Image rme_ctm.log Changes the logging level for CSTM Management CSTM Server. Server SoftwareMgmt • Software swim_debug.log Changes the logging level for the user Management User interface of Software Management Interface and the Software Management job creation workflows. • Software swim_debug.log files under Changes the logging level for Management Jobs %NMSROOT%\files\rme\jobs\swi Software Management jobs. m folder SyslogAnalyzer • Syslog Analyzer SyslogAnalyzer.log Changes the logging level for Syslog AnalyzerDebug.log Analyzer. • SyslogAnalyzer.log—for Windows • AnalyzerDebug.log—for Solaris/Soft Appliance • Syslog Analyzer SyslogAnalyzerUI.log Changes the logging level for Syslog User Interface Analyzer User Interface. VirtualSwitch • Virtual Switch VirtualSwitchClient.log Changes the logging level for Virtual Client Switching System.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-15 Chapter 17 Debugging Options Config and Image Management Debugging Settings

Application Module Log File Names Description EnergyWise • EnergyWise UI EnergyWiseUI.log Changes the logging level for the user interface of EnergyWise • EnergyWise EnergyWiseConfiguration.log Log for provisioning EnergyWise Provisioning Device and EndPoints. • EnergyWise EnergyWiseMonitoring.log Log for EnergyWise Monitoring jobs. Monitoring • EnergyWise Device EnergyWiseCollection.log Log for EnergyWise Device Endpoint, and EnergyWiseNative.log Endpoint, and Domain collection. Domain collection • EnergyWise Policy EnergyWiseComplianceCheck.log Log for EnergyWise Policy Compliance EnergyWiseNativeCompliance.log Compliance check. • EnergyWise Data EnergyWise_Purge.log Log for EnergyWise Data Purge Purge Settings Settings • Applying EnergyWiseNativePolicy.log Log for applying EnergyWise to EnergyWise Endpoints. Policies to Endpoints

To track the port and module group backend evaluation exceptions and changes, the following logs are maintained: • PMCOGSServer.log • PMCOGSClient.log Step 4 Click Reset to apply the default logging levels. Step 5 Click Apply after you set the log levels, A message appears, that the log levels have been successfully updated.

Administration of Cisco Prime LAN Management Solution 4.2 17-16 OL-25947-01 Chapter 17 Debugging Options Configuring Logging

Configuring Logging

You can enable the debugging option LMS components without restarting the services. When you enable the debugging option for the selected component, the log levels in the respective properties file is changed to DEBUG and the debug messages are recorded in the corresponding log files You can only enable or disable the debugging option. You cannot choose to set different log levels such as INFO,WARNING, FATAL and ERROR. To debug Faults, see Fault Debugging Settings To enable the debugging option for the Common Services components:

Step 1 Select Admin > System > Debug Settings > Common Services Log Configurations. The CS Log Configurations dialog box displays the following details:

Item Description Component List of components for which you can enable or disable the debug option Log File(s) Location Directory of the log files for the selected application Description Brief description about the selected application Debug Mode Option to enable or disable the debug mode

Step 2 Select the component from the Component drop-down list box. You can select to enable the debugging option for the available Common Services components. The available components include: • CS Device Groups • CS Device Selector • CS Home • CS Portlets This component is listed in the drop-down list box only when you have installed the LMS Portal application in LMS Server. • Core Admin Module • DCR Bulk Import and Export • Device Center • Device and Credentials Repository • Home Page Admin • Licensing • LMS Setup Center • Getting Started This component is listed in the drop-down list box only if LMS Setup Center is installed in LMS Server. • Product Instance Device Mapping • SMTP • Software Center

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-17 Chapter 17 Debugging Options Fault Debugging Settings

Step 3 Select the Enable option to enable debugging for the selected application. By default, the Debug Mode is set to disabled.

Note You can only choose the enable or disable option. You cannot change the log levels to some other value.

Step 4 Click Apply to save the changes. The changes will come into effect after 60 seconds. You can enable the debugging option for only one component at a time.

To disable the debug mode for all the Common Services components:

Step 1 Select Admin > System > Debug Settings > Common Services Log Configurations. The CS Log Configurations dialog box appears. Step 2 Click Reset All to disable the debug mode for all the Common Services components. The log levels are restored as they are before enabling the debugging option.

Fault Debugging Settings

Fault Management module writes application log files for all major functional modules. By default, Fault Management writes only error and fatal messages to these log files; Fault Management saves the previous three logs as backups. You cannot disable logging. However, you can: • Collect more data when needed by increasing the logging level • Return to the default logging level as the norm This task can be performed by a user logged in to Fault Management in any of the following roles: • System Administrator • Network Administrator • Network Operator You can also enable debug of the Incharge engine, and execute Incharge Commands. See Enable Incharge Debugging for more information. To set the Fault Management debug settings: Select Admin > System > Debug Settings > Fault Debugging Settings. The Fault Debugging Settings page is displayed.

Note You cannot disable logging. Fault Management will always write error and fatal messages to application log files.

For each Fault Management functional module, the Error check box is always selected; you cannot deselect it.

Administration of Cisco Prime LAN Management Solution 4.2 17-18 OL-25947-01 Chapter 17 Debugging Options Fault Debugging Settings

To set all modules to Error, the default logging level:

Step 1 Click the Default button. A confirmation page is displayed. Step 2 Click OK.

To change the logging level for individual modules:

Step 1 For each module that you want to change, select one (or deselect all) of the following logging levels: • Warning—Log error messages and warning messages • Informational—Log error, warning, and informational messages • Debug—Log error, warning, informational, and debug messages

Note Deselecting all check boxes for a module returns it to Error, the default logging level.

Step 2 Review your changes. To cancel your changes, click the Cancel button. Otherwise, click the Apply button. When you click Apply it starts to reset the changed logging levels for the Fault Management functional modules.

Enable Incharge Debugging To do this:

Step 1 Click the Enable Incharge Debugging, and execute Incharge Commands link in the Fault Debugging Settings page. The Incharge Command Execution page appears. Step 2 Select Enable Incharge Debugging check box to enable Incharge logs for the Fault Management module in LMS. The logs are available at: • On Windows: – NMSROOT\objects\smarts\local\logs\DFM.log – NMSROOT\objects\smarts\local\logs\DFM1.log • On Solaris/Soft Appliance: – /opt/CSCOpx/objects/smarts/local/logs/DFM.log – /opt/CSCOpx/objects/smarts/local/logs/DFM1.log

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-19 Chapter 17 Debugging Options Setting Debugging Options for Topology and User Tracking

Step 3 You can execute any Incharge command in the Command text box, click Run and view the results in the Result column. Some sample commands that you can exceute are: • sm_server • brcontrol • dmctl –s geti Routers

Setting Debugging Options for Topology and User Tracking

If you face issues while running LMS, you can enable logging to debug the same. You can set debugging options for the following functions: • Data Collection (see Setting up Debugging Options for Data Collection) • Configuration and Reports (see Setting up Debugging Options for Network Reports) • Device Groups (see Setting Debugging Options for Device Groups) • Topology (see Setting Debugging Options for Topology) • User Tracking Server (see Debugging Options for User Tracking Server) • Dynamic User Tracking (see Debugging Dynamic Updates) • User Tracking Reports (see Debugging Options for User Tracking Reports) • Dynamic User Tracking Console (see Debugging Options for Dynamic User Tracking Console) • CiscoView (see Debugging Options for CiscoView)

Setting up Debugging Options for Data Collection

You can set the trace, and debugging, for Data Collection as follows:

Step 1 Select Admin > System > Debug Settings > Data Collection. The Debugging Options dialog box appears. Step 2 Modify the debugging options as specified in Table 17-7.

Table 17-7 Data Collection Debugging Options for Data Collection

Field Description Usage Notes Enable Debug Select this option to enable You can select the modules for debugging logging for Data Collection. only if you select this option. Modules Specify the modules on Click Select to view the available modules which you need to enable and select the modules in which you want to debugging. enable debug. For details on Debug modules, see Selecting Data Collection Debug Modules

Administration of Cisco Prime LAN Management Solution 4.2 17-20 OL-25947-01 Chapter 17 Debugging Options Setting Debugging Options for Topology and User Tracking

Table 17-7 Data Collection Debugging Options (continued) for Data Collection

Field Description Usage Notes File Name Name of the log file in The default log file is NMSROOT\log\ani.log which the trace messages are to be recorded. Maximum File Size Maximum size of the log file None (lines) in lines Enable Device Level Debugging Device IP(s) IP Addresses (IPv4 or IPv6 This field is enabled only when the Device Addresses) of devices for Level Debugging option is enabled. which you need to log debugging messages. You can enter multiple IP addresses, separated by commas.

Step 3 Click Apply.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-21 Chapter 17 Debugging Options Setting Debugging Options for Topology and User Tracking

Selecting Data Collection Debug Modules

Table 17-8 describes the debug modules available for Data Collection in LMS.

Table 17-8 Data Collection Debug Modules

Module Description framework • Constructs and maintains data in the memory. • Provides framework for LMS features. Enable debugging for this module only when requested by TAC. This is because enabling debugging for this module creates huge logs. topo Provides network topology computation and layouts. Enable debugging for this module if you have problems with Topology computation of devices. vlad • Discovers VTP domains, VLANs, port-in-VLAN configurations • Performs VLAN configuration tasks • Determines Spanning Tree state Enable debugging for this module if you have problems with VTP, VLAN reports, and configuration. ccm Discovers Cisco CallManager (CCM). Enable debugging for this module if you encounter issues with data collected for CCM. vmpsadmin • Discovers end-user hosts on the network • Records end-user host information in the ANI database • Manages requests for scheduling user and host discoveries, ping sweeps, database queries, and updates to user and notes information Enable debugging for this module if you have problems with User Tracking. dcrp Provides computation of network discrepancies. Enable debugging for this module if you have problems in Discrepancy reports. status Enables status polling on previously discovered devices. Enable debugging for this module if you have problems with device and link status polling. apps Discovers application hosts such as MCS. Enable debugging for this module if you encounter issues with data collected on application hosts. stp Discovers all STP related information from the network. Enable debugging for this module if you have problems with STP reports and configuration.

Administration of Cisco Prime LAN Management Solution 4.2 17-22 OL-25947-01 Chapter 17 Debugging Options Setting Debugging Options for Topology and User Tracking

Table 17-8 Data Collection Debug Modules (continued)

Module Description stpeng • Performs STP configuration tasks • Provides basic STP analysis for migration from one STP type to another Enable debugging for this module if you have problems with STP reports and configuration. devices Provides specific information, if any, available for device categories. Enable debugging for this module if you have problems specific to a particular device type.

Click OK to save the selected modules or click Cancel to exit.

Setting up Debugging Options for Network Reports

If you need information on Network Reports in LMS, you can enable debugging for the same. To do this:

Step 1 Select Admin > System > Debug Settings > Layer2 Configuration and Reports The debugging page appears. Step 2 Select the level of debugging. It can be any one of the following: • INFO Only informational messages are recorded in the log file. • DEBUG All messages related to Configuration and Reports are recorded in the log file. • FATAL Messages related to fatal errors are recorded in the log file. This is the default option. The Log File Name field specifies the location and name of the log file. The default log file is NMSROOT\log\Campus.log Step 3 Click Apply.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-23 Chapter 17 Debugging Options Setting Debugging Options for Topology and User Tracking

Setting Debugging Options for Device Groups

If there are errors related to System-defined or User-defined groups in LMS, you can enable debugging for the same. Its done as follows:

Step 1 Select Admin > System Administration > Debug Settings > Device Groups. The debugging page appears. Step 2 Select the level of debugging. It can be any one of the following: • INFO Only informational messages are recorded in the log file. This is the default option. • DEBUG All client side messages are recorded in the log file. • FATAL Messages related to fatal errors are recorded in the log file. The Log File Name field specifies the location and name of the log file. The default log file is NMSROOT\log\CampusDeviceSelector.log Step 3 Click Apply.

Setting Debugging Options for Topology

You can enable debugging for Topology Services client side activities. The debugging information will be available in the Java Console. To display Java Console:

Step 1 Select Start > Settings > Control Panel > Java. Step 2 Select the Advanced tab. The corresponding tree structure is displayed. Step 3 Go to the tree and select Java Console > Show Console. Step 4 Click Apply and then OK. The Java console is displayed when you launch Topology Services.

Note In case you close the Java Console, to reopen it, close the Topology window and relaunch it.

Administration of Cisco Prime LAN Management Solution 4.2 17-24 OL-25947-01 Chapter 17 Debugging Options Setting Debugging Options for Topology and User Tracking

To enable debugging:

Step 1 Select Admin > System > Debug Settings > Topology. The debugging page appears. Step 2 Select the level of debugging. It can be any one of the following: • TRACE Only informational messages are displayed in the Java Console. • DEBUG All Topology Services client side messages are displayed in the Java Console. • ERROR Messages related to all errors are displayed in the Java Console. This is the default option. Step 3 Click Apply.

To change log level settings:

Step 1 Close the Topology Services window. Step 2 Change the settings in the LMS Administration page. Step 3 Re-launch Topology services.

Debugging Options for User Tracking Server

To debug events related to all User Tracking server side processes:

Step 1 Select Admin > System > Debug Settings > User Tracking Server. The debugging page appears. See Table 17-9 for a description of the fields:

Table 17-9 User Tracking Server Side Debugging Options

Field Description Usage Notes Enable Debug Check this option to enable You can select the modules for debugging logging for User Tracking only after you select this option. Server side activities. Modules Specify the modules on Click Select to view the available modules which you need to enable and select the modules in which debug is to be debugging. enabled. Table 17-8 lists the debug modules available for User Tracking Server. File Name Name of the log file in The default log file is NMSROOT\log\ut.log which the trace messages are to be recorded.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-25 Chapter 17 Debugging Options Setting Debugging Options for Topology and User Tracking

Table 17-9 User Tracking Server Side Debugging Options (continued)

Field Description Usage Notes Maximum File Size Maximum size of the file in (lines) lines Enable Device Level Debugging Device IP(s) IP addresses of devices for This field is enabled only when the Device which you need to log Level Debugging option is enabled. debugging messages. You can enter multiple IP addresses, separated by commas.

Step 2 Click Apply.

Selecting User Tracking Server Side Debug Modules

Table 17-8 describes the debug modules available for User Tracking Server in LMS.

Table 17-10 User Tracking Debug Modules

Module Description user tracking Provides user tracking functionality. Enable debugging for this if user tracking fails to discover end hosts as expected. framework • Constructs and maintains data in the memory. • Provides framework for LMS features. Enable debugging for this module only when requested by TAC. This is because enabling debugging for this module creates huge logs. devices Provides specific information, if any, available for device categories. Enable debugging for this module if you encounter issues specific to a particular device type.

Click OK to save the selected modules or click Cancel to exit.

Debugging Dynamic Updates

You can set the debugging options required for Dynamic Updates. Enabling debugging, records all the required information to the log files. To enable debugging Dynamic Updates:

Step 1 Select Admin > System > Debug Settings > Dynamic User Tracking. The debugging page appears. Step 2 Check Enable Debug to set the options.

Administration of Cisco Prime LAN Management Solution 4.2 17-26 OL-25947-01 Chapter 17 Debugging Options Setting Debugging Options for Topology and User Tracking

Step 3 Select the Service Name from the drop down list in the Service Name field. The framework modules appear in the Module Name column. The framework modules depend on the service that you select. Step 4 Select the debug level for each module. The debug level options are INFO, DEBUG, and TRACE. INFO logs minimum information required for debugging and is the default option. DEBUG is the next level of debugging. TRACE provides complete debugging information and creates huge logs. Step 5 Enter the filename for the log file in the Log Filename field. • The default log file for UT LITE is NMSROOT\log\utlite.log • The default log file for MACUHIC is NMSROOT\log\macuhic.log • The default log file for UTManager is NMSROOT\log\utm.log The default value for Log file size is 1,000,000 lines. You can give values between 1 and 2,147,483,647. Giving zero or negative values or alphabets results in errors. Step 6 Click Apply to save the settings.

Dynamic User Tracking modules available for debugging are explained in Table 17-11:

Note Enabling debugging for these modules creates huge logs, which interferes with the Trap processing capability of LMS. We recommend that you enable debugging for this module only when requested by TAC.

Table 17-11 Dynamic User Tracking Debug Modules

Module Description UT Lite control plane Handles configuration events related to: • Log level Settings • Log file • Port number For example: If you changed the log file from X to Y, but logging still happens in X , enable debugging for this module. listener Listens to data sent by the UTLite script installed in the Windows or Novell server. Checks for the integrity of the data received. execution framework Handles code level execution of the data received. Enable debugging for this module to debug Java related errors. execution Processes and validates the data received. UTLite receives MACAddress, IPAddress and User logged in for the end host. This information is updated to the database only if the endhost has been discovered in last UT Major Acquisition cycle or through Dynamic User Tracking.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-27 Chapter 17 Debugging Options Setting Debugging Options for Topology and User Tracking

Table 17-11 Dynamic User Tracking Debug Modules (continued)

Module Description MACUHIC control plane Handles configuration events related to: • Log level Settings • Log file • Port number listener Listens to SNMP traps sent by devices. Checks for the integrity of the data received. execution framework Handles code level execution of data received by MACUHIC. Enable debugging for this module to debug Java related errors. decoder Validates the traps sent by devices by checking whether: • The trap is sent by a device managed by LMS. • The SNMP version is correct execution Checks whether: • The data received is duplicate data • If the data is sent by a Link port or Access port. Dynamic UT does not process traps sent from link ports. Updates the database with information received and forwards it to UTManager for further processing. UTManager control plane Handles configuration events related to: • Log level Settings • Log file • Port number listener Listens to data sent by UTLite and MACUHIC. Checks for the integrity of the data received. execution framework Handles code level execution of data received by UTManager. Enable debugging for this module to debug Java related errors. decoder Validates the data received from UTLite, MACUHIC, SNMP data from DHCP Snooping MIB and the other data sent by external systems. execution Processes the data received and updates the database. es framework Handles queries sent to External Systems. es.snmp Handles SNMP queries sent to External Systems. es.subnet Performs subnet calculation based on the information sent by External Systems. es.db Handles database operations.

Administration of Cisco Prime LAN Management Solution 4.2 17-28 OL-25947-01 Chapter 17 Debugging Options Setting Debugging Options for Topology and User Tracking

Debugging Options for User Tracking Reports

You can debug events related to User Tracking client side activities as follows:

Step 1 Select Admin > System > Debug Settings > User Tracking Reports. The debugging page appears. Step 2 Select the level of debugging. It can be any one of the following: • INFO Only informational messages are recorded in the log file. This is the default option. • FATAL Messages related to fatal errors are recorded in the log file. • DEBUG All User Tracking client side messages are recorded in the log file. The Log File Name field specifies the location and name of the log file. The default log file is NMSROOT\log\Cmapps.log Step 3 Click Apply. Debugging is enabled for UT client side activities and the messages are recorded in the corresponding log file.

Debugging Options for Dynamic User Tracking Console

This feature helps you to troubleshoot Dynamic User Tracking updates in a detailed way. Dynamic UT consists of three major processes: • UTLite • UTManager • MACUHIC Each process monitors different error conditions using circular buffers in the memory. For each error condition, the buffer will have the count of error occurrences and the conditions under which the error occurred. You can write this information from the memory to a file if you need to, and troubleshoot based on that. To enable Dynamic User Tracking Console:

Step 1 Select Admin > System > Debug Settings > Dynamic User Tracking Console. The debugging page appears. Step 2 Select the Service name from one of the following: • UTLite • UTM • MACUHIC The error conditions related to that process are listed under the Error Details section.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-29 Chapter 17 Debugging Options Setting VRF Lite Debugging Options

Step 3 Select the error condition for which you need details and click Generate. A new file is generated with all the error details and stored in the LMS server. It is also listed under the File list pane. Step 4 Select a file and: • Click View to see the file contents. • Click Download to save the file in your local machine. • Click Delete to delete the file from the server. You can delete multiple files at the same time.

Debugging Options for CiscoView

You can set an SNMP and activity trace and/or view the trace log. This option records trace information into the cv.log file, which is located at %NMSROOT%/MDC/tomcat, where %NMSROOT% is the directory in which CiscoView is installed.

Step 1 Select Inventory > Tools > CiscoView. Step 2 Select a device from the device selector, and select Administration > Debug Options And Display Log. The Trace Settings dialog box appears. Step 3 Select either or both of the following and then click Apply: • SNMP Trace — Displays SNMP request and response pairs, MIB instance ID, data value, data type, request method, and time stamp. • Activity Trace — Displays server activity such as which device and dialog boxes are open. Step 4 Click View Trace to see the trace activity in a separate window.

Setting VRF Lite Debugging Options

If you face issues while running VRF Lite, you can enable logging to debug the same. You can set debugging options for the following functions: • VRF Lite Server (see VRF Lite Server Debugging Settings) • VRF Lite Collector (see VRF Lite Collector Debugging Settings) • VRF Lite Client (see VRF Lite Client Debugging Settings) • VRF Lite Utility (see VRF Lite Utility Debugging Settings) You can click Reset All on the Debugging Settings page to reset the debug levels of functions listed.

Administration of Cisco Prime LAN Management Solution 4.2 17-30 OL-25947-01 Chapter 17 Debugging Options Setting VRF Lite Debugging Options

VRF Lite Server Debugging Settings

VRF Lite Server is used to serve all the requests for VRF Lite configurations tasks. The VRF Lite Server effectively controls and handles all VRF Lite configuration tasks that include deployment of VRF Lite configuration details to the selected devices and interfaces using LMS. The VRF Lite Server also fetches the data from the VRF Lite database for report generation. To apply the debugging level to the VRF Lite Server:

Step 1 Select Admin > System > Debug Settings > VRF Lite Server Debugging.

The VRF Lite Server Debugging dialog box appears. The default location of the log file for VRF Lite Server Debugging Settings is NMSROOT\log\Vnmserver.log. The Debug levels in the VRF Lite Server Debugging Settings dialog box is as described in Table 17-12.

Table 17-12 Settings in VRF Lite Server Debugging

Field Description Debug Level INFO Only informational messages are recorded in the log file. DEBUG All messages related to VRF Lite Server are recorded in the log file. ERROR Error is the default logging level. Messages related to fatal errors are recorded in the log file. This is the default option. Reset Click Reset to reset the debug levels applied to VRF Lite Server, to default value.

Step 2 Select a debug level and click Apply to apply the selected debug level to the VRF Lite Server.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-31 Chapter 17 Debugging Options Setting VRF Lite Debugging Options

VRF Lite Collector Debugging Settings

VRF Lite Collector collects all the VRF Lite related information from the managed devices on your network. You can get the information on readiness details of the devices on which VRF Lite can be configured. To apply the debugging level to the VRF Lite Collector:

Step 1 Select Admin > System > Debug Settings > VRF Lite Collector Debugging.

The VRF Lite Collector Debugging Settings dialog box appears.The default location of the log file for VRF Lite Collector Debugging Settings is NMSROOT\log\Vnmcollector.log. The Debug levels in the VRF Lite Collector Debugging Settings dialog box are as given in Table 17-13:

Table 17-13 Settings in VRF Lite Collector Debugging

Field Description Debug Level INFO Only informational messages are recorded in the log file. DEBUG All messages related to VRF Lite Collector are recorded in the log file. ERROR Error is the default logging level. Messages related to fatal errors are recorded in the log file. Reset Click Reset to reset the debug levels applied to VRF Lite Collector, to default value.

Step 2 Select a debug level and click Apply to apply the selected debug level to the VRF Lite Collector.

Administration of Cisco Prime LAN Management Solution 4.2 17-32 OL-25947-01 Chapter 17 Debugging Options Setting VRF Lite Debugging Options

VRF Lite Client Debugging Settings

VRF LiteVRF Lite Client refers to the Graphical User Interface (GUI) pages used to perform VRF Lite tasks. When you use the GUI pages to perform a task, the logs specific to the tasks are recorded. The recorded logs can be debugged using VRF Lite client debugging settings. To apply the debugging level to the VRF Lite Client:

Step 1 Select Admin > System > Debug Settings > VRF Lite Client Debugging.

The VRF Lite Client Debugging Settings dialog box appears.The default location of the log file for VRF Lite Client Debugging Settings is NMSROOT\log\Vnmclient.log. The Debug levels in the VRF Lite Client Debugging Settings dialog box is as described in Table 17-14:

Table 17-14 Settings in VRF Lite Client Debugging

Field Description Debug Level INFO Only informational messages are recorded in the log file. DEBUG All messages related to VRF Lite Client are recorded in the log file. ERROR Error is the default logging level. Messages related to fatal errors are recorded in the log file. This is the default option. Reset Click Reset to reset the debug levels applied to VRF Lite Client, to default value.

Step 2 Select a debug level and click Apply to apply the selected debug level to the VRF Lite Client.

VRF Lite Utility Debugging Settings

VRF LiteVRF Lite Client refers to the utility classes used in VRF Lite like DB, JRM and so on. When the utility classes are executed, the logs specific to the utility classes are recorded. The recorded logs can be debugged using VRF Lite utility debugging settings. To apply the debugging level to the VRF Lite Utility:

Step 1 Select Admin > System > Debug Settings > VRF Lite Utility Debugging. The VRF Lite Utility Debugging Settings dialog box appears.The default location of the log file for VRF Lite Client Debugging Settings is NMSROOT\log\Vnmutility.log. The Debug levels in the VRF Lite Utility Debugging Settings dialog box is as described in Table 17-15:

Table 17-15 Settings in VRF Lite Utility Debugging

Field Description Debug Level INFO Only informational messages are recorded in the log file.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 17-33 Chapter 17 Debugging Options Setting VRF Lite Debugging Options

Table 17-15 Settings in VRF Lite Utility Debugging (continued)

Field Description DEBUG All messages related to VRF Lite Utility are recorded in the log file. ERROR Error is the default logging level. Messages related to fatal errors are recorded in the log file. This is the default option. Reset Click Reset to reset the debug levels applied to VRF Lite Utility, to default value.

Step 2 Select a debug level and click Apply to apply the selected debug level to the VRF Lite Utility.

Administration of Cisco Prime LAN Management Solution 4.2 17-34 OL-25947-01

CHAPTER 18

Understanding LMS Tasks

This section briefly describes all the LMS tasks. See the Online help for further details. This section explains the following LMS task groups: • Understanding Admin Tasks • Understanding Report Tasks • Understanding Configuration Tasks • Understanding Monitor Tasks • Understanding Inventory Tasks • Understanding Work Center Tasks

Note You should enable the Browse Jobs task to schedule any job across LMS.

Understanding Admin Tasks

This section explains the following Admin task groups: • Understanding System Tasks • Understanding Trust Management Tasks • Understanding Network Tasks • Understanding Collection Tasks • Light Weight Messaging System • Jobs • Getting Started • Manage Portal

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-1 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

Understanding System Tasks

This section explains the following System task groups: • Log Rotation • Cisco.com Settings • Licensing • Software Center • Debug Settings • System Preferences/Device Management Functions • User Management • Server Monitoring • DBReader Access • Group Management • Authentication Mode Setup • Backup • SMTP Default Server

Log Rotation You can configure log rotation settings and schedule log rotation jobs.

Cisco.com Settings You can configure Cisco.com Settings like: • Proxy Server Setup You can update the proxy server configuration. – Apply Proxy Server Settings: You can set up the proxy server details. – Remove Proxy Server Settings: You can remove the proxy server settings that are already set up. • Cisco.com User Account Setup You can add and modify Cisco.com user login names and password.

Licensing You can register your software and obtain a product license.

Administration of Cisco Prime LAN Management Solution 4.2 18-2 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

Software Center This section explains the following Software Center task groups: • Schedule Device Downloads You can schedule device package downloads and specify the time, frequency of the downloads, and specify download policies if you have permissions. • Device Update You can view a list of all Cisco Prime related devices packages on your system, and the count of devices supported. The source location could be Cisco.com or the Server Side Directory. – Check For Updates You can check for new device updates. – Delete Device Packages You can delete packages that are outdated or no longer used. • Software Update You can perform the following tasks: – Download Updates You can download the selected updates from Software Center. – Select Updates You can select new software packages to update the product.

Debug Settings This section explains the following Debug Settings tasks: • Layer2 Configuration/Reports and User Tracking Debug Options You can configure the debug options for Layer2 Configuration and Reports and User Tracking. • Config and Image Management debugging settings – Loglevel Settings - Defaults/Apply You can set different logging levels such as Fatal, Error, Warn, Info, or Debug for individual Config and Image Management packages. • IPSLA Debugging Settings You can view, set or reset the log levels for all the modules of IPSLA Performance Management.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-3 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

• VRF Lite Debug Settings You can set debugging options for: – VRF Lite Server – VRF Lite Collector – VRF Lite Client – VRF Lite Utility • Common Services Log Configurations You can enable or disable the debugging option for Common Services components without restarting the services. • Fault Debugging Settings You can change the logging level of all the functional modules of Fault Management. • Performance Debugging Settings You can configure and manage log level settings of Device Performance Management function of LMS.

System Preferences/Device Management Functions You can configure system-wide information on the LMS Server. You can also enable or disable LMS functions like: • Inventory, Config and Image Management • Network Topology, Layer 2 Services and User Tracking • Fault Management • IPSLA Performance Management • Device Performance Management

User Management This section explains the following User Management tasks: • Local User Setup – Edit User You can modify a local user in LMS Server, assign roles, and specify the authorization type. – Delete User You can delete a local user profile from the LMS Server. – Modify My Profile You can modify your local user profile in LMS Server. – Add User You can add a local user in LMS Server. – Import/Export Users You can import local users from the client or from ACS. You can import local users from ACS only through CLI and not from the UI. You can export the local users.

Administration of Cisco Prime LAN Management Solution 4.2 18-4 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

• Notify Users You can broadcast messages to online users. • Local User Policy Setup You can setup username and password policies for local authentication users in LMS. • Role Management Setup The Role Management tasks are listed below: – Delete Role You can delete user-defined roles. – Add Role You can add user-defined roles. – Edit Role You can edit user-defined roles. – Import/ Export Roles You can import roles in the XML format from the client.You can export roles in the XML format. The file will be saved in the client. – Copy Role You can use this option to copy a role. – Default Role You can set a role as a default role. When multiple roles are set as default role, the user will be assigned with all the roles selected as default roles.

Server Monitoring This section explains the following Server Monitoring task groups: • Process – Start Processes You can start the Cisco Prime processes. – Stop Processes You can stop the Cisco Prime processes. • Collect Server Information – Create Collect Server Information You can get the required information about the server. This includes system information, environment, configuration, logs, web server information, device and credentials administration information, and grouping services information. – Delete Collect Server Information You can delete the collected server information. • DiskWatcher Configuration You can configure disk space threshold level.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-5 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

• Selftest You can view self test reports to test some basic functions of the server. – Create Self test You can test the basic functions of server. – Delete Self test You can delete the collected self test information.

DBReader Access You can run the DBReader utility from a Cisco Prime client to access the database and troubleshoot database issues.

Group Management The Groups feature helps you to group devices managed by LMS. It helps to create, manage and share groups of devices. This section explains the following Group Management task groups: • Device Groups – Delete Group You can delete a group from the Group Selector. When you delete a group, all the child groups under the group are also deleted. You can also delete the stale groups (groups that are belonging to users removed from Cisco Prime). – Edit Group You can modify some of the device groups. – Export Group You can export a selected group or all user-defined groups from all applications, to an output file. – Group Refresh You can recompute the membership of a group by re-evaluating the group's rule. The membership of Automatic groups is recomputed dynamically. – Create Group You can create device groups. – Import Group You can import user-defined device groups from an input XML file. – Group Details You can view the details of a group.

Authentication Mode Setup You can use your current authentication database for Cisco Prime authentication and select a login module (Kerberos, TACACS+, RADIUS, and others), and set their options.

Backup Allows you to backup the database regularly. It also lets you schedule immediate, daily, weekly, or monthly automatic database backups.

Administration of Cisco Prime LAN Management Solution 4.2 18-6 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

SMTP Default Server You can specify the default SMTP server.

Understanding Trust Management Tasks

This section explains the following Trust Management task groups: • Multi Server • Local Server

Multi Server You can perform the following multi-server management tasks: • Peer Server Certificate Setup You can add the certificate of another LMS Server into its trusted store. This allows LMS Servers to communicate with one another using SSL. – Delete Peer Certificate You can delete the peer certificate. – View Peer Certificate You can view the details of an existing peer certificate. – Add Peer Certificate You can add the certificate of a peer LMS Server into its trusted store. • System Identity Setup You can setup a System Identity user on servers that are part of a multi-server setup. This user enables communication among servers that are part of a domain. • Peer Server Account Setup You can create users who can log into LMS Servers and perform certain tasks. – Peer Server Accounts Delete You can delete a secret user set up in the LMS Servers. – Peer Server Accounts Add You can add a secret user who can programmatically login to multiple LMS Servers and perform certain tasks. – Peer Server Accounts Edit You can edit a secret user setup in the LMS Servers. • Single Sign-On Setup You can use your browser session to transparently navigate to multiple LMS Servers without authenticating to each server.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-7 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

Local Server • Certificate Setup You can create a self-signed certificate from the user interface. • Browser-Server Security Mode Setup You can enable browser-server security.

Understanding Network Tasks

This section explains the following Network task groups: • Best Practices Deviation Settings • Monitor/ Troubleshoot • Notification and Action Settings • CAAM Policy and PSIRT/EOS and EOL Settings • Discovery Settings • Purge Settings • Software Image Management • Configuration Job Settings • Device Credential Settings • Change Audit Settings • Resource Browser

Best Practices Deviation Settings You can customize the Discrepancies Report and Best Practices Deviations Report to display only those discrepancies and Best Practice Deviations about which you want to be notified.

Monitor/ Troubleshoot This section explains the following Monitor and Troubleshoot tasks: • NAM Configuration You can view, add, edit, or delete the NAM configuration details. • Load MIB You can load a MIB file. • RMON Configuration You can enable RMON on all ports in selected devices. • Fault Poller settings for topology You can configure fault poller settings for Topology.

Administration of Cisco Prime LAN Management Solution 4.2 18-8 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

Notification and Action Settings This section explains the following Notification and Action Settings tasks: • Performance - Syslog notification You can update, create, edit, or delete a syslog receiver group. • IPSLA Syslog Configuration You can view, enable or disable IPSLA syslog configuration. • Performance - SNMP Trap notification You can create, edit, or delete a trap receiver group. • Fault Syslog Notification You can add, edit, suspend, resume, or delete a syslog notification subscription. • Fault - SNMP trap notification You can add, edit, suspend, resume, or delete an SNMP trap notification subscription. • ChangeAudit Automated Actions You can define automated actions on creation of change audit record. You can create, edit, delete, enable, disable, export, or import an automated action. • Event Sets You can configure a set of events that you want to monitor. • Fault - SNMP trap forwarding You can forward SNMP traps from devices in the LMS inventory • Fault - SNMP trap receiving settings You can update SNMP trap receiving port. • Fault - Email notification You can add, edit, suspend, or resume a subscription for e-mail notification. You can also delete e-mail notification subscriptions that are no longer useful or are redundant. • Syslog Message Filters You can create, edit, delete, enable, disable, export, or import syslog message filter. • Fault Notification Customization You can customize names and event severity. • Fault - Email subject customization You can customize the e-mail subject for forwarded events. • Inventory and Config collection failure notification You can configure the destination server and port to receive trap notification on inventory collection or config fetch failure. • Syslog Automated Actions You can create, edit, delete, enable, disable, export, or import a syslog automated action. • Fault Notification Group You can add, edit, or delete fault notification groups.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-9 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

CAAM Policy and PSIRT/EOS and EOL Settings This section explains the following CAAM Policy and PSIRT/EOS and EOL Settings task: • PSIRT/EOX reports option You can use the PSIRT/EOX Reports option to change the data source for generating a PSIRT or End-of-Sale or End-of-Life report.

Discovery Settings This section explains the following Discovery Settings tasks: • Settings You can: – View Discovery Settings You can view the summary of device discovery settings. – Configure Discovery Settings You can configure the settings required to run a discovery job. – Discovery Status You can view the status of device discovery. – Start Stop Discovery You can also start or stop a device discovery. • Schedule You can add a device discovery schedule.

Purge Settings This section explains the following Purge Settings tasks: • Config Job purge settings You can configure the following config job settings: – Job Purge - Schedule/Enable/Disable/Purge Now You can schedule, enable, or disable purging of configuration management jobs. You can also immediately purge the jobs. – Job Purge You can purge the config jobs. • Syslog Backup Settings You can set the syslog backup policy. • IPSLA data Purge Settings

Administration of Cisco Prime LAN Management Solution 4.2 18-10 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

You can set the purge period for IPSLA historical data and for audit reports. You can configure the following IPSLA data Purge settings: – Apply IPSLA Purge Settings You can apply IPSLA purge settings. – IPSLA Purge Settings You can view IPSLA purge settings – Default IPSLA Purge Settings You can apply default IPSLA purge settings. • Syslog Force Purge You can perform a forced purge of syslog messages • Performance Job Purge Settings You can configure the following performance Job purge settings: – Do Immediate Job Purge You can immediately purge the performance jobs. – Schedule Job Purge You can schedule a performance job purge. • Fault History Purging Schedule Configure the daily fault history purging schedule. • VRF Lite Purge Settings You can purge VRF Lite jobs or report archives. • ChangeAudit Force Purge You can perform a forced purge of change audit. • Config Archive Purge Settings You can define the configuration archive purge policy. • ChangeAudit Purge Policy You can set the change audit purge policy. • Performance data purge settings You can configure the following performance data purge settings: – Do Immediate Data Purge You can immediately purge the performance data . – Schedule Data Purge You can schedule a performance data purge. • Syslog Purge Settings You can specify a default policy for the periodic purging of syslog messages. • Layer2 Services and User Tracking Report Purge You can purge Layer2 services jobs or report archives.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-11 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

Software Image Management This section explains the following Software Image Management task: • View/Edit Preferences You can set or change software management preferences

Configuration Job Settings This section explains the following Configuration Job Settings tasks: • Assign Approver Lists You can assign an approver list to the applications • Create/Edit Approver Lists You can create, edit, or delete approver lists • Approver Details You can specify approver details • Approval Policies You can set up job approval for the applications • Config Job Policies You can define the default job policies for configuration management applications

Device Credential Settings This section explains the following Device Credential Settings tasks: • User Defined Fields You can add, rename, or delete the user-defined fields used to store additional information about a device. – Register/Unregister 3rd Party Application in DCR You can register or unregister third party applications in DCR. – Add User Defined Fields in DCR You can add a User Defined Field to to store the additional information about a device. – Rename User Defined Fields in DCR You can rename a User Defined Field. – Delete User Defined Fields from DCR You can delete a User Defined Field. • Mode Settings You can change DCR mode settings to master, slave or standalone. • Verification Settings You can select the credentials that need to be verified while adding devices.

Administration of Cisco Prime LAN Management Solution 4.2 18-12 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

Change Audit Settings This section explains the following Network Administration tasks: • Inventory Change Filter You can set inventory change filters. • Exception Period You can specify the time when no network changes should occur.

Resource Browser This section explains the following Resource Browser tasks: • Browse Resources You can view the details of resources and manage resources. • Free Resources You can free-up locked resources.

Understanding Collection Tasks

This section explains the following Collection task groups: • Inventory Collection Settings • Config Collection Settings • Data Collection Settings • Syslog Collection Settings • Performance Collection Settings • User Tracking Collection Settings • Fault Collection Settings • VRF Lite Collection Settings

Inventory Collection Settings You can set the default values for inventory, config timeout, and retry settings. This section explains the following Inventory Collection Settings tasks: • Inventory Jobs You can view the Inventory job browser, and view, create, stop, delete, or edit an inventory collection or polling job. • Inventory, Config Timeout and Retry Settings You can edit the inventory, config timeout, and retry settings.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-13 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

Config Collection Settings This section explains the following Config Collection Settings tasks: • Config Archive settings You can configure the Config Archive settings. You can move the configuration archive location, archive the running configuration, or enable or disable the use of shadow directory. • Config Collection Settings You can define the configuration collection setting. You can modify how and when the configuration archive retrieves configurations. • Secondary Credentials Settings You can enable or disable the secondary credentials fallback. • Config Transport Settings You can view or define the protocol order for configuration management applications • Config Job Timeout Settings You can configure the Job Result Wait Time per device for the Sync Archive jobs.

Data Collection Settings This section explains the following Data Collection Settings tasks: • Data Collection schedule You can schedule the day and time of Data Collection. • Start Data Collection You can start Data Collection. • Layer2 Administration Settings You can configure Layer2 administration settings.

Syslog Collection Settings This section explains the following Syslog collection tasks: • Subscribe/Unsubscribe Collector You can subscribe or subscribe to a Common Syslog Collector. • Collector Status/Update You can view the status of the Common Syslog Collector to which the Syslog Analyzer is subscribed to.

Administration of Cisco Prime LAN Management Solution 4.2 18-14 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

Performance Collection Settings This section explains the following Performance collection tasks: • IPSLA application settings You can configure the following IPSLA application settings: – Copy IPSLA Configuration to Running-config You can view the configured collectors in the running configuration. You can also retain the default settings. – Set a source interface address You can set a source interface address for the source router. You can also retain the default settings. • Performance Management SNMP timeouts and retry settings You can configure the Performance Management SNMP timeout and SNMP retries. You can also configure other Poll Settings.

User Tracking Collection Settings This section explains the following User Tracking collection tasks: • User Tracking device trap configuration You can configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a host is connected to or disconnected from that port. • User Tracking Acquisition Action You can trigger the following acquisitions: – Device based Acquisition – Subnet based Acquisition – IP Phone Acquisition • User Tracking trap listener configuration You can configure the trap listener to direct the traps through HP Open View (HPOV) or LMS Fault Monitor. • User Tracking Acquisition Settings You can configure User Tracking Acquisition settings to collect usernames during UT Major Acquisition and update the UT table. • User Tracking Acquisition Schedule You can modify UT acquisition schedule. • User Tracking Administration Settings You can configure the various User Tracking administration settings.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-15 Chapter 18 Understanding LMS Tasks Understanding Admin Tasks

Fault Collection Settings This section explains the following Fault collection tasks: • Fault Management Rediscovery Schedule You can suspend, or resume the Fault Management rediscovery schedule, and add, modify, or delete additional schedules. • Fault Monitoring Device Administration You can rediscover specific devices. • Fault Management SNMP timeouts and retries You can modify the Fault Management SNMP timeout and retries. • Collection Summary Portlet You can view the report of successful and failed devices for fault discovery in this portlet. • Fault Event Forensics Configuration You can enable the Event Forensics collection feature on LMS server to start collecting the event forensics data.

VRF Lite Collection Settings This section explains the following VRF Lite collection tasks: • VRF Lite SNMP Timeouts and Retries You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular device with SNMP timeout exceptions. • VRF Lite Collector Schedule You can schedule the VRF Lite Collector process to run after every Data Collection. You can also add, edit and delete VRF Lite Collector Schedule jobs.

Light Weight Messaging System The Light Weight Messaging system allows you to perform the following task: • Event Listener You can use this tool to send and receive events.

Jobs You can perform the following Job tasks: • Browse Jobs You can use the job browser and view the details of individual jobs.

Note You should enable the Browse Jobs task to schedule any job across LMS.

• Delete Job You can use the job browser to delete the jobs. • Stop Job You can stop the jobs using the job browser.

Administration of Cisco Prime LAN Management Solution 4.2 18-16 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Report Tasks

Getting Started You can perform the Getting Started tasks.

Manage Portal You can manage all the portlets.

Understanding Report Tasks

This section explains the following Report task groups: • Understanding Fault and Event Report Tasks • Understanding Report Archives Tasks • Understanding Report Designer Tasks • Understanding Inventory Report Tasks • Understanding Audit Report Tasks • Understanding Technology Report Tasks • Understanding Performance Report Tasks • Understanding System Report Tasks • Understanding Switch Port Report Tasks • Schedule Reports in Layer2 Services and User Tracking • User Tracking Job Archives • Layer2 Services Job Archives • Inventory/Syslogs/Change Audit Generate Reports • Inventory/Syslogs/Change Audit View All Reports • Inventory/Syslogs/Change Audit View Own Reports

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-17 Chapter 18 Understanding LMS Tasks Understanding Report Tasks

Understanding Fault and Event Report Tasks

This section explains the following Fault and Event report task groups: • Threshold Violation • Best Practices • Syslogs • History

Threshold Violation You can generate this report which displays threshold violations details for each device based on the polled data. • Thresholds You can create reports based on the threshold configured for the MIB variable. You can create, or view reports for specific threshold MIB variables. These reports are called IPSLA Threshold Violation reports. • TrendWatch Summary You can create consolidated reports based on the TrendWatches configured for the MIB variable. You can create, view summary reports of TrendWatch MIB variables.

Best Practices You can generate the following Best Practices and Discrepancy reports: • Acknowledge/Unacknowledge Discrepancy You can acknowledge a Best Practice Deviation that you no longer want to see in the Best Practices. You can also unacknowledge the acknowledged Best Practise Deviations to reappear in the Best Practise Deviations Report. • Discrepancies You can fix the discrepancies detected in the network. • Fix Best Practice Deviation You can the fix Best Practice Deviation detected in the network. • Fix Discrepancy You can the fix discrepancies detected in the network. • Deviation You can view best practice deviation report.

Syslogs You can use Custom Reports along with Syslogs to generate GOLD test reports. You can also use Custom Reports along with Syslogs to generate Embedded Event Manager reports.

Administration of Cisco Prime LAN Management Solution 4.2 18-18 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Report Tasks

History You can search fault history database for device issues. • Event History You can view the fault history report for a given event ID. • Event Monitor/Device Fault You can view information on events in device for the past 31 days. Event Monitor is a centralized place where in you can view the event details of all devices and device groups.

Understanding Report Archives Tasks

This section explains the following Report Archives task groups: • IPSLA • Inventory and Syslog • Layer2 Services and User Tracking

IPSLA You can manage IPSLA archived reports. You can perform the following tasks: • List Report Archives You can list the IPSLA report archives. • Delete Report You can delete the IPSLA report archives.

Inventory and Syslog You can view the list of the completed report jobs that you own or all report jobs.

Layer2 Services and User Tracking You can view and delete archived Layer2 Services and User Tracking reports.

Understanding Report Designer Tasks

You can view, modify, or create new report templates for: • User Tracking • Syslog and Inventory

User Tracking • Custom Layouts You can view the list of Custom layouts. • Custom Reports You can customize the layout and columns displayed in the UT reports to suit your needs.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-19 Chapter 18 Understanding LMS Tasks Understanding Report Tasks

Syslog and Inventory • Custom Report Template You can create new report templates customized according to your requirements. You can also view, add and edit, delete existing custom templates, view your own templates or view all templates.

Understanding Inventory Report Tasks

You can generate inventory reports and this section explains the following Inventory Report task groups: • Device Attributes • User Tracking • Management Status

Device Attributes You can view device attributes report.

User Tracking You can create, schedule, and view various UT reports like: • End Host History You can view the login and logout information of the endhosts • User Tracking System and Custom Reports You can view User Tracking system and custom reports

Management Status You can generate device credentials, device and credentials admin reports, and inventory and config Collection Status report. • Inventory and Config Collection Status You can generate the Inventory and Config Collection Status Report which helps you to identify possible causes for Inventory and Configuration collection failure and take timely corrective action.

Understanding Audit Report Tasks

You can generate audit reports like: • System • Performance • Inventory and Config

System You can generate system audit report.

Administration of Cisco Prime LAN Management Solution 4.2 18-20 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Report Tasks

Performance You can generate performance audit report.

Inventory and Config You can generate inventory and config audit report.

Understanding Technology Report Tasks

You can generate the following technology reports: • VLAN • VRF Lite

VLAN You can generate VLAN reports for devices, switch clouds, or VTP domains.

VRF Lite You can generate the following VRF Lite Reports: • VRF Lite and VRF Lite Readiness report You can generate Device Based VRF-Lite reports and VRF Based reports. You can also generate the VRF Lite Readiness report which provides the devices details that comply with the basic hardware and software support available, in contrast to the required support on the devices to configure VRF.

Understanding Performance Report Tasks

This section explains the following Performance Report task groups: • Create Performance Report • View Performance Report • Poller • Device • Create IPSLA Report • View IPSLA Job Details • View IPSLA Report • Custom

Create Performance Report You can generate, or view performance reports like: • Interface Report Displays the Interface availability information of a device during the last 24 hours. It also displays Interface utilization and error rate information for a device interface during the last 24 hours. • IPSLA Detailed Report You can generate various IPSLA detailed reports.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-21 Chapter 18 Understanding LMS Tasks Understanding Report Tasks

• IPSLA Summary Report You can generate system reports for all collectors based on the report types and granularity after the consolidation of the statistical data. • EnergyWise Device Power Usage Displays the power usage data for each device that is polled for the EnergyWise Device Power Usage template. • EnergyWise Port Power Usage Displays the power usage data for each port that is polled for the EnergyWise Port Power Usage template. • PoE Port Utilization Report Displays the port level utilization for each device polled for the Power Over Ethernet (PoE) Port Utilization template. • PSE Consumption report Displays the power utilization and losses for each device polled for the Power Over Ethernet PSE Consumption template. • IPSLA Audit report Displays all IPSLA related audit changes that occurred in the network during a specified time period.

View Performance Report You can view performance reports like: • Interface Report • IPSLA Detailed Report • IPSLA Summary Report • EnergyWise Device Power Usage • EnergyWise Port Power Usage • PoE Port Utilization Report • PSE Consumption report • IPSLA Audit report

Poller You can: • View Poller Report You can view Poller Reports based on the template added in a given Poller. • Create Poller Job You can create Poller Reports based on the template added in a given Poller.

Device You can view device availability and performance parameters of a device. • Device Performance You can view performance parameters of a device.

Administration of Cisco Prime LAN Management Solution 4.2 18-22 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Report Tasks

Create IPSLA Report You can create IPSLA Reports and IPSLA Threshold Violation Reports. You can also reset the values you entered.

View IPSLA Job Details You can view details of IPSLA jobs.

View IPSLA Report You can view IPSLA Reports, IPSLA Report Archives and IPSLA Threshold Violation Reports. You can list and create IPSLA Audit Report.

Custom You can create, or view custom reports.

Understanding System Report Tasks

You can generate administration and system reports. This section explains the following System task groups: • Data Collection Metrics and Device Support • Users • ANI Server Analysis • Status

Data Collection Metrics and Device Support You can view the duration of each data collection, and the device count. You can also view the icon, name, and object ID of the supported devices.

Users You can view information about users currently logged into LMS. • Who is Logged on You can view information on users currently logged into LMS. • Permission Report You can view information on roles and privileges.

ANI Server Analysis You can analyze the ANI server performance.

Status You can view the status of the processes running on the LMS Server. • Log File You can view information on log file size and file system utilization. • Process You can view the status of the processes running on the LMS Server.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-23 Chapter 18 Understanding LMS Tasks Understanding Report Tasks

Understanding Switch Port Report Tasks

You can generate reports based on switch port status. This section explains the following Switch Port Report task groups: • User Tracking Switch Port Usage • Ports

User Tracking Switch Port Usage You can view reports on: • Connected Ports—The ports that are administratively UP and are connected to a device will be listed here. • Free Ports—The Ports that are administratively UP but are not connected to a device will be listed here. • Free Down Ports—The ports that are administratively down will be listed here. You can also view the following reports: • Switch Port Capacity Report Lists switches that have crossed utilization threshold limits, along with the value of percentage port utilization. • Recently Down Ports Displays: – Link ports that were connected to a device in the previous Data collection, but found unconnected in the current Data Collection. – Access ports that were connected to an endhost in the last UT Major Acquisition cycle, but found unconnected in the current Data Collection • Reclaim Unused Down Ports Report Displays ports that have been in Unused Down state for a specified interval of time. • Reclaim Unused Up Ports Report Displays ports that have been in Unused Up state for a specified interval of time. • Switch Port Summary Report Displays the number of Connected, Free, and Free down ports in each switch.

Ports You can view status of the ports. • Port Attributes You can view information about the status of ports in the network

Schedule Reports in Layer2 Services and User Tracking You can schedule reports of the Network, Layer 2, and User Tracking function of LMS.

User Tracking Job Archives You can view archived reports of UT jobs.

Administration of Cisco Prime LAN Management Solution 4.2 18-24 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Configuration Tasks

Layer2 Services Job Archives You can view archived reports of Layer 2 services jobs.

Inventory/Syslogs/Change Audit Generate Reports You can generate all Inventory, Syslog, and Change Audit reports.

Inventory/Syslogs/Change Audit View All Reports You can view all Inventory, Syslog, and Change Audit reports.

Inventory/Syslogs/Change Audit View Own Reports You can view all Inventory, Syslog, and Change Audit reports which you have generated.

Understanding Configuration Tasks

This section explains the following Configuration task groups: • Understanding Configuration Archive Tasks • Understanding Configuration Tools Tasks • Understanding ConfigCLI Tasks • Understanding Configuration Workflows Tasks • Understanding Configuration Job Browsers Tasks • Understanding Compliance Tasks

Understanding Configuration Archive Tasks

This section explains the following Configuration Archive tasks: • Label Configs • Summary • Views

Label Configs You can select configuration files from different devices, group and label them. You can manage Label Configs.

Summary You can view the configuration archival status and summary.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-25 Chapter 18 Understanding LMS Tasks Understanding Configuration Tasks

Views You can search archives using version tree and version summary. The tasks in Views are the following: • Custom Queries You can create a custom configuration query that searches information about the specified configuration files. • Search Archive You can search the archive for configuration containing text patterns for selected devices. • Version Summary You can view all archived configurations for selected devices.

Understanding Configuration Tools Tasks

This section explains the following Configuration Tools tasks: • Software Image Management • NetConfig/Template Center • Config Editor

Software Image Management • Software Repository You can view, add, delete, or update the images that are available in the Software Management repository. • Repository Synchronization You can update the software repository. • Software/Patch Distribution You can distribute software images in the network. You can also distribute patches simultaneously to applicable devices. • Jobs You can check the status of a scheduled Software Image Management job. You can view, edit, stop, delete, retry or undo the job. • Upgrade Analysis You can analyze images before distribution.

Administration of Cisco Prime LAN Management Solution 4.2 18-26 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Configuration Tasks

NetConfig/Template Center This section explains the following NetConfig and Template Center tasks: • Assign Tasks You can assign tasks to a valid Cisco Prime user. • User Defined Tasks You can create and edit user-defined tasks. • Adhoc Configuration-Template Center You can deploy and import Adhoc Configuration template. • Jobs – View You can view all NetConfig and Template Center jobs. – Create/Configure/Deploy/Import You can deploy and import configuration templates in LMS. You can also create NetConfig jobs.

Config Editor This section explains the following Config Editor tasks: • Private Configs You can view changes made to a configuration file in the private work area. • Edit Private Configs You can save an edited configuration file in the private work area on the server and retrieve the saved file when required. • Edit Public Configs You can save an edited configuration file in the public work area on the server and retrieve the saved file when required. • Delete Private Configs You can remove a configuration file from the private work area on the server. • Delete Public Configs You can remove a configuration file from the public work area on the server. • Public Configs You can view changes made to a configuration file in the public work area. • Edit Mode Preference You can set up the default editing mode. • Config Editor You can open, edit, or print configuration files. • Jobs You can create, edit, delete, copy, or stop Config Editor jobs.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-27 Chapter 18 Understanding LMS Tasks Understanding Configuration Tasks

Understanding ConfigCLI Tasks

This section explains the following ConfigCLI tasks:

Delete You can delete configurations older than a specified date from the configuration archive.

Compare With Baseline and Deploy You can create a job that compares the given Baseline template with the latest version of the configuration for a device and download the configuration to the device if there is a non-compliance.

List Version Lists the different versions of configuration files archived in the archival system.

Create Parameter file You can create a parameter file if the Baseline template containing the parameters is specified.

Compare With Baseline You can compare the given Baseline template with the latest version of the configuration for a device.

Deploy Baseline You can deploy the given Baseline template to a device.

Reload You can reboot the devices, to load the running configuration with their startup configuration.

Get Configuration You can retrieve the running configuration from the devices and push it to the configuration archive if the running configuration is different than the latest version in the archive.

Run2Start You can create a job that overwrites the startup configuration of device with running configuration.

Get Change Audit Data You can get Change Audit data.

Write2Run You can compare the latest running configuration for the device in the configuration archive with the configuration in the file, to generate a new configuration that is downloaded to the device, so that the configuration specified in the file is available on the running configuration of the device.

Export Configuration You can retrieve the configuration for a device from the archive and write it to a specific file.

Compare You can list the difference between versions of a device configuration.

Administration of Cisco Prime LAN Management Solution 4.2 18-28 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Configuration Tasks

write2Start You can erase the contents of the device's startup configuration and then write the contents of the given file as the device's new startup configuration.

Export Configuration-xml You can retrieve the configuration for a device from the archive and write it to a XML file.

Import Configuration You can retrieve the configuration from a file, and push it to the device, adding to the device's running configuration.

Get Inventory Data You can get the inventory data for the devices.

Start2Run You can merge the running configuration of any devices with their startup configuration to give a new running configuration.

Put Configuration You can retrieve the configuration from the configuration archive and push it to the device.

Understanding Configuration Workflows Tasks

This section explains the following Configuration Workflows tasks: • VLAN • VRF Lite

VLAN This section explains the following VLAN Workflows tasks: • Configure Port Assignment You can manage ports on your network VLAN. • Create/Delete Private VLAN You can create and delete private VLANs • Configure Promiscuous Ports You can configure a promiscuous port • Create/ Modify Trunk You can create a trunk for a port, or modify trunk attributes. • Configure/ Delete VLAN You can create and delete VLANs configured on the devices in the network.

VRF Lite This section explains the following VRF Lite Workflows tasks: • VRF Configuration You can create, edit, extend, delete and assign Edge VLAN to VRF.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-29 Chapter 18 Understanding LMS Tasks Understanding Configuration Tasks

Understanding Configuration Job Browsers Tasks

This section explains the following Configuration Job Browsers tasks: • Job Approval • NetConfig • Config Editor

Job Approval You can approve or reject a job for which you are an Approver. The job will not run until you or another Approver approves it.

NetConfig You can manage NetConfig jobs.

Config Editor You can manage Config Editor jobs.

Understanding Compliance Tasks

This section explains the following Configuration Compliance tasks: • Out-of-Sync Summary • Compliance Templates

Out-of-Sync Summary You can generate Out-of-Sync report for device groups.

Compliance Templates This section explains the following Compliance Templates tasks: • Compliance Check You can run a compliance check. • Direct Deploy You can deploy a baseline template using a file system or UI. • Templates You can manage a baseline template.

Administration of Cisco Prime LAN Management Solution 4.2 18-30 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Monitor Tasks

Understanding Monitor Tasks

This section explains the following Monitor task groups: • Understanding Performance Settings Tasks • Understanding Fault Settings Tasks • Understanding Threshold Settings Tasks • Understanding Troubleshooting Tools Tasks • Understanding Monitoring Tools Tasks

Understanding Performance Settings Tasks

You can configure performance settings like: • IPSLA • Setup

IPSLA You can manage IPSLA devices, collectors, operations and outage settings • Devices You can add devices to manage IPSLA functionality. You can: – Enable IPSLA Responder You can enable IPSLA responder for the selected devices. – Update IPSLA Config You can update the IPSLA responder enable or disable status. You can also save the latest information configured in a device to the database. – View Devices You can view all the IPSLA devices managed by LMS. – Edit Device Attributes You can edit the device attributes like SNMP Retry and SNMP Timeout. – Delete devices You can delete Adhoc target devices. – Add Adhoc Target You can add adhoc target devices to the IPSLA Performance Management function in LMS if you want to manage devices from an external source. The Adhoc devices may be either Cisco devices or devices with a unique IP address. • Collectors You can create, edit, delete, monitor, start, list, view, or stop collectors. When you have the authorization to create collectors you can import, export and reconfigure collectors.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-31 Chapter 18 Understanding LMS Tasks Understanding Monitor Tasks

• Operations You can analyze IP service levels for IP applications and services. You can view operation details, list, create, edit, or delete operations. • Outage Settings You can view, list, create, edit, or delete planned outages.

Setup You can setup auto monitoring, poller and template management • Automonitor You can change the polling intervals. • Pollers You can create and manage pollers. You can: – Edit Poller You can edit pollers. – Clear Failures You can clear all the failures recorded in the database for a Poller. – Clear Missed Cycle You can clear all the polling interval cycles missed for a Poller. – Activate and Deactivate Poller You can activate an inactive Poller to poll, or stops a Poller from polling. – View Failures You can view failures that occurred during polling. – Create Poller You can create a Poller. – List Performance Devices You can view performance devices. – Delete Poller You can delete a Poller. – Debug Performance Polling Engine You can debug performance polling engine. – List / View Pollers You can list or view Pollers. • Templates You can create, copy, edit, list, delete, export, or import templates to monitor performance parameter. • Device Performance Management Summary You can view the Device Performance Management Summary portlet details. To access any custom role, you should select Device Performance Management Summary.

Administration of Cisco Prime LAN Management Solution 4.2 18-32 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Monitor Tasks

Understanding Fault Settings Tasks

You can set up the following fault settings tasks: • Setup You can setup polling parameters, group priorities, and view device fault details. – Apply Changes You can apply polling and threshold changes. – Polling Parameters You can configure polling parameters. – Fault Device Details You can view component details of a device. – Priority Settings You can set priority for polling and thresholds.

Understanding Threshold Settings Tasks

You can configure pollers, manage templates, configure trendwatch. This section explains the following Threshold Settings tasks: • TrendWatch • Performance • Fault

TrendWatch You can create, activate, list and view, edit, copy, deactivate, or delete trendwatch for a MIB variable.

Performance You can create, edit, delete, access, or, list and view thresholds for a MIB variable.

Fault You can view the thresholds that are associated with device groups, trunk port groups, access port groups, and interface groups.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-33 Chapter 18 Understanding LMS Tasks Understanding Monitor Tasks

Understanding Troubleshooting Tools Tasks

You can troubleshoot network devices using various tools like NetShow and VRF-Lite. This section explains the following Troubleshooting Tools tasks: • VRF Lite • NetShow • Connectivity Tools • Troubleshooting Workflows

VRF Lite • Ping and Traceroute/Show Commands You can troubleshoot VRFs using Ping or Traceroute, or view the result of the VRF-specific show commands

NetShow • Job Operations You can perform tasks such as viewing job details, creating jobs, editing jobs, copying jobs, retrying failed jobs, stopping jobs, and deleting jobs. • Command Set Operations You can create, edit, or delete user-defined Command Sets. • Assigning Command Sets You can assign command sets to network operators. • Command Sets You can view the details of an existing Command Set. • NetShow Jobs/Show Commands You can run NetShow commands and view NetShow jobs.

Connectivity Tools You can use the following tools: • Device Center You can launch the troubleshooting page by clicking device IPs. • Packet Capture You can capture live data from the Cisco Prime machine to aid in troubleshooting. • SNMP Walk You can trace the MIB tree of a device starting from a given OID for troubleshooting, or gathering information about a certain device. • SNMP Set You can set an SNMP object or multiple objects on a device for controlling the device.

Troubleshooting Workflows You can troubleshoot network problems using the troubleshooting workflows. You can diagnose network connectivity problems, or diagnose devices.

Administration of Cisco Prime LAN Management Solution 4.2 18-34 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Monitor Tasks

Understanding Monitoring Tools Tasks

You can use fault and event monitor tools like: • Fault Monitor • Configure Inter-VLAN Routing • View Link Bandwidth utilization • Configure EtherChannel • Device Operation Discover Devices • View Trunk Attributes • Time Domain Reflectometer Report • Device Operation Delete Link • Spanning Tree Reports • Device Operation Delete Devices • Topology Services • Spanning Tree Configuration • Device Operation Change management IP • View Data Extraction Engine

Fault Monitor You can view all the faults in a common place. It collects information of fault in devices in real-time and display the information by a selected group of devices. You can clear or annotate faults. It allows you to own the fault or clear them.

Configure Inter-VLAN Routing You can configure Inter-VLAN Routing.

View Link Bandwidth utilization You can view bandwidth utilization across links, in the Topology maps.

Configure EtherChannel You can configure EtherChannel.

View Devices at Fault and Event Monitor You can view devices available at Fault and Event Monitor.

Device Operation Discover Devices You can discover devices for device operation.

View Trunk Attributes You can view trunk attributes.

Time Domain Reflectometer Report You can generate the TDR report that detect faults in a cable. TDR checks and locates open circuits, short circuits, sharp bends, crimps, kinks, impedance mismatches, and other such defects.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-35 Chapter 18 Understanding LMS Tasks Understanding Inventory Tasks

Device Operation Delete Link You can remove a link from the Network Topology View.

Spanning Tree Reports You can generate Spanning Tree reports

Device Operation Delete Devices You can delete devices.

Topology Services You can access the LAN Edge, Layer 2, and Unconnected Devices network views of managed domains discovered in your network, and you can filter, access, or view network information or status.

Spanning Tree Configuration You can configure Spanning Trees on the network.

Device Operation Change management IP You can set a preferred management address to be used by LMS for devices which can have multiple IP addresses.

View Data Extraction Engine You can view Data Extraction Engine.

Understanding Inventory Tasks

This section explains the following Inventory task groups: • Understanding Group Management Tasks • Understanding Job Browsers Tasks • Understanding Device Administration Tasks • Understanding Inventory Tools Tasks

Understanding Group Management Tasks

You can create and manage fault groups, IPSLA collectors groups, or ports and modules groups. • Fault groups You can view, create, edit, delete fault groups, or refresh groups. • IPSLA Collector You can view, create, edit, delete or refresh IPSLA collector groups.

Administration of Cisco Prime LAN Management Solution 4.2 18-36 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Inventory Tasks

Understanding Job Browsers Tasks

You can view, create, edit, stop, retry, or delete device credentials verification jobs. You can also verify device credentials.

Understanding Device Administration Tasks

You can manage devices and auto update the server. This section explains the following Device Administration tasks: • Add / Import / Manage Devices • Add Managed Devices • Manage Device State • Device Allocation Policy

Add / Import / Manage Devices You can manage devices in DCR. You can: • View Credentials You can view device information for a single device or for multiple devices. • Export Devices You can export a list of device and their credentials. • View Reports You can generate the following reports: – Unreachable Devices Displays the list of devices that are unreachable. To generate this report, select Reports > Inventory > Management Status > Unreachable Devices. – Excluded Devices Displays the list of devices that should not be added in DCR. To generate this report, select Reports > Inventory > Management Status > Excluded Devices. – Imported Device Status Displays the information about the devices that are imported into DCR. To generate this report, select Reports > Inventory > Management Status > Imported Device Status. – Known Device List Displays the complete list and information of all devices in the repository. To generate this report, select Reports > Inventory > Management Status > Known Device List. – Device Administration Displays the complete device list in DCR. To generate this report, select Reports > Audit > Device Administration.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-37 Chapter 18 Understanding LMS Tasks Understanding Work Center Tasks

• Add Devices You can add devices, device properties or attributes, and device credentials to the DCR. • View Devices You can view devices in DCR. • Delete Devices You can delete devices from DCR. You can also schedule device polling job and view the Unreachable device report. • Bulk import You can import multiple devices into DCR. You can also view the Imported device report. • Edit Devices You can edit device information for a single device or for multiple devices.

Add Managed Devices You can manually add managed devices without using the Device Allocation Policy.

Manage Device State You can view the states of the devices.

Device Allocation Policy You can configure the device management policy for Device Management.

Understanding Inventory Tools Tasks

You can use tools like: • CiscoView Provides real-time views of networked Cisco Systems devices • Mini-RMON Provides web-enabled, real-time, remote monitoring (RMON) information to users to facilitate troubleshooting and improve network availability.

Understanding Work Center Tasks

This section explains the following Work Center task groups: • Understanding Smart Install Tasks • Understanding Auto Smartports Tasks • Understanding Identity Tasks • Understanding EnergyWise Tasks

Administration of Cisco Prime LAN Management Solution 4.2 18-38 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Work Center Tasks

Understanding Smart Install Tasks

You can configure and manage images using this plug-and-play configuration and image management feature that provides zero-touch deployment for new switches. • Jobs You can view the status, delete, stop or manage Smart Install jobs. • Readiness Assessment You can assess the readiness of your network for Smart Install. • Getting Started You can provision Smart Install for Day 1 operations. • Configure You can configure, and manage the Smart Install director.

Understanding Auto Smartports Tasks

You can configure, apply and manage Auto Smartports macros on the ASP-capable devices • Getting Started You can provision Auto Smartports for day 1 operations. • Jobs You can view the status, delete, stop or manage Auto Smartport reports. • Configure You can configure, and enable Auto Smartports on selected interfaces. • Readiness Assessment You can view Auto Smartports based device details after assessing the network.

Understanding Identity Tasks

You can create authentication, access control, and user policies to secure network resources and connectivity. • Configure You can configure Identity on Identity-capable devices. • Jobs You can view the status, delete, stop or manage Identity jobs. • Reports You can generate Identity reports. • Getting Started You can provision Identity for Day 1 operations. • Readiness Assessment You can view Identity-based device details after assess the network.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-39 Chapter 18 Understanding LMS Tasks Understanding Work Center Tasks

Understanding EnergyWise Tasks

You can manage and automate the energy management lifecycle of network. • Readiness Assessment You can view EnergyWise-based device details after assessing the network. • Jobs You can view the status, delete, stop or manage EnergyWise jobs. • Getting Started You can provision EnergyWise for Day 1 operations. • Reports You can generate EnergyWise reports like: – Power Usage You can generate EnergyWise power usage report. – Cost Savings You can configure EnergyWise cost savings. • EnergyWise portlets You can view EnergyWise portlets like: – EnergyWise Savings Trend Graph – EnergyWise Total Savings Graph – EnergyWise Power Consumption Graph • Manage Domains/General Settings You can manage the configured EnergyWise domains. You can configure the time to perform EnergyWise device collection, EnergyWise endpoint collection, and EnergyWise compliance check. • Configure You can configure energy management policies on devices and configure endpoints. – Manage Policies You can manage the EnergyWise policies. – Manage Endpoint Groups You can create an endpoint group of IP phones. – Configure Attributes on Endpoints You can configure EnergyWise attributes. • Settings You can configure EnergyWise collection, cost settings, and data purge settings. – Cost Savings You can configure EnergyWise cost savings. – Purge You can configure EnergyWise data purge settings.

Administration of Cisco Prime LAN Management Solution 4.2 18-40 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Work Center Tasks

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-41 Chapter 18 Understanding LMS Tasks Understanding Work Center Tasks

Administration of Cisco Prime LAN Management Solution 4.2 18-42 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Work Center Tasks

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-43 Chapter 18 Understanding LMS Tasks Understanding Work Center Tasks

Administration of Cisco Prime LAN Management Solution 4.2 18-44 OL-25947-01 Chapter 18 Understanding LMS Tasks Understanding Work Center Tasks

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 18-45 Chapter 18 Understanding LMS Tasks Understanding Work Center Tasks

Administration of Cisco Prime LAN Management Solution 4.2 18-46 OL-25947-01

APPENDIX A

CLI Tools

This section explains all the CLI utilities that are available for the administrator in LMS 4.2. This section contains: • Setting Up Local Users Through CLI • Changing Cisco Prime User Password Through CLI • Managing Processes Through CLI • Working With Third Party Security Certificates • Setting up Browser-Server Security • Backing up Data Using CLI • Using LMS Server Hostname Change Scripts • Using DCR Features Through CLI • Using Group Administration Features Through CLI • Deleting Stale Groups Using CLI • User Tracking Command Line Interface • Using Lookup Analyzer Utility • Understanding UTLite • User Tracking Debugger Utility • Configuring Switches to Send MAC Notifications to LMS Server • Administration Command Line Interface

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-1 Appendix A CLI Tools Setting Up Local Users Through CLI

Setting Up Local Users Through CLI

You can set up the local users through CLI. This feature helps you in: • Adding Local Users • Importing Local Users • Importing Users From ACS • Migrating User Details from LMS 3.2 to LMS 4.x versions

Adding Local Users

You can add bulk local users through CLI. This feature allows you to specify a file that has information about the local users as an input. The input file you use should be a plain text file.

Note You can use this CLI command for both system and user-defined roles.

Administration of Cisco Prime LAN Management Solution 4.2 A-2 OL-25947-01 Appendix A CLI Tools Setting Up Local Users Through CLI

admin123:admin123:[email protected]:Help Desk,System Administrator:admin:roZes123:roZes

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-3 Appendix A CLI Tools Setting Up Local Users Through CLI

Importing Local Users

This feature allows you to import local user information to the local server from a remote LMS Server. You can import local users from ACS through CLI. See, Importing Users From ACS for more information. You should have the privileges to import local users from remote LMS Server through CLI. Before you import users from a remote server, you should install the peer certificate of the remote server in the local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate for more information. To import users from a remote server, enter the following commands: • NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -import Protocol Hostname Portnumber Username Password (on Solaris/Soft Appliance) • NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import Protocol Hostname Portnumber Username Password (on Windows) where, • Protocol — Protocol of the remote LMS Server. The supported values are HTTP or HTTPS. • Hostname — Hostname or IP Address of the remote LMS Server. • Portnumber — Port Number of the remote LMS Server. • Username — Remote LMS Server Login Username. • Password — Remote LMS Server Login Password.

Administration of Cisco Prime LAN Management Solution 4.2 A-4 OL-25947-01 Appendix A CLI Tools Setting Up Local Users Through CLI

For example, enter the following command to import the local users from the remote LMS Server lmsdocpc: NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin

Importing Users From ACS

To import users from ACS through CLI, enter the following commands: • NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -importFromAcs Filename Password (on Solaris/Soft Appliance) • NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -importFromAcs Filename Password (on Windows) where, • Filename — Ouput of executing CSUtil.exe. • Password — ACS password which is the default password assigned to all users.

Migrating User Details from LMS 3.2 to LMS 4.x versions

To migrate user details from LMS 3.2 to LMS 4.x:

Step 1 Enter the command given below: For Solaris and Soft Appliance: /NMSROOT/lib/jre/bin/java -cp /NMSROOT/lib/classpath:/NMSROOT/www/classpath:/NMSROOT/MDC/tomcat/shared/lib/ castor-0.9.5-xml.jar:/NMSROOT/MDC/tomcat/shared/lib/castor-0.9.5.jar com.cisco.nm.cmf.servlet.CWPassMigration where, NMSROOT is the directory where you have installed Cisco Prime. Example: /opt/CSCOpx/lib/jre/bin/java -cp /opt/CSCOpx/lib/classpath:/opt/CSCOpx/www/classpath:/opt/CSCOpx/MDC/tomcat/shared/lib/ castor-0.9.5-xml.jar:/opt/CSCOpx/MDC/tomcat/shared/lib/castor-0.9.5.jar com.cisco.nm.cmf.servlet.CWPassMigration /cwpass /output.xml For Windows: /NMSROOT/lib/jre/bin/java -cp /NMSROOT/lib/classpath;/NMSROOT/www/classpath;/NMSROOT/MDC/tomcat/shared/lib/ castor-0.9.5-xml.jar;/NMSROOT/MDC/tomcat/shared/lib/castor-0.9.5.jar com.cisco.nm.cmf.servlet.CWPassMigration where, NMSROOT is the directory where you have installed Cisco Prime.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-5 Appendix A CLI Tools Changing Cisco Prime User Password Through CLI

Example: C:/Progra~1/CSCOpx/lib/jre/bin/java -cp C:/Progra~1/CSCOpx/lib/classpath;C:/Progra~1/CSCOpx/www/classpath;C:/Progra~1/CSCOpx/MD C/tomcat/shared/lib/castor-0.9.5-xml.jar;C:/Progra~1/CSCOpx/MDC/tomcat/shared/lib/ castor-0.9.5.jar com.cisco.nm.cmf.servlet.CWPassMigration C:/cwpass C:/output.xml Step 2 Move the output file to the client machine to import the user details. Step 3 Go to Admin > System > User Management > Local User Setup. The Local User Setup page appears. Step 4 Click Import Users. Step 5 Click Browse and select the output file from the client machine. Step 6 Click Submit.

Migrating User Details using Selective Backup Method The user details can be migrated from LMS 3.2 to LMS 4.x versions by remote upgrade procedure. The inline upgrade does not support the direct migraiton of user details from LMS 3.2 to LMS 4.2.

Step 1 Take selective backup from LMS 3.2 using the command given below: NMSROOT\bin>perl NMSROOT\bin\backup.pl -dest= –system where, NMSROOT is the directory where you have installed Cisco Prime. Step 2 Move the backup to LMS 4.x server where data has to be restored. Step 3 Stop the daemons on 4.x server Step 4 Restore backup using the command given below: NMSROOT\bin>perl NMSROOT\bin\restorebackup.pl -d Step 5 Check for any errors on Restorebackup.log Step 6 Start the daemons and check the user details once all the processes are up.

Note Selective backup includes system settings, user details and jobs.

Changing Cisco Prime User Password Through CLI

You can change the Cisco Prime user password using the Cisco Prime user password recovery utility. To change the user password on Solaris/Soft Appliance:

Step 1 Enter /etc/init.d/dmgtd stop to stop the Daemon Manager. Step 2 Set the LD_LIBRARY_PATH manually. The path is to be set as follows: setenv LD_LIBRARY_PATH /opt/CSCOpx/MDC/lib:/opt/CSCOpx/lib This environment variable set is applicable to the current working shell only.

Administration of Cisco Prime LAN Management Solution 4.2 A-6 OL-25947-01 Appendix A CLI Tools Changing Cisco Prime User Password Through CLI

Now, you can change the password using the Cisco Prime user password recovery utility. Step 3 Enter NMSROOT/bin/resetpasswd username at the command prompt. Here NMSROOT refers to the Cisco Prime Installation directory. A message appears: Enter new password for username: Step 4 Enter the new password. Step 5 Enter /etc/init.d/dmgtd start to start the Daemon Manager.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-7 Appendix A CLI Tools Managing Processes Through CLI

To change the user password on Windows:

Step 1 Enter net stop crmdmgtd to stop the Daemon Manager. Step 2 Enter NMSROOT\bin\resetpasswd username at the command prompt. A message appears: Enter new password for username: Step 3 Enter the new password. Step 4 Enter net start crmdmgtd to start the Daemon Manager.

Managing Processes Through CLI

You can also manage the Cisco Prime processes through CLI. You can perform the following activities through CLI: • Viewing Process Details Through CLI • Viewing Brief Details of Processes • Viewing Processes Statistics • Starting a Process • Stopping a Process

Viewing Process Details Through CLI

The pdshow command displays the details of the specified processes or all processes in the CLI prompt. • To display the details of all processes, enter: – /opt/CSCOpx/bin/pdshow (on Solaris/Soft Appliance) – pdshow (on Windows) • To display the details of one or more specified processes, enter: – /opt/CSCOpx/bin/pdshow ProcessName1 ProcessName2 (on Solaris/Soft Appliance) – pdshow ProcessName1 ProcessName2 (on Windows) where ProcessName1 and ProcessName2 are the name of the processes. The command displays the process details of one or more processes. See Viewing Process Details for description of each of these items. • Process Name • Process State • Process ID • Process Return Code • Process Signal Number • Process Start Time • Process Stop Time

Administration of Cisco Prime LAN Management Solution 4.2 A-8 OL-25947-01 Appendix A CLI Tools Managing Processes Through CLI

The pdshow command additionally displays the following process details.

Process Details Description Core Not applicable means the program is running normally. CORE FILE CREATED means the program is not running normally and the operating system has created a file called core*. The core file stores important data about processes. core* refers to the name of the core file. The core file name contains the executable file name of the program and the process ID. For example, the name of the core file created for the Perl module is: core.perl.51234 Information Describes what the process is doing and how it is started. Not applicable means the program is not running normally.

During the startup of Daemon Manager, sometimes the pdshow command may display information message requesting you to wait and enter the command again. This happens particularly when the Daemon Manager is busy in running the tasks one by one in the queue. You must enter the command again to view the process details.

Viewing Brief Details of Processes

The pdshow -brief command displays the brief status of all processes or specified processes in tabular format in the CLI prompt. • To display the brief details of all processes, enter: – /opt/CSCOpx/bin/pdshow -brief (on Solaris/Soft Appliance) – pdshow -brief (on Windows) • To display the details of one or more specified processes, enter: – /opt/CSCOpx/bin/pdshow -brief ProcessName1 ProcessName2 (on Solaris/Soft Appliance) – pdshow -brief ProcessName1 ProcessName2 (on Windows) where ProcessName1 and ProcessName2 are the name of the processes. The command displays the following details in tabular format: • Process Name • Process State • Process ID For example, if you enter /opt/CSCOpx/bin/pdshow -brief Tomcat Apache in the command prompt, the following output is displayed: ProcessStatePid *************** Tomcat Program Started - No mgt msgs received13824 Apache Running normally 13847

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-9 Appendix A CLI Tools Managing Processes Through CLI

Viewing Processes Statistics

The pdshow -stat command displays the statistics of all processes or specified processes in tabular format.

Note You can enter this command only on Solaris systems.

To display the brief details of all processes, enter: /opt/CSCOpx/bin/pdshow -stat (on Solaris/Soft Appliance) To display the details of one or more specified processes, enter: /opt/CSCOpx/bin/pdshow -stat ProcessName1 ProcessName2 (on Solaris/Soft Appliance) where ProcessName1 and ProcessName2 are the name of the processes. The command displays the following details in tabular format in the command line.

Process Details Description Pid Process ID %CPU CPU usage of a process at a particular time expressed in terms of percentage RSS Resident set size displayed in terms of KB VSZ Virtual memory size of process displayed in terms of KB %MEM Ratio of resident set size and physical memory expressed in terms of percentage NLWP Number of light weight processes of the specified process Process Name of the process

Starting a Process

You must enter the following commands to start a process through CLI: • /opt/CSCOpx/bin/pdexec ProcessName (on Solaris/Soft Appliance) • pdexec ProcessName (on Windows) The dependent processes are started first before the specified process is started. If the process is being restarted after a shutdown, any dependent processes registered with the Daemon Manager is not automatically restarted. Dependent processes are automatically restarted only when the Daemon Manager itself is restarted.

Stopping a Process

You must enter the following commands to stop a process through CLI: • /opt/CSCOpx/bin/pdterm ProcessName (on Solaris/Soft Appliance) • pdterm ProcessName (on Windows) The dependent processes are also shut down using this CLI command.

Administration of Cisco Prime LAN Management Solution 4.2 A-10 OL-25947-01 Appendix A CLI Tools Working With Third Party Security Certificates

Working With Third Party Security Certificates

Cisco Prime provides an option to use security certificates issued by third party certificate authorities (CAs). You may want to use this option in cases where your organizational policy prevents you from using Cisco Prime self-signed certificates or requires you to use security certificates obtained from a particular CA. You can use these certificates to enable SSL when you need secure access between LMS Server and your client browser. You can do the following: • Uploading Third Party Security Certificates to LMS Server • Using the SSL Utility Script to Upload Third Party Security Certificates

Uploading Third Party Security Certificates to LMS Server

You can upload Third Party Security Certificates using the SSL Utility Script.

Note Cisco Prime does not support third-party certificates with “Subject Alternative Names”.

This utility is available at: • NMSROOT\MDC\Apache (On Windows) • NMSROOT/MDC/Apache/bin (On Solaris/Soft Appliance)

Note The maximum supported public key value is 1024 bits.

This utility has the following options:

Numbe r Option What it Does... 1 Display LMS Server • Displays the Certificate details of the LMS Server. certificate For third party issued certificates, this option displays the details information of the server certificate, the intermediate certificates, if any, and the Root CA certificate. • Verifies if the certificate is valid. 2 Display the input This option accepts a certificate as an input and: certificate • Verifies whether the certificate is in encoded X.509 certificate information format. • Displays the subject of the certificate and the details of the issuing certificate. • Verifies whether the certificate is valid on the server. 3 Display Root CA Generates a list of all Root CA Certificates. certificates trusted by LMS Server

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-11 Appendix A CLI Tools Working With Third Party Security Certificates

Numbe r Option What it Does... (continued) 4 Verify the input Verifies whether the server certificate issued by third party CAs, can certificate or be uploaded. certificate chain When you choose this option, the utility: • Verifies if the certificate is in Base64 Encoded X.509Certificate format. • Verifies if the certificate is valid on the server • Verifies if the server private key and input server certificate match. • Verifies if the server certificate can be traced to the required Root CA certificate using which it was signed. • Constructs the certificate chain, if the intermediate chains are also given, and verifies if the chain ends with the proper Root CA certificate. After the verification is successfully completed, you are prompted to upload the certificates to LMS Server. The utility displays an error: • If the input certificates are not in required format • If the certificate date is not valid or if the certificate has already expired. • If the server certificate could not be verified or traced to a root CA certificate. • If any of the intermediate Certificates were not given as input. • If the server private key is missing or if the server certificate that is being uploaded could not be verified with the server private key. You must contact the CA who issued the certificates to correct these problems before you upload the certificates to Cisco Prime.

Administration of Cisco Prime LAN Management Solution 4.2 A-12 OL-25947-01 Appendix A CLI Tools Working With Third Party Security Certificates

Numbe r Option What it Does... (continued) 5 Upload single server You must verify the certificates using option 4 before you select this certificate to LMS option. Server Select this option, only if there are no intermediate certificates and there is only the server certificate signed by a prominent Root CA certificate. If the Root CA is not one trusted by Cisco Prime, do not select this option. In such cases, you must obtain a Root CA certificate used for signing the certificate from the CA and upload both the certificates using option 6. When you select this option, and provide the location of the certificate, the utility: • Verifies whether the certificate is in Base64 Encoded X.509 certificate format. • Displays the subject of the certificate and the details of the issuing certificate. • Verifies whether the certificate is valid on the server. • Verifies whether the server private key and input server certificate match. • Verifies whether the server certificate can be traced to the required Root CA certificate that was used for signing. After the verification is successfully completed, the utility uploads the certificate to LMS Server. The utility displays an error: • If the input certificates are not in required format • If the certificate date is not valid or if the certificate has already expired. • If the server certificate could not be verified or traced to a root CA certificate. • If the server private key is missing or if the server certificate that is being uploaded could not be verified with the server private key. You must contact the CA who issued the certificates to correct these problems before you upload the certificates in Cisco Prime again.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-13 Appendix A CLI Tools Working With Third Party Security Certificates

Numbe r Option What it Does... (continued) 6 Upload a certificate You must verify the certificates using option 4 before you select this chain to LMS Server option. Select this option, if you are uploading a certificate chain. If you are also uploading the root CA certificate also, you must include it as one of the certificates in the chain. When you select this option and provide the location of the certificates, the utility: • Verifies whether the certificate is in Base64 Encoded X.509 Certificate format. • Displays the subject of the certificate and the details of the issuing certificate. • Verifies whether the certificate is valid on the server • Verifies whether server private key and the server certificate match. • Verifies whether the server certificate can be traced to the root CA certificate that was used for signing. • Constructs the certificate chain, if intermediate chains are given and verifies if the chain ends with the proper root CA certificate. After the verification is successfully completed, the server certificate is uploaded to LMS Server. All the intermediate certificates and the Root CA certificate are uploaded and copied to the Cisco Prime TrustStore. The utility displays an error: • If the input certificates are not in required format. • If the certificate date is not valid or if the certificate has already expired. • If the server certificate could not be verified or traced to a root CA certificate. • If any of the intermediate certificates were not given as input. • If the server private key is missing or if the server certificate that is being uploaded could not be verified with the server private key. You must contact the CA who issued the certificates to correct these problems before you upload the certificates in Cisco Prime again. 7 Modify Certificate This option allows you to modify the Host Name entry in the LMS Certificate. You can enter an alternate Hostname if you wish to change the existing Host Name entry.

Administration of Cisco Prime LAN Management Solution 4.2 A-14 OL-25947-01 Appendix A CLI Tools Working With Third Party Security Certificates

Using the SSL Utility Script to Upload Third Party Security Certificates

To upload the certificates:

Step 1 Stop the Daemon Manager from the Cisco Prime CLI: On Windows: • Enter net stop crmdmgtd On Solaris/Soft Appliance: • Enter /etc/init.d/dmgtd stop Step 2 Navigate to the directory where the SSL Utility script is located. On Windows: a. Go to NMSROOT\MDC\Apache b. Enter NMSROOT\bin\perl SSLUtil.pl On Solaris/Soft Appliance: a. Go to NMSROOT/MDC/Apache/bin b. Enter NMSROOT/bin/perl SSLUtil.pl Step 3 Select option 4, Verify the input Certificate or Certificate Chain. Step 4 Enter the location of the certificates (server certificate and intermediate certificate). The script verifies if the server certificate is valid. After the verification is complete, the utility displays the options. If the script reports errors during validation and verification, the SSL Utility displays instructions to correct these errors. Follow the instructions to correct those errors and then try to upload the certificates. Step 5 Select option 5, if you have only one certificate to upload, that is if you have a server certificate signed by a Root CA certificate. Or Select option 6, if you have a certificate chain to upload, that is if you have a server certificate and intermediate certificates. Cisco Prime does not allow you to proceed with the upload if you have not stopped the Cisco Prime Daemon Manager. The utility displays a warning message if there are hostname mismatches detected in the server certificate being uploaded, but you can continue to upload the certificate. Step 6 Enter the following required details: • Location of the certificate • Location of intermediate certificates, if any. SSL Utility uploads the certificates, if all the details are correct and the certificates meet Cisco Prime requirements for security certificates. Step 7 Restart the Daemon Manager for the new security certificate to take effect. Enable SSL to establish a secured connection between LMS Server and your client browser, if you have not enabled already.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-15 Appendix A CLI Tools Setting up Browser-Server Security

Note The maximum supported public key value is 1024 bits.

Note Cisco Prime does not support third-party certificates with “Subject Alternative Names”.

Setting up Browser-Server Security

This section contains: • Enabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms • Enabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms • Disabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms • Disabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms

Enabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms

To enable Browser-Server Security from CLI:

Step 1 Go to the command prompt. Step 2 Navigate to the directory NMSROOT\MDC\Apache. Step 3 Enter NMSROOT\bin\perl ConfigSSL.pl -enable Step 4 Press Enter. • If you have the required security certificates available on the server, Cisco Prime enables SSL. • If you do not have the security certificates on the server, Cisco Prime prompts you to create your own self-signed certificate and enter the details required to create a self-signed certificate. Step 5 Create a self-signed certificate or use certificates you obtained from a Certification Authority (CA). The LMS Server creates the security certificate. You can use this certificate to enable SSL in the LMS Server from your client browser. Step 6 Log out from your Cisco Prime session, and close all browser sessions. Step 7 Restart the Daemon Manager from the LMS Server CLI: a. Enter net stop crmdmgtd b. Enter net start crmdmgtd Step 8 Restart the browser, and the Cisco Prime session.

Administration of Cisco Prime LAN Management Solution 4.2 A-16 OL-25947-01 Appendix A CLI Tools Setting up Browser-Server Security

When you restart the Cisco Prime session after enabling SSL, you must enter the URL with the following changes: • The URL should begin with https instead of http to indicate secure connection. Cisco Prime will automatically redirect you to HTTPS mode if SSL is enabled. • Change the port number suffix from 1741 to 443. If you do not make the above changes, LMS Server will automatically redirect you to HTTPS mode with port number 443. The port numbers mentioned above are applicable for LMS Server running on Windows.

Enabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms

To enable Browser-Server Security from CLI:

Step 1 Go to the command prompt. Step 2 Navigate to the directory NMSROOT\MDC\Apache\bin. Step 3 Enter ./ConfigSSL.pl -enable Step 4 Press Enter. • If you have the required security certificates available on the server, Cisco Prime enables SSL. • If you do not have the security certificates on the server, Cisco Prime prompts you to create your own self-signed certificate and enter the details required to create a self-signed certificate. Step 5 Create a self-signed certificate or use certificates you obtained from a Certification Authority (CA). The LMS Server creates the security certificate. You can use this certificate to enable SSL in the LMS Server from your client browser. Step 6 Log out from your Cisco Prime session, and close all browser sessions. Step 7 Restart the Daemon Manager from the LMS Server CLI: a. Enter /etc/init.d/dmgtd stop b. Enter /etc/init.d/dmgtd start Step 8 Restart the browser, and the Cisco Prime session. When you restart the Cisco Prime session after enabling SSL, you must enter the URL with the following changes: • The URL should begin with https instead of http to indicate secure connection. Cisco Prime will automatically redirect you to HTTPS mode if SSL is enabled. • Change the port number suffix from 1741 to 443. If your LMS Server is integrated with any Network Management Station (NMS) in your network using the integration utility (NMIM), you must perform the integration every time you enable or disable SSL in the LMS Server. This is required to update the application registration in NMS. For more information, see the Integration Utility Online Help.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-17 Appendix A CLI Tools Setting up Browser-Server Security

Disabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms

To disable Browser-Server Security from CLI:

Step 1 Go to the command prompt. Step 2 Navigate to the directory NMSROOT\MDC\Apache. Step 3 Enter NMSROOT\bin\perl ConfigSSL.pl -disable Step 4 Press Enter. Step 5 Log out from your Cisco Prime session, and close all browser sessions. Step 6 Restart the Daemon Manager from the LMS Server CLI: a. Enter net stop crmdmgtd b. Enter net start crmdmgtd Step 7 Restart the browser, and the Cisco Prime session. When you restart the Cisco Prime session after disabling SSL, you must enter the URL with the following changes: • The URL should begin with http instead of https to indicate that connection is not secure. • Change the port number suffix from 443 to 1741. The port numbers mentioned above are applicable for LMS Server running on Windows.

Disabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance Platforms

To disable Browser-Server Security from CLI:

Step 1 Go to the command prompt. Step 2 Navigate to the directory NMSROOT\MDC\Apache\bin. Step 3 Enter ./ConfigSSL.pl -disable Step 4 Press Enter. Step 5 Log out from your Cisco Prime session, and close all browser sessions. Step 6 Restart the Daemon Manager from the LMS Server CLI: a. Enter /etc/init.d/dmgtd stop b. Enter /etc/init.d/dmgtd start Step 7 Restart the browser, and the Cisco Prime session. When you restart the Cisco Prime session after disabling SSL, you must enter the URL with the following changes: • The URL should begin with http instead of https to indicate that connection is not secure. • Change the port number suffix from 443 to 1741.

Administration of Cisco Prime LAN Management Solution 4.2 A-18 OL-25947-01 Appendix A CLI Tools Setting up Browser-Server Security

If your LMS Server is integrated with any Network Management Station (NMS) in your network using the Integration Utility (NMIM), you must perform the integration every time you enable or disable SSL in the LMS Server. This is required to update the application registration in NMS. For more information, see Integration Utility Online Help.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-19 Appendix A CLI Tools Backing up Data Using CLI

Backing up Data Using CLI

To back up data using CLI on Windows and Solaris/Soft Appliance: On Windows, run: NMSROOT\bin\perl NMSROOT\bin\backup.pl BackupDirectory [LogFile] email=[comma_separated_email_ids] [Num_Generations] On Solaris/Soft Appliance, run: /opt/CSCOpx/bin/perl /opt/CSCOpx/bin/backup.pl BackupDirectory [LogFile] email=[comma_separated_email_ids] [Num_Generations] where, • BackupDirectory—Directory that you want to be your backup directory. This is mandatory. • LogFile— Log file name that contains the details of the backup • comma_separated_email_ids—Email IDs seperated by comma • Num_Generations—Maximum backup generations to be kept in the backup directory. To back up only selective data using CLI on Windows and Solaris/Soft Appliance: On Windows, run: NMSROOT\bin\perl NMSROOT\bin\backup.pl -dest=BackupDirectory -system [-log=LogFile] -gen=Num_Generations] On Solaris/Soft Appliance, run: /opt/CSCOpx/bin/perl /opt/CSCOpx/bin/backup.pl -dest=BackupDirectory -system [-log=LogFile] [-gen=Num_Generations] where, • -dest=BackupDirectory—Directory where the backed up data to be stored. This is mandatory. • -system—Command line option that allows you to back up only the selected system configurations from all applications instead of backing up the complete databases. This is mandatory. • -log=LogFile— Log file name that contains the details of the backup. • -gen=Num_Generations—Maximum backup generations to be retained in the backup directory.

Using LMS Server Hostname Change Scripts

When you change the hostname of the LMS Server, you need to change the hostname related entries in the Cisco Prime directories and files, registry entries, and databases. LMS provides a CLI utility to update the new hostname information in the LMS related directories and files, registry entries, and databases, after you have changed your hostname. You can use the hostnamechange.pl script to update the hostname changes in all files, database entries and registry entries.

Caution Make sure that you run this command after you have changed your hostname and the appropriate entries specific to the operating system are updated.

Administration of Cisco Prime LAN Management Solution 4.2 A-20 OL-25947-01 Appendix A CLI Tools Using LMS Server Hostname Change Scripts

Prerequisites Before running the hostname change script, you should do the following:

Step 1 Update the hostname entries specific to operating system in your machine. On Solaris: • /etc/hosts - Modify loghost to the new hostname. • /etc/hostname.hm0 or the appropriate interface file - Modify the file to the new hostname. • /etc/nodename or the appropriate interface file - Modify nodename to the new hostname. For Solaris/Soft Appliance, the sys-unconfig command erases the hostname and IP addresses pertaining to the Solaris/Soft Appliance system (not the LMS or SMS software) and guides you through the server-renaming process. You can also do this when you change the hostname in the hosts, hostname.hme0, and nodename files in the /etc directory. On Soft Appliance: To change the hostname in Soft Appliance operating system: a. Login to vSphere client. b. Select the server where you want to Run hostnamechange.pl. c. Login to the selected server as system admin. d. Stop the daemons before changing the hostname in CARS CLI, by runing the command /etc/init.d/dmgtd stop in shell mode. e. Enter “config terminal” in the console. Config prompt appears. Enter “hostname ” f. Exit from the configure prompt. g. Enter “write memory”. On Windows: To change the hostname in Windows operating system: a. Right-click the My Computer icon from the desktop and click System Properties. Or Click Start > Settings > Control Panel > System. The System Properties dialog box opens. b. Click the Computer Name tab. c. Click Change... on the Windows 2008 machine to open the Computer Name Changes dialog box. d. Enter the new hostname in the Computer Name field. e. Click OK to go back to System Properties dialog box. f. Click Apply to apply the changes. Step 2 Restart the machine. You must restart the machine when you: • Update the operating system specific hostname entries. Step 3 Stop the Daemon Manager by entering the following commands: • /etc/init.d/dmgtd stop (on Solaris/Soft Appliance)

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-21 Appendix A CLI Tools Using LMS Server Hostname Change Scripts

• net stop crmdmgtd (on Windows) Step 4 Run the hostname script without command line options. See Running the Hostname Change Script for more information. Step 5 Start the Daemon Manager by entering the following commands: • /etc/init.d/dmgtd start (on Solaris/Soft Appliance) • net start crmdmgtd (on Windows)

Administration of Cisco Prime LAN Management Solution 4.2 A-22 OL-25947-01 Appendix A CLI Tools Using LMS Server Hostname Change Scripts

Running the Hostname Change Script

You can either: • Run the hostname change script without specifying any command line options After you have restarted your system, ensure that you stop the Daemon Manager and then enter the following command to run the hostname change CLI utility. – NMSROOT\bin\perl NMSROOT\bin\hostnamechange.pl (on Windows) – NMSROOT/bin/perl NMSROOT/bin/hostnamechange.pl (on Solaris/Soft Appliance) Or • Run the hostname change script with command line options Use this option to change the hostname only if the previous attempt of running this script had failed and the hostname changes were unsuccessful. You need not restart your machine to run the hostnamechange.pl CLI utility with command line options Enter the following command to run the hostnamechange.pl CLI utility: – NMSROOT\bin\perl NMSROOT\bin\hostnamechange.pl -ohost Old_ Hostname -nhost New_Hostname -domain Domain (on Windows) – NMSROOT/bin/perl NMSROOT/bin/hostnamechange.pl -ohost Old_Hostname -nhost New_Hostname -domain Domain (on Solaris/Soft Appliance) where, Old_ Hostname —Old Hostname of the LMS Server New_Hostname —New Hostname of the LMS Server Domain —Domain name of the LMS Server. Entering domain name is optional.

The hostnamechange.pl script performs the following: 1. Updates the new hostname of LMS Server in the following files: – /opt/CSCOpx/lib/classpath/md.properties (on Solaris/Soft Appliance) – /var/sadm/pkg/CSCOmd/pkginfo (on Solaris) – NMSROOT\lib\classpath\md.properties (on Windows) 2. Changes ASName to the new hostname of LMS Server in the following files: – /opt/CSCOpx/lib/classpath/sso.properties (on Solaris/Soft Appliance) – NMSROOT\lib\classpath\sso.properties (on Windows) 3. Updates the hostname in the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Resource Manager\CurrentVersion\Environment The CLI utility looks for all the instances of hostname under these registry entries, and replaces them with the new hostname. 4. Changes the hostname in regdaemon.xml (NMSROOT/MDC/etc/regdaemon.xml). 5. Changes the hostname in web.xml (NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml).

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-23 Appendix A CLI Tools Using LMS Server Hostname Change Scripts

6. Creates a file NMSROOT/conf/cmic/changehostname.info, with the information on the updated hostname in the format: OldhostName:NewhostName OldhostName—Previous hostname as registered with CCR(regdaemon.xml) NewhostName—Current hostname as registered with CCR(regdaemon.xml) The entries for hostname in regdaemon.xml and changehostname.info should be identical. The changehostname.info file resides in the LMS Server until you restart the Daemon Manager. This file will not be available in LMS Server after the Daemon Manager is restarted. 7. Deletes NS_Ref file on the following directories: – NMSROOT\lib\csorb (on Windows) – /opt/CSCOpx/lib/csorb (on Solaris/Soft Appliance) The NS_Ref file is restored in LMS Server after the Daemon Manager is restarted. 8. Starts the LMS 4.0 database and updates the database table entries with the new hostname. After updating the database table entries, it stops the LMS 4.0 database. 9. Detects and displays the details of the certificate in the LMS Server. – If the certificate is a third party certificate, you should regenerate your certificate with the new hostname. Or – If the certificate is a self-signed certificate, the script allows you to regenerate the certificate. You can enter y to re-generate the certificate with the new hostname or n to re-generate the certificate later. See Creating Self Signed Certificates for details. After you have completed running the script, ensure that you: • Start the Daemon Manager by entering the following commands: – /etc/init.d/dmgtd start (on Solaris/Soft Appliance) – net start crmdmgtd (on Windows) • Redo the integration, if you have integrated any third party network management application to Cisco Prime, using Integration Utility. • Re-import the certificates and redo the Multi-Server setup if the machine is part of a Multi-Server setup. For example, if you are changing the hostname of a machine that is configured as a Slave, then it needs to reregister with the Master. If you are changing the hostname of a machine that is configured as a Master, then all its Slaves need to be updated with the new Master hostname. If the hostname of the machine changes, the stability of the system is not guaranteed and it fails in some cases.

Administration of Cisco Prime LAN Management Solution 4.2 A-24 OL-25947-01 Appendix A CLI Tools Using DCR Features Through CLI

Using DCR Features Through CLI

Using Command Line Interface, you can add, delete, and modify devices, and change the DCR modes. You can also view the list of attributes that can be stored in DCR, and view the current DCR mode. The dcrcli provided with LMS helps you perform these tasks using CLI. The Device Name and the Host Name/Domain Name combination must be unique for each device in DCR. A device will be considered duplicate if: • The Device Name of a device is the same as that of any other device • The Host Name/Domain Name combination of a device is the same as that of any other device • Auto Update Device ID is the same as that of any other device (in case of AUS managed device) • Cluster and Member Number, together is same as that of any other device (in case of Cluster managed device) dcrcli operates in both the Shell and Batch modes. The Shell mode is interactive whereas the Batch mode runs the specified command and exits to the prompt after the command is run. You can set DCRCLIFILE environment to point to the file where LMS password is present. If you set DCRCLIFILE variable, password will not be asked when you run dcrcli in shell or batch mode. The password file should contain an entry in the format username password. Make sure that there is only one blank space between the username and the password in the password file. For example, if admin is the username and the password for the Cisco Prime user, the password file must contain the following entry: admin admin This section has the following: • Viewing the Current DCR Mode Using CLI • Viewing Device Details • Changing DCR Mode Using CLI

Viewing the Current DCR Mode Using CLI

To view the current DCR mode in Shell mode:

Step 1 Enter NMSROOT/bin/dcrcli -u username. Step 2 Enter the password corresponding to the username. Step 3 Enter lsmode It lists the DCR ID, the DCR Group ID, the current DCR mode, and the associated Master and Slaves.

To view the current DCR mode in Batch mode:

Step 1 Go to NMSROOT/bin Step 2 Enter dcrcli -u Username cmd=lsmode

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-25 Appendix A CLI Tools Using DCR Features Through CLI

Viewing Device Details

To view device details using dcrcli in Shell mode:

Step 1 Enter NMSROOT/bin/dcrcli -u username. Step 2 Enter the password corresponding to the username. Step 3 Enter details id=DeviceID This lists all the details about the device with the ID you have specified. For example, detail id=54341 lists the details for the device with device ID 54341.

To view device details using dcrcli in Batch mode:

Step 1 Go to NMSROOT/bin Step 2 Enter dcrcli -u Username cmd=detail id=DeviceID

Changing DCR Mode Using CLI

To change mode to Master in Shell mode:

Step 1 Enter NMSROOT/bin/dcrcli -u username. Step 2 Enter the password corresponding to the username Step 3 Enter setmaster The DCR mode gets changed to Master.

To change mode to Master in Batch mode:

Step 1 Go to NMSROOT/bin Step 2 Enter dcrcli -u Username cmd=setmaster

To change mode to Standalone in Shell mode:

Step 1 Enter NMSROOT/bin/dcrcli -u username. Step 2 Enter the password corresponding to the username Step 3 Enter setstand The DCR mode gets changed to Standalone.

Administration of Cisco Prime LAN Management Solution 4.2 A-26 OL-25947-01 Appendix A CLI Tools Using Group Administration Features Through CLI

To change mode to Standalone in Batch mode:

Step 1 Go to NMSROOT/bin Step 2 Enter dcrcli -u Username cmd=setstand

To change mode to Slave in Shell mode:

Step 1 Enter NMSROOT/bin/dcrcli -u username. Step 2 Enter the password corresponding to the username Step 3 Enter setslave master=value You have to specify the Master for this slave. The DCR mode gets changed to Slave. For example, setslave master=1.2.1.3 port=443

To change mode to Slave in Batch mode:

Step 1 Go to NMSROOT/bin Step 2 Enter dcrcli -u Username cmd=setslave master=value

Using Group Administration Features Through CLI

You can use OGSCli command line utility to: • Export Groups to an output XML file • Import Groups to Grouping Server from an input XML file You should have Network Administrator, System Administrator, or Super Admin privileges to use OGSCli command line utility. OGSCli runs in only Batch mode. It runs the specified command and exits to the prompt after the command is run. This section explains: • Exporting Groups Through CLI • Importing Groups Through CLI

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-27 Appendix A CLI Tools Using Group Administration Features Through CLI

Exporting Groups Through CLI

To export groups through CLI:

Step 1 Go to the command prompt. Step 2 Enter either one of the following: • NMSROOT/bin/OGSCli.sh -u CiscoPrime_Username (on Solaris/Soft Appliance) Or • NMSROOT\bin\OGSCli -u CiscoPrime_Username (on Windows) where, NMSROOT is the directory where you have installed Cisco Prime. CiscoPrime_Username is the login username of a Cisco Prime user. For example, you can enter /opt/CSCOpx/bin/OGSCli.sh -u admin on Solaris/Soft Appliance systems. The system prompts you to enter your Cisco Prime password. Step 3 Enter your Cisco Prime password. The system prompts you to enter a task name, import or export. The default task is export. Step 4 Enter export. The system prompts you to enter an output file name. Step 5 Enter a file name for export output file with its absolute path name. If you do not enter file name with its absolute path name, the export file will be stored on \nmsroot\bin. A warning message appears indicating that the selected file will be overwritten with the new information on exported groups. The system uses the file name that you have entered to generate the output XML file irrespective of whether the file exists on the server. You should have the required directory-level permissions where you want to save the output XML file. You must either enter y to continue or n to exit. The system prompts you to enter an export group hierarchy. Step 6 Enter All or the export group hierarchy name. Default value is All. For example, you can enter the group hierarchy name as /CS@doc-pc2/User Defined Groups/Group1. The system generates an export format XML file and stores on the specified directory on the server.

Administration of Cisco Prime LAN Management Solution 4.2 A-28 OL-25947-01 Appendix A CLI Tools Using Group Administration Features Through CLI

Importing Groups Through CLI

To import groups through CLI:

Step 1 Go to the command prompt. Step 2 Enter either one of the following: • NMSROOT/bin/OGSCli.sh -u CiscoPrime_Username (on Solaris/Soft Appliance) Or • NMSROOT\bin\OGSCli -u CiscoPrime_Username (on Windows) where, NMSROOT is the directory where you have installed Cisco Prime. CiscoPrime_Username is the login username of a Cisco Prime user. For example, you can enter /opt/CSCOpx/bin/OGSCli.sh -u admin on Solaris/Soft Appliance systems. The system prompts you to enter your Cisco Prime password. Step 3 Enter your Cisco Prime password. The system prompts you to enter a task name, import or export. The default task is export. Step 4 Enter import. The system prompts you to enter the input XML filename. Step 5 Enter the input XML filename with its absolute path name. The system lists the groups to be imported from the source XML file. Step 6 Enter your choices using the item numbers displayed for the listed groups. You can enter one or more item numbers separated by comma. The system lists the Grouping Server locations where you can import the groups. Step 7 Enter your choices using the item numbers displayed for the listed Grouping Servers. You can enter one or more item numbers separated by comma. You must enter 1 to import the selected groups to all listed servers. A message appears indicating whether the import of groups is successful. See Exporting Groups for the possible causes for the import groups job to fail.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-29 Appendix A CLI Tools Deleting Stale Groups Using CLI

Deleting Stale Groups Using CLI

You can delete groups that belonged to users removed from Cisco Prime. To delete a stale group, you must run the DeleteStaleGroups utility. To run the DeleteStaleGroups utility: On Windows:

Step 1 Enter NMSROOT\bin Step 2 Enter DeleteStaleGroups -user username -pfile passwordfile -staleuser StaleUser

On Solaris/Soft Appliance:

Step 1 Enter NMSROOT/bin Step 2 Enter DeleteStaleGroups.sh -user username -pfile passwordfile -staleuser StaleUser

The explanation for these optional entries are as follows: -user: Current user who has the necessary privileges to delete groups. -pfile: Absolute Path of the text file with Cisco Prime login password of the current user, in one line. -staleuser: The user whose group has to be deleted. If you run the DeleteStaleGroups utility without specifying any of these optional entries, all the stale groups will be deleted.

User Tracking Command Line Interface

You can run User Tracking commands from the command line in Solaris/Soft Appliance and Windows 2000. Enter ut -cli options -u username -p password. The options can be one or more of those shown in Table A-1. • Use the -prompt command if you do not want to enter your password from the command line. Using -prompt prevents other users from running ps and seeing your password. • The -host option is required when you run the CLI command on a remote LMS Server.

Administration of Cisco Prime LAN Management Solution 4.2 A-30 OL-25947-01 Appendix A CLI Tools User Tracking Command Line Interface

Table A-1 User Tracking CLI Commands

Option Arguments Function -prompt No keywords or This command is required if you do not enter your arguments. password from the command line. If -prompt is specified, User Tracking prompts you to enter your password. -help No keywords or Prints the command line usage. arguments. -ping {enable | disable} Enables the Ping Sweep option so that the ANI Server pings every IP address on known subnets before discovery. The default is the last setting used. User Tracking does not perform Ping Sweep on large subnets, for example, subnets containing Class A and B addresses. Hence, ARP cache might not have some IP addresses and User Tracking may not display the IP addresses. In larger subnets, the ping process leads to numerous ping responses that might increase the traffic on your network and result in extensive use of network resources. To perform Ping Sweep on larger subnets, you can: • Configure a higher value for the ARP cache time-out on the routers. To configure the value, you must use the arp time-out interface configuration command on devices running Cisco IOS. • Use any external software, which will enable you to ping the host IP addresses. This ensures that when you run User Tracking Acquisition, the ARP cache of the router contains the IP addresses. -performMajorAcquisition No keywords or Acquires data about all users and hosts on the network arguments. and updates the LMS database. This option starts an acquisition but does not wait for it to complete.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-31 Appendix A CLI Tools User Tracking Command Line Interface

Table A-1 User Tracking CLI Commands (continued)

Option Arguments Function -query This option takes one of Queries the Topology and Layer 2 services module the following database and updates the User Tracking table. arguments: all Gets all User Tracking entries. Similar to “All Host Entries” or a simple query in the GUI. name Runs the named advanced or simple query, created earlier in the GUI. dupMAC Finds duplicate MAC addresses. dupIP Finds duplicate IP addresses. hub Finds ports with multiple MAC addresses (hubs). -queryPhone all Gets all IP Phone entries. name Runs the named advanced query, created earlier in the GUI. -layout layout_name Uses the specified main table layout while performing a query to fetch User Tracking display entries. -layoutPhone layout_name Uses the specified IP phone table layout while performing a query to fetch IP phone display entries. -host ANI Server device name Specifies the host name or IP address of the LMS or IP Address Server. Use this argument when you need to run the CLI command on a remote LMS Server. -port ANI Server web port Specifies the web server port number of the ANI Server. number The default is 1741. -export filename Exports data to a text file. You must first specify the -query option to fetch the data that you want to export. -import filename Imports lost or deleted UserName and Notes fields from the last exported file. -importMACToAcceptableOUI filename Imports MACs and converts them to OUI and adds the MACs to the Acceptable OUI List. For example: cd NMSROOT/bin ut -cli -importMACToAcceptableOUI filename -u username -p password -stat No keywords or Displays statistical information, such as time of last arguments. acquisition, acquisition status, number of records in the User Tracking database, and so on. -debug No keywords or Enables trace and debug messages for the User Tracking arguments. client application.

Administration of Cisco Prime LAN Management Solution 4.2 A-32 OL-25947-01 Appendix A CLI Tools User Tracking Command Line Interface

Table A-1 User Tracking CLI Commands (continued)

Option Arguments Function -wireless No keywords or Displays detailed information on Wireless clients arguments. connected to the network. If you enter this option along with the export option, data can be exported to a text file. For example: NMSROOT/campus/bin ut -cli -wireless -export c:/sample -u username -p password -switchPortCapacity For complete details on this, see Exporting Switch Port Usage Report. -switchPortreclaimreport For complete details on this, see Exporting Switch Port Usage Report -switchPortSummary For complete details on this, see Exporting Switch Port Usage Report

For details on Lookup Analyzer Script, see Using Lookup Analyzer Utility

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-33 Appendix A CLI Tools User Tracking Command Line Interface

Exporting Switch Port Usage Report

Switch Port Capacity report lists switches whose utilization percentage falls in the specified range. Switch Port Reclaim reports lists: • Ports that are administratively up or down and • Ports that were previously connected to an endhost or a device but are unconnected at least for a period of one day. Switch port usage reports can be generated from the command prompt as given in Table A-2:

Table A-2 Switch Port Reports from the Command Prompt

Purpose Command Switch Port Capacity Report To generate reports where the utilization is NMSROOT/campus/bin ut -cli less than the specified percentage (for all -switchPortCapacity lessthan 60 -devices all devices managed by LMS) -export c:/sample -u username -p password To generate reports where the utilization is NMSROOT/campus/bin ut -cli less than the specified percentage (for -switchPortCapacity lessthan 60 -devices specific devices) 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u username -p password To generate reports where the utilization is NMSROOT/campus/bin ut -cli greater than the specified percentage (for all -switchPortCapacity greaterthan 60 -devices all devices managed by LMS) -export c:/sample -u username -p password To generate reports where the utilization is NMSROOT/campus/bin ut -cli greater than the specified percentage (for -switchPortCapacity greaterthan 60 -devices specific devices) 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u username -p password To generate reports where the utilization falls NMSROOT/campus/bin ut -cli between the specified range (for all devices -switchPortCapacity between 10 60 -devices all managed by LMS) -export c:/sample -u username -p password To generate reports where the utilization falls NMSROOT/campus/bin ut -cli between the specified range (for specific -switchPortCapacity between 10 60 -devices devices) 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u username -p password

Administration of Cisco Prime LAN Management Solution 4.2 A-34 OL-25947-01 Appendix A CLI Tools Using Lookup Analyzer Utility

Table A-2 Switch Port Reports from the Command Prompt

Purpose Command Switch Port Reclaim Report Generates reports for unused ports that are in up or down state. To generate Reclaim Unused Up Ports report NMSROOT/campus/bin ut -cli (for all devices managed by LMS) -switchPortReclaimReport type up days 2 -devices all -export c:/sample -u username -p password To generate Reclaim Unused Up Ports report NMSROOT/campus/bin ut -cli (for specific devices) -switchPortReclaimReport type up days 2 -devices 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password To generate Reclaim Unused Down Ports NMSROOT/campus/bin ut -cli report (for all devices managed by LMS) -switchPortReclaimReport type down days 2 -devices all -export c:/sample -u username -p password To generate Reclaim Unused Down Ports NMSROOT/campus/bin ut -cli report (for specific devices) -switchPortReclaimReport type down days 2 -devices 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password Switch Port Summary Report Generates reports that gives the number of Connected, Free, and Free down ports in each switch. To generate Switch Port Summary report for NMSROOT/campus/bin ut -cli all devices -switchPortSummary -devices all -export c:/sample -u username -p password To generate Switch Port Summary report for NMSROOT/campus/bin ut -cli select devices -switchPortSummary -devices 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password

where NMSROOT is the directory where you installed Cisco Prime.

Note The above commands can be run in a Solaris/Soft Appliance machine. To run the same commands in Windows, replace all forward slash (/) with reverse slash (\).

The report generated by the above options is saved as a file in the CSV format, at the specified location. You can generate various Switch Port Usage reports, select Reports > Switch Port.

Using Lookup Analyzer Utility

Lookup Analyzer is a utility used to analyze the performance of DNS servers and provide the following information: • DNS Server Efficiency for each DNS Server • Overall Summary of DNS Servers

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-35 Appendix A CLI Tools Using Lookup Analyzer Utility

• Namelookup related settings in ut.properties file • Issues found and recommendations to overcome them For Solaris/Soft Appliance: The utility file is NMSROOT/campus/bin/LookupAnalyzer.sh If dir is the directory where the file is present, run the following command to run the utility: dir# ./LookupAnalyzer For Windows: The utility file is NMSROOT\campus\bin\LookupAnalyzer.bat If dir is the directory where the file is present, run the following command to run the utility: dir> LookupAnalyzer Example output of the Lookup Analyzer script: Host IP: 172.20.123.74, DNS Server: 64.104.76.247, Time taken: 35, Status: FAILURE Host IP: 172.20.123.74, DNS Server: WINS, Time taken: 22, Status: FAILURE Host IP: 10.77.209.254, DNS Server: 64.104.128.248, Time taken: 18, Status: FAILURE .. .. DNS Server : 64.104.128.248 Success Count: 12 Failure Count: 76 Failure % : 86 % Total Time : 1 secs 561 ms Min Time : 0 ms Max Time : 52 ms Avg Time : 17 ms Server Efficiency(successCount/totalTime): 7.0 ------DNS Server : 64.104.76.247 Success Count: 0 Failure Count: 76 Failure % : 100 % Total Time : 2 secs 729 ms Min Time : 0 ms Max Time : 61 ms Avg Time : 35 ms Server Efficiency(successCount/totalTime): 0.0 ------DNS Server : WINS Success Count: 0 Failure Count: 76 Failure % : 100 % Total Time : 750 ms Min Time : 0 ms Max Time : 23 ms Avg Time : 9 ms Server Efficiency(successCount/totalTime): 0.0 ------Overall Summary ------Success Count: 12 Failure Count: 76 Failure % : 86 % ------Current Namelookup Related Settings ------UTMajorUseDNSSeperateThread: false UT.nameResolution: both

Administration of Cisco Prime LAN Management Solution 4.2 A-36 OL-25947-01 Appendix A CLI Tools Understanding UTLite

UT.nameResolution.threadCount: 1 UT.nameResolution.winsTimeout: 2000 UT.nameResolution.threadThresholdPercentage: 10 UT.nameResolution.dnsTimeout: 2000 UTMajorUseDNSCache: false nameserver.usednsForUT: true DB.dsn: ani ------ISSUES/RECOMMENDATIONS ------Issue #1: Failure Percent is greater than 20% Recommendation: Check all DNS/WINS entries and ensure proper hostnames are configured

Issue #2: DNS reverse lookup is NOT done as separate process Recommendation: Enable UTMajorUseDNSSeperateThread=true in ut.properties

Issue #3: Name Resolution DNS server order is not optimal Recommendation: Change dns server order as 64.104.128.248=7.0, 64.104.76.247=0.0, WINS=0.0,

Other Recommendations: * If hostnames in your network are less likely to change often, set UTMajorUseDNSCache=true * If reverse lookup failure % is more, try increasing UT.nameResolution.winsTimeout, UT.nameResolution.dnsTimeout and UT.nameResolution.threadThresholdPercentage * Optimal timeout values are: UT.nameResolution.winsTimeout=0, UT.nameResolution.dnsTimeout=48

The script can also be run by setting properties in the ut.properties file.

Understanding UTLite

UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active Directory, and Novell servers. To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell servers. You can also install UTLite in an Active Directory server. UTLite sends traps to LMS whenever a user logs in or logs out. UTLite traps are processed by LMS at the rate of 150 traps per second, with a default buffer size of 76800. If you need a higher trap processing rate, say 300 traps per second, increase the buffer size to 102400. To increase the buffer size:

Step 1 Enter pdterm UTLITE at the command line to stop the UTLite process. Step 2 Open utliteuhic.properties located at NMSROOT\campus\lib\classpath\com\cisco\nm\cm\ut\uhic\utlite\properties\ Step 3 Set Socket.portbuffersize=102400 Step 4 Enter pdexec UTLITE at the command line to start the UTLite process.

Caution Increasing the buffer size beyond 102400 results in performance degradation of UTLite.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-37 Appendix A CLI Tools Understanding UTLite

To receive UTLITE events:

Step 1 Open utliteuhic.properties located at NMSROOT\campus\lib\classpath\com\cisco\nm\cm\ut\uhic\utlite\properties\ Step 2 Change the property of URTlite state by changing the value from "URTlite.state=disable" to "URTlite.state=enable". Or You can change the property of URTlite state by launching LMS. Select the Acquisition Settings option from Admin > Collection Settings > User Tracking > Acquisition Settings. The Acquisition Settings page appears. In the Acquisition Settings page, check the Get user names from hosts in NT and NDS domains and click Apply.

Note The servers should be DNS resolvable to get the events from the clients. Else we have to make entry in %WINDIR%\system32\drivers\etc\hosts.

The UTLite script is supported on these platforms: • Windows NT • Windows 2000 • Windows XP • Windows 2003 • Windows Vista • Novell Directory Services (NDS) • Windows 7 (Client OS support) The UTLite script is not supported on these UNIX hosts: • Solaris • HP-UX • AIX This section contains: • Installing UTLite Script on Active Directory/Windows • Installing UTLite Script on NDS • Uninstalling UTLite Scripts From Windows • Uninstalling UTLite Scripts From Active Directory • Uninstalling UTLite Scripts From NDS

Installing UTLite Script on Active Directory/Windows

You must install the UTLite script on the Active Directory server and update the server’s logon script to get user logon information from Active Directory hosts.

Administration of Cisco Prime LAN Management Solution 4.2 A-38 OL-25947-01 Appendix A CLI Tools Understanding UTLite

You must have Administrator privileges on the Active Directory server to install the UTLite logon script. To install the script:

Step 1 Copy the required files to the Active Directory server: a. Log into the Active Directory server as Administrator. b. Obtain the UTLite files from the Server Configuration: NMSROOT\campus\bin\UTLite33.exe NMSROOT\campus\bin\UTLiteNT.bat where NMSROOT is the directory in which you installed Cisco Prime. c. Copy the UTLiteNT.bat and UTLite33.exe files into the NETLOGON folder. NETLOGON is located at: %SystemRoot%\sysvol\sysvol\domain DNS name\scripts, where %SystemRoot% is usually c:\winnt and domain DNS name is the DNS name of the domain

Note For Windows 2000 and NT servers, the NETLOGON folder is located at: %SYSTEMROOT%\system32\Repl\Import\Scripts

Step 2 Edit the UTLiteNT.bat file: a. Open the UTLiteNT.bat file. b. Locate the following line and replace domain and ipaddress with the domain name of the Windows domain controller and IP address of the computer running the Campus Manager server: start %WINDIR%\UTLite33 -domain domain -host ipaddress -port 16236 For example: start %WINDIR%\UTLite33 -domain cdiclab.cisco -host 192.168.152.228 -port 16236 If port 16236 is already in use, enter a different number. This port number must match the number that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page (Select Admin > Collection Settings > User Tracking > Acquisition Settings). For more details, see Modifying UT Acquisition Settings. Step 3 Edit the user profile on the Active Directory server to run the UTLiteNT.bat file when users log in to the network by editing the profile of the user as shown in Figure A-1:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-39 Appendix A CLI Tools Understanding UTLite

Figure A-1 Active Directory User Profile

Here, in the User profile section of the window, the Profile path is set to be: C:\windows\sysvol\sysvol\domain\scripts The Logon script is set to be: UTLiteNT.bat Step 4 Update the domain controller logon script for each Windows domain that you add. The first time users log into the network after you edit this script, UTLite33.exe is copied to the local WINDIR directory on their Windows client system.

Installing UTLite Script on NDS

You must install the UTLite script on the Novell Server and update the domain controller logon script, to get user logon information from Windows hosts. You only need to do this once for each domain. You must have ZenWorks installed and running on the Novell Server, and you must be using NDS 5.0 or later. To install the script:

Step 1 Copy the required files to the Novell Server. Step 2 Log into the Novell Server as Administrator.

Administration of Cisco Prime LAN Management Solution 4.2 A-40 OL-25947-01 Appendix A CLI Tools Understanding UTLite

Step 3 Obtain the UTLite files from the LMS Server: • NMSROOT\campus\bin\UTLite33.exe • NMSROOT\campus\bin\UTLiteNDS.bat where NMSROOT is the directory in which you installed Cisco Prime. Step 4 Create a folder in \\Novell Server Name\SYS\public and copy UTLiteNDS.bat and UTlite33.exe to the folder. Step 5 Edit the UTLiteNDS.bat file: Step 6 Open the UTLiteNDS.bat file. Step 7 Locate the following line and replace domain and ipaddress with the domain name of the Windows domain controller and IP address of the computer running the LMS server: start %WINDIR%\UTLite33 -domain domain -host ipaddress -port 16236 If port 16236 is already in use, enter a different number. This port number must match the number that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page (Select Admin > Collection Settings > User Tracking > Acquisition Settings). For more details, see Modifying UT Acquisition Settings. Edit the logon scripts. Step 8 Enter \\Novell_Server_Name\SYS\public\NaL.exe at the command prompt. Step 9 Click NWAdmin32 to run the Novell Netware Administrator program. Step 10 Right-click on the users or organizational units whose logon scripts you want to modify and select Details. Step 11 Click Login Script and enter: @\\%FILE_SERVER%\sys\public\your_folder_name\UTLiteNDS.bat where your_folder_name is the name of the folder you created in Step 1.

Uninstalling UTLite Scripts From Windows

If you choose not to have LMS server automatically collect user names, follow these instructions to properly remove the UTLite scripts. To uninstall the script:

Step 1 Remove UTLiteNT.bat and UTLite33.exe files from each primary domain controller. Step 2 Remove the call to run UTliteNT.bat from users' logon scripts. Step 3 Delete UTLite33.exe from the WINDIR directory of all Windows clients. To quickly locate the WINDIR directory, enter set windir from a command prompt window on each client.

Uninstalling UTLite Scripts From Active Directory

If you choose not to have LMS server automatically collect user names, follow these instructions to properly remove the UTLite scripts. To uninstall the script:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-41 Appendix A CLI Tools User Tracking Debugger Utility

Step 1 Remove UTLiteNT.bat and UTLite33.exe files from each Active Directory server. Step 2 Remove the call to run UTliteNT.bat from users' logon scripts. Step 3 Delete UTLite33.exe from the WINDIR directory of all Windows clients. To quickly locate the WINDIR directory, enter set windir from a command prompt window on each client.

Uninstalling UTLite Scripts From NDS

If you choose not to have LMS server automatically collect user names, you must perform these steps to properly remove the UTLite scripts. To uninstall the script:

Step 1 Remove UTLiteNDS.bat and UTLite33.exe files from the Novell Server. Step 2 Remove the line added to the login scripts for all users and organizational units. Step 3 Delete UTLite33.exe from the WINDIR directory of all clients. To quickly locate the WINDIR directory, enter set windir from a command prompt window on each client.

User Tracking Debugger Utility

The User Tracking Debugger Utility is a command line tool to help debug common problems with User Tracking. This section contains: • Understanding Debugger Utility • Using Debugger Utility

Understanding Debugger Utility

The utility displays a report on the reasons why User Tracking failed to discover end hosts on specific ports. In many cases, User Tracking may not perform as expected. This may be because of problems in other LMS applications. For instance LMS Server may have devices that are not discovered or inadequate VLAN discovery in Topology Services. You can run the utility to troubleshoot problems, or provide the report and log generated by the utility when you contact TAC for help in diagnosing problems. The debugger utility uses the data collected by LMS Server and reports the reasons for the missing ports in User Tracking. This tool also has an SNMP component embedded which runs an SNMP query for the table as a part of verification for SNMP failure. For example, SNMP bugs in Catalyst operating system because of which User Tracking may fail to discover devices. This generates an Action Report that you can use to analyze the data.

Administration of Cisco Prime LAN Management Solution 4.2 A-42 OL-25947-01 Appendix A CLI Tools Configuring Switches to Send MAC Notifications to LMS Server

The Debugger Utility: 1. Checks the switch ports in a sequential order. 2. Reports violation of basic rules for each of the missing ports such as link ports and trunk ports. 3. Checks for SNMP retrieval of data, if the ports pass the validity check. 4. Generates an Action Report suggesting possible remedial actions to retrieve the valid missing ports.

Using Debugger Utility

The Debugger Utility is available at $NMSROOT/campus/bin/ (where $NMSROOT is the directory where you have installed Cisco Prime). To run the Debugger Utility, run the command: utdebug -switch switch-ip -port port1[,port2 ...] [-export filename] where, switch is the switch to which the end hosts are connected. ports are the ports on the switch which have missing end hosts User Tracking. -export filename specifies that the debug messages be stored in the file specified. If this option is not used, the messages are displayed on the console. For example, utdebug -switch 10.29.6.12 -port 5/12 utdebug -switch 10.29.100.10 -port Fa0/10 utdebug -switch 10.29.6.14 -port Gi6

Configuring Switches to Send MAC Notifications to LMS Server

You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a host is connected to or disconnected from that port. Even if the device is managed with SNMPv3, Network Topology, Layer-2 Services, and User Tracking, it processes only SNMPv1/SNMPv2 traps. You can configure the ports only through Command Line Interface (CLI). If you do not have Configuration Management functionality enabled on your LMS Server, you have to manually configure the switches for the switches to send MAC Notifications to the LMS server. Ensure that you have configured System Identity User under Admin > Trust Management > Multi Server > System Identity Setup and the same username and password is configured under Admin > System > User Management > Local User Setup. For a list of commands to be run on each device, see the Appendix Commands to Enable MAC Notification Traps on Devices. For complete list of devices supported by LMS, see http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/device_suppo rt/table/lms42sdt.html

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-43 Appendix A CLI Tools Administration Command Line Interface

Administration Command Line Interface

This section describes how to administer LMS database from the command line. This is explained in the following topics: • Replacing Corrupted Database • Re-initializing the Database • Deleting all Active Entries from User Tracking, and Restarting Servers • Deleting all Inactive Entries from User Tracking, and Restarting Servers • Deleting all History Entries from User Tracking, and Restarting Servers • Deleting all User Tracking Entries, and Restarting Servers • Restoring the Original Data in the Server • Restoring Data from Another Server • Performance Tuning Tool This section also explains SNMP Configuration on Devices

Replacing Corrupted Database If you have a corrupted database, you can use the database administration tools to restore the database from a previous backup. However, if you do not have a previous backup, you must re-initialize the database. When you run this command, if Data Collection is running, it is automatically stopped and then restarted when the database initialization is complete.

Caution If you re-initialize the database, information from discovered devices will be lost. However, user and host information is retained. Replace the database only if recommended by a Cisco technical representative.

Note Your login determines whether you can use this option.

Re-initializing the Database From the command prompt or shell window, enter: • On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl • On Windows: perl NMSROOT\campus\bin\reinitdb.pl The following message appears: This will erase all data from the database. Are you sure [y/n] ?

If you enter y, it erases all data (database tables Wbu*...) from the server.

Administration of Cisco Prime LAN Management Solution 4.2 A-44 OL-25947-01 Appendix A CLI Tools Administration Command Line Interface

Deleting all Active Entries from User Tracking, and Restarting Servers From the command prompt or shell window, enter: • On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -active • On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -active where active entries are hosts that are currently logged in

Deleting all Inactive Entries from User Tracking, and Restarting Servers From the command prompt or shell window, enter: • On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -inactive • On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -inactive where inactive entries are hosts that are currently not logged in

Deleting all History Entries from User Tracking, and Restarting Servers From the command prompt or shell window, enter: • On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -history • On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -history where history entries are complete entries. That is, hosts that have a login and logout in the past.

Deleting all User Tracking Entries, and Restarting Servers From the command prompt or shell window, enter: • On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -all • On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -all

Restoring the Original Data in the Server From the command prompt or shell window, enter: • On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -restore • On Windows: perl NMSROOT\campus\bin\reinitdb.pl -restore

Note Before executing the -restore command, you should stop the daemon manager and start again manually. For details, see Using Daemon Manager.

Restoring Data from Another Server When you take database backup for LMS in one server and restore it in another server, the NMSROOT logfile location may not be the same in both servers. In that case, LMS will log messages to the log file stored in the default NMSROOT location in the restored machine. where NMSROOT is the root directory where you installed Cisco Prime.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-45 Appendix A CLI Tools Administration Command Line Interface

Performance Tuning Tool When you get out of memory errors in LMS, the following command can be used to tune the performance: NMSROOT/bin/perl NMSROOT/campus/bin/CMPTT.pl ProcessName HeapSize MaxPermSize • ProcessName should be either one of the following: – ANIServer – UTMajorAcquisition • Heap size should be multiples of 512 and should not exceed 1536 MB. Ensure you have enough swap space in the server before tuning the heap size. • MaxPermSize will set the JVM MaxPermSize option to 64m.

SNMP Configuration on Devices

SNMP v3 Device Configuration Settings LMS supports the following Authentication protocols for SNMP v3: • md5 • SHA LMS supports the following Privacy protocols for SNMP v3: • des • 3des • aes128 • aes192 • aes256. For using various LMS features in devices running SNMPv3, you must make specific configurations on the devices. The commands that need to be configured are: • Configuring MIB Views • Configuring Access Groups • Configuring Device with Context Name • Configuring a New User • Configuring Password for a User • Relating a User to a Group • Configuring Privacy Protocol

Configuring MIB Views For Catalyst devices, enter the following command: set snmp view campusview 1.3.6.1 included nonvolatile

For IOS devices, enter the following command: snmp-server view campusview oid-tree included

Administration of Cisco Prime LAN Management Solution 4.2 A-46 OL-25947-01 Appendix A CLI Tools Administration Command Line Interface

Configuring Access Groups You must set the access rights for a group with a certain security model in different security levels. For Catalyst devices, enter the following command: set snmp access campusgroup security-model v3 authentication read campusview write campusview nonvolatile

For IOS devices, enter the following command: snmp-server group campusgroup v3 auth read campusview write campusview access access-list

Configuring Device with Context Name For Catalyst devices, enter the following commands: set snmp access campusgroup security-model v3 authentication read campusview write campusview context vlan- prefix nonvolatile

Context exact is also supported. The following is an example:

set snmp access campusgroup security-model v3 authentication read campusview write campusview context vlan-1 exact nonvolatile

For IOS devices, enter the following command: snmp-server group campusgroup v3 auth context vlan-1 read campusview write campusview

IOS image versions prior to12.4 support only exact context name. IOS image versions 12.4 or higher, support both exact or prefix context names. You need to configure the device with and without context name, since Data Collection manages the device without context name and User Tracking requires context name to contact the device.

Configuring a New User For Catalyst devices, enter the following command: set snmp user campususer authentication md5

For IOS devices, enter the following command: snmp-server user campususer campusgroup v3 auth md5 password1

Configuring Password for a User For Catalyst devices, enter the following command:

set snmp user campususer authentication md5 password1

For IOS devices, enter the following command: snmp-server user campususer campusgroup v3 auth md5 password1

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-47 Appendix A CLI Tools Administration Command Line Interface

Relating a User to a Group Using a specified security model you can relate a user to a group. For Catalyst devices, enter the following command: set snmpw group campusgroup user campususer security-model v3 nonvolatile

For IOS devices, enter the following command:

snmp-server user campususer campusgroup v3

Configuring Privacy Protocol For Catalyst devices: set snmp user campususer authentication md5 password1privacy des password2

For IOS devices:

snmp-server user campususer campusgroup v3 auth md5 password1 priv des password2

Configuring SNMP view to prevent %SNMP-3-AUTHFAIL Syslog due to polling of shutdown VLANs Due to the limitation of stpxPVSTVlanEnable mib object, data collection polls shut down VLANs for fetching STP related data which will enable the device to trigger %SNMP-3-AUTHFAIL Syslogs. In order to avoid the polling of shut down VLAN, SNMP-VACM-MIB view has to be created in the device, associated with SNMP credential and the property vacmContextNameEnabled has to be set to 1 in LMS. You can enable it by creating a view and by including and excluding MIBs. To create a SNMP view:

Step 1 Create a SNMP view as follows in device x: snmp-server view iso included snmp-server view internet included snmp-server view internet.6.3.15 excluded snmp-server view w1 internet.6.3.16 excluded snmp-server view internet.6.3.18 excluded snmp-server view cTapMIB excluded snmp-server view internet.6.3.16.1.1 included Step 2 Associate the view with SNMP v2 RO community string. snmp-server community view RO Step 3 Shut down a vlan in device x. Step 4 In ANIServer.properties, set vacmContextNameEnabled=1 and restart ANIServer. Step 5 Run DC for device x.

Note During data collection LMS is quering vacmContextName variable of SNMP-VACAM-MIB. From this MIB variable LMS can find out which vlans are in shut down state so that LMS will try to connect to that vlan context. This MIB will be not supported by the device by default.

Administration of Cisco Prime LAN Management Solution 4.2 A-48 OL-25947-01 Appendix A CLI Tools Administration Command Line Interface

In LMS, by default the property vacmContextNameEnabled in ANIServer.properties under NMSROOT/campus/ect/cwsi has the value 0. This value has to be changed to 1 and then restart the daemons.

Note The device side configuration has to be done on all the devices in the network before changing the property in LMS. Otherwise some of the features will not work in Topology and Layer2 Services.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 A-49 Appendix A CLI Tools Administration Command Line Interface

Administration of Cisco Prime LAN Management Solution 4.2 A-50 OL-25947-01

APPENDIX B

Troubleshooting and FAQs

This section provides the following information for the Administration module of LMS: • Troubleshooting Guidelines • Frequently Asked Questions

Troubleshooting Guidelines

This section provides guidelines on the following: • Troubleshooting User Tracking • Troubleshooting the Cisco Prime LMS Server

Troubleshooting User Tracking

Use the information in Table B-1 to troubleshoot the User Tracking application.

Table B-1 Troubleshooting User Tracking

Symptom Probable Cause Possible Solution User Tracking cannot discover any There may not be information in the For more details, see users or hosts LMS database. • Discovering Devices in Inventory or The device might not be part of DCR and Management with Cisco Prime LAN you must run Device Discovery and Management Solution 4.2 User Tracking cannot display any Data Collection. IP phones. • Administering Data Collection User Tracking cannot discover The LMS server might not have 1. Check the Topology services for the certain users or hosts. discovered one or more devices to which missing devices users and hosts are connected. 2. Ensure that CDP and SNMP are enabled on the devices, rediscover these devices, 3. Verify that they appear on the topology view.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-1 Appendix B Troubleshooting and FAQs Troubleshooting Guidelines

Table B-1 Troubleshooting User Tracking (continued)

Symptom Probable Cause Possible Solution User Tracking cannot discover The LMS server might not have 1. Check the Topology services for the certain IP phones. discovered the specific Media missing MCS that runs the instance of Convergence Server (MCS) that runs the Cisco CallManager to which the phones instance of Cisco CallManager to which are registered. the IP phones are registered. 2. Ensure that Cisco CallManager is shown as a service running on the MCS and is discovered by the LMS Server. 3. Rediscover all IP phones. User Tracking table does not User Tracking cannot find the most Enable Ping Sweeps when User Tracking contain device name, IP address, recent network information. performs Discovery. Ping Sweeps are enabled by default. and subnet information for some Network changes are not currently hosts. reflected in ARP information (routers) To perform Ping Sweep on larger subnets, you or bridge tables (switches). can either: User Tracking does not perform Ping • Configure a higher value for the ARP Sweep on large subnets; for example, cache time-out on the routers. subnets containing Class A and B To configure the value, you must use the addresses. arp time-out interface configuration Hence, ARP cache might not have some command on devices running Cisco IOS. IP addresses and the User Tracking may Or not display the IP addresses. • Use any external software, which will In larger subnets, the ping process leads enable you to ping the host IP addresses. to numerous ping responses that might increase the traffic on your network and This will ensure that when you run User result in extensive use of network Tracking Acquisition, the ARP cache of resources. the router contains the IP addresses. You have: A complete Device Discovery process 1. Run Device Discovery. has not run since you added your • Made changes to the network. 2. Run a complete Data collection. changes. • Run User Tracking Major 3. Generate a new report after data User Tracking Major Acquisition is not Acquisition. collection is complete to see the changes. a full network discovery. The process The changes do not appear in discovers only the user and host data in the User Tracking display. your network. Changes that you make to your network might not appear after a User Tracking Major Acquisition.

Troubleshooting the Cisco Prime LMS Server

Use these tools and suggestions to diagnose problems with the Cisco Prime LMS server: • Verifying Server Status • Troubleshooting Suggestions

Administration of Cisco Prime LAN Management Solution 4.2 B-2 OL-25947-01 Appendix B Troubleshooting and FAQs Troubleshooting Guidelines

Verifying Server Status

There are several tools that enable you to gather and analyze information about your Cisco Prime LMS Server. See Table B-2 and Table B-4.

Table B-2 Server Status

Task Purpose Action Administrative Tasks Perform self test. Runs self-tests and Select Admin > System > Server Monitoring > generates a report with the Selftest. results. All Users Check process Checks whether back-end Select Admin > System > Server Monitoring > status. processes are in an interim Processes. state. Collect server Provides system Select Admin > System > Server Monitoring > information. information, environment, Collect Server Information configuration, logs, and Or web server information. Enter the following command: • NMSROOT\bin\perl NMSROOT\bin\collect.info (on Windows) • NMSROOT/bin/perl NMSROOT/bin/collect.info (on Solaris/Soft Appliance) where NMSROOT is the directory where you installed Cisco Prime.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-3 Appendix B Troubleshooting and FAQs Troubleshooting Guidelines

Table B-2 Server Status

Task Purpose Action MDC Support The MDC Support utility For Windows go to, collects: NMSROOT\MDC\bin and run the command: • Log files MDCSupport.exe • Configuration settings The utility creates a tar file in NMSROOT\MDC\etc • Memory information directory. • Complete system If \etc directory is full, or if you want to preserve the related information data collected previously by not over writing the tar file, you may create another directory by running the • Process status following command: • Host environment MDCSupport.exe Directory information For Solaris/Soft Appliance, It also collects any other relevant data, into a 1. Set the LD_LIBRARY_PATH environment deliverable tar variable to /opt/CSCOpx/MDC/lib: (compressed form) file to /opt/CSCOpx/lib: support the MDCs 2. Go to /opt/CSCOpx/MDC/bin and run the installed. command:./mdcsupport The MDC Support utility The utility creates a tar file in also queries CCR for any CSCOpx/MDC/etc directory. other support utilities registered, and run them. If \etc directory is full, or if you want to preserve the data collected previously by not over writing the tar Other MDCs need to file, create another directory by running the register their own support following command: utilities that will collect ./mdcsupport Directory their relevant data. Before you close the command window, ensure that the MDC Support utility has completed its action. If you close the window prematurely, the subsequent instances of MDCSupport Utility will not function properly. If you happen to close the window, delete the mdcsupporttemp directory from NMSROOT\MDC\etc directory, for subsequent instances to work properly.

Administration of Cisco Prime LAN Management Solution 4.2 B-4 OL-25947-01 Appendix B Troubleshooting and FAQs Troubleshooting Guidelines

Troubleshooting Suggestions

Use the suggestions in Table B-3 to resolve errors or other problems with the Cisco Prime LMS Server.

Table B-3 Troubleshooting Suggestions

Symptom Probable Cause Possible Solutions Authorization Incompatible browser Verify that you have Accept all cookies enabled. Refer to the installation required. Please causing cookie failure documentation for supported Internet Explorer and Mozilla Firefox log in with your (unable to retrieve software and setup procedures. username and cookie). password. Daemon Manager The operating system has Make sure all Cisco Prime processes are terminated (/usr/ucb/ps -auxww could not start. not yet reallocated the | grep CSCO). Wait five to ten minutes, then try to restart the Daemon The port is in use. port. Manager. User has forgotten LMS cannot recover A system administrator-level user must either change the password or his password. forgotten passwords. delete the user account and add it again. You are logged out of Changes in the login 1. Log into Cisco Prime LMS Server. the Cisco Prime module configuration file 2. Enter the following commands: Server. might not be correct. – NMSROOT\bin\perl NMSROOT\bin\ResetLoginModule.pl Authentication server (on Windows) might be down and there were no fallback logins – NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl set. (on Solaris/Soft Appliance) 3. Restart Daemon Manager. The Log File Status Files need to be backed up 1. Stop all processes. window displays so that file size will be 2. Enter the log file maintenance commands: files that exceed their reset to zero. limit. – NMSROOT\cgi-bin\admin\ (on Windows) – NMSROOT/cgi-bin/admin/ (on Solaris/Soft Appliance) 3. Restart all processes. Error message in the Device is not SSH enabled 1. Check whether the device is up or not. logfile: Connection or the server is not 2. Try connecting to the device with a commercial SSH client. Refused. Check the authorized to initiate SSH Device is SSH connection. If you are able to connect, go to step 3. supported or not. If you are not able to connect, check whether the device is running SSH enabled (K2 or K9) image. • If it is not the correct image, download the appropriate image to the device. • If you have the correct image, check whether you have created RSA key pairs in the device. Creating RSA keys will enable SSH in the device. 3. Check whether your server or network is authorized to initiate SSH connections to device.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-5 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Table B-3 Troubleshooting Suggestions (continued)

Symptom Probable Cause Possible Solutions While launching the The Group Administration Start the Group Administration server from the user interface or from the Group server is either not running CLI. Administration page, or yet to be up. To start the server from the user interface: the following error message is 1. Select Admin > System > Server Monitoring > Processes. displayed: The Process Management Dialog Box appears. Error in 2. Check the CMFOGSServer check box in the Process Management communicating with Group dialog box Administration 3. Click Start. Server. To start the server from the CLI, enter: NMSROOT/bin/pdexec CMFOGSServer where NMSROOT is the Cisco Prime LMS Installation directory. DCRServer is down Check wheter Make sure the following two files have proper content by checking the and services are not ctm_config.txt file is contents with the sample ctm_config.txt: starting properly. corrupted. • /NMSROOT/MDC/tomcat/shared/lib/ctm_config.txt • /NMSROOT/MDC/tomcat/webapps/cwhp/WEB-INF/lib/ctm_config.tx t where NMSROOT is the Cisco Prime LMS Installation directory. Sample ctm_config.txt SERVER_PORT=40050 MAX_VM_PORTS=20 MAX_THREADS=100 CTM_SSL=1 CTM_URL=:443/cwhp/CTMServlet MAX_VM_CLIENT_CONNECTION=25 REGISTRY_LOCATION=NMSROOT\\MDC\\tomcat\\webapps\\cwhp\\W EB-INF\\lib

See Installing and Migrating to Cisco Prime LAN Management Solution 4.2 for troubleshooting tips on Cisco Prime installation.

Frequently Asked Questions

This section provides FAQs on the following: • User Tracking FAQs • VRF Lite FAQs • Cisco Prime LMS Server FAQs • Fault Management FAQs

Administration of Cisco Prime LAN Management Solution 4.2 B-6 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

• Device Performance Management FAQs • IPSLA Performance Management FAQs

User Tracking FAQs

This section lists the FAQs on User Tracking: • Q.Why are outdated entries appearing in my User Tracking table? • Q.How does User Tracking acquisition process differ from that of the LMS Server? • Q.How does User Tracking user and host acquisition process work? • Q.Why is User Tracking not performing Ping Sweeps on some subnets? • Q.How long does User Tracking maintain data? • Q.Does User Tracking discover users and hosts connected to non-Cisco Discovery Protocol (CDP) devices? • Q.Where does User Tracking log errors? • Q.Why am I getting a parse error when trying to parse some of the output files? • Q.Why is user tracking not discovering end hosts that are connected to port-channels?

Q. Why are outdated entries appearing in my User Tracking table? A. Outdated entries result when: – A user or host is assigned to new VLAN/port/VTP domain. – A power failure occurred. – A workstation has been switched off or removed from the network. User Tracking does not automatically delete outdated end-user host entries. To delete these entries: – Manually delete selected entries. Or – Configure delete interval for purging old records more than the given number of days. – Select Admin > Network > Purge Settings > User Tracking Purge Policy

Q. How does User Tracking acquisition process differ from that of the LMS Server? A. User Tracking is a LMS client application. The LMS Server provides several types of global discoveries, including: – Device and physical topology acquisition, resulting in baseline network information such as device identity, module and port information, and physical topology. This type of acquisition is required for logical, user, and path acquisition. – User acquisition, resulting in information about users and hosts on the network. The LMS Server stores this information in the database. User Tracking discovers the host and user information in the LMS server database, correlates this information, and displays it in the User Tracking Reports. For more information about the various acquisition processes, see Various Acquisitions in User Tracking.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-7 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. How does User Tracking user and host acquisition process work? A. Before collecting user and host information, LMS must complete Data Collection. After the completion of Data Collection User Tracking performs steps described in Table B-4. Table B-4 User Tracking User and Host Acquisition Process

Process Description Performs Ping Sweeps Pings all IP addresses on all known subnets, if you have Ping Sweeps enabled (the default). This process updates the switch and router tables before User Tracking reads those tables. This ensures that User Tracking displays the most recent information about users and hosts. Obtains MAC addresses from Reads the switch's bridge forwarding table. switches The bridge forwarding table provides the MAC addresses of end stations, and maps these MAC addresses to the switch port on which each workstation resides. Obtains IP and MAC Reads the Address Resolution Protocol (ARP) table in routers to addresses from routers obtain the IP and corresponding MAC addresses. Obtains hostnames Performs a Domain Name Service (DNS) lookup to obtain the hostname for every IP address. Obtains usernames Attempts to locate the users currently logged in to the hosts and tries to obtain their username or login ID. Records discovered Records the discovered information in the LMS database. information

Q. Why is User Tracking not performing Ping Sweeps on some subnets? A. The criterion for whether or not User Tracking performs Ping Sweeps on a subnet is the number of hosts in the subnet: You must check if you have excluded the subnets from Ping Sweep. If a subnet has 256 or fewer hosts, User Tracking performs Ping Sweeps on that subnet. User Tracking does not perform Ping Sweeps on the subnets, which have more than 256 hosts. If Ping Sweeps are not performed, User Tracking still obtains information from the router and switch mapping tables during a discovery. For more details on Ping Sweep, see Notes on Ping Sweep Option.

Q. How long does User Tracking maintain data? A. It depends on the delete interval you have set. For more details, see Deleting User Tracking Purge Policy Details.

Q. Does User Tracking discover users and hosts connected to non-Cisco Discovery Protocol (CDP) devices? A. LMS does not manage non-CDP devices. Hence User Tracking will not discover users and hosts in the network connected to non-CDP devices.

Administration of Cisco Prime LAN Management Solution 4.2 B-8 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. Where does User Tracking log errors? A. User Tracking major acquisition errors are logged in the User Tracking error log. Data Collection errors are logged in the respective log file. The log files are located at Solaris/Soft Appliance : /var/adm/CSCOpx/log Windows: NMSROOT\log Where NMSROOT is the directory where you have installed Cisco Prime.

Q. Why am I getting a parse error when trying to parse some of the output files? A. A few classes in Optical switches contain special characters with ASCII code higher than 160. Most of the XML parsers do not support these characters and hence fail to parse them. To overcome this, you have to manually search for those elements with special characters and append CDATA as given in the example below: If there is an element ¢Úo Change it to:

Q. Why is user tracking not discovering end hosts that are connected to port-channels? A. LMS supports only PAgP protocol configured ether-channel ports. User tracking discovers only those end hosts that are connected to port-channels which are configured with PAgP protocol. LMS does not support LACP protocol for IOS devices. Nexus devices do not support the PAgP protocol. Hence LMS supports LACP protocol only for Nexus devices. Devices using LACP protocol ether channel do not support topology view and user tracking end discovery and other LMS features.

VRF Lite FAQs

This section lists the FAQs on VRF Lite: • Q.What is VRF Lite ? • Q.What is Network Virtualization? • Q.What are the pre-requisites to manage a device using VRF Lite? • Q.The device must be managed by LMS to exercise all the functionality of VRF Lite. The desired device is not listed in the device selector for the VRF Lite configuration workflows. What is the reason for a device not listed in the device selector? • Q.What are the different categories in which the devices are managed by Virtual Network Manager? Or what criteria are used by Virtual Network Manager to categorize the devices in the network? • Q.Sometimes, while performing VRF Lite configuration, I get the following message: • Q.What are the details of the VRF Lite log files? In which location are the VRF Lite log files located? • Q.When is the VRF Lite Collection process triggered? • Q.After the completion of the Data collection process, the VRF Lite Collector failed to run, What is the reason for failure? • Q.How can I configure SNMP timeout and retries details for VRF Lite?

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-9 Appendix B Troubleshooting and FAQs Frequently Asked Questions

• Q.What is the reason for VLANs not getting populated in the VLAN to VRF Lite Mapping page in the Create VRF Lite and Extend VRF Lite workflows ? • Q.How do I enable the debug messages for Virtual Network Manager? • Q.Why are some port-channels not discovered in VRF Lite? • Q.What are the processes newly introduced for VRF Lite ? • Q.What is tested number of devices support in VRF Lite? • Q.What are the property files associated with VRF Lite? • Q.In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow, why are values for the IP Address and SubnetMask fields empty? • Q.What is protocol order for configuration workflows? • Q.What is protocol ordering for troubleshooting? • Q.If you configure commands to be deployed to two different devices, will the commands be deployed parallelly or serially? • Q.Which VRF Lite configuration jobs that are failed can be retried? • Q.Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page? • Q.Why the FHRP and DHCP configurations are not shown in VRF Lite?

Q. What is VRF Lite ? A. Virtual Routing and Forwarding Lite (VRF Lite) is the one of the simplest form of implementing virtualization technology in an Enterprise network. A Virtual Routing and Forwarding is defined as VPN routing/forwarding instance. A VRF Lite consists of an IP Routing table, a derived forwarding table, a set of interfaces that use the forwarding table and set of routing protocols that determine what goes into the forwarding table. VRF Lite is an application that allows you to pre-provision, provision and monitor Virtual Routing and Forwarding-Lite (VRF Lite) technology on an enterprise network.

Q. What is Network Virtualization? A. Virtualization deals with extending a traditional IP routing to a technology that helps companies utilize network resources more effectively and efficiently. Using virtualization, a single physical network can be logically segmented into many logical networks. The virtualization technology supports multiple virtual routing instances of a routing table to exist within a single routing device and work simultaneously.

Q. What are the pre-requisites to manage a device using VRF Lite? A. The pre-requisites to manage a device in VRF Lite are: 1. The device must be managed by LMS. 2. The device must either be L2/L3 or L3 device 3. The devices failing to satisfy pre-requisite # 1 or #2, are not displayed in VRF Lite. The device must have the necessary hardware support. For more information on hardware support, see http://www.cisco.com/en/US/products/sw/cscowork/ps563/products_device_support_tables_list.ht ml. If the device hardware is not supported then the device will be classified as Other devices 4. If a device supports MPLS VPN MIB, it is classified as a capable device.

Administration of Cisco Prime LAN Management Solution 4.2 B-10 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

5. VTP Server must be support MPLS VPN MIB. If the VTP Server does not support MPLS VPN MIB, VRF Lite will not manage VTP Clients.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-11 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. The device must be managed by LMS to exercise all the functionality of VRF Lite. The desired device is not listed in the device selector for the VRF Lite configuration workflows. What is the reason for a device not listed in the device selector? A. A device is not listed in the device selector due to the following reasons: All VRF Lite Configuration workflows like Create, Edit, Extend, Delete VRF Lite and Edge VLAN Configuration. A device will not be listed in the Device Selector, if a device does not satisfy the pre-requisites as mentioned in the Configuring Virtual Routing and Forwarding (VRF) in Configuration Management with Cisco Prime LAN Management Solution 4.2. If VRF Lite Configuration workflow is either Edit VRF Lite, or Delete VRF Lite or Edge VLAN Configuration then a device will not be listed in the Device Selector, if a device is not participating in the selected VRF Lite. In the Readiness Report, a device listed as a supported device may be because it is not managed by LMS. You can check if a device is managed by using the Device Management State Summary (Inventory > Device Administration > Manage Device State). In Extend VRF Lite workflow, the devices listed in the Device Selector are the devices that are not participating in the selected VRF Lite. In Edge VLAN Configuration workflow, the devices listed in the Device Selector are only L2/L3 devices that are not participating in the selected VRF Lite.

Q. What are the different categories in which the devices are managed by Virtual Network Manager? Or what criteria are used by Virtual Network Manager to categorize the devices in the network? A. Virtual Network Manager identifies the devices based on the minimum hardware and software support required to configure VRF Lite on the devices. Based on the available hardware and software support in the devices, Virtual Network Manager classifies the devices into following categories: – VRF Lite Supported Devices– Represents the devices with required hardware and software support available to configure VRF Lite on the devices. – VRF Lite Capable Devices – Represents the devices with required hardware support available. But the device software must be upgraded to support MPLS VPN MIB. For information on the IOS version that supports MPLS VPN MIB, refer http://tools.cisco.com/ITDIT/MIBS/MainServlet. VRF Lite classifies all the devices from Cat 3k and Cat 4k family of devices as VRF Lite Capable devices as these devices do not have the required MPLS VPN MIB support. – Other – Represents the devices without required hardware support to configure VRF Lite. SysOID of the device needs to be checked.

Administration of Cisco Prime LAN Management Solution 4.2 B-12 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. Sometimes, while performing VRF Lite configuration, I get the following message: The device(s) with device name(s) are already locked as they are used by configuration workflows. You cannot configure these devices. Wait for some time Or Ensure the devices are not used by configuration workflows and free the devices from Admin > Network > Resource Browser. Or Selected Device(s) are locked as they are used by configuration workflows. You cannot configure these devices. Wait for some time OR Ensure the devices are not used by configuration workflows and free the devices from Admin > Network > Resource Browser. Can I get the details of the user who has locked the devices to perform VRF Lite configuration? A. You cannot get the details of user who has locked the devices to perform VRF Lite configurations.

Q. What are the details of the VRF Lite log files? In which location are the VRF Lite log files located? A. The following are the details of the VRF Lite log files: 1. Vnmserver.log – This log file logs the messages pertaining to the VRF Lite Server process. 2. Vnmcollector.log – This log file logs the messages pertaining to the VRF Lite collection. 3. Vnmclient.log – This log file logs the messages related to the User Interface. 4. Vnmutils.log – This log file logs the messages pertaining to the utility classes used by VRF Lite client and server. The above-mentioned VRF Lite log files are located in the following location: In Solaris/Soft Appliance : /var/adm/CSCOpx/log/ In Windows: NMSROOT\logs

Q. When is the VRF Lite Collection process triggered? A. Manually: You can manually schedule to run the VRF Lite Collection process by: Providing the setting details using Admin > Collection Settings > VRF Lite > VRF Lite Collector Schedule option. Automatically: If you enable the Run VRF Lite Collector After Every Data Collection in the VRF Lite Collector Schedule page. The VRF Lite Collection process will be automatically triggered after the completion of Data Collection. You can reach the VRF Lite Collector Schedule page using Admin > Collection Settings > VRF Lite > VRF Lite Collection Settings page.

Q. After the completion of the Data collection process, the VRF Lite Collector failed to run, What is the reason for failure? A. Check if the Run VRF Lite Collector After Every Data Collection option is enabled in the VRF Lite Collector Schedule page. You can reach the VRF Lite Collector Schedule page from Admin > Network > VRF Lite Collection Settings page.

Q. How can I configure SNMP timeout and retries details for VRF Lite? A. The SNMP timeout and retries details are configured using Admin > Collection Settings > VRF Lite > VRF Lite SNMP Timeouts and Retries. By default, all the devices have a timeout of six seconds and retry attempt of 1 second.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-13 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. What is the reason for VLANs not getting populated in the VLAN to VRF Lite Mapping page in the Create VRF Lite and Extend VRF Lite workflows ? A. The VLAN to VRF Lite Mapping page lists the links connecting the source and the destination device. The VLANs are not listed in fields displaying the links in the VLAN to VRF Lite Mapping page because VRF Lite tries to find a free VLAN in the devices connected using a link based on the following procedure 1. An SVI, VRF Lite searches for free VLANs in the range 1- 1005 2. An SI, VRF Lite searches for free VLANs in the range 1006-4005

Q. How do I enable the debug messages for Virtual Network Manager? A. You can enable the debugging levels for a particular module using • Admin > System > Debug Settings > VRF Lite Client Debugging Options. • Admin > System > Debug Settings > VRF Lite Collector Debugging • Admin > System > Debug Settings > VRF Lite Server Debugging • Admin > System > Debug Settings > VRF Lite Utility Debugging You can manually change the name and the size of the log file. The configuration log files are available under NMSROOT/MDC/tomcat/webapps/vnm/WEB-INF/classes. The changes made will be reflected after approximately 60 seconds.

Q. Why are some port-channels not discovered in VRF Lite? A. VRF Lite does not support port-channel and GRE Tunnel. Also, Currently VRF Lite supports only 802.1Q

Q. What are the processes newly introduced for VRF Lite ? A. To run VRF Lite , VRF Lite Server process is newly introduced in the application. The VRF Lite Collector process is executed as a Job.

Q. What is tested number of devices support in VRF Lite? A. In an Enterprise network, VRF Lite is tested to support the configuration of 32 VRFs with VRF Lite configuration supported in 550 devices in your network. However, at a given time, you can select up to 20 devices and configure VRF Lite using the Create, Edit and Extend VRF Lite workflow.

Q. What are the property files associated with VRF Lite? A. The following property files are associated with VRF Lite: 1. NMSROOT/vnm/conf/VNMClient.properties – This property file is used to provide the settings for Purge and Home page auto Refresh 2. NMSROOT/vnm/conf/VNMServer.properties – This property file is used to provide the SNMP and VRF Lite Server settings. 3. NMSROOT/vnm/conf/VRFCollectorSnmp.conf – This property file stores the SNMP Timeout and Retries that you have configured.

Q. In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow, why are values for the IP Address and SubnetMask fields empty? A. If the physical interface that links two devices is not configured with an IP Address, then the IP Address and the SubnetMask fields are empty.

Administration of Cisco Prime LAN Management Solution 4.2 B-14 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. What is protocol order for configuration workflows? A. Configuration workflow uses the protocol order similar to ordering used by NetConfig in Resource Manager Essentials. Choose the NetConfig as Application Name from using Admin > Collection Settings > Config > Config Transport Settings page. You can view the protocol ordering in the Transport Settings page.

Q. What is protocol ordering for troubleshooting? A. Troubleshooting VRF Lite workflow uses the protocol ordering similar to ordering used by NetShow in Resource Manager Essentials. Choose the NetShow as Application Name from using Admin > Collection Settings > Config > Config Transport Settings page. You can view the protocol ordering in the Transport Settings page.

Q. If you configure commands to be deployed to two different devices, will the commands be deployed parallelly or serially? A. The commands will be deployed to multiple devices parallelly, where as a series of commands with-in a single device, will be deployed in serial manner.

Q. Which VRF Lite configuration jobs that are failed can be retried? A. You can retry all the VRF Lite Configuration jobs which are failed. VRF Lite Configuration jobs are the jobs pertaining to Create, Edit, Extend, Delete VRF Lite and Edge VLAN Configuration workflow.

Q. Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page? A. The functionality for Monitor Real Time button is provided by IPSLA Performance Management. This button is enabled only when IPSLA Performance Management is enabled in the local server.

Q. Why the FHRP and DHCP configurations are not shown in VRF Lite? A. VRF Lite does not fetch the details for the FHRP or DHCP configuration from the device. Also, VRF Lite won’t put the list of VLANs allowed on a trunk The Protocols and DHCP Server details for existing or newly created SVIs are not fetched from the selected devices.

Cisco Prime LMS Server FAQs

The following sections lists the Frequently Asked Questions (FAQs) of Cisco Prime LMS application. • General • Security • Important URLs • Software Center • Event Distribution Services and Event System Services • Backup and Restore • Database • Apache and Tomcat

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-15 Appendix B Troubleshooting and FAQs Frequently Asked Questions

General

The section lists you the general FAQs on LMS: • Q.Which version of the Java Plug-in should I use for Cisco Prime to function properly? • Q.Why cannot I start my Cisco Prime application? • Q.Why am I unable to launch Cisco Prime from a Windows 2008 client machine? • Q.I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access? • Q.Do I need to change the Cisco Prime configuration after changing the IP address? • Q.How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running it for a while? • Q.How do I change the port for osagent in Windows? • Q.How do I change port for osagent in Solaris? • Q.How do I ensure that jrm is running fine? • Q.How do I change the casuser password in Windows? • Q.How do I change the Cisco Prime user password? • Q.How do I enable debugging for Session Management Services? • Q.What does a diskWatcher process do? • Q.Cisco Prime Time is not synchronized with System time. What should I do? • Q.How do I change the configuration details of the server after installing LMS Soft Appliance? • Q.How can I increase the timeout value of Cisco Prime LMS user interface? • Q.How should I change the syslog port of Cisco Prime from 514 to another number? • Q.What should I do when Daemon Manager and multiple processes are not started on a Windows machine? • Q.How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running it for a while? • Q.Why do I get the Java Script Not Enabled error after logging into Cisco Prime? • Q.In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets? • Q.What are the specific ports required for Internet HTTP features? • Q.Why is the device name not available in the home page after importing? • Q.How do you ensure to register using a template and launch the links properly? • Q.I am getting timeout exception in cmdsvc (command service library) during a device connection/socket establishment. How do I change the default timeout and delays in cmdsvc? • Q.What should I do when the TAC Service Requests feature that displays my current Cisco.com TAC tickets does not use the proxy to connect, even after setting the proxy in proxy server setup? • Q.I am unable to access LMS running on Windows 2008 Server, when I use IE, but it works properly in FF, what could be the reason?

Q. How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running it for a while? A. You can change the IP address on the server, and then access it using the new IP address.

Administration of Cisco Prime LAN Management Solution 4.2 B-16 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

To change the IP address on Windows:

Step 1 Click Start > Settings > Network and Dial-up Connections > Local Area Connection. The Local Area Connection Status dialog box appears. Step 2 Click Properties. The Local Area Connection Properties dialog box appears. Step 3 Select Internet Protocol (TCP/IP) and click Properties. The Internet Protocol (TCP/IP) Properties dialog box appears. Step 4 Select the radio button Use the following IP address. Step 5 Change the IP address as required, in the IP address field. For the subnet mask and default gateway values, enter the ipconfig command at the command prompt. The subnet mask and default gateway values appear. Step 6 Enter these values in the Subnet mask and Default gateway fields. Step 7 Click OK to go back to Local Area Connection Status dialog box. Step 8 Click OK. Step 9 Restart the server.

To change the IP address on Solaris, use the command ifconfig at the command prompt to change the IP address of the required interface. For example, at the command prompt, you can enter: ifconfig interfacename inet ipv4address where the variable interfacename represents the name of the interface and ipv4address represents the new IP address.

Q. Why do I get the Java Script Not Enabled error after logging into Cisco Prime? A. This could be because Java Script is disabled in Internet Explorer. You should enable it in IE. To do so:

Step 1 Launch Internet Explorer and click Tools > Internet Options. Step 2 Click the Security tab and select Trusted Sites. Step 3 Add the Cisco Prime LMS Server to the trusted zone. Step 4 Clear the selection in Require server verification for all sites in this zone. Step 5 Click OK to return to the Security tab. Step 6 Click the Custom level button from the Security level for this zone panel. Step 7 Select the Enable option for scripting of Java applets. Step 8 Click OK to return to the Security tab. Step 9 Click Apply.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-17 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets? A. In Microsoft Internet Explorer 7.0 and 8.0 browsers, the Telnet protocol handler is disabled by default. To re-enable the Telnet protocol:

Step 1 Click Start > Run. The Run dialog box opens. Step 2 In the Open box, enter: Regedit, then click OK. The Registry Editor opens. Step 3 Go to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl. Step 4 Under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl, create a new key named FEATURE_DISABLE_TELNET_PROTOCOL. Step 5 Add a DWORD value named iexplore.exe and set the value to 0 (decimal). Step 6 Close the Registry Editor. Step 7 Restart the browser, the Telnet protocol is enabled

Q. What are the specific ports required for Internet HTTP features? A. Only port number 80 is required for all HTTP interactions between Cisco Prime LMS Server and Cisco.com, including the Software Center interactions.

Q. Why is the device name not available in the home page after importing? A. The probable causes for this problem could be: – There is a mismatch between the hostname in the template imported and the hostname specified in the UI during importing. – The application imported from a remote server does not belong to the server from which it is imported.

Q. How do you ensure to register using a template and launch the links properly? A. Before you register through a template, you should ensure that: – The host is reachable. – Port information specified is correct and reflects the current port of the bundle. – The application is available and can be launched by entering the application URL in the browser.

Q. Which version of the Java Plug-in should I use for Cisco Prime to function properly? A. Cisco Prime supports Java Plug-in 1.6.0_19 in all the supported clients and operating systems. We recommend that you do not install any other plug-ins other than this one, for Cisco Prime to function properly.

Administration of Cisco Prime LAN Management Solution 4.2 B-18 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. Why cannot I start my Cisco Prime application? A. If you cannot start your Cisco Prime application and see error messages, it may be because the web server may not be running. This may occur although pdshow indicates that those processes are running. You need to check how your machine resolves its server name and IP address. The Cisco Prime CORBA applications require name resolution to work properly. Domain Name Service (DNS) is mandatory for Cisco Prime CORBA applications to work properly. Configure the name resolution mechanism and restart the Cisco Prime LMS Server to access the application correctly.

Q. Why am I unable to launch Cisco Prime from a Windows 2008 client machine? A. This is caused by the default security settings in the browsers. Sometimes, the META-REFRESH tag is disabled in the browser. To enable the META-REFRESH tag in the browser:

Step 1 Click Tools > Internet Options. The Internet Options dialog box opens. Step 2 Click the Security tab. Step 3 Select the Internet zone. Step 4 Click Custom level... The Security Settings dialog box opens. Step 5 In the Miscellaneous options, select the Enable option for Allow Meta Refresh field. Step 6 Click OK, and then Apply to update the settings. Step 7 Close the IE 7 or IE 8 open windows. Step 8 Launch a new IE 7 or IE 8 window and login into LMS.

Q. I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access? A. There are several reasons why you are locked out. It is probably caused by the changes made using the Select Login Module option. You must replace the incorrect login module with a default configuration, log into Cisco Prime, and return to the login module to correct one or more of the following: – Session Time out – Change from SSL mode to non-SSL mode – Change from non-SSL mode to SSL mode – Log out from any other Cisco Prime application – Visit other sites and then return to Cisco Prime Do not alter the existing technologies in the default configuration file. If all of the parameters listed are correct, see Troubleshooting Suggestions.

Q. Do I need to change the Cisco Prime configuration after changing the IP address? A. You need not change the Cisco Prime configuration whenever you change the IP address. Cisco Prime uses hostname for most of the communication. Only devices need to point to the new IP address. However, after changing the IP address, you must reboot the system on a Solaris server and restart the Daemon Manager on a Windows server. This is to make the changes effective.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-19 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running it for a while? A. To change the hostname of the Cisco Prime LMS Server, you need to update several files and windows registry entries. You can use the hostnamechange.pl CLI utility to update the new host name information in files and windows registry entries. See Using LMS Server Hostname Change Scripts for more information.

Q. How do I change the port for osagent in Windows? A. Before you change the port for osagent in Windows: – Ensure that the daemons are not running. Enter the following command to stop the Daemon Manager: net stop crmdmgtd – Backup your Windows registry. To change the port for osagent in Windows, run the following script at the command prompt: NMSROOT\bin\perl NMSROOT\bin\ChangeOSAGENTPort.pl Port_Number where, Port_Number refers to any unused port number between 1026 to 65535. The script completes the following: • Updates the value of the following registry entries with the new port numbers. – HKEY_LOCAL_MACHINE > SOFTWARE > Cisco > Resource Manager > Current Version > Daemon > RmeOrb – HKEY_LOCAL_MACHINE > SOFTWARE > Cisco > Resource Manager > Current Version > Daemon > RmeGatekeeper – HKEY_LOCAL_MACHINE > SOFTWARE > Cisco > Resource Manager > Current Version > Environment • Changes the value of the port number to new port number in NameServer and NameServiceMonitor processes. • Changes the value of OSAGENT_PORT and PX_OSA_PORT port numbers in the md.properties file with the new port numbers. Reboot the server and start the Daemon Manager after you have completed running the script.

Q. How do I change port for osagent in Solaris? A. Before you change the port for osagent in Solaris: – Ensure that the daemons are not running. Enter the following command to stop the Daemon Manager: /etc/init.d/dmgtd stop – Make sure that no CSCO processes are running. – Back up NMSROOT/objects/dmgt/dmgtd.conf file. To change the port for osagent in Solaris, run the following script at the command prompt: NMSROOT/bin/perl NMSROOT/bin/ChangeOSAGENTPort.pl Port_Number where, Port_Number refers to any unused port number between 1026 to 65535.

Administration of Cisco Prime LAN Management Solution 4.2 B-20 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

The script completes the following: • Changes the value of the port number to new port number in NameServer and NameServiceMonitor processes. • Changes the value of OSAGENT_PORT and PX_OSA_PORT port numbers in the md.properties file with the new port numbers. • Updates the new port number in /etc/services file. • Updates the entry in /var/sadm/pkg/CSCOmd/pkginfo file. Reboot the server and start the Daemon Manager after you have completed running the scripts.

Q. How do I ensure that jrm is running fine? A. To check whether jrm is working on Windows, at the command prompt enter: cwjava -cw NMSROOT com.cisco.nm.cmf.jrm.jobcli

To check whether jrm is working on Solaris, at the command prompt enter: cwjava -cw NMSROOT com.cisco.nm.cmf.jrm.jobcli

– If you get a message Established connection with JRM, then EDS, EDS-GCF and jrm are running. – If you do not get the above message, contact the technical assistance center with the error message. – If your jrm in down or inaccessible, you’ll get a message while accessing the UIs.

Q. How do I change the casuser password in Windows? A. You can change the casuser password using resetCasuser.exe. It can be run only by an administrator or casuser. To change the casuser password:

Step 1 Enter NMSROOT\setup\support resetCasuser.exe at the command prompt You can: 1. Randomly generate the password 2. Enter the password 3. Exit. Step 2 Enter 2, and press Enter. It prompts you to enter the password. Step 3 Confirm the password.

Note You must know the password policy. If the password entered does not match the password policy, it exits.

Q. How do I change the Cisco Prime user password? A. See Changing Cisco Prime User Password Through CLI for details.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-21 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. How do I enable debugging for Session Management Services? A. To enable debugging for Session Management Services:

Step 1 Go to NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml. You should edit the following section of the file: DEBUG false mice debug enabling Step 2 Change false to true.

Q. What does a diskWatcher process do? A. The diskWatcher process monitors disk space availability on the Cisco Prime LMS Server. This process calculates the disk space information of a drive (in Windows machine) or a file system (in Solaris machine) at regular intervals and stores them in diskWatcher.log file. See Configuring Disk Space Threshold Limit for more information.

Q. Cisco Prime Time is not synchronized with System time. What should I do? A. You should complete the following: a. Edit the TIMEZONE file using the vi /etc/TIMEZONE command on a Solaris machine. b. Set the TZ=standard_timezone. For example, you can specify TZ=MET. c. Save the TIMEZONE file. d. Reboot the machine. Now the system displays the modified time zone information. If you need to change the time zone to daylight, you change only the time and date but not the TIMEZONE.

Q. How can I increase the timeout value of Cisco Prime LMS user interface? A. You can configure the timeout value in the following file. NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml where NMSROOT is your Cisco Prime Installation directory. You should change the value of an XML tag by name session-timeout. You should specify the value in minutes. The default timeout value is set to 2 hours. You cannot disable this option as this may increase the load in the server.

Q. How do I change the configuration details of the server after installing LMS Soft Appliance? A. To change the configuration details of the server after installation:

Step 1 Login with Soft Appliance console administrator user account. This is the sysadmin username that you provided during installation. Step 2 Enter the password.

Administration of Cisco Prime LAN Management Solution 4.2 B-22 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Step 3 Enter the command shell. Step 4 Enter the following command to stop the Daemons: /etc/init.d/dmgtd stop Step 5 Enter exit to go to the sysadmin mode. Step 6 Enter the following command, in sysadmin view: /sysadmin# config terminal Enter the configuration commands, one per line. End with CNTL/Z. In all the examples, sysadmin represents the sysadmin username that you provided during installation. Step 7 Change the required configuration details of the server. You can change the hostname, Default DNS Domain, IP Address, IP Netmask, IP Default Gateway, Primary Name Server, Primary NTP Server, Time Zone, Username or Password. See Table B-5 for more details. Step 8 Enter the command end. The following will be displayed: /sysadmin# Step 9 Enter the following command to update the changes: /sysadmin# write memory Step 10 Right-click the server and select Power > Reset to start the server. Or Enter the following command:

/sysadmin# reload Save the Current ADE-OS running configuration ?(yes/no)[yes]?yes

Note You should reboot the server only if you change the following configuration details: • Hostname • Default DNS Domain • IP Address, IP Netmask • IP Default Gateway • Primary Name Server • Primary NTP Server • Time Zone

The Daemons Manager will start automatically. Step 11 Enter the following command to run the hostnamechange file: /sysadmin# shell Enter shell password: /etc/init.d/dmgtd stop [/root-ade ~]# /opt/CSCOpx/bin/perl /opt/CSCOpx/bin/hostnamechange.pl -ohost -nhost

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-23 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Note You should execute this command only when you change the hostname. Each time you change the hostnameof the server, you must perform, steps 1 to 9 to reflect the hostname changes in LMS.

Step 12 Enter the following command to start the Daemons: sysadmin#/etc/init.d/dmgtd start

Note You must restart the Daemon Manager before and after you change the hostname.

Note You must change the server configuration details only through Soft Appliance admin console.

Table B-5 lists the examples of how to change the Soft Appliance server configuration details.

Table B-5 Soft Appliance Server Configuration Details

Tasks Configuration Details Change the HostName /sysadmin(config)# hostname Changing the hostname may result in undesired side effects on any installed application(s). Are you sure you want to proceed? [y/n] y LNX-LMS-05/admin(config)# Change the Domain, LNX-LMS-05/sysadmin(config)# ip domain-name Gateway and Name server Changing the domain name may result in undesired side effects on any installed application(s). Are you sure you want to proceed? [y/n] y LNX-LMS-05/sysadmin(config)# ip default-gateway LNX-LMS-05/sysadmin(config)# ip name-server Change the NTP Server LNX-LMS-05/sysadmin(config)# ntp server Change the IP address and LNX-LMS-05/sysadmin(config)# interface GigabitEthernet 0 Subnet Mask LNX-LMS-05/sysadmin(config-GigabitEthernet)# LNX-LMS-05/sysadmin(config-GigabitEthernet)# ip address Change the TimeZone LNX-LMS-05/sysadmin(config)# clock timezone See Supported Server Time Zones and Offset Settings for more details. Change the Username/ LNX-LMS-05/sysadmin(config)# username password Password plain role admin LNX-LMS-05/sysadmin(config)# end

Q. How should I change the syslog port of Cisco Prime from 514 to another number? A. You can change the syslog port by modifying the value of CrmLogPort registry key located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmlog\Parameters.

Administration of Cisco Prime LAN Management Solution 4.2 B-24 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

After you have changed the syslog port, you need to restart the syslog service.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-25 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. What should I do when Daemon Manager and multiple processes are not started on a Windows machine? A. Sometimes, Windows may prevent to run some processes for security reasons. You should do the following on a Windows 2003 Operating system:

Step 1 Right-click the My Computer icon on your desktop and click Properties to open the System Properties dialog box. Step 2 Click the Advanced tab. Step 3 Click Settings from the Performance panel to open the Performance Options dialog box. Step 4 Click the Data Execution Prevention tab. Step 5 Check whether the java.exe and cwjava.exe are available in the list of blocked programs. If so, remove the programs from the blocked list. Step 6 Click OK to close the Performance Options dialog box. Step 7 Click OK to close the System Properties dialog box. Step 8 Reboot the server.

Q. I am getting timeout exception in cmdsvc (command service library) during a device connection/socket establishment. How do I change the default timeout and delays in cmdsvc? A. You can change the default timeout and delays in cmdsvc using the cmdsvc.properties file available in the following directory: $NMSROOT/objects/cmf/data To change the default timeout and delay values:

Step 1 Go to the directory $NMSROOT/objects/cmf/data Step 2 Open the cmdsvc.properties file. Various timeout and delay values are listed in the file. Step 3 Remove the Hash symbol (#) to uncomment a particular timeout or delay value. Step 4 Remove the existing timeout or delay value. Step 5 Enter new timeout or delay value. Step 6 Save the cmdsvc.properties file.

Q. What should I do when the TAC Service Requests feature that displays my current Cisco.com TAC tickets does not use the proxy to connect, even after setting the proxy in proxy server setup? A. Check whether the following production urls are reachable in the server, where product is installed. • SASI_SERVER—https://wsgx.cisco.com • RSR_SERVER—https://wsgx.cisco.com • CSC_SERVER—https://supportforums.cisco.com • CCOLOGINURL—https://sso.cisco.com/autho/apps/nmtgSSapp/index.html • CCOLOGOUTURL—https://sso.cisco.com/autho/logout.html

Administration of Cisco Prime LAN Management Solution 4.2 B-26 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

• CASE_QUERY_URL—https://tools.cisco.com/ServiceRequestTool/query/QueryCaseSearchAction. do?caseType=ciscoServiceRequest&method=doQueryByCase&SRNumber= • LOGIN_REDIRECT_URL—https://fed.cisco.com/idp/startSSO.ping?PartnerSpId=csc.jivesoftware.c om&TargetResource= • CSC_REDIRECT_URL—https://supportforums.cisco.com

Q. I am unable to access LMS running on Windows 2008 Server, when I use IE, but it works properly in FF, what could be the reason? A. You are not able to access LMS in IE because of the cache issue. Clear the browser cookies and cache from IE.

Important URLs

Q. What are the URLs that are most commonly used in LMS? A. The following URLs are most commonly used in LMS and should be added in the proxy server: General http://www.cisco.com Device update/Software update/Point Patch update • https://tools.cisco.com/software/catalog/swcs/softwaremetadata • https://tools.cisco.com/software/catalog/swcs/image • https://www.cco.cisco.com IOS image download • http://www.cisco.com/cgi-bin/smarts/swim/crmiosbridge.pl • http://www.cisco.com/techsupport Smart Services • SASI_SERVER—https://wsgx.cisco.com • RSR_SERVER— https://wsgx.cisco.com • CSC_SERVER—https://supportforums.cisco.com • CCOLOGINURL—https://sso.cisco.com/autho/apps/nmtgSSapp/index.html • CCOLOGOUTURL— https://sso.cisco.com/autho/logout.html • CASE_QUERY_URL—https://tools.cisco.com/ServiceRequestTool/query/QueryCaseSearchAction. do?caseType=ciscoServiceRequest • LOGIN_REDIRECT_URL—https://fed.cisco.com/idp/startSSO.ping?PartnerSpId=csc.jivesoftware.c om • CSC_REDIRECT_URL—https://supportforums.cisco.com PSIRT • EoS/EoL Hardware Report—http://www.cisco.com/cisco/software/release.html?mdfid=282253606 &flowid=5144&softwareid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE &rellifecycle=&reltype=latest# • EoS/EoL Software Report—http://www.cisco.com/cisco/software/release.html?mdfid=282253606 &flowid=5144&softwareid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE& rellifecycle=&reltype=latest#

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-27 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Bug Toolkit • http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl • http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do??method=getAllBugs • http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do?method=getAffectedBugdata&bu gid= • http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do?method=getBugsReport Contract Connection • http://www.cisco.com/cgi-bin/front.x/cconx/conx_userinfo.pl • https://www.cisco.com/cgi-bin/front.x/cconx/conx_recv_data.pl • https://www.cisco.com/cgi-bin/front.x/cconx/conx_sortdetail_js.pl Compliance and Audit Management • Download Contracts—https://apps.cisco.com/CustAdv/ServiceSales/contract/viewContractMgr.do ?method=viewContractMgr • Download Compliance Policy Updates—http://www.cisco.com/cisco/software/release.html?mdfid =284259296&flowid=31102&softwareid=284270571&release=1.0.0&relind=AVAILABLE& rellifecycle=&reltype=latest

Security

The following are the FAQs on LMS Security: • Q.When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This makes the process tedious. Is there a way to reduce the number of dialog boxes and steps? • Q.When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a security alert related to the site's security certificate. It asks for my input to proceed further. Why? • Q.My server certificate for Cisco Prime has expired. What should I do? • Q.I have configured the Active Directory Login Module but it does not work. How can I analyze the problem? • Q.What are the minimum and maximum length of user account names? How do I control them? • Q.What are the rules to enter a valid username and password? • Q.Where is the SSL log present? • Q.Why am I getting a 403 forbidden error while trying to access Cisco Prime pages?

Q. When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This makes the process tedious. Is there a way to reduce the number of dialog boxes and steps? A. Yes. You have the following options: – If you are using Self-signed certificates in Internet Explorer, install the certificate in the browser’s trusted certificate stores, if you are confident about the identity of the server. – Use a server certificate issued by a prominent third party certificate authority (CA). – Configure the hostname in your server certificate properly, and use the same hostname to invoke Cisco Prime.

Q. When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a security alert related to the site's security certificate. It asks for my input to proceed further. Why?

Administration of Cisco Prime LAN Management Solution 4.2 B-28 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

A. Cisco Prime does not have any control over this behavior. This is an expected browser behavior (Microsoft Internet Explorer or Mozilla Firefox), to ensure proper security. This appears if any of the following conditions is not satisfied: – The certificate of the server (Cisco Prime Server in this case) must be issued by trusted Certificate Authority. – The date of the certificate must be valid. (Each certificate is assigned a validity period. It can range from 21 days to 5 years). – The name of the certificate and name of the page (or the name typed in the address bar of the browser) are the same. To view the certificate information: – Click View Certificate, in the alert box for Internet Explorer. – Click Examine Certificate in the alert box for Mozilla Firefox. The server should be invoked with the name same as the Issued to' field of the certificate. To install the certificate in Internet Explorer:

Step 1 Click View Certificate in the alert box. The Certificate dialog box displays the Certificate information. Step 2 Click Install Certificate.

Q. My server certificate for Cisco Prime has expired. What should I do? A. If you are using a self-signed certificate, you can create a new certificate using the Create Self Signed Certificate option. For more information, see Creating Self Signed Certificates. If you are using a third party issued certificate, you must contact the certificate authority (CA) and renew the certificate. You can use a self-signed certificate till you get the certificate renewed by the CA.

Note Before you perform any certificate management operations—creating or modifying certificates, back up the certificate files, the server private key in particular, and keep them in a safe location.

Q. I have configured the Active Directory Login Module but it does not work. How can I analyze the problem? A. To analyze the problem, enable the Debug mode for the Active Directory Login module. To do this:

Step 1 Login as Admin. Step 2 Select Admin > System > Authentication Mode Setup. The Select Login Module dialog box appears. Step 3 Select a login module from the Available Login Modules list box and Click on Edit Options. The Login Module Options dialog box appears. Step 4 Select the radio button True and click Finish. This enables the Debug option. Enabling debug mode allows the login module to add the detailed progress and failure information to log files. The log files are located at:

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-29 Appendix B Troubleshooting and FAQs Frequently Asked Questions

NMSROOT/MDC/Tomcat/logs/stdout.log For all failed login attempts, the log files contain LDAP error messages, which specify the reason for the failure. For example, if the Usersroot configuration is incorrect, then the login module cannot match the complete DN string with any entries in the Active Directory database. It indicates which portion of the DN matched and which portion did not match. You can verify your Active Directory setup and the entries for the Usersroot. In some cases, the log file contains error messages with NameError. This indicates that either you entered a wrong user ID or there is some spelling error in the Usersroot configuration.

Q. What are the minimum and maximum length of user account names? How do I control them? A. The minimum length of a user account name is 5 characters. The maximum length of a user account name is 255 characters. You can control the length of user account names using the Local User Policy Setup page. See Setting up Local User Policy for more information.

Q. What are the rules to enter a valid username and password? A. The username can contain the alphabets in lower and upper cases, numerals, hyphens (-), underscores (_), periods (.), tilde (~), commercial At character (@), number sign (#), Apostrophe ('), solidus or leading slash (/), trailing slash (\), and space. The username should start with alphabets, numerals and underscore characters. The password can contain the alphabets, numerals, leading and trailing spaces, and any special characters. The length of username and password can span from 5 to 256 characters.

Administration of Cisco Prime LAN Management Solution 4.2 B-30 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. Where is the SSL log present? A. The SSL log is present in the NMSROOT directory, where NMSROOT is your Cisco Prime Installation directory.

Q. Why am I getting a 403 forbidden error while trying to access Cisco Prime pages? A. You should check whether the casuser is assigned with the required local security policies. To check whether the casuser is assigned with the required policies:

Step 1 Click Start > Settings > Control Panel> Administrative Tools. Step 2 Click the Local Security Policy shortcut from the Administrative Tools folder. The Local Security Policy window opens. Step 3 Click Local policies > User Rights Assignment in the Local Security Policy window. Step 4 Check whether the casuser is assigned with the following privileges: • Access this computer from the network • Log on as a batch job

If the casuser is not assigned with the required privileges, you should run the resetCasuser utility again. Enter the following commands to run the resetCasuser utility: • NMSROOT/CSCOpx/setup/support/resetCasuser (On Solaris/Soft Appliance) • NMSROOT\CSCOpx\setup\support\resetCasuser.exe (On Windows) where NMSROOT refers to the Cisco Prime Installation directory. The other possible solutions are: • Remove or disable the anti-virus software • Restart Daemon Manager • Uninstall or disable IIS • Log on as a batch job • Disable Cisco Security Agent • Stop the Daemon Manager and check if there are any Apache or Tomcat processes running. If so, kill the stray processes from the Task Manager or stop them from the Services panel. • Ensure that the casuser or administrator has the read permission for the CSCOpx, CSCOpx/MDC/tomcat/webapps/cwhp directories, and their inner directories.

Software Center

The following are the FAQs on Software Center: • Q.How do I find out which devices are supported by a particular application? • Q.What are the prerequisites for downloading Software Updates from Cisco.com? • Q.Does the Software Center list only the software updates that are not installed in this machine? • Q.What should I do if I see errors when using Software Center or having issues with LMS not correctly working with supported devices?

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-31 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. How do I find out which devices are supported by a particular application? A. Select Admin > System > Software Center > Software Update. Under Applications Installed, click the application name to see a list of the supported devices. See Selecting Software Updates for more information.

Q. What are the prerequisites for downloading Software Updates from Cisco.com? A. You should check for the following: – Valid Cisco.com credentials are configured during Server administration – Valid proxy details are configured and Cisco Prime support basic authentication of proxy server. See Downloading Software Updates for more information.

Q. Does the Software Center list only the software updates that are not installed in this machine? A. The Software Center module lists all software updates including those that are installed. However, it performs the filtering for device updates.

Q. What should I do if I see errors when using Software Center or having issues with LMS not correctly working with supported devices? A. Under rare circumstances, internal LMS files that contain information on which device support packages are installed and which devices are supported, become corrupted. If such files become corrupted, you may notice one or more of the following symptoms: – "HTTP 500" error occurs while trying to view package information from Admin > System > Software Center > Device Update. One possible exception is: java.util.NoSuchElementException at java.util.StringTokenizer.nextToken(StringTokenizer.java:259) at com.cisco.nm.xms.psu.ui.gui.model.action.DevUpdate.getPackageMap(Unknown Source) at com.cisco.nm.xms.psu.ui.gui.model.action.DevUpdate.perform(Unknown Source) – The following errors will be seen in NMSROOT\log\psu.log:

[ ] ERROR [CreateMaps : removeDupEntries] :String index out of range: -1 – Devices shown as supported in "Supported Devices Table for Cisco Prime LAN Management Solution" and may have been working previously, show as not supported/unknown and displays device icons in Device Selectors with a question mark (?) in one or more areas of LMS. – Various forms of Inventory/Configuration Collection from devices (Inventory > Dashboards > Device Status > Collection Summary) fails for all devices of a particular model, but succeeds for other devices with identical configuration, yet different models. – Specific models of devices are not available in Device Selectors to have reports, jobs or other functionality run on them, however Inventory Collection and/or Config Archive has succeeded for them. This is frequently seen with Configuration related functionality. To resolve such issues, you can run the NMSROOT/bin/reCreatePkgMap.pl script and recreate files which store information on which device support packages are installed and devices they support. Run the following script: NMSROOT/bin/perl NMSROOT/bin/reCreatePkgMap.pl (Solaris/Soft Appliance) or NMSROOT\bin\perl NMSROOT\bin\reCreatePkgMap.pl (Windows)

Administration of Cisco Prime LAN Management Solution 4.2 B-32 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

where NMSROOT is your Cisco Prime installation directory. If issues persist after running this script, contact the Cisco Technical Asssistance Center for further assistance.

Event Distribution Services and Event System Services

The following are the FAQs on Event Distribution Services and Event System Services: • Q.How do I change the ESS port? • Q.Why do the EDS process is not starting? • Q.How should I configure EDS in a multi-homed machine?

Q. How do I change the ESS port? A. You can change the ESS port by running the following commands: – NMSROOT/objects/ess/conf/Ports2Alternate.pl – NMSROOT/objects/ess/conf/Ports2Primary.pl where NMSROOT is the default installation directory of Cisco Prime.

Q. Why do the EDS process is not starting? A. You should check: – If the hostname is correct and is not changed recently. – If the osagent is in use in port 42342.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-33 Appendix B Troubleshooting and FAQs Frequently Asked Questions

If the osagent is not in use, you should:

Step 1 Stop the Daemon Manager. Step 2 Run the ChangeOSAGENTPort.pl script to change the port number. Enter the following command: NMSROOT/bin/perl NMSROOT/bin/ChangeOSAGENTPort.pl Port_number where, NMSROOT — Cisco Prime Installation directory Port_number— Osagent port Step 3 Restart the Daemon Manager.

Q. How should I configure EDS in a multi-homed machine? A. To run Cisco Prime LMS and configure EDS on a multi-homed machine, you must all the IP Addresses in DNS.

Q. Sometimes, I am not able to access CORBA services in Cisco Prime LMS Server from other network? A. This could because the domain name of the Cisco Prime LMS server may not be resolved. To access the CORBA services in a server that is not DNS resolvable, you must:

Step 1 Change the value of attribute jacorb.dns.enable in orb.properties file from on to off. Step 2 Regenerate the self-signed certificate with IP address instead of hostname. Step 3 Restart the Daemon Manager.

Backup and Restore

The following are the FAQs on Backup and Restore: • Q.What kind of directory structure does Cisco Prime use when backing up data? • Q.What should I do when backup fails and displays a Backup.LOCK file exists error message? • Q.Do I need to stop the Daemon Manager before running backup.pl and restorebackup.pl scripts?

Q. What kind of directory structure does Cisco Prime use when backing up data? A. Cisco Prime uses a standard database structure for backing up all suites and applications. See Table B-6 for a sample directory structure on Cisco Prime LMS Server.

Table B-6 Sample Backup Directory

Directory Path Description Usage Notes /tmp/1 Number of backups 1, 2, 3... /tmp/2/cmf Application or suite Backs up Cisco Prime LMS Server applications.

Administration of Cisco Prime LAN Management Solution 4.2 B-34 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Table B-6 Sample Backup Directory (continued)

Directory Path Description Usage Notes /tmp/1/cmf/fileb Cisco Prime LMS Server Application data is stored in the datafiles.txt which are ackup.tar application tar files compiled into the tar file. /tmp/1/cmf/data Cisco Prime LMS Server Includes the following files for each database: base database directory • xxx_DbVersion.txt • xxx.db (database files) • xxx.log (database log files) • xxx.txt (database backup manifest file) where xxx is the name of the database.

Q. What should I do when backup fails and displays a Backup.LOCK file exists error message? A. You should try removing the Backup.LOCK file from the Cisco Prime installation directory and start backup again. You can use the CLI program to back up the data. See Backing up Data Using CLI for more information.

Q. Do I need to stop the Daemon Manager before running backup.pl and restorebackup.pl scripts? A. Daemons should be stopped only before you run restorebackup.pl scripts. You need not stop the Daemon Manager to run the backup.pl scripts. See Backing up Data Using CLI and Restoring Data for more information.

Database

The following are the FAQs on Database: • Q.How can I find the version of a Sybase Database? • Q.What if the database is inaccessible?

Q. How can I find the version of a Sybase Database? A. Run the following command: opt/CSCOpx/objects/db/bin64/dbsrv10 –v

Q. What if the database is inaccessible? A. If the server is not able to connect to the database, the database might be corrupt or inaccessible. This can occur if processes are not running. Try the following:

Step 1 Log in to Cisco Prime LMS server as admin. Step 2 Select Admin > System > Server Monitoring > Processes. A list of Cisco Prime back-end processes appears. You can check if there are any failed process appear in the list. Step 3 Select Admin > System > Server Monitoring > Selftest. • Click Create to create a report. • Click Display to display the report.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-35 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Step 4 Select Admin > System > Server Monitoring > Collect Server Information. Step 5 Click Product Database Status to get detailed database status. Step 6 Contact the Cisco TAC or your customer support to get the information you need to access the database and find out details about the problem. After you have the required information, perform the following tasks for detecting and fixing database errors.

Depending upon the degree of corruption, the database engine may or may not start. For certain corruptions, such as bad indexes, the database can function normally until the corrupt index is accessed. Database corruptions, such as index corruptions, can be detected by the dbvalid utility, which requires the database engine to be running. To detect database corruption:

Step 1 Log on as root (on Solaris/Soft Appliance) or with administrator privileges (on Windows). Step 2 Stop the Daemon manager if it is already running: • /etc/init.d/dmgtd stop (on Solaris/Soft Appliance) • net stop crmdmgtd (on Windows) Step 3 Make sure no database processes are running and there is no database log file. For example, if the database file is /opt/CSCOpx/databases/rme/rme.db, the database log file is /opt/CSCOpx/databases/rme/rme.log. This file is not present if the database process shuts down cleanly. Step 4 Check if the database files and the transaction log file (*.log) are owned by user casuser if you use Solaris machines. If not, change the ownership of these files to user casuser and group casusers. Step 5 Run the commands on the command prompt: cd NMSROOT/objects/db/conf

NMSROOT/bin/perl configureDb.pl action=validate dsn=cmf

The dbvalid command displays a list of tables being validated. The Validation utility scans the entire table, and looks up each record in every index and key, defined on the table. If there are errors, the utility displays a message such as: Validating DBA.xxxx run time SQL error -- Foreign key parent_is has invalid or duplicate index entries 1 error reported

If the above command reports any error, you may try: • Restoring from a previous good backup or • Reinitializing database

Caution All the current data will be lost.

To do this, you have to run the following command: NMSROOT\bin\perl NMSROOT\bin\dbRestoreOrig.pl dsn=dsn dmprefix=dmprefix

Administration of Cisco Prime LAN Management Solution 4.2 B-36 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

For LMS, dsn is cmf and dmprefix is Cmf.

Apache and Tomcat

The following are the FAQs on Apache and Tomcat: • Q.How do I avoid the SSL port conflict between HPOV and LMS servers and run them both on the same system? • Q.Why does the Apache process not come up after installation or why does the process go down suddenly? • Q.How do I change web server port numbers? • Q.How should I enable or disable web server SSL mode from the command line? • Q.How do I increase Tomcat heap size? • Q.How do I validate a Server certificate? • Q.How do I modify a certificate which is not self-signed? • Q.What is the maximum number of connections allowed by Cisco Prime to access the web interface? • Q.What version of Tomcat is installed on my server? • Q.Why does Apache server does not start during reboot process?

Q. How do I avoid the SSL port conflict between HPOV and LMS servers and run them both on the same system? A. The new installer detects IIS web server running on the machine and prompts you to enter a different port number for Cisco Prime LMS Server to avoid the conflict.

Q. Why does the Apache process not come up after installation or why does the process go down suddenly? A. This could be a problem with the Apache configuration syntax or the validity of the server certificate. You should first check the Apache configuration syntax. To do this: On Windows: Go to NMSROOT\MDC\Apache\bin and run the command Apache.exe -t -d .

Note Do not omit the .

On Solaris/Soft Appliance: Go to NMSROOT/MDC/Apache/bin and run the command ./web_server –t If the Apache configuration syntax is correct, a message appears: Syntax OK

If the Apache configuration syntax is fine, check the validity of the Server Certificate using the SSL Utility Script.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-37 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. How do I change web server port numbers? A. To change the web server port numbers, you must run separate commands for both Windows and Solaris. On Solaris: You can change the web server port numbers for the webservers. You can also change both the HTTP and HTTPS port numbers. To change the port numbers you must login as Cisco Prime LMS Server administrator, and run the following command at the prompt: NMSROOT/MDC/Apache/bin/changeport If you run this command without any command line parameter, Cisco Prime displays: *** CiscoWorks Webserver port change utility *** Usage: changeport [-s] [-f] where port number—The new port number that should be used -s—Changes the SSL port instead of the default HTTP port -f—Forces port change even if Daemon Manager detection FAILS.

Note Do not use this option by default. Use it only when Cisco Prime instructs you to.

For example, you can enter: changeport 1744—Changes the Cisco Prime web server HTTP port to use 1744. Or, changeport port number -s—Changes the Cisco Prime web server HTTPS port to use the specified port number. If you change the port after installation, Cisco Prime will not launch from Start menu (Start > Programs > Cisco Prime). You have to manually invoke the browser, and specify the URL, with the changed port number. The restrictions that apply to the specified port number are: • Port numbers less than 1026 are not allowed. However, you can use 443 as the HTTPS port number. • The specified port should not be used by any other service or daemon. The utility checks for active listening ports, and ports listed in /etc/services. If there is any conflict, it rejects the specified port. • The port number must be a numeric value in the range 1026 – 65535. Values outside this range, and non-numeric values are not allowed. • If port 443 is specified for any of the web servers, that web server process is started as root. This is because ports lower than 1026 are allowed to be used only by root in Solaris. However, according to Apache behavior, only the main web server process run as root, and all the child processes run as casuser:casusers. Only the child processes serve the external requests. The main process that runs as root monitors the child processes. It does not accept any HTTP requests. Owing to this, Apache ensures that a root process is not exposed to the external world, and thus ensures security. • If you do not want Cisco Prime processes to run as root, do not use the port 443. When you run the utility with the appropriate options, it displays messages on the tasks it performs.

Administration of Cisco Prime LAN Management Solution 4.2 B-38 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

This utility lists all the files that are being updated. Before updating, the utility will back up all affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories. It also creates a new file called index.txt. This text file contains information about the changed port, a list of all the files that are backed up, and their actual location in the Cisco Prime directory. • If you do not want Cisco Prime processes to run as root, do not use the ports 80 and 443. When you run the utility with the appropriate options, it displays messages on the tasks it performs. This utility lists out all the files that are being updated. Before updating, the utility will back up all affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories. It also creates a new file index.txt. This text file contains information about the changed port and a list of all files that are backed up and their actual location in the Cisco Prime directory. A sample backup maybe similar to: /opt | `--/CSCOpx | `--/conf | `--/backup | |--README.txt (Note the purpose of this directory as it is initially empty) | `--/AAAtpaG03_Ciscobak (Autogenerated unique backup directory). | |--index.txt (The backup file list) |--httpd.conf (Webserver config file) |--md.properties (CiscoWorks config elements) |--mdc_web.xml (Common Services application config file) |--regdaemon.key (Common Services config registry key file) |--regdaemon.xml (Common Services config registry data file) |--rootapps.conf (CiscoWorks daemons using privileged ports) |--services (The system /etc/services file) `--ssl.properties (CiscoWorks config elements for SSL mode)

Note All of the above files and the unique directories are stored with read only permission to casuser:casusers. To ensure the security of the backup files, only the Cisco Prime LMS Server administrator has write permissions.

The change port utility displays messages to the console during execution. These messages contain information about the directory where the backup files are being stored. These messages are also logged to a file, changeport.log. This file is saved to the directory: /var/adm/CSCOpx/log/changeport.log This file contains the date and time stamps to indicate when the log entries were created. On Windows: You can change the web server port numbers for the LMS Webserver. You can also change both the HTTP and HTTPS port numbers. To change the port numbers you must have administrative privileges. Run the following command at the prompt: NMSROOT\MDC\Apache\changeport.exe

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-39 Appendix B Troubleshooting and FAQs Frequently Asked Questions

If you run this utility without any command line parameter, Cisco Prime displays the following usage text: *** Common Services Webserver port change utility *** Usage: changeport [-s] [-f]

where: port number—The new port number that should be used -s—Change the SSL port instead of the default HTTP port -f—Force port change even if Daemon Manager detection fails.

Note Do not use this option by default. Use it only when Cisco Prime instructs you to.

For example, you can enter: changeport 1744—To change the Cisco Prime web server HTTP port to use 1744. Or, changeport port number -s—Changes the Cisco Prime web server HTTPS port to use the specified port number. If you change the port after installation, Cisco Prime will not launch from Start menu (Start > Programs > Cisco Prime). You have to manually invoke the browser and specify the URL, with the changed port number. The restrictions that apply to the specified port number are: • Port numbers less than 1026 are not allowed. However, you can use 443 as the HTTPS port number. • The specified port should not be used by any other service or daemon. The utility checks for active listening ports, and if any conflict is found, the utility rejects the specified port. There is no reliable way to determine whether any other service or application is using a specified port. If the service or application is running and actively listening on a port, it can be easily detected. However, if the service is currently stopped, there is no way that the utility can determine what port it uses. This is because on Windows there is no common port registry equivalent to /etc/services as in Solaris. • The port number must be a numeric value in the range 1026 – 65535. Values outside this range, and non-numeric values are not allowed. When you run the utility with the appropriate options, it displays messages on the actions it is performing.Cisco Prime It lists out all the files that are being updated. Before updating, the utility backs up all the affected files in CSCOpx\conf\backup, and creates, appropriate, unique, sub-directories. It also creates a new file called index.txt. This text file contains information about the changed port, a list of all the files that are backed up, and their actual location in the Cisco Prime directory. A sample backup may be similar to: [drive:] | `--\Program Files | `--\CSCOpx | `--\conf |

Administration of Cisco Prime LAN Management Solution 4.2 B-40 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

`--\backup | |--README.txt (Notes the purpose of this dir as it is initially empty) | `--\skc03._Ciscobak (Autogenerated unique backup directory). | |--index.txt (The backup file list) |--httpd.conf (Webserver config file) |--md.properties (CiscoWorks config elements) |--mdc_web.xml (Common Services application config file) |--regdaemon.key (Common Services config registry key file) |--regdaemon.xml (Common Services config registry data file) `--ssl.properties (CiscoWorks config elements for SSL mode)

Note All the above files and the unique directories are stored with read only permissions. Only the administrator and casuser have write permissions, to ensure the security of the backup files.

Q. How should I enable or disable web server SSL mode from the command line? A. To enable or disable the web server SSL mode:

Step 1 Stop the Daemon Manager. Step 2 Run the ConfigSSL.pl script. Enter the commands: • NMSROOT/bin/perl ConfigSSL.pl -enable (to enable the web server SSL mode from the command line) • NMSROOT/bin/perl ConfigSSL.pl -disable (to disable the web server SSL mode from the command line) Step 3 Start the Daemon Manager.

Q. How do I increase Tomcat heap size? A. To increase Tomcat heap size:

Step 1 Stop the Daemon Manager. • On Solaris/Soft Appliance: Run /etc/init.d/dmgtd stop • On Windows: Run net stop crmdmgtd Step 2 Run NMSROOT/bin/perl NMSROOT/bin/ModifyTomcatHeap.pl max heap in MB

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-41 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Step 3 Start the Daemon Manager. • On Solaris/Soft Appliance: Run /etc/init.d/dmgtd stop • On Windows: Run net start crmdmgtd

If Tomcat is already configured for higher memory than what you specify when you run the command, the following message is displayed: INFO: Tomcat is already configured with a higher heap value.

Q. How do I validate a Server certificate? A. To do this:

Step 1 Navigate to the directory where the SSL Utility Script is located. On Windows: a. Go to NMSROOT\MDC\Apache b. Enter NMSROOT\bin\perl SSLUtil.pl On Solaris/Soft Appliance: a. Go to NMSROOT/MDC/Apache/bin b. Enter NMSROOT/bin/perl SSLUtil.pl After you have entered this command, the system displays a set of options. Step 2 Select the fourth option Verify the input Certificate/Certificate Chain by entering 4. Step 3 Enter the location of the server certificate NMSROOT/MDC/Apache/conf/ssl/server.crt The script verifies if the server certificate is valid. If the script reports errors during validation and verification, you have to regenerate the certificate by running SignTool.pl from the above directory. Step 4 Enter NMSROOT/bin/perl SignTool.pl [-SSL=true | -SSL=false]

Note NMSROOT is the directory where Cisco Prime is installed.

Q. How do I modify a certificate which is not self-signed? A. LMS does not allow modifying certificates other than the self-signed certificates.

Q. What is the maximum number of connections allowed by Cisco Prime to access the web interface? A. Tomcat, the servlet engine, shipped with Cisco Prime handles a maximum of 500 connections or http requests.

Administration of Cisco Prime LAN Management Solution 4.2 B-42 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. What version of Tomcat is installed on my server? A. To find out the version of Tomcat installed on your server, you should:

Step 1 Navigate to the NMSROOT/MDC/tomcat/server/lib directory. Step 2 Unzip the catalina.jar file available in this directory. Step 3 Navigate to the location where you have extracted this jar file. Step 4 Open the Serverinfo.properties file under the orgapachecatalinautil directory. This file displays the version of Tomcat installed on the Cisco Prime LMS Server.

Q. Why does Apache server does not start during reboot process? Anti-virus causes the processes to come up slowly after reboot. Delay the anti-virus during startup to solve the issue. Ensure that the NMSROOT folder is excluded correctly from anti-virus and reboot the server after shutting down the anti-virus completely.

Fault Management FAQs

The following section lists the frequently asked questions about Fault Management. • Q.How do I enable Incharge debugging, and execute Incharge commands? • Q.What is the difference between SNMP Raw Trap Forwarding and Processed SNMP Trap alert/event Trap Forwarding? Does LMS support both of these methods? • Q.How can I receive Syslog messages from the LMS server? • Q.How can I create a link to the Java Plug-in in Netscape7.x and Mozilla 1.7.x?

Q. How do I enable Incharge debugging, and execute Incharge commands? A. Select Admin > System > Debug Settings > Fault Debugging Settings. The Fault Debugging Settings page appears. Click the Enable Incharge Debugging, and execute Incharge Commands link. See, Enable Incharge Debugging for more information.

Q. What is the difference between SNMP Raw Trap Forwarding and Processed SNMP Trap alert/event Trap Forwarding? Does LMS support both of these methods? A. Yes, LMS supports both ways of Trap forwarding. Raw Trap is forwarded by the Device to Fault Management and Fault Management has to process it. To configure Raw Trap Forwarding, select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding. When LMS receives certain SNMP traps, it analyzes the data found in fields such as Enterprise/Generic trap identifier, Specific Trap identifier, and variable-bindings of each SNMP trap message. If needed, LMS changes the property value of the object property. These are Processed Traps. To configure Processed event/alert trap forwarding, select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding. This configuration can also send trap notifications if there is a threshold violation in the LMS managed devices. For more information, refer to the Monitoring and Troubleshooting with Cisco Prime LAN Management Solution 4.2

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-43 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Q. How can I receive Syslog messages from the LMS server? A. To receive Syslog messages from a LMS server:

Step 1 Enable Syslog from Admin > Network > Notification and Action Settings > Fault - Syslog notification Step 2 Point it to any Solaris machine and run the following: • /etc/init.d/syslog start • tail -f /var/adm/messages

Q. How can I create a link to the Java Plug-in in Netscape7.x and Mozilla 1.7.x? A. Create a symbolic link to the Java Plug-in libjavaplugin_oji.so file in the Netscape 6.x/7.x or Mozilla Plugins directory. To create the link, go to the command prompt and enter:

Step 1 cd /plugins Step 2 ln -s /plugin/sparc/ns610/libjavaplugin_oji.so .

Include the period at the end. For Netscape 6.x/7.x or Mozilla browsers, restart your browser. In Netscape, go to Help > About Plug-ins to confirm that the Java Plug-in is loaded.

Device Performance Management FAQs

Q. Can I set log levels for individual application modules? Where are these log files stored? A. Yes. You can set log levels for all Device Performance Management modules. Log files are stored at these locations: • On Windows: NMSROOT\log\, where NMSROOT is the Cisco Prime DPM installation directory. • On Solaris/Soft Appliance: /var/adm/CSCOpx/log/ Report specific logs are stored under DPMReportJobs under the log directory.

Administration of Cisco Prime LAN Management Solution 4.2 B-44 OL-25947-01 Appendix B Troubleshooting and FAQs Frequently Asked Questions

IPSLA Performance Management FAQs

This section provides the FAQs on IPSLA Performance Management: • Q.How can I enable debugging in IPSLA Performance Management? • Q.I have problems while migrating the IPSLA Performance Management data. What should I do?

Q. How can I enable debugging in IPSLA Performance Management? A. Do the following:

Step 1 Select Admin > System > Debug Settings > IPSLA Debugging Settings. The IPSLA Debugging Settings page appears. Step 2 Select the module and log level from the Module and Logging Level drop-down lists. The various log levels available are FATAL, ERROR, WARN, INFO, and DEBUG. Step 3 Click Apply.

Q. I have problems while migrating the IPSLA Performance Management data. What should I do? A. Check the following log files for information: – restorebackup.log – migration.log – ipmclient.log – ipmserver.log

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 B-45 Appendix B Troubleshooting and FAQs Frequently Asked Questions

Administration of Cisco Prime LAN Management Solution 4.2 B-46 OL-25947-01

APPENDIX C

Data Extraction Engine

Cisco Prime Data Extraction Engine (DEE) is a utility to export User Tracking, Topology, and Discrepancy application data. This utility provides servlet and command line access to User Tracking, Topology and Discrepancy) and allows you to extract data in Extensible Markup Language (XML) format. This appendix contains: • Overview of Data Extraction Engine • The cmexport Command • cmexport User Tracking • cmexport Topology Command • cmexport Discrepancy Command • cmexport Manpage

Overview of Data Extraction Engine

Data Extraction Engine (DEE) is a utility that provides servlet access to User Tracking, Layer 2 topology, and discrepancy data. It also includes a command line utility that you can use to fetch user tracking data, Layer 2 topology, and discrepancy data for devices discovered by LMS server. This utility supports the following features: • Generating user tracking data in XML format: Allows you to access servlet and command line utilities that can generate user tracking data for devices discovered by LMS Server. • Generating Layer 2 topology data in XML format: Allows you to generate the latest Layer 2 topology data including information on neighbor devices. Elements in XML file are created at the device level. • Generating discrepancy data in XML format: Allows you to use discrepancy APIs to retrieve latest discrepancy data from LMS server.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 C-1 Appendix C Data Extraction Engine The cmexport Command

• Archiving XML Data: Data generated through CLI is archived at the following locations:

Table C-1 Data Archive Locations

For… Location User Tracking PX_DATADIR/cmexport/ut/timestamput.xml Layer 2 Topology PX_DATADIR/cmexport/L2Topology/ timestampL2Topology.xml Discrepancy PX_DATADIR/cmexport/Discrepancy/ timestampDiscrepancy.xml

where PX_DATADIR is either %NMSROOT%/files folder (on Windows) or /var/adm/CSCOpx/files directory (on Solaris/Soft Appliance). NMSROOT is the directory where you installed LMS; timestamp is the time at which the log was written in YearMonthDateHourOfDayMinuteSecond format. You can also specify a directory to store the output. This utility does not delete the files created in the archive. You should delete these files when necessary. While generating data through the servlet, the output appears at the client terminal. • Generating user tracking and configuration data in XML format using the Servlet: Allows you to generate and download the user tracking, topology and discrepancy XML files using the servlet. You must upload a payload XML file, which contains the cmexport and utexport command options and Cisco Prime user credentials. You should write your own script to invoke the servlet with a payload of this XML file. If the credentials are correct and options are valid, the servlet returns the exported file in XML format.

The cmexport Command

cmexport is the Cisco Prime LMS command line interface for exporting discrepancy and Layer 2 topology data details into XML format. This section contains the following topics: • Running cmexport Command • cmexport Arguments and Options

Running cmexport Command

This section contains: • Command Line Syntax • Commands

Administration of Cisco Prime LAN Management Solution 4.2 C-2 OL-25947-01 Appendix C Data Extraction Engine The cmexport Command

Command Line Syntax The command line syntax of the utility is in the following format: cmexport command arguments options

where: • cmexport is the Cisco Prime LMS command line interface for exporting User Tracking, Layer 2 topology, and discrepancy data details into XML format. • command specifies the core operation that is to be performed. • arguments are the additional parameters required for each core command. • options are the optional parameters, which modify the behavior of the specific DEE core command. The order of the arguments and options are not important. However, you must enter the core command immediately after cmexport.

Commands Table C-2 lists the command part of the cmexport syntax.

Table C-2 Command Descriptions

Core Command Description ut Generates User Tracking data in XML format. l2topology Generates layer 2 topology data in XML format. discrepancy Generates discrepancy data in XML format.

You must invoke the cmexport command with one of the core commands specified in the above table. If you do not specify any core commands, cmexport can only execute the -v or -h options: • Option -v displays the version of the cmexport utility • Option -h (or null option) lists the usage information for this utility. cmexport Arguments and Options

This section contains: • Mandatory Arguments • Optional Arguments • Function-Specific Options • Displaying Help • Uses of cmexport

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 C-3 Appendix C Data Extraction Engine The cmexport Command

Mandatory Arguments

The arguments that must be specified with all functions are: • -u userid: Specifies the Cisco Prime userid. • -p password: Specifies the password for Cisco Prime userid. – If you want to avoid the -p option, which will reveal the password in clear text in CLI, you must store your userid and password in a file and set a variable CMEXPORTFILE which points to this file. You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the full path. – If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option. You must enter the password in the file in the following format: userid password where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space. You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. If there are duplicate entries the password that matches the first user name is considered.

Note If -p password is used, the password is read from the command line instead of CMEXPORTFILE. This is not secure and we recommend that you do not use this option.

Optional Arguments

The arguments you can specify with any function are: • -d debuglevel Sets the debug level based on which debug information is printed. There are two levels of debugging—TRACE and DEBUG. If you do not specify the -d option, logging will not occur. • -l logfile Logs the results of the cmexport command to the specified log file name. By default the command output is displayed in the standard output.

Administration of Cisco Prime LAN Management Solution 4.2 C-4 OL-25947-01 Appendix C Data Extraction Engine The cmexport Command

Function-Specific Options

DEE supports the following function-specific option: -f filename If used with: • User Tracking function Specifies the name of the file to which the user tracking information is to be exported. • Topology function Specifies the name of the file to which the layer 2 topology information is to be exported. • Discrepancy function Specifies the name of the file to which the discrepancy information is to be exported.

Displaying Help

To display help for cm export Enter the following at a CLI prompt: cmexport -h. This displays a list of options for cmexport. On Solaris, you can also enter the following at a CLI prompt: man cmexport

Uses of cmexport

If you enter: cmexport ut {–u userid} –p password –host -f filename.xml User Tracking XML output for host will be generated and it is stored in the file filename.xml. If you want to export the latest topology details for all Layer 2 devices enter: cmexport L2Topology {–u userid} –p password -f filename.xml If you want to export the latest discrepancy details, enter: cmexport Discrepancy {–u userid} –p password -f filename.xml

Notations The notations followed in describing the command line arguments are explained below: {argument}—Argument is a mandatory parameter. [argument]—Argument is an optional parameter. argument—Argument is a variable. argument 1 | argument 2—Either argument 1 or argument 2 may be specified but not both. Table C-3 lists the notations part of the cmexport syntax.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 C-5 Appendix C Data Extraction Engine cmexport User Tracking

Table C-3 Notations Descriptions

Command Description ut cmexport ut {-u userid} [ -p password ] -host [ host-options ] | -phone [ phone-options ] [ options ] l2topology {-u userid} [-p password] [-f filename] discrepancy {-u userid} [-p password] [-f filename] empty [-v | -h]

-v—Displays the version of the cmexport utility. -h—Lists the options available and function of each option. cmexport User Tracking

This topic describes the cmexport User Tracking command, and the various options available to you. It contains the following sections: • Name • Synopsis • Description • Mandatory Arguments • Accessing Help • Examples

Name cmexport ut: CiscoWorks cmexport user tracking function

Synopsis cmexport ut: {-u userid} [ -p password ] -host [ host-options ] | -phone [ phone-options ] [ options ] Table C-4 lists the command part of the cmexport syntax.

Administration of Cisco Prime LAN Management Solution 4.2 C-6 OL-25947-01 Appendix C Data Extraction Engine cmexport User Tracking

Table C-4 Command Descriptions

Argument Can be one of the Following… host-options -query queryname -query queryname -view viewname -layout layoutname -layoutlayoutname -view viewname -query queryname -layout layoutname -query queryname -layout layoutname -view viewname phone-options -queryPhone queryname -layoutPhone layoutname -queryPhone queryname --layoutPhone layoutname options -f filename -d debuglevel -l logfile

Description User Tracking (specified by ut) exports the user tracking data into an XML file based on a predefined schema.

Mandatory Arguments The options that must be specified with the cmexport ut function are: • -u userid: Specifies the Cisco Prime userid. • -p password: Specifies the password for Cisco Prime userid. If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store your userid and password in a file and set a variable CMEXPORTFILE which points to this file. You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the full path. If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option. The password must be provided in the file in the following format: userid password where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 C-7 Appendix C Data Extraction Engine cmexport User Tracking

You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. The password that matches the first user name is considered in case of duplicate entries.

Note If -p password is used, the password is read from the command line instead of CMEXPORTFILE. This is not secure and we recommend that you do not use this option.

• -host: Specifies host data to be exported. • -phone: Specifies phone data to be exported.

Options The options you can specify with the ut function are: • -d debuglevel Sets the debug level based on which debug information is printed. There are two levels of debugging—TRACE and DEBUG. If you do not specify the -d option, no logging will occur. • -l logfile Logs the results of the cmexport command to the specified logfile name. By default the command output will be displayed in the standard output. • -f filename The file option specifies the filename where the XML output is to be stored. If the filename is not specified with -f option, an XML file of the format timestamput.xml is stored in the following directory: PX_DATADIR/cmexport/ut • -view Specifies the format in which the user tracking XML data is to be presented. It supports two optional arguments: a. switch: User Tracking data is displayed based on the type of switch. b. subnet: User Tracking data is displayed based on the subnet in which they are present. The -view options are not case sensitive. • -query queryname User Tracking host data is exported in XML format for the query provided in queryname. This option must be used with the -host argument. For this option: – Create a Custom report for end hosts from the mega menu: Reports > Report Designer > User Tracking > Custom Reports. – Use the Custom report name as a value here. • -layout layoutname User Tracking host data is exported in XML format for the layout provided in layoutname. This option must be used with the -host argument. For this option: – Create a Custom layout for end hosts in the following screen: Reports > Report Designer > User Tracking > Custom Layouts. – Use the Custom layout name as a value here.

Administration of Cisco Prime LAN Management Solution 4.2 C-8 OL-25947-01 Appendix C Data Extraction Engine cmexport Topology Command

Note The Custom layouts are defined per user. An invalid layout name error message will be displayed if layout name created by another user is entered as custom layout name.

• -queryPhone queryname User Tracking phone data is exported in XML format for the query given in queryname. This option must be used with the -phone argument. For this option: – Create a Custom report for IP phones in the following screen: Reports > Report Designer > User Tracking > Custom Reports. – Use the Custom report name as a value here. • -layoutPhone layoutPhone User Tracking phone data is exported in XML format for the layout given in layoutPhone. This option must be used with the -phone argument. For this option: – Create a Custom layout for IP phones in the following screen: Reports > Report Designer > User Tracking > Custom Layouts. – Use the Custom layout name as a value here.

Accessing Help Enter the following in the CLI: • cmexport -h: Displays a list of options for cmexport. • cmexport ut -h: Displays a list of options for the cmexport ut command. On Solaris, you can also enter the following in the CLI: man cmexport

Examples Considering userid: admin, password: admin, queryname: host1Query, layoutname: host1Layout, queryphone: phone1Query, layoutphone: phone1Layout, filename: file1.xml, we can have the following: cmexport ut -u admin -p admin -host cmexport ut -u admin -p admin -phone cmexport ut -u admin -p admin -host -query host1Query -layout all cmexport ut -u admin -p admin -host -query host1Query -layout layoutname cmexport ut -u admin -p admin -phone -queryPhone phone1Query -layoutPhone phone1Layout cmexport ut -u admin -p admin -host -f file1.xml cmexport ut -u admin -view switch -host cmexport Topology Command

This section contains: • Name • Synopsis • Description • Mandatory Arguments • Accessing Help

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 C-9 Appendix C Data Extraction Engine cmexport Topology Command

• Examples

Name cmexport L2Topology: Cisco Prime cmexport layer 2 topology function

Synopsis cmexport l2topology {-u userid} [ -p password ] [ options ]

Table C-5 Command Description

Argument can be one of the following… options -f filename -d debuglevel -l logfile

where cmexport l2topology -h lists the options available and function of each option.

Description Layer 2 Topology (specified by l2topology) exports the Layer 2 topology data into an XML file based on a predefined schema.

Mandatory Arguments The options that you must specify with the cmexport L2Topology function are: The options that you must specify with the cmexport L2Topology function are: • -u userid: Specifies the Cisco Prime user ID. • -p password Specifies the password for Cisco Prime user ID. If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store your userid and password in a file and set a variable CMEXPORTFILE which points to this file. You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the full path. If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option. The password must be provided in the file in the following format: userid password where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space.

Administration of Cisco Prime LAN Management Solution 4.2 C-10 OL-25947-01 Appendix C Data Extraction Engine cmexport Topology Command

Note If -p password is used, the password is read from the command line instead of CMEXPORTFILE. This is not secure and we recommend that you do not use this option.

Options The options you can specify with the layer 2 topology function are: • -d debuglevel Sets the debug level based on which debug information is printed. There are two levels of debugging—TRACE and DEBUG. If you do not specify the -d option, no logging will occur. • -l logfile Logs the results of the cmexport command to the specified logfile name. By default the command output will be displayed in the standard output. • -f filename The file option specifies the filename where the XML output is to be stored. If the filename is not specified with -f option an XML file of the format timestampL2Topology.xml is stored in the following directory: PX_DATADIR/cmexport/L2Topology

Accessing Help Enter the following in the CLI: cmexport -h: Displays a list of options for cmexport. cmexport l2topology -h: Displays a list of options for the cmexport l2topology command. On Solaris, you can also enter the following at a CLI: man cmexport

Examples Considering userid: admin, password: admin, filename: file1.xml, you can have the following: cmexport L2Topology -u admin -p admin cmexport L2Topology -u admin -p admin -f file1.xml cmexport L2Topology -u admin -l file.log

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 C-11 Appendix C Data Extraction Engine cmexport Discrepancy Command cmexport Discrepancy Command

This section contains: • Name • Synopsis • Description • Mandatory Arguments • Accessing Help • Examples

Name cmexport Discrepancy: Cisco Prime cmexport Discrepancy function.

Synopsis cmexport discrepancy {-u userid} [ -p password ] [ options ] where

Table C-6 Command Description

Argument Can be one of the Following options -f filename -d debuglevel -l logfile

cmexport discrepancy -help lists the options available and the function of each option.

Description Discrepancy (specified by Discrepancy) exports the Discrepancy data into an XML file based on a predefined schema.

Mandatory Arguments The options that you must specify with the cmexport Discrepancy function are: • -u userid: Specifies the Cisco Prime userid. • -p password Specifies the password for Cisco Prime userid. If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store your userid and password in a file and set a variable CMEXPORTFILE which points to this file. You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the full path. If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option.

Administration of Cisco Prime LAN Management Solution 4.2 C-12 OL-25947-01 Appendix C Data Extraction Engine cmexport Discrepancy Command

The password must be provided in the file in the following format: userid password where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space. You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. The password that matches the first user name is considered in case of duplicate entries.

Note If -p password is used, the password is read from the command line instead of CMEXPORTFILE. This is not secure and we recommend that you do not use this option.

Options The options you can specify with the Discrepancy function are: • -d debuglevel Sets the debug level based on which debug information is printed. There are two levels of debugging—TRACE and DEBUG. If you do not specify the -d option, no logging will occur. • -l logfile Logs the results of the cmexport command to the specified log file name. By default the command output will be displayed in the standard output. • -f filename The file option specifies the filename where the XML output is to be stored. If the filename is not specified with -f option an XML file of the format timestampDiscrepancy.xml is stored in the following directory: PX_DATADIR/cmexport/Discrepancy

Accessing Help Enter the following in the CLI: cmexport -h: Displays a list of options for cmexport. cmexport discrepancy -h: Displays a list of options for the cmexport discrepancy command. On Solaris, you can also enter the following in the CLI: man cmexport

Examples Considering userid: admin, password:admin, filename: file1.xml, you can have the following: cmexport Discrepancy -u admin -p admin cmexport Discrepancy -u admin -p admin -f file1.xml cmexport Discrepancy -u admin -d 2

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 C-13 Appendix C Data Extraction Engine cmexport Manpage cmexport Manpage

This sections contains: • Command Line Syntax • Commands • Arguments and Options • Accessing Help

Command Line Syntax

The command line syntax of the utility is in the following format: cmexport command arguments options where: • cmexport is the Cisco Prime LMS command line interface for exporting User Tracking, Layer 2 topology, and discrepancy data details into XML format. • command specifies the core operation that is to be performed. • arguments are the additional parameters required for each core command. • options are the optional parameters, which modify the behavior of the specific DEE core command. The order of the arguments and options is not important. However, you must enter the core command immediately after cmexport.

Commands

Table C-7 lists the command part of the cmexport syntax.

Table C-7 Command Description

Core Command Description ut Generates User Tracking data in XML format. l2topology Generates Layer 2 topology data in XML format discrepancy Generates discrepancy data in XML format

You must invoke the cmexport command with one of the core commands specified in the above table. If no core command is specified, cmexport can execute the -v or -h options only: • Option -v displays the version of the cmexport utility. • Option -h (or null option) lists the usage information of this utility.

Administration of Cisco Prime LAN Management Solution 4.2 C-14 OL-25947-01 Appendix C Data Extraction Engine cmexport Manpage

Arguments and Options

This sections contains: • Mandatory Arguments • Function-Specific Options

Mandatory Arguments

The options that must be specified with all functions are: -u userid: Specifies the Cisco Prime userid. Optional Arguments The options you can specify with any function are: • -p password Specifies the password for Cisco Prime userid. If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store your userid and password in a file and set a variable CMEXPORTFILE which points to this file. You must maintain this file and control access permissions to prevent unauthorized access. cmexport looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the full path. If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you do not use this option. The password must be provided in the file in the following format: userid password where userid is the Cisco Prime user name given in the command line. The delimiter between the userid and password is a single blank space. You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the password. The password file can contain multiple entries with different user names. The password that matches the first user name is considered in case of duplicate entries.

Note If -p password is used, the password is read from the command line instead of CMEXPORTFILE. This is not secure and we recommend that you do not use this option.

• -d debuglevel Sets the debug level based on which debug information is printed. There are two levels of debugging—TRACE and DEBUG. If you do not specify the -d option, no logging will occur. • -l logfile Logs the results of the cmexport command to the specified log file name. By default the command output will be displayed in the standard output.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 C-15 Appendix C Data Extraction Engine DEE Developer’s Reference

Function-Specific Options

The following function-specific option is supported -f filename If used with the: • User Tracking function—Specifies the name of the file to which the user tracking information is to be exported. • Topology function—Specifies the name of the file to which the layer 2 topology information is to be exported. • Discrepancy function—Specifies the name of the file to which the discrepancy information is to be exported.

Accessing Help

Enter the following in the CLI: • cmexport -h: Displays a list of options for cmexport. • cmexport command -h: Displays a list of options for the cmexport command. On Solaris, you can also enter the following in the CLI: man cmexport

DEE Developer’s Reference

The cmexport command exports data to XML format, as per the schema defined. When you need data only for a few columns, remove the unwanted columns in the schema file. The schema files are available in the following path in the LMS Server: NMSROOT/campus/bin (Solaris/Soft Appliance) NMSROOT\campus\bin (Windows) The following are the schemas used for exporting the user tracking data in XML format: • Schema for User Tracking Data • User Tracking Schema for Switch Data • User Tracking Schema for Phone Data • User Tracking Schema for Subnet Data • Schema for Topology Data • Schema for Discrepancy Data • Using Servlet to Export Data from LMS

Administration of Cisco Prime LAN Management Solution 4.2 C-16 OL-25947-01 Appendix C Data Extraction Engine DEE Developer’s Reference

Schema for User Tracking Data

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 C-17 Appendix C Data Extraction Engine DEE Developer’s Reference

User Tracking Schema for Switch Data

Administration of Cisco Prime LAN Management Solution 4.2 C-18 OL-25947-01 Appendix C Data Extraction Engine DEE Developer’s Reference

User Tracking Schema for Phone Data

It gives the Phone details

User Tracking Schema for Subnet Data

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 C-19 Appendix C Data Extraction Engine DEE Developer’s Reference

Schema for Topology Data

Administration of Cisco Prime LAN Management Solution 4.2 C-20 OL-25947-01 Appendix C Data Extraction Engine DEE Developer’s Reference

Schema for Discrepancy Data

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 C-21 Appendix C Data Extraction Engine DEE Developer’s Reference

Using Servlet to Export Data from LMS

The servlet allows you to access DEE features using simple scripts. You can invoke DEE functions by running the script that connects to the LMS server and retrieves the data. You can send the commands to export user tracking, topology, and discrepancy data (cmexport and utexport) as HTTP or HTTPS requests to a special LMS server URL. This URL identifies a servlet that accepts the request and authenticates the requesting user identity and credentials before authorizing the information exchange. • To export User Tracking data, use UTExportServlet. • To export Discrepancy and Layer 2 Topology data, use CMExportServlet.

Administration of Cisco Prime LAN Management Solution 4.2 C-22 OL-25947-01 Appendix C Data Extraction Engine DEE Developer’s Reference

• To invoke cmexport and utexport commands, the servlet requires a payload file that contains details such as: – User credentials – The command you want to execute. – Optional details such as log and debug options as inputs in XML format. The servlet then parses the payload file encoded in XML, performs the operations, and returns the results in XML format. You must create the payload file to include the input details and submit it when you ask for servlet access. Typically, servlet access is used when you need to use the data export feature from a client system. To use DEE export features, you can write a script to upload the payload file and perform the data export functions. See the following sample scripts: • Sample Perl Script (test.pl) to Access the Servlet • Sample Java Code to Access the Servlet For example, if you are using the script test.pl, you can invoke the servlet in either of these modes: • HTTP Mode • HTTPS Mode

HTTP Mode • For Discrepancy and Layer 2 topology data export, enter: perl test.pl http://campus-server:1741/campus/servlet/CMExportServlet payload.xml • For User Tracking data export, enter: perl test.pl http://campus-server:1741/cmapps/UTExportServlet payload.xml

HTTPS Mode • For Discrepancy and Layer 2 topology data export, enter: perl test.pl https://campus-server/campus/servlet/CMExportServlet payload.xml • For User Tracking data export, enter: perl test.pl https://campus-server/cmapps/UTExportServlet payload.xml

Sample Perl Script (test.pl) to Access the Servlet #!/opt/CSCOpx/bin/perl

use LWP::UserAgent; $| = 1; $temp = $ARGV[0] ;

$fname = $ARGV[1] ; if ( -f $fname ) { open (FILE,"$fname") || die "File open Failed $!"; while ( ) { $str .= $_ ; } close(FILE); } url_call($temp);

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 C-23 Appendix C Data Extraction Engine DEE Developer’s Reference

#-- Activate a CGI: sub url_call { my ($url) = @_; my $ua = new LWP::UserAgent; $ua->timeout(5000); my $hdr = new HTTP::Headers 'Content-Type' => 'text/html'; my $req = new HTTP::Request ('GET', $url, $hdr); $req->content($str); my $res = $ua->request($req); my $result; if ($res->is_error) { print "ERROR : ", $res->code, " : ", $res->message, "\n"; $result = ''; } else { $result = $res->content; if($result =~ /Authorization error/) { print "Authorization error\n"; } else { print $result ; }

} }

Sample Java Code to Access the Servlet import java.io.*; import java.net.URL; import java.net.HttpURLConnection; import java.lang.String; import java.lang.Byte;

class CMExportServletRun {

static void main (String args[]) { try { URL url = new URL("http://localhost:1741/campus/servlet/CMExportServlet");

String payload = "adminadminut_hostdee.log1";

HttpURLConnection con; InputStream is; //opens connection to servlet con = (HttpURLConnection)url.openConnection(); con.setRequestMethod("POST"); con.setRequestProperty("Content-type", "text/xml"); con.setDoOutput(true); con.setUseCaches(false);

OutputStream bos = new BufferedOutputStream(con.getOutputStream()); PrintWriter out = new PrintWriter(bos); out.println(payload); out.flush(); out.close();

Administration of Cisco Prime LAN Management Solution 4.2 C-24 OL-25947-01 Appendix C Data Extraction Engine DEE Developer’s Reference

//prints out response from CMExportServlet byte [] strBytes=new byte[10]; int noOfBytes = 0;

is = con.getInputStream();

BufferedReader bfr = new BufferedReader(new InputStreamReader(is)); String str = null ;

while ( ( str = bfr.readLine()) != null ) { System.out.println(str); } } catch (Exception e) { System.out.println(e.toString()); } } }

Payload File The payload file is an XML file that contains inputs required for the DEE servlet to process requests for data export. Schema for the payload XML file is given in Schema for Payload File. Table C-8 describes the elements in the schema.

Table C-8 Elements in the Schema

Element Description username Cisco Prime user name. password Password for Cisco Prime username. command Command inside this tag can be ut_host, ut_phone, l2topology or discrepancy. view Use this option when you specify ut_host. This is optional. This specifies the presentation of the User Tracking data in the hierarchical format with either switch or subnet as the root. queryname User Tracking host data is exported in XML format for the query provided in queryname. You can use this option when you specify ut_host layoutname User Tracking host data is exported in XML format for the layout provided in layoutname. You can use this option when you specify ut_host queryphone User Tracking phone data is exported in XML format for the query given in queryphone. You can use this option when you specify ut_phone

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 C-25 Appendix C Data Extraction Engine DEE Developer’s Reference

Table C-8 Elements in the Schema (continued)

Element Description layoutphone User Tracking phone data is exported in XML format for the layout given in layoutPhone. You can use this option when you specify ut_phone debug Optional. Debug messages can be collected only if log file is specified in the log option. The debug level could be 1 or 2. You can set the value to: 1—For basic debug information. 2—For detailed debug information. This is optional.

This section also describes: • Sample Payload File • Schema for Payload File

Sample Payload File username password ut_host 1

Schema for Payload File You can use the following schema for creating the payload file in XML format.

Administration of Cisco Prime LAN Management Solution 4.2 C-26 OL-25947-01

APPENDIX D

Understanding Cisco Prime Security

The Cisco Prime LMS Server provides some of the security controls necessary for a web-based network management system. It also relies heavily on the end user’s own security measures and controls to provide a secure computing environment for Cisco Prime applications. The Cisco Prime LMS Server provides and requires three levels of security to be implemented to ensure a secure environment: • General Security—Partially implemented by the client components of Cisco Prime and by the system administrator. • Server Security—Partially implemented by the server components of Cisco Prime and by the system administrator. • Application Security—Implemented by the client and server components of the Cisco Prime applications. For more information on security related features, see Setting up Security. The following sections describe the general and server security levels.

General Security

The Cisco Prime LMS Server provides an environment that allows the deployment of web-based network management applications. Web access provides an easy-to-use and easy-to-access computing model that is more difficult to secure than the standard computing model that only requires a system login to execute applications. The Cisco Prime LMS Server also provides security mechanisms (authentication and authorization) used to prevent unauthenticated access to the Cisco Prime LMS Server and unauthorized access to Cisco Prime applications and data. However, Cisco Prime applications can change the behavior and security of your network devices. Therefore, it is critical to limit access to applications and servers as follows: • Limit access to personnel who need access to applications or the data that the applications provide. • Limit Cisco Prime LMS Server logins to just the systems administrator. • Limit connectivity access to the Cisco Prime LMS Server by putting it behind a firewall.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 D-1 Appendix D Understanding Cisco Prime Security Server Security

Server Security

The Cisco Prime LMS Server uses the basic security mechanisms of the operating system to protect the code and data files that reside on the server. The following Cisco Prime LMS Server security control elements apply: • Server–Imposed Security • System Administrator-Imposed Security

Server–Imposed Security

The Cisco Prime LMS Server has many dimensions, such as: • Files, File Ownership, and Permissions • Runtimer • Remote Connectivity • Access to Systems Other Than the Cisco Prime LMS Server • Access Control

Files, File Ownership, and Permissions

The following describes the file ownership and permissions. • UNIX Systems—Cisco Prime must be installed by a user with root privilege. It should be installed as the user, casuser with a casusers group. If the system administrator needs to work on causer files, a user with a name chosen by the system administrator, must be created and added to the causers group. All files and directories are owned by casuser with group equal to casusers. Temporary files are created as the user casuser with permissions set to read-write for the user casuser and read for members of group casusers. The only exception to this rule is the log files created by the Cisco Prime web server and diskWatcher. The Cisco Prime web server and diskWatcher must be started as root. Therefore, their log files are owned by the user root with “group=casusers.” • Windows Systems—Cisco Prime must be installed by the administrator and must be installed as the user casuser. – If it is a new installation, the system displays a message prompting you to either create or to cancel the process. You can enter the password or it can be automatically generated. – If it is not a new installation, the system displays a message prompting you to either continue resetting the password or to retain the old password. The Cisco Prime LMS Server uses the password but the casuser user is not intended as a general user of the Windows system. No user is required to log on the Windows system as casuser. All files and directories are owned by the user casuser. Read and write access are restricted to the user casuser and the administrator. Temporary files are created as the user casuser with permissions set to read-write for the user casuser. The Cisco Prime LMS Server relies on the security mechanisms of the NTFS filesystem to provide access control on Windows systems. If Cisco Prime is installed on a FAT filesystem, most security assumptions made about controlled access to files and network management data are not valid.

Administration of Cisco Prime LAN Management Solution 4.2 D-2 OL-25947-01 Appendix D Understanding Cisco Prime Security Server Security

Runtimer

This describes the runtime activities. • UNIX Systems—Typically Cisco Prime back-end processes are run with permissions set to the user ID of the binary file. For example, if user “Joe” owns an executable file, it will be run by the Cisco Prime daemon manager under the user ID of “Joe”). The exception are files owned by the root user ID. To prevent a potentially harmful program from being run by the daemon manager with root permissions, the daemon manager will run only a limited set of Cisco Prime programs that need root privilege. This list is not documented to preclude any user from trying to impersonate these programs. All back-end processes are run with a umask value of 027. This means that all files created by these programs are created with permissions equal to “rwxr-x,” with an owner and group of the user ID and group of the program that created it. Typically this will be “casuser” and “group=casusers.” Cisco Prime foreground processes (typically cgi-bin programs or servlets) are executed under the control of the web server’s child processes or the servlet engine, which all run as the user casuser. Cisco Prime uses standard UNIX tftp and rcp services. Cisco Prime also requires that user casuser have access to the directories that these services read and write to. The Cisco Prime LMS Server must allow the user casuser to run cron and at jobs to enable the Resource Manager Essentials Software Management application to run image download jobs. • Windows—Cisco Prime back-end processes are run with permissions set to the user casuser. Some of the special Cisco Prime LMS Server processes are run as a service under the localsystem user ID. These processes include: – Daemon manager – Web server – Servlet engine – Rcp/rsh service – TFTP service – Corba service – Database engine Cisco Prime foreground processes (typically cgi-bin programs or servlets) are run under the control of the web server and the servlet engine that run as the user localsystem. The local system user has special permissions on the local system but does not have network permissions. Cisco Prime provides several services for RCP, TFTP communication with devices. These services are targeted for use by Cisco Prime applications, but can be used for purposes other than network management. The Cisco Prime Server uses the at command to run software update jobs for the Resource Manager Essentials Software Image Manager application. Jobs run by the at command, run with system level privileges.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 D-3 Appendix D Understanding Cisco Prime Security Server Security

Remote Connectivity

The remote connectivity details for Windows and Solaris are: • UNIX Systems—The Cisco Prime daemon manager only responds to requests to start, stop, register, or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server. • Windows Systems—The Cisco Prime daemon manager only responds to requests to start, stop, register, or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server.

Access to Systems Other Than the Cisco Prime LMS Server

The access details for UNIX and Windows are: • UNIX Systems—Systems used by the Cisco Prime LMS Server as remote sources of device information for importing into the LMS Inventory Manager application must allow the user casuser to perform remote shell operations on the user who owns the device information. • Windows Systems—Systems used by the Cisco Prime Server as remote sources of device information for importing into the LMS Inventory Manager application must allow the user casuser to perform remote shell operations on the user who owns the device information.

Access Control

The access control details are: • UNIX Systems—The UNIX user casuser is a user ID that is not typically enabled for login. Using this user ID as the user ID under which to install the Cisco Prime Server software simplifies the installation process and ensures limited access to the Cisco Prime Server. This is because casuser is not a valid login ID as there is no password assigned to it. However, the casuser user on UNIX systems can perform system and possibly network-wide operations that could be harmful to the system or the network. • Windows Systems—The user casuser, created as part of the install process, has no special permissions or considerations on a system so it is a “safe” user ID under which to run the Cisco Prime Server and application code. The localsystem user can perform harmful system operations. Therefore, consider that by using the localsystem user ID to run some of the backend processes, the localsystem user ID cannot perform network operations.

Note The system administrator should review and adopt the security recommendations in System Administrator-Imposed Security.

Administration of Cisco Prime LAN Management Solution 4.2 D-4 OL-25947-01 Appendix D Understanding Cisco Prime Security Server Security

System Administrator-Imposed Security

To maximize Cisco Prime LMS Server security, follow these security guidelines: • Do not allow users other than the systems administrator to have a login on Cisco Prime LMS Server. • Do not allow the Cisco Prime LMS Server file systems to be mounted remotely with NFS or any other file-sharing protocol. • Limit remote access (for example, FTP, RCP, RSH) to Cisco Prime LMS Server to those users who are permitted to log into Cisco Prime LMS Server. • Place your network management servers behind firewalls to prevent access to the systems from outside of your organization. • Change the database password after installation and periodically based on your company’s security policies. • Back up the security certificates in a safe location, if you are using SSL in Cisco Prime LMS Server.

Connection Security

The Cisco Prime LMS Server uses Secure Socket Layer (SSL) encryption to provide secure connection between the client browser and management server, and Secure Shell (SSH) to provide secure access between the management server and devices.

Security Certificates

Security certificates are similar to digital ID cards. They prove the identity of the server to clients. Certificates are issued by Certificate Authorities (CAs) such as VeriSign® or Thawte. A certificate vouches for the identity and key ownership of an individual, a computer system (or a specific server running on that system), or an organization. It is a general term for a signed document. Typically, certificates contain the following information: • Subject public key value. • Subject identifier information (such as the name and e-mail address). • Validity period (the length of time that the certificate is considered valid). • Issuer identifier information. • The digital signature of the issuer. This attests to the validity of the binding between the subject public key and the subject identifier information.

Note The maximum supported public key value is 1024 bits.

A certificate is valid only for the period of time specified within it. Every certificate contains Valid From and Valid To dates, which are the boundaries of the validity period. For example, a user's certificate verifies that the user owns a particular public key. The server certificate for the server named myserver.cisco.com verifies that a specific public key belongs to this server. Certificates can be issued for a variety of functions such as web user authentication, web server authentication, secure e-mail (S/MIME), IP Security, Transaction Layer Security (TLS), and code signing.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 D-5 Appendix D Understanding Cisco Prime Security Server Security

Cisco Prime LMS Server supports security certificates for authenticating secure access between client browser and management server. Cisco Prime supports Self signed certificates and provides an option to create self-signed certificates. For more information, see Creating Self Signed Certificates.

Terms and Definitions

The following explains the terms and corresponding definitions in Cisco Prime: • Secure Socket Layer (SSL) • Public Key, Private Key • Secure Shell (SSH) • PKCS#8 • Base64- Encoded X.509 Certificate Format • Certificate Authority • Cisco Prime TrustStore or KeyStore

Secure Socket Layer (SSL)

Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data through privacy, authentication, and data integrity. It relies upon certificates, public keys, and private keys.

Public Key, Private Key

Public and private keys are the ciphers used to encrypt and decrypt information. While the public key is shared quite freely, the private key is never given out. Each public-private key pair works together. Data encrypted with the public key can only be decrypted with the private key.

Secure Shell (SSH)

Secure Shell (SSH) is an application and a protocol that provide a secure replacement to the Berkeley r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. Two versions of SSH are currently available: SSH Version 1 and SSH Version 2.

PKCS#8

Public-Key Cryptography Standards (PKCS) are a set of standards for public-key cryptography, developed by RSA Laboratories in cooperation with an informal consortium, originally including Apple, Microsoft, DEC, Lotus, Sun and MIT. The PKCS have been cited by the OIW (OSI Implementers' Workshop) as a method for implementation of OSI standards. The PKCS are designed for binary and ASCII data; PKCS are also compatible with the ITU-T X.509 standard. The published standards are PKCS #1, #3, #5, #7, #8, #9, #10, #11, #12, and #15; PKCS #13 and #14 are currently being developed. PKCS #8 describes a format for private key information. This information includes a private key for some public-key algorithm, and optionally a set of attributes.

Administration of Cisco Prime LAN Management Solution 4.2 D-6 OL-25947-01 Appendix D Understanding Cisco Prime Security Server Security

Base64- Encoded X.509 Certificate Format

X.509 certificate format is an emerging certificate standard. It is part of the OSI group of standards. X.509 certificates are very clearly defined using a notation called ASN.1 (Abstract Syntax Notation 1) which specifies the precise kinds of binary data that make up the certificate. ASN.1 can be encoded in many ways, but the emerging standard is an encoding called DER (Distinguished Encoding Rules), which results in a compact binary certificate. For e-mail exchange purposes the binary certificate is often Base64 encoded, resulting in an ASCII text document that looks like the following: -----BEGIN CERTIFICATE----- MIIC4jCCAkugAwIBAgIEA0E1UDANBgkqhkiG9w0BAQBhMC VVMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTYNQ2lz Y28gU3lzdGVtczENMAsGA1UECxMERU1CVTEqMCgG0ZXN0 MiBDZXJ0aWZpY2F0ZSBNYW5hZ2VyMB4XDTAyMDas3DA4 NTgwOVowgYIxCzAJBgNVBAYTAklOMQswCQYDVQQIQ2hl bm5haTEMMAoGA1UEChMDSENMMQ0wCwYDVQQLEtzZGlu YWthci1wYzEhMB8GCSqGSIb3DQEJARYSc2RpbmFrYXfMA0G CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDV1o9PyO7txr5vme FU/f9tp5To/HaLIWHVx9zpihPnVuKaepp8kcEXO8Sed8crXeU8BP 9qHoIswGn1oJEGFXm9gs5uupJyAgeDd6O9eCuQbiSKgE1sFGFSL xNGQJZbCrQIDAQABo2UwYzARBglghkgBhvhCAQEEB/BAQD -----END CERTIFICATE-----

Cisco Prime requires the Certificates to be uploaded in this format.

Note Other certificate formats such as PKCS#7 also have similar formats. Hence it is important that you confirm with the CA the format of the certificate, and request specifically for Base64 Encoded X.509Certificates formats.

Certificate Authority

A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA then issues a certificate.

Cisco Prime TrustStore or KeyStore

Cisco Prime TrustStore or KeyStore is the location where Cisco Prime maintains the list of Certificates that it trusts. The KeyStore location is: • NMSROOT\MDC\Apache\conf\ssl (on Windows) • NMSROOT/MDC/Apache/conf/ssl (on Solaris/Soft Appliance)

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 D-7 Appendix D Understanding Cisco Prime Security Server Security

Administration of Cisco Prime LAN Management Solution 4.2 D-8 OL-25947-01

APPENDIX E

Commands to Enable MAC Notification Traps on Devices

This appendix provides information on the list of commands that needs to run on each device to enable MAC Notification traps. This appendix contains the following: • Overview of Dynamic Updates • Configuring Switches With MAC Notification Commands • Device Operating System Version-Specific Commands • List of Commands to Enable MAC Notification Traps on Devices

Overview of Dynamic Updates

Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps sent by devices to Network Topology, Layer 2 Services and User Tracking . These traps are sent as and when there are changes to the network. You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification traps when a host is connected to or disconnected from that port. If you do not have Configuration Management enabled on your LMS server, you have to manually configure the switches, for the switches to send MAC Notifications to the LMS server. To manually configure the switches:

Step 1 Choose Admin > Trust Management > Multi Server > System Identity Setup. Step 2 Renter the password for the System Indentity user.

Ensure that the System Indentity User user name and password are are valid, also under Admin > System > User Management > Local User Setup.

See the section Understanding Dynamic Updates in User Tracking and Dynamic Updates for more information.

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 E-1 Appendix E Commands to Enable MAC Notification Traps on Devices Configuring Switches With MAC Notification Commands

Configuring Switches With MAC Notification Commands

The list of commands that needs to be run on the devices are stored on the built-in XML file namely, MACCommands.XML in a hierarchical manner. The list of commands available are: • Global commands • Device Family-specific commands • Device Type-specific commands • Device Operating System version-specific commands While configuring, Network Topology, Layer 2 Services and User Tracking selects the commands for each device based on the fallback rule in the following order: 1. Device Operating System version-specific commands 2. Device Type-specific commands 3. Device Family-specific commands 4. Global commands If a device OID matches an OS version, the Device OS version-specific commands should be selected to configure the device. Otherwise, the Device Type-specific commands should be selected. If a device OID could not find a specific match on both Device OS version-specific commands and Device Type-specific commands, the Device-Family specific commands should be selected. The Global commands are selected for configuring the device when there is no match of Device OS version-specific, Device Type-specific, or Device Family-specific commands available for the device. The device is considered as an unknown device type when there is no match of any of the command sets available. In other words, for an unknown device type, command set will not be generated.

Device Operating System Version-Specific Commands

A device OID finds a match from the OS versions first, in the XML file. A range of OS versions for which the command set remains the same, are indicated in the osversion tag in the XML file. The range of OS versions are represented using brackets [ ] and parantheses ( ). Brackets [ ] indicate an inclusive list of OS versions. Parantheses ( ) indicate an exclusive list of OS versions. The following are the examples for OS version ranges: • [12.2(40),12.2(43)) denotes all OS versions between 12.2(40) and 12.2(43) including 12.2(40) and excluding 12.2(43). • [,12.2(40)] denotes all OS versions prior to 12.2(40) and including version 12.2(40). • [12.1(19)EA1,12.2(46)SE) denotes all OS versions 12.1(19)EA1 and later, and prior to 12.2(46)SE.

Administration of Cisco Prime LAN Management Solution 4.2 E-2 OL-25947-01 Appendix E Commands to Enable MAC Notification Traps on Devices List of Commands to Enable MAC Notification Traps on Devices

List of Commands to Enable MAC Notification Traps on Devices

Table E-1 explains the list of commands that needs to be run on the devices. Table E-1 List of Commands to Enable SNMP Traps in Devices

Interface Device Family Device Type SysOID Global Command Set Command Set OS Version default - - mac address-table snmp trap - notification:mac mac-notification address-table notification added:snmp trap interval 15:snmp-server mac-notification enable traps removed MAC-Notification:snmp-ser ver host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification

Administration of Cisco Prime LAN Management Solution 4.2 OL-25947-01 E-3 Appendix E Commands to Enable MAC Notification Traps on Devices List of Commands to Enable MAC Notification Traps on Devices