Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display
output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in
illustrative content is unintentional and coincidental.
Administration of Cisco Prime LAN Management Solution 4.2
Copyright 2012 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface
Notices
Overview of Administration
How the guide is organized?
Administration Tasks
Setting up Security
Managing Resources
Managing Groups
Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX System
Changing the Schedule for System Inventory Collection or Polling Settings
Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings
PSIRT or End-of-Sale or End-of-Life Data Administration
Changing the Data Source for PSIRT/EOS/EOL Reports
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location
Administering VRF Lite
Using VRF Lite Collector Settings
Scheduling VRF Lite Collector
Modifying VRF Lite SNMP Timeouts and Retries
Managing Jobs
Report Setting
Purge Settings
Debugging Options
CLI Tools
INDEX
Preface
Administration in Cisco Prime LAN Management Solution (LMS) 4.2 groups all the activities and tasks
that a user with Network or System Administrator privileges needs to perform.
This preface details the related documents that support the Admin feature, and demonstrates the styles
and conventions used in this guide. This preface contains:
Audience
Document Conventions
Product Documentation
Audience
This guide is for users who are skilled in network administration and management, and for network
operators who use this guide to make configuration changes of devices using LMS. The network
administrator or operator should be familiar with the following:
Document Conventions
Table 1 describes the conventions followed in the user guide.
Table 1
Conventions Used
Item
Convention
boldface font
italic font
screen font
boldface screen font
italic screen font
boldface font
Note
Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Product Documentation
Note
We sometimes update the printed and electronic documentation after original publication. Therefore,
you should also review the documentation on Cisco.com for any updates.
Table 2 describes the product documentation that is available.
Table 2
Product Documentation
Document Title
Available Formats
Administration of Cisco Prime LAN Management Solution 4.2 (this document)
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/admin.html
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/getting_started/lms42_getstart_guide.html
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/configuration/config.html
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/lms_monitor/lms_mnt.html
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/inventory/inventory.html
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/workcenters/wcug.html
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/reports/lms42_reports_guide.html
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/install/guide/install.html
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/Navigation/guide/lms42_nav_guide.html
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/database_schema4.2/guide/dbviews.html
Release Notes for Cisco Prime LAN Management Solution 4.2
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/release/notes/lms42rel.html
On Cisco.com at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/device_support/table/lms42sdt.html
Notices
The following notices pertain to this software license.
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the
original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses
are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact
openssl-core@openssl.org.
OpenSSL License:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product
includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)". The word "cryptographic" can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)".
CHAPTER 1
Overview of Administration
This guide is intended for Local Area Network (LAN) administrators and management professionals
who perform LAN configurations and monitor LAN performance.
The Admin menu groups all the activities and tasks that a user with Network or System Administrator
privileges can perform.
This section explains:
Administration Tasks
Table 1-1
Chapter
Description
Describes how to use administrative features to ensure that the server is performing properly.
You can manage processes, set up backup parameters, update licensing information, collect server information, manage jobs and resources, and configure system-wide information on the Cisco Prime LMS Server.
Fault Group
Chapter 9, Monitoring and Troubleshooting Settings
Describes how to configure all the administrative tasks that you need to perform to monitor and troubleshoot your network using LMS.
Chapter 10, Notification and Action Settings
Describes how to configure the administrative tasks involved in setting up notification and syslog settings.
You can also customize the names and event severity, create and activate notification subscriptions, and set up automated actions for Change Audit tasks and syslogs.
Chapter 11, Administering Change Audit and Software Management
Describes how to perform Change Audit tasks and set your preference to download images.
Chapter 12, Managing Jobs
Describes how to manage jobs in LMS, and set up job approval for certain modules in LMS.
Describes how to use the Software Center to check for software and device support updates, download them to their server file system along with the related dependent packages, and install the device updates.
Describes how to use the Discrepancies Reporting module of LMS to view the discrepancies and best practices deviations in your network.
Describes how to configure some settings for generating reports and set a report publish location.
Describes all the CLI utilities that are available for the administrator in LMS 4.2.
Appendix D, Understanding Cisco Prime Security
Describes the various levels of security implemented in Cisco Prime LMS.
Appendix E, Commands to Enable MAC Notification Traps on Devices
Provides information on the list of commands that need to run on each device to enable MAC Notification traps.
Administration Tasks
The System Administration tasks are grouped into:
Backup
Cisco.com Settings
Debug Settings
Group Management
License Management
Log Rotation
Server Monitoring
Software Center
System Preferences
User Management
Discovery Settings
Display Settings
Purge Settings
Resource Browser
Config
Data Collection
Fault
Inventory
Performance
Syslog
User Tracking
VRF Lite
Apart from the system administration and network administration tasks, you can also perform:
Trust Management
Local Server
Multi Server
Job Management
Job Browser
Job Approval
System Dashboard. For more information, see Understanding the System Dashboard
Application
Common Services
Device Discovery
Common Services Device Discovery allows you to discover devices from IPv6 networks, using the CDP and Ping Sweep on IP Range Device Discovery modules.
Device Polling
The device polling feature allows you to poll devices using an IPv6 address.
Device Selector
The device selector feature allows you to search for a device using an IPv6 address in either a compressed or an expanded format.
You can now create group rules based on IPv6 management addresses.
LMS supports IPv6 Addressing scheme in the following Device Discovery
pages:
CiscoView
Medianet
Configuring Syslogs
Network Topology,
Layer 2 Services and
User Tracking
Data Collection
The following tasks related to Data Collection are supported in the IPv6
environment:
SNMP Timeout and Retry configuration for IPv6 devices
Viewing Data Collection Metrics and reports for IPv4/IPv6 devices
Creating group rules based on IPv6 Subnet and IPv6 Subnet Masks
Device-based debugging for IPv6 devices
Topology
The following tasks related to Topology are supported in the IPv6
environment:
Setting an IPv6 Address as the preferred Management Address
VLAN Configuration
The following VLAN related configurations are supported in the IPv6
environment:
Configure VLAN
Delete VLAN
Create Private VLAN
Delete Private VLAN
Configure Port Assignment
Configure Promiscuous Ports
Create Trunk
Modify Trunk Attributes
Monitoring and
Troubleshooting
Note
The data in these portlets is not displayed based on role-based authorization, either device-level or user-level.
Process Status
Job Approval
License expiration
Understanding the System Dashboard
Single Sign On (SSO) master unreachability, which is applicable only for a slave server.
Use the log rotate functionality to rotate the logs to other drives.
Note
The Authentication modes appear in the Critical Message Window portlet (in red) if you do not
have full privileges in the Device Credential and AAA Information portlet.
Details
Description
All the processes that are down are displayed in red in the
portlet.
However, when Fault processes such as DFMCTMStartup
and Data Purge are down, they are not displayed in the
Critical Message Window portlet.
Table 1-3
Field
Description
Authentication Mode
Mode selected to authenticate the LMS server when logging into the LMS
application. For example, TACACS+, MS Active Directory.
The status is in red when you log into the Cisco Prime application in fallback
mode.
Authorization Mode
Mode used to authorize the user after authentication. From LMS 4.0, only the
Local Authentication mode is used to authenticate users, and authorize them to
access Cisco Prime LMS. ACS mode is not available.
No. of Devices
Number of devices. Click on the number to view the DCR Device Management
page details.
DCR Mode
Every 6 hours
Every 12 hours
Daily
Weekly
Monthly
Table 1-4
Field
Description
Log File
Directory
File Size
Process Status
In Process Status portlet, you can manage all the activities or jobs.
Table 1-5 lists the Process Status portlet details.
Table 1-5
Field
Description
State
No. of Process
Table 1-6
Field
Description
Backup Schedule
You can click on the portlet name in the title bar of the portlet to navigate to the Backup Job page.
Table 1-7
Field
Description
Users
Log-in details of all users and the number of sessions opened by each user.
Note
You can send broadcast messages to logged-in users by clicking the Send Message to all users
link displayed in the User Login Information and the users will receive the message within 60
seconds by default.
You can click the portlet name in the title bar of the portlet to navigate to the Who is Logged on Report
page.
For more information on setting up local users, see Setting up Local Users.
Field
Description
Job ID
Unique ID assigned to the job by the system, when the job is created. The Job IDs are
displayed in ID.No.of.Instances format in periodic jobs.
For example, the Job ID 1002.11 indicates that this is the eleventh instance of the job
whose ID is 1002.
When you click the Job ID, the job details, if available, are displayed.
Job Type
Status
Job Description
Owner
Scheduled At
Field
Description
User Name
Name of the person who performed the change. This is the name entered
when the person logged in.
It can be the name under which the LMS application is running, or the name
under which the Telnet connection is established.
Application Name
Name of the LMS component involved in the network change. For example,
Change Audit, Device Management, ICServer, NetConfig, and NetShow.
Creation Time
Date and the time at which the changes were performed on the LMS server.
Description
Job Approval
In Job Approval portlet, you can view the list of all jobs.
To configure Job Approval portlet, see Configuring the Job Approval portlet.
Table 1-10 lists the Job Approval portlet details.
Table 1-10
Field
Description
Job ID
Job Description
Job Schedule
Step 2 Select the minute and hour from the Refresh Every drop-down list to change the refresh time. The items in the portlet get refreshed at the changed Refresh frequency.
Step 3 Select the number of records to be displayed in the portlet from the Show Last Records drop-down list.
Step 4
Field
Description
Name
Status
Received
Move the mouse over the title bar of the Syslog Collector
Step 2 Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The items in the portlet get refreshed at the changed Refresh frequency.
Select the check box against the type of syslog message (Filtered, Invalid, Dropped, Forwarded) to view the respective columns in the Syslog Collector portlet.
Filtered: Number of filtered messages. Filters are defined with the option Message Filters
Get the latest updates on devices that are supported and those that will be supported in the upcoming
releases.
Raise a request through mail to support a new device that is not supported.
You can search the support of devices added to the DCR using the following search options:
IP Address
Host Name
Device Name
Model Name
SysObjectID
If the device is not supported in the current installation the following message appears:
The device is not supported, click here for more information.
If the requested device is supported in later releases, and not available with your present installation,
the following message appears:
Not supported in Installed version <<version number>>. Support available in version <<version number>>
Note
If the device is not currently supported with your existing package, you can install the latest IDU
from Cisco.com to get the device support.
If the requested device is not supported in any releases, the following message appears:
The device is not supported, click here for more information.
Step 2
Step 3
Disclaimer: Please note that all efforts will be made to provide support to this request, however we
are unable to commit to a time-line at this moment.
Click OK button to raise a request for the SysObject ID or Model Name. For example, sysobjectId or
Model name.
The SysobjectID or the Model Name appears based on the entries made in the portlet.
The default mail client is launched.
The To field and Subject field have the following address and entries:
To field: lms-dev-supreq@external.cisco.com
Subject field: Request for new Device Support. For example, <<Model name /SysObjectId>>
Enter Yes against the respective application names for which device support is required.
Step 5
IP Address
You can use the IP Address option to search the devices that are supported in the LMS application.
To search using the IP Address:
Step 1
Step 2
If the requested device is supported in the later releases and you have not installed it, the following
support details are displayed:
Supported in LMS 3.2. Click here to download
If the requested device is in the roadmap of upcoming releases, the following support details message is displayed:
Support expected by Sept 08.
If the requested device is not supported in any release, the following supported details are displayed.
Click here to send a request to support team.
Host Name
You can use the Host Name option to search the devices that are supported in the LMS applications.
To search using the Host Name:
Step 1
Step 2
Enter a Host Name in the Host Name field and click Submit.
Note
All LMS functions are displayed. The supported servers are also displayed.
The LMS applications are:
Fault Management
For more information on the server supported details, see Step 2 of IP Address.
Device Name
You can use the Device Name option to search the devices that are supported in the LMS applications.
To search using the Device Name:
Step 1
Note
Step 2
Enter a Device Name in the Device Name field and click Submit.
All LMS functions are displayed. The supported servers are also displayed.
For more information on the server supported details, see Step 2 of IP Address.
SysObjectID
You can use the SysObjectID option to search the devices that are supported in the LMS application.
To search using the SysObjectID:
Step 1
Step 2
Model Name
You can use the Model Name option to search the devices that are supported in the LMS application.
To search using the Model Name:
Step 1
Step 2
Enter a Model Name in the Model Name field and click Submit.
All LMS functions are displayed. The supported servers are also displayed.
For more information on the server supported details, see Step 2 of IP Address.
Note
You can also use a wildcard search, (*), to search for the model name.
Field
Description
Total number of VRFs discovered. Click the number to launch the Virtual Network
Manager Report.
VRF Capable Devices [H/W Supported, S/W Update Required]
Number of VRF-capable devices. These devices have VRF-supported hardware but do not have the supported IOS image for VRF. Click the number to launch the VRF Readiness report.
Field
Description
Collector Name
Succeeded
Inventory Collection
Config Archive
EnergyWise Collection
Device Discovery
Fault Discovery
UT Major Acquisition
VRF Collection
Table 1-13
Field
Description
Failed
Note
Current Status
Schedule
Click the Schedule link next to the respective collector to launch the corresponding
page. You can now schedule the collector.
To configure this portlet:
Step 1 Move the mouse over the title bar of the Collection Summary Portlet.
Step 2
Step 3
Step 4 Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The items in the portlet get refreshed at the changed Refresh frequency.
Step 5
Note
The data in the above portlets is not populated based on device-level or user-level authorization.
Role-based access control is not applicable to the portlets.
Note
From LMS 4.2.2, the Collection Summary Portlet page will display the total number of managed devices
in LMS server. The customer can view the detailed list of the devices managed by the LMS server by
clicking the Managed Device count link on the Collection Summary Portlet page.
CHAPTER 2
Setting up Security
LMS 4.2 provides security mechanisms that help to prevent unauthenticated access to LMS server, LMS
applications, and data. LMS provides features for managing security while operating in single-server and
multi-server modes.
You can specify the user authentication mode using the Authentication Mode Setup.
This chapter explains the following:
Managing Roles
Support Settings
Browser-Server Security Mode Setup: LMS 4.2 Server uses Secure Sockets Layer (SSL) encryption to provide secure access between the client browser and the management server, and also between the management server and the devices. You can enable or disable SSL depending on your need to use secure access between the client browser and management server.
Local User Policy Setup: Set up username and password policies for local users using this option.
Local User Setup: Edit user settings, add users and assign roles, modify your profile and delete a user, or view a user's settings using this option.
Self Signed Certificate Setup: Create self-signed certificates that can enable SSL connections
between the client browser and the management server.
You can set up browser-server security, add and modify users, and create self-signed certificates using the features that come under Single-Server Management in the Security Settings user interface.
The Single-Server Management page displays the mode of server security and the information on self
signed certificate.
Step 2
Managing Security in Single-Server Mode
Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup.
The Browser-Server Security Mode Setup dialog box appears.
Step 2
Step 3 Click Apply.
Step 4 Log out from your Cisco Prime session and close all browser sessions.
Step 5
b.
On Solaris/Soft Appliance:
Step 6
a.
b.
The URL should begin with https instead of http to indicate a secure connection. Cisco Prime will automatically redirect you to HTTPS mode if SSL is enabled.
If you do not make the above changes, LMS Server will automatically redirect you to https mode with
port number 443. The port numbers mentioned above are applicable for LMS Server running on
Windows.
On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a
different port during LMS Server installation.
Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup.
The Browser-Server Security Mode Setup dialog box appears.
Step 2
Step 3 Click Apply.
Step 4 Log out from your Cisco Prime session, and close all browser sessions.
Step 5
b.
On Solaris/Soft Appliance:
Step 6
a.
b.
The URL should begin with http instead of https to indicate that the connection is not secure.
The port numbers mentioned above are applicable for LMS Server running on Windows.
On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a
different port during LMS Server installation.
Include at least characters from lowercase, uppercase, digits and special characters in password.
Select Admin > System > User Management > Local User Policy Setup.
The Local User Policy Setup page appears.
Step 2
Select Allow Special Characters in username to allow special characters in the username.
You can include the following special characters in the username:
Special Character
Description
Tilde
Commercial At character
Number sign
Underscore
'
Apostrophe
Hyphen
Trailing slash
Period
space
Non-breaking space
Note
You can add the special characters, including hyphen and period, in a local username only when you have selected this check box. You cannot start a local username with special characters except _ (Underscore).
Step 3
Select Allow Username to start with numbers to allow the first character of a local username to be a numeral.
You can enter any number from 0 to 9 as the first character of the username if you have enabled this option.
Step 4
Step 5
Step 6
Import users
Export users
You can also set up local users and reset Cisco Prime password through CLI.
This section explains:
guest: After authentication and authorization, the user will have the default role. After a fresh installation, the default role is Help Desk. You can change the default roles; see Managing Roles for more information.
admin: This login provides the user access to all Cisco Prime tasks.
However, as an administrator, you can create additional unique login IDs for users in your company.
Note
The LMS Server Administrator can set the passwords for admin and guest users during installation.
Contact the LMS Server Administrator if you do not know the password for admin.
Note
When you import local users, if there are no roles associated with the users, the default role will be
associated with them.
You can also export the local users to an output file.
You can import local users from the client through CLI. See Importing Local Users Using CLI for more information.
You can import local users from ACS through CLI. See Importing Users From ACS for more information.
Before you import users from the client, you must install the peer certificate of the remote server in the
local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate for more
information.
Select Admin > System > User Management > Local User Setup.
The Local User Setup page appears.
Step 2
Import:
Click Import Users. You can import only files in the XML format.
Click Browse and select a file from the client.
Click Submit. To return to the Local User Setup page, click Cancel.
Export:
Select the users for whom you want to export information. If you want to select all the users,
you can check the check box next to the User field.
Click Export. The files exported are in XML format.
A message appears prompting you to open or save the LMSuserExport.xml file. This file is
saved in the client. Click Cancel to return to the Local User Setup page.
where,
For example, enter the following command to import the local users from the remote LMS Server
lmsdocpc:
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin
where,
Step 2
Step 3
Step 4
Step 5
Execute the command <ACS install directory>/bin/CSUtil.exe -q -d <output file> from CLI.
Use the output file generated by CSUtil.exe as the input when importing
users.
Log Files
The information on the users added or imported into the LMS Server is stored in the following files,
when you use the import local user CLI commands:
The AddUser.log file registers the information on the number of users added or imported into LMS
Server, number of duplicate users, error messages, and other information that you can use for
troubleshooting.
Select Admin > System > User Management > Local User Setup.
The Local User Setup page appears.
Step 2
The User Information dialog box appears with the following fields:
Field
Description
Username
Password
Verify Password
Enter the e-mail ID. This is mandatory if you assign the approver role to the
local user. Otherwise, this is optional.
Authorization Type
Select the radio button corresponding to the authorization type. You can
choose from:
group can perform the tasks that are assigned to the chosen roles on
the chosen device groups.
Roles
Select the check box corresponding to the role to specify the roles to be
assigned to the user from the Roles pane. The user group can perform the
tasks that are assigned to the chosen role on all devices and device groups.
The following roles are available:
Help Desk
Approver
Network Operator
Network Administrator
System Administrator
Super Admin
Enter the network device login credentials for LMS to communicate with the
network devices.
Username
Step 3
Field
Description
Password
Verify Password
Enable Password
Verify Password
Click OK. To return to the Local User Setup page, click Cancel.
Note
You can use this CLI command for both system and user-defined roles.
Each local user's information should be represented in the following format in the text file:
Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword
where,
Roles: Roles to be assigned to the local user. Assign one or more of the following roles
to the user, separated by commas.
Help Desk
Approver
System Administrator
Network Administrator
Network Operator
Super Admin
The following is an example of local user information to be represented in the input text file:
admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes
where,
Password: Common password for all user accounts specified in the input text file.
This command line parameter is optional if you have specified the passwords for local users in the
input text file. Note that you should enter the password either in the command line or in the input
text file.
If you specify this parameter, the local users are added to Cisco Prime only with this password
irrespective of the password entries specified in the input text file.
For example, enter the following command to add local users mentioned in the input file localuser.txt
with the password admin:
C:\progra~1\CSCOpx\bin\perl C:\progra~1\CSCOpx\bin\AddUserCli.pl -add C:\files\localuser.txt admin
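The input file format and the username policy described above can be checked before the file is handed to AddUserCli.pl. The following Python validator is an added example, not part of the Cisco documentation or the LMS tooling. It assumes that the special characters are the ones named in the Local User Policy table, that usernames are limited to letters and digits when the check box is off, and it adds one hygiene check (password equal to username) that is not an LMS rule. All sample records except the first are constructed.

```python
from dataclasses import dataclass

# System-defined roles listed on this page.
SYSTEM_ROLES = frozenset({
    "Help Desk", "Approver", "Network Operator",
    "Network Administrator", "System Administrator", "Super Admin",
})
# Assumption: the characters behind the names in the policy table
# (tilde, at, number sign, underscore, apostrophe, hyphen, slash,
# period, space, non-breaking space).
SPECIAL_CHARS = frozenset("~@#_'-/. \u00a0")
FIELD_COUNT = 7  # Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword


@dataclass(frozen=True)
class Policy:
    allow_special: bool = False        # "Allow Special Characters in username"
    allow_leading_digit: bool = False  # "Allow Username to start with numbers"
    custom_roles: frozenset = frozenset()  # user-defined roles known to the server


def _is_alnum(ch):
    return ch.isascii() and ch.isalnum()


def check_username(name, policy):
    """Return the policy problems found in one username."""
    if not name:
        return ["username is empty"]
    problems = []
    first = name[0]
    if first.isascii() and first.isdigit():
        if not policy.allow_leading_digit:
            problems.append("username starts with a numeral")
    elif not _is_alnum(first) and first != "_":
        problems.append("username starts with a special character other than _")
    specials = {ch for ch in name if not _is_alnum(ch)}
    unknown = sorted(specials - SPECIAL_CHARS)
    if unknown:
        problems.append(f"username has characters outside the allowed list: {unknown}")
    if specials & SPECIAL_CHARS and not policy.allow_special:
        problems.append("username needs 'Allow Special Characters in username'")
    return problems


def check_record(line, policy, common_password=None):
    """Validate one record; common_password is the optional CLI password."""
    parts = line.rstrip("\r\n").split(":")
    if len(parts) != FIELD_COUNT:
        # A ':' inside any field (for example in a password) shifts every later field.
        return [f"expected {FIELD_COUNT} colon-separated fields, found {len(parts)}"]
    user, password, email, roles_raw = parts[:4]
    problems = check_username(user, policy)
    if common_password is not None:
        effective = common_password
        if password:
            problems.append("password in file is overridden by the command-line password")
    else:
        effective = password
        if not password:
            problems.append("no password in file and none on the command line")
    if effective and effective == user:
        problems.append("password equals username (added hygiene check)")
    roles = [r.strip() for r in roles_raw.split(",") if r.strip()]
    if not roles:
        problems.append("no role listed")
    for role in roles:
        if role not in SYSTEM_ROLES and role not in policy.custom_roles:
            problems.append(f"unknown role: {role}")
    if email:
        local, at, domain = email.partition("@")
        if not (at and local and domain and "@" not in domain):
            problems.append("e-mail is malformed")
    elif "Approver" in roles:
        problems.append("e-mail is mandatory for the Approver role")
    return problems


def check_file(text, policy, common_password=None):
    """Map line number -> problems for every non-blank record that has any."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            found = check_record(line, policy, common_password)
            if found:
                report[lineno] = found
    return report


# Line 1 is the example record from this page; lines 2-5 are constructed.
SAMPLE = """\
admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes
jdoe:S3cure-Pass!::Approver:netops:devpw:enpw
-ops.team:Another1::Network Operator:netops:devpw:enpw
9lives:pa:ss::Help Desk:netops:devpw:enpw
_svc.backup:Xk29vv::Network Operator,Auditor:netops:devpw:enpw
"""

if __name__ == "__main__":
    for lineno, found in check_file(SAMPLE, Policy(allow_special=True)).items():
        print(lineno, "; ".join(found))
```

Because the input file holds LMS and device passwords in clear text, run the check where the file already lives and remove the file once the users are added.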
Log Files
The user information added or imported into the LMS Server is stored in the following files, when you
use the import local user CLI command:
The AddUser.log file registers the information on the number of users added or imported into LMS
Server, number of duplicate users, error messages and other information that you can use for
troubleshooting.
Deleting Stale Users From LMS Portal
This section describes how to delete stale users from LMS Portal.
When you delete the user names from Cisco Prime Common Services application, they are deleted only
from the Common Services database and not from LMS Portal database.
The usernames remain in LMS Portal as stale users.
Step 2
In the URL, enter a server name and launch the URL in the browser window.
The Portal Stale User Deletion page is displayed.
Step 3
If you have assigned a Network Device Group to your AAA client (LMS Server and network
devices), you must assign that device group to a role.
You cannot have role and device group combinations assigned to a user without assigning the
Network Device Group to your AAA client.
If a user requires privileges other than those associated with the current role, to operate on an NDG,
a custom role should be created. All necessary privileges to enable the user to operate on the NDG
should be given to this role.
For example, if a user needs to have Approver and Network Operator privileges to operate on
NDG1, you can create a new custom role with Network Operator and Approver privileges, and
assign the role to the user to operate on NDG1.
You cannot assign roles to the DEFAULT device group. When the DEFAULT (unassigned device
group) is selected, you can perform only the Help Desk role, irrespective of the roles chosen.
To assign the proper role, the network access server (NAS) should be added to device groups other
than DEFAULT.
Select Admin > System > User Management > Local User Setup.
The Local User Setup page appears.
Step 2
Click Modify My Profile to modify the credentials of the logged in user and the network device login
credentials.
Step 3
Enter the user login details like username, password, and e-mail address.
The E-mail field is mandatory if you assign the approver role to the local user, otherwise, this is optional.
Step 4
Enter the network device login credentials for LMS to communicate with the network devices.
Enter the values for username, password, and enable password.
Step 5
Click OK. To return to the Local User Setup page without saving the modifications, click Cancel.
Note
If you regenerate the certificate, when you are in multi-server mode, existing peer relations might break.
The peers need to re-import the certificate in this scenario.
This section explains the following:
Select Admin > Trust Management > Local Server > Certificate Setup.
The Certificate Setup page appears.
Step 2
Enter the values required for the fields described in the following table:
Field
Usage Notes
Country Name
State or Province
City
Two character city or town code or the complete name of the city or
town.
Organization Name
Server Name
Email Address
Step 3
You can use the CSR file to request a security certificate, if you want to use a third party security
certificate.
If the certificate is not a Self signed certificate, you cannot modify it.
To return to the Cisco Prime home page, click Cancel.
Peer Server Account Setup: Helps you create users who can log into LMS Servers and perform
certain tasks. These users should be set up to enable communication among multiple LMS Servers.
System Identity Setup: Enables communication among multiple LMS Servers based on a trust model
addressed by Certificates and shared secrets. System Identity setup should be used to create a trust
user on slave or regular servers for communication to happen in multi-server scenarios.
Peer Server Certificate Setup: Adds the certificate of another LMS Server into its trusted store. This
allows LMS Servers to communicate with one another using SSL.
Single Sign-On Setup: Enables you to use your browser session to transparently navigate to multiple
LMS Servers without authenticating to each server.
The Current Multi-Server Settings page displays the mode of server security and the information on self
signed certificate.
To open the Current Multi-Server Settings page:
Step 1
Step 2
Managing Security in Multi-Server Mode
This section contains the following information to help you better understand the features that enable
secure communication between peer servers in a multi-server domain:
This section contains:
Select Admin > Trust Management > Multi Server > Peer Server Account Setup.
The Peer Server Account Setup page appears.
Step 2
Click Add.
The Peer Server Account Setup page appears.
Step 3
Step 4
Step 5
Step 6
Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.
Select Admin > Trust Management > Multi Server > Peer Server Account Setup.
Step 2
Click Edit.
The Peer Server Account Setup page appears.
Step 3
Step 4
Step 5
Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.
Select Admin > Trust Management > Multi Server > Peer Server Account Setup.
The Peer Server Account Setup page appears.
Step 2
Select the check box corresponding to the user you want to delete.
Step 3
Click Delete.
The confirmation dialog box appears.
Step 4
Click OK to confirm. To return to the Peer Server Account Setup page without saving the changes, click
Cancel.
The user is a Local User with all privileges. If the user is not present, or if the user does not have all
privileges, an error message appears.
The System Identity User is also a Peer Server User. If not, the user will be made a Peer Server User.
For peer to peer communication to work in a multi-server domain, you have to configure the same
System Identity User on all the machines that are part of the domain.
For example, if S1, S2, S3, S4 are part of a domain, and you configure a new System Identity User, say
Joe, on S1, you have to configure the same user, Joe, with the same password you specified on S1, on
all the other servers, S2, S3, and S4, to enable communication between them.
See Master-Slave Configuration Prerequisites and Enabling Single Sign-On to learn more about using
these features.
Select Admin > Trust Management > Multi Server > System Identity Setup
Step 2
Step 3
Step 4
Step 5
Click Apply.
Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and
authenticity between Master and Slave.
The System Identity User password you specify in Master and Slave should be the same.
We recommend that you have the same user name and password across Master and Slave.
Select Admin > Trust Management > Multi Server > Peer Server Certificate Setup.
The Peer Server Certificate page appears with a list of certificates imported from other servers.
Step 2
Click Add.
Step 3
Step 4
Enter the value of the SSL (HTTPS) Port of the peer LMS Server. The default SSL(HTTPS) Port of the
peer LMS Server is 443.
Step 5
Click OK. To return to the Peer Server Certificate page, click Cancel.
Select the check box corresponding to the certificate you want to delete.
Step 2
Click Delete.
The confirmation dialog box appears.
Step 3
Click OK to confirm. To return to the Peer Server Certificate page, click Cancel.
You can also view the details of the client certificates. For this, select the check box corresponding to
the certificate and click View.
One of the LMS Servers should be set up as the Authentication Server (AS).
Trust should be built between the LMS Servers, using self signed certificates. A trusted certificate
is created by adding it in the trust key store of the server. Cisco Prime TrustStore or KeyStore is
maintained by the certificate management framework in LMS.
Each LMS Server should setup a shared secret with the authentication server. The System Identity
user password acts as a secret key for Single Sign-On.
The Single Sign-On Authentication Server is called the Master, and the Single Sign-On Regular Server
(RS) is called the Slave.
You must perform the following tasks if the server is configured either as Master or as Slave:
Configure the System Identity User and password in both Master and Slave. The System Identity
User name and password you specify in Master and Slave should be the same.
Single Sign-On uses System Identity user password as the secret key to provide confidentiality and
authenticity between Master and Slave. We recommend that you have the same user name and password
for both Master and Slave.
The Common Name (CN) in the certificate should match the Master server name. Otherwise,
it is not considered a valid certificate.
Single Sign-On is used only for authentication and not for authorization. In Single Sign-On,
authentication always takes place from the Single Sign-On Master server (Authentication Server-AS).
Hence, you need to provide the username and password as configured in Single Sign-On AS.
Authorization happens at the respective servers.
If Regular Server (RS) is configured for any Pluggable Authentication Module (PAM), say Active
Directory (AD), and AS is configured for Local Authentication, then authentication happens as per the
credentials in Local Authentication (AS) and vice versa.
For example, if server A is configured as Single Sign-On Master (AS) and the AAA mode setup is Active
Directory (AD) and Server B is configured as Single Sign-On Slave (RS) and the AAA mode setup is
Local Authentication:
When you log in to server B (http://B:1741), your authentication request is forwarded to server A (AS)
and you are authenticated according to the username and password configured in AD. However,
authorization happens only in server B.
The privileges for the logged in user in any server within the Single Sign-On domain will depend upon
the user roles configured in that server. If the user is present only in the Single Sign-On Authentication
Server and not in the Regular Server, then that user gets authenticated according to the credentials in the
authentication server, but has only HelpDesk privileges in the Regular Server.
We recommend that you:
Add the user across all servers within the Single Sign-On domain.
See Setting up System Identity Account for more information on how to set up System Identity User.
Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and
authenticity between Master and Slave.
The System Identity User password you specify in Master and Slave should be the same.
We recommend that you have the same user name and password across Master and Slave.
To configure the Master Self Signed Certificate in the Slave, select Admin > Trust Management >
Multi Server > Peer Server Certificate Setup.
The Common Name (CN) in the certificate should match the Master server name. Otherwise, it
is not considered a valid certificate.
You can register the links of the servers that are part of the Single Sign-On domain, in any of the
servers, using the Link registration feature.
The registered links will appear either under Third Party or Custom tools, depending on what you specify
during registration. If you click on the registered link, it launches the page corresponding to the
registered link.
You must specify the URL, with the context while registering the server link.
For example, let ABC and XYZ be part of the same Single Sign-On domain. You can register the link for
ABC on XYZ. While registering server ABC in XYZ, you have to specify the URL as:
http://ABC:1741/cwhp/cwhp.applications.do
If ABC is running in HTTPS mode, you have to specify the URL as:
https://ABC:443/cwhp/cwhp.applications.do
In the above example, clicking on the registered link will launch the Cisco Prime home page of server
ABC.
Launching a New Browser Instance
After logging into any of the servers that are part of the Single Sign-On domain, you can open a new
browser instance from that server, and provide the URL of any other server of the Single Sign-On
domain, to which you need to navigate.
Note
We recommend that you do not use the IP address of the servers that are part of Single Sign-On or
localhost, while specifying the URL.
For example, suppose ABC and XYZ are part of a Single Sign-On domain.
Step 1
Log in to ABC.
Step 2
Launch a new browser instance (File > New > Window, in Internet Explorer) from the same browser
window.
Step 3
Enter the URL, with the context (http://XYZ:1741/cwhp/cwhp.applications.do) of XYZ in the new
browser instance.
This launches the Cisco Prime home page of XYZ, directly.
Master mode: The Single Sign-On Authentication Server does the authentication and sends the
result to the Regular Server.
Change the Single Sign-On mode to Master, if login is required for all Single Sign-On regular
servers. Login requests for all the Single Sign-On regular servers will be served from the Master.
Slave mode: Single Sign-On Regular server for which authentication is done at the Master.
While logging into regular server, if the authentication server is not reachable, the following
message appears:
SSO unreachable
Only one server is configured to be in the Master mode. All other servers are configured as Slaves. If
the server is configured as a Single Sign-On Regular server (Slave), you should provide the following
details:
Select Admin > Trust Management > Multi Server > Single Sign-On Setup.
The Single Sign-On Setup page shows the current Single Sign-On mode.
Step 2
Step 3
Click Apply. To return to the Cisco Prime home page, click Cancel.
Select Admin > Trust Management > Multi Server > Single Sign-On Setup.
The Single Sign-On Setup page shows the current Single Sign-On mode.
Step 2
Step 3
Click Apply. To return to the Cisco Prime home page, click Cancel.
Select Admin > Trust Management > Multi Server > Single Sign-On Setup.
The Single Sign-On Setup page shows the current Single Sign-On mode.
Step 2
Step 3
Step 4
Click Apply.
It checks if:
The System Identity user password of the Slave matches that of the Master.
The Self Signed Certificate of the Master is added as the peer certificate in the Slave. The Common
Name (CN) in the certificate matches with the Master server name.
In case any of these checks fail, you are prompted to perform these steps before proceeding.
To return to the Cisco Prime home page, click Cancel.
After you select and configure a login module, all authentication transactions are performed by that
module.
To assign a user to a different role, such as the System Admin role, you must configure the user locally.
Such users must have the same user ID locally, as they have in the alternative authentication source.
Users log in with the user ID and password associated with the current login module.
Debugging
Setting up the Authentication Mode
By default, Cisco Prime LMS uses LMS Server authentication (Local Authentication) to authenticate
users, and authorize them to access Cisco Prime LMS.
After authentication, your authorization is based on the privileges that have been assigned to you.
A privilege is a task or an operation defined within the application. The set of privileges assigned to you
defines your role. It dictates how much, and what type of, system access you have.
The LMS Server authorization scheme has the following default or predefined roles. You can also create
user-defined roles and assign the user a set of privileges that suits your needs. See Managing
Roles for more information. The predefined roles are listed here in order from the least privileged to
most privileged:
Help Desk: Can access network status information only. Can access persisted data on the system
and cannot perform any action on a device, or schedule a job that will reach the network.
Network Operator: Can perform all Help Desk tasks. Can perform tasks related to network data
collection. Cannot perform any task that requires write access on the network.
Network Administrator: Can perform all Network Operator tasks. Can perform tasks that result
in a network configuration change.
System Administrator: Can perform all Cisco Prime system administration tasks.
Super Admin: Can perform all Cisco Prime operations including administration and approval
tasks. By default, this role has full privileges.
The LMS Server determines user roles. Therefore, all users must be in the local database of user IDs and
passwords. Users who are authenticated by an alternative service and who are not in the local database
are assigned to the same role as the guest user (by default, the Help Desk role).
Understanding Fallback Options
Fallback options allow you to access the software if the login module fails, or if you accidentally lock
yourself or others out. There are three login module fallback options. These are available on all platforms.
The following table gives you the details:
Option: Allow all Local Authentication users to fallback to the Local Authentication login.
Description: All users can access Cisco Prime using the Local login if the current login module fails
and only if PAM is unreachable.
Warning
Debugging
Cisco Prime allows you to enable debugging on the current login module so that you have additional
information in the log files that you can use for troubleshooting. Turn debugging on only when requested
to do so by your customer service representative.
Enabling debugging does not alter the behavior of the modules.
Debugging information is not exposed in the user interface, but is stored in the stdout.log file in the
following locations:
Note
Step 2
The Authentication Mode Setup page displays the current login module, and the available login modules.
The available login modules are:
Local Authentication
Local NT System
MS Active Directory
RADIUS
TACACS+
The login username is case sensitive when you use the following login modules:
Step 3
Step 4
Click Change.
The Login Module Options popup window appears.
Step 5
Step 6
Click OK. To return to the Authentication Mode Setup page, click Cancel.
Step 2
Step 3
Click Change.
The Login Module Options popup window appears.
Step 4
Step 5
Click OK. To return to the Authentication Mode Setup page, click Cancel.
Step 2
Step 3
Click Change.
The Login Module Options popup window appears with the following details:
Field
Description
Description
Debug
Step 4
Set the option for fallback to the Local Authentication module if the
alternative service fails.
Click OK. To return to the Authentication Mode Setup page, click Cancel.
Step 2
Step 3
Click Change.
The Login Module Options popup window appears with the following details:
Field
Description
Local NT System.
Description
Debug
Step 4
Domain
Set to localhost.
Set the option for fallback to the Local Authentication module if the
alternative service fails.
Click OK. To return to the Authentication Mode Setup page, click Cancel.
The MS Active Directory login module implements Lightweight Directory Access Protocol (LDAP).
Before a user logs in, the user account should be set up in the LDAP server.
When you change the login module to MS Active Directory, you should configure any one of the
following options to integrate LMS Server with Active Directory server for authentication services:
You have to configure RDN-Prefix and Usersroot in Cisco Prime. The login name is appended to
RDN-Prefix when the user logs into Cisco Prime.
For example, a distinguished name could be represented as:
cn=User_Name ou=org1 dc=embu dc=cisco. The RDN Prefix is cn=, User login is User_Name, and
Usersroot is ou=org1 dc=embu, dc=cisco.
A Distinguished Name is composed of cn (any numbers), ou (any numbers) and dc (any numbers).
You can specify more than one usersroot value. Each usersroot value should be separated by a
semicolon.
Domain name
You should configure the Active Directory domain name in Cisco Prime that contains a set of users
which needs to be integrated, for a domain based authentication.
For example, if you want the users of MyDomain domain in MS Active Directory server to be
authenticated in LMS Server, you should specify MyDomain in this field.
Each domain also has a pre-Windows 2000 domain name for use by computers running operating
systems released earlier than Windows 2000 operating systems. Similarly each user account has a
pre-Windows 2000 user login name.
The user account in the DomainName\UserName format used to log into the operating systems
released earlier than Windows 2000 operating systems is called Security Account Manager (SAM)
account. You can also configure SAM account in the LDAP server and enter the same name in Cisco
Prime when you change the login module to Microsoft Active Directory.
When the Distinguished Name based authentication to the Active Directory server fails, Cisco Prime
attempts to authenticate with the Active Directory server using the User Principal Name string.
When both the Distinguished Name based authentication and the User Principal Name based
authentication fail, LMS Server tries to authenticate using the Domain name.
To change login module to MS Active Directory:
Step 1
Step 2
Step 3
Click Change.
The Login Module Options popup window appears with the following details:
Field
Description
Name of the login module (MS Active Directory) you have selected in the
Authentication Mode setup page.
Description
Server
Usersroot
RDN-Prefix
UPN-Suffix
String suffixed with login username, usually the domain in which the user
account is located to form a User Principal name.
You should configure this field for a UPN based authentication.
For example, if the UPN of Active Directory users who need to be
integrated with Cisco Prime are user1@mydept.mycompany.com,
user2@mydept.mycompany.com, and user3@mydept.mycompany.com, you
should mention @mydept.mycompany.com in this field.
AD-Domain
Debug
Set the option for fallback to the Local Authentication module if the
alternative service fails.
You can set any of the following options:
Note
Step 4
You must enter a value for at least one of the fields: Usersroot, UPN-Suffix, and AD-Domain. You
cannot leave all the three fields blank.
To allow only particular group of users to log into LMS, do not configure UPN-Suffix, and
AD-Domain.
Click OK. To return to the Authentication Mode Setup page, click Cancel.
After the integration of LMS Server with MS Active Directory server, you can log into LMS Server with
an Active Directory username and the corresponding password.
MS Active Directory server provides authentication services to LMS Server by the default simple
authentication mechanism.
To provide a secure authentication mechanism with DIGEST-MD5 to LMS Server, you should:
Step 1
Edit the Account Options of a user in the MS Active Directory Server and enable the Store password
using reversible encryption option.
Step 2
Step 3
Configure the cam.properties file in LMS Server located at NMSRoot/lib/classpath, where NMSRoot is
your Cisco Prime Installation directory.
You must change the following line in the cam.properties file from:
#LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
to
LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
If you want the secure authentication mechanism to fall back to the simple authentication mechanism, you
must configure the LDAP_FALLBACK_AUTHENTICATION_NEED property.
You must change the following line in the cam.properties file from:
#LDAP_FALLBACK_AUTHENTICATION_NEED=True
to
LDAP_FALLBACK_AUTHENTICATION_NEED=True
Step 4
Note
Digest-MD5 authentication supports only User Principal Name and Security Account Manager user
accounts. You cannot log into LMS Server with the User login name.
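The two cam.properties edits above decide whether LMS binds to Active Directory with DIGEST-MD5, with the default simple mechanism, or with DIGEST-MD5 that can drop back to simple. The following Python audit is an added example, not part of the Cisco documentation or LMS. It assumes the file uses key=value lines with # comments and that the last definition of a key wins; the three sample file contents are constructed from the lines shown on this page.

```python
MECH_KEY = "LDAP_AUTHENTICATION_MECHANISM"
FALLBACK_KEY = "LDAP_FALLBACK_AUTHENTICATION_NEED"


def read_properties(text):
    """Split the file into active settings, commented-out keys and duplicated keys."""
    active, commented, duplicates = {}, set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        is_comment = line.startswith("#")
        body = line.lstrip("#").strip()
        if "=" not in body:
            continue
        key, _, value = body.partition("=")
        key, value = key.strip(), value.strip()
        if is_comment:
            commented.add(key)
        else:
            if key in active:
                duplicates.add(key)
            active[key] = value  # assumption: the last definition wins
    return active, commented, duplicates


def audit_ldap_auth(text):
    """Report the effective LDAP bind mechanism and anything worth reviewing."""
    active, commented, duplicates = read_properties(text)
    # The page states that simple authentication is the default mechanism.
    mechanism = active.get(MECH_KEY, "simple")
    fallback = active.get(FALLBACK_KEY, "").lower() == "true"
    findings = []
    if MECH_KEY not in active:
        state = "commented out" if MECH_KEY in commented else "absent"
        findings.append(f"{MECH_KEY} is {state}: simple authentication is in use")
        if fallback:
            findings.append(f"{FALLBACK_KEY} is set but {MECH_KEY} is not active")
    else:
        if mechanism != "DIGEST-MD5":
            findings.append(f"{MECH_KEY}={mechanism} is not the value documented on this page")
        if fallback:
            findings.append(f"{FALLBACK_KEY}=True: logins fall back to simple authentication")
    for key in sorted(duplicates & {MECH_KEY, FALLBACK_KEY}):
        findings.append(f"{key} is defined more than once")
    return {"mechanism": mechanism, "fallback_to_simple": fallback, "findings": findings}


# Constructed samples: both lines commented, mechanism enabled, both enabled.
BEFORE_EDIT = "#LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5\n#LDAP_FALLBACK_AUTHENTICATION_NEED=True\n"
AFTER_EDIT = "LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5\n#LDAP_FALLBACK_AUTHENTICATION_NEED=True\n"
AFTER_EDIT_WITH_FALLBACK = "LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5\nLDAP_FALLBACK_AUTHENTICATION_NEED=True\n"

if __name__ == "__main__":
    for name in ("BEFORE_EDIT", "AFTER_EDIT", "AFTER_EDIT_WITH_FALLBACK"):
        print(name, audit_ldap_auth(globals()[name]))
```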
Active Directory users who are logged into Cisco Prime, have the privileges of a Help Desk role. To
assign other privileges to Active Directory users, you must set up a user in Cisco Prime with the same
name.
For example, to assign the System Administrator privileges to the MS Active Directory users User1 and
User2 in Cisco Prime, you must set up User1 and User2 in Cisco Prime and assign the System Administrator
role to them. When the users log into Cisco Prime, they also have the System Administrator privileges.
Changing Login Module to RADIUS
Step 2
Step 3
Click Change.
The Login Module Options popup window appears with the following details:
Field
Description
RADIUS.
Description
Server
Port
Key
Debug
Step 4
Click OK. To return to the Authentication Mode Setup page, click Cancel.
Step 2
Step 3
Click Change.
The Login Module Options popup window appears with the following details:
Field
Description
TACACS+.
Description
Server
Port
Set to 49. The listed port number is the default for this
protocol.
Attempt to override it only if your authentication server was
configured with a non-default port.
Secondary Server
Secondary Port
Set to 49. The listed port number is the default for this
protocol.
Attempt to override it only if your authentication server was
configured with a non-default port.
Tertiary Server
Tertiary Port
Set to 49. The listed port number is the default for this
protocol.
Attempt to override it only if your authentication server was
configured with a non-default port.
Key
Debug
The values True or False should not be entered in the Server, Secondary Server and Tertiary
Server fields, the corresponding Port fields or the Key field.
Note
Step 4
Click OK. To return to the Authentication Mode Setup page, click Cancel.
After you change the login module, you do not have to restart Cisco Prime. The user who logs in after
the change, automatically uses the new module. Changes to the login module are logged in the following
files:
(On Windows)
or
Step 2
/etc/init.d/dmgtd stop
Step 3
(On Windows)
or
/etc/init.d/dmgtd start
Step 5
Step 6
Managing Roles
After authentication, your authorization is based on the privileges that have been assigned to you. A
privilege is a task or an operation defined within the application. The set of privileges assigned to you
defines your role.
The LMS authorization scheme provides you with the following system-defined roles.
Help Desk: Can access network status information only. Can access persisted data on the system
and cannot perform any action on a device or schedule a job which will reach the network.
Network Operator: Can perform all Help Desk tasks. Can perform tasks related to network data
collection. Cannot perform any task that requires write access on the network.
Network Administrator: Can perform all Network Operator tasks. Can perform tasks that result
in a network configuration change.
System Administrator: Can perform all Cisco Prime system administration tasks.
Super Admin: Can perform all Cisco Prime operations including the administration and approval
tasks. This role has full privileges.
You can select a role and set it as the default role. After installing LMS 4.2, Help Desk will be the default
role.
If you do not want to use the system-defined roles, you can create custom roles and associate tasks with
them. You can also remove all the custom roles and retain only the predefined roles using a CLI tool;
see Removing Custom Roles Using CLI.
To manage roles:
Step 1
Select Admin > System > User Management > Role Management Setup. The Role Management
Setup Page appears with the available roles, their descriptions, and the default role.
Note
Step 2
Button
Description
Add
Click Add to add user-defined roles. The Role Management Page appears.
To add a role:
1.
2.
3. Click OK to add the new role or click Cancel to return to the Role Management Setup Page.
For more information on the various tasks in LMS 4.2, see Understanding LMS Tasks.
Edit
Select a user-defined role and click Edit to edit the role. The Role Management Page appears. To edit
a role:
1.
2.
3. Click OK to save the changes, or click Cancel to return to the Role Management Setup Page.
Delete
To delete a role:
1. Select one or more user-defined roles and click Delete to delete the roles.
2.
If the deleted role is assigned to any user, then it will remove the association of this role with the user.
Copy
1. Select a role from the roles and click Copy. The Role Management Page appears.
2.
3.
4. Click OK to add the new role, or click Cancel to return to the Role Management Setup Page.
Export
You can export roles only in the XML format. The file will be saved in the client.
To export roles:
Select the user-defined roles that you want to export and click Export. A message appears prompting
you to open or save the LMSRoleExport.xml file.
Import
1. Click Import.
2.
3. Specify if you want to overwrite, merge or backup the existing roles when you import
roles:
Merge - Roles with the same names will be updated with details of the existing role and details
of the imported role.
Backup - Roles with the same names will be overwritten. The existing role will be renamed as
CopyOf<Role name>.
4. Click Submit to import the roles or Cancel to return to the Role Management Setup Page.
Set as Default
1. Select a role from the roles listed in the Role Management Setup Page.
2. Click Set as Default. The selected roles will be the default roles.
When multiple roles are set as default role, the user will be assigned with all the roles selected as
default roles.
If there is no default role configured, then authorization will fail for users who:
Have logged in using an external authentication server, like PAM, and are not available in the
local database.
Clear Default
Click Clear Default to clear the default role. After you clear the default role, authorization will fail
for any user assigned without this role.
Note
After adding roles, you must assign one or more roles to your users. To do this, select Admin > System >
User Management > Local User Setup.
Specify the exact task name or the first few characters of the task name in the search text box and click
the search icon. The task name is case-insensitive.
For example, enter admin or *admin or admin* or *change* in the search text box.
admin will search for the task and task description that contains the exact term admin.
*admin will search for the task and task description that ends with the term admin either in task
name or description.
admin* will search for the task and task description that begins with the term admin either in task
name or description.
*change* will search for the task and task description that contains the term change.
Note
You are not allowed to use any wildcard character other than *.
Step 2
Click the Search Results tab to see the corresponding search result.
In the All tab, the task tree will be in a collapsed state, whereas in the Search Results tab, the task tree
will be in the expanded state.
You will note that when you select or unselect a particular set of tasks in the Search Results tab, the
same set of tasks will be automatically selected or unselected in the All tab.
You can use a CLI tool to remove all the user-defined roles and retain only the system-defined roles.
To do this:
On Windows, run:
NMSRoot\bin\ResetToFactoryRole.pl
On Solaris/Soft Appliance, run:
NMSRoot/bin/ResetToFactoryRole.pl
To view the Cisco.com Connection Details, select Admin > System > Cisco.com Settings >
Connection Management. The Cisco.com Connection Management page displays the current Proxy
Server settings.
Step 1
Step 2
Step 3
Step 4
Step 5
Click Apply.
Step 2
Step 3
Enter the Proxy Server host name or IP address, and the port number.
Optionally, you can enter the Username and Password for accessing the proxy server.
If you have entered your password, re-enter the same password in the Verify Password field.
Step 4
Click Apply.
Support Settings
From LMS 4.2.2, Cisco Prime LAN Management Solution supports the Support Settings feature, which
allows users to set the following two types of interactions:
For more information on creating a new service request and updating an existing service request, see
Creating/Updating Support Case section in Getting Started with Cisco Prime LAN Management
Solution 4.2.
The Daemon Manager is useful to applications that have long-running processes that must be monitored
and restarted, if necessary. It is also used to start processes in a dependency sequence, and to start
transient jobs.
Do not start the Daemon Manager immediately after you stop it. The ports used by the Daemon Manager
will be in use for some time after the Daemon Manager is stopped. Wait for at least a minute before you
start the Daemon Manager.
If the System resources are less than the resources required to install the application, the Daemon
Manager restart displays warning messages that are logged into dmgtd.log.
You cannot start the Daemon Manager if there are non-SSL compliant applications installed on the server
when SSL is enabled in LMS.
Restarting Daemon Manager on Solaris/Soft Appliance
Log in as root.
Step 2
Step 3
Step 2
Step 3
Do not start the Daemon Manager immediately after you stop it. The ports used by Daemon Manager
will be in use for some more time even after the Daemon Manager is stopped. Wait for at least one minute
before you start the Daemon Manager.
If the System resources are less than the required resources to install the application, Daemon Manager
restart displays warning messages that are logged into syslog.log.
Managing Processes
Cisco Prime applications use back-end processes to manage application-specific activities or jobs. The
process management tools enable you to manage these backend processes to optimize or troubleshoot
the LMS Server.
You can do the following activities:
All mandatory processes are started when you start the system.
See LMS Back-end Processes for a list of Cisco Prime back-end processes used by LMS.
You can manage the Cisco Prime processes through CLI. See Managing Processes Through CLI for
more information.
Note
Your role and privileges determine whether you can use this option.
This section contains the following:
Process States
Starting a Process
Stopping a Process
Process States
The state of a Cisco Prime back-end process falls under one of the following categories:
State
Description
Running normally
This indicates that the processes are started automatically at boot and are
running normally.
Never started
Failed to run
Administratively
shutdown
Transient Terminated
Waiting to Initialize
Processes that are yet to run normally and are in initialization phase.
Description
ProcessName
Name of the process. Describes how the process is registered. See LMS
Back-end Processes for more information on process description. For
information on suite-specific processes, see the relevant Online help.
You cannot view the details of Apache and Tomcat processes or restart them from
the user interface. But you can view the details of these processes in Process
Status report (Reports > System > Status > Process).
Step 2
ProcessState
Process status and a summary of the log file entries for the process. If the process
fails, this column is highlighted in red.
ProcessId
Unique number by which the operating system identifies each running program.
ProcessRC
ProcessSigNo
Signal number. 0 represents normal program operation. Any other number is the
last signal delivered to the program before it terminated.
ProcessStartTime
ProcessStopTime
Description
Process
Path
File Location.
Flags
Startup
Dependencies
Other processes that are running, and that are required for this process to
run.
Step 3
Click OK.
You can click the Refresh icon on the top-right corner of the page to initiate a page refresh and view the
updated information of the processes.
Viewing Processes of a Specific State
Step 2
Never started
Waiting to initialize
Running normally
Failed to run
Transient terminated
Starting a Process
To start a process:
Step 1
Step 2
Step 3
Click Start.
Stopping a Process
To stop a process:
Step 1
Step 2
Step 3
Click Stop.
On Solaris/Soft Appliance: /var/adm/CSCOpx/log
You can also manage the Cisco Prime processes through CLI. You can perform the following activities
through CLI:
Starting a Process
Stopping a Process
Table 3-1
Cisco Prime LMS 4.2 Server Back-end Processes and their Descriptions
Process Name
Description
Apache
Normal Process
State
Dependent Process
Log Files
NMSRoot\MDC\Apache\logs (On Windows)
/opt/CSCOpx/MDC/Apache/logs (On Solaris/Soft Appliance)
CmfDbMonitor
CmfDbEngine
NMSRoot/MDC/log/daemons.log
(On Solaris/Soft Appliance only)
NMSRoot\log\CmfDbMonitor.log (On Windows)
/var/adm/CSCOpx/log/CmfDbMonitor.log (On Solaris/Soft Appliance)
CMFOGSServer
NMSRoot\log\CMFOGSServer.log (On Windows)
/var/adm/CSCOpx/log/CMFOGSServer.log (On Solaris/Soft Appliance)
CSDiscovery
Transient Terminated
NMSRoot\log\CSDiscovery.log (On Windows)
/var/adm/CSCOpx/log/CSDiscovery.log (On Solaris/Soft Appliance)
NMSRoot\log\CSRegistryServer.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
DCRDevicePoll
Running normally
Transient Terminated
TomcatMonitor, CmfDbMonitor, EssMonitor
NMSRoot\log\DCRServer.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
NMSRoot\log\DCRDevicePoll.log (On Windows)
/var/adm/CSCOpx/log/DCRDevicePoll.log (On Solaris/Soft Appliance)
diskWatcher
Running normally
EDS
NMSRoot\log\diskWatcher.log (On Windows)
/var/adm/CSCOpx/log/diskWatcher.log (On Solaris/Soft Appliance)
NameServiceMonitor
NMSRoot\log\EDS.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
EDS-GCF
ESS
EssMonitor
Normal Process
State
Dependent Process
Running
normally
EDS, CmfDbMonitor
Log Files
NMSRoot\log\EDS-GCF.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
NMSRoot\log\ESS.log (On Windows)
NMSRoot\log\EssMonitor.log (On Windows)
ESS
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
EventFramework
No log files
FDRewinder
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
(Solaris/Soft Appliance Only)
jrm
LicenseServer
NMSRoot\log\jrm.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
NMSRoot\log\LicenseServer.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
NameServiceMonitor
Name Service agent that monitors objects and messages and acts as a gateway between the JacORB
clients and the Name Server.
Running Normally
Dependent Process
NameServer
Log Files
NMSRoot\log\NameServiceMonitor.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
NameServer
Program started - No mgt msgs received
NMSRoot\log\NameServer.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
Tomcat
Program started - No mgt msgs received
/opt/CSCOpx/MDC/tomcat/logs/stdout.log (On Solaris/Soft Appliance)
NMSRoot\MDC\tomcat\logs\stdout.log (On Windows)
Running normally
Tomcat
NMSRoot\log\TomcatMonitor.log (On Windows)
/var/adm/CSCOpx/log/daemons.log (On Solaris/Soft Appliance)
Process Name
Dependency
(Sequential)
Log Information
Description
RMEDbEngine
None
NA
ConfigMgmtServer
EssentialsDM
dcmaservice.log
ConfigUtilityService EssentialsDM
cfgutilservice.log
SyslogCollector
ESS
SyslogCollector.log
Table 3-2
Inventory, Config and Image Management Processes and Dependency Processes (continued)
Process Name
Dependency
(Sequential)
EssentialsDM
ESS
DCRServer
LMSDbEngine
Log Information
Description
EnergyWise
EssentialsDM ICServer
EnergyWise.log
EnergyWiseUI.log
EnergyWiseConfiguration.log
EnergyWise monitoring
EnergyWiseMonitoring.log
EnergyWiseCollection.log
EnergyWiseNative.log
EnergyWiseComplianceCheck.log
EnergyWiseNativeCompliance.log
EnergyWise_Purge.log
EnergyWiseNativePolicy.log
CTMJrmServer
EssentialsDM
CTMJrmServer.log
ChangeAudit.log
jrm
Tomcat
ChangeAudit
EssentialsDM
CTMJrmServer
jrm
ICServer
ESS
IC_Server.log
CTMJrmServer
ESS
EssentialsDM
CTMJrmServer
SyslogAnalyzer.log for
Windows
AnalyzerDebug.log for
Solaris/Soft Appliance
jrm
PMCOGSServer
LMSOGSServer
PMCOGSServer.log
ANIDbEngine
None
None
ANIServer
EDS
ani.log
macuhic.log
utlite.log
UTMajorAcquisition ANIServer
ut.log
UTManager
utm.log
ANIDbEngine
MACUHIC
EssMonitor
ANIDbEngine
UTLITE
EssMonitor
ANIDbEngine
EssMonitor
ANIDbEngine
DCRServer
VNMServer
ANIDbEngine
Vnmserver.log
WlseUHIC
ANIDbEngine
wlseuhic.log
Compliance and Audit Manager (CAAM) Server
Essentials DM
caam_server.log
cammserverui.log
caamservercollection.log
If you stop or restart any of these processes you must stop and restart their dependency processes. See
Table 3-2 for the list of dependent processes.
You can stop and restart the process using Admin > System > Server Monitoring > Processes.
Network Topology, Layer 2 Services and User Tracking Processes and Dependency Processes
Process Name
Dependency
(Sequential)
Log Information
Description
ANIDbEngine
None
None
ANIServer
EDS
ani.log
macuhic.log
utlite.log
ANIDbEngine
MACUHIC
EssMonitor
ANIDbEngine
UTLITE
EssMonitor
ANIDbEngine
UTMajorAcquisition
ANIServer
ut.log
UTManager
EssMonitor
utm.log
ANIDbEngine
DCRServer
VNMServer
ANIDbEngine
Vnmserver.log
WlseUHIC
ANIDbEngine
wlseuhic.log
LMS 4.2 IPSLA Performance Management Process and the Dependency Processes
Dependency (Sequential)
Process Name
Description
IPMProcess
DCRServer,
IpmDbEngine
Log Files
Program
Started
ipmserver.log,dmgtd.log
Program
Started
IPMOGSServer.log,
Program
Started
dmgtd.log
jrm
CmfDbMonitor,
IpmDbEngine
NA
Default State
EssMonitor,
IPMOGSClient.log
DCRServer,
IpmDbEngine
Dependent
Process
Process Name
Description
UPMDbEngine
None
This is the Device Performance Management database engine process. If this process is down, you will
not be able to access Device Performance Management module of LMS, and polling, threshold monitoring,
and trendwatch monitoring will fail.
Default
State
Log Files
Started
None
Table 3-5
Process Name
Description
Dependent
Process
Default
State
Log Files
UPMDbEngine
Started
UPMDbMonitor.log
Responsible for the Polling engine, Threshold monitoring and Poller Management features of
LMS. If this process is down, poller management, threshold management, trendwatch management will
fail.
DCRServer, UPMDbMonitor
Started
upm_process.log
Name
Description
Dependency
AdapterServer/AdapterServer 1
None
Program Started
adapterServer.log, adapterServer1.log, daemons.log
DataPurge
Administrator has shut down this server
DPS.log, daemons.log
Table 3-6
DfmBroker
brstart.log
None
Program Started
DfmLogService.log, daemons.log
None
Program Started
MultiProcLogger.log, daemons.log
DFMOGSServer
CmfDbEngine, ESS, DCRServer, TISServer
Program Started
DFMOGSServer.log
DfmServer/DfmServer 1
DfmBroker
Running Normally
DFM.log, DFM1.log
None
Administrator has shut down this server
DFMCTMStartup.log, daemons.log
EPMDbEngine
None
Program Started
EPM.log
EPMServer
EPMDbEngine
Running Normally
EPM.log
FHDbEngine
None
Program Started
daemons.log
FHPurgeTask
None
Transient terminated
FHCollector.log, FHUI.log
FHServer
EPMServer, EPMDbEngine, FHDBEngine
Running Normally
FHServer.log
Interactor
InventoryCollector
Program Started
Interactor.log
Interactor 1
Inventory Collector 1
Program Started
Interactor1.log
InventoryCollector/InventoryCollector 1
ESS, TISServer, DFMOGSServer
Running Normally/Program Started
InventoryCollector.log, InventoryCollector1.log
INVDbEngine
None
Program Started
daemons.log
NOSServer
EPMDbEngine, EPMServer, INVDbEngine, DFMOGSServer
Running Normally
nos.log
PTMServer
DFMOGSServer
Running Normally
PTMServer.log
PMServer
INVDbEngine
Running Normally
PMServer.log (For Windows)
EssMonitor
daemons.log (For Solaris/Soft Appliance)
Inventory server.
EssMonitor, INVDbEngine
Program Started
TISServer.log
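The Dependency columns above, combined with the rule that stopping or restarting a process also means restarting its dependency processes, amount to a graph problem. The following is an added example, not Cisco's code: it computes which processes are affected by restarting one process and the order in which to stop and start them. The function names are hypothetical, the sample rows are a constructed subset of the table, and it assumes that "dependency processes" means the processes that depend on the one being restarted.

```python
import heapq

# Constructed sample: Name -> Dependency pairs copied from legible rows of the
# table above (the page spells one dependency "FHDBEngine"; it is normalised
# here to the process name FHDbEngine). Confirm against your own server.
DEPENDS_ON = {
    "EPMDbEngine": [],
    "FHDbEngine": [],
    "INVDbEngine": [],
    "EPMServer": ["EPMDbEngine"],
    "FHServer": ["EPMServer", "EPMDbEngine", "FHDbEngine"],
    "DFMOGSServer": ["CmfDbEngine", "ESS", "DCRServer", "TISServer"],
    "NOSServer": ["EPMDbEngine", "EPMServer", "INVDbEngine", "DFMOGSServer"],
    "PTMServer": ["DFMOGSServer"],
    "PMServer": ["INVDbEngine"],
}


def build_graph(depends_on):
    """Copy the table and add processes that appear only as a dependency."""
    graph = {name: set(deps) for name, deps in depends_on.items()}
    for deps in list(graph.values()):
        for dep in deps:
            graph.setdefault(dep, set())
    return graph


def dependents_of(target, depends_on):
    """Every process that needs `target`, directly or through another process."""
    graph = build_graph(depends_on)
    if target not in graph:
        raise KeyError(f"unknown process: {target}")
    needed_by = {name: set() for name in graph}
    for name, deps in graph.items():
        for dep in deps:
            needed_by[dep].add(name)
    seen, stack = set(), [target]
    while stack:
        for child in needed_by[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    seen.discard(target)
    return seen


def start_order(processes, depends_on):
    """Topological order (Kahn's algorithm): dependencies before dependents."""
    graph = build_graph(depends_on)
    wanted = set(processes)
    pending = {p: len(graph[p] & wanted) for p in wanted}
    ready = [p for p, count in pending.items() if count == 0]
    heapq.heapify(ready)  # alphabetical tie-break keeps the plan repeatable
    order = []
    while ready:
        current = heapq.heappop(ready)
        order.append(current)
        for other in wanted:
            if current in graph[other]:
                pending[other] -= 1
                if pending[other] == 0:
                    heapq.heappush(ready, other)
    if len(order) != len(wanted):
        stuck = ", ".join(sorted(wanted - set(order)))
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def restart_plan(target, depends_on):
    """Return (stop_order, start_order) for restarting `target` safely."""
    affected = dependents_of(target, depends_on) | {target}
    start = start_order(affected, depends_on)
    return list(reversed(start)), start


if __name__ == "__main__":
    stop, start = restart_plan("EPMDbEngine", DEPENDS_ON)
    print("stop :", " -> ".join(stop))
    print("start:", " -> ".join(start))
```

A plan like this shows up front which monitoring functions go dark during a restart, which matters when the restart is part of a change such as a login module or database password update.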
Backing Up Data
You should back up the database regularly so that you have a safe copy of the database. You can schedule
immediate, daily, weekly, or monthly automatic database backups. You should have the necessary privileges
to use this option.
You cannot back up the database while restoring the database. LMS uses multiple databases to store
client application data. These databases are backed up whenever you perform a backup.
Backup requires enough storage space on the target location for the backup to start.
If your current license count is lower than your earlier license count, and you restore the data now,
devices that exceed the current license count will be moved to Suspended state.
Caution
You should never back up data to the Cisco Prime installation directory NMSROOT/backup. Storing the
backup data in this location may sometimes corrupt the Cisco Prime installation.
This section explains:
Scheduling a Backup
Restoring Data
Scheduling a Backup
You can schedule a backup using the LMS UI or use the backup utility through CLI. See Backing up
Data Using CLI for more information.
To schedule a backup:
Step 1
Step 2
Description
Location of the backup directory. We recommend that your target location be on
a different partition than the Cisco Prime installation location.
The backup directory should not contain any special character.
Generations
Maximum number of backups to be stored in the backup directory.
Time
From the lists, select the time period between which you want the backup to
occur. Use a 24-hour format.
Field
E-mail
Description
Enter a valid e-mail ID in this field.
You can enter multiple e-mail IDs separated by commas.
The system uses the e-mail ID or e-mail IDs to notify you of the following:
Warning
Frequency
Weekly - The database is backed up once a week on the day and time
specified. Select a day from the Day of week list.
Monthly - The database is backed up once a month on the day and time
specified. Select a day from the Day of month list.
You cannot schedule more than one backup at a time. The new schedule
overwrites the previous schedule, if any.
Step 3
Click Apply.
The Schedule Backup message verifies your schedule and provides the location of backup log files.
Examine the log file at the following location to verify backup status:
On Solaris/Soft Appliance:
/var/adm/CSCOpx/log/dbbackup.log
On Windows:
NMSROOT\log\dbbackup.log
You can remove the scheduled backup at any time. Click Remove to delete the scheduled backup job.
The Remove button appears only if you have scheduled any backup.
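A pre-flight check for the backup directory, as an added example that is not part of the Cisco guide or its tools: it applies the constraints stated in this section (never NMSROOT/backup, preferably a different partition, no special characters, enough free space). The function names, finding codes, the definition of "special character" and the required_bytes estimate are assumptions.

```python
import os
import re
import shutil

# Assumption: the guide does not define "special character", so this example
# accepts only letters, digits, dot, underscore and hyphen in each component.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9._-]+")


def nearest_existing(path):
    """Walk up to the closest ancestor that exists (the target may be new)."""
    while not os.path.exists(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def is_within(path, parent):
    """True when path is parent itself or lies below it."""
    try:
        return os.path.commonpath([path, parent]) == parent
    except ValueError:  # for example, different drives on Windows
        return False


def check_backup_dir(backup_dir, nmsroot, required_bytes=0):
    """Return (severity, code, message) findings for a proposed backup directory."""
    findings = []
    # Resolve symbolic links first, so that a link pointing into the
    # installation tree is judged by where the data would really be written.
    target = os.path.realpath(backup_dir)
    root = os.path.realpath(nmsroot)
    forbidden = os.path.realpath(os.path.join(nmsroot, "backup"))

    if is_within(target, forbidden):
        findings.append(("error", "nmsroot-backup",
                         f"{target} resolves inside NMSROOT/backup"))

    # Check the path as typed, component by component.
    _, tail = os.path.splitdrive(os.path.abspath(backup_dir))
    bad = [part for part in tail.split(os.sep)
           if part and not SAFE_COMPONENT.fullmatch(part)]
    if bad:
        findings.append(("error", "special-char",
                         f"path components with special characters: {bad}"))

    # Same device number means same partition as the installation.
    probe = nearest_existing(target)
    if os.path.exists(root) and os.stat(probe).st_dev == os.stat(root).st_dev:
        findings.append(("warning", "same-partition",
                         "backup target shares a partition with NMSROOT"))

    free = shutil.disk_usage(probe).free
    if free < required_bytes:
        findings.append(("error", "low-space",
                         f"{free} bytes free, {required_bytes} required"))
    return findings


if __name__ == "__main__":
    # Constructed paths; replace with the real NMSROOT and target directory.
    for finding in check_backup_dir("/backups/lms", "/opt/CSCOpx", 10 * 1024**3):
        print(finding)
```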
Restoring Data
The new restore framework supports restore across versions. This enables you to restore data from
versions 3.1, 3.2. The restore framework checks the version of the archive.
If the archive is of the current version, then the restore from current version is run.
If the backup archive is of an older version, the backup data is converted to LMS format, if needed,
and applied to the machine.
You can restore your database by running a script from the command line. You have to shut down and
restart Cisco Prime while restoring data.
In all backup-restore scenarios, a backup is taken from a machine A, and the backed up data, say Ab, is
restored on the same machine A, or on a different machine B.
Ensure that you do not run any critical tasks during data restoration. Otherwise, you may lose the data
of such tasks.
For details on the effect of the restore operation on DCR modes and Groups, see Effects of Backup-Restore on
DCR and Effects of Backup-Restore on Groups.
Caution
Restoring the database from a backup permanently replaces your database with the backed up version.
The list of applications in a backup archive should match the list of applications installed on the LMS
Server where you want to restore the data. You should not continue the restore when there is a mismatch,
as it may cause problems in the functionality of Cisco Prime applications.
This section explains the following:
Step 2
Step 3
[-t temporary directory] - The restore framework uses a temporary directory to extract the content
of the backup archive.
By default the temporary directory is created under NMSROOT as NMSROOT/tempBackupData.
You can customize this by using the -t option, where you can specify your own temporary directory.
This is to avoid overloading NMSROOT.
[-h] - Provides help. When used with -d <backup directory> syntax, shows correct syntax along
with available suites and generations.
Examine the log file in the following location to verify that the database was restored by entering:
/var/adm/CSCOpx/log/restorebackup.log
Step 5
To restore the data on Windows, make sure you have the correct permissions, and do the following:
Step 1
Step 2
Step 3
Examine the log file in the following location to verify that the database was restored by entering:
NMSROOT\log\restorebackup.log
Step 4
Note
For more details on restoring data, see Migrating Data to Cisco Prime LAN Management Solution 4.2 in
Installing and Migrating to Cisco Prime LAN Management Solution 4.2.
Caution
You need to shut down Cisco Prime, change the password and then restart Cisco Prime, for the changes
to take effect. Make sure you are not running any critical tasks. Otherwise, you might lose data.
This section explains the following:
Step 2
Step 3
NMSROOT/bin
Enter the following command to list the different formats available for changing the database password:
NMSROOT/bin/perl dbpasswd.pl
Step 5
When prompted, enter the new password and verify it by re-entering it.
The password can contain a maximum of 30 characters.
Step 6
At the command line, make sure you have the correct permissions.
Step 2
Step 3
NMSROOT\bin
Enter the following command to list the different formats available for changing the database password:
NMSROOT\bin\perl dbpasswd.pl
Step 5
When prompted, enter the new password and verify it by re-entering it.
The password can contain a maximum of 30 characters.
Step 6
The different formats available and the commands for changing the database passwords on Windows,
Solaris and Soft Appliance platforms are tabulated below:
Format
Command
On Solaris/Soft Appliance:
On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl listdsn
On Windows:
NMSROOT\bin\perl dbpasswd.pl listdsn
On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl dsn=odbc_datasource
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=odbc_datasource
On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password
On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name encryption=yes
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name encryption=yes
On Solaris/Soft Appliance:
encryption=yes
Change modes.
For example, a Standalone DCR can be set after a backup to act as a Slave. When the restore is
performed, it will be reset to the Standalone mode. It depends on the DCR mode of the machine from
which the backup was taken (source machine), and the machine on which the data was restored
(target machine).
For detailed information on DCR, see Managing Device and Credentials in Inventory Management
Guide.
The following scenarios help you understand the implications of Restore operations on DCR.
If you restore the data backed up from a machine in the Standalone mode, on any machine whose
working mode is either Standalone, Master, or Slave, the end mode will be Standalone.
Let X be a machine in Standalone mode.
If you restore the data backed up from X, say Xb, on another Standalone machine Y, or a Slave S, or a
Master M, the end mode of Y, S, and M will be Standalone. Also, any slave of M will switch to
Standalone mode.
Further scenarios can be better explained based on the following DCR set up.
Let us assume there are two DCR domains.
Suppose you take a backup from S1. After some time, you restore the backed up data, say S1b, on S1. S1
will look for its Master M1, and the Master-Slave relation between S1 and M1 will be intact, since M1
is available.
However, note that the restore on S1 will practically be of no effect since S1 and M1 will synchronize
after the restore on S1. The changes that have taken place after the backup was taken from S1 will be
reflected in S1, even if S1b is restored on S1.
In the above example, if the restore on S1 is performed when Master M1 is down, or has crashed, the
end mode of S1 will be Standalone. This is because S1 will try to contact M1, and will fail because M1
is down.
Restoring Data From S1 to M1
Suppose you take a backup from S1 and restore the backed up data, say S1b, on M1. M1 will switch to
Standalone mode because, after backup, it will not be able to find a Master. S1 will also switch to
Standalone mode.
At the time of backup, if there were 1000 devices in M1, the Slave S1 would also have 1000 devices.
Assume more devices are added to M1 after the Backup. S1 will have the up-to-date device list. However,
after restore on M1, M1 will have only 1000 devices. In other words, the data on S1 will be more recent
than the data on M1.
Restoring Data From S1 on M2
Suppose you take a backup from S1 and restore the backed up data, say S1b, on M2, which is the Master
in the DCR Domain 2 in our example.
After the restore, the end mode of M2 will be Slave. That is, M2 will become a Slave of M1. Also, S3,
and S4, which were Slaves of M2, will switch to the Standalone mode.
Restoring Data From M1 on M1
Suppose you take a backup from M1. After the backup you would be performing several operations that
would bring about changes in the Master and the corresponding Slaves; M1, S1, and S2 in our example.
Now, if you restore the backed up data, M1b, on M1 itself, the Master M1 will have data that is older
than the data in the Slaves, S1 and S2. In other words, the Slaves will have more recent data than that
on the Master.
To avoid this, you must perform the Restore operation in the following sequence:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
This ensures that Master has more recent data than the Slaves.
Note
To avoid disturbances to the Master-Slave relationship, and to maintain consistency, it is better to take
a backup of all machines at the same time.
Restoring Data From M1 to M2
Suppose you take a backup from M1, and restore the backed up data, say M1b, on M2.
S3, and S4 which were Slaves of M2, will switch to Standalone mode.
Restore operations can affect Master-Slave relationships because they may modify these pre-configured
parameters.
For example, let M1 be the Master, and S1 its Slave. Let X be a standalone server.
Suppose you take a backup from S1, and restore the backed up data, say S1b on X.
Now, X has to be in Slave mode.
Since M1 and S1 already shared a Master-Slave relationship, M1 will have the peer certificate of S1,
and S1 will have the certificate of M1.
After the restore operation, X will get the certificate of M1. However, if the peer certificate of X is not
present on M1, X will not be able to have M1 as its Master.
So you have to ensure that the certificates of the peer machines are in place before you do a Restore.
Other Master-Slave configuration prerequisites such as System Identity user configuration and Peer
Server Account user configuration might get affected by Restore operations.
For example: In M1 you have Joe as a Peer Server User and in S1 you add Joe as a System Identity User.
You take a backup from S1.
After you take the backup, say you change the Peer Server User and System Identity User to Bob.
Now if you restore the backed up data, say S1b, the System Identity User would not be Bob anymore. This
will upset the Master-Slave relationship.
During restore you are prompted to confirm whether you need to overwrite the SSL certificate.
SSL certificates are tied to individual machines. So if you take a backup on one machine and restore it
on another, you should be careful not to overwrite the SSL certificate.
However, if you back up data from a machine and restore it to the same machine, you may overwrite the
SSL certificate.
The subsequent sections are based on the scenarios discussed in the Effects of Backup-Restore on DCR.
Restoring Data From S1 on S1
No impact on CS groups.
There may be applications installed on S1. Say you create 10 groups in the Applications before you
backup data from S1. After backup, assume you create 10 more groups in the Applications. After restore,
the 10 groups you created after backup will not be present. This loss of newly added groups also
propagates to other Slaves in the domain.
Restoring Data From S1 on M1
After restore, both S1 and M1 will switch to Standalone mode. Both will have only those groups
pertaining to LMS installed on the individual machines. Groups UI is enabled on S1. Also, the other
Slaves of M1 will switch to Standalone mode.
Restoring Data From S1 on M2
After restore, M2 will become a Slave of M1. The Groups UI in M2 will be disabled. M2 will pickup all
the groups from M1. Groups in M2 will be propagated to other slaves in the domain. All the slaves of
M2 (before restore) will now switch to Standalone mode.
Restoring Data From M1 on M2
Slaves of M2, that is S3 and S4, will switch to Standalone mode. Groups pertaining to S3 and S4 will be
deleted from M2.
In all the cases the System-defined Groups, and the User-defined Groups, are carried over and updated
in the target machine.
Exporting Device Credentials Repository (DCR) data from LMS: User can export the Device List
and Credentials to a CSV file that would be shown as a link. The data backup status and backup
location will be displayed at the bottom of the Export Data to Prime Infrastructure page.
Exporting complete data of LMS: This option enables you to store data in an external server or
LMS server. The default backup location will be populated in the Backup location field at the bottom
of the Export Data to Prime Infrastructure page. If the user chooses to store data in an external server,
the external server credentials, namely Server IP or Host name, username, password and backup
location, will be required.
Updating Licenses
To obtain a product license for your Cisco Prime applications, register your software at one of the
following websites. You will need to provide the Product Authorization Key (PAK), which is printed on
a label affixed to the Bundle sub-box.
If you are a registered user of Cisco.com, use this website:
http://www.cisco.com/go/license
If you are not a registered user of Cisco.com, use this website:
http://www.cisco.com/go/license/public
The product license will be sent to the e-mail address you provide during registration. Retain this license
with your Cisco Prime software records.
Licensing the Application
After you obtain the product license, perform these steps to license your software:
Step 1
Copy the new license file to the LMS Server, with read permission for casuser/casusers.
Step 2
Step 3
Click Update.
Step 4
Enter the path to the new license file in the License field, or click Browse to locate the new file.
Step 5
Click OK.
The system verifies whether the license file is valid, and updates the license. The updated licensing
information appears in the License Information page. Otherwise an error message is displayed.
To return to the License Information page, click Cancel.
Note
You must have a Compliance and Audit Manager (CAAM) server license for accessing the CAAM features
in LMS 4.2. For more details, refer to Compliance and Audit Manager (CAAM) Server License.
Viewing License Information
To view details of your current software license, select Admin > System > License Management to
open the License Information page.
The license name, license version, size (device limit for the licensed application), status of the license,
and the expiration date of the license appear under License Information.
The license version shows the major version of the application.
Updating Licenses
You can view details of your current software license, or update to a new license from the License page.
To update to a new license from the Licensing page:
Step 1
Step 2
Click Update.
Step 3
Enter the path to the new license file in the License field, or click Browse to locate the new file.
Step 4
Click OK.
The system verifies whether the license file is valid, and updates the license. The updated licensing
information appears in the License Information page. Otherwise, an error message is displayed.
To return to the License Information page, click Cancel.
The following Compliance and Audit Reports are supported only by LMS license and do not require
CAAM server license.
Service Reports
Step 2
Step 3
Click Apply.
Status of LMS grouping server. The status values are Running, and Not Running.
Error encountered if the grouping servers are not running or if they are not reachable.
You can look into this collected information to find out the errors with grouping servers and debug them.
You can also collect server information using CLI. See Collecting Server Information Using CLI.
To collect the server information:
Step 1
Select Admin > System > Server Monitoring > Collect Server Information.
The Collect Server Information page appears.
Step 2
Step 3
System Information: Displays the server type, operating system version, installation date of
operating system, and other system information.
Cisco Prime Registry: Displays the registry entries of Cisco Prime components installed in the
server.
Tomcat Log Files: Displays the log files corresponding to the application server.
Grouping Service: Displays the information of grouping servers and the groups created in the
grouping server.
Application Registry Details: Displays the information of applications registered with Cisco
Prime home page.
Device Credentials Admin Information: Displays the details of DCR mode, status of DCR Master,
number of devices in DCR and the contents of DCR configuration files.
ODBC Configuration: Displays the information about the configuration of database connection
in the LMS Server.
Product Log Files: Displays the contents of log files of all Cisco Prime components.
Environment Variables: Displays the list of environmental variables set up in the LMS Server.
Process Status: Displays the name of processes, current state of the process, process ID, start and
finish time of the process, and other information.
Memory and Harddrive Status: Displays details of free space and total space of memory and hard
disk drives in the LMS Server.
JRE Registry: Displays information about the Java Runtime Environment registry files.
Step 4
Click OK.
The server information for the selected components is collected.
Collecting server information may take longer if more components are selected.
To return to the Collect Server Information page, click Cancel.
You can click Refresh in the Collect Server Information page to see the latest status.
Select Admin > System > Server Monitoring > Collect Server Information.
The Collect Server Information page appears.
Step 2
Click Server Information at the date time link to view the collected server information.
The popup window displays the server information collected.
Step 3
View server information by clicking the corresponding link in the Table of Contents.
Select Admin > System > Server Monitoring > Collect Server Information
The Collect Server Information page appears.
Step 2
Select the corresponding check box of the server information you want to delete.
Step 3
Click Delete.
or
Step 2
Select the E-mail text box and enter your Email ID.
Step 3
Click Save.
The system generated self test report will be sent to the specified Email ID.
Step 2
Step 3
In LMS 4.2, the selftest report provides the following Hardware Parameters details:
Memory availability
Swap
CPU
DSN
Backup status
If the syslog database size exceeds 10 GB you need to purge the syslog records to reclaim space. Do the
following to purge syslog records and reclaim the database space:
Note
If you want to back up the syslogs, refer to Setting the Syslog Backup Policy.
Step 1
Perform a forced purge of Syslog messages. Refer to Performing a Syslog Forced Purge.
Step 2
Step 3
Refer to the Syslog DBSpaceReclaimer Tool section in the RMEDebugToolsReadme.txt file and execute the
perl script DBSpaceReclaimer.pl.
Note
The perl script will reclaim the space occupied by SyslogFirst.db, SyslogSecond.db and
SyslogThird.db files present in the server. The amount of space reclaimed will depend on the
purge criteria that you specify. The most effective way to reclaim the space is to purge the
records older than 1 day.
Step 1
Select Admin > System > User Management > Notify Users.
The Notify Users page lists all the users currently logged in.
Step 2
Note
If you are using Microsoft Internet Explorer, make sure your browser is set to check for updates on every
visit to the page.
Managing Resources
LMS provides a Resource Browser for managing resources. You can free locked resources, when
necessary, if you have appropriate privileges. All users (including those with Help Desk role alone) can
access the Resource browser page. The Refresh icon in the Resource browser is available for all users.
Note
The System Identity user must configure all the Resource management related tasks. The Browse
Resources and Free Resources tasks should be enabled.
To view Resource details:
Step 1
Description
Resource
Job ID / Owner
Number assigned to this task at creation time. Identifies all related locked
resources, and user who locked the resource.
Time Locked
Expire Time
Step 2
Step 3
Description
SMTP Server
Administrator
E-mail ID
Enable E-mail
Attachment
Allows you to enable e-mail attachments in the mails sent from LMS Server.
This option helps you to attach PDF or CSV reports with the e-mail after the
scheduled jobs have completed.
This option is disabled by default.
Maximum
Attachment Size
Maximum size of the e-mail attachments that are allowed to be sent from LMS
Server.
You can specify the attachment size in KB or MB.
RCP User
Name used by network device when it connects to LMS Server to run rcp.
User account must exist on UNIX systems, and should also be configured on
devices as local user in the ip rcmd configuration command. The default RCP
username is cwuser.
SCP User
Name used by network device when it connects to LMS Server to run SCP.
The username you have entered here is used for authorization while transferring
software images using SCP protocol.
You must specify a user name that has SSH authorization on a Solaris system.
SCP uses this authorization for transferring the software images.
This field is available only if Cisco Prime LMS applications are installed on the
LMS Server.
SCP Password
Caution
SMTP Server
Administrator E-mail ID
RCP User
Set this information carefully. If you introduce errors, users may not be able to log in.
Step 3
Check the Enable crmlogger DNS Resolution check box to enable the Domain Name Service Resolution
for the crmlog service, on a Windows system.
Step 4
Enter the following fields, which are available only if Cisco Prime LMS applications are installed on the
LMS Server:
Step 5
SCP User
SCP Password
Click Apply after making the changes. To cancel the changes, click Cancel.
Rotate log files only when they have reached a particular size.
Logrot helps you easily add new files. You can configure Logrot either from the UI or from the CLI.
The following log files are maintained by the log rotation program:
Daemon Manager
Step 2
If you do not set a backup directory, each log file will be rotated in its current directory.
Step 3
Select Restart Daemon Manager check box to stop and start the Daemon Manager before the log
rotation starts. This is optional.
Step 2
Step 3
Enter the name of the log file in the Select Log File field.
You can enter only one log file at a time.
You should specify log file using its fully-qualified path. If the log files do not exist in the path you have
specified, this will not be considered for rotation.
You can also click Browse to select a log file name from the file system.
Step 4
Enter the maximum file size in the Maximum Logrot Size field.
The log file will not be rotated until this size is reached.
You can enter the file size in KB or MB. The default file size is 1024 KB. The maximum file size for log
rotation is 4096 MB.
Step 5
Step 6
gz: GNU gzip
Step 7
To edit the log files that you have configured for rotation:
Step 1
Step 2
Step 3
Click Edit.
The Edit Logrot page appears.
Step 4
Edit the name of the log file. The rotated log files will be stored with the new name you have edited.
Step 5
Edit the log file size, compression type or number of archive revisions.
Step 6
Step 2
Click Schedule.
The Schedule Logrot appears.
Step 3
Select a value in the Hour and Min drop-down lists to specify the time at which the log rotation should
start.
You should specify the time in 24-hour format.
Step 4
Step 5
Weekly: Log rotation job runs once a week on the day and time specified. Select a day from the
Day of Week list.
Monthly: Log rotation job runs once a month on the day and time specified. Select a day from the
Day of Month list.
Logrot should be installed on the same machine where you have installed LMS.
Enter:
The Logrot configuration menu appears. You have the following options:
Step 2
Edit variables.
Step 3
Select Edit log files to add log files you wish Logrot to rotate.
You can specify log files using fully-qualified or relative paths. If a relative path is specified, and the log
file does not exist in that path, the default log file path for your operating system will be added during
rotation (for example, /var/adm/CSCOpx/log on Solaris/Soft Appliance).
Step 4
Specify the number of archive revisions. If you do not want to keep any archives, enter 0 (the default)
for this option.
Step 5
Specify the maximum file size. The log will not be rotated until this size is reached. The unit is in
kilobytes (KB). The default is 1024 KB or 1 MB.
Step 6
gz: GNU gzip
When deleting logfiles, you can choose to delete an individual file, a list of files, or all files matching a
certain pattern.
For example, 1-3 means delete files numbered 1 through 3. A list of comma-separated file numbers, for
example, 1,21, means delete files numbered 1 and 21. A pattern string *.log means delete all files that
match the pattern *.log.
You can also specify the special pattern, *, which means delete all logfiles in the configuration.
On Windows:
Enter NMSROOT\bin\perl NMSROOT\bin\logrot.pl
On Solaris/Soft Appliance:
Run /opt/CSCOpx/bin/logrot.pl
You can schedule log rotation so that the utility works on a specified time and day.
The following command line flags are accepted:
Caution
-v
-s
The Restart Delay variable controls the waiting duration (in seconds) before proceeding, after dmgtd is
shutdown. This option is only used if the -s argument is given to logrot. The default delay is 60 seconds.
-c
-h
The following wrapLogrot permissions should be checked for proper working of LogRotation.
For Solaris:
bash-3.00# ls -l /opt/CSCOpx/bin/wrapLogrot
-r-sr-x--- 1 root casusers /opt/CSCOpx/bin/wrapLogrot
For Virtual Appliance:
[root@HOSTNAME bin]# ls -l wrapLogrot
-r-sr-s--- 1 root casusers 7430 Sep 26 16:00 wrapLogrot
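The two listings above can be turned into a repeatable check. The following script is an added example, not part of the Cisco guide or product: it compares an ls -l line for wrapLogrot with the mode, owner and group shown above. The function names and the sample lines in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Cisco code. Expected values come from the two listings
# in the guide; everything else (function names, sample lines) is constructed.

# Mode string the guide shows for each platform.
expected_mode() {
    case "$1" in
        solaris)   printf '%s\n' '-r-sr-x---' ;;  # setuid root, group r-x
        appliance) printf '%s\n' '-r-sr-s---' ;;  # setuid root and setgid casusers
        *)         return 2 ;;
    esac
}

# check_wraplogrot_line PLATFORM 'LS_L_LINE'
# Prints OK, or one line per mismatch. Returns 0 only when mode, owner and
# group all match; 1 on a mismatch; 2 when the input cannot be interpreted.
check_wraplogrot_line() {
    want=$(expected_mode "$1") || { echo "unknown platform: $1"; return 2; }
    set -f; set -- $2; set +f          # split the listing on whitespace
    [ $# -ge 4 ] || { echo "not an ls -l line"; return 2; }
    mode=${1%[+.]}                     # drop a trailing ACL (+) or SELinux (.) marker
    owner=$3
    group=$4
    rc=0
    # The s in the owner triplet means the helper runs with root's effective
    # UID, so any drift in mode or ownership is worth reporting.
    [ "$mode" = "$want" ]   || { echo "mode $mode, expected $want"; rc=1; }
    [ "$owner" = root ]     || { echo "owner $owner, expected root"; rc=1; }
    [ "$group" = casusers ] || { echo "group $group, expected casusers"; rc=1; }
    [ "$rc" -eq 0 ] && echo OK
    return "$rc"
}

# check_wraplogrot_file PLATFORM PATH
# Same check against a file on disk, for example /opt/CSCOpx/bin/wrapLogrot.
check_wraplogrot_file() {
    line=$(LC_ALL=C ls -ld "$2" 2>/dev/null) || { echo "cannot list $2"; return 2; }
    check_wraplogrot_line "$1" "$line"
}

# Constructed sample listings; the last two are deliberately wrong.
demo() {
    while IFS='|' read -r platform line; do
        printf '%s: ' "$platform"
        check_wraplogrot_line "$platform" "$line" | tr '\n' ' '
        echo
    done <<'EOF'
appliance|-r-sr-s--- 1 root casusers 7430 Sep 26 16:00 wrapLogrot
solaris|-r-sr-x--- 1 root casusers 7430 Sep 26 16:00 /opt/CSCOpx/bin/wrapLogrot
solaris|-rwsr-xr-x 1 root casusers 7430 Sep 26 16:00 /opt/CSCOpx/bin/wrapLogrot
appliance|-r-sr-s--- 1 casuser casusers 7430 Sep 26 16:00 wrapLogrot
EOF
}
demo
```

On a server, call check_wraplogrot_file with solaris or appliance and the path to wrapLogrot.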
Viewing the Scheduled Logrot Job
You can view the scheduled jobs log file to troubleshoot the logrot utility.
To look at the scheduled logrot job:
Example:
To view the job scheduled to run as root user, use the command:
crontab -l root
Example:
To view the job scheduled to run as root user, use the command:
crontab -lu root
The process calculates the disk space availability of the LMS Server directories at a regular interval of
approximately one hour.
In Solaris machines, the disk space of the /opt file system is calculated in the first 30 minutes of every
one-hour interval. The disk space of the /var file system and the /tmp file system is calculated in the next
15 minutes and in the last 15 minutes, respectively, of that approximately one-hour interval.
This process also alerts you when the disk space is less than the threshold level you have configured in
the User Interface. Alerts are sent as urgent messages to logged in users. You can also receive the alert
messages through e-mail if you have configured your e-mail ID along with threshold level.
This process records the alert information in the system log files. The alert information is recorded in
diskWatcher.log and syslog.log files in Windows machines. They are stored in diskWatcher.log and
daemons.log files in Solaris machines.
To configure the disk space threshold limit:
Step 1
Select Admin > System > Server Monitoring > DiskWatcher Configuration.
The DiskWatcher Configuration page appears.
Step 2
Enter a threshold value in the Threshold for Cisco Prime Installation Directory field to monitor the disk
space in the Cisco Prime Installation directory. This is mandatory.
You should enter the threshold value in units of MB or GB.
Step 3
Enter a threshold value in the Threshold for /var and /tmp Directories field to monitor the disk space in
Solaris file systems. This is mandatory.
You should enter the threshold value in units of MB or GB.
Note
Step 4
Step 5
Click Apply to save the changes or click Cancel to reset the values.
The following are the scenarios where Assertion Error might appear:
If you use any third-party backup software to back up a live, running database, the Assertion Error
might be thrown.
This is because some of the database pages that have been modified will be in the database server
cache, so the database file will be in an inconsistent state.
We recommend that you do not use third-party backup software for backing up a running database.
We also recommend that you configure your anti-virus software so that it does not scan the
NMSROOT/databases directory.
NMSROOT is the directory where you have installed Cisco Prime.
Configuring TFTP
This applies only to Solaris.
The TFTP (Trivial File Transfer Protocol) daemon shipped by Cisco Prime LMS supports TCP
(Transmission Control Protocol) Wrappers.
If the TCP Wrapper support is not configured properly in the server where Cisco Prime is installed, the
jobs requiring TFTP may fail.
To ensure that TFTP works properly, check the following configuration files:
Note
If /etc/hosts.allow file is present, ensure that the command in.tftpd is given as in.tftpd:ALL. If the
command is not in the file at all, add it as in.tftpd:ALL.
If /etc/hosts.deny file is present, ensure that the command in.tftpd is not in the file.
If neither file is present (/etc/hosts.allow and /etc/hosts.deny), you do not need to make any
changes.
The TCP Wrapper software extends the abilities of inetd to provide support for every server daemon
under its control. It provides logging support, returns messages to connections, and permits a daemon to
accept only internal connections.
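The three rules in the Note above, written as a script. This is an added example, not Cisco code; the function names and sample files are constructed. It goes one step beyond the guide by also flagging a hosts.deny rule whose daemon list is ALL when hosts.allow does not grant in.tftpd, because TCP Wrappers consults hosts.allow first and hosts.deny second.

```shell
#!/bin/sh
# Added example, not Cisco code.

# rules_for DAEMON FILE
# Print the client list of every rule in FILE whose daemon list names DAEMON.
# Rules have the form "daemon_list : client_list [: option]". Lines that start
# with # are comments. Backslash-continued lines are not joined here.
rules_for() {
    awk -v want="$1" '
        /^#/ { next }
        {
            n = split($0, f, ":")
            if (n < 2) next
            m = split(f[1], d, /[ \t,]+/)
            for (i = 1; i <= m; i++)
                if (d[i] == want) {
                    c = f[2]
                    gsub(/^[ \t]+|[ \t]+$/, "", c)
                    print c
                    break
                }
        }' "$2"
}

# check_tftp_wrappers [ALLOW_FILE [DENY_FILE]]
# Returns 0 when the files satisfy the guide's rules, 1 otherwise.
check_tftp_wrappers() {
    allow=${1:-/etc/hosts.allow}
    deny=${2:-/etc/hosts.deny}
    rc=0
    granted=no

    if [ ! -f "$allow" ] && [ ! -f "$deny" ]; then
        echo "OK: neither file exists, no change needed"
        return 0
    fi
    if [ -f "$allow" ]; then
        if rules_for in.tftpd "$allow" | grep -qx ALL; then
            granted=yes
            echo "OK: $allow has in.tftpd:ALL"
        else
            echo "FIX: add in.tftpd:ALL to $allow"
            rc=1
        fi
    fi
    if [ -f "$deny" ]; then
        if [ -n "$(rules_for in.tftpd "$deny")" ]; then
            echo "FIX: remove in.tftpd from $deny"
            rc=1
        elif [ "$granted" = no ] && [ -n "$(rules_for ALL "$deny")" ]; then
            # Beyond the guide: a daemon wildcard in hosts.deny also covers
            # in.tftpd unless hosts.allow matched first.
            echo "FIX: $deny denies ALL daemons and nothing allows in.tftpd"
            rc=1
        else
            echo "OK: $deny does not block in.tftpd"
        fi
    fi
    return "$rc"
}

# Constructed sample files: the allow file is correct, the deny file is not.
demo() {
    d=$(mktemp -d) || return 0
    printf '%s\n' '# constructed sample' 'in.tftpd: ALL' > "$d/hosts.allow"
    printf '%s\n' 'in.tftpd: 192.0.2.' > "$d/hosts.deny"
    check_tftp_wrappers "$d/hosts.allow" "$d/hosts.deny" || :
    rm -rf "$d"
}
demo
```

Run check_tftp_wrappers with no arguments on the LMS server to check /etc/hosts.allow and /etc/hosts.deny.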
Displaying LMS Server name with browser title helps you to identify the server from which the
application window is launched especially in a multi-server setup and Single Sign-On based setup.
You can enable or disable the option of displaying the LMS Server name along with the browser title.
When you choose to display the server name in the browser title, the browser window displays the title
in the following format:
Hostname - ApplicationWindowTitle
where,
Hostname is the name of the LMS Server
ApplicationWindowTitle is the title of application window launched from LMS Server.
Note
By default, the option of displaying the LMS Server name with the application window title in the
browser is enabled.
For example, if the name of your LMS Server is lmsdocultra, then the title of the Cisco Prime home
page is displayed as lmsdocultra - CiscoPrime.
If you launch LMS from the Cisco Prime LMS, the title of the LMS window is displayed as lmsdocultra
- LMS Home.
You can also enable or disable the display of server name with the browser title by changing the
configurations in a properties file.
Configure the uii-windows.properties file located at NMSROOT/lib/classpath to:
Enable or disable the option of displaying server name with browser title.
Replace hyphen (-) with any other delimiter except empty spaces.
Trim the spaces between the Hostname, delimiter and Application window title.
Select Admin > Cisco Prime Integration > Application Settings. The Application Settings page
appears.
Step 2
Add
Click Add. The Server Configuration page appears.
Select NAM from the drop-down list.
Configuration page.
Edit
Select a configuration detail that has to be edited.
Click Edit. The Edit NAM Configuration page appears.
Enter the IP Address in the NAM IP field.
Enter the user name and password in the corresponding fields.
Enter the SNMP read community.
Select either HTTP or HTTPS as the protocol.
Enter the port number.
Click Edit to save the changes or Cancel to return to the NAM Configuration page.
Delete
Select a configuration detail that has to be deleted.
Click Delete. A confirmation dialog box appears.
Click OK to confirm or Cancel to return to the NAM Configuration page.
Filter
In the Filter By field, select the filter criteria e.g. ApplicationName from the drop-down list.
In the Matches text box, enter the matching details e.g. NAM.
Click Go, to execute the selected filter condition.
Click Clear Filter, to clear the filter condition.
CHAPTER 4
Ensure jobs, other than Device Discovery, are not scheduled in parallel with the Device
Discovery jobs. If any other jobs are scheduled in parallel, the Device Discovery job will take more than
5 min to complete.
When you schedule Device Discovery jobs, ensure that the schedule time does not overlap each
other. Otherwise, one of the Device Discovery jobs may fail.
You should configure the Device Discovery settings before you schedule a Device Discovery job.
Otherwise, the system displays an error message when you try to add a schedule. However, you can
edit the Device Discovery settings for the scheduled job later.
Add a Device Discovery schedule. See Adding Device Discovery Schedule for details.
Modify a Device Discovery schedule. See Editing Device Discovery Schedule for details.
Delete a Device Discovery schedule. See Deleting Device Discovery Schedule for details.
Navigate to LMS Job Browser page. See Viewing the Status of Device Discovery Schedules for
details.
Maintain multiple Device Discovery Settings for multiple schedules. See Maintaining Multiple
Discovery Settings for Multiple Scheduled Jobs for details.
View the Discovery Settings configured for the selected Device Discovery Schedule. See Viewing
Discovery Settings for Selected Discovery Schedule for details.
Edit the Discovery Settings for the selected Device Discovery Schedule. See Viewing Discovery
Settings for Selected Discovery Schedule for details.
Step 2
Click Add.
The Add Discovery Schedule popup window appears.
The Device Discovery schedules are dependent on Device Discovery Settings. You cannot click the Add
button if you have not configured Device Discovery Settings.
The Add button is disabled on a fresh installation of LMS in LMS Server.
Step 3
Select a value in the Hour and Min drop-down lists to specify the time when the Device Discovery should
start.
You should specify the time in 24-hour format.
Step 4
Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern
field.
Step 5
Note
Step 6
The job description should not contain special characters like , and #.
Click Schedule.
The Device Discovery schedule is created and assigned with a job ID. Email notification is sent to the
email address you have configured in the Discovery Settings wizard.
Step 2
Step 3
Click Edit.
The Edit Discovery Schedule popup window appears.
Step 4
Edit the values in the Hour and Min drop-down list, if required.
Step 5
Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern
field.
Step 6
Step 2
Step 3
Click Delete.
The Delete Confirmation dialog box appears.
Step 4
Click OK.
The selected Device Discovery schedule is deleted from the list of schedules.
Caution
Before you remove a Device Discovery schedule, ensure it is completed. Otherwise, if the
Device Discovery job is running, deleting the schedule will stop the job first and then will
remove it.
Step 2
Step 3
Click Start Discovery. A popup window appears with the information on the immediate jobID.
The Start Discovery button will be disabled before setting any jobs or if a discovery is already running.
Step 4
You can navigate to LMS Job Browser page from the Discovery Schedule page to view the latest status
of Device Discovery jobs.
To do so:
Step 1
Step 2
Before creating a scheduled job, you must configure the Device Discovery settings. You can edit the
settings for scheduled jobs later and maintain different settings for different jobs.
To view the existing Device Discovery settings for a selected job, see Viewing Discovery Settings for
Selected Discovery Schedule.
To edit the Device Discovery settings for a selected job, see Editing Discovery Settings for Selected
Discovery Schedule.
Viewing Discovery Settings for Selected Discovery Schedule
You can view the Discovery settings used to create the selected Discovery Schedule job.
To do so:
Step 1
Step 2
Step 3
Step 4
Click OK to return to the Discovery Schedule page after you have viewed the schedule.
You can edit the Discovery Settings used to create the selected Discovery Schedule job.
To do so:
Step 1
Step 2
Step 3
Step 4
Edit the required module settings and click Next. The Seed Devices Settings page appears.
Step 5
Edit the required seed devices settings and click Next. If you do not want to proceed further, click
Finish. The SNMP Settings page appears.
Step 6
Edit the SNMP settings and click Next. If you do not want to proceed further, click Finish.
The Filter Settings page appears.
Step 7
Edit the Filter settings and click Next. If you do not want to proceed further, click Finish.
The Global Settings page appears.
Step 8
Edit the Global settings and click Next. If you do not want to proceed further, click Finish.
Description
Search Input
Device names with wildcard characters, (?) and (*), to search for
multiple devices matching the text string entered in this input field.
The wildcard character ? matches a single character in a device name
and the wildcard character * matches multiple characters in a device
name.
Use this icon to perform a Simple search of devices, after you have entered
your search input. See Performing Simple Search for more information.
Advanced Search
Component Name
Description
All
This tab lists all the top-level device groups and the device names under
each group in a hierarchical format (tree view).
The top-level device groups include:
All Devices
Subnet Groups
This tab displays all the Simple or Advanced search results and you can
select all devices, clear all devices, or select a few devices from the list.
The Simple search results are based on the device name of the devices
added to DCR. The Advanced search results are based on the grouping
attributes of the grouping services server.
Selection
This tab lists all the devices that you have selected in the All or Search
Results tab or through a combination of both. You can also use this tab to
deselect the devices you have already selected.
You can perform more than one search and can accumulate your selection
of devices.
The Device Selector displays the number of devices selected by you at the bottom. When you click the
link provided, it launches the Selection Tab.
Tool tips are also provided for devices that contain long names so that you do not have to scroll
horizontally to see the complete device name.
This section contains the following information:
Searching Devices
The All tab lists the top-level device groups and the device names under each group in a hierarchical
format (tree view).
You can select the devices from the tree view. The Selection tab shows the flat list of selected devices
from the All tab.
You should expand the nodes of the top-level device groups and sub groups to see the list of devices
within a group and select the devices you want. We recommend that you do not expand all and leave all
the multiple group nodes open. This may affect the performance of the device selector.
Selecting Devices From Search Results
You can perform a Simple Search or an Advanced Search, and the search results are displayed under the
Search Results tab. You can select the devices you want from the Search Results tab. The Selection tab
and the All tab, display the devices you have selected from the Search Results tab.
Note
You can perform more than one search and can accumulate your selection of devices.
Combination of Selection From All Tab and Search Results
You can select the devices from the All tab and add more devices to the Selection list from the Simple
or Advanced search results in the Search Results tab.
The Selection tab displays the accumulated list from both All and Search Results tabs.
You can enter another search criteria and select more devices. The selected devices are accumulated in
the Selection tab.
Searching Devices
With the improved Device Selector, you can search for the devices by performing a Simple search or an
Advanced search. In both cases, you do not need to remember the name of the devices and the groups in
which the devices are grouped.
Note
You can enter a comma separated list of device names to search for multiple devices.
You can use the wildcard characters, * and ?, to search for multiple devices that match the text string
entered in this input field. Multiple wildcard characters are allowed in a search string.
You can use the combination of comma separated list of device names and wildcard characters in
the device names to search for multiple devices.
If you are not using the wildcard characters, make sure that you enter the full device name.
For example, when you enter device2?, *.cisco1,*device10* as search input, the system displays:
Device names starting with device2 and with only one character after device2
Using Expressions
or
You can verify if the rule you have entered is correct using the Check Syntax button, and reset the rule
you have created using the Clear button.
Using Expressions
You can use expressions to form a rule in the Advanced Search Dialog box. Each rule expression
contains:
Device Type: Object type used for forming a group. All expressions start with the string Device.
Variables: Device attributes used to form a device group. The list of variables for advanced search
are Category, DeviceIdentity, DisplayName, DomainName, HostName, ManagementIpAddress,
MDFId, Model, Series, SystemObjectID, and the user-defined data, if any.
The list of device attributes are different across Cisco Prime modules. The Advanced Search window
in the Device Selector of Cisco Prime applications displays the respective device attributes as
variables.
Operators: Various operators to be used with the rule. The list of operators includes equals,
contains, startswith, and endswith. The list of operators changes dynamically with the value of the
variable selected.
For the ManagementIpAddress variable, you can select the range operator other than the standard
list of operators. The range operator enables you to search for devices of the specified range of IP
Addresses. See Using IP Address Range to Form a Search Rule for more information.
Value: Value of the variable. The value field changes dynamically with the value of the variable
and operator selected, and this may be a text field or a list box.
After you define the rule settings, click Add Expression to add the rule expression.
You can also enter multiple rule expressions using the logical operators. The logical operators include
OR, EXCLUDE and AND.
Using IP Address Range to Form a Search Rule
The range operator enables you to search for devices in a specified range of IP Addresses. You can
select the range operator only for the ManagementIpAddress and IP.Address variables.
To create a search rule based on IP Address ranges, enter the range of IP Addresses in the Value
field.
When you enter the IP Address range in the text field, you should:
Specify the range with permissible values for one or more octets in the IP Address.
The minimum limit in the range is 0 and the maximum limit is 255.
Use the hyphen character (-) as a separator between the numbers within a range.
Specify the range of IP Addresses within the [ and ] characters to create a group rule.
For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field.
You should not:
Enter numbers less than 0 or greater than 255 in the IP Address range.
Enter an upper limit for the range that is less than the lower limit. For
example, you should not enter 10.10.10.[8-4].
For example, if you want to search all the devices in the network whose device name contains
TestDevice or their IP Addresses within the range 10.10.210.207 to 10.10.212.247, you must perform
the following:
Step 1
Step 2
Step 3
b.
c.
Step 4
Step 5
b.
c.
d.
Step 6
Click Search to display the devices that satisfy the specified rule in the Device Selection dialog box.
TestDevice
Note
We recommend that you use expressions to construct a complex rule instead of creating them using the
Rule Text field. Use the Rule Text field to make any minor edits to the constructed rule.
Additional Notes
Read the following notes before you perform an advanced search:
You cannot use wildcard characters in the Value field. Instead, use the startswith
or contains operator.
You can use the Check Syntax button when you add or modify a rule manually.
When you delete a portion of your rule, you must delete the complete rule expression, including
the logical operator.
All Devices
Subnet Groups
All Devices
The All Devices Group displays all the devices in the application in alphabetical order of their device
names. The device names are defined when you add the devices to DCR.
Subnet Groups
You can see Subnet Groups only when the Topology and Identity Services functionality is enabled. You can
check the functionality settings at Admin > System Administration > Collection Settings >
Functionality Settings.
In a Multi Server setup, when two or more servers are installed with the Topology and Identity Services,
then the Subnet Groups from all the servers will be aggregated and displayed under the Subnet Groups
folder in the Device Selector pane.
See Customization of Subnet Groups for information on customizing the display of devices under this
group.
Tip
We recommend that you give unique and meaningful names to User Defined Groups when you create
them, to avoid the display of multiple User Defined Groups with the same name.
See Customization of User Defined Groups for information on customizing the display of devices under
this group.
All devices in groups and subgroups, based on their Device Category and Series
All devices in groups and subgroups, based on their Device Category, Series and Model
By default, the Device Type Group folder displays the devices in sub groups based on their category only.
To display the devices in groups based on their Device Category:
Step 1
Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2
Check the Show Category Groups check box from the Device Type Based Groups panel.
Step 3
Click Apply to save your changes or click Restore Defaults to restore the default values.
To display the devices in groups and subgroups based on their Device Category and Series:
Step 1
Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2
Check the Show Series Groups check box from the Device Types Based Groups panel.
When you check the Show Series Groups check box, the Show Category Groups check box will also be
checked automatically and will be disabled.
Step 3
Click Apply to save your changes or click Restore Defaults to restore the default values.
To display the devices in groups and subgroups based on their Device Category, Series and Model:
Step 1
Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2
Check the Show Model Groups check box from the Device Type Based Groups panel.
When you check the Show Model Groups check box, the Show Category Groups and Show Series
Groups check boxes will also be checked automatically and will be disabled.
Step 3
Click Apply to save your changes or click Restore Defaults to restore the default values.
To hide the display of Device Type Based Folders from the Device Selector Pane:
Step 1
Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2
Go to the Device Type Based Groups Panel and uncheck all the check boxes.
Step 3
Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2
Check the Show Subnet Groups at the First Level check box from the Subnet Based Groups Panel.
Step 3
Click Apply to save your changes or click Restore Defaults to restore the default values.
Only User Defined Groups created by you in all Peer Servers in a Multi Server setup
All User Defined Groups created by any user in the local server
All User Defined Groups created by any user in all Peer Servers in a Multi Server setup
By default, you can view all the User Defined Groups created in the local server, regardless of which
user created them, in the Device Selector pane.
Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2
Select My User Defined Groups from the Show drop down list box in the User Defined Groups panel.
Step 3
Select either:
Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups
created by you in the local server.
Or
All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined
Groups created by you in all the servers in a Multi-server setup.
In a Standalone Server Setup, the From drop down list box contains only the Local LMS Server list item.
Step 4
Click Apply to save your preferences or click Restore Defaults to restore the default values.
Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2
Select All User Defined Groups from the Show drop down list box in the User Defined Groups
panel.
Step 3
Select either:
Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups
in the local server.
Or
All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined
Groups in all the servers in a Multi-server setup.
In a Standalone Server Setup, the From drop down list box contains only the Local LMS Server list item.
Step 4
Click Apply to save your preferences or click Restore Defaults to restore the default values.
All Devices
2.
3.
4.
Subnet Groups
5.
Select Admin > Network > Display Settings > Group Ordering.
The Group Ordering page appears.
Step 2
Step 3
Click Up to move the device group up in the displayed order or click Down to move down.
Step 4
Click Apply to save the changes to your system or click Restore Defaults to restore the default settings.
To perform these tasks, select Admin > Network > Device Credential Settings. The Admin page
appears with the current DCR Administration settings.
You can change the Mode Settings or modify User Defined fields.
Select Admin > Network > Device Credential Settings > Mode Settings. The Mode Settings page
appears.
Step 2
Before you set up the Master and Slave, you have to perform certain tasks to ensure that secure
communication takes place between the Master and Slave.
Tip
We recommend that you configure the Master and all its Slaves in the management domain with the same
version of LMS software. See the Using DCR Features in a Master-Slave Setup section in the Inventory
Management Guide.
If machine M is to be the Master and S is to be the Slave:
Step 1
Step 2
Add a System Identity user and password in S. This should be the same as the Peer Server User set up in M.
See Setting up System Identity Account for details.
Step 3
Step 4
Step 2
Before you change the mode to Master, ensure that Master-Slave Configuration Prerequisites are in
place.
Step 1
Step 2
Before you change the mode to Slave, ensure that Master-Slave Configuration Prerequisites are in place.
You need to perform the following tasks:
Step 1
Step 2
Step 3
Step 4
Select Inform Current slave(s) of new Master Hostname only if you want to change the mode from
Master to Slave.
If you select this check box, all the slaves of the Master (whose mode you currently changed to Slave)
will be informed of the new master hostname. That is, they will become the slaves of the new Master.
Step 5
Select the Add new devices to Master check box to add the devices in Slave to the new Master.
If the devices are already available in the new Master, they will be discarded.
Step 6
Click Apply.
A warning message appears when the Master server has an earlier version of LMS.
Step 7
Note
You must restart the daemon manager after the mode change to Slave is complete.
Display a list of devices that are not reachable for a certain period of time
You should have the required privileges to configure Device Polling policy.
You should be a Network Administrator, or a System Administrator to perform this task in Local
Authentication mode.
You should have the following privileges to delete the devices:
You can use any one or more of the following protocols to poll devices:
ICMP (Ping)
SNMPv3
SNMPv2c/SNMPv1
When you select all protocols, the devices in the network are polled using ICMP (Ping) first
followed by SNMPv3, and later by SNMPv2c/SNMPv1.
When you select SNMPv2c/SNMPv1 protocol, SNMPv2c is used first to poll the devices. SNMPv1
is used to poll the devices only if the SNMPv2c protocol has failed to query the device.
If you use more than one protocol for polling and if a device is reachable using the first protocol,
the other protocols will not be used.
You can configure only one job at a time to detect unreachable devices. You can modify the schedule
later at any point of time.
In a Master-Slave setup, you can configure Device Polling settings and run the Device Polling job
only from Master server.
Select Admin > Network > Timeout and Retry Settings > Device Poll Settings.
The Device Poll Settings page appears.
Step 2
Select the Activate Device Polling to Check Reachability check box to enable Device Polling.
Device Polling is not enabled by default. You must select this check box to activate Device Polling.
Step 3
Enable one or all of the check boxes in the Poll Policy panel to select the protocols to be used for
polling:
ICMP (Ping)
SNMPv3
SNMPv2c/SNMPv1
Enter the timeout value for the selected protocols in the appropriate Timeout fields.
The timeout denotes the time period after which the ICMP or SNMP query of devices times out.
You must enter the timeout value in milliseconds. The minimum timeout value is 1000 milliseconds
and the maximum value is 20000 milliseconds.
Default value is 1000 milliseconds.
You cannot leave this field blank.
c.
Enter the value of retries for the selected protocols in the appropriate Retries fields.
The retry denotes the number of attempts made to query the device.
You can specify any value from 0 to 8 as the number of retries. The default number of retries is 1 for
both ICMP and SNMP protocols.
You cannot leave this field blank.
d.
Enter the number of instances in Notify when devices not reachable for, to receive notifications
when the devices are not reachable for a specific time period.
This is mandatory.
For example, if you enter the number of instances as 2 and the Device Polling job frequency as Daily,
you will receive notifications for devices that have not been reachable for 2 days or more.
If you enter the number of instances as 3 and the Device Polling job frequency as 6 hours, you will
receive notifications for devices that have not been reachable for the last 18 hours or more.
See Step 4 for details on the job frequencies available.
Step 4
b.
Enter a date in the Date field or select a date from the date picker to start the scheduled job.
The current date on the client system is displayed in the Date field by default.
You can edit the schedule at a later point of time. See Step 5 for details.
If you do not want to edit the schedule, go to Step 7.
Step 5
Select the Change Schedule check box if you want to edit the schedule information (Run Type and
Starting Date).
This field does not appear after a fresh or upgrade installation of LMS or if a Device Polling job has not
been scheduled earlier.
If you opt to change the schedule, the existing job schedule is deleted from Job and Resource Manager
(JRM) and a job is scheduled. The device reachability status is also reset.
A warning message appears if you select this check box.
Step 6
Click OK.
Step 7
Select the Report Attachment field if you want to receive the report through e-mail.
b.
c.
Enter a brief description about the Device Polling job in the Job Description field.
d.
Enter your e-mail ID in the E-mail field to receive notifications about the status of the Device
Polling job.
You can enter multiple e-mail addresses separated by commas.
Entering an e-mail ID is mandatory when you have selected the Report Attachment field.
Step 8
Invalid timeout and retries may have been configured on the device.
To delete unreachable devices from DCR, select Reports > Inventory > Management Status >
Unreachable Devices.
user_defined_field_0
user_defined_field_1
user_defined_field_2
user_defined_field_3
You can add six more UDFs through the user interface. You can rename or delete all the UDFs including
the four default UDFs provided by the user interface.
This section explains the following:
Select Admin > Network Administration > Device Credential Repository Settings > User Defined
Fields.
The User Defined Fields page appears with the current settings.
Step 2
Step 3
Step 4
Click Apply to apply the changes. To return to the User Defined Fields page, click Cancel.
Select Admin > Network > Device Credential Settings > User Defined Fields.
The User Defined Fields dialog box appears.
Step 2
Select the radio button corresponding to the UDF you want to rename.
Step 3
Click Rename.
The User Defined Field dialog box opens in a new window.
Step 4
Step 5
Click Apply. To return to the User Defined Fields page, click Cancel.
Select Admin > Network > Device Credential Settings > User Defined Fields.
The User Defined Fields dialog box appears.
Step 2
Step 3
Click OK. To return to the User Defined Fields page, click Cancel.
When other applications manage the newly added device, the management operations fail if they
cannot retrieve the required credentials from DCR. To prevent the management operations from failing,
you can use the default credentials while adding devices through Discovery.
The default credentials you use while adding or importing devices into DCR are not verified.
You can configure multiple default credential sets and add or import a set of devices in DCR with
default credentials from a default credential set. Later, you can edit the value of the credentials in a
default credential set and add another set of values with the edited default credentials.
The devices that are already added or imported into DCR are not affected if you edit the values
of the default credentials or remove the default credentials from DCR.
Devices added with default credentials in DCR are populated with all the credentials you have
configured for the default credential set, irrespective of the device management type.
For example, if you have configured the default credential set with Standard credentials, SNMP
credentials, and Auto Update Server Managed Device credentials, and you add a device of
Standard management type in DCR, the Auto Update Server Managed Device credentials are also
populated for that device.
We recommend that you configure a default credential set with the values common to most of the
devices that are to be added or imported into DCR.
HTTP credentials (Primary HTTP Username and Password, Secondary HTTP Username and
Password, HTTP port, HTTPS port, Current Mode)
Select Admin > Network > Device Credential Settings > Default Credential Sets.
The Default Credentials Sets page appears.
The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone
LMS Servers. You cannot see this list item in DCR Slave Server.
Step 2
Click Next or select Credential Sets name from the Default Credentials list panel and enter the
respective credential information.
Step 3
Enter a name of the credential set in the Credential Set Name field. This is mandatory.
The Credential Set Name can contain lowercase letters, uppercase letters, and numerals (0 to 9).
You can include the following special characters in the Credential Set Name:
Special Character
Description
Underscore
Hyphen
Period
Step 4
Step 5
Click Next or select a credential type from the Default Credentials list panel and enter the respective
credential information. You can select any of the credential types from the panel.
Step 6
Standard Credentials
SNMP Credentials
HTTP Credentials
Standard Credentials
Primary Credentials (Username, Password, Enable Password)
Secondary Credentials (Username, Password, Enable Password)
SNMP Credentials
SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community
String)
SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy
HTTP Credentials
Primary Credentials (Username, Password)
Secondary Credentials (Username, Password)
Other Information (HTTP Port, HTTPS Port, Current Mode)
Note
You must enter a value for at least one credential before applying the default credentials.
Step 7
Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also
click Back to navigate to the previous page and click Remove to delete the Default Credential Set and
the credentials configured in this Credential Set, but it will not affect the devices that are already added
or imported with default credentials.
Select Admin > Network > Device Credential Settings > Default Credential Sets.
The Default Credentials Sets page appears.
The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone
LMS Servers. You cannot see this list item in DCR Slave Server.
Step 2
Click Next or select Credential Set Name from the Default Credentials list panel.
Step 3
Select a default credential set name from the Credential Set drop-down list box.
Step 4
Edit the description of the credential set in the Set Description field.
You cannot edit the name of the credential set.
Step 5
Click Next or select a credential type from the Default Credentials list panel.
Step 6
Standard Credentials
Primary Credentials (Username, Password, Enable Password)
Secondary Credentials (Username, Password, Enable Password)
SNMP Credentials
SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community
String)
SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy
HTTP Credentials
Primary Credentials (Username, Password)
Secondary Credentials (Username, Password)
Other Information (HTTP Port, HTTPS Port, Current Mode)
Note
Step 7
Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also
click Back to navigate to the previous page and click Remove to delete the Default Credential Set and
the credentials configured in this Credential Set, but it will not affect the devices that are already added
or imported with default credentials.
Select Admin > Network > Device Credential Settings > Default Credential Sets.
The Default Credentials Sets page appears.
The Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone LMS
Servers. You cannot see this list item in DCR Slave Server.
Step 2
Step 3
IP Address
Hostname
Device Name
You can include patterns when creating rules for IP Address based default credential set policies.
See Patterns in IP Address Default Credential Set Policy Rules for more information.
Regular expressions are supported for policies based on Hostname and Device Names. IP Address
based policy types do not support regular expressions.
See Regular Expressions in Default Credential Set Policy Rules for more information.
The expressions in default credential set policy rules are case insensitive.
You can include the following characters in Device Name and Hostname:
Lowercase letters
Uppercase letters
Numerals (0 to 9)
Special characters such as hyphen (-), underscore (_), period (.) and colon (:)
When you define more than one policy for a default credential set, all these policy rules work
together. The policies will be applied in the same order in which they appear on the Credentials Sets
Policy Configuration page.
See Defining the Order of Default Credential Set Policies for more information.
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Default Credentials Sets Policy Configuration page appears.
The Default Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master
and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.
Step 2
Step 3
Select a parameter from the Select a Policy Type drop-down dialog box.
The listed parameters are IP Range, Hostname and Device Name.
Based on the parameter that you have selected, the value field name changes dynamically.
b.
c.
Select a credential set name from the Credentials Set drop-down list box to associate the rule
expression with the default credential set.
Select No Default if you do not want to enter a credential set name.
Step 4
You can edit a default credential set policy later. To do so, you must select a default credential set policy
in the Credentials Sets Policy Configuration page and click Edit.
Use the standard IPv4 Address format (4 octets separated by periods) or the IPv6 Address format.
Example
Numbers between:
001:DB8:0:2AA:FF:C0A8:0:640A (IPv6 Address)
10.77.[220-240].[210-220] (IPv4 Address)
001:DB8:0:[EE-FF]:FF:C0A8:0:[100-AAF] (IPv6 Address)
or equal to EndingNumber
10.77.[250-200].221
10.77.200-250.221
001:DB8:0:[EEEE-FF]:FF:C0A8:0:[D-5]
001:DB8:0:AA-BB:FF:C0A8:0:[D-5]
The octets in an IP Address policy type can also contain the combination of wildcard characters and
range of numbers. Some examples of IP Address filter combinations include:
10.77.[210-230].*
10.77.*.[110-210]
001:DB8:*:*:FF:[C0A-DD8]:0:[5-D]
[10-20]:[10-20]:[A-F]:2:4:*:*:*
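The bracketed-range rules for search values and the wildcard-plus-range patterns for IP Address policies can both be checked offline. The following Python validator and matcher is an added example, not Cisco code. It covers IPv4 only and assumes that policy patterns follow the same bracket and low-to-high rules as search ranges and that the first matching policy in the configured order decides the credential set; the set names other than IPSet are constructed.

```python
import ipaddress
import re

_NUM = re.compile(r"[0-9]{1,3}")
_RANGE = re.compile(r"\[([0-9]{1,3})-([0-9]{1,3})\]")


def parse_ipv4_pattern(pattern, allow_wildcard=True):
    """Turn a pattern such as 10.77.[210-230].* into four (low, high) bounds.

    Search-rule values take allow_wildcard=False, because the Value field
    does not accept wildcard characters; policy rules may use '*'.
    """
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"{pattern!r}: expected four octets")
    bounds = []
    for octet in octets:
        ranged = _RANGE.fullmatch(octet)
        if octet == "*" and allow_wildcard:
            low, high = 0, 255
        elif ranged:
            low, high = int(ranged.group(1)), int(ranged.group(2))
        elif _NUM.fullmatch(octet):
            low = high = int(octet)
        else:
            # Covers unbracketed ranges (200-250) and disallowed wildcards.
            raise ValueError(f"{pattern!r}: invalid octet {octet!r}")
        if high > 255:
            raise ValueError(f"{pattern!r}: octet value above 255")
        if low > high:
            raise ValueError(f"{pattern!r}: range {octet} runs high to low")
        bounds.append((low, high))
    return bounds


def is_valid(pattern, allow_wildcard=True):
    """True when the pattern parses under the rules above."""
    try:
        parse_ipv4_pattern(pattern, allow_wildcard)
        return True
    except ValueError:
        return False


def matches(pattern, ip):
    """True when every octet of ip falls inside the pattern's bounds."""
    bounds = parse_ipv4_pattern(pattern)
    octets = ipaddress.IPv4Address(ip).packed  # four integer byte values
    return all(low <= value <= high
               for (low, high), value in zip(bounds, octets))


def first_matching_set(policies, ip):
    """Credential set of the first policy that matches ip.

    Assumption: policies are tried top to bottom and the first match wins.
    """
    for pattern, credential_set in policies:
        if matches(pattern, ip):
            return credential_set
    return None


def shadowed_policies(policies):
    """(later, earlier) pairs where an earlier rule covers every address of a
    later one, so the later rule can never apply under first-match ordering."""
    parsed = [(pattern, parse_ipv4_pattern(pattern)) for pattern, _ in policies]
    shadowed = []
    for index, (pattern, bounds) in enumerate(parsed):
        for earlier, earlier_bounds in parsed[:index]:
            if all(e_low <= low and high <= e_high
                   for (e_low, e_high), (low, high)
                   in zip(earlier_bounds, bounds)):
                shadowed.append((pattern, earlier))
                break
    return shadowed


# Constructed policy order. The first and third patterns and the name IPSet
# appear in this guide; CoreSet and EdgeSet are made up for illustration.
POLICIES = [
    ("10.77.[210-230].*", "IPSet"),
    ("10.77.220.[1-50]", "CoreSet"),
    ("10.77.*.[110-210]", "EdgeSet"),
]

if __name__ == "__main__":
    for ip in ("10.77.220.20", "10.77.100.150", "192.168.1.1"):
        print(ip, "->", first_matching_set(POLICIES, ip))
    for later, earlier in shadowed_policies(POLICIES):
        print(f"{later} can never apply: covered by earlier rule {earlier}")
```

Because default credentials are not verified when devices are added or imported, a rule reported by shadowed_policies would leave its devices with a different credential set than the one intended, so the check is worth rerunning whenever the policy order changes.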
Purpose
Period
Opening parenthesis
Closing parenthesis
Asterisk
Plus character
Trailing slash
Suppose that all devices whose IP Addresses are within the range 10.77.[210-230].* should be added
or imported to DCR with the default credentials defined in a default credential set IPSet.
You should create a default credential set policy based on the IP Range policy type. To do so:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
Step 2
Step 3
Step 4
Select the policy type as IP Range from the Select a Policy Type drop-down list box.
b.
c.
Suppose that all devices whose IP Addresses are within the range
100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15] should be added or imported to DCR with the default
credentials defined in a default credential set IPv6Set.
You should create a default credential set policy based on the IP Range policy type. To do so:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
Step 3
Step 4
Select the policy type as IP Range from the Select a Policy Type drop-down list box.
b.
c.
Suppose that all devices whose Device Names end with or contain device should be added or imported
to DCR with the default credentials defined in a default credential set SetName2.
You should create a default credential set policy based on the Device Name policy type. To do so:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
Step 2
Step 3
Step 4
Select the policy type as Device Name from the Select a Policy Type drop-down list box.
b.
c.
Suppose that all devices whose Device Names contain 1.3.6.1.4.1.9.1.n should be added or
imported to DCR with the default credentials defined in a default credential set SOIDset.
You should create a default credential set policy based on the Device Name policy type. To do so:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
Step 2
Step 3
Step 4
Select the policy type as Device Name from the Select a Policy Type drop-down list box.
b.
c.
Suppose that all devices whose Hostnames start with Che should be added or imported to DCR with
the default credentials defined in a default credential set SetName1.
You should create a default credential set policy based on the Hostname policy type. To do so:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
Step 2
Step 3
Step 4
Select the policy type as Host Name from the Select a Policy Type drop-down list box.
b.
c.
Suppose that all devices whose Hostnames contain lab2 should be added or imported to DCR with the
default credentials defined in a default credential set SetName3.
You should create a default credential set policy based on the Hostname policy type. To do so:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
Step 2
Step 3
Select the policy type as Host Name from the Select a Policy Type drop-down list box.
b.
c.
Step 4
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
The Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master and DCR
Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.
Step 2
Step 3
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears with a list of default credential set policies.
Step 2
Step 3
Either:
Click the Up Arrow icon to move the selected default credential set policy up in the displayed order.
Or
Step 4
Click the Down Arrow icon to move the selected default credential set policy down in the displayed
order.
CHAPTER 5
Managing Groups
LMS 4.2 combines the device grouping with a new attribute list.
The other grouping services that are available in LMS are:
The number of groups that LMS supports varies according to the SKU that you use. For more details,
see the Application Scaling Numbers section in the Installing and Migrating to Cisco Prime LAN
Management Solution 4.2 guide.
This chapter explains the following:
Group Server:
Manages groups of devices. It helps you to create, edit, delete, and refresh groups to be shared by
the application. It interfaces with an application service adapter (ASA) to evaluate group rules and
retrieve devices of a particular group.
Group Admin:
Allows you to interact with the Groups Server to create and manipulate groups using Group Admin.
Basic Concepts
Group Class:
Representation of a set of devices belonging to DCR. In this context a device in Device and
Credential Repository (DCR) is a single instance of a class. Each instance (device) will have a set
of attributes and a unique device ID.
Group Object:
Device in a group class. Each device in the group will have a set of attributes stored in DCR.
Associated with every device is a unique and immutable device ID.
Group:
Named aggregate entity comprising a set of devices belonging to a single class or a set of classes,
with a common superclass. Groups can be shared between users or applications, subject to
access-control restrictions. The membership of a group is determined by a rule.
Group Rule:
Consists of one or more rule expressions combined by operators, which can be AND, OR or
EXCLUDE. A rule always evaluates to objects of a particular class defined in an application schema.
Groups in Single-Server and Multi-Server Setup
CS@hostname
RME@hostname
Campus@hostname
In LMS 4.2, there are no separate applications and there are four types of groups:
Device Groups
The device group name is LMS@hostname, instead of CS@hostname, RME@hostname, and
Campus@hostname. LMS supports 200 device groups.
Fault Groups
These groups are created by the Fault Management module in LMS, and consist of interface, trunk
port, and access port groups. Each group has a set of properties (such as a name, description, and
permission) and is defined by the rules associated with the group.
After the Master-Slave setup is complete, a group that you add in the Master is synchronized with the
Slave only after the OGS process is restarted. Direct synchronization happens only during the setup.
After setup, both OGS instances act as individual servers.
Note
You can create groups in LMS even if the server on which it is installed is in Slave mode.
If you have created a subgroup under LMS@Master hostname, in S, you can see this subgroup under
LMS@Slave hostname.
In a cluster, if you have M as the Master, and S1 and S2 as M's slaves, and you want to evaluate S1's
groups from S2, you need to import the certificate of S1 to S2 and vice versa.
System-defined Groups
User-defined Groups
System-defined Groups shows subgroups only after the Device and Credential Repository is populated.
The predefined sub-groups under System-defined Groups are:
Network Management
Routers
Note
Wireless
You can create subgroups only under User-defined Groups. You cannot create them under
System-defined Groups. However, you can view the details of a subgroup under System-defined Groups
and refresh the group.
Note
Group Administration UI will be enabled only on servers in which DCR is in Master or Standalone
mode. The groups created in DCR Master will be copied to Group Administration instances on servers
where DCR is in Slave mode.
Device Group Administration
The following sections provide information on how to perform group administrative tasks in LMS 4.2:
Creating Groups
Refreshing Groups
Deleting Groups
Exporting Groups
Importing Groups
The following table explains migration of device groups from previous releases of LMS. In
this example, Group A is an application group created separately in CS, RME, and CM, in earlier
versions of LMS:
LMS Version
Common Services
UDG/SDG
RME UDG/SDG
3.2.1
Group A
Group A
Group A
4.2
After migration to LMS 4.2, Group A is available
After migration to LMS 4.2, Group A is not available
3.2.1
Group A
Group A
4.2
3.2.1
4.2
Subnet-based groups
After migration to LMS 4.2, CM
Subnet-based groups will not be
available.
Creating Groups
This section contains:
Step 1
Either:
Or
The Group Administration in the Group Administration page provides you with Group Selector.
Step 2
Select the group from the groups listed in Group Selector to create a new subgroup.
The Group Info fields on the right display details of the selected group.
The group you select here is the Parent group for the new group that you are about to create. You can
change the Parent group later, if required. You cannot create groups under System-defined Groups but
you can view details and refresh the group.
Users in admin role have read-write access to User-Defined groups based on the visibility scope (Public
or Private). If you have the required permissions, you can create subgroups under groups.
Step 3
b.
c.
The first page in the wizard is the Properties:Create window. While creating a new group you must complete
all of the above three tasks in this sequence to create a group.
If you exit the wizard at any stage by clicking Cancel, the details you have specified will be lost and the
group will not be created.
The recommended limit for creating User-Defined groups is 200, but you are allowed to create up to 600
User-Defined groups in LMS.
Example
Either:
Or
The Group Administration in the Group Administration page provides you with Group Selector.
Step 2
Select User Defined Groups from the groups listed in Group Selector to create a new subgroup.
Step 3
Step 4
Enter the name Energywise_capable devices in the Group Name field in the Properties:Create dialog
box.
Note
Step 5
Click Next.
The Rule Dialog box appears.
Step 6
Step 7
b.
Select Operator as =
c.
Note
Step 8
Click Next.
The Group Membership Assigning page appears.
Step 9
Select one or more devices in Available Objects From Parent Group column.
To select multiple devices, hold the Ctrl or Shift keys down and click on the devices.
Step 10
Click Add.
The selected devices are removed from the Available Objects From Parent Group and added to the Object
Matching Membership Criteria column.
Note
Step 11
Click Next.
The Summary page appears.
Step 12
Click Finish.
Either:
Select Admin > System > Group Management > Device. Click
The Group Administration page appears.
Or
Step 2
Step 3
Enter a name for the group in the Group Name field in the Properties:Create dialog box.
The group name should be unique within the Parent group. However, it need not be so across groups.
The same group name cannot be used in the same group hierarchy.
For example, if you have a group /LMS@Servername/User Defined Groups/MyView, you cannot create
another group with the same name MyView under /LMS@Servername/User Defined Groups.
Step 4
Click Select Group, if you want to copy the attributes of an existing group.
The Replicate Attributes dialog box appears.
Step 5
Select the group you need from the Replicate Attributes list and click OK. To return to the Properties
page, click Cancel.
Step 6
Step 7
Select the group you need from the Select Parent list.
Step 8
Click OK.
The Group Administration wizard changes the Parent group to the one you selected. To return to the
Properties page, click Cancel.
Step 9
Step 10
Automatic:
The membership of the group is updated when you add a new device to the group, and each time the
group is invoked.
If you select Automatic, the group will be a Dynamic group. If you select Only Upon User Request,
the group will be a Static group.
Step 11
Private
The group created can be viewed only by the user who creates the group.
Public
The group created can be viewed by all users.
Step 12
Click Next to get to the Rule:Create dialog box. See Defining Group Rules to define simple and
composite group rules.
If you have created the group by copying the attributes of another group, the rules specified for that group
appear in the Rule Text field. You can retain these and add more rules, or delete these rules and create a
new set of rules.
The Rules:Create dialog box allows you to check the syntax in the Rules Text field. You can use this
facility to validate the rules you have created. If you leave the rule blank, it creates a Container group.
Click View Parent Rules to display the rules defined for its ancestor groups.
This section explains:
Examples
Before you launch the Rule:Create dialog box, ensure that you have completed all the tasks in
Properties:Create dialog box. See Specifying Group Properties for more information.
Complete all the tasks in the Properties page. See Specifying Group Properties for more information.
Step 2
Step 3
Object Type: Denotes the object type used for forming a group. All expressions start with the
string Device.
Variables: Denotes the device attributes, which are used to form a device group.
See System Defined Attributes for details on the variables.
Operators: Denotes the various operators to be used with the rule. The list of operators includes
equals, contains, startswith and endswith. The list of operators changes dynamically with the value
of the variable selected.
For the ManagementIpAddress variable, you can select a range operator other than the standard list
of operators. See Using IP Address Range Operator for more information.
Step 4
Value: Denotes the value of the variable. The value field changes dynamically based on the value
of the variable and operator selected, and the field type can be a text field or a list box.
Step 5
To view the rules defined for the parent groups, click View Parent Rules.
Click Next.
The wizard takes you to the Membership:Create dialog box, where you can further refine the group
definition by adding or deleting specific devices from the group. See Assigning Group Membership for
more information.
If you have entered an invalid IP Address range or invalid values in the Value field, an error message will
be displayed. You should correct the values and then navigate to the Membership:Create dialog box.
Delete the rules displayed in the Rule Text field and click any other field.
Step 2
Step 3
Step 4
Step 5
Select the appropriate parameters for Object Type, Variables, and Operators.
Step 6
Step 7
Step 8
To view the rules defined for the parent groups, click View Parent Rules.
Click Next.
The wizard takes you to the Membership:Create dialog box, where you can further refine the group
definition by adding or deleting specific devices from the group. See Assigning Group Membership for
more information.
Specify the range with permissible values for one or more octets in the IP Address.
The minimum limit in the range is 0 and the maximum limit is 255.
Use the hyphen character (-) as a separator between the numbers that indicate a range.
Specify the range of IP Addresses within the [ and ] characters to create a group rule.
For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field.
You should not:
Enter numbers less than 0 or greater than 255 in the IP Address range.
Enter an upper limit that is less than the lower limit of the range. For
example, you should not enter 10.10.10.[8-4].
See Behavior of IP Address Range Based Device Groups in Multi-Server Setup for more information on
the IP Address Range based device groups in a multi-server setup.
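One way to check a Value string against the rules above before it goes into a group rule, and to see how many addresses it would cover. This is an added example, not part of the Cisco guide or of LMS: the function names and the inventory are constructed, and matching each octet independently is an assumption based on the wording above.

```python
import ipaddress
import re

# One octet of the Value field: a plain number or a bracketed range "[low-high]".
OCTET = re.compile(r"(\d+)|\[(\d+)-(\d+)\]")


class RangeValueError(ValueError):
    """The Value string breaks one of the rules listed above."""


def parse_range_value(value):
    """Return one (low, high) pair per octet, or raise RangeValueError."""
    parts = value.strip().split(".")
    if len(parts) != 4:
        raise RangeValueError(f"expected 4 octets, found {len(parts)} in {value!r}")
    bounds = []
    for position, part in enumerate(parts, start=1):
        match = OCTET.fullmatch(part)
        if match is None:
            # Also catches negative numbers and a missing or stray bracket.
            raise RangeValueError(f"octet {position} ({part!r}) is not N or [low-high]")
        if match.group(1) is not None:
            low = high = int(match.group(1))
        else:
            low, high = int(match.group(2)), int(match.group(3))
        if low > 255 or high > 255:
            raise RangeValueError(f"octet {position} ({part!r}) goes above 255")
        if high < low:
            raise RangeValueError(f"octet {position} ({part!r}) has its limits reversed")
        bounds.append((low, high))
    return bounds


def address_count(bounds):
    """Number of distinct addresses the value can match (scope of the rule)."""
    total = 1
    for low, high in bounds:
        total *= high - low + 1
    return total


def ip_matches(bounds, address):
    """True when every octet of the address falls inside its (low, high) pair."""
    try:
        octets = ipaddress.IPv4Address(address).packed
    except ipaddress.AddressValueError:
        return False  # not a dotted-quad IPv4 address, so it cannot match
    return all(low <= octet <= high for (low, high), octet in zip(bounds, octets))


# Constructed inventory (display name -> management IP), not taken from the guide.
INVENTORY = {
    "edge-rtr-01": "10.10.0.207",
    "dist-sw-07": "10.10.3.250",
    "lab-ap-02": "10.10.4.210",
    "core-rtr-01": "10.11.0.207",
    "oob-console": "not-an-ip",
}


def select_devices(value, inventory=INVENTORY):
    """Names of the devices whose management IP matches the Value string."""
    bounds = parse_range_value(value)
    return sorted(name for name, ip in inventory.items() if ip_matches(bounds, ip))


if __name__ == "__main__":
    for candidate in ("10.10.[0-3].[200-254]", "10.10.[0-255].[0-255]", "10.10.10.[8-4]"):
        try:
            parsed = parse_range_value(candidate)
            print(candidate, address_count(parsed), select_devices(candidate))
        except RangeValueError as error:
            print(candidate, "rejected:", error)
```

The address count is worth checking before saving a rule, because a range on two octets already covers 65536 addresses and every matching device becomes a member of the group.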
Examples
This section contains:
To create a group of all devices whose hostname ends with Test, you should:
Step 1
Step 2
b.
c.
If you want to group all the devices in the network that match the following criteria:
Category of the device should be equal to Routers or IP Address of the device should start with
10.77
Step 2
b.
c.
Step 3
Step 4
b.
c.
d.
Step 5
Step 6
b.
c.
d.
Step 7
Edit the rule expression in the text area to adjust the priorities among the group expressions.
You should place two rule expressions together within opening and closing parentheses. Ensure that
you leave a space between the parenthesis and the group expressions.
The edited composite rule is:
Device.DisplayName contains "TestDevice" AND
( Device.Category equals "Routers" OR
Device.ManagementIpAddress startswith "10.77" )
You can also check the syntax of the group rule entered.
Step 8
To group all devices whose IP Addresses are within the range 10.10.0.207 to 10.10.212.247, you
should:
Step 1
Step 2
b.
c.
Note
In LMS 4.2, the attributes State (Device.State) and System.SystemOID (Device.System.SystemOID) are
not available. If you back up and restore any group created in older versions of LMS using these
attributes, the groups will not be restored.
Table 5-1
Attribute
Description
Example
Asset.CLE_Identifier
Asset.Part_Number
Asset.User_Defined_Identifier
Category
Description: Category into which the device falls. The first level entries in the Device Type tree in DCR Device Management UI.
Example: To create a group of all routers in the network. Select the variable Category.
Chassis.Model_Name
Chassis.Number_Of_Slots
Chassis.Port_Count
Chassis.Serial_Number
Chassis.Vendor_Type
Chassis.Version
DeviceName
DomainName
EnergyWise.Domain_Name
EnergyWise.EnergyWiseState
EnergyWise.Importance
EnergyWise.Keyword
EnergyWise.Role
Flash.File_Name
Flash.File_Size
Flash.Model_Name
Flash.Partition_Free
Flash.Partition_Name
Flash.Partition_Size
Flash.Size
HostName
Image.ROM_Sys_Version
Image.ROM_Version
Image.Sys_Description
Image.Version
ImageVersion
IP.Address
Version of ROM.
Device IP address.
IP.Address_Type
IP.Network_Mask
IPv4.Subnet
IPv4.SubnetMask
IPv6.Subnet
IPv6.SubnetMask
ManagementIpAddress
Select IPv6.
MDFId
Memory.Free
Memory.Name
Memory.Size
Memory.Type
Memory.Used
Model
Memory type.
Module.HW_Version
Module.Model_Name
Module.Port_Count
Module.Serail_Number
Module.Vendor_Type
Processor.Model_Name
Processor.NVRAM_Size
Processor.NVRAM_Used
Processor.Port_Count
Processor.RAM_Size
Processor.Serial_Number
Processor.Vendor_Type
Series
System.ASP_Capability
System.Contact
System.Description
System.DomainName
System.Identity_Capability
System.Location
System.Name
System.OSTYPE
System.Smart_Install_Directors
SystemObjectID
The User-Defined Fields (UDFs) available in the variable drop-down list are taken from DCR. You can
create UDFs at Admin > Network > Device Credential Settings > User Defined Fields. For details,
see Adding User Defined Fields.
If you create a UDF that is similar to one of the predefined System Defined attributes, an _UDF suffix is
appended to the User-Defined Field you add, to distinguish these two attributes.
For example, if you create a UDF called DisplayName (which is one of the predefined attributes present
in the Variable drop-down list), this will be displayed as DisplayName_UDF.
Note
You should not create UDFs in the format System Defined Field_UDF, where System Defined Field
stands for any attribute listed in the above table.
By default, four UDFs are available. You can create an additional six UDFs in DCR. The maximum
number of UDFs that can be added in the Variable drop-down list is 10.
Note
You can add devices from the list of available objects in the parent group even if they do not match
membership criteria.
To add devices to the group you have created:
Step 1
Select one or more devices in Available Objects From Parent Group column.
To select multiple devices, hold the Ctrl or Shift keys down and click on the devices.
Step 2
Click Add.
The selected devices are removed from the Available Objects From Parent Group and added to the Object
Matching Membership Criteria column.
Step 2
Click Remove.
The selected devices are removed from the Object Matching Membership Criteria column and added to
Available Objects From Parent Group.
Step 3
Click Next.
The Summary:Create window appears. It displays the group name, the parent group, description, the
membership update type, group rules, and the visibility scope of the group you created.
If you want to change the parameters, click Back to go back to the previous windows and make changes.
Step 4
Either:
Or
Step 2
Step 3
Click Details.
The Group Administration wizard displays the details of the group in Properties:Details window.
Click View Parent Rules to display the rules set for the parent group.
The rules set for the parent group are displayed in the Show Parent Rules window.
Click Membership Details to display a list of devices and their corresponding object types.
The membership details are displayed in Membership:Details window.
In the Membership:Details window, you can:
Click on the column headers to sort the entries in the table.
Select the number of rows to be displayed in the table in the Rows per page option.
Step 4
Either:
Or
Step 2
Step 3
Click Edit.
The Group Administration wizard guides you through the process of editing a group. It displays the
details of the group in Properties:Edit window.
Step 4
Change the Group Name, Description, Membership Update, and Visibility Scope in the Properties:Edit
dialog box.
You cannot change the Parent group or copy attributes from a different group in Edit mode.
Step 5
Click Next.
The wizard takes you to the Rules:Edit window.
Step 6
Change the rules as required. For details on creating the rules, see Defining a Group Rule.
Step 7
Click Next.
The wizard takes you to the Membership:Edit window.
Step 8
Add or remove devices from the list of objects in Objects Matching Membership Criteria as required.
For details on creating the rules, see System Defined Attributes.
Step 9
Click Next.
The wizard takes you to the Summary window.
If you want to change the parameters specified, click Back to go back to the previous windows and make
changes to the properties or rules.
Step 10
Step 11
Click OK.
The Group Administration wizard copies the attributes of the selected group and displays it in the
corresponding fields in Properties:Create window.
Note that the Parent group you have selected for the group does not change even if you are copying
attributes from a group that belongs to a different Parent group.
Refreshing Groups
You can recompute the membership of a group by re-evaluating the group rule. The membership of
Automatic groups is recomputed dynamically.
The membership of Only-upon-user-request groups is recomputed only when explicitly refreshed with
this option.
Note
Only users with read-write access can refresh the Only-upon-user-request groups.
To refresh a group:
Step 1
Either:
Or
Step 2
Step 3
Click Refresh.
The Group Administration popup window prompts you for confirmation.
Step 4
Click Yes.
The selected group is recomputed and the window is refreshed.
Whenever you delete devices from a group, refresh the group so that group membership is recomputed.
Deleting Groups
You can delete a group from the Group Selector. When you delete a group, all the child groups under the
group are also deleted. You can also delete the stale groups (groups that belong to users removed from
Cisco Prime).
To delete a group:
Step 1
Either:
Or
Step 2
The Group Info fields on the right pane display details of the selected group.
Step 3
Click Delete.
The Group Administration prompts you for confirmation.
Step 4
Click Yes.
The selected group is deleted.
See Deleting Stale Groups Using CLI for more information on how to delete stale groups using CLI.
Exporting Groups
This feature helps you to export a User-defined group hierarchy into a file.
You can export a selected User-defined group hierarchy or all User-defined groups in an LMS Server to
an output file.
Private User-defined groups created by other users will not be exported. However, the
private User-defined groups created by you will be exported.
You must have Network Administrator, System Administrator or Super Admin privileges to export
groups.
In a Multi-server setup, you can export the User-defined groups installed in all LMS Servers of the same
DCR domain. You can do this from a DCR Master Server and a Slave server.
Grouping Services supports exporting User-defined groups to an XML format only. CSV file formats are
not supported.
See Sample Export Groups Output File for sample XML file generated by the Grouping Services export
utility.
Note
We recommend that you use the file generated by the Grouping Services export utility for import
operations and do not edit the XML file.
You can:
Export Groups from the User Interface. See Exporting Groups From User Interface for details.
or
Export Groups through the CLI. See Exporting Groups Through CLI for details.
      <description> </description>
      <rule/>
      <evaluation-type>2</evaluation-type>
      <scope>PUBLIC</scope>
      <tags>
        <tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/>
        <tag tag-name="USER_DEFINED" tag-value="TRUE"/>
        <tag tag-name="__GROUP_ID" tag-value="CS$216"/>
        <tag tag-name="__GROUP_OWNER" tag-value="admin"/>
      </tags>
    </ogs-group-definition>
    <ogs-group-definition>
      <name>/CS@server-name/User Defined Groups/CSStat</name>
      <description/>
      <rule>:CMF:DCR:Device.DisplayName contains "77"</rule>
      <evaluation-type>1</evaluation-type>
      <scope>PUBLIC</scope>
      <tags>
        <tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/>
        <tag tag-name="USER_DEFINED" tag-value="TRUE"/>
        <tag tag-name="__GROUP_OWNER" tag-value="admin"/>
        <tag tag-name="__GROUP_ID" tag-value="CS$221"/>
      </tags>
    </ogs-group-definition>
  </server>
</ogs-groups>
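A read-only review of an export file before it is imported, using the element names from the sample output above. This is an added example, not the Grouping Services utility: the sample file, the bare `<server>` element, the first group's name and the function names are constructed, and the SHA-256 digest is one way to confirm that the file was not edited between export and import.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample. Element and tag names follow the sample output file;
# the bare <server> element and the first group's name are assumptions.
SAMPLE_EXPORT = b"""<ogs-groups>
  <server>
    <ogs-group-definition>
      <name>/LMS@server-name/User Defined Groups/Lab</name>
      <description/>
      <rule/>
      <evaluation-type>2</evaluation-type>
      <scope>PUBLIC</scope>
      <tags>
        <tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/>
        <tag tag-name="__GROUP_ID" tag-value="CS$216"/>
        <tag tag-name="__GROUP_OWNER" tag-value="admin"/>
      </tags>
    </ogs-group-definition>
    <ogs-group-definition>
      <name>/CS@server-name/User Defined Groups/CSStat</name>
      <description/>
      <rule>:CMF:DCR:Device.DisplayName contains "77"</rule>
      <evaluation-type>1</evaluation-type>
      <scope>PUBLIC</scope>
      <tags>
        <tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/>
        <tag tag-name="__GROUP_OWNER" tag-value="admin"/>
        <tag tag-name="__GROUP_ID" tag-value="CS$221"/>
      </tags>
    </ogs-group-definition>
  </server>
</ogs-groups>"""


def export_digest(data):
    """SHA-256 of the file as exported; record it and compare before import."""
    return hashlib.sha256(data).hexdigest()


def load_groups(data):
    """Parse an export file into one dict per ogs-group-definition."""
    upper = data.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        # An export file has no reason to carry a DTD; do not hand it to the parser.
        raise ValueError("DTD or entity declaration present; not a plain export file")
    root = ET.fromstring(data)
    if root.tag != "ogs-groups":
        raise ValueError(f"unexpected root element {root.tag!r}")
    groups = []
    for definition in root.iter("ogs-group-definition"):
        tags = {t.get("tag-name"): t.get("tag-value") for t in definition.iter("tag")}
        groups.append({
            "name": (definition.findtext("name") or "").strip(),
            "rule": (definition.findtext("rule") or "").strip(),
            "evaluation_type": (definition.findtext("evaluation-type") or "").strip(),
            "scope": (definition.findtext("scope") or "").strip(),
            "owner": tags.get("__GROUP_OWNER"),
            "group_id": tags.get("__GROUP_ID"),
            "virtual_root": tags.get("__VIRTUAL_ROOT"),
        })
    return groups


def review_notes(group):
    """Points a reviewer would want to see for one group before importing it."""
    notes = []
    if not group["rule"]:
        notes.append("blank rule: container group")
    if group["scope"] == "PUBLIC":
        notes.append("PUBLIC: visible to all users")
    name_root = group["name"].split("/")[1] if group["name"].startswith("/") else ""
    if name_root != group["virtual_root"]:
        notes.append(f"name root {name_root} differs from __VIRTUAL_ROOT {group['virtual_root']}")
    return notes


if __name__ == "__main__":
    print("sha256:", export_digest(SAMPLE_EXPORT))
    for entry in load_groups(SAMPLE_EXPORT):
        print(entry["name"], "| owner:", entry["owner"], "| rule:", entry["rule"] or "(none)")
        for note in review_notes(entry):
            print("   -", note)
```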
Step 2
Step 3
Click Export.
The Export Groups dialog box appears.
Step 4
Export the selected User-defined Group hierarchy: Exports the selected User-defined Group and
its child groups.
Or
Export All Applications User-defined Groups: Exports all User-defined Groups from all
applications installed on all LMS Servers in the same DCR domain.
The browser-specific File Download window appears prompting you to open or save the output XML
file OGSExport.xml.
Step 5
Or
Save to store the file on the client system with the same or a different filename.
Importing Groups
This feature helps you to import User-defined group hierarchies from an input XML file to the LMS
Server.
Note
You cannot import User-defined groups from older versions of LMS to LMS 4.0 and later versions.
You can import User-defined groups from an input file to the LMS Server.
The private User-defined groups in the input XML file will be imported as your private User-defined
groups in LMS Server. They will not be visible to other users.
You must have Network Administrator, System Administrator or Super Admin privileges to import
groups.
In a Multi-server setup, you can import User-defined groups from a DCR Master Server and a Slave
server.
Note
We recommend that you use the file generated by the Grouping Services export utility for import
operations and do not edit the XML file.
You can:
You must have the required file permissions to select a source XML file for import groups operation.
After importing groups, the group selector may take some time to refresh and display the latest
groups information.
You must launch the Groups Administration page again to view the newly imported groups.
To launch the Groups Administration page, select Admin > System > Group Management >
Device.
Step 1
Either:
Or
Step 2
Click Import.
The Import Groups - File Selection dialog box appears.
Step 3
Enter an input XML file name in the File Name field or click Browse to select a file from the client
system.
The Import Groups dialog box appears with a list of import groups specified in the input XML file.
Step 4
Select the list of groups to be imported from the Import Groups From field.
Step 5
Select a server location to which the groups are to be imported in the Import Groups to Servers field.
You can select multiple Grouping Server locations or All to select all the Grouping Server locations.
This field is disabled on LMS Servers operating in the DCR Standalone mode.
Step 6
Click OK.
A message appears indicating if the groups were imported or not.
See Important Notes on Importing Groups for the possible causes of the import job failure.
See Using Group Administration Features Through CLI for more information on using group
administration feature using CLI.
Or
DCR Mode Changes and Group Behavior
This displays the Group Management page. The Group Selector field displays two groups,
System-defined Groups and User Defined Groups. The Subnet Based Groups are created under System
Defined Groups.
The rule expression for Subnet Based Groups has the following components:
Class.attribute operator "value"
For example,
Device.IP.Subnet equals "172.20.104.192" AND Device.IP.SubnetMask equals "255.255.255.240"
The rule above will select all devices of subnet 172.20.104.192 and subnet mask 255.255.255.240.
The examples provided here are simple. However, the Grouping Service allows complex rules to be
arbitrarily formed by combining rule expressions with AND, OR or the EXCLUDE operators. This gives
the administrator the power and flexibility to create view partitions tailored to the needs of their site.
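The Class.attribute operator "value" form described above, and the composite rule from the earlier device group example, evaluated over a constructed inventory to show how the parentheses change membership. This is an added example, not LMS code: the parser, the inventory and the AND-before-OR precedence are assumptions, the operators are treated as case-sensitive, and EXCLUDE is not handled.

```python
import re

# Quoted value, parenthesis, or bare word (attribute, operator, AND, OR).
TOKEN = re.compile(r'\s*(?:"([^"]*)"|([()])|([A-Za-z_][\w.]*))')
OPERATORS = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
    "startswith": lambda actual, wanted: actual.startswith(wanted),
    "endswith": lambda actual, wanted: actual.endswith(wanted),
}


def tokenize(rule):
    """Split rule text into (kind, text) pairs."""
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        match = TOKEN.match(rule, pos)
        if match is None:
            raise ValueError(f"cannot read rule at offset {pos}: {rule[pos:pos + 20]!r}")
        quoted, paren, word = match.groups()
        if quoted is not None:
            tokens.append(("STR", quoted))
        elif paren:
            tokens.append((paren, paren))
        else:
            tokens.append((word if word in ("AND", "OR") else "WORD", word))
        pos = match.end()
    return tokens


class RuleParser:
    """or_expr -> and_expr (OR and_expr)*; and_expr -> term (AND term)*."""

    def __init__(self, rule):
        self.tokens, self.pos = tokenize(rule), 0

    def peek(self):
        return self.tokens[self.pos][0] if self.pos < len(self.tokens) else None

    def take(self, kind):
        if self.peek() != kind:
            raise ValueError(f"expected {kind}, found {self.peek()} at token {self.pos}")
        self.pos += 1
        return self.tokens[self.pos - 1][1]

    def parse(self):
        tree = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected {self.peek()} at token {self.pos}")
        return tree

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take("OR")
            node = ("OR", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.term()
        while self.peek() == "AND":
            self.take("AND")
            node = ("AND", node, self.term())
        return node

    def term(self):
        if self.peek() == "(":
            self.take("(")
            node = self.or_expr()
            self.take(")")
            return node
        attribute, operator, value = self.take("WORD"), self.take("WORD"), self.take("STR")
        if not attribute.startswith("Device.") or operator not in OPERATORS:
            raise ValueError(f"unsupported expression: {attribute} {operator}")
        return ("CMP", attribute[len("Device."):], operator, value)


def evaluate(node, device):
    """Apply a parsed rule to one device (a dict of attribute name -> value)."""
    if node[0] == "CMP":
        _, attribute, operator, wanted = node
        return OPERATORS[operator](device.get(attribute, ""), wanted)
    left, right = evaluate(node[1], device), evaluate(node[2], device)
    return (left and right) if node[0] == "AND" else (left or right)


# Constructed inventory; device names, categories and addresses are made up.
INVENTORY = [
    {"DisplayName": "TestDevice-rtr1", "Category": "Routers", "ManagementIpAddress": "192.0.2.10"},
    {"DisplayName": "TestDevice-sw1", "Category": "Switches", "ManagementIpAddress": "10.77.1.5"},
    {"DisplayName": "core-rtr9", "Category": "Routers", "ManagementIpAddress": "10.77.9.1"},
    {"DisplayName": "TestDevice-ap1", "Category": "Wireless", "ManagementIpAddress": "10.20.0.3"},
]
A = 'Device.DisplayName contains "TestDevice"'
B = 'Device.Category equals "Routers"'
C = 'Device.ManagementIpAddress startswith "10.77"'
FLAT = f"{A} AND {B} OR {C}"            # no parentheses
GROUPED = f"{A} AND ( {B} OR {C} )"     # the edited composite rule


def members(rule, inventory=INVENTORY):
    tree = RuleParser(rule).parse()
    return [device["DisplayName"] for device in inventory if evaluate(tree, device)]
```

Under these assumptions the flat rule also pulls in core-rtr9, a device in 10.77 whose display name does not contain TestDevice, which is the kind of unintended membership that View Parent Rules and a membership review are there to catch.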
The following table gives details of DCR mode changes and implications on Groups.
Mode Changed to:
The Initial
Mode
Standalone
Slave
Master
Standalone
Not applicable.
Master
Unregistering a Slave
The Unregister Slave utility helps you unregister a Slave that is no longer a part of the domain.
The utility is useful in the following scenarios:
Change in Slave mode because of Backup and Restore. That is, if data is restored from Standalone
or Master belonging to a different domain.
Change in Slave mode, when master is not reachable. If the Master is down when the Slave mode
changes, the Master will not be aware of the Slave mode change, when it comes up.
The Master will not receive any data from the Slave, but the Slave information will still be in its registry.
A redundant group (such as LMS@Slave) will still appear in the Master Groups UI.
Port and Module Group Administration
In the case of DCR, any device operation on Master will update the Slave list. However, this does not
happen in the case of Groups.
You can run the UnregisterSlave utility to remove any unwanted slave information:
From the CLI, run:
NMSROOT/bin/perl NMSROOT/bin/UnregisterSlave.pl slave host name
You have to enter the hostname of the machine you want to unregister.
For information on effects of backup-restore on data, DCR modes, and Groups, see Effects of
Backup-Restore on DCR and Effects of Backup-Restore on Groups.
When the Master server is using an earlier version of LMS, you cannot create device groups based
on IP Address range.
When the Slave server is using an earlier version of LMS, the IP Address Range based device groups
information in the Master is synchronized with the Slave.
Even if you change the mode of Slave server to Standalone, the IP address range based device groups
will remain as they were in the Groups Server.
However, you cannot retrieve the device group information from the Standalone LMS Server to view
it in the user interface. To retrieve and view the device group information, you should either:
Upgrade the LMS in Standalone LMS Server to LMS 4.2.
Or
Change the mode of the LMS Server that has the earlier version of LMS 4.2 from Standalone to
Slave for a DCR Master with the latest version of the software.
Port and Module configuration depends on the data collected by LMS Inventory. For the Port and
Module configuration to work properly, the inventory collection for the devices must be successful.
2.
You must trigger a fresh inventory collection to update all the port and module attributes.
3.
If the data collection is not successful, then data will not be available for some attributes.
4.
2.
3.
4.
In some devices, duplicate entries are returned for the ifName MIB. In such cases, only one entry
for the ifName will be considered and the duplicate entries will be dropped.
5.
The port information is fetched from the ifXtension MIB. If the ifXtension MIB is not supported in
the device, then port configuration for the device will not work.
For example, if a device supports only SNMPv1, then ifXtension MIB will not be supported in the
device. In this case, the port configuration for the device will not work.
The LMS Port and Module Group Browser window contains these fields. (See Table 5-2)
Table 5-2
Field/Button
Description
Group Name
100 Mbps Ethernet Ports: Contains all 100 Mbps Ethernet ports in the network.
Description
Group Type
Created By
Last Modification
Time.
This page displays the number of rows you have set for display in the Rows per page field.
You can increase the rows to 500 for each page by selecting the Rows per Page drop-down list. You
can navigate through the pages of the report using the navigation icons at the bottom right of this table.
Create
Starts the Group Creation Wizard for creating a group, as described in the Creating Port and Module
Groups.
Edit
Starts the Group Edit Wizard for editing an existing group, as described in the Editing Port and Module
Groups.
View
Allows you to view the group details, as described in the Viewing Port and Module Group Details.
Delete
Deletes the group, as described in the Deleting Port and Module Groups.
You can perform the following tasks from the LMS Port and Module Group Browser window:
2.
3.
4.
You must complete all tasks in this sequence to create a group. If you exit the wizard at any stage using
Cancel, the details you have specified will be lost and the group will not be created.
Note
Port and Module configuration depends on the data collected by the LMS Inventory. For the Port and
Module configuration to work properly, the inventory collection for the devices must be successful.
Field
Description
Group Name
Description
To enter the values in Port and Module Group Properties dialog box:
Step 1
Either:
Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
Step 2
Click Create.
The Group Properties page appears.
Step 3
Enter a unique name for the group in the Group Name field.
Step 4
Step 5
Click Next.
The Select Group Source page appears, displaying the Device Selection dialog box.
Fields
Description
Device Selector
Search Input
Search
Use this icon to perform a simple search of devices based on the search criteria
you have specified in the Search Input text field.
For information on Search, see Performing Simple Search.
Advanced Search
Use this icon to perform an advanced search of devices based on the search
criteria you have specified in the Search Input text field.
For information on Advanced Search, see Performing Advanced Search.
All
Lists all User-defined and System-defined groups for all applications that are
installed on LMS Server.
For more information, see Selecting Devices From All Tab.
Search Results
Selection
Lists all the devices that you have selected in the Search Results or All tab.
Using this tab, you can deselect devices from the list.
Group Selector
Either:
or
Step 2
Click Next.
The Rule Express page appears.
Description
Object Type
Variable
Module
Port
Object type attributes, based on which you can define the group.
See Rule Attributes for Port and Module Creation.
Operator
Operator to be used in the rule. The list of possible operators changes, based on the variable
selected.
When using the equals operator, the rule is case-sensitive.
Value
Value of the rule expression. The possible values depend upon the variable and operator that you
select. Depending on the operator selected, the value may be free-form text or a list of values.
Wildcard characters are not supported.
(Button)
Rule Text
Check Syntax
(Button)
Use this button to verify the syntax of the rule that you have created before proceeding to the
next step.
Field/Buttons
Description
Include
Include List popup opens and lists all the modules or ports from the selected devices that do not
match the rule. You can choose to include those modules or ports for group creation.
(Button)
The Include List popup will also list the modules or ports that match the rule but will not be
enabled for selection.
Click Include to launch the Include List window. See Table 5-5 for descriptions of the fields in
the Include List window.
You can also include modules or ports for the selected devices, without specifying a rule, by
clicking Include.
Exclude
Exclude List popup opens and lists all the modules or ports from the selected devices that match
the rule. You can choose to exclude those modules or ports for group creation.
(Button)
The Exclude List popup will also list the modules or ports that do not match the rule but will not
be enabled for selection.
Click Exclude to launch the Exclude List window. See Table 5-5 for descriptions of the fields
in the Exclude List window.
To define the group rule:
Step 1
Step 2
Step 3
Enter the desired value for the Variable you have selected.
Step 4
Step 5
Step 6
Include: A popup window appears, allowing you to include ports or modules for the group. See
Table 5-5 for the descriptions of the fields in the Include List window.
Exclude: A popup window appears, allowing you to exclude ports or modules for the group. See
Table 5-5 for the descriptions of the fields in the Exclude List window.
If the syntax is correct, an information box appears with a message, The rule syntax is valid.
If the syntax is incorrect, an error box appears with a message, You have entered an invalid
rule. Enter a valid rule. See the Help for examples of valid rules.
For examples on defining valid rules, see Examples for Port and Module Groups.
Step 7
Click Next.
The Summary page appears, displaying the group properties. See Understanding the Summary.
Note
You can also include modules or ports for the selected devices, without specifying a rule, by clicking
Include.
If you include the ports or modules for the selected devices, and also exclude the same ports or modules,
the exclude option will have a higher priority.
Rule Attributes for Port and Module Creation
The following table lists the available attributes that you can use to define rules to create port and module
groups.
Object Type / Attribute / Description

Module
  AdminStatus
  FW_Version
  ModuleName
  OperStatus
  SlotNumber
  SW_Version
  VendorType

Port
  AdminStatus
  CM.AccessStatus
  CM.Channel
  CM.Duplex
  CM.JumboFrameEnabled
  CM.L2L3
  CM.LinkStatus
  CM.Neighbor
  CM.TrunkStatus: Whether the port is a Trunk port. If trunk is configured in the port, then it
  is a trunk port.
  CM.VLAN_ID
  CM.VLAN_NAME
  CM.VTP_DOMAIN
  EnergyWise_Importance: This value prioritizes the devices in a domain based on their power usage.
  EnergyWise_Role
  EnergyWise_Keyword: A word that will help you identify a specific device or group of devices in
  the EnergyWise domain.
  FlexLink
  IFIndex
  IsEnergyWisePort
  Identity_Security_Mode: Specifies the security mode, based on the level of security you wish to
  implement in your network. The three types of security modes are:
    Monitor Mode
  MACsecStatus
  OperStatus
  PortDescription
  PortName
  SpanEnabled
  Speed
  Type
Note
For port attributes whose names start with CM., the data collection for the attributes must be successful.
Examples for Port and Module Groups
Rule to select all the Ports whose Port Description contains the string: Ethernet
Rule to select all the Ports that are connected to another device
Rule to select all the Ports whose Port Description contains the string: Ethernet
This rule filters all ports whose Port description contains the string Ethernet.
To provide rule expression for this scenario:
From the Create Rules dialog box:
Step 1
Step 2
Step 3
Step 4
Step 5
Rule to select all the Ports that are connected to another device
This rule filters all Ports that are connected to another device.
To provide rule expression for this scenario:
From the Create Rules dialog box:
Step 1
Step 2
Step 3
Step 4
Step 5
This rule filters all the modules that are placed in slot number 1.
To provide rule expression for this scenario:
From the Create Rules dialog box:
Step 1
Step 2
Step 3
Step 4
Step 5
Rule to list all ports whose Port description contains either the string Ethernet or the string FastEthernet.
To provide rule expression for this scenario:
Step 1
b.
c.
d.
e.
Step 2
Step 3
b.
c.
d.
e.
The OR logical operator evaluates if either or both of the conditions are satisfied. The ports are selected
based on either or both of the matching criteria.
Rule to select all the FastEthernet Ports whose Operational status is up.
To provide rule expression for this scenario:
Step 1
b.
c.
d.
e.
Step 2
Select the AND option from the logical operator list box.
Step 3
b.
c.
d.
e.
The AND logical operator evaluates if both the parameters are satisfied. Only devices that satisfy both
the criteria are selected.
Table 5-5 describes the Include and Exclude window fields in the Rule Expression page of Port and
Module Group Administration.
Table 5-5
Window
Fields/Buttons
Description
Include List
Device Selector
Include
(Button)
Filter by Port/Module
Name
Exclude List
Device Selector
Exclude
(Button)
Filter by Port/Module
Name
Field
Description
Group Name
Description
Rule
Devices/Groups in Rule
Step 2
Click OK.
You can view the newly created group in the Port and Module Group Browser page.
Or
Click Back to change the group properties.
Either:
Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
Step 2
Field/Button
Description
Group Name
Parent Group
Type
Description
Rule
Created By
User who created the group. This also displays the time at which the
group was created.
Last Modified By
User who last modified the group. This also displays the time at which
the group was last modified.
Devices/Groups
Devices or Device Groups that are part of the port or module group.
Membership Details
Used to view the list of devices that belong to the group. See Viewing
Membership Details.
(Button)
Cancel
(Button)
Closes the page and takes you back to the Port and Module Group
Browser page.
You can view a list of the objects that belong to a group by accessing the Group: Details dialog box.
Step 1
Either:
Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
Step 2
Select the group name for which you want to view the membership details and click View.
The Group: Details dialog box appears.
Step 3
Field/Button
Description
Device Selector
Name of the port or module in the device that are part of the group.
Description
Description of the ports or modules in the device that are part of the
group.
Enter the filter expression and click Filter to filter the port or modules
in the device that are part of the group.
Close
(Button)
Either:
Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
Step 2
Step 3
Click Edit.
The Group Properties page appears, displaying the Port and Module Group Properties dialog box. See
Entering the Port and Module Group Properties Details.
You cannot:
Step 4
Click Next.
The Select Group Source page appears, displaying either Device Selector or Group Selector dialog box.
Device Selection
If you have selected devices using Device Selector in the Create flow.
If you have created the group by including the ports or modules without specifying the rule in
the Create flow. In this case, only the devices for which you selected ports or modules are
displayed.
Or
Group Selection: If you have selected device groups using Group Selector in the Create flow.
You can modify the devices or groups that you have selected, based on your requirement.
Step 5
Click Next.
The Rules Expression page appears, displaying the rule previously set. See Defining Rule Expression
for Port or Module Groups.
You can modify and define new rules.
If you include the ports or modules for the selected devices, and also exclude the same ports or modules,
the exclude option will have the higher priority.
Step 6
Click Next.
The Summary page appears, displaying the group details. See Understanding the Summary.
Step 7
Either:
Click Finish to complete the editing procedure for the group.
Or
Click Back to change the group properties.
Note
Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups.
Step 2
Select the group to remove from the Port and Module Group Browser dialog box.
Step 3
Click Delete.
A confirmation dialog box shows that the group will be deleted.
Step 4
Click OK.
Broadband Cable
Content Networking
Network Management
Optical
Routers
Storage Networking
Wireless
Working with Fault System-defined Groups
If the 10MB - 100MB group has been set to high priority when compared to 1 GB Ethernet group,
then the 10GB device falls under the 10MB - 100MB group. In order to make it fall under 10 GB
Ethernet Group, you must set the priority of the group to high.
If the 10MB - 100MB group has been set to low priority when compared to 1 GB Ethernet group,
then the 10GB device falls under 10 GB group.
For more information, see Setting Priorities in Monitoring and Troubleshooting Online Help.
Interface Groups
Device Groups
Table 5-7 lists the seven customizable groups that appear in each of the four categories.
Table 5-7
Customizable
Groups
Intended Use
Add one device to any of these groups when you need to test. For example, to test a
changed threshold or interval value for a polling setting.
C
1
2
Consider using customizable groups 1, 2, 3, and 4 when you want to override polling
settings and thresholds for more than one device.
3
4
You configure a customizable group to have the highest priority. To do so, see Setting Priorities section
in Monitoring and Troubleshooting Online Help. You must add devices to the customizable groups
before you can set polling parameters or threshold values for them. To do so, see Working with
Customizable Groups.
Since you cannot change the rules for system defined groups, Fault Management provides groups that
you can customize so that they contain devices, ports, or interfaces.
Port and interface containment is only seen and used by Polling and Thresholds (Monitor > Threshold
Settings > Fault).
After you edit or create a group, you can determine whether other Cisco Prime users can view the group.
Table 5-8
Access ports
Thresholds
Customizable Groups
Devices
Interfaces
Thresholds
Trunk ports
Thresholds
Group Name
Managing Fault Groups
For each of the parent groups listed in Table 5-8, Fault Management provides seven configurable
subgroups. Table 5-9 describes the restrictions placed on the subgroups.
Table 5-9
Group Name
Customizable Group A
Restrictions
Cannot be deleted
Customizable Group 1
Customizable Group 2
Cannot be deleted
Customizable Group 3
Customizable Group 4
Customizable Group B
Customizable Group C
Note
If you are connecting to the LMS server for the first time, a Security Alert window is displayed
when you select an option. Do not proceed without viewing and installing the self-signed
security certificate.
See Editing and Creating Fault Groups for information on how to use Group Administration to create
and edit groups. In addition to creating and editing groups, Group Management provides the following
functions:
Table 5-10 describes the fields in the Group Administration and Configuration page.
Table 5-10
Field/Button
Description
Group Selector
Group Info
When you select an item from the Group Selector, the Group Info pane displays the
following information:
Create
Starts the Group Creation Wizard for creating a group, as described in Editing a
Fault Group.
Edit
Starts the Group Edit Wizard for editing user defined groups, as described in Editing
a Fault Group. Not supported for view groups created from the Alerts and Activities
Defaults page.
Details
Opens the Properties: Details page, as described in Viewing Fault Group Details.
Refresh
Delete
You can edit user defined customizable subgroups. For example, the subgroup Customizable
Group 1 under Customizable Access Port Groups. These subgroups are listed in Working with
Customizable Groups.
You can create or edit user defined miscellaneous groups. These groups can be used with views in
the Alerts and Activities display, or with notification groups in Notification Services.
You cannot edit or view groups created from the Alerts and Activities Defaults page.
Understanding Rules
LMS uses the Group Creation Wizard to guide you through the steps required to create or edit a group.
The wizard consists of four steps:
1.
2.
3.
Modifying group membership (for details, see Finalizing Fault Group Membership).
4.
Viewing the summary (for details, see Viewing the Fault Group Summary).
Either:
Or
Step 2
In the Group Selector, select the group you want to edit, click Edit.
The Properties: Edit page appears.
You can modify the following in the Properties: Edit page:
Group Name
Will be automatically populated when editing customizable subgroups; for example, Customizable
Group 1 under Customizable Access Port Groups.
Description
Membership update type (not supported for port and interface groups)
The parent group is displayed, but it cannot be modified.
Step 3
Visibility Scope
Click Next.
The Rules: Edit page appears. For more information on creating rules, see Understanding Rules.
To return to any of the previous pages in the wizard, click Back.
Note
From the first list, select a logical operator (applicable when there are multiple rule expressions).
The list of logical operators is enabled after at least one rule expression is entered.
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Verify whether the syntax of the rule is correct by clicking Check Syntax.
A dialog box appears, stating that the syntax is valid.
Step 8
Click OK.
If you want to view the rules for the parent group, select View Parent Rules.
All rules assigned to a parent group also apply to any of its subgroups.
Step 9
Click Next.
The Membership: Edit page appears.
To delete a rule:
Step 1
In the Rule Text box, select the entire rule text and press the Delete key.
After deleting the rule, you must click the page so that the page can refresh, removing the list of logical
operators.
Step 2
Click Next.
The Membership: Edit page appears.
In the Available Objects from Parent Group column, select the device you want to add.
Step 2
Click Add.
Step 3
Click Next.
The group's information appears in the Summary: Create page.
Step 4
Click Finish.
A dialog box appears, stating that changes to the group have been saved.
Step 5
Click OK.
To remove an object:
Step 1
In the Objects Matching Membership Criteria column, select the device you want to remove.
Step 2
Click Remove.
Step 3
Click Next.
The group's information appears in the Summary: Create page.
Step 4
Click Finish.
A dialog box appears, stating that changes to the group have been saved.
Step 5
Click OK.
Note
When you create a fault group, at least one device must be in the managed state.
Procedure
Step 1
Either:
Or
Step 2
Step 3
Click Create.
The Properties: Create page appears.
Step 4
b.
Select the group from which you want to copy the attributes.
c.
Click OK.
All attributes except the group name are copied to the new group.
If you want to change the parent group (the location where the group will reside in the Group Selector),
do the following:
a.
b.
Step 5
Click OK.
Enter a description. This is optional.
Step 6
If you want the membership for this group updated automatically, select Automatic.
If you want the membership for this group updated only when the Refresh button is clicked, select
Only Upon User Request.
Step 7
Step 8
Click Next.
The Rules: Create page appears. (For more information on creating rules, see Understanding Rules.)
Step 9
Click Next and select the objects on the Membership: Create page (not supported for port and
interface groups). Then go to Step 10.
If you need to return to any of the previous pages in the wizard, click Back.
Step 10
Select a logical operator (applicable when there are multiple rule expressions).
The list of logical operators is enabled after at least one rule expression is entered.
b.
c.
Select a variable.
d.
Select an operator.
e.
Enter a value.
f.
You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\),
an error is displayed.
To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single
backslash. You should always check the syntax after changing a rule expression.
If you have added complex rules (containing both AND and OR conditions), you must manually enter
parentheses, as in the following example:
(AccessPort.Mode equals OR
AccessPort.Mode contains BACKUP OR
AccessPort.Mode contains NORMAL) AND
(AccessPort.DuplexMode contains HALFDUPLEX OR
AccessPort.DuplexMode contains FULLDUPLEX)
g.
h.
Click OK.
If you want to view the rules for the parent group, select View Parent Rules.
All rules assigned to a parent group also apply to any of its subgroups.
i.
Click Next.
In the Available Objects from Parent Group column, select the device you want to add.
Step 2
Click Add.
Step 3
Click Next.
The group's information appears in the Summary: Create page.
Step 4
Click Finish.
A dialog box appears, stating that changes to the group have been saved.
Step 5
Click OK.
To remove an object:
Step 1
In the Objects Matching Membership Criteria column, select the device you want to remove.
Step 2
Click Remove.
Step 3
Click Next.
The group's information appears in the Summary: Create page.
Step 4
Click Finish.
A dialog box appears, stating that changes to the group have been saved.
Step 5
Click OK.
Understanding Rules
Every group is defined by a set of rules. A rule set contains a Boolean combination of individual rule
expressions.
Rules are created to filter in the objects that you want to belong to the group, and to filter out those that
you do not want in the group. When determining the objects that belong to a group, Group Management
compares object information to the rule. If an object's information satisfies all of the rule requirements, it
is placed in the group.
One or more rule expressions can be applied to form a rule. Each rule expression contains the following:
Object Type.Variable Operator Value
For example:
Routers.Location equals "San Jose"
Complex rules that contain both OR and AND conditions require you to edit the rule manually. For
example, all parentheses in the following rule must be added in the Rule Text field:
(AccessPort.Mode equals OR
AccessPort.Mode contains BACKUP OR
AccessPort.Mode contains NORMAL) AND
(AccessPort.DuplexMode contains HALFDUPLEX OR
AccessPort.DuplexMode contains FULLDUPLEX)
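The following Python sketch is an added example, not Cisco code: it parses rule text in the Object Type.Variable Operator Value form described above and evaluates it against constructed port records. The port names, the rejection of AND/OR mixes that lack parentheses, and the case-sensitive handling of contains are assumptions of this example; the case-sensitive equals operator and the doubled-backslash requirement come from this chapter.

```python
import re

# One token: a parenthesis, a double-quoted value, or a bare word.
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')
LOGICAL = ("AND", "OR")
OPERATORS = ("equals", "contains")


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        match = TOKEN.match(text, pos)
        if not match:  # e.g. an unterminated quote
            raise ValueError(f"unexpected character at offset {pos}")
        tokens.append(match.group(0))
        pos = match.end()
    return tokens


def unescape(raw):
    # Strip quotes. Two backslashes mean one literal backslash;
    # a single backslash is rejected, as the Rule Text box does.
    if raw.startswith('"'):
        raw = raw[1:-1]
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\":
            if raw[i + 1:i + 2] != "\\":
                raise ValueError("single backslash in value; type two backslashes")
            i += 1  # skip the first backslash of the pair
        out.append(raw[i])
        i += 1
    return "".join(out)


def parse_term(tokens, pos):
    if pos < len(tokens) and tokens[pos] == "(":
        node, pos = parse_rule(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing closing parenthesis")
        return node, pos + 1
    attr, op, value = (tokens[pos:pos + 3] + [None] * 3)[:3]
    if value is None or "." not in attr or op.lower() not in OPERATORS:
        raise ValueError(f"incomplete or malformed rule expression near {attr!r}")
    if value in ("(", ")") or value.upper() in LOGICAL:
        raise ValueError(f"{attr} {op} has no value")
    return ("expr", attr, op.lower(), unescape(value)), pos + 3


def parse_rule(tokens, pos):
    node, pos = parse_term(tokens, pos)
    seen = None
    while pos < len(tokens) and tokens[pos].upper() in LOGICAL:
        logical = tokens[pos].upper()
        # Assumption of this example: refuse to guess precedence.
        if seen and logical != seen:
            raise ValueError("AND and OR mixed at one level; add parentheses")
        seen = logical
        right, pos = parse_term(tokens, pos + 1)
        node = (logical, node, right)
    return node, pos


def parse(text):
    tokens = tokenize(text)
    node, pos = parse_rule(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"unbalanced parenthesis or trailing text at token {pos}")
    return node


def matches(node, record):
    if node[0] == "expr":
        _, attr, op, value = node
        actual = record.get(attr)
        if actual is None:
            return False
        # equals is case-sensitive (per the chapter); contains is assumed to be.
        return actual == value if op == "equals" else value in actual
    logical, left, right = node
    if logical == "AND":
        return matches(left, record) and matches(right, record)
    return matches(left, record) or matches(right, record)


def select_members(rule_text, records):
    tree = parse(rule_text)
    return [name for name, record in records.items() if matches(tree, record)]


# Constructed sample data, not taken from a real LMS inventory.
PORTS = {
    "Gi1/0/1": {"AccessPort.Mode": "NORMAL", "AccessPort.DuplexMode": "FULLDUPLEX"},
    "Gi1/0/2": {"AccessPort.Mode": "BACKUP", "AccessPort.DuplexMode": "AUTO"},
    "Gi1/0/3": {"AccessPort.Mode": "DISABLED", "AccessPort.DuplexMode": "HALFDUPLEX"},
}
RULE = (
    "(AccessPort.Mode contains BACKUP OR AccessPort.Mode contains NORMAL) AND "
    "(AccessPort.DuplexMode contains HALFDUPLEX OR "
    "AccessPort.DuplexMode contains FULLDUPLEX)"
)

if __name__ == "__main__":
    print(select_members(RULE, PORTS))
```

A rule that drops one parenthesis or mixes AND and OR at the same level is rejected before any record is evaluated, so an ambiguous rule cannot silently change group membership.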
Rules are defined through the Group Creation Wizard on the Rules: Create and Rules: Edit pages. You
can define the following:
Logical Operators
Object Type
Variable
Operator
Value
Logical Operators
The logical operator field appears when you are defining multiple rules. The logical operators can be:
If you used an AND operator in the previous port rule, it would be invalid.
For device groups, this operator can only be used between variables of the same type, as in the
following example:
Routers.Model equals "12816" AND
Routers.Model equals 12810
Object Type
The Object Type field lists the available objects that you can use to form a group.
Depending upon the type of group you are creating, the Object Type field may contain the following
choices:
AccessPort
TrunkPort
Interface
Cable
ContentNetworking
Device
DSLAndLRE
Group
InterfacesAndModules
NetworkManagement
Optical
Routers
SecurityAndVPN
ServerFabricSwitches
StorageNetworking
SwitchesAndHubs
UniversalGatewaysAndAccessServers
Unknown
VoiceAndTelephony
Wireless
Variable
The Variable field lists the possible attributes for the selected object type to be used for the rule. The list
of possible variables changes based on the object type that is selected. Some variables for port and
interface groups are described in Table 5-11.
Operator
The Operator field defines the operator to be used in the rule. The list of possible operators changes
based on the object type and the variable selected.
When using the equals operator, the rule is case-sensitive.
Value
The Value field describes the value of the rule expression. The possible values depend upon the object
type, variable, and operator selected. Depending on the operator selected, the value may be free-form
text or a list of values.
Most of the values that can be entered in the Value field of the Rules: Edit page are self-evident, but some
of the objects in the Variables field have special meanings or restrictions on how to enter the related
attribute in the Value field.
Table 5-11 describes the objects that appear in the Variable field of the Rules: Edit page that might need
further explanation.
Table 5-11
Variable
Explanation
Description
DuplexMode
InterfaceCode
MaxSpeed
MaxTransferSpeed
Note
Mib2ifType
Mode
Name
Name of object.
SystemModel
SystemName
SystemObjectID
SystemVendor
Type
After you have defined the rule, you should verify the syntax. You can do this on the Rules: Edit page.
Table 5-12 describes the remaining fields on the Rules: Edit page of the Group Creation Wizard.
Table 5-12
Field/Button
Description
Rule Text
Displays the rule. For complex rules (which contain both OR and AND
conditions), you must manually add parentheses in this field. (In Editing a
Fault Group, see Step 10 and Step 6.)
Check Syntax
Examples of Rules
You want to create a group that contains all interfaces using full duplex mode in the Dallas location.
Form the following rule:
Interface.Duplex.Mode contains "FULLDUPLEX" AND Location contains Dallas
Object Type: Interface
Variable: Duplex.Mode
Operator: Contains
Value: FULLDUPLEX
Logical Operator: And
Variable: Location
Operator: contains
Value: Dallas
You want to create a group that contains all of the security and VPN devices in the San Jose location.
Form the following rule:
SecurityAndVPN.Location contains "SanJose"
Object Type: SecurityAndVPN
Variable: Location
Operator: Contains
Value: San Jose
To understand the group rules, see the rules used for system defined groups. These rules appear in the
Properties: Details page. For a description of the Properties: Details page, see Viewing Fault Group
Details.
Heading/Button / Description

Group Name
Parent Group
Description
Membership Update: Automatic (updated whenever the group is accessed) or upon user request
(updated only when you click the Refresh button).
Rules
Visibility Scope: Setting that determines whether all Cisco Prime users or only the user who
created the group can view it.
Polling Overriding Group preview: Click to display the Preview page. This page displays the
priorities of the Polling Overriding Groups.
Threshold Overriding Group preview: Click to display the Preview page. This page displays the
priorities of the Threshold Overriding Groups.
Either:
Or
Step 2
In the Group Selector, select the group for which you want to view details.
Step 3
Click Details.
The Properties: Details page appears.
Heading/Button
Description
Group Name
Parent Group
Type
Description
Membership Update
Created By
Last Modified By
Rules
Used to view the parent group rules. All parent group rules apply to the
subgroups.
Membership Details
Used to view the list of devices that belong to the group. Does not apply to
port and interface groups.
Cancel
Closes the page and takes you back to the Group Administration and
Configuration page.
Either:
Or
Step 2
In the Group Selector, select the group for which you want to view details.
Step 3
Click Details.
The Properties: Details page appears.
Step 4
Heading/Button
Description
Name
Name of the device for which you want to view membership details.
Object Type
Property Details
Cancel
Closes the page and takes you back to the Group Administration and
Configuration page.
Either:
Or
Step 2
Step 3
Click Refresh.
Step 4
Step 5
Either:
Or
Step 2
Step 3
Click Delete.
Step 4
Step 5
Edit, Refresh, and Delete cause internal processes to start. For this reason, LMS could experience a
period of high CPU utilization after these processes are triggered.
Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
Rules are created to filter in the devices that you want to include in the group, and to filter out those that
you do not want in the group.
While determining the devices that belong to a group, Group Management compares device information
to the rule. If the information on a device satisfies all the requirements of the rule, it is placed in the
group.
The devices are filtered based on the data present in the IPSLA Performance database.
One or more rule expressions can be applied to form a rule.
Each rule expression contains the following:
object type.variable operator value
Understanding Collector Group Rules
Table 5-16 lists the various operators that can be used to create rules to group Collectors.
Table 5-16
Field/Button
Description
Logical operators.
The Rule Text field appears only after a rule expression is added.
Object Type
Variable
Operator
Operator to be used in the rule. The list of possible operators changes based on the Variable
selected.
When using the equals operator the rule is case-sensitive.
Value
Value of the rule expression. The possible values depend upon the variable and operator
selected. Depending on the operator selected, the value may be free-form text or a list of
values.
Wildcard characters are not supported.
The following are the values for the corresponding operations:
1 = echo
2 = pathEcho
5 = udpEcho
6 = tcpConnect
7 = http
8 = dns
9 = jitter
10 = dlsw
11 = dhcp
12 = ftp
14 = RTP
16 = icmpjitter
18 = VoipCallSetupPostDialDelay
19 = VoipGKRegDelay
1019 = Ethernetping
1020 = Ethernetjitter
1119 = EthernetPingAutoIPSLA
1120 = EthernetJitterAutoIPSLA
Rule Text
Check Syntax
Collector Components
Table 5-17 lists the available group attributes that you can use for defining the User-Defined groups.
Table 5-17
Collector Components
Component Type
Description
Source Address
Device IP address.
Target Address
Device IP address.
Operation Type
Operation Name
VRF
You can start the IPMOGS Server either from the CLI, or from the LMS UI.
To start IPMOGS Server from the CLI:
Enter NMSROOT/bin/pdexec IPMOGSServer
where NMSROOT is the Cisco Prime installation directory.
To start IPMOGS server from the LMS UI:
Step 1
Step 2
Step 3
Click Start.
You can start the CMFOGS Server either from the CLI, or from the LMS UI.
To start CMFOGS Server from the CLI:
Enter NMSROOT/bin/pdexec CMFOGSServer
where NMSROOT is the Cisco Prime installation directory.
To start CMFOGS server from the LMS UI:
Step 1
Step 2
Step 3
Click Start.
Field/Buttons
Description
Group Selector
Group Info
Created By: The person who created the group. You can also view the time at which the
group was created.
Last Modified By: The last person to modify the group settings. You can also view the time
at which the group was modified.
Create
Starts the Group Creation Wizard for creating a group, as described in the Creating and
Modifying User-Defined Collector Groups.
Edit
Starts the Group Edit Wizard for editing an existing group, as described in the Creating and
Modifying User-Defined Collector Groups.
Details
Opens the Properties: Details page, as described in the Viewing Collector Group Details and
Viewing Membership Details.
Refresh
Delete
Working with User-Defined Collector Groups
2.
3.
4.
You must complete all four tasks in this sequence to create collector groups. If you exit the wizard
at any stage using Cancel, the details you have specified will be lost and the collector groups will not be
created.
Either:
Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
Step 2
Step 3
If you want to create or edit a group, select the User Defined Group folder from the Group Selector
pane.
If you want to create or edit a subgroup, select the required collector group under the User Defined
Groups folder.
Specify the collector group name and description in the Group Name and Description fields.
The Group Name must be unique within the parent group. However, you can specify the same name in
some other groups.
For example, if you already have a group named MyGroup in a group named Views under
User-Defined Groups, you cannot use the same name for another subgroup in the group Views.
However, you can use the name 'MyGroup' for the subgroup of another group in User-Defined Groups.
After entering the group name and description, you can either copy the attributes of an existing group to
the new group or proceed to Step 5.
To copy the attributes of an existing group to the new group, do the following:
a.
b.
Select the required collector group from the User Defined Groups folder.
c.
Click OK.
All attributes except the group name are copied to the new group.
The parent group you have selected for the group does not change even if you are copying attributes
from a group that belongs to a different parent group.
b.
c.
Click OK.
The Properties page appears with the new parent group.
Step 5
Select the Membership Update and Visibility Scope for the group.
For more information, see Table 5-19.
Step 6
Click Next.
The Rules page appears.
Table 5-19
Field
Description
Group Name
Copy the attributes of an existing group to your new group using Select Group.
Parent Group
Parent group of the group you are creating. You can change the parent group using Change
Parent.
Description
Membership Update
Visibility Scope
Note
All rules assigned to a parent group also apply to any of its subgroups.
In the Rules page, you can either enter the rules directly in the Rule Text field or select the components
of the rule from the Rule Expression fields and define a rule.
Table 5-20 lists the various Fields and Buttons available in the Rules page.
Table 5-20
Field/Buttons
Description
Logical operators.
The Rule Text field appears only after a rule expression is added.
Object Type
Type of object (Collector) that is used to form a group. All IPSLA Collector group rule
expressions begin with the same Object Type, IPM:Collector Management: Collector.
Variable
Operator
Operator to be used in the rule. The list of possible operators changes based on the Variable
selected.
When using the Equals operator, the rule is case sensitive.
Value
Value of the rule expression. The possible values depend upon the variable and operator selected.
Depending on the operator selected, the value may be free-form text or a list of values.
Wildcard characters are not supported.
Rule Text
Check Syntax
Either:
Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
Step 2
Step 3
Select the required variables from the Variable drop-down list. You can select one or a combination of
variables.
The variables available are Operation Name, Operation Type, Source Address, VRF name, and Target
Address.
For more information, see Table 5-20.
Step 4
Step 5
Step 6
Step 7
Step 8
Click View Parent Rules to view the parent and group rules.
Step 9
Click Next.
The Membership page appears.
Objects Matching Membership: Lists the collectors that satisfy the rule defined by you. You can
add or delete collectors from this pane. You can also add collectors from the parent group to create
the collector group.
Select the required collectors from the Objects From Parent Group pane.
Step 2
Click Add.
The selected collectors are added to the Objects Matching Membership pane.
Step 3
Click Next.
The Summary page appears with the User-Defined Group properties.
Step 2
Click Remove.
The selected collectors are removed from the Objects Matching Membership pane and added to the
Objects From Parent Group pane.
Step 3
Click Next.
The Summary page appears with the summary of the user-defined collector group.
Field
Description
Group Name
Description
Parent Group
Parent group of the group you are creating. You can change the parent group using Change
Parent.
You can select only IPSLA Collector User-Defined groups.
You cannot edit this field in the Edit flow.
Membership Update
Rules
Visibility Scope
Describes if the group is public (all users) or private (only for the group owner).
Step 2
Click OK.
You can view the newly created user-defined collector group in the Group Selector pane.
Or
Click Back to modify the group properties.
Select the group for which you want to view details from the Group Selector pane.
Step 2
Click Delete.
A confirmation message appears.
Either:
Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
Step 2
Select the group for which you want to view details from the Group Selector pane.
Step 3
Click Details.
The Property Details page appears. For more information, see Table 5-22.
Table 5-22
Field/Button
Description
Group Name
Parent Group
Type
Description
Membership Update
Created By
Person who created the group. This also displays the time at which it was created.
Last Modified By
Last person to modify the group. This also displays the time at which it was modified.
Rules
Visibility Scope
Indicates whether the group is Public (visible to all users) or Private (visible only for the group
owner).
Membership Details
Cancel
Either:
Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
Step 2
Select the group for which you want to view details from the Group Selector pane.
Step 3
Click Details.
The Property Details page appears.
Step 4
Field/Button
Description
Name
Object Type
Type of object.
Property Details
Cancel
Either:
Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
Step 2
Select the group for which you want to view details from the Group Selector pane.
Step 3
Step 4
Click OK.
A message appears that the selected group membership has been refreshed.
Or
Click Cancel to return to the Group Administration page.
Either:
Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
Step 2
Select the default operation name from the Group Selector pane for which you want to view the collector
group details.
Step 3
Click Details.
The system-defined collector group details appear.
Step 4
Click Membership Details to view the membership details of this system-defined collector group.
The Membership Details page appears.
Select the group for which you want to view details from the Group Selector pane.
Step 2
Step 3
Click OK.
A message appears that the selected group membership has been refreshed.
Or
Click Cancel to return to the Group Administration page.
CH A P T E R
If you have configured a device with SNMP v2 or v1 settings in DCR, then the device is initially
queried with SNMP v2. If the query fails, LMS will query the device with SNMP v1.
If you have configured a device with SNMPv3 settings in DCR, then the device is queried with
SNMP v3. However, if the query fails, the same device will not be queried with SNMP v2 or v1.
Select Admin > Network > Timeout and Retry Settings > Data Collection SNMP Timeouts and
Retries.
The SNMP Timeouts and Retries dialog box appears.
Step 2
Chapter 6
Table 6-1
Field
Description
Target
Timeouts
Retries
Number of attempts made to query the device. The allowed range is 0-8.
Step 3
Step 4
Or
Click Apply.
Select Admin > Collection Settings > Data Collection > Data Collection Schedule.
The Data Collection Schedule dialog box appears.
Step 2
Field
Description
Usage Notes
Schedule
Step 3
Best Practices
Use the Polling option to see the device and link status without running data collection. For more
details on polling, see Data Collection Critical Device Poller.
Step 2
To add a device to the Critical Devices list from N-Hop View Portlet:
Step 1
Step 2
Caution
If the critical set of devices is more than 30, the amount of traffic generated as part of the polling cycle
will use a large amount of bandwidth.
To configure Device Poller:
Step 1
Select Admin > Collection Settings > Data Collection > Data Collection Critical Devices Poller.
The Device Poller screen appears.
Step 2
Field
Description
Usage Notes
Polling Details
All Devices
Specifies that all devices in the network will be polled at the specified interval.
By default the whole network is polled every 2 hours.
Critical Devices
Table 6-3
Field
Description
Usage Notes
Time Interval
Time interval at which the specified devices are polled.
Configure this option to change the interval from the default value.
The time interval is added to the completion time of Data Collection.
For example, you have configured the
following:
IP Address
DeviceName
Step 3
IP Address
DeviceName
DeviceType
Neighbors
Import Contracts
The Compliance Data Collection job runs daily by default. The user can schedule a Compliance Data
Collection Job.
To schedule a Compliance Data Collection System Job do the following:
Step 1
Select Admin > Compliance and Audit Settings > Compliance Data Collection > Compliance Data
Collection System Job Schedule.
The Compliance Data Collection System Job Schedule page appears.
Step 2
Enter the information required to schedule a Compliance Data Collection System Job.
Field
Description
Job Type
Scheduling
Run Type
Weekly: Runs weekly on the day of the week and at the specified time.
Monthly: Runs monthly on the day of the month and at the specified time.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the
job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of
this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job
has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November
2, then the next job will start only at 10:00 a.m. on November 3.
Date
1.
Enter the start date in the dd mmm yyyy format, for example, 06 Oct 2011, or click on the
calendar icon and select the date.
2.
Enter the start time by selecting the hours and minutes from the drop-down list.
Job Info
Job Description
The default job description is, System-defined job for Compliance data Collection.
Enter e-mail addresses to which the job sends messages when the job has run.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog
box (Admin > System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address,
Step 3
Click Apply.
The scheduled job appears in the Compliance Data Collection Jobs.
Column
Description
Job ID
Job ID:
Identifies the task. This does not maintain a history. For example: 1002
JobID.Instance ID:
Here, in addition to the task, the instance of the task can also be
identified. For example: 1002.1, 1002.2
Status
Provides the status of the current jobs. The status of the current jobs
is displayed as succeeded or failed. It also displays the failure
reasons.
Description
Owner
Job Type
Scheduled At
Completed At
Schedule Type
Daily
Weekly
Monthly.
Work Order
Device Details
Job Summary
Displays the Job Status, Job Message, Start Time, End Time and
Device Updates.
Import Contracts
Import Contracts enables you to import customer contracts into the Compliance and Audit Manager
Database.
The contract summary report can be generated only after importing contracts into the Compliance and
Audit Manager Database.
The following steps should be performed for importing contracts into the Compliance and Audit
Manager Database:
Step 1
Go to
http://apps.cisco.com/CustAdv/ServiceSales/contract/viewContractMgr.do?method=viewContractMgr.
Note
Step 2
Open the link in Internet Explorer and use your Cisco.com credentials.
A contract Manager screen listing the contracts associated with your Cisco.com ID appears.
Note
If you do not see the contracts then there are no contracts associated with your Cisco.com ID.
Open a case with Cisco to get access to your contracts.
Step 3
Select Download Contract or Selected Data option from the Action drop-down menu.
Step 4
Step 5
Click Go.
A Download Contract or Selected Data window appears.
Step 6
b.
Click the Save Now radio button to save a Zip file containing a CSV file in your local system.
c.
Click the Send by Email to radio button to receive a Zip file containing a CSV file by e-mail.
Step 7
Go to the Import Contracts page and click Browse to select the downloaded contract file from your local
system.
Step 8
Click Import Contracts File to import the contracts file into the Compliance Engine.
Go to Admin > Compliance and Audit Settings > Import Policy Updates
Step 2
In Cisco.com, navigate to Home > Products > Cloud and Systems Management > Routing and
Switching Management > Cisco Prime LAN Management Solution > Cisco Prime LAN
Management Solution 4.2 > Compliance Policy Updates.
Step 3
Step 4
Log in using your Cisco.com credentials to open the LMS Compliance Policy Updates page in the
browser.
Step 5
Download the CompliancePolicyUpdates.vX-y.jar patch file, where X is the major version and y is the
minor version.
Step 6
Step 7
Go to the Import Policy Updates page and click Browse to select the downloaded
CompliancePolicyUpdates.vX-y.jar file from your local system.
Step 8
Click Import Policy Updates to import the CompliancePolicyUpdates.vX-y.jar patch file into the
Compliance Engine.
A message appears indicating the successful importing of policy into the Compliance Engine.
Note
Ensure that the CAAM Server process is restarted for the changes to take effect.
Restarting CAAM server from User Interface
Step 2
Select CAAM Server from the Process Management Grid and click stop.
Step 3
After the CAAM server stops, click start to restart the CAAM server.
Step 2
Note
The policy updates patch file can be automatically downloaded and posted into the CAAM server by
scheduling a system defined job under Admin > Network > Compliance Policy/PSIRT/EOS/EOL
Settings.
CH A P T E R
Chapter 7
These reports give a clear picture of the switch port utilization in the network and help you in doing
capacity planning for the network. To generate Switch Port reports, select Reports > Switch Port from
the megamenu.
This topic covers:
Accessing UT Data
Display information about the connectivity between the devices, users, and hosts in your network.
For example, you might want to identify all users connected to a particular subnet, or all hosts on a
particular switch.
Display information about the IP phones registered with discovered Media Convergence Servers.
Use simple queries to limit the amount of information User Tracking displays.
View User Tracking reports that identify Switch Port usage, duplicate IP addresses, duplicate MAC
addresses, duplicate MAC and VLAN names, and ports with multiple MAC addresses.
You can also view History Reports for Switch port utilization, and the connection and disconnection
of endhosts and users from your network.
You can set the schedule for generating the reports, and also generate the reports for a subset of
devices.
Accessing UT Data
The following are the ways to access User Tracking data:
Quick Reports
You can generate End hosts or IP Phones reports based on the given filter criteria.
For example, you can generate reports on end hosts that belong to a specific VLAN.
To generate these reports, select Reports > Inventory > User Tracking > Quick Report.
Scheduled Reports
You can schedule reports that run at the specified date and time. You can generate immediate reports or
schedule them to run once or at repetitive intervals.
Custom Reports
You can customize the layout and columns displayed in the reports to suit your needs. To generate these
reports select Reports > Report Designer > User Tracking > Custom Reports.
Command Line Interface
You can generate various User Tracking reports from the Command Line Interface also.
For more details, see User Tracking Command Line Interface.
Data Extraction Engine
Data Extraction Engine is an LMS utility that allows you to generate User Tracking data in XML format.
For more details, see Overview of Data Extraction Engine.
User Tracking Utility
Cisco Prime User Tracking Utility 2.0 is a Windows desktop utility that provides quick access to useful
information about users or hosts discovered by LMS User Tracking application.
You can use UTU search band to search for the users or hosts in your network. You can search using user
name, host name or IP address, or MAC address.
Discovers all the end hosts that are connected to the devices managed by LMS.
For details on the various options that can be set before starting an acquisition, see Modifying UT
Acquisition Settings.
User Tracking Acquisition can also be initiated from the CLI prompt. To do so, enter the following
command:
NMSROOT/campus/bin/ut -cli -performMajorAcquisition -u userid -p password
where NMSROOT is the directory where you have installed Cisco Prime. For more details, see User
Tracking Command Line Interface.
User Tracking Minor Acquisition
Minor acquisition occurs on a device if any of the following changes take place:
Minor acquisition updates the LMS database with just the changes that have happened in the network. It
is triggered at regular intervals. The default for these intervals is 60 minutes. You can configure the
interval at which the acquisition takes place.
For details on modifying the acquisition interval, see Modifying UT Acquisition Schedule
User Tracking IP Phone Acquisition
Discovers all phones registered in Cisco Call Managers (CCM), that are managed by LMS.
Subnet based User Tracking Major Acquisition
User Tracking subnet-based acquisition runs only on those subnets that are configured in LMS.
LMS discovers end hosts on all the VLANs available in the configured subnets.
Run subnet-based acquisition when you need details about the end hosts connected to a particular subnet
or a select set of subnets. The acquisition completes faster, since it is not run on all devices managed by
LMS.
For details on running subnet based acquisition, see Configuring UT Subnet Acquisition
Single device on-demand User Tracking Acquisition
This discovers the end hosts on all the VLANs available in the selected device. Hence this acquisition is
useful for collecting information only on end hosts connected to the specified device.
For details on initiating this type of acquisition, see Configuring User Tracking Acquisition Actions
Schedule Acquisition.
You can set the day and time of the week when you want to run Major Acquisition. The time interval
at which Minor Acquisition happens in the network can also be set.
For more details, see Modifying UT Acquisition Schedule
Either:
Select Admin > Collection Settings > User Tracking > Acquisitions Info.
Or
Description
Acquisition status
Type of User Tracking acquisition that you had performed last time.
Types of acquisition are:
Number of acquisitions
Number of duplicate IP
Date and time of the previous LMS Data Collection process. This
is displayed in the following format: dd mon yyyy hh:mm:ss time
zone.
IP Phone Acquisition
Either:
Select Admin > Collection Settings > User Tracking > Acquisition Action.
Or
Acquisition Actions
Field
Description
Select a type
You can select the type of acquisition. Type of acquisition can be:
When you select a type of acquisition the appropriate fields are displayed.
Scope Selection
Device
Subnet
IP Phones
Usage Notes
If you do not select the All hosts and users check box, the
device selection field is enabled and you can enter the
name or IP address of the device for which you require
data.
Device Selection
Subnets
Type Selection
You can choose to get data about a particular subnet or about all the configured subnets.
If you choose to acquire data about a particular subnet, the subnet selection fields are enabled.
Subnet Selection
Subnet ID
Table 7-1
Field
Description
Usage Notes
Subnet Mask
Acquire Only
VLAN Specific to
Subnet
You do not have to specify any details for the IP Phones option.
Step 3
Select Admin > Collection Settings > User Tracking > Acquisition Settings.
The Acquisition Settings dialog box appears.
Step 2
Table 7-2
Field
Description
Usage Notes
Collects information only for users who are logged in to the
console port of the UNIX hosts.
DNS threads
Number of parallel threads allowed for name
resolution. The default value is 1. Maximum number of
threads allowed is 12.
DNS Timeout
Time duration for which UT waits for a response from
the DNS server, for name resolution. The value should
be entered in milliseconds. The default value is 2000
milliseconds (2 seconds).
Specify the UDP port number from where logon and logoff messages are received from hosts in
Windows and NDS.
You must use the default port number unless it is already in use. This port number must match the
port indicated in the login script.
Specify the list of Rogue MACs in the screen that is launched.
For details, see Configuring Rogue MAC List.
Step 3
Step 4
Click Start Acquisition to start User Tracking Acquisition with the modified settings.
Selecting the Enable User Tracking for DHCP Environment property allows you to control inclusion
and exclusion of Duplicate MAC addresses in UT Acquisition.
LMS will not get the IP address of end hosts if the router is not reachable or if it is excluded from DCR. In
such cases, the behaviour of User Tracking after enabling the Enable User Tracking for DHCP Environment
property is explained in Table 7-3.
The conventions used in Table 7-3 are:
Note
Table 7-3
NA: Not Available.
The explanation given for scenarios 1 and 2 holds good, irrespective of the value set for Enable User
Tracking for DHCP Environment property.
Scenario
Explanation
MAC1
IP1
Device 1
6:40
IP1
Device 1
6:50
MAC1
For an endhost with Single MAC address but multiple IP addresses, if UT does not get the IP address in
the current acquisition, it retains the older values in the database.
MAC1
MAC1
IP1
Device 1
7:00
IP2
Device 1
7:00
IP3
Device 1
7:00
NA
Device 1
6:35
MAC1
IP1
Device 1
6:40
IP1
Device 1
6:45
MAC1
NA
Device 1
6:50
IP1
Device 1
6:55
MAC1
IP2
Device 1
6:55
MAC1
IP3
Device 1
6:55
MAC1
NA
Device 1
7:00
MAC1
IP1
Device 1
4:00
MAC1
IP1
Device 1
4:00
MAC1
IP2
Device 1
5:00
IP2
Device 1
5:00
MAC1
IP3
Device 1
6:00
IP3
Device 1
7:00
MAC1
NA
Device 1
7:00
MAC1
For an endhost with different IP addresses at different points of time, if UT does not get the IP
address in the current acquisition, it retains the value that was last discovered.
MAC1
IP1
Device 1
6:00
IP1
Device 1
4:00
MAC1
IP1
Device 2
5:00
MAC 1
NA
Device 1
6:00
Property
Description
UT.DuplicateMac.Include_SwitchPorts
UT.DuplicateMac.Exclude_SwitchPorts
UT.DuplicateMac.Include_Switches
UT.DuplicateMac.Exclude_Switches
UT.DuplicateMac.Include_Vlans
Table 7-4
Property
Description
UT.DuplicateMac.Exclude_Vlans
UT.DuplicateMac.Include_Subnets
UT.DuplicateMac.Exclude_Subnets
Port numbers should be given along with the device IP address as deviceip:port.
If you use the Include list OR the Exclude list alone, the duplicate MAC addresses will be included
or excluded as specified.
For example, if you set the Include list as,
UT.DuplicateMac.Include_Switches=X,Y
Duplicate MAC addresses will be allowed only for endhosts connected to Switches X and Y.
Duplicate addresses will not be allowed for any other endhost.
The above examples hold good for the Include/Exclude lists of Switchports, Subnets and VLANs.
The SwitchPorts list has the highest priority, followed by Switches, VLANs and Subnets list.
For example, if you set
UT.DuplicateMac.Include_SwitchPorts=10.77.211.33:3/2
UT.DuplicateMac.Exclude_Switches=10.77.211.33
Although the switch 10.77.211.33 is in the Exclude list, a switchport belonging to that switch is also
present in the Include list. So Duplicate MAC addresses will be allowed for that port on the switch.
Thus the SwitchPorts list has higher priority over the Switches list.
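The precedence rule above, modelled as an added example (not LMS code), so a proposed set of Include/Exclude lists can be checked against known end hosts before it is deployed. The host dictionary, CIDR notation for subnets, the handling of a host that appears in both lists of the same level, and the result when no list mentions the host are assumptions.

```python
import ipaddress

# Precedence stated in the text: SwitchPorts, then Switches, then VLANs, then Subnets.
LEVELS = ("SwitchPorts", "Switches", "Vlans", "Subnets")
PREFIX = "UT.DuplicateMac."

# The two properties from the example in the text.
SAMPLE = """\
UT.DuplicateMac.Include_SwitchPorts=10.77.211.33:3/2
UT.DuplicateMac.Exclude_Switches=10.77.211.33
"""


def parse_properties(text):
    """Collect UT.DuplicateMac.Include_*/Exclude_* lines as {(mode, level): [values]}."""
    lists = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        key = key.strip()
        if not sep or not key.startswith(PREFIX):
            continue  # comments, blank lines and unrelated properties
        mode, _, level = key[len(PREFIX):].partition("_")
        if mode in ("Include", "Exclude") and level in LEVELS:
            lists[(mode, level)] = [v.strip() for v in value.split(",") if v.strip()]
    return lists


def matches(level, entries, host):
    """True if the end host falls under one of the entries of this list."""
    if not entries:
        return False
    if level == "SwitchPorts":  # entries are written as deviceip:port
        return f"{host['switch']}:{host['port']}" in entries
    if level == "Switches":
        return host["switch"] in entries
    if level == "Vlans":
        return host["vlan"] in entries
    # Subnets: CIDR notation is an assumption; a host whose IP is NA matches none.
    if not host.get("ip"):
        return False
    addr = ipaddress.ip_address(host["ip"])
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def duplicate_mac_allowed(lists, host):
    """Return (allowed, reason) for one end host under the configured lists."""
    for level in LEVELS:  # the first level that mentions the host decides
        included = matches(level, lists.get(("Include", level)), host)
        excluded = matches(level, lists.get(("Exclude", level)), host)
        if included and excluded:
            # Assumption: the text does not cover this case; treat it as excluded.
            return False, f"conflict in {level} lists"
        if included:
            return True, f"Include_{level}"
        if excluded:
            return False, f"Exclude_{level}"
    # No list mentions the host. With an Include list present only listed hosts
    # are allowed (the Include_Switches=X,Y example); otherwise it is allowed.
    if any(mode == "Include" for mode, _ in lists):
        return False, "not in any Include list"
    return True, "not in any Exclude list"


if __name__ == "__main__":
    configured = parse_properties(SAMPLE)
    for port in ("3/2", "3/5"):
        end_host = {"switch": "10.77.211.33", "port": port, "vlan": "20", "ip": None}
        print(port, duplicate_mac_allowed(configured, end_host))
```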
Configuring User Tracking Properties from the Backend
This section explains the new user configurable properties that have been added to UT.
You can configure properties that control DNS name resolution and history reports, by editing them in
the file ut.properties, stored in
NMSROOT/campus/etc/cwsi/
where NMSROOT is the root directory where you installed Cisco Prime.
Property
Default Value
Description
HistoryHostPurgeTime
10 days
Purges history entries that are older than the specified time.
The value should be provided in minutes.
For example,
If you want to purge entries older than 10 days, set
HistoryHostPurgeTime=14400
UT.nameResolution
both
Name resolution for end hosts using Java APIs JNDI and
InetAddress. This property can have the following values:
UT.nameResolution.dnsTimeout
2000
Time duration for which UT waits for response from the DNS
server, for name resolution. The value should be entered in
milliseconds.
UT.nameResolution.winsTimeout
2000
Time duration for which UT waits for response from the DNS
server, for name resolution. The value should be entered in
milliseconds.
This property must be enabled only for Windows server.
UTMajorUseDNSCache
false
UT.RunLookupAnalyzer
OFF
Select Admin > Collection Settings > User Tracking > Acquisition Settings.
The User Tracking Acquisition settings window appears.
Step 2
Step 3
Property
Description
Select Mode
Add MAC/OUI
OUI List
Step 4
Manual Add
a.
Select the required OUIs from the list displayed in OUI List.
b.
Click either the Add to Rogue MAC List or the Add to Acceptable MAC List, based on your
requirement.
The MAC or OUIs that you enter in the ADD MAC or in the OUI textbox will be added to the list
that you selected.
a.
Click Browse and browse to the folder location and choose the file to be imported.
b.
Import From UT
Click the Import to Acceptable OUI list. The MACs are converted to OUIs prior to adding them to
the Acceptable MAC/OUI List.
The file that is imported to the Acceptable MAC/OUI list must include the header MAC Address followed by MAC Address entries.
For example, the file to be imported includes a MAC Address column with MAC
Address entries:
MAC Address
MAC 1
MAC 2
MAC 3
The newly added values are reflected in the Rogue MAC Configuration screen.
Step 5
Step 6
Save
Saves the settings to the server. They come into effect in the next UT Major Acquisition cycle.
If Dynamic User Tracking is running, notification for new or Rogue MACs detected in the
Delete
Deletes entries.
Cancel
Cancels changes and closes the window.
Select Admin > Collection Settings > User Tracking > Acquisition Schedule.
The Acquisition Schedule dialog box appears.
Step 2
Start the user tracking major acquisition for all or failed devices as specified below:
Click Start to start the user tracking major acquisition immediately for the selected devices.
The UT Acquisition Confirmation pop up appears.
Click OK to start user tracking acquisition. A success message appears. Click OK.
To cancel the user tracking acquisition process, click Cancel.
Step 3
Table 7-7
Field
Description
Usage Notes
Minor Acquisition
None.
Major Acquisition
Recurrence Pattern
Step 4
Step 5
Step 6
Select Admin > Collection Settings > User Tracking > Ping Sweep.
The Ping Sweep dialog box appears.
Step 2
Step 3
Step 4
Click Apply.
User Tracking does not perform Ping Sweep on large subnets.
For more details, see Notes on Ping Sweep Option.
Configure a higher value for the ARP cache time-out on the routers. To configure the value, you
must use the arp time-out interface configuration command on devices running Cisco IOS.
Use any external software that will enable you to ping the host IP addresses. This will ensure that
when you run User Tracking Acquisition the ARP cache of the router contains the IP addresses.
Select Admin > Collection Settings > User Tracking > Subnet Acquisition Configuration.
The Configure Subnet Acquisition dialog box appears.
Step 2
Or
Step 3
Or
Step 4
Select subnets from the list of Available Subnets and add them to the list of Selected Subnets.
In the User Tracking Acquisition Action page (Admin > Collection Settings > User Tracking >
Acquisition Action), the Acquire Only VLAN Specific to Subnet check box is available.
If you select this check box, only the work stations associated to the VLANs that are mapped to the
selected subnets will be acquired.
If you do not select this check box, work stations associated to all the available VLANs in the
selected subnets will be acquired.
Click Apply.
Select Admin > Network > Purge Settings > User Tracking Purge Policy.
The Delete Interval dialog box appears.
Step 2
Specify delete intervals for end host, IP phone and history tables.
Step 3
Either:
Or
Step 4
Click Apply.
In a switched network, many clients from different VLANs might access an enterprise resource, such as
a database server.
If the server has only a standard Ethernet NIC, it can belong to only one VLAN. Clients that belong to a
different VLAN would have to send their traffic to a router. The router forwards the frames to the
database server. The problem with this approach is the latency introduced by the router.
To overcome this, a trunk-capable NIC card can be placed in the server that understands multiple VLAN
information. With this arrangement, an end station need not send its frame to the router. Instead it can
directly access the file server. This makes the access much faster.
To configure trunk ports:
Step 1
Select Admin > Collection Settings > User Tracking > Acquisition Configuration in Trunk.
The Configure Trunk for End Hosts Discovery page appears.
Step 2
You can:
Select Enable End Host Discovery on all Trunks to include all non-link trunk ports in UT Major
Acquisition. After choosing this option, go to Step 3.
Select Disable End Host Discovery on Trunks to disable this feature. For this option, only the
end hosts connected to access ports will be discovered by UT Major Acquisition. After choosing
this option, go to Step 8.
Step 3
Select the list of switches where end hosts are connected to trunk ports, from the device selector.
Step 4
Step 5
Select the list of trunk ports where end hosts are connected from the Available Trunks list.
Step 6
Click Add.
The selected ports are displayed under the Selected Trunks list.
Step 7
Select either:
Discover End Hosts on Trunks to include the selected ports in UT Major Acquisition.
Or
Do not Discover End Hosts on Trunks to exclude the selected ports from UT Major Acquisition.
Step 8
Click Apply.
This saves the configuration on the server.
After saving the configuration, run Data Collection. End hosts connected to trunk ports will be
discovered in successive UT Major Acquisitions.
For Dynamic User Tracking to track end hosts connected to trunk ports, enable SNMP traps in these
ports. For details on Enabling SNMP traps, see Enabling SNMP Traps on Switch Ports.
Select Admin > Collection Settings > User Tracking > Table Import.
The End Host Table Import dialog box appears.
Step 2
Specify the name of the file from which you are importing the end host table data.
Step 3
Click Apply.
Note
We recommend that you import a .CSV or .txt file. The imported file must have the following mandatory
headers: MAC Address, User Name and Notes.
For example:
MAC1 Peter Finance department
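A pre-import check for the two file imports described on this page (the Acceptable MAC/OUI list import, whose MACs are converted to OUIs, and the End Host Table Import with its three mandatory headers), as an added example that is not part of LMS. Comma-separated columns, the accepted MAC spellings and the colon-separated OUI form are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re

HEX12 = re.compile(r"[0-9A-Fa-f]{12}")

# Mandatory headers named in the text for each import.
ROGUE_HEADERS = ("MAC Address",)
ENDHOST_HEADERS = ("MAC Address", "User Name", "Notes")

# Constructed sample files; the addresses are made up (locally administered range).
ROGUE_IMPORT = """\
MAC Address
02:00:5E:AA:BB:01
0200.5eaa.bb02
02-11-22-33-44-55
not-a-mac
"""

ENDHOST_IMPORT = """\
MAC Address,User Name,Notes
02:00:5E:AA:BB:01,Peter,Finance department
02:00:5E:AA:BB:01,Paul,Same MAC listed twice
"""


def normalize_mac(value):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if it is not 12 hex digits."""
    digits = re.sub(r"[.:\-\s]", "", value)
    if not HEX12.fullmatch(digits):
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_import(text, required_headers):
    """Validate an import file and return (rows, errors); nothing is modified."""
    reader = csv.reader(io.StringIO(text))
    header = [h.strip() for h in next(reader, [])]
    missing = [h for h in required_headers if h not in header]
    if missing:
        return [], ["missing header(s): " + ", ".join(missing)]
    rows, errors, seen = [], [], set()
    for fields in reader:
        line = reader.line_num
        if not any(f.strip() for f in fields):
            continue  # blank line
        if len(fields) != len(header):
            errors.append(f"line {line}: expected {len(header)} columns, got {len(fields)}")
            continue
        record = dict(zip(header, (f.strip() for f in fields)))
        mac = normalize_mac(record["MAC Address"])
        if mac is None:
            errors.append(f"line {line}: invalid MAC {record['MAC Address']!r}")
        elif mac in seen:
            errors.append(f"line {line}: duplicate MAC {mac}")
        else:
            seen.add(mac)
            record["MAC Address"] = mac
            rows.append(record)
    return rows, errors


def acceptable_ouis(rows):
    """OUI (first three octets) of each imported MAC, de-duplicated and sorted."""
    return sorted({row["MAC Address"][:8] for row in rows})


if __name__ == "__main__":
    for name, text, headers in (("rogue", ROGUE_IMPORT, ROGUE_HEADERS),
                                ("end host", ENDHOST_IMPORT, ENDHOST_HEADERS)):
        good, problems = check_import(text, headers)
        print(name, len(good), "usable rows;", problems)
    print(acceptable_ouis(check_import(ROGUE_IMPORT, ROGUE_HEADERS)[0]))
```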
Similarly if an end host is disconnected from a switchport, an SNMP MAC notification trap is sent from
the switch to the LMS indicating a DELETE event. Thus LMS provides real time data about end hosts
coming into and moving out of the network.
Traps from suspended devices are not processed by LMS.
The difference between a UT Major Acquisition and a Dynamic UT process is:
LMS collects data from the network at regular intervals for UT Major Acquisition.
In Dynamic UT, the devices send traps to LMS as and when changes happen in the network.
This implies that you need not wait until the next UT Major Acquisition cycle to see the changes that have
happened in your network. This is an improvement over the earlier versions, where updates on endhost
information happened based on the polling cycle.
As a result of Dynamic updates, the following reports contain up-to-date information:
End-Host Report
Contains information from UT Major Acquisition and the recently added end-hosts.
History Report
Contains information from UT Major Acquisition and the recently disconnected end-hosts or
end-hosts that have moved between ports or VLANs.
SNMP Traps are generated when a host is connected to the network, disconnected from the network or
when it moves between VLANs or ports in the network.
To enable the Dynamic Updates feature:
Configure LMS as a primary or secondary receiver of the MAC notifications. For details, see SNMP
MAC Notification Listener.
Configure all devices to send traps to the Trap Listener port of the LMS server (This is the port
number that you would have configured on LMS Administration screen). For more details, see
Enabling SNMP Traps on Switch Ports.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/scg.html
User Tracking collects username and IP address through UTLite for Windows environment. For
more details, see Understanding UTLite.
In a Windows environment you can either install UTLite or configure DHCP snooping to get IP address
of the end host. They can also co-exist.
If you have neither installed UTLite nor enabled DHCP snooping, the IP address of the end-host
connected will be updated only in the next UT Major Acquisition cycle. The ARP cache of the device
should be populated with the IP address, for UT Major Acquisition to discover it.
The User Tracking Dynamic Updates process includes:
UTLite
Checks whether the traps are generated from a switch managed by LMS.
UTLite
UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active
Directory, and Novell servers.
To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell
servers. You can also install UTLite in an Active Directory server.
For complete information, see Understanding UTLite.
When an end-host is connected to your network, the following happens in the background.
1.
2.
The MACUHIC process in LMS receives the MAC notification either directly from the switch or
through other applications like LMS Monitor and Troubleshoot module or HPOV.
3.
4.
LMS updates the database with the username and IP Address received from UTLite. The database
does not contain the complete information about the end host.
5.
Collection.
LMS updates the database with the complete User Tracking information for the host.
The User Tracking end host history reports, end host reports, reports on switch ports, wireless clients,
duplicate MAC addresses, and duplicate IP addresses, use this updated information while generating
reports.
Select Admin > Collection Settings > User Tracking > Dynamic Update Process Status.
The Dynamic Updates Process Status window appears.
If you have started the process already, the status window shows Dynamic Updates Processes are
RUNNING.
Step 2
STOPPED.
Step 3
Note
LMS supports only those switches that contain the Management Information Base (MIB) named MAC
Notification, for enabling the SNMP traps.
Through LMS Interface
Note
Configure the LMS server secondary credentials in LMS. You can set them up at Admin > Collection
Settings > Config > Secondary Credential Settings. For more details, see Secondary Credentials.
LMS configures SNMP MAC Notification version 1 as the default version on switches for Dynamic
Updates.
To enable MAC notification in switches:
Step 1
Select Admin > Collection Settings > User Tracking > Device Trap Configuration.
The Configure Trap on Devices dialog box appears.
Step 2
Select the switches for which you want to enable the traps, from the Device Selector.
Step 3
Step 4
Field
Description
Check the check box to configure devices, to send SNMP traps to LMS.
Trap Community
Set a community string for the SNMP traps sent by devices. This property
is enabled only when LMS is the Primary receiver for SNMP traps. This
string is added to the list of valid strings in the Dynamic User Tracking
Configuration screen.
Check the check box to make this community string the default for
future configurations, if LMS is the Primary Trap receiver.
Filter
Allows you to filter the ports listed, based on port name, device name and
the device address (IP address of the device).
The default trap receiver port number of the LMS server is 1431.
Port
Table 7-8
Field
Description
Device Name
Device Address
Step 5
Check the check boxes to select the ports on which you want to enable SNMP traps.
Step 6
Step 7
Click OK.
Note
If you select LMS as the Primary listener, the MAC notifications reach the application directly from
the switches.
If you select LMS as the Secondary listener, (with HPOV or LMS Monitor and Troubleshoot module
as the primary listener), MAC notifications reach LMS through HPOV or LMS Monitor and
Troubleshoot module.
Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps.
To select the MAC notification listener, see the following sections:
Select Admin > Collection Settings > User Tracking > Trap Listener Configuration.
The Trap Listener Configuration dialog box appears.
Step 2
Check Listen traps from Device to configure the trap reception directly from the devices.
This makes LMS the primary listener for receiving SNMP traps from devices.
OR
Check Listen traps from Fault Monitor/HPOV to receive the traps through these applications.
In this case, LMS Fault Monitor or HPOV acts as the primary listener for SNMP traps from devices and
forwards them to LMS, which acts as the secondary listener for traps.
If both options are enabled, LMS can receive traps directly from devices, from HPOV and from LMS
Fault Monitor module.
Step 3
Enter the port number of the port through which you want to receive the traps, in the Trap Listener Port
field.
The default trap listener port number of the LMS server is 1431.
Step 4
The supported versions of HPOV are HPOV 7.50, HPOV 7.51 and HPOV 7.53.
Install Cisco Works Integration Utility
You must have Cisco Prime Integration Utility (Integration Utility) installed on your system. Integration
Utility is a utility that integrates Cisco Prime applications with third-party Network Management
Systems (NMS).
This utility is available as part of the DVD in the LMS 4.0.
This integration utility adds Cisco device icons to topology maps, allows Cisco MIB browsing from
NMS, and sets up menu items on the NMS to launch remotely installed Cisco Prime applications.
See User Guide for Cisco Prime Integration Utility 1.11, for more details on the integration utility.
Note
You must install the Integration Utility on the same machine on which you have installed HPOV.
LMS supports Trap Adapter for OpenView on Windows and Solaris operating systems.
To install the adapter on Windows:
Step 1
Step 2
Modify the Trap Receiver address and the port number to the LMS values, in the file.
Step 3
Step 4
Step 1
Step 2
Modify the Trap Receiver address and the port number to the LMS values, in the file.
Step 3
Step 4
The supported platforms for the HP NNM and HPOV adapters are:
Network Management System    Supported Platforms
HP OpenView 9.1              Solaris 10
HP OpenView 9.01             Solaris 10
HP OpenView 9.0              Solaris 10
From LMS
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding.
The Notification Services page appears.
Step 2
Enter the Hostname and the port number of the LMS server to which you want to forward the MAC
Notifications.
Step 3
Note
If you configure through Cisco Prime, LMS server receives all Traps including MAC Notification.
From the LMS Fault Monitor Server
Step 1
Step 2
Enter pdterm DfmServer at the command line to stop the LMS Fault Monitor server.
Step 3
Step 4
Edit the trapd.conf file in the directory to reflect the following changes.
Enter:
FORWARD:
address OID generic type specific type \
host [:port] | [:port:community] [host [:port] | [:port:community] ...]
where the explanation for each variable is provided in the trapd.conf file.
Step 5
Enter pdexec DfmServer at the command line to restart the LMS Fault Monitor server.
Select Admin > Collection Settings > User Tracking > Dynamic User Tracking Configuration.
The Dynamic User Tracking Configuration page appears.
Step 2
Step 3
If you configure a device with SNMP v2 or v1 settings in DCR, then the device is initially queried
with SNMP v2 by LMS. If the query fails, LMS will query the device with SNMP v1.
If you configure a device with SNMPv3 settings in DCR, then the device is queried with SNMP v3.
However, if the query fails, the same device will not be queried with SNMP v2 or v1.
Enter the community string in the Valid Community List text box and click Add.
You can add the community strings one at a time. You can use the Delete button to remove the extra or
erroneous strings.
The default Trap community string that you might have added in the Device Trap configuration screen
is also listed here.
Step 4
Step 5
Enter the IP Address in the text box provided and click Add.
You can use the Delete button to delete extra or erroneous entries.
Step 6
You can use any one of the options to filter SNMP traps.
For example:
To process traps from all sources that have private or test as the community string, set:
Validate SNMP Community = true (by checking the check box)
Community String = private, test
Validate Trap Source = false
Traps from all sources with the community string private or test are then processed by LMS.
To process traps from the listed IP addresses with the community string private or test, set:
Validate SNMP Community = true
Community String = private, test
Validate Trap Source = true
Valid IP Addresses = 10.77.210.211, 10.77.210.212
Traps from the listed IP addresses with the community string private or test are then processed by
LMS. In this case, LMS first validates the community string and, if it matches, validates the source
address.
Understanding UTU
Downloading UTU
Installing UTU
Accessing UTU
Configuring UTU
Uninstalling UTU
Understanding UTU
User Tracking Utility (UTU) allows users with Help Desk access to search for users, hosts, or IP Phones
discovered by LMS User Tracking application. UTU comprises a server-side component and a client
utility.
UTU is supported on LMS 3.0 (Campus Manager 5.0.6), LMS 3.1 (Campus Manager 5.1.4), and
LMS 3.2 (Campus Manager 5.2.1). To use UTU in LMS 4.2, Network Topology, Layer 2 Services and
User Tracking must be enabled and accessible through the network.
UTU 2.0 supports silent installation mode for easy deployment. It supports communication with LMS
server in Secure Sockets Layer (SSL) mode.
The following features are supported in the Cisco Prime User Tracking Utility 2.0 release:
Earlier, User Tracking Utility did not work on Windows Vista client systems because of library conflicts.
UTU 2.0 is built on Microsoft .Net Framework and Windows Presentation Foundation (WPF). With this,
UTU 2.0 now works on Windows Vista client systems.
Support for Phone Number Search
In this release, UTU supports searching phone numbers in addition to existing search criteria.
Memory (RAM)
Additional
required software
Windows 2008
Windows Vista
512 MB
LMS 3.0 (Campus Manager 5.0.6), or LMS 3.1 (Campus Manager 5.1.4), or
LMS 3.2 (Campus Manager 5.2.1), or LMS 4.2 (Network Topology, Layer 2
Services and User Tracking)
Network
Connectivity
LMS 3.0 (Campus Manager 5.0.6) or LMS 3.1 (Campus Manager 5.1.4) or LMS
3.2 (Campus Manager 5.2.1) or LMS 4.0 (Network Topology, Layer 2 Services and
User Tracking) must be running, and accessible through the network
Downloading UTU
UTU requires Cisco PrimeUserTrackingUtility2.0.exe file to be downloaded and installed.
To download UTU 2.0:
Step 1
Click http://www.cisco.com/cisco/software/navigator.html.
You must be a registered Cisco.com user to access this Software Download site. The site prompts you to
enter your Cisco.com username and password in the login screen, if you have not logged in already.
Step 2
From the Software Product Category, select Cloud and Systems Management > Routing and
Switching Management > Cisco Prime LAN Management Solution.
Step 3
Step 4
Step 5
Select a product release version from the Latest Releases folder and locate the software update to
download.
Step 6
Step 7
Click the Download Now button to download and save the device package file to any local directory on
LMS Server.
Step 8
Installing UTU
You can install UTU 2.0 either in normal installation mode or silent installation mode.
Before you install UTU 2.0, check whether your system meets the requirements mentioned in Hardware
and Software Requirements for UTU.
This section explains:
CiscoWorksUserTrackingUtility2.0.exe file
file-location is the directory where you have the setup.iss file.
Do not use space after the -f1 option. Use the complete path for file-location.
For example, if the install directory for UTU is c:\utu, enter the following at the command prompt:
c:\utu\CiscoWorksUserTrackingUtility2.0.exe -a -s -f1c:\utu\setup.iss
The setup.log file is created during the installation in the same directory where you have extracted the
setup.iss file.
Check the setup.log file to verify the installation completion status.
The value of the ResultCode attribute in the setup.log informs you whether the installation has completed
successfully. The value 0 denotes that the UTU installation in silent mode is successful.
When the value of the ResultCode attribute is other than 0, you must install UTU again.
Step 2
Step 3
Step 4
Click Next.
A warning message appears if you have not installed .Net Framework 3.5 SP1.
You can install .Net Framework 3.5 SP1 after terminating the current UTU installation or before
completing the current UTU installation.
Step 5
Click Next.
A confirmation message appears.
Step 6
Click Yes.
The Choose Destination Location dialog box appears. By default, UTU is installed in the directory
C:\Program Files\CSCOutu2.0.
Note
If you have installed .Net Framework 3.5 SP1 already on the system, the installer directs you to
the Choose Destination dialog box, when you click Next in the User Tracking Utility Welcome
screen.
If you click No in the confirmation message, the warning message appears again stating that you have
not installed .Net Framework 3.5 SP1.
You can download and install .Net Framework 3.5 SP1 and then continue with the UTU installation.
Step 7
b.
Click Finish to complete the installation. User Tracking Utility is installed at the destination location
you specified in Step 7 above and a shortcut to UTU is created on the desktop. To access the utility, see
Accessing UTU.
Accessing UTU
To access UTU, click either:
Start > Programs > Cisco Prime UTU 2.0 > Cisco Prime User Tracking Utility 2.0
Or
The UTU band appears. See Figure 7-1 for UTU 2.0 band.
You can also find an icon in the task bar. You can use this icon to restore the UTU band when minimized.
Figure 7-1
1 - Settings Icon
2 - Minimize icon
3 - Close icon
After a system restart and during the startup, the system launches the UTU automatically.
Configuring UTU
You must configure UTU to set the Campus Manager (for releases earlier than LMS 4.0), or LMS 4.2
server configurations.
To configure UTU:
Step 1
b.
Click Settings.
Enter the name or IP Address of the server on which Campus Manager (for releases earlier than LMS
4.0), or LMS 4.2 is installed.
Step 3
Step 4
Step 5
Enabling SSL
Step 6
Step 7
Select the Remember me on this computer checkbox if you want the client system to remember your
credentials.
The credentials are preserved only for the current user of Windows system. The credentials are not
available when you log into the Windows system with a different user name.
Step 8
Note
Step 1
Step 2
User name
MAC Address
Phone number
Enter any value related to user name, host name, device name, IP Address, Phone number or the MAC
Address in the UTU search field.
For example, you can enter 10.77.208 in the search field.
Step 4
Press Enter.
If your server is not SSL enabled, go to Step 7.
When you query for data from an SSL enabled server, the Certificate Summary dialog box appears.
Step 5
Figure 7-3
Certificate Details
You can click Summary to go back to the Certificate Viewer dialog box.
Step 6
Click Yes in the Certificate Viewer dialog box or Certificate Details dialog box to accept and store the
certificate.
SSL connection is established with the server.
If you click No, the certificate is not stored and no connection is established with the server.
Note
Step 7
The Certificate Viewer dialog box appears only for the first time configuration. If you had clicked Yes
the first time, you are not prompted to store the certificate during subsequent sessions.
Click the X Record(s) Found button to launch the results window.
X denotes the number of matches found.
For example, if there are 4 matches found, the UTU Search band displays 4 Record(s) Found. See
Figure 7-4.
Figure 7-4
UTU search returns only the top 500 records if the number of matches exceeds 500. You must refine your
search if you want better and more accurate results.
Step 8
Copy to Clipboard, where you can copy the selected search result record.
Copy All to Clipboard, where you can copy all the search result records.
For a selected search result record, the Results window displays the details as described in:
See Figure 7-5 for MAC Address search results window and Figure 7-6 for IP Phone search results
window.
Table 7-10
Details for Each Entry in Results Window For a User or Host Search
Entry
Description
User Name
MAC Address
Host IP Address
Host Name
Subnet
Subnet Mask
Device name
Device IP Address
VLAN
Port
Port Description
Port State
Port Speed
Port Duplex
Last Seen
Date and time when User Tracking last found an entry for this user or host
in a switch. Last Seen is displayed in the format yyyy/mm/dd hh:mm:ss.
Figure 7-5
Table 7-11
Details for Each Entry in Results Window For a Phone Number Search
Entry
Description
Phone Number
IP Phone number
MAC Address
Phone IP Address
CCM Address
Status
Phone Type
Model of the phone. Can be SP30, SP30+, 12S, 12SP, 12SPplus, 30SPplus,
30VIP, SoftPhone, or unknown.
Phone Description
Device Name
Device IP Address
Port
Port Description
Last Seen
Date and time when User Tracking last found an entry. Last Seen is
displayed in the format yyyy/mm/dd hh:mm:ss.
Figure 7-6
The search results for the value you enter in the search field depend on the default search
criteria.
Note
xxxx.xxxx.xxxx
xx:xx:xx:xx:xx:xx
xxxxxxxxxxxx
xx-xx-xx-xx-xx-xx
Uninstalling UTU
Ensure that UTU is not running while uninstalling.
If you try to uninstall UTU when it is running, an error message appears and uninstallation terminates.
To uninstall UTU:
Step 1
Select Start > Programs > Cisco Prime UTU 2.0 > Uninstall Cisco Prime User Tracking Utility 2.0
from the Windows task bar.
The Uninstallation wizard appears and prompts you to confirm the UTU uninstallation.
Step 2
Click Yes.
The Uninstallation continues.
Step 3
CHAPTER
Secondary Credentials
Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and
PSIRT/EOX System
Chapter 8
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform these tasks.
When you install LMS, a default job is defined for Inventory Collection and Inventory Polling.
When the default job runs, LMS evaluates the all devices group and executes the job. This way,
whenever new devices are added to the system, these devices are also included in the default
collection/polling job.
For the default system jobs, the device list cannot be edited. You can only change the schedule of those
jobs. Therefore, when a periodic system job for inventory collection or polling is scheduled, the
scheduled job is not displayed in the Inventory Job Browser.
The default system jobs for Inventory Collection and Inventory Polling are created immediately after
installation. However, they may appear in the Inventory Job Browser (Inventory > Job Browsers >
Inventory Collection or Admin > Collection Settings > Inventory > Inventory Jobs) and the LMS Job
Browser (Admin > Jobs > Browser) only after some time has elapsed.
The jobs are displayed in the Job Browser when they are running, or after they are completed, with all
the details such as Job ID, Job Type, and Status.
User-defined jobs, however, are displayed in the Job Browser once they are scheduled, when they are
running, and after they are completed.
You can do the following tasks from the Inventory Job Browser:
Select Admin > Collection Settings > Inventory > Inventory Jobs.
The Inventory Job Browser dialog box appears with a detailed list of all scheduled inventory jobs.
The columns in the Inventory Job Browser dialog box are:
Column
Description
Job ID
Unique ID assigned to the job by the system, when the job is created. Click on the hyperlink to view the
Job details (see Viewing Job Details.)
Periodic jobs such as 6-hourly, 12-hourly, Daily, Weekly and Monthly, have the job IDs that are in the
number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that
this is the third instance of the job ID 1001.
Job Type
Type of job: System Inventory Collection, System Inventory Polling, Inventory Collection and Inventory
Polling.
Status
Status of the job: Scheduled, Successful, Failed, Cancelled, Stopped, Running, Missed Start.
The number, within brackets, next to Failed status indicates the count of the devices that had failed for
that job. This count is displayed only if the status is Failed.
For example, if the status displays Failed(5), then the count of devices that had failed is 5.
This count of failed devices is not displayed for jobs restored from LMS 4.1 or earlier versions.
Description
Description of the job entered by the job creator. This is a mandatory field. Accepts alphanumeric values.
The field is restricted to 256 characters.
Owner
Scheduled at
Completed at
Schedule Type
6 - hourly: Runs the report every 6 hours, starting from the specified time.
12 - hourly: Runs the report every 12 hours, starting from the specified time.
Weekly: Runs weekly on the specified day of the week and at the specified time.
Monthly: Runs monthly on the specified day of the month and at the specified time.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job
will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed.
If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will
start only at 10:00 a.m. on November 3.
Using the Filter by field in the Inventory Job Browser, you can filter the jobs displayed in the browser.
You can filter the jobs using any of the following criteria and clicking Filter:
Filter Criteria
Description
All
Job ID
Select Job ID and enter the whole or the first part of the Job ID(s) that you want to display.
Select Job Type and then select any one of the following:
Job Type
Status
Inventory Polling
Inventory Collection
Schedule
Successful
Failed
Cancelled
Stopped
Running
Missed Start
Missed start is the status when the job could not run for some reason at the scheduled time.
For example, if the system was down when the job was scheduled to start, when the system comes up
again, the job does not run. This is because the scheduled time for the job has elapsed. The status for the
specified job will be displayed as Missed Start.
Description
Select Description and enter the first few letters or the complete description.
Owner
Select Owner and enter the user ID or the beginning of the user ID.
Schedule
Type
Refresh
Immediate
Once
6-hourly
12-hourly
Daily
Weekly
Monthly
(Icon)
To perform the following tasks, use the Inventory Job Browser (Table 8-1).
Table 8-1
Inventory Browser Buttons, the Tasks they Perform and their Description
Button
Task
Description
Create
Create jobs
Edit
Edit jobs
Cancel
Cancel jobs
You can cancel a scheduled job. You can select more than one scheduled job to cancel. You are
prompted to confirm the cancellation.
If it is a periodic job, you are prompted to confirm whether you want to cancel only the current
instance of the job or all future instances.
1.
2.
3.
Stop
Stop jobs
Click OK.
Delete
Delete jobs
You can delete a job that has been scheduled, successful, failed, stopped or cancelled. However,
you cannot delete a running job.
You can select more than one job to delete, provided they are scheduled, successful, failed,
stopped, or cancelled jobs. For instance, if you select a failed job and a running job, the Delete
button is disabled.
If you are deleting a scheduled periodic inventory job, the following message is displayed:
If you delete periodic jobs, or instances of a periodic job, that are yet to be
run, the jobs will no longer run, nor will they be scheduled to be run again. You
must recreate the deleted jobs.
Job Details: Expand this node to display Job Summary and Job Results for the inventory collection
or polling job.
Job Summary: Click on this node to view the following for the inventory collection or polling job:
Job Summary: Displays information about the job type, the job owner, the status of the job, the
start time, the end time, the schedule type, and details of email notification.
Device Summary: Displays information about the total devices submitted for the job, the
number of devices that were scanned, the number of devices that were pending, the devices that
were successful with change, successful without change, and the failed devices.
Also, the Device Details and Not Attempted information appears.
Not Attempted displays the number of devices for which the Inventory collection module did
not attempt to collect the data.
Job Results: Displays information about the number of devices scanned, the names of the scanned
devices, the duration of scanning, the average scan time per device, and the job results description,
for the inventory collection or polling job.
To see more details, expand the Job Results node. You will see the following details:
Failed: If you click on this node, you will see the collective list of failed devices and the reason
for their failure in the right pane, for the inventory collection or polling job.
If you expand this node, the list of failed devices appears.
If you select a device, the right pane displays the device name and the reason for the failure. For
example, Device sensed, but collection failed, or Device not reachable.
Successful: With Changes
If you click on this, you will see as a comma-separated list in your right pane, the devices that
were successful for the inventory collection or polling job.
Note
Either:
Select Admin > Collection Settings > Inventory > Inventory Jobs.
Select either:
Click Create.
The Create Inventory Job dialog box appears.
Or
Step 3
Select either:
Device Selector, if you want to schedule report generation for static set of devices
Or
Group Selector, if you want to schedule report generation for dynamic group of devices.
Step 4
Field
Description
Job Type
Scheduling
Run Type
6 - hourly: Runs the report every 6 hours, starting from the specified time.
12 - hourly: Runs the report every 12 hours, starting from the specified time.
Weekly: Runs weekly on the day of the week and at the specified time.
Monthly: Runs monthly on the day of the month and at the specified time.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the
job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance
of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1
job has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m.
November 2, then the next job will start only at 10:00 a.m. on November 3.
If you select Immediate, the date field option will be disabled.
Date
1.
Enter the start date in the dd mmm yyyy format, for example, 02 Jul 2004, or click on the calendar icon and select the date.
2.
Enter the start time by selecting the hours and minutes from the drop-down list.
The Date field is enabled only if you have selected an option other than Immediate in the Run
Type field.
Job Info
Job Description
Enter a description for the report that you are scheduling. This is a mandatory field. Accepts alphanumeric values. This field is restricted to 256 characters.
Enter e-mail addresses to which the job sends messages when the job has run.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog
box (Admin > System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address,
Step 5
Click Submit.
You get a notification that the job has been successfully created, and it appears in the Inventory Job
Browser.
To edit a job, select a scheduled job from the Inventory Job Browser, and click Edit.
The Edit Inventory Job dialog box appears. The Job Type options are disabled. You can however, change
the Scheduling and Job Info fields as required, and click Submit.
The job is edited.
SNMP Retry: Number of times that the system should try to access devices with SNMP options.
The default value is 2. The minimum value is zero and the maximum value is 6.
SNMP Timeout: Amount of time that the system should wait for a device to respond before it tries
to access it again. It refers to the total transaction time of SNMP Packets.
The default value is 2 seconds and the minimum value is zero seconds. There is no maximum value
limit. Changing the SNMP timeout value affects inventory collection.
Telnet Timeout: Amount of time that the system should wait for a device to respond before it tries
to access it again. It refers to the initial response time required to create a socket.
The default value is 36 seconds and the minimum value is zero seconds. There is no maximum value
limit.
Changing the Telnet timeout value affects inventory collection.
Natted LMS IP Address: The LMS server ID. This is the translated address of LMS server as seen
from the network where the device resides.
You need to enable support for NAT, in a scenario where LMS tries to contact devices outside the
NAT boundary.
The default value is Not Available.
TFTP Timeout: Amount of time that the system should wait to get the result status of the copy
operation. Changing the TFTP timeout value affects Config collection.
The default value is 5 and the minimum value is 0 seconds. There is no maximum value limit.
Read Delay: Amount of time the system will sleep in between each read iteration.
The default read delay is 10 milliseconds.
Transport Timeout: Amount of time the socket will be blocked for read operation.
The default value is 45000 milliseconds.
Login Timeout: Amount of time in milliseconds after which it will start reading the user prompt.
The default value is 2000 milliseconds.
Tune Sleep: Amount of sleep time in milliseconds after sending tune command 3 to 4 times.
The default value is 50 milliseconds.
Delay After Connect: Amount of waiting time in milliseconds after initial socket connection. It
will wait for the set time before doing the next operation.
The default value is 300 milliseconds.
Select Admin > Network > Timeout and Retry Settings > Config Timeout and Retry Settings.
The Inventory, Config timeout and retry settings page appears.
Step 2
Step 3
SNMP Retry
SNMP Timeout
Telnet Timeout
TFTP Timeout
Read Delay
Transport Timeout
Login Timeout
Tune Sleep
Click Apply.
Note
Step 4
Modifying the default timeout values will apply to all the devices and impact the work flows of
all devices. To edit per device level attributes, go to Editing Device Attributes.
Click OK.
A confirmation message appears:
The settings are updated successfully
Note
When you do a back up restore from LMS 3.x/4.x to LMS 4.2, the inventory, config timeout, and retry
values will not be restored by default. To restore the values for all the devices, edit the default values in
Timeout and Retry settings page. To restore the values for specific devices, go to Admin > Collection
Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings.
Secondary Credentials
The LMS server polls and receives two types of credentials from each device and populates the Device
Credential Repository (DCR). These credentials are:
Primary Credentials
Secondary Credentials
LMS uses either the primary or secondary credentials to access the devices using the following
protocols:
Telnet
SSH
The LMS server first uses the Primary Credentials to access the device. The Primary Credentials are tried
many times and, on failure, the Secondary Credentials are tried. Secondary Credentials are used as
a fallback mechanism in LMS for connecting to devices.
For instance, if the AAA Server is down, accessing devices using their primary credentials will lead to
failure.
You can add or edit the Secondary Credentials information through the DCR page (Select Inventory >
Device Administration > Add / Import / Manage Devices) if the Secondary Credential information is
not available for a device.
Note
The use of Secondary Credentials fallback is applicable for both Login and Enable connectivity.
You can use the LMS Secondary Credential dialog box to enable or disable Secondary Credentials
fallback when the Primary Credentials for a device fails. This is a global option which you can use to
enable or disable the use of Secondary Credential fallback for all LMS applications.
To enable or disable the Secondary Credentials fallback:
Step 1
Select Admin > Collection Settings > Config > Secondary Credential Settings.
or
Select Admin > Collection Settings > Inventory > Secondary Credential Settings.
The Secondary Credentials dialog box appears.
Step 2
Check the Fallback to Secondary Credentials check box if you want to enable the Secondary
Credential fallback.
Or
Uncheck the Fallback to Secondary Credentials check box if you want to disable the Secondary
Credential fallback.
Step 3
Click either Apply to apply the option or click Cancel to discard the changes.
Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX System
Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings
Note
Step 1
View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform these tasks.
Select Admin > Collection Settings > Inventory > Inventory System Job Schedule.
The System Job Schedule dialog box displays the current collection or polling schedule.
Step 2
Set the new Inventory Collection or Inventory Polling schedule in the respective panes, as in Table 8-2.
Inventory data does not change frequently, so infrequent collection is better. However, if you are
installing much new equipment, you may need more frequent collection.
Infrequent collection reduces the load on your network and managed devices. Collection is also best
done at night or when network activity is low.
Also, make sure your collections do not overlap, by checking their duration using the Inventory Job
Browser (see Using the Inventory Job Browser), and scheduling accordingly.
Step 3
Click Apply.
The new schedule is saved.
Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform these tasks.
Step 1
Select Admin > Network > Compliance Policy/PSIRT/EOS/EOL Settings > Compliance Policy and
Psirt/Eox System Job Schedule.
The Compliance Policy and PSIRT/EOX System Job Schedule page appears.
Step 2
Set the new Compliance Policy and PSIRT/EOX schedule in the respective panes, as in Table 8-2.
Step 3
Click Apply.
The new schedule is saved.
Table 8-2
Details of Inventory system schedule and CAAM Policy and PSIRT/EOX System Job Schedule
Field
Description
Scheduling
Run Type
Select the run type or frequency for inventory collection or polling, CAAM Policy and PSIRT/EOX: Daily,
Weekly, or Monthly.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job
will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If
the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start
only at 10:00 a.m. on November 3.
Date
Select the date for the collection or polling to begin, using the date picker.
at
Enter the time for the collection or polling to begin, in the hh:mm:ss format.
Job Info
Job Description
Enter e-mail addresses to which the job sends messages when the collection or polling job has run.
You can enter multiple e-mail addresses, separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin >
System > System Preferences).
We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box (Admin
> System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the sender's address.
Perform the following steps to view the Compliance Policy and PSIRT/EOX Job Report:
Step 1
Step 2
Select Type in the Filter by field and SystemPsirtJob in the drop-down list.
Step 3
Click Filter.
The SystemPsirtJob will be filtered and displayed.
Step 4
Click the Job ID (for example, 1005.1) to view the Compliance Policy and PSIRT/EOX Job Report.
Note
System PSIRT job should be successful at least once before generating PSIRT/End-of-Sale or
End-of-Life (EoX) reports. Report job will be successful even though there is no data to display for the
selected devices.
The EoS/EoL reports will be successful but might not contain data in the below scenarios:
1. If the system PSIRT job fails because of wrong Cisco.com credentials, or if you have not
configured the Cisco.com credentials.
2. If the system PSIRT job fails due to problems in the downloaded local XML file.
3.
LMS fetches and collects this PSIRT information from Cisco.com whenever the system PSIRT and
End-of-Sale or End-of-Life (EOX) job runs.
LMS uses PSIRT, End-of-Sale and End-of-Life data from Cisco.com to generate various reports. You
can change the Data Source for PSIRT or End-of-Sale or End-of-Life reports. For more information, see
Changing the Data Source for PSIRT/EOS/EOL Reports.
When you schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the
data either from Cisco.com or from a local text file with XML data, depending upon the option you have
set.
Select Admin > Network > PSIRT, EOS and EOL Settings > PSIRT/EOX Reports option.
The PSIRT/EOX Reports dialog box appears.
Step 2
Either:
Select Cisco.com, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data
from Cisco.com
Or
Select Local, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data from
local file.
The local file location is shown if you have selected Local.
Step 3
Click Apply
The PSIRT or End-of-Sale or End-of-Life report can be generated based on the settings specified by you.
Note
While you schedule a PSIRT Summary report job or End-of-Sale or End-of-Life job using the Cisco.com
method, the Cisco.com Username, Cisco.com Password are enabled. If you have configured the Proxy
Server (Admin > System > Cisco.com Settings > Proxy Server Setup) then Proxy Username and Proxy
Password fields are also enabled.
You can retrieve the PSIRT or End-of-Sale or End-of-Life information from an external server and store
it in the local file location on the LMS server.
To download the text file with XML data from Cisco.com:
1. Use a server other than LMS server with internet connection as the external server.
2. From this external server, access the following link to download the XML data:
Go to
http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwareid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=latest#
2.
3.
4.
Extract the text file with XML data to the external server.
5.
Copy the text file from the external server into the LMS Server under:
On Solaris/Soft Appliance,
/var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml
On Windows, NMSROOT\files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml
The text file with XML data gets saved under local_xml folder.
Where NMSROOT is the default Cisco Prime installation directory.
For EoS/EoL Software Report:
1. Go to
http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwareid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=latest#
2.
3.
4.
Copy the EOX_SOFTWARE.zip file from the external server into the LMS Server under:
On Solaris/Soft Appliance,
/var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml
On Windows, NMSROOT\files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml
Note
You must not extract the EOX_SOFTWARE.zip file in the LMS Server.
The EOX_SOFTWARE.zip file gets saved under local_xml folder.
Where NMSROOT is the default Cisco Prime installation directory.
When you schedule a PSIRT or End-of-Sale/End-of-Life report, the Report Generator retrieves the data
from the XML file.
To ensure that the data shown in the PSIRT or End-of-Sale or End-of-Life report is the latest:
1. Retrieve the PSIRT or End-of-Sale or End-of-Life information from Cisco.com using an external
server which has internet connection.
2.
3.
Provide VRF Lite Collector Settings. For details, see Using VRF Lite Collector Settings.
Schedule VRF Lite Collection. For details, see Scheduling VRF Lite Collector.
Modify SNMP Timeouts and Retries. For details, see Modifying VRF Lite SNMP Timeouts and
Retries.
To specify the debugging options for VRF Lite Server, VRF Lite Collector, and VRF Lite, select
Admin > System > Debug Settings.
To view the status of VRF Lite jobs, select Admin > Jobs > Browser, and use the filter to view
only VRF Lite jobs.
To configure the purging interval for Virtual Network Manager Report Jobs and Archives, select
Admin > Network > Purge Settings > VRF Management Purge Settings. For details, see Purging
VRF Management Reports Jobs and Archived Reports.
This section contains:
Select Admin > Collection Settings > VRF Lite > VRF Lite Collector Schedule.
The VRF Lite Collector Schedule dialog box appears.
Step 2
Table 8-3
Field
Description
Usage Notes
Schedule
Job ID
Days on which and the time at which VRF Lite collection is scheduled.
The optimum VRF Lite collection schedule depends on the size of the network and the frequency of
network changes. By default, the VRF Lite collection process is scheduled to run after the Data
Collection process has completed.
Recurrence Pattern
Select the days of the week on which VRF Lite collection is to be scheduled.
This field is available only when you are adding or editing a schedule.
Job Description
Step 3
To view the status of the VRF Lite Collector Schedule job, select Admin > Jobs > Browser, and use
the filter to view the VRF Lite Collector Schedule job.
Select Admin > Network > Timeout and Retry Settings > VRF Lite SNMP Timeouts and Retries.
The VRF Lite SNMP Timeouts and Retries dialog box appears.
Step 2
Field
Description
Target
Timeouts
Retries
Number of attempts made to query the device. The allowed range is 0-8.
Step 3
Step 4
Click Edit to edit the VRF Lite SNMP Timeouts and Retries value.
Or
Click Delete to delete the VRF Lite SNMP Timeouts and Retries value.
Click Apply.
Timeout: 4 seconds
Retries: 3
Note
Changing the settings on this page will modify the settings on all devices managed by LMS.
Note
Your login determines whether or not you can perform this task. View Permission Report (Reports >
System > Users > Permission) to check if you have the required privileges to perform this task.
To modify the Fault Management SNMP timeout and retries:
Step 1
Select Admin > Network > Timeout and Retry Settings > Fault Management SNMP Timeouts and
Retries. The SNMP Configuration page appears.
Step 2
Step 3
Step 4
Click Apply.
Step 5
Your login determines whether or not you can perform this task. View Permission Report (Reports >
System > Users > Permission) to check if you have the required privileges to perform this task.
LMS rediscovery probes the devices to discover their configuration and verify their manageable
elements in inventory.
LMS contains a default discovery schedule that starts rediscovery on a weekly basis. Although you
cannot modify the default discovery schedule, you can suspend it and add, modify, or delete additional
schedules.
For more information, see
Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule.
The Rediscovery Schedule page appears.
Step 2
Select a schedule that does not have a Suspended status, and click Suspend.
The status for the schedule changes to Suspended and the schedule does not run until you resume
the schedule. The schedule remains listed on the Rediscovery Schedule page until you delete it.
Or
You should plan the rediscovery schedule for maximum efficiency and minimum system impact.
When LMS is first installed, for the Fault Management module most tasks listed in Table 8-5 are
scheduled by default to ensure that they do not run concurrently. You can configure the schedules for
these tasks to meet the requirements of your site. However, you should still avoid running them
concurrently.
Table 8-5
Scheduling Considerations
Configuration Task
Default Schedule
Database purging
Run daily at
midnight.
Rediscovery
Run weekly on
Monday at 2:00 a.m.
In addition to configuring schedules, a system administrator can schedule database backups. Be careful
while coordinating the database backup schedule to avoid running concurrently with the tasks listed in
Table 8-5.
To add or edit a rediscovery schedule:
Step 1
Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule.
Step 2
Select either:
Click Add.
Or
Select a rediscovery schedule with a status of Scheduled and click Edit. You cannot edit
Default_Schedule.
Step 3
Step 4
Once
Daily
Weekly (default)
Monthly
Step 5
Select the date, hour, and minute on which to start the rediscovery schedule and click Next.
Step 6
Review the information on the Schedule Summary page and click Finish. The Rediscovery Schedule
page appears, listing the new schedule.
Note
Step 2
Click Yes. The job is removed from this page. However, it will continue to be listed in the main Job
Browser.
Click Admin > Collection Settings > Fault > Fault Event Forensics Configuration. The Event
Forensics Configuration page appears.
Step 2
Select the Event Forensics Enable check box to enable LMS to collect forensics data.
Step 3
Click Apply.
LMS polls for Event Forensics data for the following events only:
Flapping
Operationally Down
To view the event forensics results select Monitor > Monitoring Tools > Fault Monitor. You can see
the event forensics results when you move your mouse over the Annotations in the Faults table of Fault
Monitor Device Fault Summary view tab.
The left pane displays a device selector, from which you select the device or group that you want to
rediscover or delete. The left pane includes a search option.
The right pane displays the information for the selected object.
Note
If the IP addresses of a device and of its components, such as an interface or port, are added separately in
DCR, only the device IP is managed in Fault Management. The component IPs are not
managed separately because the components are already managed under the device IP.
The devices that appear in the device selector are organized in folders by device state as shown in the
Table 8-6. The folders appear only if there is a device to go in the folder.
Table 8-6
Heading
Description
Status
Lists the state the devices are in, from the following possibilities:
Known
The device has been successfully imported, and is fully managed by Fault
Management.
Learning
Questioned
Pending
Unknown
Rediscovering Devices
When rediscovery takes place, if there are any changes to a device or group configuration, the new
settings will overwrite any previous settings.
Rediscovery occurs only for managed devices, and not suspended devices.
Rediscovery also occurs when:
Inventory collection occurs. This is controlled by the Rediscovery Schedule (Admin > Collection
Settings > Fault > Fault Management Rediscovery Schedule)
A device is added to the DCR, or a change is made to a device in the DCR, and LMS is configured
to import that device type (or LMS automatically imports all DCR devices). Such DCR changes
include a device being deleted or having its credentials (IP address, SNMP credentials, MDF type)
changed in the DCR.
Note
Do not confuse the LMS discovery process with the DCR synchronization process. LMS Discovery and
Rediscovery is a process that affects only the LMS inventory.
To rediscover devices:
Step 1
Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault
Monitoring Device Administration page appears.
Step 2
Note
Step 3
If you are connecting to the LMS server for the first time, a Security Alert window is displayed
after you select nearly any option. Do not proceed without viewing and installing the security
certificate. You should contact a user with System Administrator privileges to create a
self-signed security certificate, and then install it. If you do not install the self-signed security
certificate, you may not be able to access some LMS application pages.
Click Rediscover.
Rediscovery starts. To view rediscovery status, select Inventory > Device Administration > Manage
Device State.
Note
If the number of components managed by fault management exceeds 40000/domain then the remaining
devices will be moved to Question State with the error message Network Adapter Limit Exceeded.
Question State Device Report
Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault
Monitoring Device Administration page appears.
Step 2
LMS 4.2 removes application boundaries and provides tighter integration among the components. It
groups all the related functionalities in one place, thus making the product more user friendly.
LMS 4.2 consists of the following five functionalities:
Fault Management
Note
If you disable a function, the function will stop collecting device information. For IPSLA Management,
history data will be deleted.
SNMP timeout is the duration of time that LMS waits for the device to respond before it retries to
query the device again.
SNMP retry is the maximum number of times LMS retries to query the device.
You can also set the notification interval time in case of poller failures and the e-mail ID to which the
notification should be sent.
You can also configure Poll Settings to send the polling failure report as an e-mail.
To configure Poll Settings:
Step 1
Select Admin > Network > Timeout and Retry Settings > Performance Management SNMP
timeouts and retry settings.
The Poll Settings dialog box appears.
Table 8-7 describes the fields in the Poll Settings dialog box.
Table 8-7
Field
Description
Poll Details
SNMP Timeout
SNMP Retries
Polling Failure
Notification Interval
Step 2
Poll Details
Polling Failure
See Table 8-7 for the description of fields that appear in the Poll Settings dialog box.
Step 3
Click Apply to update the poll settings or Reset to cancel the poll settings.
A message appears confirming that poll settings are updated successfully.
Note
The IP SLA probes are automatically reconfigured when you reboot if you have selected this option and
saved the IP SLA probes of the LMS collectors in the startup configuration.
To view the configured collectors in the running configuration:
Step 1
Select Admin > Collection Settings > Performance > IPSLA application settings.
The IPSLA Application Settings page appears.
Step 2
Step 3
Click Apply. A message appears that the application settings have been modified successfully.
Click Default to retain the default settings.
Step 4
Click OK.
Select Admin > Collection Settings > Performance > IPSLA application settings.
The Application Settings page appears.
Step 2
Step 3
Click Apply. A message appears that the application settings have been modified successfully.
Click Default to retain the default settings.
Step 4
Click OK.
If you have enabled the Enable Job Password option in the Config Job Policy dialog box (Admin >
Network > Configuration Job Settings > Config Job Policies) when you scheduled the Config jobs,
you are prompted for the following device credentials:
Login Password
Enable Password
Routers
Username:, Username:
Password:, Password:
Switches
username:, Username:
password:, Password:
If you enabled TACACS for a device and configured custom TACACS login and passwords prompts,
you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts
recognizable, you must edit the TacacsPrompts.ini file. See Handling Custom Telnet Prompts for more
information.
Handling Custom Telnet Prompts
To handle custom telnet prompts in applications, you must configure the TacacsPrompts.ini file located
at:
NMSROOT/objects/cmf/data (on Solaris/Soft Appliance)
NMSROOT \objects\cmf\data (on Windows)
where NMSROOT is the location where you have installed Cisco Prime LMS.
The format of this ini file is:
[TELNET]
USERNAME_PROMPT=
PASSWORD_PROMPT=
For example, if you have configured username and password prompts as MyUsername: and
MyPassword: for a few devices and Secret Username: and Secret Password: for a few devices, the ini
file must be configured as:
[TELNET]
USERNAME_PROMPT=MyUsername:, Secret Username:
PASSWORD_PROMPT=MyPassword:, Secret Password:
Note
You need not add the default Username prompt and Password prompt in the TacacsPrompts.ini file. Only
the custom prompts need to be added.
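The following added example (not Cisco code) parses text in the TacacsPrompts.ini layout shown above and checks which captured login banners would be recognised with and without the custom entries. The matching rule (exact match on the last line received), the device names and the sample banners are assumptions made for illustration.

```python
import configparser

# Prompts recognised without any configuration, taken from the defaults
# listed on this page.
DEFAULT_PROMPTS = {
    "username": ["Username:", "username:"],
    "password": ["Password:", "password:"],
}
INI_KEYS = {"username": "USERNAME_PROMPT", "password": "PASSWORD_PROMPT"}

# Constructed file content in the documented layout.
SAMPLE_INI = """\
[TELNET]
USERNAME_PROMPT=MyUsername:, Secret Username:
PASSWORD_PROMPT=MyPassword:, Secret Password:
"""

# Constructed login banners, as a Telnet client would receive them.
SESSIONS = {
    "rtr-a": "User Access Verification\r\n\r\nUsername: ",
    "sw-b": "\r\nSecret Username: ",
    "sw-c": "Authorized use only\r\nLogin ID: ",
}


def load_custom_prompts(ini_text):
    """Return {'username': [...], 'password': [...]} from the [TELNET] section."""
    # Only '=' separates key and value, because every prompt ends with ':'.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep the upper-case key names
    parser.read_string(ini_text)
    custom = {}
    for kind, key in INI_KEYS.items():
        raw = parser.get("TELNET", key, fallback="")
        custom[kind] = [p.strip() for p in raw.split(",") if p.strip()]
    return custom


def classify_prompt(session_text, custom=None):
    """Return 'username', 'password' or None for the last line a device sent."""
    lines = session_text.strip().splitlines()
    last = lines[-1].strip() if lines else ""
    for kind in ("username", "password"):
        if last in DEFAULT_PROMPTS[kind] + (custom or {}).get(kind, []):
            return kind
    return None


def unrecognised(sessions, custom=None):
    """Return {device: prompt} for banners that no known prompt matches."""
    return {
        device: text.strip().splitlines()[-1].strip()
        for device, text in sessions.items()
        if text.strip() and classify_prompt(text, custom) is None
    }


if __name__ == "__main__":
    print("defaults only:", unrecognised(SESSIONS))
    print("with ini file:", unrecognised(SESSIONS, load_custom_prompts(SAMPLE_INI)))
```

Running the check against banners captured from each device group shows which prompts still need an entry before Telnet-based jobs are scheduled.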
Enabling rcp
Enabling scp
Enabling https
Enabling rcp
To enable the configuration archive to gather the configurations using the rcp protocol, modify your
device configurations.
Make sure the devices are rcp-enabled by entering the following commands in the device configurations:
# ip rcmd rcp-enable
# ip rcmd remote-host local_username {ip-address | host} remote_username [enable]
Where ip-address | host is the IP address or hostname of the machine where LMS is installed.
The default remote_username and local_username are cwuser.
Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS
server. To do this, use the following command so that rcp can fetch the device configuration:
no ip rcmd domain-lookup
Enabling scp
To enable the configuration archive to gather the configurations using the scp protocol, modify your
device configurations.
To configure local User name:
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
ip ssh authentication-retries 4
ip scp server enable
User on the TACACS Server should be configured with priv level 15:
user = admin {
default service = permit
login = cleartext "system"
service = exec {
priv-lvl = 15
}
}
Enabling https
To enable the configuration archive to gather the configurations using https protocol you must modify
your device configurations.
To modify the device configuration, follow the procedure as described in this URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_eol_notices_list.html
Router Commands
Switches Commands
For example, you can use the LMS server to access the devices using Telnet or SSH to archive their
configurations. Ensure that the user credentials you provide in DCR have the required permissions to
access the devices and execute the above-mentioned configuration CLI commands on the devices to fetch
the configurations.
The configuration information that the LMS server fetches from the devices is stored in the LMS
database.
Router Commands
Command
Description
terminal length 0
Sets the number of lines on the current terminal screen for the
current session
terminal width 0
Sets the number of character columns on the terminal screen for the
current line for a session
show privilege
Show running
Show startup
Show running-brief1
The commands in the above tables also apply to the following device types:
Optical Networking
Broadband Cable
Wireless
Storage Networking
Switches Commands
The switches commands are:
Command
Description
set length 0
write term
Description
no terminal more
show running-config
show startup-config
Description
terminal length 0
Sets the number of lines on the current terminal screen for the current
session
show run
show config
Description
terminal length 0
Sets the number of lines on the current terminal screen for the current
session
show autostart
show configuration
Description
terminal width 0
Sets the number of character columns on the terminal screen for the
current line for a session
show config
show running
show curpriv
no pager
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
The following is the workflow for moving the configuration archive location:
Step 1
Step 2
b.
c.
Click Stop.
Select Admin > Collection Settings > Config > Config Archive Settings.
The Archive Settings dialog box appears.
Step 3
Enter the new location in the Archive Location field, or click Browse to select a directory on your
system.
Step 4
Click Apply.
A message appears confirming the changes.
Step 5
b.
c.
Click Start.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
You can enable or disable the use of Shadow directory by following this workflow:
Step 1
Step 2
b.
c.
Click Stop.
Select Admin > Collection Settings > Config > Config Archive Settings.
The Archive Settings dialog box appears.
Step 3
Step 4
Click Apply.
A message shows that the changes were made.
Step 5
b.
c.
Click Start.
Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.)
Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)
While comparing configurations, if you have specified exclude commands in the Device Type, Device
Family and Device Category, these commands are excluded only at the Device Type level. The
commands in the Device Family and Device Category are not excluded.
Example 1:
While comparing configurations, only the Cisco 1003 Router (Device Type) level commands are
excluded.
Example 2:
If you have specified these commands only at Device Family and Device Category,
While comparing configurations, only the Cisco 1000 Series Routers (Device Family) level commands
are excluded.
If the commands are specified only at the Device Category level, these commands are applicable to all
devices under that category.
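The precedence rule above, as an added example that is not LMS code: the most specific level that defines exclude commands is the only one applied, so noise lines excluded at a broader level reappear in the comparison once a narrower list exists. The category name "Routers", the device "Cisco 1005 Router", the sample configurations and the line-matching rule are assumptions made for illustration.

```python
from difflib import SequenceMatcher

# Constructed exclude-command settings. Level names follow this page; the
# category name "Routers" and the commands themselves are illustrative.
EXCLUDES = {
    ("category", "Routers"): ["ntp clock-period"],
    ("family", "Cisco 1000 Series Routers"): ["! Last configuration change"],
    ("type", "Cisco 1003 Router"): ["end"],
}

# Constructed running configurations, archived one day apart.
OLD_CONFIG = """\
! Last configuration change at 10:00:00 UTC Mon Nov 1
hostname edge-1
ntp clock-period 17180000
logging host 192.0.2.10
end
"""
NEW_CONFIG = """\
! Last configuration change at 10:05:00 UTC Tue Nov 2
hostname edge-1
ntp clock-period 17180123
logging host 192.0.2.99
end
"""


def effective_excludes(excludes, category, family, device_type):
    """Return the exclude list of the most specific level that defines one.

    Levels are not merged: a Device Type list hides the Family and Category
    lists, and a Family list hides the Category list.
    """
    for key in (("type", device_type), ("family", family), ("category", category)):
        commands = excludes.get(key)
        if commands:
            return list(commands)
    return []


def strip_excluded(config_text, exclude_cmds):
    """Drop blank lines and lines that begin with an excluded command.

    Assumption: a command matches when the line equals it or continues it
    after a space, so "end" does not also hide "endpoint ...".
    """
    kept = []
    for line in config_text.splitlines():
        text = line.strip()
        if not text:
            continue
        if any(text == c or text.startswith(c + " ") for c in exclude_cmds):
            continue
        kept.append(line.rstrip())
    return kept


def compare_configs(old, new, exclude_cmds):
    """Return changed lines, '- ' for removed and '+ ' for added."""
    a = strip_excluded(old, exclude_cmds)
    b = strip_excluded(new, exclude_cmds)
    changes = []
    matcher = SequenceMatcher(a=a, b=b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            changes += ["- " + line for line in a[i1:i2]]
        if tag in ("replace", "insert"):
            changes += ["+ " + line for line in b[j1:j2]]
    return changes


def changes_for(category, family, device_type):
    """Compare the two sample configurations as they would be for one device."""
    commands = effective_excludes(EXCLUDES, category, family, device_type)
    return compare_configs(OLD_CONFIG, NEW_CONFIG, commands)


if __name__ == "__main__":
    for device in ("Cisco 1003 Router", "Cisco 1005 Router"):
        print(device)
        for change in changes_for("Routers", "Cisco 1000 Series Routers", device):
            print("  " + change)
```

For the Cisco 1003 Router the timestamp and ntp clock-period lines show up as changes beside the logging host change, because only the Device Type list is applied.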
To configure Exclude Commands:
Step 1
Select Admin > Collection Settings > Config > Config Compare Exclude Commands
Configuration.
The Configure Exclude Commands dialog box appears.
Step 2
Step 3
Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.)
Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)
Enter the command in the Exclude Commands pane to add new commands.
You can enter multiple commands separated by commas.
You can also edit or delete the existing commands in the Exclude Commands pane.
Step 4
Click Apply.
A message appears, The commands to be excluded are saved successfully.
Select Admin > Collection Settings > Config > Config Job Timeout Settings.
The Fetch Settings dialog box appears.
Step 2
Provide the Job Result wait time in seconds in the Maximum time to wait for Job results per device
(seconds) field.
Step 3
Click Apply, if you want to submit the Job Result Wait Time entered.
Click Cancel if you want to cancel the changes made to the Job Result Wait Time.
Note
The Syslog application triggers configuration fetch, if configuration change messages like
SYS-6-CFG_CHG, CPU_REDUN-6-RUNNING_CONFIG_CHG etc., are received.
If LMS detects an effective change, the new configuration is queued for Archival.
2. The archiver calculates the exact effective changes, assigns a new version number for the newly
collected archive, and archives it in the system.
3. The archiver, at the end, logs a change audit record that the configuration of the device has changed,
along with other Audit information.
4. If you have enabled the Enable Shadow Directory option in the Archive Settings dialog box (select
Admin > Collection Settings > Config > Config Archive Settings) the latest running configuration
file is also stored in a raw format for manual TFTP purposes to restore the configuration on the
device, in the directory location:
On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow
On Windows, NMSROOT/files/rme/dcma/shadow. Where NMSROOT is the directory in which
Note
Startup configurations are not versioned and only one copy of the startup configuration of devices
(which supports startup configuration), is saved in the system. No change audit records are logged for
changes in the Startup Configuration files.
LMS first compares the collected configuration file, with the latest configuration in the archive, and
checks to see if there are effective configurations changes from what was previously archived.
Any configuration change made through the LMS system (for example, using Config Editor or
Netconfig), will have the user name of the user who scheduled the change job.
Any configuration change that was done outside of LMS and detected through the configuration
retrieval process, has the same user name as reported by the device through the CONFIG-MAN-MIB
variable (ccmHistoryEventTerminalUser).
Changes identified through syslog messages, contain the user name identified in the Syslog
message, if present.
Periodic configuration archival (with and without configuration polling). To do this select Admin >
Network > Collection Settings > Config > Config Collection Settings.
Manual configuration archival. To do this, select Configuration > Configuration Archive >
Synchronization.
You can modify how and when the configuration archive retrieves configurations by selecting one or all
of the following:
Periodic Polling
The configuration archive performs an SNMP query on the device. If there are no configuration changes
detected in the devices, no configuration is fetched.
Periodic Collection
The configuration is fetched without checking for any changes in the configuration.
By default, the Periodic Collection and Polling are disabled.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
The following is the workflow for defining the configuration collection setting:
Step 1
Step 2
Select Enable for Configuration archive to perform an SNMP query on the device to retrieve
configuration.
b.
Click Schedule.
The Config Collection Schedule dialog box appears.
c.
Field
Description
Scheduling
Run Type
You can specify when you want to run the configuration polling job.
To do this, select one of these options from the drop-down menu:
Weekly: Runs weekly on the day of the week and at the specified time.
Monthly: Runs monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has
completed.
If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will
start only at 10:00 a.m. on November 3.
Date
You can select the date and time (hours and minutes) to schedule.
Job Information
Job Description
The system default job description, Default config polling job is displayed.
You cannot change this description.
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin
> System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with
the E-mail ID as the sender's address.
d.
Click OK.
Periodic Collection
a.
Select Enable for Configuration archive to perform a periodic check on the device to retrieve
configuration.
b.
Click Schedule.
The Config Collection Schedule dialog box appears.
c.
Field
Description
Scheduling
Run Type
You can specify when you want to run the configuration collection job.
To do this, select one of these options from the drop-down menu:
Weekly: Runs weekly on the day of the week and at the specified time.
Monthly: Runs monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has
completed.
If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will
start only at 10:00 a.m. on November 3.
Date
You can select the date and time (hours and minutes) to schedule.
Job Information
Job Description
The system default job description, Default config collection job, is displayed.
You cannot change this description.
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with
the E-mail ID as the sender's address.
d.
Click OK.
b.
Click Apply.
The VLAN config collection will be disabled for both manual and system config collection jobs. By
default the Disable VLAN Config collection checkbox is unchecked.
Step 3
You can check the status of your scheduled job by selecting Admin > Jobs > Browser.
To use this Protocol
You must...
Telnet
Know Telnet passwords for login and Enable modes for the device. If the device is configured for TACACS authentication, enter the Primary Username and Primary Password.
TFTP
RCP
Configure devices to support incoming rcp requests. To make sure the device is rcp-enabled, enter the
following commands in the device configuration:
# ip rcmd rcp-enable
# ip rcmd remote-host local_username {ip-address | host} remote_username [enable]
where ip-address | host is the IP address/hostname of the machine where LMS is installed. The default
remote_username and local_username are cwuser. For example, you can enter:
# ip rcmd remote-host cwuser 123.45.678.90 cwuser enable
Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS server.
To do this, use the following command for RCP to fetch the device configuration:
no ip rcmd domain-lookup
SSH
Know the username and password for the device. If device is configured for TACACS authentication, enter
the Primary Username and Primary Password.
Know password for Enable modes.
When you select the SSH protocol for the LMS applications (Configuration Archive, NetConfig, ConfigEditor, and NetShow) the underlying transport mechanism checks whether the device is running SSHv2.
If so, it tries to connect to the device using SSHv2.
If the device does not run SSHv2 and runs only SSHv1 then it connects to the device through SSHv1.
If the device runs both SSHv2 and SSHv1, then it connects to the device using SSHv2.
If a problem occurs while connecting to the device using SSHv2, then it does not fall back to SSHv1 for the
device that is being accessed.
Some useful URLs on configuring SSHv2 are:
_list.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html
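The SSH version-selection rules described above, modelled as an added example (not LMS code): it classifies a device's SSH identification string per RFC 4253, where protoversion 1.99 marks a server that speaks both SSHv1 and SSHv2, and reports which devices would still be reached over the obsolete SSHv1. The function names, host names and sample banners are constructed for illustration.

```python
import re

# SSH identification string: "SSH-protoversion-softwareversion" (RFC 4253, section 4.2).
_BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-\S+")


def offered_versions(banner):
    """Return the set of SSH protocol versions (1 and/or 2) a server banner advertises."""
    m = _BANNER_RE.match(banner.strip())
    if m is None:
        raise ValueError("not an SSH identification string: %r" % banner)
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        return {1, 2}   # RFC 4253 section 5.1: SSHv2 server in SSHv1 compatibility mode
    if major == 2:
        return {2}
    if major == 1:
        return {1}
    raise ValueError("unknown SSH protocol version in %r" % banner)


def select_version(banner):
    """Version chosen by the rules in the text: SSHv2 whenever the device runs it, else SSHv1."""
    return 2 if 2 in offered_versions(banner) else 1


def connect(banner, v2_session_ok=True, v1_session_ok=True):
    """Return (version_attempted, connected).

    The *_session_ok flags stand in for the outcome of the real session setup.
    A failed SSHv2 attempt is final: there is no fallback to SSHv1, even when
    the device advertises both versions.
    """
    version = select_version(banner)
    if version == 2:
        return (2, v2_session_ok)
    return (1, v1_session_ok)


def devices_on_sshv1(inventory):
    """Hosts whose configuration traffic would use SSHv1; candidates for an SSHv2 upgrade."""
    return sorted(host for host, banner in inventory.items()
                  if select_version(banner) == 1)


# Constructed sample inventory: host name -> identification string read from TCP port 22.
SAMPLE_INVENTORY = {
    "core-rtr-01": "SSH-2.0-Cisco-1.25",
    "dist-sw-02": "SSH-1.99-Cisco-1.25",
    "edge-sw-03": "SSH-1.5-Cisco-1.25",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_INVENTORY.items()):
        print(host, "-> SSHv%d" % select_version(banner))
    print("SSHv1 only:", devices_on_sshv1(SAMPLE_INVENTORY))
```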
SCP
ip ssh authentication-retries 4
ip scp server enable
User on the TACACS Server should be configured with privilege level 15:
user = admin {
    default service = permit
    login = cleartext "system"
    service = exec {
        priv-lvl = 15
    }
}
HTTPS
Know the username and password for the device. Enter the Primary Username and Password in the Device
and Credential Repository.
To enable the configuration archive to gather the configurations using https protocol you must modify your
device configurations:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_installation_and_configuration_guides_list.html
This is used for VPN 3000 device.
The configuration archive uses Telnet/SSH to gather the module configurations of Catalyst 5000 family
devices and vlan.dat file in case of Catalyst IOS switches. Make sure you enter the correct Telnet and
Enable passwords.
If you enabled TACACS for a device and configured custom TACACS login and password prompts,
you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts
recognizable, you must edit the TacacsPrompts.ini file. See the procedure given in Handling Custom
Telnet Prompts.
For module configs, the passwords on the module must be the same as the password on the supervisor.
This section also explains Supported Protocols for Configuration Management Applications.
The LMS device packages Online help. You can launch the LMS device packages Online help using
Help > Device Packages.
or
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1
Select Admin > Collection Settings > Config > Config Transport Settings.
The Config Transport Settings dialog box appears.
Step 2
Go to the first drop-down list box, select the application for which you want to define the protocol order.
Step 3
Select a protocol from the Available Protocols pane and click Add.
If you want to remove a protocol, select the protocol and click Remove.
The list of protocols that you have selected appears in the Selected Protocol Order pane. The order of
protocols in the Selected Protocol Order pane can be changed using the Up and Down buttons.
When a configuration fetch or update operation fails, an error message appears. This message displays
details about the supported protocol for the particular device and its modules, if there are any.
For the list of supported protocols, see Supported Device Table for Configuration Management
application on Cisco.com.
Step 4
Click Apply.
A message appears, New settings saved successfully.
Step 5
Click OK.
Receives the filters it needs from the LMS server to filter Syslog messages.
Sends status to the Syslog Analyzer process about the collected Syslog messages upon request from
the Analyzer, including the number of messages read, number of messages filtered, and number of
messages with bad syntax. It also forwards unfiltered messages to the Syslog Analyzer process.
If the Syslog Analyzer does not send any filters, then the Collector sends all the syslogs to the
Analyzer without filtering.
If you restart the LMS server, Syslog Collector will lose communication to the LMS server. Based on
the current filters, it continues to filter the syslogs and stores them in a local file:
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\server
name_port\DowntimeSyslogs.log
The Syslog Analyzer will automatically restore the connection after LMS server restart.
For the complete instructions on installing the Common Syslog Collector, see the Installing and
Migrating to Cisco Prime LAN Management Solution 4.2.
Note
View the status of your Common Syslog Collector (see Viewing Common Syslog Collector Status)
View the Permission Report (Reports > System > Users > Permission) to check if you have the
required privileges to perform this task.
Description
Name
Forwarded
Invalid
Filtered
Number of filtered messages. Filters are defined with the Message Filters option (Admin > Network >
Notification and Action Settings > Syslog Message Filters; see Defining Syslog Message Filters).
Dropped
Received
Up Time
Time duration for which the Syslog Collector has been up.
Click to test a Syslog collector that's already subscribed or that's going to be subscribed.
Subscribe
Unsubscribe
Select the Syslog collector and click Unsubscribe to unsubscribe the Syslog collector.
If you want to refresh the information in this dialog box, click Update.
If you have restarted the LMS daemon manager, the Syslog Collector Status processes (under Admin >
Network > Syslog Collection Settings) may take 6-10 minutes to come up, after the Syslog Analyzer
processes come up. In this interval you may see the following message:
Collector Status is currently not available.
Check if the SyslogAnalyzer process is running normally.
Wait for the Syslog Collector status process to come up and try again.
To subscribe to a Common Syslog Collector using the Subscribe button, see Subscribing to a Common
Syslog Collector.
1. The Self-signed Certificates are valid. For example, check for the expiry date of the certificates on
both the servers.
2. The Self-signed Certificates from this server are copied to the Syslog Collector server and
vice-versa.
To do this, select Admin > Trust Management > Multi Server > Peer Server Certificate Setup.
See Setting up Peer Server Certificate for more information.
3. The SyslogCollector process on Syslog Collector server and SyslogAnalyzer process on this server
are restarted after Step 2.
4.
Select Admin > Collection Settings > Syslog > Syslog Collection Settings.
The Collector Status dialog box appears. For the information in the columns in the dialog box, see
Viewing Common Syslog Collector Status:
Step 2
Click Subscribe.
The following message appears:
Check if:
1. Self-signed Certificates from this server are copied to the Syslog Collector server and
vice-versa. You can perform this operation from Admin > System Administration >
Multiserver Management > Peer Server Certificate Setup screen.
2. Syslog Collector process on SyslogCollector server and SyslogAnalyzer process on this
server is restarted after step 1.
3. Both hosts are reachable by host name.
4. Certificates are valid.
The Subscribe Collector dialog box appears.
Step 3
Click OK. Enter the address of the Common Syslog Collector to which you want to subscribe.
Step 4
Click OK.
The Syslog Analyzer server is subscribed to the specified Common Syslog Collector.
If you are already subscribed to a Syslog collector, and you want to unsubscribe, select the collector and
click the Unsubscribe button.
If you want to test the Syslog collector subscription, select the collector and click Test Collector
Subscription. For more information see Testing Syslog Collector Subscription.
Select Admin > Collection Settings > Syslog > Syslog Collection Settings.
Step 2
The Collector Status dialog box appears. For the information on the dialog box, see Viewing Common
Syslog Collector Status.
Step 3
Either:
Test Collector Subscription popup window appears with the Syslog collector address.
Or
Step 4
Enter the Syslog collector in the Test Collector Subscription popup window.
Click OK.
The Test Collector Subscription Status popup window appears, displaying the following status of the
Syslog collector:
SSL certificate status: Status of the SSL Certificates. For example, SSL certificates are valid and
are properly imported. For more information see Syslog Collector Subscription Messages.
Collector status: Status of the Syslog collector. For example, Collector is up and reachable. For
more information see Syslog Collector Subscription Messages.
The following table provides the Syslog collector subscription status messages shown when you test the
subscription of a Syslog Collector:
Subscription Status
Problem/Info
Message
SSL Certification
When there is an issue with SSL Certificate
Collector
When the hostname is not DNS resolvable
If the SyslogCollector process is down
If the Syslog Collector is reachable
Description
TIMEZONE
The timezone of the system where the Syslog Collector is running. Enter
the correct abbreviation for the timezone. For example, the time zone for
India is IST.
For the correct Timezone abbreviation, see the Timezone file in the
following location:
On Solaris/Soft Appliance,
/opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/LMSng/fcss/data/TimeZone.lst
On Windows,
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\LMSng\fcss\data\TimeZone.lst
See Timezone List Used By Syslog Collector.
COUNTRY_CODE
Timezone-Related Properties
Description
TIMEZONE_FILE
The path of the Timezone file. This file contains the offsets for the time
zones.
After installing the Syslog Collector, ensure that the offset specified in
this file is as expected. If it is not present or is incorrect, you can add the
Timezone offset as per the convention.
The default path is:
On Solaris/Soft Appliance,
/opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/TimeZone.lst
On Windows,
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\fcss\data\TimeZone.lst
General Properties
SYSLOG_FILES
Filename and location of the file from which syslog messages are read.
The default location is:
On Solaris/Soft Appliance:
/var/log/syslog_info
On Windows:
%NMSROOT%\log\syslog.log
DEBUG_CATEGORY_NAME
DEBUG_FILE
Filename and location of the Syslog Collector log file containing debug
information:
The default location is:
On Solaris/Soft Appliance,
/var/adm/CSCOpx/log/CollectorDebug.log
On Windows,
%NMSROOT%\log\CollectorDebug.log
DEBUG_LEVEL
Warning
Debug
Error
Info
DEBUG_MAX_FILE_SIZE
DEBUG_MAX_BACKUPS
The number of backup files that you require. The size of these will be the
value that you have specified for the DEBUG_MAX_FILE_SIZE
property.
Miscellaneous Properties
READ_INTERVAL_IN_SECS
QUEUE_CAPACITY
PARSER_FILE
File that contains the list of parsers used while parsing syslog messages.
The default path of the parser file:
On Solaris/Soft Appliance,
/opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/LMSng/fcss/data/FormatParsers.lst
On Windows,
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\fcss\data\FormatParsers.lst
SUBSCRIPTION_DATA_FILE
Syslog Collector data file that contains the information about the Syslog
Analyzers that are subscribed to the Collector.
The default path of the data file:
On Solaris/Soft Appliance,
/opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Subscribers.dat
On Windows,
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Subscribers.dat
FILTER_THREADS
Number of threads that operate at a time for filtering syslog messages. The
default is set to 1.
COLLECTOR_PORT
ADT=30
AET=100
AEST=100
AGT=-30
AHST=-100
ART=20
AST=-90
AT=-20
BET=-30
BST=10
BT=30
CAT=10
CCT=80
CDT=-50
CEST=20
CET=10
CNT=-35
CST=-60
CTT=80
EADT=-110
EAST=100
EAT=30
ECT=10
EDT=-40
EET=20
EST=-50
FST=-20
FWT=10
GMT=0
GST=100
HDT=90
HST=-100
IDLE=120
IDLW=-120
IET=-50
IST=55
JST=90
MDT=-60
MEST=-20
MESZ=-20
MET=10
MEWT=10
MIT=-110
MST=-70
MYT=80
NET=40
NST=120
NT=-110
NZDT=130
NZST=120
NZT=120
PDT=-70
PLT=50
PNT=-70
PRT=-40
PST=-80
SST=110
SWT=10
UTC=0
VST=70
WADT=-80
WAST=70
WAT=-10
YDT=-80
YST=-90
ZP4=40
ZP5=50
ZP6=50
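A check for the TimeZone.lst file that TIMEZONE_FILE points to, as an added example (not part of LMS): it parses ABBR=value lines, flags entries that would skew syslog timestamps, and converts a collector-local time to UTC for log correlation. It assumes the values are UTC offsets in tenths of an hour, which is inferred from entries in the list above such as IST=55 and GMT=0; the function names, the problem codes and the sample file content are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the ABBR=value layout of the list above; the last
# three lines are deliberately bad so that the parser has something to report.
SAMPLE_TIMEZONE_LST = """\
GMT=0
IST=55
CNT=-35
EST=-50
NZDT=130
IST=20
BOGUS
XYZ=999
"""

MAX_TENTHS = 140  # UTC offsets in use worldwide lie within +/-14 hours


def parse_timezone_lst(text):
    """Return (offsets, problems).

    offsets maps abbreviation -> timedelta (assumption: value = tenths of an hour).
    problems is a list of (line_number, code). On a duplicate abbreviation the
    first entry is kept; that is a choice of this example, not documented behaviour.
    """
    offsets, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        abbr, sep, value = line.partition("=")
        abbr, value = abbr.strip(), value.strip()
        if not sep or not abbr:
            problems.append((lineno, "malformed"))
            continue
        try:
            tenths = int(value)
        except ValueError:
            problems.append((lineno, "not-an-integer"))
            continue
        if abs(tenths) > MAX_TENTHS:
            problems.append((lineno, "out-of-range"))
            continue
        if abbr in offsets:
            problems.append((lineno, "duplicate"))
            continue
        offsets[abbr] = timedelta(minutes=tenths * 6)  # one tenth of an hour = 6 minutes
    return offsets, problems


def to_utc(local_time, abbr, offsets):
    """Convert 'YYYY-MM-DD HH:MM:SS' in the collector's TIMEZONE to an aware UTC datetime."""
    if abbr not in offsets:
        raise ValueError("no offset defined for timezone %r" % abbr)
    naive = datetime.strptime(local_time, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(offsets[abbr])).astimezone(timezone.utc)


if __name__ == "__main__":
    table, issues = parse_timezone_lst(SAMPLE_TIMEZONE_LST)
    for lineno, code in issues:
        print("line %d: %s" % (lineno, code))
    print(to_utc("2011-11-01 10:00:00", "IST", table).isoformat())
```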
CHAPTER 9
Configuring RMON
Select Admin > Network > Monitor / Troubleshoot > Fault Poller settings for topology.
The Fault Monitor Poller Settings page appears.
Step 2
Select the Poll Fault Monitor Server for alerts check box.
If you try to apply the settings when Fault Monitor module is not installed on a local or remote server,
you will get an error message indicating the same.
If Fault Monitor module is enabled, the list of LMS servers detected is displayed above this check box.
If Fault Monitor module is installed after running Data Collection, either run Data Collection or restart
ANI Server before enabling the above setting.
Step 3
Step 4
Click Apply. The settings are saved to the server and polling starts within six minutes of the
configuration.
In addition to this, you can restrict the type of LMS event displayed in your machine. For example you
can choose to display only critical events in Topology maps.
The event information fetched from the Fault Monitor server can be launched from Topology Maps and
the N-Hop view portlet, by right-clicking on the required device.
Select Admin > Network > Monitor / Troubleshoot > Load MIB.
The Load MIB dialog box appears.
Table 9-1 describes the field in the Load MIB dialog box.
Table 9-1
Field
Description
MIB file
Use the Browse button to load a MIB file from a directory location.
For example, RFC1213-MIB.my
You are allowed to load a MIB file only from the following directory path:
In Windows, $NMSROOT\hum\mibmanager\mibcompiler\mibs
Step 2
Step 3
Step 4
Click Apply to load the MIB file into LMS or Cancel to cancel the operation.
You will be able to load and compile a new MIB file into LMS only when its dependent MIB files are
available in the directory location.
For example,
To load and compile RFC1213-MIB, the dependent MIB files for RFC1213-MIB (RFC1155-SMI and
RFC-1212) must also be available at the same directory location. If the dependent MIB files are not
available, an appropriate error message is displayed and RFC1213-MIB does not compile.
The dependent MIB file names are case sensitive. The names of these dependent MIB files should be the same
as the MIB file names present in the definition files. Load only version 2 MIBs.
The following is the list of basic dependent MIBs that will be required for loading other MIBs in LMS:
RMON2-MIB.my
BRIDGE-MIB.my
RFC-1215.my
INET-ADDRESS-MIB.my
P-BRIDGE-MIB.my
Q-BRIDGE-MIB.my
CISCO-NETFLOW-MIB.my
CISCO-STACK-MIB.my
TOKEN-RING-RMON-MIB.my
RFC-1212.my
RMOM-MIB.my
RFC1155-SMI.my
RFC1213-MIB.my
SNMP-FRAMEWORK-MIB.my
CISCO-SMI.my
ENTITY-MIB.my
FDDI-SMT73-MIB.my
CISCO-VTP-MIB.my
SNMPv2-TC.my
SNMPv2-SMI.my
SNMPv2-MIB.my
SNMPv2-CONF.my
IF-MIB.my
IANAifType-MIB.my
EXPRESSION-MIB
CISCO-CLASS-BASED-QOS-MIB
CISCO-VOICE-DIAL-CONTROL-MIB
CISCO-IPSEC-MIB
HOST-RESOURCES-MIB
CISCO-POP-MGMT-MIB
RMON-MIB
CISCO-PORT-QOS-MIB
DIAL-CONTROL-MIB
CISCO-DIAL-CONTROL-MIB
CISCO-VOICE-COMMON-DIAL-CONTROL-MIB
CISCO-VOICE-DNIS-MIB
PerfHist-TC-MIB
CISCO-QOS-PIB-MIB
INT-SERV-MIB
CISCO-ENERGYWISE-MIB
CISCO-FRAME-RELAY-MIB
CISCO-POWER-ETHERNET-EXT-MIB
CISCO-TC
CISCO-VTP-MIB
DS1-MIB
RFC1271-MIB
Configuring RMON
You can enable RMON to measure Bandwidth Utilization for Topology.
Bandwidth Utilization is the measure of traffic flowing across a link. LMS highlights bandwidth
utilization across links, in the Topology maps. It computes the bandwidth utilization by taking the best
estimate of the mean physical layer network utilization on the links, during the sampling time interval.
In Topology Map, LMS can differentiate the links using colors, based on the bandwidth utilized by them.
You can customize the filters to display bandwidth utilization.
For more details, see Customizing Bandwidth Utilization Filters in Monitoring and Troubleshooting
Online Help.
This section contains:
Disabling RMON
Note
LMS computes bandwidth utilization only on Ethernet links, and not on any other type of link.
To compute bandwidth utilization in Campus Manager, you must enable Remote Monitoring (RMON).
Enabling RMON depends on two parameters.
Parameters to Compute Bandwidth Utilization
Bucket Size: Number of samples (incoming and outgoing packets) that will be examined for a
given point of time.
The default values for Bucket Size and Interval are 10 and 300 respectively. Though you cannot edit the
values through the user interface of Campus Manager, you can reconfigure these values through
the command line interface. For more details see Modifying the Parameters.
Campus Manager computes bandwidth utilization only for those devices that have the same parametric
values as configured and displayed in the RMON Settings page. This application allows you to configure
only the same parametric values on all link ports. This is to avoid conflicts in computation.
Enabling RMON on Ports
All Ports in selected devices. For details, see Enabling RMON on All Ports in Selected Devices
Selected Ports in selected devices, see Enabling RMON on Selected Ports in Selected Devices
Campus Manager highlights links in the Topology Map even if the devices are managed by other
applications such as HPOV, or CiscoView.
Note
You must configure the same value for Interval across the devices.
To reconfigure the values:
Step 1
Enter pdterm ANIServer at the command line to stop the ANI server.
Step 2
Go to NMSROOT/campus/etc/cwsi/ANIServer.properties.
Step 3
Modify the values of the properties, RMON.interval for Interval and RMON.bucketSize for the Bucket
Size.
The maximum value that you can enter for RMON.interval is 3600 seconds (One hour).
Step 4
Enter pdexec ANIServer at the command line to start the ANI server.
After modifying the bucket size and interval, enable RMON in devices as explained in Enabling RMON
on All Ports in Selected Devices or Enabling RMON on Selected Ports in Selected Devices.
You can use RMON.percentageTolerance property in the ANIServer.properties file to provide a value for
the Interval in a range. This is a hidden property that creates a range for the Interval value.
The property adds a value to the current interval that forms the upper limit and subtracts a value from
the current interval that forms the lower limit of the range. The default hidden value is 10 percent of the
interval.
For example, if the value provided in the ANIServer.properties file is 300, the range will be 270-330.
Thus, the samples are collected for the range of 270 to 330 seconds.
If you want to change this default value, you must:
Step 1
Step 2
Enter pdterm ANIServer at the command line to stop the ANI server.
Step 3
Go to NMSROOT/campus/etc/cwsi/ANIServer.properties.
Step 4
Enter RMON.percentageTolerance=value.
Step 5
Step 6
Enter pdexec ANIServer at the command line to start the ANI server.
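A pre-restart check for the three RMON properties described above, as an added example (not part of LMS): it reads ANIServer.properties text, applies the documented defaults and the 3600-second limit, and derives the accepted Interval range and the sampling window. The function names and sample content are constructed, and treating the range limits as inclusive is an assumption.

```python
MAX_INTERVAL_SECS = 3600  # documented maximum for RMON.interval (one hour)

# Documented defaults: Interval 300 s, Bucket Size 10, hidden tolerance 10 percent.
DEFAULTS = {"RMON.interval": 300, "RMON.bucketSize": 10, "RMON.percentageTolerance": 10}

# Constructed sample content for NMSROOT/campus/etc/cwsi/ANIServer.properties.
SAMPLE_PROPERTIES = """\
# RMON sampling parameters
RMON.interval=300
RMON.bucketSize=10
"""


def parse_properties(text):
    """Minimal key=value reader; lines starting with '#' or '!' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def rmon_settings(text):
    """Validate the RMON properties and return the derived collection parameters."""
    props = parse_properties(text)
    values = {}
    for key, default in DEFAULTS.items():
        raw = props.get(key, str(default))
        if not raw.isdigit():
            raise ValueError("%s must be a non-negative integer, got %r" % (key, raw))
        values[key] = int(raw)
    interval = values["RMON.interval"]
    buckets = values["RMON.bucketSize"]
    tolerance = values["RMON.percentageTolerance"]
    if not 0 < interval <= MAX_INTERVAL_SECS:
        raise ValueError("RMON.interval must be between 1 and %d seconds" % MAX_INTERVAL_SECS)
    if buckets < 1:
        raise ValueError("RMON.bucketSize must be at least 1")
    if tolerance > 100:
        raise ValueError("RMON.percentageTolerance must not exceed 100")
    delta = interval * tolerance / 100
    return {
        "interval": interval,
        "bucket_size": buckets,
        "range": (interval - delta, interval + delta),   # accepted Interval values, seconds
        "window_minutes": buckets * interval / 60,       # time covered by one full set of samples
    }


def interval_accepted(device_interval, settings):
    """True if an Interval found on a device falls inside the tolerance range (inclusive)."""
    low, high = settings["range"]
    return low <= device_interval <= high


if __name__ == "__main__":
    s = rmon_settings(SAMPLE_PROPERTIES)
    print("range %s, window %.0f minutes" % (s["range"], s["window_minutes"]))
```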
Select Admin > Network > Monitor / Troubleshoot > RMON Configuration.
The Enable RMON dialog box appears. The Device Selector pane displays a list of all devices.
Step 2
Select the check box corresponding to the devices for which you want to enable RMON.
The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as
300.
For a Bucket Size of 10, and interval of 300 seconds, LMS collects 10 samples of bandwidth utilization
across links over a period of 50 minutes, with an interval of 5 minutes (300 seconds).
To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters,
repeat all the steps listed in this section, for enabling RMON with the new parameters.
Step 3
Check the Configure on all links check box to configure all the ports of the selected devices in the
Device Selector.
Step 4
Click Configure to enable RMON on all the ports in the selected devices.
The following command is configured on the selected ports:
rmon collection history
Example:
rmon collection history
Select Admin > Network > Monitor / Troubleshoot > RMON Configuration.
The Enable RMON dialog box appears. The Device Selector pane displays the list of devices.
Step 2
Select the check box corresponding to the devices for which you want to enable RMON.
The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as
300.
For a Bucket Size of 10, and interval of 300 seconds, Campus Manager collects 10 samples of bandwidth
utilization across links over a period of 50 minutes, with an interval of 300 seconds (5 minutes).
To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters,
repeat all the steps listed in this section, for enabling RMON with the new parameters.
Step 3
Uncheck the Configure on all Links check box since it is checked by default.
Step 4
Click Select links to select the ports for which you want to enable RMON.
It displays the list of ports in the selected devices. For details on the list displayed, see Table 9-2.
The Select Links check box is enabled only when you uncheck the Configure on all links check box.
Table 9-2
Column
Description
Port
Device Name
Device Address
isLink
True
Step 5
Select check boxes corresponding to the ports for which you want to enable RMON.
Step 6
Example:
rmon collection history
Disabling RMON
After you have enabled RMON on a device through LMS, you can disable it using Command Line
Interface (CLI) only.
Commands to Disable RMON
For a device running Cisco IOS, enter the following command at the CLI prompt:
no rmon
For a device running Catalyst operating system, enter the following command at the CLI prompt:
set snmp rmon disable
Configure LMS to fetch event information from Fault Monitor, and display it in Topology Maps.
For details, see Configuring Fault Poller Settings For Topology.
Select Admin > Network > Monitor / Troubleshoot > Restricted Topology View.
The configuration screen is displayed.
Step 2
Step 3
Click Apply.
Topology Maps display only the devices you are authorized to view. If Topology Services is already
launched, close it and relaunch for the change to take effect.
Important Notes
When the changed IP address is given as root in N-hop view portlet, it results in an error.
CHAPTER 10
If you work with static groups, no further devices can be added to those groups.
If you set up dynamic groups, then any device that fits the criteria for the groups will be added to
those groups.
After you have configured your subscription, you can name it according to your needs. Regardless of
whether you configure SNMP Trap, E-Mail, or Syslog notifications, you must always create a
subscription containing a notification group. The final step in configuring your notification subscription
is specifying the notification recipients.
Note
If a subscription is monitoring all events on a device (by not using an event set), and another subscription
is monitoring only specific events on a device, you will receive duplicate notifications.
Notification Services tracks events on device types, not on device components.
For details on Notifications and Subscriptions, see the following topics:
Notification Types
Notification Replay
Subscriptions
Events
If you want to monitor a specific set of events, create an event set that contains the events you want
to monitor. Otherwise, all events will be monitored.
2.
Create a notification group that specifies the criteria the Fault Management module should use when
generating notifications:
One or more event sets (if no event set is specified, all events are monitored)
You can specify the notification group name, along with entering identifying information (using the
Customer ID and Customer Revision fields).
3.
4.
Notification Types
The Fault Management module in LMS 4.2 provides three types of notifications:
SNMP Trap Notification: Fault Management module generates traps with information about the
events that caused it. CISCO-EPM-NOTIFICATION-MIB defines the trap message format. For
more information, see Notification MIB in Monitoring and Troubleshooting Online Help. LMS can
also generate SNMP trap notifications for specified events.
Using SNMP trap notification is different from forwarding raw traps to another server before they
have been processed by LMS.
E-mail Notification: LMS generates e-mail messages containing information about the events that
caused it. CISCO-EPM-NOTIFICATION-MIB defines the message, which is included in the e-mail
in text format. You can specify that you want the e-mail to only contain an informational subject
line or can customize the e-mail subject. For information on customizing the e-mail subject, see
Managing Fault E-Mail Subject Customization.
Syslog Notification: LMS generates Syslog messages that can be forwarded to Syslog daemons on
remote systems.
All notifications have a default maximum message size of 250 characters. You can reset this variable to
any value between 250 and 1024 characters by editing the notification properties file.
To do this:
Procedure
Step 1
Step 2
Locate the following lines and change the value to any value up to 1024 characters:
MAX_TRAP_DES=250
MAX_EMAIL_DES=250
MAX_SYSLOG_DES=250
Step 3
Stop and restart the Cisco Prime daemon manager on the LMS server.
a.
On Solaris/Soft Appliance:
/etc/init.d/dmgtd stop
b.
On Solaris/Soft Appliance:
/etc/init.d/dmgtd stop
Notification Replay
You can configure LMS to replay notifications in the event that LMS has to be restarted. To do this, edit the file
/opt/CSCOpx/objects/nos/config/nos.properties and set the value SEND_NOTIF_ON_START=1 to enable
this feature. When the value is set to the default value (0), the notifications will not be replayed.
Subscriptions
LMS sends notifications based on user-defined subscriptions. You can create up to 32 notification
subscriptions. A subscription for SNMP trap notification or e-mail notification includes the following
common elements, as determined by the CISCO-EPM-NOTIFICATION-MIB:
Event severity and status: One or more event severity levels and status. You can also customize the
names of the events used by Notification Services, and Fault History. See Customizing LMS Events.
Recipients: One or more hosts to receive SNMP traps or users to receive e-mail. For Syslog
notifications, the recipient would be the remote host containing a Syslog daemon configured to
listen for Syslog messages.
Subscriptions are based on user-configured event sets and notification groups. See Configuring Event
Sets and Notification Groups for Subscriptions for more information.
Events
LMS sends notifications whenever an event occurs that matches a subscription. For each event, LMS
compares the device, severity, and state against subscriptions and sends a notification when there is a
match. Matches can be determined by user-configured event sets and notification groups.
The procedure for configuring notification groups is described in Configuring Event Sets and
Notification Groups for Subscriptions.
LMS assigns one severity to each event and changes the state of an event over time, responding to user
input and changes on the device. Table 10-1 lists values for severity and explains how the state of an
event changes over time.
Note
You can change event names to names that are more meaningful to you. See Customizing LMS Events.
Table 10-1
Critical
Informational
Status
Events that have been cleared either expire or, if associated with a suspended
device, remain in LMS until a user resumes or deletes the device.
Customizing Names: When you customize an event name, that name is reflected in all notifications,
and in Fault History. The new event name is used for all instances of an event, regardless of the
component on which the event occurs. You can easily revert to the default event names as needed.
The Notification Customization page also lists the new name and default name, so you can easily
check which names have been changed.
Customizing Event Severity: The event severity can be customized using the New Event Severity
feature. You can select Critical or Warning or Informational from the drop-down list.
Select Admin > Network > Notification and Action Settings > Fault Notification Customization.
The Notification Customization page appears.
Step 2
Select the event names you want to customize by clicking the check box beside each event name.
Step 3
Step 4
Select the event severity from the New Event Severity drop-down list.
You can select Critical or Informational.
Step 5
Step 6
Step 7
Step 8
Click Yes.
The changes are applied to LMS.
To revert to default event names:
a.
From the Notification Customization page, select the events you want to restore to their default
names, and click Restore factory settings.
b.
Apply your changes by clicking Yes when the confirmation window appears.
Event sets list the events you want monitored for notifications.
Notification groups contain the criteria that LMS should use when generating a notification:
One or more event sets, or all events
Devices
Event status and severity
Fields for user-specified additional information you want to include with the subscription
The procedures for creating event sets and notification groups are described in the following topics:
Note
If a subscription is monitoring all events on a device (by not using an event set), and another subscription
is monitoring only specific events on a device, you will receive duplicate notifications.
Select Admin > Network > Notification and Action Settings > Event Sets:
The Event Sets page appears. The page contains the following information:
Field
Description
Select/Unselect All for Event Set: Select an Event Set from the drop-down list.
Step 2
Step 3
Event Code
Description
Severity
Event severity.
A-I
For each event set you want to configure, select events by doing either of the following:
Select specific events by clicking the editable field under the label, and selecting X.
Select or deselect all events for an event set using the Select or the Deselect button.
Click Apply.
If you want to create a notification subscription, first create a notification group that uses your event set.
See Configuring Fault Notification Groups.
One or more event sets, if desired (otherwise, the notification group will contain all events)
Devices
Fields for user-specified additional information you want to include with the subscription
Note
You cannot delete a notification group that is being used by a running subscription.
Select Admin > Network > Notification and Action Settings > Fault Notification Group.
Step 2
Step 3
Specify the devices, event sets (if desired), and event severity and status. Click Next.
If a subscription is monitoring all events on a device (by not using an event set), and another subscription
is monitoring only specific events on a device, you will receive duplicate notifications.
With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To
assist you in locating devices, use the search option in the mega menu.
Step 4
Specify the notification group name, and enter any desired identifying information in the Customer ID
and Customer Revision fields.
For e-mail and Syslog notifications, if you leave these fields blank, they are left blank in the
notification.
For SNMP trap notifications, if you leave these fields blank, they are displayed as follows in any
notifications:
Customer ID: Customer Revision: *
Step 5
Click Next.
Step 6
Step 7
Note
Notification groups can be static or dynamic; you cannot have a mix of group types.
notification.
Suspended: LMS will not use the subscription unless you resume it.
You are completely in control of subscriptions. LMS does not delete subscriptions under any
circumstances.
From the SNMP Trap Notifications page, you can perform the tasks listed in Table 10-2.
Table 10-2
Task: Add
Sample Usage: Add a subscription that will send SNMP trap notification for one device with an event of any severity (critical or informational) and any status (active, acknowledged, or cleared).
Reference: Adding an SNMP Trap Notification Subscription
Task: Edit
Task: Suspend
Reference: Suspending an SNMP Trap Notification Subscription
Task: Resume
Reference: Resuming an SNMP Trap Notification Subscription
Task: Delete
Sample Usage: Remove SNMP trap notification subscriptions that are no longer useful.
Reference: Deleting an SNMP Trap Notification Subscription
Note
Adding a subscription is a multi-step process. Your changes are not saved until you click the Finish
button on the final page.
Before You Begin
You must create a notification group before you can create an SNMP trap notification subscription. Refer
to Configuring Fault Notification Groups.
To add an SNMP trap notification subscription:
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.
Step 2
Click Add.
Step 3
b.
c.
Step 4
Click Next.
b.
Step 5
A port number on which the host can receive traps. If the port number is unspecified (empty),
the port defaults to 162. (You can verify this in Step 5.)
Click Next.
Note
Note
Editing a subscription is a multi-step process. Your changes are not saved until you click the Finish
button on the final page.
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.
Step 2
Select the subscription you want to edit by clicking the radio button beside it.
Step 3
Click Edit.
No information is saved until you complete Step 5.
Step 4
b.
c.
Step 5
Add or delete a recipient host or change the port number for a host:
a.
Step 6
Click Next.
To add one or more recipients, for each host, enter:
A port number on which the host can receive traps. If the port number is unspecified (empty),
the port defaults to 162. (You can verify this in Step 6.)
b.
To delete a recipient, delete the hostname, port number, and comment, if any.
c.
Click Next.
Review the information that you entered and click Finish.
The SNMP Trap Notifications page is displayed.
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.
Step 2
Select the subscription you want to suspend by clicking the radio button beside it.
Step 3
Click Suspend.
Step 4
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.
Step 2
Select the subscription you want to resume by clicking the radio button beside it.
Step 3
Click Resume.
Step 4
Note
You can also suspend a subscription. Suspending a subscription causes the subscription to not be used
until a user resumes it.
To delete an SNMP trap notification subscription:
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
Step 2
Select the subscription you want to delete by clicking the radio button beside it.
Step 3
Click Delete.
Step 4
You can use the E-Mail Configuration page to configure an e-mail notification subscription and to
customize the e-mail subject.
The E-Mail Configuration page displays the following information:
E-Mail Notification: Forwards events as e-mail to specified e-mail recipients. Forwarded traps are
based on Notification Groups.
E-Mail Subject Customization: Customizes the e-mail subject for forwarded events.
Note
You may not be able to use some of these functions if you do not have the required privileges.
notification.
Suspended: LMS will not use the subscription unless you resume it.
You are completely in control of subscriptions. LMS does not delete subscriptions under any
circumstances. From the E-Mail Notifications page, you can perform the tasks listed in Table 10-3.
Table 10-3
Task
Sample Usage
Add
Add a subscription that will send e-mail notification to a user for one device with
an event of any severity (critical or informational) and any status (active,
acknowledged, or cleared).
See Adding and Editing an E-Mail Notification Subscription for more information.
Edit
Suspend
View the notification group and e-mail recipients that comprise the
subscription.
Table 10-3
Task
Resume
Delete
Sample Usage
Note
Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Before You Begin
You must create a notification group before you can create an E-Mail Notification subscription. Refer
to Configuring Fault Notification Groups.
To add or edit a subscription for e-mail notification:
Step 1
Select Admin > Network > Notification and Action Settings > Fault - Email notification.
The E-Mail Notification Subscriptions page appears.
Step 2
Click Add.
Click Edit.
You can edit an e-mail notification subscription regardless of its status (Running or Suspended).
After you edit an e-mail notification subscription, if the subscription status is Running, e-mail is
forwarded as specified until you change, suspend, or delete the subscription. Editing a suspended
subscription automatically resumes it.
Click Delete.
Click OK in the confirmation dialog box.
The E-Mail Subscriptions page appears. The subscription is no longer displayed.
Select the subscription you want to suspend by clicking the radio button beside it and click Suspend.
Click OK in the confirmation dialog box.
The E-Mail Notification Subscriptions page is displayed. The subscription status is Suspended.
After you suspend an e-mail notification subscription, LMS stops using the subscription to send
e-mail notification.
Select the subscription you want to resume by clicking the radio button beside it and click Resume.
Click OK in the confirmation dialog box.
The E-Mail Notification Subscriptions page is displayed. The subscription status is Running. After
you resume an e-mail notification subscription, LMS starts using the subscription to determine when
e-mail notification should be sent in response to an event.
Step 3
When you add or edit a subscription for e-mail notification, a page appears with the following fields:
Field
Description
Subscription Name
Notification Group
Step 4
Click Next.
Step 5
Description
SMTP Server
The name of the default Simple Mail Transfer Protocol (SMTP) server
may already be displayed. The server is specified using Admin >
System > SMTP Default Server. You may also enter a fully qualified
DNS name or IP address for an SMTP server.
To select from any non-default SMTP servers in use by existing
subscriptions, click the SMTP Servers button.
Sender Address
Enter the e-mail address that notifications should be sent from. If the
sender's e-mail service is hosted on the SMTP server specified, you need
to enter only the username. You do not need to enter the domain name.
Recipient Addresses
Enter one or more e-mail addresses that notifications should be sent to,
separating multiple addresses with either a comma or a semicolon. If a
recipient's e-mail service is hosted on the SMTP server specified, you
need to enter only the username. You do not need to enter the domain
name.
By default, e-mail notification supplies a fully detailed e-mail message.
To omit the message body and send only a subject line, select the
Headers Only check box.
Step 6
Step 7
Note
Available Subjects for E-mail: The additional subjects that are fetched from the LMS database. You
can use these subjects along with the default available subjects while sending e-mail notifications.
By default, the following e-mail subject attributes are displayed in the Available Subjects for
E-Mail box:
ifAlias
sysLocation
sysContact
user_defined_field_0
user_defined_field_1
user_defined_field_2
user_defined_field_3
When you import devices from DCR, the subject information is updated in the LMS database and
displayed as available subjects for e-mail.
Selected Subjects for E-mail: The selected subjects, including the default ones, in the selected order,
displayed beside the available subjects.
Select Admin > Network > Notification and Action Settings > Fault - Email subject customization.
The available and selected lists of the subject attributes for e-mail are displayed.
To customize the e-mail subject, you can add and remove subjects from the current e-mail subjects list.
By default, the following e-mail subject attributes are displayed in the Selected Subjects for E-Mail
box:
Event ID
Device Name
Time
Severity
Event Name
Status
To add a subject:
a.
b.
Click Add.
The selected subject attribute is added to the Selected Subjects for E-Mail list.
You can add a subject attribute only from the Available Subjects list to the Selected Subjects list.
You cannot add a subject attribute from the Selected subject list to the Available Subject list.
b.
Click Remove.
The selected subject attribute is removed from the Selected list and added to the Available subjects
for E-Mail list.
You can remove a subject attribute only from the Selected Subjects list and not from the Available
Subjects list.
Step 2
Click Up or Down to rearrange the order of the selected e-mail subject attributes.
Step 3
You are completely in control of subscriptions. The Fault Management module does not change or delete
subscriptions under any circumstances. From the Syslog Notifications page, you can perform the tasks
listed in Table 10-4.
Table 10-4
Task
Sample Usage
Reference
Add
Edit
Suspend
Editing a Syslog
Notification Subscription
Suspending a Syslog
Notification Subscription
Table 10-4
Task
Sample Usage
Reference
Resume
Delete
Deleting a Syslog
Notification Subscription
Note
Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Before You Begin
You must create a notification group before you can create a Syslog Notification subscription. Refer
to Configuring Fault Notification Groups.
A remote machine's Syslog daemon must be configured to listen on a specified port, and you must
enter this information in Step 3 of the following procedure. LMS uses the default port 514.
Step 1
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.
Step 2
Click Add.
a.
b.
c.
Select a facility from the drop-down list (the default is Local Use 0). The Facility field and the event
severity are used for the PRI portion of the Syslog message, as follows:
[Facility*8] + [Severity]
Event severity values are as follows:
Critical = 2
Informational = 6
You can enter location information (up to 29 characters). This information will be populated in the
Syslog message. This is optional.
d.
Step 3
Click Next.
b.
A port number on which the Syslog daemon is listening. If the port number is unspecified
(empty), the port defaults to 514. (You can verify this in Step 5.)
Click Next.
Step 4
Enter the name of the subscription in the Save As field and click Next.
Step 5
Note
Note
Editing a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Step 1
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.
Step 2
Select the subscription you want to edit by clicking the radio button beside it.
Step 3
Click Edit.
Step 4
b.
c.
Select a Facility from the drop-down list (the default is Local Use 0). The Facility field and the event
severity are used for the PRI portion of the Syslog message, as follows:
[Facility*8] + [Severity]
Event severity values are as follows:
Critical = 2
Informational = 6
You can enter location information (up to 29 characters). This information will be populated in the
Syslog message. This is optional.
d.
Step 5
Click Next.
Add or delete a recipient host or change the port number for a host:
a.
A port number on which the Syslog daemon is listening. If the port number is unspecified
(empty), the port defaults to 514. (You can verify this in Step 7.)
b.
To delete a recipient, delete the hostname, port number, and comment, if any.
c.
Click Next.
Step 6
Step 7
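The PRI calculation used in the add and edit procedures above can be checked on the receiving Syslog host. The following Python sketch is an added example, not Cisco code: it decodes the PRI of received lines and flags anything that does not match the configured facility or the two LMS severity values. Facility code 16 for Local Use 0 comes from the syslog standard; the sample lines and the `triage` helper are constructed for illustration.

```python
import re

# Severity values the guide gives for LMS fault events.
LMS_SEVERITY = {2: "Critical", 6: "Informational"}

# Standard syslog facility codes: Local Use 0..7 are 16..23.
LOCAL_USE_0 = 16

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample input; only the <PRI> prefix follows the guide.
SAMPLE_LINES = [
    "<130>constructed sample: interface down on device A",
    "<134>constructed sample: interface up on device A",
    "<131>constructed sample: severity LMS does not emit",
    "<38>constructed sample: auth facility, not Local Use 0",
    "<999>constructed sample: PRI above 191",
    "constructed sample with no PRI at all",
]


def encode_pri(facility: int, severity: int) -> int:
    """PRI = Facility*8 + Severity, with both inputs range-checked."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility out of range: {facility}")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity out of range: {severity}")
    return facility * 8 + severity


def decode_pri(line: str):
    """Return (facility, severity) for a line starting with <PRI>, else None."""
    match = PRI_RE.match(line)
    if not match:
        return None
    digits = match.group(1)
    if len(digits) > 1 and digits[0] == "0":
        return None  # leading zeros are not a valid PRI
    pri = int(digits)
    if pri > 191:  # 23*8 + 7 is the largest valid value
        return None
    return divmod(pri, 8)


def triage(lines, expected_facility=LOCAL_USE_0):
    """Label each line with its LMS severity or with the reason it is suspect."""
    results = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            results.append(("malformed", line))
            continue
        facility, severity = decoded
        if facility != expected_facility:
            results.append(("unexpected-facility", line))
        elif severity not in LMS_SEVERITY:
            results.append(("unexpected-severity", line))
        else:
            results.append((LMS_SEVERITY[severity], line))
    return results


if __name__ == "__main__":
    for label, line in triage(SAMPLE_LINES):
        print(f"{label:20} {line}")
```

With the default facility, a Critical event carries PRI 130 and an Informational event carries PRI 134, so a receiver filter keyed on those two values covers what a subscription with default settings sends.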
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.
Step 2
Select the subscription you want to suspend by clicking the radio button beside it.
Step 3
Click Suspend.
Step 4
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.
Step 2
Select the subscription you want to resume by clicking the radio button beside it.
Step 3
Click Resume.
Step 4
Note
You can also suspend a subscription. Doing so causes the subscription to not be used until a user resumes
it.
To delete a syslog notification subscription:
Step 1
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
Step 2
Select the subscription you want to delete by clicking the radio button beside it.
Step 3
Click Delete.
Step 4
LMS will only forward SNMP traps from devices in the LMS inventory.
It will not change the trap format; it will forward the raw trap in the format in which the trap was
received from the device. However, you must enable SNMP on your devices and you must do one of the
following:
Note
The ports and protocols used by Cisco Prime are listed in Installing and Migrating to Cisco Prime LAN
Management Solution 4.2.
If your devices send SNMP traps to a Network Management System (NMS) or a trap daemon, see
Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs.
Since LMS uses SNMP MIB variables and traps to determine device health, you must configure your
devices to provide this information. For any Cisco device that you want LMS to monitor, SNMP must
be enabled and the device must be configured to send SNMP traps to the LMS server.
Make sure your devices are enabled to send traps to LMS by using the command line or GUI interface
appropriate for your device:
string]
where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the
SNMP trap receiving host (the LMS server).
For more information, see the appropriate command reference guide.
To enable Cisco IOS-Based devices to send traps to LMS:
Step 1
Step 2
Step 3
Select the Cisco IOS software release version used by your IOS-based devices.
Step 4
Select Technical Documentation and select the appropriate command reference guide.
where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the
SNMP trap receiving host (the LMS server).
For more information, see the appropriate command reference guide.
Step 1
Step 2
Step 3
Step 4
Select Technical Documentation and select the appropriate command reference guide.
If you are integrating LMS with a remote version of HP OpenView or NetView, you must install the
appropriate adapter on the remote HP OpenView or NetView (see Installing and Migrating to Cisco
Prime LAN Management Solution 4.2. This guide also provides information on supported versions).
You do not need to install any adapters if HP OpenView or NetView is installed locally.
Add the host where LMS is running to the list of trap destinations in your network devices. See
Enabling Devices to Send Traps to LMS. Specify port 162 as the destination trap port. (If another
NMS is already listening for traps on the standard UDP trap port (162), use port 9000, which LMS
will use by default.)
If your network devices are already sending traps to another management application, configure that
application to forward traps to LMS.
Table 10-5 describes scenarios for SNMP trap receiving and lists the advantages of each.
Table 10-5
Scenario
Advantages
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap receiving settings.
Step 2
Step 3
Click Apply.
For a list of ports that are already in use, see Installing and Migrating to Cisco Prime LAN Management
Solution 4.2. If you have two instances of the DfmServer process running, traps will be forwarded from
the first instance to the second instance.
Your login determines whether or not you can perform this task. View the Cisco Prime Permission
Report (Reports > System > Users > Permission) to determine which tasks are permitted for each user
role.
LMS will only forward SNMP traps from devices in the LMS inventory. LMS will not change the trap
format; it will forward the raw trap in the format in which it was received from the device. All traps are
forwarded in V1 (SNMP Version) format. In LMS 4.2, trap support is provided for SNMPv3 configured
devices, unknown devices and non-Cisco devices.
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding.
Step 2
Step 3
Click Apply.
Field
Description
Number of Receivers
Create
(button)
Edit
(button)
Table 10-6
Field
Description
Delete
(button)
Filter
Filters information based on the criteria that you select from the drop-down
(button)
You can perform the following tasks from the Trap Receiver Groups dialog box:
Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The Trap Receiver Groups page appears.
Step 2
Click Create.
The Create Trap Receiver Group page appears, displaying the Trap Group Configuration dialog box.
Table 10-7 describes the fields in the Trap Group Configuration dialog box.
Table 10-7
Field
Description
Group Name
Enter the name of the Trap Receiver Group. For example, Trap Receiver
Group 1.
The name can contain a mix of letters, numerals, and some special
characters (such as - _ . # @ $ &).
Receiver Details
Host
Port
Enter the Port Number on which Trap Receiver is listening for traps.
The default port value is 162. This field is optional.
Table 10-7
Field
Description
Community
Create
(button)
Add More
(button)
Cancel
(Button)
Step 3
Enter a descriptive name for the Trap Group in the GroupName field.
Step 4
Enter the IP address or hostname of the destination to which the trap should be delivered in the Host
field.
Step 5
Enter the Port Number on which Trap Receiver is listening for traps in the Port field.
Step 6
Enter the community string that appears in the trap message in the Community field.
The community string will be displayed as asterisks.
Note
You can add as many as five hosts or devices to the Trap Group by default.
Click Add More to add information for another host to the Trap Group. Go to Step 4 to continue.
Step 2
Step 1
Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The Trap Receiver Groups dialog box appears.
Step 2
Select the Trap Receiver Group by checking the corresponding check box against the Trap Receiver
Group Name.
Step 3
Click Edit.
The Edit Trap Receiver Group dialog box appears, displaying the earlier settings.
Table 10-8 describes the fields in the Trap Group Configuration dialog box.
Table 10-8
Field
Description
Group Name
Receiver Details
Host
Port
Enter the Port Number on which Trap Receiver is listening for traps.
For example, 162
Community
Update
(button)
Add More
(button)
Cancel
(Button)
Step 4
Step 1
Step 2
Step 3
Click Update in the Trap Group Configuration dialog box to complete updating the Trap Receiver
Group.
Or
Click Cancel to cancel the operation.
The Trap Receiver Group dialog box appears, displaying the Trap Groups.
Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The List of Trap Receiver Groups dialog box appears.
Step 2
Select the Trap Group Name by checking the appropriate check box.
You can select multiple Trap Receiver Groups by checking their respective check boxes.
Step 3
Click Delete.
A message appears, prompting you to confirm the deletion.
Step 4
Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The List of Trap Receiver Group dialog box appears.
Step 2
Step 3
Step 4
Click Show.
The List of Trap Receiver Groups dialog box appears, displaying the Trap Receiver Group information
based on the filter criteria.
Table 10-9 describes the criteria to filter.
Table 10-9
Filter Criteria
Description
Group Name
Select Group Name and enter the data. You can use either of the following
methods to filter by entering:
Field
Description
Number of Receivers
Create
(button)
Edit
(button)
Delete
(button)
Filter
Filters information based on the criteria that you select from the drop-down
(button)
All
Group Name
Sends the Syslog message to the receiver, based on the facility level selected
in the drop-down list. The drop-down list contains the following criteria:
local 0
local 1
local 2
local 3
local 4
local 5
local 6
local 7
You can perform the following tasks from the Syslog Receiver Groups dialog box:
Select Admin > Network > Notification and Action Settings > Performance - Syslog notification.
The Syslog Receiver Groups dialog appears.
Step 2
Click Create.
The Create Syslog Receiver Group page appears, displaying the Syslog Group Configuration dialog box.
Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Table 10-11
Field
Description
Group Name
Enter the name of the Syslog Group. For example, Syslog Group.
The name can contain a mix of letters, numerals, and some special
characters (such as - _ . # @ $ &).
Receiver Details
Host
Port
Enter the Port Number on which Syslog Receiver is listening for syslog
messages.
The default port value is 514. This field is optional.
Create
(button)
Add More
(button)
Cancel
(Button)
Step 3
Enter a descriptive name for the Syslog Group in the GroupName field.
Step 4
Enter the IP address or hostname of the destination to which the Syslog messages should be delivered in
the Host field.
Step 5
Enter the Port Number on which Syslog Receiver is listening for Syslog Messages in the Port field.
Note
You can add as many as five hosts or devices to the Syslog Group by default.
To add more than five hosts to the Syslog Group:
Step 1
Click Add More to add information for another host to the Syslog Group. Go to Step 4 to continue.
Step 2
Select Admin > Network > Notification and Action Settings > Performance - Syslog notification.
The Syslog Receiver Groups dialog box appears.
Step 2
Select the Syslog Receiver Group by checking the corresponding check box against the Syslog Receiver
Group Name.
Step 3
Click Edit.
The Edit Syslog Receiver Group dialog box appears, displaying the earlier settings.
Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Table 10-12
Field
Description
Group Name
Receiver Details
Host
Port
Enter the Port Number on which Syslog Receiver is listening for Syslog
messages.
The default port number is 512.
Table 10-12
Field
Description
Update
(button)
Add More
(button)
Cancel
(Button)
Step 4
Step 1
Step 2
Step 3
Click Update in the Syslog Group Configuration dialog box to complete updating the Syslog Receiver
Group.
Or
Click Cancel to cancel the operation.
The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.
Select Admin > Network > Notification and Action Settings > Performance - Syslog notification.
The Syslog Receiver Groups dialog box appears.
Step 2
Select the Syslog Group Name by checking the appropriate check box.
You can select multiple Syslog Receiver Groups by checking their respective check boxes.
Step 3
Click Delete.
A message appears, prompting you to confirm the deletion.
Step 4
Select Admin > Network > Notification and Action Settings > Performance - Syslog notification.
The List of Syslog Receiver Group dialog box appears.
Step 2
Step 3
Step 4
Click Show.
The Syslog Receiver Groups dialog box appears, displaying the Syslog Receiver Group information
based on the filter criteria.
Table 10-13 describes the criteria to filter.
Table 10-13
Filter Criteria
Description
Group Name
Select Group Name and enter the data. You can use any of the following
methods to filter by entering:
When you select Admin > Network > Notification and Action Settings > Syslog Automated Actions,
a list of automated actions appears in the dialog box on the Automated Actions page. Of these, there are
two system-defined automated actions (the rest are user-defined). The system-defined automated actions
are:
You can edit these system-defined automated actions, but you cannot delete them. These actions are
enabled by default. You can choose to disable them by selecting them and clicking Enable/Disable.
Config Fetch might loop if a SYS-6-CFG_CHG-*SNMP* message is received from a Catalyst operating
system device. If this happens, you can edit the Config Fetch automated action and delete the
SYS-6-CFG_CHG-*SNMP* message type.
In the Automated Actions dialog box, you can choose whether to include interfaces of selected devices
or not.
The columns in the Automated Actions dialog box are:
Column
Description
Name
Status
Type
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Using the automated actions dialog box, you can do the following tasks:
Task
Button
Create
Edit
Enable/Disable
Import/Export
Delete
If you are creating an automated action, see the example (Automated Action: An Example) of how to set
up an automated action that sends an e-mail when a specific Syslog message is received.
On Windows, you cannot set up an automated action to execute an .exe file that interacts with the
Windows desktop. For example, you cannot make a window pop up on the desktop.
Related Topics
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, with a list of automated actions, appears in the Automated Actions page. Here, you can
choose whether to include interfaces of selected devices or not. For the description of the columns in the
Automated Actions dialog box, see Defining Automated Actions.
Step 2
Click Create.
A dialog box appears for device selection.
Step 3
You cannot select the individual devices or device categories from the device selector.
The syslog messages from the various device interfaces are considered for creating automated
actions.
If you select Choose Devices option, you must select the required devices.
Step 4
Click Next.
A dialog box appears in the Define Message Type page.
Step 5
Enter a unique name for the automated action that you are creating.
Step 6
Select either Enabled or Disabled as the status for the action at creation time.
Step 7
Select the Syslog message types for which you want to trigger the automated action from the Define New
Message Type section of the dialog box.
Step 8
Click Next.
The Automated Action Type dialog box appears.
Step 9
Select a type of action (E-mail, URL, or Script) from the Select a type of action drop-down list box.
If you select E-mail, enter the following information in the Automated Action Type dialog box:
Field
Description
Send to
Subject
Content
If you select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action
type dialog box. In the URL, you can use the following parameters:
$D (for the device)
$M (for the complete syslog message).
When the URL is invoked, any $D in it is replaced with the device hostname or IP address, and any $M
is replaced with the syslog message.
For example, if the URL is
http://hostname/script.pl?device=$D&mesg=$M
then, when it is invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog
message.
If you select Script, enter the script to be used, in the Script to execute field of the Automated Action
type dialog box.
Either enter or select the script file. You can run only shell scripts (*.sh) on UNIX and batch files
(*.bat) on Windows. Only casuser:casusers on UNIX, or casuser/Administrator on Windows, should have
write and execute permissions on the shell script or batch file.
All other users should have read permission only. You must ensure that the scripts contained in the
file have permissions to execute from within the casuser account.
The script files must be available at this location:
On Windows:
NMSROOT/files/scripts/syslog
On UNIX:
/var/adm/CSCOpx/files/scripts/syslog
Click Browse.
The Server Side File Browser dialog box appears.
b.
Step 10
Click OK.
Step 11
Click Finish.
If the executable program produces any errors or writes to the console, the errors will be logged as Info
messages in the SyslogAnalyzer.log.
This file is available at:
On UNIX,
/opt/CSCOpx/log directory
On Windows,
NMSROOT\log directory (where NMSROOT is the root directory of the LMS Server).
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, displaying the list of automated actions, appears in the Automated Actions page.
For the description of the columns in the Automated Actions dialog box, see Defining Automated
Actions.
Step 2
Select an automated action from the drop-down list and click Edit.
The Select Devices dialog box appears.
Step 3
Step 4
Click Next.
Step 5
For E-mail, enter or change the following information in the Automated Action type dialog box:
Field
Description
Send to
Subject
Content
For URL, enter or change the URL to be invoked, in the URL to Invoke field of the Automated Action type
dialog box. In the URL, you can use the following parameters:
$D (for the device)
$M (for the complete syslog message).
If you have specified $D or $M, then when the URL is invoked, $D is substituted with the device
hostname or IP address and $M is substituted with the syslog message.
For example, if the URL is:
http://hostname/script.pl?device=$D&mesg=$M
then, when it is invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog
message.
If you select Script, enter the script to be used, in the Script to execute field of the Automated Action
type dialog box.
Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files
(*.bat) on Windows. The shell script or batch file should have only write/execute permissions for
casuser:casusers in UNIX and casuser/Administrator in Windows.
The other users should have only read permission. You must ensure that the scripts contained in the
file have permissions to execute from within the casuser account.
The script files must be available at this location:
On Windows:
NMSROOT/files/scripts/syslog
On UNIX:
/var/adm/CSCOpx/files/scripts/syslog
To select the script file:
a.
Click Browse.
The External Config Selector dialog box appears.
b.
Step 6
Click Finish.
The edited automated action appears in the dialog box on the Automated Action page.
Copy the sampleEmailScript.pl from RME 3.5 or older to the new LMS 4.2 server and put this file in:
For Solaris/Soft Appliance:
/var/adm/CSCOpx/files/scripts/syslog directory
For Windows:
NMSROOT/files/scripts/syslog
Step 2
Write a shell script for Solaris/Soft Appliance or .bat file for Windows in the same directory.
Here is an example shell script (called syslog-email.sh) for UNIX:
#!/bin/sh
# $1 is the device and $2 is the syslog message.
/opt/CSCOpx/bin/perl /var/adm/CSCOpx/files/scripts/syslog/sampleEmailScript.pl \
    -text_message "Message: $2 from device: $1" \
    -email_ids nobody@nowhere.com \
    -subject "Syslog Message: $2" \
    -from nobody@nowhere.com \
    -smtp mail-server-name.nowhere.com
For Windows, replace $1 and $2 with %1 and %2 and change the directory accordingly.
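The syslog text passed as $2 originates on the managed device, so a wrapper that places it in a mail subject should treat it as untrusted input. The following defensive variant of syslog-email.sh is an added example, not part of the Cisco guide: the function names and the 200-character cap are assumptions, while the perl path, sampleEmailScript.pl and its options are the ones shown above.

```shell
#!/bin/sh
# Added example: defensive version of the syslog-email.sh wrapper.
# $1 = device hostname or IP address, $2 = syslog message.

PERL=/opt/CSCOpx/bin/perl
MAILER=/var/adm/CSCOpx/files/scripts/syslog/sampleEmailScript.pl
MAX_LEN=200   # assumed cap on the message length

# Accept only characters that can appear in a hostname or IP address and
# refuse values starting with "-" so they cannot be read as an option.
# Prints the device and returns 0, or returns 1 when the value is rejected.
valid_device() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.:_-]*) return 1 ;;
    esac
    printf '%s\n' "$1"
}

# Replace CR, LF and other control characters with spaces so the message
# cannot add lines to the mail subject, then cap its length.
clean_message() {
    printf '%s' "$1" | LC_ALL=C tr '\000-\037\177' ' ' | cut -c "1-$MAX_LEN"
}

send_syslog_mail() {
    device=$(valid_device "$1") || {
        echo "rejected device argument" >&2
        return 1
    }
    message=$(clean_message "$2")
    "$PERL" "$MAILER" \
        -text_message "Message: $message from device: $device" \
        -email_ids nobody@nowhere.com \
        -subject "Syslog Message: $message" \
        -from nobody@nowhere.com \
        -smtp mail-server-name.nowhere.com
}

# Send mail only when invoked with both arguments.
if [ "$#" -eq 2 ]; then
    send_syslog_mail "$1" "$2"
fi
```

Anything the wrapper writes to the console, including the rejection message, ends up as an Info entry in SyslogAnalyzer.log, which gives a record of malformed invocations.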
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, displaying the list of automated actions, appears in the Automated Action page. For the
description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Select the required automated action from the list in the dialog box.
Step 3
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, displaying the list of automated actions, appears in the Automated Action page.
For the description of the columns in the Automated Actions dialog box, see Defining Automated
Actions.
Step 2
Select an automated action. You can select more than one automated action.
If you do not select an automated action before clicking the Export/Import button, then only the Import
option will be available. The Export option will be disabled.
Step 3
Click Export/Import.
The Export/Import Automated Actions dialog box appears with the Export or Import options.
Step 4
Step 5
Either:
Or
Click Browse.
The Server Side File Browser appears. You can select a valid file, and click OK.
Click OK.
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, displaying the list of automated actions, appears in the Automated Action page.
For the description of the columns in the Automated Actions dialog box, see Defining Automated
Actions.
Step 2
Select the required automated action from the list in the dialog box.
Step 3
Click Delete.
You will be asked to confirm the deletion. If you confirm the deletion, the action will be deleted.
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, with a list of automated actions, appears in the Automated Action page. For the description
of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Click Create.
The Devices Selection dialog box appears.
Step 3
Step 4
Enter a unique name for the automated action that you are creating.
Step 5
Select either Enabled, or Disabled as the status for the action at creation time.
Step 6
Click Select.
The Select System Defined Message Types dialog box appears.
Step 7
Select the SYS folder, then select the SYS-*-5-CONFIG_I message from the Select System Defined
Message Types list, and click OK.
The dialog box on the Define Message Type page appears.
Step 8
Click Next.
The Automated Action Type dialog box appears.
Step 9
Field
Description
Send to
Subject
Content
If you have specified $D or $M, then when the URL is invoked, $D is substituted with the device
hostname or IP address and $M is substituted with the syslog message.
For example, if the URL is:
http://hostname/script.pl?device=$D&mesg=$M
then, when it is invoked, $D is replaced with 10.68.12.2 (where 10.68.12.2 is the IP address of the device) and
$M is replaced with the URL-encoded syslog message.
Step 10
Click Finish.
Also see Verifying the Automated Action.
Select a managed router that is already sending Syslog messages to the LMS server and generate a
SYS-5-CONFIG_I message by changing the message-of-the-day banner as follows:
a. Connect to the managed router using Telnet and log in.
b. In enable mode enter enable, then enter a password.
c. At the config prompt enter configure terminal.
d. Change the banner by entering:
banner motd z
This is a test banner z
end
Make sure that the SYS-5-CONFIG_I message is sent to the LMS Server as follows:
On UNIX systems, open the syslog_info file located in the /var/log directory, or whichever file has
been configured to receive Syslog messages.
On Windows systems, open the syslog.log file located in the NMSROOT\log\ directory.
Where NMSROOT is the LMS installation directory.
Step 3
Verify that there is a message from the managed router whose message-of-the-day banner was changed.
This message appears at the bottom of the log.
If the message is not in the file, the router has not been configured properly to send Syslog messages
to the LMS Server.
Creating a Filter
Editing a Filter
Deleting a Filter
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the
required privileges to perform this task.
To launch the message filters dialog box:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box appears in the Message Filters page.
A list of all message filters is displayed in this dialog box, along with the names and the status of each
filter (Enabled or Disabled).
Step 2
Specify whether the filters are for dropping the Syslog messages or for keeping them, by selecting either
Drop or Keep.
If you select Drop, the Common Syslog Collector drops the syslogs that match any of the Drop
filters from further processing.
If you select Keep, Collector allows only the syslogs that match any of the Keep filters, for further
processing.
Note
Step 3
The Drop or Keep options apply to all message filters. They do not apply to individual filters.
Task
Button
Create
Edit
Enable/Disable
Export/Import
Delete
Creating a Filter
You can create a filter for Syslog messages by:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box with a list of filters, appears in the Message Filter page.
Step 2
Specify whether the filter should be dropped or kept, by selecting either Drop or Keep.
If you select Drop, the Common Syslog Collector drops the Syslogs that match any of the Drop
filters from further processing.
If you select Keep, Collector allows only the Syslogs that match any of the Keep filters, for further
processing.
Note
Step 3
The Drop or Keep options apply to all message filters. They do not apply to individual filters.
Click Create.
The dialog box appears for device selection.
Step 4
You cannot select the individual devices or device categories from the device selector.
The syslog messages from the various device interfaces are considered for creating message filters.
If you select the Choose Devices option, you must select the required devices.
Step 5
Click Next.
A dialog box appears in the Define Message Type page.
Step 6
Step 7
Select either the Enabled, or the Disabled status for the filter at creation time.
Step 8
Select the Syslog message types for which you want to apply the filter.
Step 9
Click Finish.
The list of filters in the message filter dialog box on the Message Filters page is refreshed.
Editing a Filter
To edit a filter:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box, displaying the list of filters, appears in the Message Filter page.
Step 2
Step 3
Step 4
Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box, with the list of filters, appears in the Message Filter page.
Step 2
Select the required filter from the list in the dialog box.
Step 3
Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box, with the list of filters, appears in the Message Filter page.
Step 2
Step 3
Click Export/Import.
The Export/Import dialog box appears with the Export or Import options.
Step 4
Step 5
Either:
a.
Click Browse.
The Server Side File Browser appears.
b.
Step 6
Click OK.
Deleting a Filter
To delete a filter:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box, displaying the list of filters, appears in the Message Filter page.
Step 2
Select the required filter from the list in the dialog box.
Step 3
Click Delete.
When you confirm the deletion, the filter is deleted.
You can use the Collection Failure Notification option to configure the destination Server and Port to
receive trap notification on Inventory Collection or Config Fetch failure. This failure trap is sent per
device from the LMS server whenever the collection does not happen.
Other network management stations can use this trap to know about LMS Inventory or Config collection
failure status. You can check or uncheck the options available in this page to enable or disable the
sending of trap notifications to other servers on Inventory Collection or Config Fetch failure.
Table 10-14 lists the various fields and buttons available in the Notification on Failure Window:
Table 10-14
Field
Description
All
Check this option, if you require both the Config Fetch Failure and Inventory Collection Failure trap
notification to be sent to the listed servers.
The listed servers are those servers that you have configured to receive trap notifications. See the
description for List of Destination field for more information.
Config Collection
Check this option, if you require the Config Fetch Failure trap notification to be sent to the listed
servers.
Uncheck this option if you do not want the Config Fetch Failure trap notification to be sent to the listed
servers.
The listed servers are those servers that you have configured to receive trap notifications. See the
description for List of Destination field for more information.
Inventory
Collection
Check this option, if you require the Inventory Collection Failure trap notification to be sent to the listed
servers.
Uncheck this option if you do not want the Inventory Collection Failure trap notification to be sent to
the listed servers.
The listed servers are those servers that you have configured to receive trap notifications. See the
description for List of Destination field for more information.
Server
Port
List of
Destinations
The names of the destination servers along with their ports which are configured to receive the trap
notifications.
Buttons
Add
Use the Add button to add the destination server and port information. On clicking Add, the server and
port information get reflected in the List of Destinations list.
Delete
Use the Delete button to remove server and port information from the List of Destinations. To do so,
select one or more server and port entry from the list of Destinations list and click on Delete to remove
the entries from the list.
Apply
Select Admin > Network > Notification and Action Settings > Inventory and Config collection
failure notification.
The Notification on Failure dialog box appears. Refer to to further complete the selection in this dialog
box.
Step 2
You are providing the following information in the Collection Failure Notification screen:
Destination Server: 10.77.153.47
Destination Port: 162
You are also enabling the Send Notification on Config Fetch Failure option. By enabling this option you
are allowing trap notifications to be sent to the specified destination server on Config Fetch Failure using
the specified port.
After that, you add a few new devices to LMS and schedule a job to fetch the configurations for all the
devices. There is a Config Fetch Failure as the scheduled job is unable to fetch the configurations for the
new devices. The server 10.77.153.47 receives trap notifications for each Config Fetch Failure per
device.
Example for Inventory Collection Failure
You are providing the following information in the Collection Failure Notification screen:
Destination Server: 10.77.153.47
Destination Port: 162
You are also enabling the Inventory Collection option. By enabling this option you are allowing trap
notifications to be sent to the specified destination server on Inventory Collection Failure using the
specified port.
After that, you add a few new devices to LMS and schedule a job to fetch the inventory information for all
devices. There is an Inventory Collection Failure as the scheduled job is unable to fetch the inventory
details for the new devices. The server 10.77.153.47 receives trap notifications for each Inventory
Collection Failure per device.
Table 10-15
Field
Description
Application Name
LMS application that caused this change or identified the change and generated the notification.
Device Name
Network device for which the inventory or configuration collection has failed.
Collection Failure Time
Error Message
The message that describes the reason for the collection failure. Some examples of trap error messages:
Inventory Collection Failed due to SNMP TimeOut Exception.
Config Collection Failed due to authentication failure.
Select Admin > Network > Notification and Action Settings > IPSLA Syslog Configuration.
The IPSLA Syslog Configuration page appears.
Step 2
Click Enable.
If you click Enable, LMS will run the IPSLA CLI Command on the selected device, through the config
job on the LMS server. This enables the generation of the IPSLA-specific traps through the system
logging (Syslog) process. An immediate job will be created in LMS and the Job ID link appears. Clicking
the link will display the Syslog details.
Or
If you click Disable, LMS will run the IPSLA CLI Command on the selected device, through the config
job on the LMS server. An immediate job will be created in LMS and the Job ID link appears. Clicking
the link will display the Syslog details.
Note
In a Multi-server setup among different versions, IPSLA Syslog enables supported version will be
greater than LMS 4.2
CHAPTER 11
Setting Up Preferences
You can use this feature to set up your editing preferences. Config Editor remembers your preferred
mode, even across different invocations of the application.
You can change the mode using the Device and Version, Pattern Search, Baseline or External
Configuration option but the changes do not affect the default settings.
To set up preferences:
Step 1
Select Configuration > Tools > Config Editor > Edit Mode Preference.
The User Preferences dialog box appears.
Step 2
Step 3
Determine changes being made in the network during critical operations time
System administrators can define the start and end times during the day when network changes
should not be made. Based on this selection you can quickly see, for a given day, whether changes
were made when they should not be.
See Defining Exception Periods for defining the exception periods.
Monitor your software image distribution and download history for software changes made using
the Software Management application.
Software Management automatically sends network change data to the Change Audit summary and
details tables.
View all the latest changes that occurred in the network over the last 24 hours
24-Hour Reports provides a quick way to access the latest changes in the Change Audit log.
See Generating 24 Hours and Standard Change Audit Reports for generating the Change Audit
reports.
Step 2
Step 3
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
To set the Change Audit Purge Policy:
Step 1
Select Admin > Network > Purge Settings > ChangeAudit Purge Policy.
The Purge Policy dialog box appears in the Periodic Purge Settings pane.
Step 2
Field
Description
Enter the number of days. Only Change Audit records older than the number of days that you
specify here, will be purged.
The default is 180 days.
Enter the number of days. Only Audit Trail records older than the number of days that you
specify here, will be purged.
The default is 180 days.
Scheduling
Run Type
You can specify when you want to run the Purge job for Change Audit and Audit Trail records.
To do this select one of the following options from the drop-down menu:
Weekly: Runs weekly on the day of the week and at the specified time.
Monthly: Runs monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is
complete.
For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance
of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1
job has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m.
November 2, then the next job will start only at 10:00 a.m. on November 3.
Date
You can select the date and time (hours and minutes) to schedule.
at
Field
Description
Job Info
Job Description
The system default job description, ChangeAudit Records - default purge job is displayed.
You cannot change this description.
Enter e-mail addresses to which the job sends messages at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog
box (Admin > System > System Preferences). When the job starts or completes, an e-mail is
sent with the E-mail ID as the sender's address.
Caution
Step 3
You might delete data by changing these values. If you change the number of days to values lower than
the current values, messages over the new limits will be deleted.
Click either Save to save the Purge policy that you have specified, or click Reset to reset the changes
made to a Purge policy.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
To perform a Change Audit Forced Purge:
Step 1
Select Admin > Network > Purge Settings > ChangeAudit Force Purge.
The Purge Policy dialog box appears.
Step 2
Field
Description
Enter the number of days. Only Change Audit records older than the number of days that you specify
here, will be purged.
Enter the number of days. Only Audit Trail records older than the number of days that you specify
here, will be purged.
Field
Description
Scheduling
Run Type
You can specify when you want to run the Force Purge job for Change Audit and Audit Trail records.
To do this select one of the following options from the drop-down menu:
Date
Enter the start date in the dd-mmm-yyyy format, for example, 02-Dec-2003, or click on the Calendar
icon and select the date.
The Date field is enabled only if you have selected Once as the Run Type.
at
Job Info
Job Description
Enter e-mail addresses to which the job sends messages at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin
> System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with
the E-mail ID as the sender's address.
Step 3
Select Admin > Network > Change Audit Settings > Config Change Filter.
The Config Change Filter dialog box appears.
Step 2
Step 3
Check Enable VLAN Change Audit Filter, if you do not want the change audit record to be created
for devices that have a VLAN configuration. By default, this option is checked.
Uncheck Enable VLAN Change Audit Filter, if you want the change audit record to be created for
devices that have VLAN configuration.
Click either Apply to apply the option or click Cancel to discard the changes.
Description
Note
Step 1
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Select Admin > Network > Change Audit Settings > Exception Periods.
The Define Exception Period dialog box appears.
Step 2
Step 3
Select:
Start and end times from the Start Time and the End Time drop-down list box.
Click Add.
The defined exception profile appears in the List of Defined Exception Periods pane.
To enable the exception period, see Enabling and Disabling an Exception Period.
Note
Step 1
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Select Admin > Network > Change Audit Settings > Exception Periods.
The Define Exception Period dialog box appears.
Step 2
Select one or more exception profiles in the List of Defined Exception Periods pane.
Step 3
Click Enable/Disable.
If you have selected Enabled, then the exception period report is generated for that specified time
frame.
If you have selected Disabled, then the exception period report is not generated for that whole day.
For example: If you have disabled exception period for Monday from 10:00 am to 12:30 pm, then
there will not be any exception period report generated for Monday.
Note
Step 1
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Select Admin > Network > Change Audit Settings > Exception Periods.
The Define Exception Period dialog box appears.
Step 2
Select a day from the Day drop-down list box for which you want to change the exception period.
Step 3
Change the start and end times in the Start Time and the End Time drop-down list box.
If required you can also enable or disable the status for the exception period.
Step 4
Click Add.
The edited exception profile appears in the List of Defined Exception Period dialog box. This will
overwrite the existing exception profile for that day.
Note
Step 1
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Select Admin > Network > Change Audit Settings > Exception Periods.
The Define Exception Period dialog box appears.
Step 2
Select one or more exception profiles in the List of defined Exception Periods pane.
Step 3
Click Delete.
Traps
Automated scripts
Description
Name
Status
Type
Description
Note
Step 1
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Select Admin > Network > Notification and Action Settings > ChangeAudit Automated Actions.
The Automated Action dialog box appears.
Step 2
Click Create.
The Define Automated Action dialog box appears.
Step 3
Step 4
Description
Name
Status
Application
Select the name of the application on which the automated action has to
be triggered.
Category
Mode
User
Select the user name on which the automated action has to be triggered.
Click Next.
The Automated Action Type dialog box appears.
Step 5
Field
Select either E-mail or Trap or Script. Based on your selection, enter the following data:
Description
Send To
Subject
Content
Field
Description
Enables configuration of single or dual destination port numbers and hostnames for the traps generated by Change Audit.
Ensure that you have copied these files:
CISCO-ENCASE-MIB.my
CISCO-ENCASE-APP-NAME-MIB.my
Enter the Server and Port details in the Define Trap field.
b.
Click Add.
The server and port information appears in the List of Destinations text box.
If you want to delete the server and port information, select the server and port information from the List of Destinations
text box and click Delete.
You can run only shell scripts (*.sh) on UNIX and batch files (*.bat) on Windows. The shell script or batch file should have
only write/execute permissions for casuser:casusers in Solaris/Soft Appliance and casuser/Administrator in Windows. The
other users should have only read permission. You must ensure that the scripts contained in the file have permissions to execute
from within the casuser account.
The following are the parameters for change audit automated action that will appear in the script:
Application Name
Category
User Name
Description
Connection Mode
Host Name
Click Browse.
The Server Side File Browser dialog box appears with the predefined location.
b.
c.
Click OK.
Step 6
Click Finish.
The Automated Action window appears with the defined automated action.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1
Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions.
The Automated Action dialog box appears.
Step 2
Step 3
Step 4
Click Finish.
The Automated Action window appears with the updated data.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1
Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions.
The Automated Action dialog box appears.
Step 2
Step 3
Click Enable/Disable.
The Automated Action window appears with the updated data.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1
Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions.
The Automated Action dialog box appears.
Step 2
If you want to export an automated action, select the automated actions; otherwise, go to the next step.
Step 3
Click Export/Import.
The Export/Import dialog box appears.
Step 4
Step 5
Either:
Or
Click Browse.
The Server Side File Browser dialog box appears.
Step 6
a.
Select a folder.
b.
Click OK.
c.
Click OK.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1
Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions.
The Automated Action dialog box appears.
Step 2
Step 3
Click Delete.
The Automated Action window appears with the updated data.
Viewing/Editing Preferences
Edit Preferences helps you to set or change your Software Management preferences.
The options you specify here are applicable to Software Management tasks such as image distribution,
image import, etc.
This section contains:
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
To view and edit the preferences:
Step 1
Select Admin > Network > Software Image Management > View/Edit Preferences.
The View/Edit Preferences dialog box appears.
Step 2
Field
Usage Notes
If you enter a new name, all existing files are moved to this
directory. If the directory does not have enough space, the files are
not moved and an error message appears.
Repository Management
Image Location
Field
Description
Usage Notes
Distribution
Script Location
Click Browse.
The Server Side File
Browser dialog box appears
with the predefined location.
b.
c.
Click OK.
Protocol Order
RCP
TFTP
SCP
HTTP
Field
Description
Usage Notes
The device must support SSH for Software Management to use this
protocol.
When you select the SSH protocol for the Software Management,
the underlying transport mechanism checks whether the device is
running SSHv2.
If so, it tries to connect to the device using SSHv2.
If the device does not run SSHv2 and runs only SSHv1 then it
connects to the device through SSHv1.
If the device runs both SSHv2 and SSHv1, then it connects to the
device using SSHv2.
If a problem occurs while connecting to the device using SSHv2,
then it does not fall back to SSHv1 for the device that is being
accessed and Telnet is used to connect to the device.
See the Software Management Functional Supported Device tables
on Cisco.com for SSH and CLI device support information.
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html
Recommendation Filters (See How Recommendation Filters Work for an IOS Image.)
Include Cisco.com
images for image
recommendation
Include General
deployment images
Include latest
maintenance release
(of each major
release).
Includes the latest major releases of IOS images.
For Cisco IOS devices only.
Field
Description
Usage Notes
Step 3
Either:
Click Cancel to discard the values entered and revert to previously saved values.
Step 2
Step 2
Step 2
Option Number
Include General Deployment Images
Include Latest Maintenance Release (of Each Major Release)
Include Images Higher Than Running Image
Include Same Image Feature Subset as Running Image
1
Not
selected
Not
selected
Not
selected
Not
selected
Recommendation
The recommendation image list includes:
In case of,
Multiple images with the same version as that of the running
Not
selected
Not
selected
Not
selected
Selected The recommended list contains images that have the same feature set
as that of the running image.
The images with the highest version among the recommended image
list are recommended.
Not
selected
Not
selected
Selected Not
selected
Not
selected
Selected Not
selected
Not
selected
Table 11-1
Include Latest Maintenance Release (of Each Major Release)
Include Images Higher Than Running Image
Include Same Image Feature Subset as Running Image
Selected Not
selected
Not
selected
Not
selected
Selected Not
selected
Not
selected
Selected Same as option 5. However, the recommended list contains images that
have the same feature set as that of the running image.
Selected Not
selected
Selected Not
selected
Option Number
Include General Deployment Images
Recommendation
The images with deployment status identified as GD are available in
the recommended image list, and the rest of the recommendation flow remains
the same as in option 1.
Same as option 5. However, the image with the highest version in the
recommended image list is recommended.
The feature set of the recommended image may be superior to that of the
running image.
Selected Not
selected
Selected Selected Same as option 6. However, the image with the highest version in the
recommended image list is recommended.
All recommended images will have the same feature subset as the
running image.
Not
selected
The images with the highest version among the recommended image list
are recommended.
The images of GD types of releases are available in the recommended
image list.
10
Selected The images with the same feature as that of the running image are available
in the recommended list, and the latest maintenance version of all
releases is available in the recommended list.
Only an image with a higher version than the running image is
recommended. The recommended images can have only GD status.
11
Note
To view all inventory change reports, select Reports > Inventory. In the Report Generator dialog
box, first select the application, Change Audit, and then select the Exception Period Report from the
respective drop-down lists.
To view inventory changes from the last 24 hours, select Reports > Inventory. In the Report
Generator dialog box, first select the application, Inventory, and then select report 24 Hour Inventory
Change report from the respective drop-down lists.
View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform this task.
To set Inventory change filters:
Step 1
Select Admin > Network > Change Audit Settings > Inventory Change Filter.
The Inventory Change Filter dialog box appears.
Step 2
Select a group from the Select a Group drop-down list. See Table 11-2.
The dialog box refreshes to display the filters available for the attribute group that you selected.
Step 3
Select the attributes that you do not want to monitor for changes.
Step 4
Click Save.
A confirmation dialog box appears.
Step 5
Table 11-2
Description
Asset
Tag
Asset tag.
CLE Identifier
Physical Index
Operational Status
Manufacturer Name
Name of manufacturer.
Slot Configuration
Model Name
Name of model.
Vendor Type
Type of vendor.
Serial Number
Description
Description of backplane.
Component Type
Type of component.
Index
Index of backplane.
Alias Name
Bridge Type
Type of bridge.
Number of Ports
Back Plane
Bridge
Chassis
Type of vendor.
Chassis Version
Report Published
Description
Description of chassis.
FRU of chassis.
Component Type
Type of component.
Alias Name
Index
Free Slots
Slot Capacity
Operational Status
Manufacturer Name
Name of manufacturer.
Slot Configuration
Index
FRU of component.
Alias Name
Operational Status
Manufacturer Name
Name of manufacturer.
Name
Name of component.
Slots Configured
Model Name
Name of model.
Vendor Type
Serial Number
Description
Description of component.
Component Type
Type of component.
Component
Container
Alias Name
Operational Status
Manufacturer Name
Slot Configuration
Description
Description of container.
Component Type
Index
Index of container.
FRU of container.
Description
Description of fan.
Component Type
Index
Index of fan.
FRU of fan.
Alias Name
Operational Status
Manufacturer Name
Slot Configuration
Module Index
Fan
Flash
Flash Device
Removable
Jumper
Controller
Chip Count
Size (MB)
Partition Count
Maximum Partitions
Name
Index
Description
Index
Status
Checksum
Size (MB)
Name
Algorithm
Filename Length
Erase Needed
Upgrade Method
Status
Free (MB)
Size (MB)
Name
Index
Flash File
Flash Partition
IP Address
IP Address
Index
IP Address index.
Address State
IP Address state.
Address Type
Type of IP Address.
Protocol of Address
Protocol of IP Address.
Broadcast Address
Broadcast address.
Network Mask
ROM Version
Version of ROM.
Media
Media of image.
Feature
Image feature
Module
Image module.
Image
Build Time
Family
Image family.
System Description
Version
Description
Description of image.
Processor Index
MTU
Alias
Interface alias.
Last Changed
Operational Status
Admin Status
Speed (Mbps)
Type
Type of interface.
Description
Description of interface.
Name
Name of interface
Physical Address
Image
Interface
Memory
Memory Pool
Description
Index
Index of interface.
Identifier
Identifier of interface.
FlexLink Enabled
SPAN Enabled
Processor Index
Processor index.
Free (MB)
Free memory in MB
Used (MB)
Validity
Alternate Pool
Name
Type
Module
FRU of module.
Alias Name
Reset Reason
Admin Status
Additional Status
Module IP Address
IP Address of module
Hardware Encryption
Slot Number
Parent Type
Multiservice
Parent Index
Number of Slots
FW Version
SW Version
HW Version
Operational Status
Manufacturer Name
Slot Configuration
Model Name
Name of module.
Vendor Type
Serial Number
Description
Description of module
Component Type
Index
Index of module
Port
Manufacturer Name
Slot Configuration
Description
Description of port.
Component Type
Port Index
Port index.
FRU of port.
Alias Name
Status
Status of port
Operational Status
Port Interface
Power Consumption
Power Available
Power Remaining
Number
Power Supply
Admin Status
Operational Status
Manufacturer Name
Slot Configuration
Alias Name
Description
Component Type
Index
Processor
Processor FRU.
Alias Name
Slot Number
Parent Type
Parent Index
Operational Status
Manufacturer Name
Slot Configuration
Model Name
Reset Reason
Vendor Type
Admin Status
Serial Number
Additional Status
Description
Description of processor.
Module IP Address
Component Type
Hardware Encryption
Hardware encryption.
Index
Index of processor.
Multiservice
Multiservice.
Number of Slots
FW Version
SW Version
HW Version
Sensor
Operational Status
Manufacturer Name
FRU of sensor
Alias Name
Slot Configuration
Description
Description of sensor
Component Type
Index
Index of sensor
Serial Number
Description
Description of slot.
Component Type
Index
Index of slot.
Operational Status
Manufacturer Name
FRU of slot.
Slot Configuration
Configuration of slot.
Alias Name
Model Name
Vendor Type
FRU of stack.
Operational Status
Alias Name
Manufacturer Name
Slot Configuration
Description
Description of stack
Slot
Stack
Sys Application
System
Description
Component Type
Index
Index of stack.
Index
Software Version
Software Manufacturer
SysUpTime
System Up Time.
Host Name
Management Type
Modular
Modularity of system.
System Name
System name.
System Object ID
Last Updated At
Location
System location.
Contact
System contact.
Domain Name
Description
CHAPTER 12
Managing Jobs
LMS provides a Job Browser that lets you view the status of all LMS admin-related jobs.
LMS applications, such as NetConfig, Config Editor, Archive Management, and Software Management,
allow you to schedule jobs to perform their tasks. Job Approval allows you to require that one of a group
of users designated as job Approvers approves each job before it can run.
This section contains the following:
Column
Description
Job ID
Job ID:
Identifies the task. This does not maintain a history. For
example: 1001
JobID.Instance ID:
Here, in addition to the task, the instance of the task can also be
identified. For example: 1001.1, 1001.2
Type
Type of job. The jobs include User Tracking jobs, LMS reports,
Inventory Collection, Identity provisioning, Identity monitoring and
so on.
Run Status
Running
Scheduled (pending)
Succeeded
Failed
Crashed
Cancelled
Suspended
Rejected
Missed Start
Failed at Start
Select a job state from the Run Status drop-down list box to view the
details of all the jobs that match the job state.
If there are no jobs with any of these job states, the Run Status
drop-down list box will not display the respective job state.
Sched Type
Once
Immediate
Description
Run Sched
Using Job Browser
Table 12-1
Column
Description
Status
Provides the status of the current jobs. The status of the current jobs
is displayed as succeeded or failed. It also displays the failure
reasons.
Owner
Scheduled At
Completed At
Filtering Jobs
You can filter the jobs by any specified criteria using the Filter by drop-down list. Select your criteria,
enter the corresponding value in the text box next to the drop-down list and click Filter. The jobs
pertaining to that category are displayed.
Column
Description
All
Job ID
Type
1002
1010.5
1004,1008.8, 1004
1007*
1001-1010
1019.20-1019.100
Type of job. The jobs include User Tracking jobs, LMS reports,
Inventory Collection, Identity provisioning, Identity monitoring and
so on.
Filters and displays all jobs that match a job type value in Job
Browser.
You must select a job type from the list of available types.
Column
Description
Run Status
Running
Scheduled (pending)
Succeeded
Failed
Crashed
Cancelled
Suspended
Rejected
Missed Start
Failed at Start
Select a job state from the Run Status drop-down list box to view the
details of all the jobs that match the job state.
If there are no jobs with any of these job states, the Run Status
drop-down list box will not display the respective job state.
Sched Type
Description
Once
Immediate
Owner
Click the Refresh icon to refresh the job browser. Use the Stop and Delete buttons to stop or delete jobs:
Stop button: Stops or cancels a running job. You will be prompted to confirm the cancellation of
the job. However, the job is stopped only after the devices currently being processed are successfully
completed. This is to ensure that no device is left in an inconsistent state.
Delete button: Deletes the selected job from the job browser. You can select more than one job to
delete. You will be asked to confirm the deletion.
Note
Configuring Default Job Policies
Login Username
Login Password
Enable Password
This section also explains Defining the Default Job Policies.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1
Select Admin > Network > Configuration Job Settings > Config Job Policies.
The Config Job Policies dialog box appears.
Step 2
Step 3
Select one application from the drop-down list. You can select one of the following options:
NetConfig
ArchiveMgmt
ConfigEditor
Netshow
Field Name
Description
Failure Policy
Select what the job should do if it fails to run on the
device. You can stop or continue the job, and roll
back configuration changes to the failed device or to
all devices configured by the job.
You can select one of the options:
Stop on failure: Stops the job on failure.
You can create rollback commands for a job in
the following ways:
Using a system-defined template.
Rollback commands are created
automatically by the template.
The Banner system-defined template does
Note
Usage Notes
You can enter multiple e-mail addresses separated by
commas.
Notification e-mails include a URL to enter to
display job details. If you are not logged in, do so
using the login panel.
Configure the SMTP server to send e-mails in the
View / Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in
the View / Edit System Preferences dialog box
(Admin > System > System Preferences).
When the job starts or completes, an e-mail is sent
with the E-mail ID as the sender's address.
Sync Archive
before Job
Execution
Copy Running
Config to Startup
Note
Note
Enable Job
Password
None.
None.
Fail on Mismatch
of Config Versions
Delete Config after
download
The configuration file is deleted after the download.
Note
This appears if you select Config Editor.
Execution Policy
2.
Either:
User Configurable
Step 4
Click Apply.
A message appears, Policy values changed successfully.
Step 5
Click OK.
The following tables list the usage scenarios and their implications for Configuration application when
job password is configured on devices.
Table 12-2: When Device Access is Only Through Job Password and No Access is Available
Through Regular Telnet/SSH and SNMP (Read or Write)
Table 12-3: When Devices are Configured for Job Password and Access is Available Through SNMP
(Read or Write)
Table 12-4: When Devices are not Configured for Job Password and Access is Available Through
Regular Telnet/SSH but no SNMP
Table 12-5: When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled.
Access is Available Only Through SNMP (Read or Write)
Table 12-2
When Device Access is Only Through Job Password and No Access is Available Through Regular
Telnet/SSH and SNMP (Read or Write)
Scenario
Archive Mgmt
cwcli config
NetConfig
Config Editor
Fails
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
Fails
Not applicable
Not applicable
Fails
Not applicable
Not applicable
Not applicable
Fails
Not applicable
Not applicable
Not applicable
Fails
Not applicable
Not applicable
Not applicable
Config upload/restore
through cwcli config
Not applicable
Fails
Not applicable
Not applicable
NetConfig Job
Not applicable
Fails
Succeeds
Not applicable
Not applicable
Not applicable
Not applicable
Succeeds
Table 12-3
When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write)
Scenario
Archive Mgmt
cwcli config
NetConfig
Config Editor
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Succeeds for
SNMP supported
devices
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Not applicable
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
NetConfig Job
Not applicable
Fails
Succeeds
Not applicable
Not applicable
Not applicable
Not applicable
Succeeds
config
Table 12-4
When Devices are not Configured for Job Password and Access is Available Through Regular Telnet/SSH
but no SNMP
Scenario
Archive Mgmt
cwcli config
NetConfig
Config Editor
Succeeds
Not applicable
Not applicable
Not applicable
Succeeds
Not applicable
Not applicable
Not applicable
Succeeds
Succeeds
Not applicable
Not applicable
Succeeds
Not applicable
Not applicable
Not applicable
Succeeds
Not applicable
Not applicable
Not applicable
Succeeds
Not applicable
Not applicable
Not applicable
Succeeds
Succeeds
Not applicable
Not applicable
NetConfig Job
Not applicable
Not applicable
Succeeds
Not applicable
Not applicable
Not applicable
Not applicable
Succeeds
config
Table 12-5
When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is
Available Only Through SNMP (Read or Write)
Scenario
Archive Mgmt
cwcli config
NetConfig
Config Editor
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Configuring NetShow Job Policies
Succeeds for
SNMP supported
devices
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Succeeds for
SNMP supported
devices
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
config
NetConfig Job
Not applicable
Fails
Fails
Not applicable
Not applicable
Not applicable
Not applicable
Fails
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
To define these default Job Policies:
Step 1
Select Admin > Network > Configuration Job Settings > Config Job Policies.
The Job Policy dialog box appears.
Step 2
Step 3
Field Name
Description
E-mail Notification
Enter e-mail addresses to which the job sends messages at
the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by
commas.
Configure the SMTP server to send e-mails in the View / Edit
System Preferences dialog box (Admin > System > System
Preferences).
Usage Notes
Notification is sent when job is started
and completed.
Notification e-mails include a URL to
enter to display job details. If you are not
logged in, log in using the login panel.
Enable Job
Password
Step 4
Click Apply.
A message appears, Policy values changed successfully.
Step 5
Click OK.
Description
Application
Status
Policy
This value is in days. Data older than the specified value will be purged. You can change this
value as required. This is a mandatory field. The default is 180 days.
Job ID
Unique ID assigned to the job by the system, when the purge job was created. This Job ID does
not change even if you disable or enable or change the schedule of the purge job.
For the Purge Now task, a Job ID is not assigned. Also, if a Job ID already exists for that
application, this Job ID is not updated for the Purge Now tasks. That is, the job scheduled for
purging is not affected by the Purge Now task.
Scheduled At
Date and time that the job was scheduled at. For example: Nov 17 2004 13:25:00.
Schedule Type
Monthly: Monthly on the day of the month and at the specified time. (A month comprises
30 days).
Select Admin > Network > Purge Settings > Config Job Purge Settings.
The Job Purge dialog box appears. You can perform the following tasks in the Job Purge window:
Button
Description
Schedule
Enable
Disable
Purge Now
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
To define the protocol order for NetShow:
Step 1
Select Admin > Collection Settings > Config > Config Transport Settings.
The Transport Settings dialog box appears.
Step 2
Step 3
Select a protocol from the Available Protocols pane and click Add.
NetShow supports only Telnet and SSH.
If you want to remove a protocol or change the protocol order, you can remove the protocol using the
Remove button and then add it again.
The protocols that you have selected appear in the Selected Protocol Order pane.
Step 4
Click Apply.
A message appears, New settings saved successfully.
Step 5
Click OK.
The protocol used for communicating with the device is based on the order in which the protocols are
listed here.
Enabling Approval and Approving Jobs Using Job Approval
Masking Credentials
You can mask the credentials shown in the output of show commands. If you want to mask the credentials
of a particular command, you must specify the command in the
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\config\netshow\NSCredCmds.properties file.
In this file you can specify all the commands whose output should be processed to mask the credentials.
We recommend that you enter the complete command in the file. For example, you must enter show
running-config, not show run. This file contains some default commands like show running-config.
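The per-command masking described above can be sketched as follows. This is an added example, not LMS code: the layout of NSCredCmds.properties is not shown on this page, so the command list is passed in directly, and the masking patterns cover common Cisco IOS credential lines chosen for illustration. The example compares the complete command string; whether LMS itself expands abbreviations such as show run is not stated here. The sample output is constructed.

```python
import re

# Assumption: the complete commands an administrator listed for masking. The layout of
# NSCredCmds.properties is not shown on the page, so the list is given directly.
MASKED_COMMANDS = {"show running-config"}

MASK = "<masked>"

# Cisco IOS configuration lines that carry a secret. Group 1 keeps the keyword and the
# optional encryption-type digit; the secret that follows is replaced.
RULES = [
    re.compile(r"^(\s*enable (?:secret|password)(?: level \d+)?(?: \d)?) \S+.*$"),
    re.compile(r"^(\s*username \S+.*? (?:secret|password)(?: \d)?) \S+.*$"),
    re.compile(r"^(\s*password(?: \d)?) \S+.*$"),
    re.compile(r"^(\s*(?:tacacs|radius)-server key(?: \d)?) \S+.*$"),
]
# The community string is followed by options (RO/RW, ACL) that stay visible.
SNMP_RULE = re.compile(r"^(\s*snmp-server community) \S+(.*)$")


def mask_line(line):
    """Replace the secret on one configuration line, if the line carries one."""
    match = SNMP_RULE.match(line)
    if match:
        return f"{match.group(1)} {MASK}{match.group(2)}"
    for rule in RULES:
        match = rule.match(line)
        if match:
            return f"{match.group(1)} {MASK}"
    return line


def mask_output(command, output):
    """Mask credentials only when the complete command is in the configured list."""
    normalized = " ".join(command.lower().split())
    if normalized not in MASKED_COMMANDS:
        return output  # command not listed: output is passed through unchanged
    return "\n".join(mask_line(line) for line in output.splitlines())


# Constructed sample output; every secret below is made up.
SAMPLE_OUTPUT = "\n".join([
    "hostname rtr805",
    "enable secret 5 $1$CONSTRUCTED$hashvalue",
    "username admin privilege 15 password 0 Constructed-Pw1",
    "snmp-server community constructed-ro RO",
    "line vty 0 4",
    " password 7 0000CONSTRUCTED",
    " transport input ssh",
])

if __name__ == "__main__":
    print(mask_output("show running-config", SAMPLE_OUTPUT))
```

Hashed and type 7 values are masked as well as plaintext ones, since a stored hash or an obfuscated string is still credential material.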
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform job approval tasks.
Role
Responsibilities
System Administrator
Approver
2.
Creates one or more job Approver lists (see Creating and Editing Approver Lists).
3.
4.
The planner analyzes the network and prompts the network engineer to schedule a job to perform a
needed network change.
The job creator uses a Cisco Prime application to create a job. The application must have an Approver
list assigned to it before Job Approval is enabled. Also, it must be scheduled to run in the future (not
immediately).
All Approvers on the Approver list receive an automatic email notification. The job Approvers approve
or reject the job (see Approving and Rejecting Jobs) and give their comments.
The job creator and all Approvers on the Approver list receive an automatic e-mail notification.
A job that is not approved or rejected before its scheduled time is automatically moved to the Rejected
state. E-mail notification is sent to all Approvers and the user who scheduled the job. If the job is
approved, it runs as scheduled.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
To specify Approver details:
Step 1
Select Admin > Network > Configuration Job Settings > Approver Details.
The Approver Details dialog box appears.
Step 2
Job Approval Workflow
Step 3
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
To create and edit Approvers lists:
Step 1
Select Admin > Network > Configuration Job Settings > Create/Edit Approver Lists.
The Create/Edit Approver List dialog box appears.
Step 2
Go to the Approver List field and enter a name for an Approver list that you are creating. It can be an
alphanumeric name.
Step 3
Click Add.
A message appears:
List Listname has no users. To save the list successfully, add users and click Save.
Step 4
Click OK to proceed.
The newly-created list appears in the lists box.
(If previously-created lists exist, you can highlight a list to see the List Members in the Users group of
fields.)
Step 5
To add a user to the Approver List, select the name from the Available Users list box, and click Add.
The name appears in the List Members list box.
To remove a user from the Approver list, select the name from the List Members list box, then click
Remove.
The name is removed from the List Members list box.
Step 6
Click Save.
The Approver Lists box displays the name of the new Approver list and the users on this list appear in
the box below Approver Lists.
b.
Add new approvers, or remove existing ones, using the Add and Remove buttons in the Users
group of fields.
b.
Click Delete.
A message appears:
Are you sure you wish to delete? Approval will be disabled for applications to which
the Listname is assigned!
c.
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
To assign an Approver list:
Step 1
Select Admin > Network > Configuration Job Settings > Assign Approver Lists.
The Assign Approver Lists dialog box appears.
Step 2
Select the required Approver list from the drop-down list box for that application. Repeat this for each
of the applications listed here.
Step 3
Click Assign.
The selected Approver lists are assigned to the applications.
NetConfig
NetShow
Config Editor
Archive Management. See Using Job Approval for Archive Management for details.
Software Management. See Using Job Approval for Software Management for details
Prerequisite
Make sure the approver list is assigned to the application, before you enable approval for the application.
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform this task.
To set up Job Approval:
Step 1
Select Admin > Network > Configuration Job Settings > Approval Policies.
The Approval Policies dialog box appears. You can enable or disable Job Approval for the following
applications:
NetConfig
NetShow
Config Editor
Archive Management.
Software Management.
Step 2
Set up Job Approval for the various applications that support job approval, by doing one of the following:
Select the Enable check box that corresponds to an application, to enable Job Approval.
Deselect the Enable check box that corresponds to an application, to disable Job Approval.
Select the All check box to enable Job Approval, for all applications to which it is applicable.
Deselect the All check box to disable Job Approval, for all applications to which it is applicable.
Step 3
You can enable Job Approval for Archive Management tasks (Admin > Network > Configuration Job
Settings > Approval Policies). This means all jobs require approval before they can run.
Only users with Approver permissions can approve Archive Management jobs. Jobs must be approved
before they can run if Job Approval is enabled on the system.
For more details on enabling job approval see Setting Up Job Approval.
The following Archive Management tasks require approval if you have enabled Job Approval:
Out-of-Sync (Configuration > Compliance > Out-of-Sync Summary)
Sync Archive jobs do not have Job Approval enabled because this job only archives the configuration
from the device and there is no change to the device configuration.
If you have enabled Approval for Archive Management tasks, these options appear in the Job Schedule
and Options dialog box:
You can enable Job Approval for Software Management tasks (Admin > Network > Configuration Job
Settings > Approval Policies), which means all jobs require approval before they can run.
Only users with Approver permissions can approve Software Management jobs. Jobs must be approved
before they can run if Job Approval is enabled on the system.
The following Software Management tasks require approval if you have enabled Job Approval:
Adding images to Software Repository (Configuration > Tools > Software Image Management >
Software Distribution) using:
Cisco.com
Device
URL
Network
Distributing software images (Configuration > Tools > Software Image Management > Software
Distribution) using any one of these methods:
Distributing by Devices [Basic]
Distributing by Devices [Advanced]
Distributing by Images
Remote Staging and Distribution
If you have enabled Approval for Software Management tasks, then in the Job Schedule and Options
dialog box, you get these two options:
Description
Job ID
Job Description
Job Schedule
Date and time for which the job has been scheduled.
Server Name
Server Time-zone:
Maker Comments
URLS
View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform this task. You need to be a user with an Approver role.
Note
You will be able to select only those jobs for which you are a part of the Approver List. The other jobs,
for which you are not a part of the Approver List, will be disabled.
To approve or reject jobs:
Step 1
Column
Description
Job ID
Owner
Job owner.
Job Type
Scheduled to Run at
Approver List
Description
Step 2
Either:
Select Next.
The Job Details dialog box appears (For example, if the ID of the job awaiting approval is 1025, then
the title of the dialog box appears as Job Details For Job 1025). You can view/change the job details
before approving or rejecting it.
Fields in the Job Details box are:
Field
Description
Job
ID
Schedule Options
Run Type
6 - hourly: Runs the report every 6 hours, starting from the specified time.
12 - hourly: Runs the report every 12 hours, starting from the specified time.
Weekly: Runs weekly on the day of the week and at the specified time.
Monthly: Runs monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has
completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the
next job will start only at 10:00 a.m. on November 3.
To change, select the required run type from the drop-down list.
Using Device Selector
Field
Description
Current Schedule
Date
Scheduled date and time of the job. Click Change Schedule to change the schedule of the job.
You must click the Change Schedule button for the changed schedule to take effect. If you do not click
this button, the changed schedule will not be set.
Approver
Comments
Enter your comments. This field is mandatory only if you are rejecting a job.
Step 3
Click Approve.
The job is approved.
If you want to reject the job, enter comments in the Comments text box and then click Reject.
Note
If you have configured Cisco Prime login mode to work under ACS mode, the devices listed for you
while performing the tasks are based on your role and associated privileges that are defined in Cisco
Secure ACS.
The Device Selector pane contains the following field/buttons:
Field/Button
Description
Search Input
Search
Use this icon to perform a simple search of devices based on the search
criteria you have specified in the Search Input text field.
For information on Search, see Using Simple Search.
Field/Button
Description
Advanced Search
All
Lists all User-defined and System-defined groups for all applications that
are installed on LMS Server.
For more information, see Using the All Tab.
Search Results
Selection
Lists all the devices that you have selected in the Search Results or All
tab.
Using this tab, you can deselect devices from the list.
For more information, see Using the Selection Tab.
Device Selector
Tool-tips are provided for long device names so that you do not have to scroll to see the complete device
name.
Using Advanced Search
You can enter multiple device names separated by commas. You can also enter the wildcard characters
* or ? to select multiple devices.
For example:
You can enter device names in any of these ways to select multiple devices:
192.168.80.140, 192.168.135.101, rtr805
192.168.80.*, 192.168.*
192.168.22.?
You cannot enter multiple wildcard characters in a single device name.
For example, 192.*.80.* is not allowed.
You must enter either the complete device name or enter the partial device name appended with
wildcard character *. That is,
No devices are selected, if you enter only 192.168 in the Device Name text box.
You have to enter either 192.168* or 192.168.10.10.
The selected devices form a unique list. There are no duplicate entries of devices.
For example:
If you have these devices in All Devices and Normal devices nodes: 192.168.10.10, 192.168.10.20,
192.168.10.21, 192.168.10.30, and 192.168.10.31 then,
a. Select the devices 192.168.10.20, 192.168.10.21, and 192.168.10.30 in the Normal devices
node.
b. Enter the search criteria 192.168.10.2*
c. The final selected devices displayed are 192.168.10.20, 192.168.10.21, and 192.168.10.30
in the Normal devices node and 192.168.10.20 and 192.168.10.21 in the All Devices node.
However, the selected devices count that is displayed in the Device Selector is only three and
not five.
The All Devices node is expanded without selecting any devices if the search criteria are not
satisfied. The objects selected text displays 0 (zero) device selected.
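The simple-search rules above, modelled as an added example (not code from the Cisco guide or from LMS): one wildcard per term, whole-name matching, and a selection count that treats a device ticked in two nodes as one. The function names are hypothetical; treating ? as exactly one character and placing search hits in the All Devices node are assumptions taken from the example above.

```python
import re


def split_terms(search_input):
    """Split the comma-separated Search Input into (accepted, rejected) terms."""
    accepted, rejected = [], []
    for term in (t.strip() for t in search_input.split(",")):
        if not term:
            continue
        # Only one wildcard character is allowed per term (192.*.80.* is rejected).
        if term.count("*") + term.count("?") > 1:
            rejected.append(term)
        else:
            accepted.append(term)
    return accepted, rejected


def term_regex(term):
    """Whole-name matcher: '*' is any run of characters, '?' one character (assumed)."""
    pattern = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in term
    )
    return re.compile(pattern)


def search(devices, search_input):
    """Return (matching devices, rejected terms) for one Search Input string."""
    accepted, rejected = split_terms(search_input)
    regexes = [term_regex(t) for t in accepted]
    # fullmatch: a bare prefix such as 192.168 selects nothing without a trailing *.
    hits = [d for d in devices if any(r.fullmatch(d) for r in regexes)]
    return hits, rejected


def select(nodes, preselected, search_input, search_node="All Devices"):
    """Merge devices already ticked per node with the search hits.

    nodes:       {node name: [device names]}
    preselected: {node name: [device names already ticked]}
    Returns (per-node selection, unique selected devices, rejected terms).
    """
    hits, rejected = search(nodes[search_node], search_input)
    per_node = {node: sorted(set(preselected.get(node, ()))) for node in nodes}
    per_node[search_node] = sorted(set(per_node[search_node]) | set(hits))
    # The selector counts each device once, however many nodes show it ticked.
    unique = sorted({d for names in per_node.values() for d in names})
    return per_node, unique, rejected


# Device list from the example above.
DEVICES = ["192.168.10.10", "192.168.10.20", "192.168.10.21",
           "192.168.10.30", "192.168.10.31"]
NODES = {"All Devices": DEVICES, "Normal Devices": DEVICES}

if __name__ == "__main__":
    ticked = {"Normal Devices": ["192.168.10.20", "192.168.10.21", "192.168.10.30"]}
    per_node, unique, rejected = select(NODES, ticked, "192.168.10.2*")
    print(per_node, len(unique), rejected)
```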
This dialog box contains the following fields and buttons (See Table 12-6):
Table 12-6
Field/Buttons
Description
Logical operators.
This field appears only after a rule expression is added in the Rule
Text box.
Object Type
Variable
Operator
Value
The value of the rule expression. The possible values depend upon
the variable and operator selected. Depending on the operator
selected, the value may be free-form text or a list of values.
Wildcard characters are not supported.
Rule Text
Check Syntax
Search
Usage Notes
If you have not selected any device nodes, then advanced search is applied only for All Devices
node.
You can either enter the rules directly in the Rule Text field, or select the components of the rule
from the Rule Expression fields, and form a rule.
Each rule expression contains the following:
object type.variable operator value
Object Type: The type of object (device) that is used to form a group. All rule expressions begin
with the same Object Type, RME:INVENTORY:Device.
Variable: Device attributes, based on which you can define the group. See the Advanced Search
Rule Attribute.
Operator: Operator to be used in the rule. The list of possible operators changes based on the
Variable selected.
Value: Value of the rule expression. The possible values depend upon the variable and operator
selected. Depending on the operator selected, the value may be free-form text or a list of values.
If you are entering the rule expressions manually, the rule expression must follow this syntax:
object type.variable operator value
If you are entering more than one rule expression, you must enter logical operators OR, AND or
EXCLUDE after every rule expression.
You must use the Check Syntax button only when you add a rule manually or when you modify a rule
expression in the Rule Text.
To delete the rules in the Rule Text box, select the complete rule including the logical operator and
press the Delete key on your keyboard.
If you want to perform a new search, click Clear All before selecting any new devices.
Table 12-7 lists the available device advanced search rule attributes that you can use for defining
advanced search.
Table 12-7
Attribute Group
Attribute Type
Description
Asset
Asset.CLE_Identifier
Asset.Part_Number
Asset.User_Defined_Identifier
Chassis
Chassis.Model_Name
Chassis.Number_Of_Slots
Chassis.Port_Count
Chassis.Serial_Number
Chassis.Vendor_Type
Chassis.Version
Flash
Flash.File_Name
Flash.File_Size
Flash.Model_Name
Flash.Partition_Free
Flash.Partition_Name
Flash.Partition_Size
Flash.Size
Image
Image.ROM_Sys_Version
Image.ROM_Version: Version of ROM.
Image.Sys_Description
Image.Version
IP Address
IP.Address: Device IP address.
IP.Address_Type
IP.Network_Mask
Memory
Memory.Free
Memory.Name
Memory.Size
Memory.Type: Memory type.
Memory.Used
Module
Module.HW_Version
Module.Model_Name
Module.Port_Count
Module.Serial_Number
Module.Vendor_Type
Processor
Processor.Model_Name
Processor.NVRAM_Size
Processor.NVRAM_Used
Processor.Port_Count
Processor.RAM_Size
Processor.Serial_Number
Processor.Vendor_Type
State
State
System
System.Contact
System.Description
System.DomainName
System.Location
System.SystemOID
The following example describes the procedure for selecting devices whose IP address starts with
192.168 or Network Mask is 255.255.255.0. Also, these devices are assumed to be in Normal state.
The devices in your network are:
Step 2
Step 3
Select,
a. State as Variable
b. = as Operator
c. Normal as Value
Step 4
Step 5
Select,
a.
b. IP.Address as Variable
c. Contains as Operator
d.
Step 6
Step 7
Select,
a. OR as Logical Operator
b. IP.Network_Mask as Variable
c. Equals as Operator
d.
Step 8
Click Search.
The Device Selection dialog box appears.
The devices that satisfied the search condition are selected. That is, these two devices are selected.
The following is the list of device folders under the All tab:
The All Devices folder lists all devices. That is, this includes devices in Normal, Alias, Pending, and
Pre-deployed states. This folder does not include devices in Suspended and Conflicting states.
The Normal Devices folder lists devices that have been successfully contacted by LMS or that
have contacted LMS at least once (polling, successful job completion, Syslog receipt, etc.).
The Pre-deployed folder lists devices that have never been reachable by LMS (by a protocol such as
SNMP).
The Previous selection folder lists LMS devices that were selected in the previous LMS task in the same
session.
The Saved device list folder lists devices that are saved explicitly by you while generating the Inventory
Reports, View Credential Verification Report and Error Report.
Only one Saved device list is created within the device selector. If concurrent users have created
Saved device list, only the last created Saved device list appears in the Device Selector. The previous
Saved device list is overwritten with the latest.
Note
You can use the Previous selection and Saved device groups only when you are working on an application.
You cannot use these device groups when you are working on another Cisco Prime application. That is,
if you are working on the Campus Manager application, these groups must not be used.
The User Defined Groups folder lists devices that satisfy the group rules. The group rules are defined
by you at the time of creating the User-defined groups.
Based on the applications that are installed on your LMS Server, you will also view device folders
related to other Cisco Prime applications:
CiscoWorks_ApplicationName@CiscoWorks_ServerHostName
For example: For Cisco Prime Common Services, you will see:
CS@CiscoWorks_ServerHostName.
In a stand-alone system, server name is not appended. For example, for Common Services, you will
see CS.
Other application folders are displayed in LMS based on the settings. For more details, see Common
Services Online Help.
In Device Selector, the other Cisco Prime application device folders will list only devices.
For example: If you have devices, A, B, C and D in Cisco Prime Common Services and you have
devices A, B, and C in LMS then in the Device Selector under Common Services device folder, you
will view only devices A, B, and C.
and is available in Device and Credentials). However, that device is not supported by
applications. (Inventory, Software Management, and Configuration Management).
There are two types of device selectors in LMS:
In the single device selector, you can select a device only at the leaf-level (device-level). The radio
buttons at the node-level (folder-level) are grayed out.
In the multiple device selector, you can select devices at both the node-level and leaf-level.
The following are the usage notes for the multiple device selector:
If you select devices at the node-level, all devices listed under this node are selected.
For example, if you select the All Devices node, all devices under this node are selected.
If you expand a device node, you cannot select devices at the node-level. You need to select devices
individually at the leaf-level.
For example, if you expand the All Devices node, you cannot select devices at the All Devices
node-level (the check-box is grayed out). You need to select devices individually under the All
Devices node.
If you select devices at a node-level and expand that particular node, you can deselect the devices
only at the leaf-level and not at the node-level.
For example, if you select the Normal Devices node and expand the same, you can deselect the
devices only at the leaf-level. You cannot deselect all the devices at the Normal Devices node-level
(the check-box is grayed out), when it is expanded. However, you can use Clear All to deselect all
the devices.
You can select devices using the tree view in the All tab. This tab displays all devices that are available
in LMS.
Selection Using Search
You can search devices using Search or Advanced Search. The list of devices matching the search criteria
is shown under the Search Results tab. You can select the required devices from the Search Results tab.
The Selection tab reflects whatever you selected from Search Results.
If you click the All tab now, the devices selected from Search Results will be shown in the All Devices
group.
After you select devices using the All tab, you can add a few more devices using Search. You can enter
the search criteria and search using Search or Advanced Search and the Search Results tab displays the
devices matching the criteria.
You can select the required devices from the Search Results tab. The Selection tab displays the
accumulated list from both All and Search Results tabs. If you click the All tab, it displays the selected
devices from Search Results under the All Devices group also.
You can enter another search criteria and select more devices. The selected devices are accumulated in
the All tab from the Selection tab, as you select more devices.
Note
The (n) Devices Selected message at the bottom left of the Device Selector screen shows the number of
devices you have selected. It launches the Selection tab when you click on it.
Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry
settings.
or
Select Admin > Collection Settings > Config > Edit the Inventory, Config Timeout, and Retry
settings.
The Edit Devices dialog box appears.
Step 2
Select the devices for which you want to edit the device attributes. See Using Device Selector for further
information.
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry
settings.
The Devices dialog box appears.
Step 2
Select the devices for which you want to edit the device attributes. See Using Device Selector for further
information.
Step 3
Step 4
Click Export.
The Export Device Attributes to File dialog box appears.
a.
c.
Step 5
Step 6
c.
The Device Attributes window refreshes to display the updated device attributes.
While importing the edited device attributes file an error message may appear,
Attribute values for some selected devices are invalid. See Attribute Error Report for
details.
See Editing Device Attributes section to know the minimum and maximum values for the device
attributes. Also see Attribute Error Report for more information.
Step 7
Click Apply.
Device Name
Name of the device.
Serial Number
Cisco manufacturing serial number from chassis. You can enter up to 255 alphanumeric characters.
The default value is Default Not Defined.
This attribute is available when you either export or edit the device attributes from the Devices
window.
SNMP Retry
Number of times that the system should try to access devices with SNMP options.
The default value is 2. The minimum value is zero.
SNMP Timeout
Duration of time that the system should wait for a device to respond before it tries to access it again.
The default value is 2 seconds. The minimum value is zero seconds. There is no maximum value
limit.
Changing the SNMP timeout value affects inventory collection.
Telnet Timeout
Duration of time that the system should wait for a device to respond before it tries to access it again.
The default value is 36 seconds. The minimum value is zero seconds. There is no maximum value
limit.
Note
The Telnet timeout and SSH timeout are the same. Modifying the Telnet Timeout also changes the SSH
Timeout.
Natted IP Address
The server ID. This is the translated address of the server as seen from the network where the device
resides. This is used when LMS tries to contact devices outside the NAT boundary; you need to
enable support for NAT. The default value is Default Not Defined.
TFTP Timeout
Duration of time that the system should wait for a device to respond before it tries to access it again.
The default value is 5 seconds and the minimum value is 0 seconds. There is no maximum value
limit. This attribute is available only when you edit the device attributes from the Device Attributes
window.
Read Delay: Amount of time the system will sleep in between each read iteration. Read Delay sets
the client to sleep for few milliseconds. During the delay time, the client accumulates the device
content in buffer and keeps it ready to be read. The default read delay is 10 milliseconds.
Transport Timeout: Amount of time the socket will be blocked for read operation. The client waits
for a response from the device after which it will get timed out. The default value is 45000
milliseconds.
Login Timeout: Amount of time the system should wait for a client's input after which the client
gets disconnected from the device. The default value is 2000 milliseconds.
Tune Sleep: Amount of sleep time in milliseconds set before and after sending a new line to the
device. The default value is 50 milliseconds.
Delay After Connect: Amount of waiting time in milliseconds after initial socket connection. It will
wait for the set time before doing the next operation. The default value is 300 milliseconds.
Note
Set the device attributes value for a single device using Admin > Collection Settings > Inventory
> Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes > Inline
Edit. See To edit the device attributes for a single device.
Set the device attributes value for the bulk of devices using Admin > Collection Settings >
Inventory > Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes >
Export. See To edit the device attributes for the bulk of devices.
View Permission Report to check if you have the required privileges to perform this task.
Note
The Attribute Error Report link is available only if importing of device attributes causes error.
;
;Start of section 0 - DM Export
;
;HEADER:
device_identity,serial_number,SNMPRetryCount,SNMPTimeout,TelnetTimeout,TFTPTimeout,NattedIPAddress,ReadDelay,TransportTimeout,LoginTimeout,TuneSleep,DelayAfterConnect
;
192.168.8.4,Default Not Defined,2,2,36,5,Default Not Defined,10,45000,2000,50,300
Where,
device_identity: Device
serial_number: Cisco manufacturing serial number from chassis. You can enter 0 to 255
alphanumeric characters. The default value is Default Not Defined.
SNMPRetryCount: Number of times the system should try to access devices with SNMP options. The
default value is 2. The minimum value is zero.
SNMPTimeout: Duration of time the system should wait for a device to respond before it tries to
access it again. The default value is 2 seconds. The minimum value is zero seconds. There is no
maximum value limit.
Changing the SNMP timeout value affects inventory collection.
TelnetTimeout: Duration of time the system should wait for a device to respond before it tries to
access it again. The default value is 36 seconds. The minimum value is zero seconds. There is no
maximum value limit.
Natted IP Address: Server ID. This is the translated address of the server as seen from the network
where the device resides. This is used when LMS tries to contact devices outside the NAT boundary.
The default value is not defined.
Read Delay: Amount
Transport Timeout: Amount
Login Timeout: Amount
of time in milliseconds after which it will start reading the user prompt.
Tune Sleep: Amount
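A pre-import check for an edited export file, as an added example that is not part of the Cisco guide or of LMS: it parses the export layout shown above, flags values outside the documented limits before the import produces an Attribute Error Report, and lists every value that differs from the documented defaults. The function names, the IP-address check on NattedIPAddress, and the "integer, zero or more" rule for the millisecond columns are assumptions; the second sample row is constructed.

```python
import csv
import ipaddress

NOT_DEFINED = "Default Not Defined"
COLUMNS = ["device_identity", "serial_number", "SNMPRetryCount", "SNMPTimeout",
           "TelnetTimeout", "TFTPTimeout", "NattedIPAddress", "ReadDelay",
           "TransportTimeout", "LoginTimeout", "TuneSleep", "DelayAfterConnect"]
# Documented minimum of zero; no maximum is documented.
MIN_ZERO = ["SNMPRetryCount", "SNMPTimeout", "TelnetTimeout", "TFTPTimeout"]
# Only defaults are documented for these; "integer >= 0" is an assumption.
ASSUMED_NON_NEGATIVE = ["ReadDelay", "TransportTimeout", "LoginTimeout",
                        "TuneSleep", "DelayAfterConnect"]
DEFAULTS = {"SNMPRetryCount": "2", "SNMPTimeout": "2", "TelnetTimeout": "36",
            "TFTPTimeout": "5", "ReadDelay": "10", "TransportTimeout": "45000",
            "LoginTimeout": "2000", "TuneSleep": "50", "DelayAfterConnect": "300"}

# First data row is the one shown above; the second row is constructed.
SAMPLE = """\
;
;Start of section 0 - DM Export
;
;HEADER:
device_identity,serial_number,SNMPRetryCount,SNMPTimeout,TelnetTimeout,TFTPTimeout,NattedIPAddress,ReadDelay,TransportTimeout,LoginTimeout,TuneSleep,DelayAfterConnect
;
192.168.8.4,Default Not Defined,2,2,36,5,Default Not Defined,10,45000,2000,50,300
192.168.8.5,SN!123,-1,2,abc,5,10.0.0.300,10,45000,2000,50,300
"""


def parse_export(text):
    """Return (header, rows); each row is (line_number, [fields])."""
    header, header_pending, rows = None, False, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):                       # comment or section marker
            if line.upper().startswith(";HEADER:"):
                rest = line[len(";HEADER:"):].strip()
                if rest:
                    header = [c.replace(" ", "") for c in rest.split(",")]
                else:
                    header_pending = True              # names follow on the next line
            continue
        fields = [f.strip() for f in next(csv.reader([line]))]
        if header_pending:
            header = [f.replace(" ", "") for f in fields]
            header_pending = False
        else:
            rows.append((lineno, fields))
    if header is None:
        raise ValueError("no ;HEADER: line found")
    unknown = [c for c in header if c not in COLUMNS]
    if unknown:
        raise ValueError(f"unexpected columns: {unknown}")
    return header, rows


def check_record(rec):
    """Return the list of problems found in one device's attribute values."""
    problems = []
    serial = rec.get("serial_number", NOT_DEFINED)
    if serial != NOT_DEFINED and (
            len(serial) > 255 or (serial and not (serial.isascii() and serial.isalnum()))):
        problems.append("serial_number: must be 0 to 255 alphanumeric characters")
    for col in MIN_ZERO + ASSUMED_NON_NEGATIVE:
        value = rec.get(col)
        if value is not None and not (value.isascii() and value.isdigit()):
            problems.append(f"{col}: {value!r} is not an integer >= 0")
    nat = rec.get("NattedIPAddress", NOT_DEFINED)
    if nat != NOT_DEFINED:
        try:
            ipaddress.ip_address(nat)
        except ValueError:
            problems.append(f"NattedIPAddress: {nat!r} is not an IP address")
    return problems


def validate_export(text):
    """Return [(line_number, device_identity, problem), ...] for the whole file."""
    header, rows = parse_export(text)
    findings = []
    for lineno, fields in rows:
        if len(fields) != len(header):
            findings.append((lineno, fields[0],
                             f"expected {len(header)} fields, found {len(fields)}"))
            continue
        rec = dict(zip(header, fields))
        findings += [(lineno, rec.get("device_identity", ""), p) for p in check_record(rec)]
    return findings


def non_default_values(text):
    """Return {device_identity: {column: value}} for values that differ from the defaults."""
    header, rows = parse_export(text)
    report = {}
    for _, fields in rows:
        rec = dict(zip(header, fields))
        changed = {c: rec[c] for c in DEFAULTS if c in rec and rec[c] != DEFAULTS[c]}
        if changed:
            report[rec.get("device_identity", "")] = changed
    return report


if __name__ == "__main__":
    for finding in validate_export(SAMPLE):
        print(finding)
    print(non_default_values(SAMPLE))
```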
CHAPTER 13
These dialog boxes display the bundle or product name, the version, and the date on which the software
was installed. To sort the table by version or date of installation, click on the Version / Installed Date link.
You can click the product name links to view the Applications and Packages Installed with the Product
page that gives the details of the installed applications, patches, and packages of the product. See
You can navigate further down for each product to get a detailed list of all individual OS level packages
installed on the system, along with the versions.
The Software Updates page provides two options:
Select Admin > System > Software Center > Software Update.
The Software Updates page appears.
Step 2
Go to the Products Installed dialog box and click the link provided on a product.
A new window displays the details of:
Patches Installed: Provides details about the patches installed on the product, the patch version and
the date on which the patches were installed.
Application Installed: Provides details of the applications installed, the application version, and the
date on which the applications were installed.
Packages Installed: Provides details about the packages installed on the product, the package
version with patch level, and the date on which the packages were installed.
Select Admin > System > Software Center > Software Update.
The Software Updates page appears.
Step 2
Go to the Products Installed dialog box and select the check box corresponding to the product for which
you want to select update.
You can select multiple products by selecting the corresponding check boxes.
Step 3
Step 4
Enter your Cisco.com username and password to connect to Cisco.com, for software updates.
If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server
Setup, you must enter the Proxy server username and password.
Step 5
Click Next.
A list of available Software Updates for the selected product appears.
Step 6
Select the Software Update you need to download and click Next.
You can filter the required images based on Type, Package Name, Product Name, and Available Version
With Patch Level. To filter the images, choose the filter source from the drop-down list and specify the
filter pattern in the text box.
For example, if you select the Filter Source as Package Name and Pattern as cmfSw001, all packages
whose names start with cmfSw001 will be listed.
Regular expressions are not supported for the patterns. Patterns are case sensitive.
For example, if the list of available packages is CatGL3, Cat4000, Cat3560, Pix, cigesm, and
CAT2900XL, then a filter pattern Cat will list the CatGL3, Cat4000 and Cat3560 packages.
Step 7
Select Admin > System > Software Center > Software Update.
The Software Updates page appears.
Step 2
Go to the Products Installed table and select the check box corresponding to the product for which you
want to download the update.
You can select multiple products by selecting the corresponding check boxes.
Step 3
Step 4
Step 5
Step 6
You can also check for the device updates and delete the device packages using the Device Update page.
This section contains the following:
Deleting Packages
Select Admin > System > Software Center > Device Update.
The Device Updates page appears.
Step 2
Select the check box corresponding to the product for which you want to check for updates and click
Check for Updates.
The Source Location page appears. You can check for updates at Cisco.com or a server.
Step 3
To check for updates from a server, select the Enter Server Path radio button and enter the path or
browse to the location using the Browse tab.
Click Next.
The Cisco.com and Proxy Server Credentials dialog box appears, if you have selected to check for
updates at Cisco.com.
Step 4
Step 5
Click Next.
The Available Packages and Installed Packages page appears. It displays:
Step 6
Type: Type of the update. For example, whether the update is a device package or IDU package.
Available version: Version of the product that is available (Other than the installed version).
Readme Details: Links to the Readme files associated with the update.
Select the check box corresponding to the package that you wish to update and click Next.
The Device Update page appears. You can either install the device packages or download them.
To install device packages, select the Install Device Packages radio button.
To download device packages, select the Download Device Packages radio button.
Enter the folder in File Selection field or click Browse to select the destination directory.
By default, the destination location is:
/opt/psu_download (On Solaris/Soft Appliance)
System Drive:\psu_download (On Windows)
b.
To set the frequency of downloads, select the run type from the Run Type drop-down list. The options
are:
Immediate
Once
If you choose any of the options other than Immediate, set the date and time.
Select the date from the date picker. The date picker displays the date from the client system.
Specify the time from the drop-down lists.
c.
Enter a description for the download job in the Job Description field. This is mandatory.
d.
e.
Click Next.
The Summary window displays the details.
f.
Click Next.
The Summary window displays the details.
b.
Step 7
Click OK to continue.
Deleting Packages
You can also delete packages that are outdated or that you no longer use.
To delete a package:
Step 1
Select Admin > System > Software Center > Device Update.
The Device Update page appears.
Step 2
Select the check box corresponding to the product and click Delete Packages.
The wizard displays a window that has the Package name, the Product name, and the Installed version
details.
Step 3
Select the check box corresponding to the Package you want to delete.
You can filter the available device packages based on Package Name, Product Name, Installed Version.
To filter the packages, choose the filter source from the drop-down list and specify the filter pattern in
the text box.
For example, if you select the Filter Source as Package Name and Pattern as cmfSw001, all packages
whose names start with cmfSw001 will be listed.
Regular expressions are not supported for the patterns. Patterns are case sensitive.
For example, if the list of available packages is CatGL3, Cat4000, Cat3560, Pix, cigesm, and
CAT2900XL, then a filter pattern Cat will list the CatGL3, Cat4000 and Cat3560 packages.
Step 4
Click Next.
The Summary window appears with the details of the Product and the Packages selected.
Step 5
After you have confirmed the Delete Packages operation, a message that the daemons are restarted
appears.
Step 6
Click OK to continue.
You have to provide your Cisco.com credentials and the location to which the packages should be
downloaded.
To schedule device package downloads:
Step 1
Select Admin > System > Software Center > Schedule Device Downloads.
The Schedule Device Downloads dialog box appears.
Step 2
Step 3
Enter the destination location, or browse to the location using the Browse tab.
By default, the destination location is:
Step 4
You must enter the device package name without any filename extension. The package name is
case-sensitive.
Note
Step 5
Select the run type from the Run Type drop-down list, to set the frequency of downloads.
Step 6
Select the date from the drop-down calendar, and specify the time using the drop-down lists.
The calendar displays the date from the client system.
Step 7
Enter a description for the download job in the Job Description field. This is mandatory.
Step 8
Step 9
Note
You can view the scheduled job status and details from the Job Browser window (Admin > Jobs >
Browser).
Scheduled Job
The Scheduled Job Details page displays the activities that are performed using Software Center. The
Scheduled Job table records and displays the downloads to the server. You can view the log from the
server or any client workstation.
To view Scheduled Job Details:
Select Admin > System > Software Center > Scheduled Job Details.
The Scheduled Job Details page appears with the following information:
Event Log
The Event log page displays the activities that are performed using Software Center. The Event Log table
shows the list of immediate downloads, installations and un-installations of device packages carried out.
You can view the log from the server or any client workstation.
To view the Event Log:
Select Admin > System > Software Center > Event Log.
The Event Log page appears with the following information:
Status: Status of the event (Completed Successfully, Failed or Executed). Click on the Status link
to get more details on the operation.
You can delete either all the event logs or specific event logs from the list.
Select the log entries and click Delete to delete the selected entries.
Select Admin > System > Software Center > Point Patch Update.
The Point Patch Update page appears.
Step 2
Note
Step 3
The Download option in the Point Patch Update page will be enabled only after entering the
Cisco.com username and password.
Enter the download location, or browse to the location using the Browse tab.
By default, the download location is:
Step 4
Select View the list of available point patches to download radio button.
A point patch list containing the defect ID, point patch revision number and patch description is
displayed.
Step 5
Click Download to download all the latest point patch versions that are not installed in your system.
Related Topics
To install new device packages from Cisco.com, you have to first download the packages from
Cisco.com, save them to a directory in your computer, and then install them, specifying the directory.
To get help on command usage, enter:
-p
-query (-q): Lists the packages (default source location is installed repository of the product).
-all: Selects all packages available at the source location.
-src
You must enter the device package name without any filename extension. The package name is
case-sensitive.
Note
Example
-p
-install (-i): Installs
-all: Selects
-src
You must enter the device package name without any filename extension. The package name is
case-sensitive.
Note
-noprompt: Flag to turn off the prompt that appears to restart the daemon services during device
packages installation.
Example
-p
-uninstall (-u)
-all: Selects
You must enter the device package name without any filename extension. The package name is
case-sensitive.
Note
-noprompt: Flag to turn off the prompt that appears to restart the daemon services during device
packages installation.
Example
-p product: Specify the Product for which you want to download the Software Update. Invoking
CLI with -h option lists the valid product names.
-software (-s)
-dst download directory: Specify the directory to which you want to download the Software
Update.
Do not specify the same directory where you have installed Cisco Prime LMS, or any of the
subdirectories in it.
-all: Selects
Note
You must enter the software update package name without any extension. The package name is
case-sensitive.
You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy
settings, you will be prompted for Proxy Server User credentials.
The destination location should not be the location where Cisco Prime is installed or any one of the OS
directories. Software Center does not support downloading device or software updates in the same
directory where you have installed Cisco Prime LMS, or any of its subdirectories.
-p product: Specify the Product for which you want to download the Device Update. Invoking CLI
with -h option lists the valid product names.
-download (-d): Download
-dst download directory: Specify the directory to which you want to download the Device Update.
Do not specify the same directory where you have installed Cisco Prime LMS, or any of the
subdirectories in it.
-all: Selects
Note
You must enter the device package name without any filename extension. The package name is
case-sensitive.
You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy
settings, you will be prompted for Proxy Server User credentials.
The destination location should not be the location where Cisco Prime is installed or any of the OS
directories. Software Center does not support downloading device or software updates in the same
directory where you have installed Cisco Prime LMS, or any of its subdirectories.
|PointpatchName}
-p
-pointpatch (-pp): Download
-dst download directory: Specify the directory to which you want to download the Point Patch
Update.
Note
-all: Select
Note
You must enter the point patch update name without any filename extension and revision
number. The point patch update name is case-sensitive.
You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy
settings, you will be prompted for Proxy Server User credentials.
The destination location should not be the location where Cisco Prime is installed or any of the OS
directories. Software Center does not support downloading device, point patch or software updates in
the same directory where you have installed Cisco Prime LMS, or any of its sub-directories.
Note
The downloaded point patch revisions that are not installed in your system are installed and an
installation successful message is displayed.
-p
-pkgDependents (-pdep): List
-all: Selects
Note
You must enter the device package name without any filename extension. The package name is
case-sensitive.
Example
-p
-pkgVersion (-pver): List
-all: Selects
Note
You must enter the device package name without any filename extension. The package name is
case-sensitive.
Example
CHAPTER 14
Interpreting Discrepancies
View Reports on Discrepancies. Select Reports > Fault and Event > Best Practices >
Discrepancies.
View Reports on Best Practices Deviations. Select Reports > Fault and Event > Best Practices >
Deviation.
Acknowledge Discrepancies.
Customize Discrepancies Reporting. For details, see Customizing Discrepancies Reporting and
Syslog Generation.
Interpreting Discrepancies
This section contains information on each discrepancy reported in LMS. It describes the
discrepancy, the impact it has on the network, and ways to resolve it.
The user interface in LMS displays commands you can use to make configuration changes on devices to
resolve discrepancies.
This section contains:
On/Auto
On/Desirable
Desirable/Auto
Desirable/Desirable
Off/Desirable
Impact
Trunk negotiation across VTP boundary (that is, trunk link connecting two devices that are part of
different VTP domains) fails.
Fix
Make sure that the Trunk mode is ON, on both sides of the link.
Step 2
dot1q | isl
Step 3
Or
show interface
Make sure that the Trunk mode is ON, on both sides of the link.
Step 2
Step 3
mod/port
Note
This discrepancy is applicable only for trunks that use 802.1q encapsulation.
Impact
The native VLAN must match on both sides of the trunk link, otherwise the traffic flow across the link
is affected. The trunk continues to remain operational.
Fix
If you have altered the default native VLAN configuration, ensure that all trunks have the same native
VLAN. Use the set vlan command for Cisco Catalyst operating system switches or the switchport
trunk native vlan command for Cisco IOS switches to specify the native VLAN.
You cannot fix this discrepancy through LMS.
The trunk remains operational but the network traffic across the link is affected.
Fix
You can resolve this by modifying the list of allowed VLANs between the two ends of a trunk and
ensuring that there is no mismatch. You cannot fix this discrepancy through LMS.
The trunk remains operational when the trunk mode is set to On or No-negotiate with mismatching
encapsulation types. However, the network traffic across the link is affected because of the mismatch.
Fix
Configure the same encapsulation type on both ends of the trunk. You cannot fix this discrepancy
through LMS.
The VLAN information is not dynamically shared across the VTP domain.
Fix
Ensure that you configure VTP Configuration Revision number consistently across devices of the same
VTP domain. You cannot fix this discrepancy through LMS.
LMS reports a discrepancy when an existing VTP server or primary server goes down and there is no
alternative or backup server.
This can occur in a VTPv2 or VTPv3 domain that has only client mode devices. This could happen when
the existing primary server or server mode device has gone down temporarily and if the server mode
device does not come up.
If you do not configure at least one server, the devices become unreachable. LMS discovers only the
client-mode devices in the domain and ignores the rest.
Fix
Configure at least one device as server in a VTP domain. If the device you have configured as server is
temporarily down, configure another device as server. You cannot fix this discrepancy through LMS.
For more information on VTP domain, see the document Configuring VTP at the following location:
http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notices_list.html
A half-duplex device waits until no other devices are transmitting on the same LAN segment. However, a
full-duplex device transmits whenever it has something to send, regardless of other devices.
If this transmission occurs while the half-duplex device is transmitting, the half-duplex device will
consider this either a collision (during the slot time), or a late collision (after the slot time). Since the
full-duplex side does not expect collisions, it does not realize that it must retransmit that dropped packet.
A low rate of collisions is normal with half-duplex, but not with full-duplex. If the switch
port receives many late collisions, it usually indicates a duplex mismatch problem. See Figure 14-1.
Figure 14-1 Duplex Mismatch
[Diagram labels: bridge A (root); half-duplex side still runs carrier sense and collision detection; full-duplex side does not do carrier sense; collision; BPDU lost, to be retransmitted.]
Fix
LMS provides commands to resolve link duplex mismatch. LMS displays commands to set the port
speed to Auto. Setting the port speed to Auto causes the link duplex to be negotiated automatically
between devices.
To fix the discrepancy on switches using Cisco IOS:
Step 1
Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
duplex auto
end
Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
set port speed mod/port auto
where:
mod/port refers to the number of the module and the port on the module
auto specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet ports
Step 2
Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
A manually-set speed or duplex parameter is different from the manually set speed or duplex
parameter on the connected port.
A port is in Autonegotiate mode and the connected port is set to full duplex with no autonegotiation.
Impact
Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
speed auto
end
Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
set port speed mod/port auto
where:
mod/port refers to the number of the module and the port on the module
auto specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet ports
Step 2
Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
This results in the trunk not coming up, and there would be no traffic flow across the link.
Fix
LMS resolves the discrepancy by setting the trunk modes on the switches to Desirable mode.
To fix the discrepancy on switches using the Catalyst operating system:
Step 1
Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
set trunk mod/port desirable
where:
desirable causes the port to negotiate actively with the neighboring port to become a trunk link
mod/port specifies the number of the module and the port or ports on the module
Step 2
Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
switchport mode dynamic desirable
end
where dynamic desirable specifies an interface that actively attempts to convert the link to a trunk link.
Step 2
Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
Channel misconfiguration
Duplex mismatch
BPDU port-guard
UDLD
Impact
When a port is error-disabled, it is effectively shut down and no traffic is sent or received on that port.
The port LED is set to the color orange and when you enter the show port command, the port status
shows errdisable.
Fix
Identify and fix whatever caused the ports to become error-disabled (cable, NICs, EtherChannel, and so
on).
Step 2
Assign unique SysName for all devices in the network. You cannot fix this discrepancy through LMS.
If you enable PortFast on ports that connect two switches, spanning tree loops can occur if Bridge
Protocol Data Units (BPDUs) are being transmitted and received on those ports.
Fix
Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
set spantree portfast mod/port disable
where disable disables the spanning tree PortFast-start feature on the port.
Step 2
Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
no spanning-tree portfast
end
Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
On
Off
Auto
Desirable
Port Aggregation Protocol (PAgP) packets are exchanged only between ports in Auto and Desirable
modes. Ports configured in on or off mode do not exchange PAgP packets.
To form an EtherChannel, it is best to have both switches set to the Desirable mode. This gives the
most robust behavior if one side or the other encounters error situations or is reset. The default mode of
the channel is Auto.
Both Auto and Desirable modes allow ports to negotiate with connected ports to determine whether they
can form a channel. The determination is based on criteria such as port speed, trunking state, and native
VLAN.
Ports can form an EtherChannel when they are in different channel modes if the modes are compatible.
Examples of ports that can form an EtherChannel are:
A port in desirable mode can successfully form an EtherChannel with another port that is in
Desirable or Auto mode.
A port in the Auto mode can form an EtherChannel with another port in the Desirable mode.
A port in the Auto mode cannot form an EtherChannel with another port that is also in the Auto
mode, since neither port initiates negotiation.
A port in the On mode can form a channel only with a port in the On mode because ports in On mode
do not exchange PAgP packets.
Impact
When a non-channel port is in the Desirable mode, the links will not be efficiently used.
Fix
To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1
Go to the Best Practice Deviation report and click the hyperlink in the Summary field.
The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
set port channel mod/port mode auto
Step 2
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Go to the Best Practice Deviation report and click the hyperlink in the Summary field.
The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
channel-group Channel group number mode auto
Step 2
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
On
Off
Auto
Desirable
Port Aggregation Protocol (PAgP) packets are exchanged only between ports in Auto and Desirable
mode. Ports configured in On or Off mode do not exchange PAgP packets.
For switches to which you want to form an EtherChannel, it is best to have both switches set to Desirable
mode. This gives the most robust behavior if one of the sides encounters error situations or is reset. The
default mode of the channel is Auto.
Both Auto and Desirable modes allow ports to negotiate with connected ports to determine if they can
form a channel. The determination is based on criteria such as port speed, trunking state, and native
VLAN.
Ports can form an EtherChannel when they are in different channel modes if the modes are compatible.
Examples of ports that can form an EtherChannel are:
A port in Desirable mode can successfully form an EtherChannel with another port that is in
Desirable or Auto mode.
A port in Auto mode can form an EtherChannel with another port in Desirable mode.
A port in Auto mode cannot form an EtherChannel with another port that is also in Auto mode, since
neither port initiates negotiation.
A port in On mode can form a channel only with another port also in On mode, because ports in this
mode do not exchange PAgP packets.
Impact
A channel port set to Auto mode is considered a Best Practice Deviation because it is not the recommended
configuration. Cisco recommends that you set the channel port to Desirable mode. There is no serious
impact on the network.
Fix
To fix the Best Practice Deviation on switches using the Catalyst operating system:
Step 1
Go to the Best Practice Deviation report and click the hyperlink in the Summary field.
The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
set port channel
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Go to the Best Practice Deviation report and click the hyperlink in the Summary field.
The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
channel-group Channel group number mode desirable
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
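The PAgP compatibility rules listed in the two EtherChannel sections above, as an added Python example (not LMS code): it derives whether a channel forms from which ends speak PAgP and which end initiates, then applies the two Best Practice Deviation conditions the text names. The link names and inventory are constructed, and the "channel will not form" label is this example's own wording.

```python
VALID_MODES = {"on", "off", "auto", "desirable"}


def channel_forms(mode_a, mode_b):
    """Apply the PAgP rules from the text to the two ends of one link."""
    a, b = mode_a.lower(), mode_b.lower()
    for mode in (a, b):
        if mode not in VALID_MODES:
            raise ValueError(f"unknown channel mode: {mode!r}")
    if "off" in (a, b):
        return False
    if "on" in (a, b):
        # On never exchanges PAgP packets, so it can only pair with On.
        return a == b
    # Both ends speak PAgP (Auto or Desirable). Auto only answers,
    # so at least one end must be Desirable to start the negotiation.
    return "desirable" in (a, b)


def review_link(name, mode_a, mode_b, is_channel):
    """Return the findings for one link.

    is_channel says whether the ports are meant to be channel members;
    this flag is an assumption of the example (LMS derives it itself).
    """
    modes = (mode_a.lower(), mode_b.lower())
    forms = channel_forms(*modes)
    findings = []
    if is_channel:
        if not forms:
            findings.append("channel will not form")
        if "auto" in modes:
            findings.append("Best Practice Deviation: channel port in Auto mode")
    elif "desirable" in modes:
        findings.append(
            "Best Practice Deviation: non-channel port in Desirable mode")
    return {"link": name, "forms_channel": forms, "findings": findings}


# Constructed inventory: (link, mode on end A, mode on end B, channel member?)
LINKS = [
    ("core1:3/1 <-> dist1:1/1", "desirable", "desirable", True),
    ("core1:3/2 <-> dist2:1/1", "desirable", "auto", True),
    ("dist1:2/1 <-> dist2:2/1", "auto", "auto", True),
    ("dist1:2/5 <-> acc7:0/1", "on", "desirable", True),
    ("acc7:0/12 <-> host", "desirable", "off", False),
]


def review_inventory(links):
    return [review_link(*link) for link in links]


if __name__ == "__main__":
    for result in review_inventory(LINKS):
        status = "forms" if result["forms_channel"] else "no channel"
        notes = "; ".join(result["findings"]) or "ok"
        print(f"{result['link']:28} {status:11} {notes}")
```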
BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to
an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding
state immediately, instead of going through the listening, learning, and forwarding states.
By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled.
BPDUFilter can be enabled for each port or globally. When you enable BPDUFilter globally, it applies
to all PortFast-enabled ports on the switch.
When you disable PortFast on a port, the BPDU Filter that was globally enabled on the PortFast enabled
port is also disabled.
Fix
Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
set spantree bpdu-filter mod/port enable
where:
mod/port specifies the number of the module and the port on the module
enable
Step 2
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
spanning-tree bpdufilter enable
end
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Cisco recommends that you enable BPDUGuard to block incoming BPDUs on edge devices (end-hosts).
The Cisco BPDUGuard feature, when enabled, informs the switch to disable PortFast ports if a BPDU
is received on those ports.
BPDUGuard can be enabled on each port or globally. When you enable BPDUGuard globally, it applies
to all PortFast-enabled ports on the switch.
Fix
Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
set spantree bpdu-guard mod/port enable
where:
mod/port specifies the number of the module and the port on the module
enable enables BPDUGuard
Step 2
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
spanning-tree bpduguard enable
end
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
If you do not enable BackboneFast on all devices, it might lead to undesirable effects on the spanning
tree operation.
BackboneFast provides rapid convergence from indirect link failures. By adding functionality to STP,
you can reduce convergence times from the default of 50 seconds to 30 seconds.
Figure 14-2 shows an example topology with no link failures. Switch A, the root switch, connects
directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that connects
directly to Switch B is in the blocking state.
Figure 14-2
[Diagram labels: Switch A (Root), Switch B, Switch C; links L1, L2, L3; blocked port on Switch C.]
If link L1 fails, Switch C detects this failure as an indirect failure, because it is not connected directly
to link L1.
Switch B no longer has a path to the root switch. BackboneFast allows the blocked port on Switch C to
move immediately to the listening state without waiting for the maximum aging time for the port to
expire.
BackboneFast then transitions the port on Switch C to the forwarding state, providing a path from Switch
B to Switch A.
This switchover takes approximately 30 seconds. Figure 14-3 shows how BackboneFast reconfigures the
topology to account for the failure of link L1.
Figure 14-3
[Diagram labels: Switch A (Root), Switch B, Switch C; links L1, L2, L3; link failure on L1; BackboneFast transitions port through listening and learning states to forwarding state.]
Fix
Step 2
Step 2
Note
This Best Practice Deviation is not applicable if the device is not an access layer switch.
Cisco recommends that you enable UplinkFast for switches with blocked ports, typically at the access
layer. Do not use it on switches without the implied topology knowledge of a backup root link, typically
distribution and core switches in Cisco's multilayer design. It can be added without disruption to a
production network.
Impact
UplinkFast provides fast STP convergence after a direct link failure in the network access layer. It
operates without modifying STP, and its purpose is to speed up convergence time in a specific
circumstance to less than three seconds, rather than the typical 30-second delay.
Figure 14-4 shows an example topology with no link failures. Switch A, the root switch, is connected
directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that is connected
directly to Switch B is in the blocking state.
Figure 14-4
[Diagram labels: Switch A (Root), Switch B, Switch C; links L1, L2, L3; blocked port.]
If Switch C detects a link failure on the currently active link L2 (a direct link failure), UplinkFast
unblocks the blocked port on Switch C and transitions it to the forwarding state without going through
the listening and learning states, as shown in Figure 14-5. This switchover takes approximately 1 to 5
seconds.
Figure 14-5
[Diagram labels: Switch A (Root), Switch B, Switch C; links L1, L2, L3; link failure.]
Fix
Step 2
Step 2
Assume that a switch port is receiving BPDUs, and is in the blocking state. The port makes up a
redundant path. It is blocking because it is neither a Root Port nor a Designated Port. If the flow of
BPDUs stops, the last known BPDU is retained until the Max Age timer expires.
When the Max Age timer expires, that BPDU is flushed, and the switch thinks there is no longer a need
to block the port. The port moves through the STP states until it begins to forward traffic. The switch
then forms a bridging loop. In its final state, the port becomes a Designated Port.
To prevent this situation, you can use the loop guard STP feature. When you enable this feature, loop
guard keeps track of the BPDU activity on nondesignated ports. While BPDUs are received, the port is
allowed to behave normally.
When BPDUs are missing, loop guard moves the port into the loop-inconsistent state. The port is
effectively blocking at this point to prevent a loop from forming and to keep it in the nondesignated role.
After BPDUs are received on the port again, loop guard allows the port to move through the normal STP
states and become active. In this way, Loop Guard automatically governs ports without the need for
manual intervention.
STP PortFast
STP configures meshed topology into a loop-free, tree-like topology. When the link on a bridge port goes
up, STP calculation occurs on that port. The result of the calculation is the transition of the port into
forwarding or blocking state. The result depends on the position of the port in the network and the STP
parameters.
This calculation and transition period usually takes about 30 to 50 seconds. During that time, no user data
passes through the port. As a result, some user applications can time out during the period.
To allow immediate transition of the port into forwarding state, enable the STP PortFast feature. PortFast
immediately transitions the port into STP forwarding mode upon linkup. This way the port still
participates in STP. So if the port is to be a part of the loop, the port eventually transitions into the STP
blocking mode.
Impact
Enabling both of the above features on a port gives unpredictable results. Hence, LMS flags it as a Best
Practice Deviation.
Fix
If you fix the above Best Practice Deviation through LMS, it disables the PortFast feature on the port.
To fix the Best Practice Deviation on switches using the Catalyst operating system:
Step 1
Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
set spantree portfast disable
Step 2
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Step 2
Step 3
Step 4
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
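The edge-port conditions from the PortFast, BPDUGuard and Loop Guard sections above, checked offline against a Cisco IOS configuration, as an added Python example (not LMS code or Cisco's own). The sample configuration is constructed, treating a PortFast port as a host port is an assumption of the example, and only interface-level PortFast is evaluated.

```python
import re

# Constructed sample running-config for illustration (not from a real device).
SAMPLE_CONFIG = """\
spanning-tree mode pvst
!
interface GigabitEthernet0/1
 description user desk
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description printer
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 description lab bench
 switchport mode dynamic desirable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
 description redundant uplink
 switchport mode trunk
 spanning-tree guard loop
!
interface GigabitEthernet0/5
 description misconfigured
 switchport mode access
 spanning-tree portfast
 spanning-tree guard loop
 spanning-tree bpduguard enable
!
end
"""

# Exact matches only, so "no spanning-tree portfast" is never counted.
PORTFAST = {"spanning-tree portfast", "spanning-tree portfast edge"}


def parse_config(config):
    """Split a config into global lines and per-interface stanza lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.strip() == "!":
            current = None
            continue
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line[0].isspace() and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(config):
    """Return (interface, finding) pairs for PortFast-enabled ports."""
    global_lines, interfaces = parse_config(config)
    # Global BPDUGuard applies to all PortFast-enabled ports on the switch.
    global_guard = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, lines in interfaces.items():
        if not PORTFAST.intersection(lines):
            continue
        guarded = "spanning-tree bpduguard enable" in lines or (
            global_guard and "spanning-tree bpduguard disable" not in lines)
        if not guarded:
            findings.append((name, "PORTFAST_WITHOUT_BPDUGUARD"))
        if "spanning-tree guard loop" in lines:
            # Loop Guard and PortFast on the same port: the combination
            # the text flags as giving unpredictable results.
            findings.append((name, "PORTFAST_WITH_LOOPGUARD"))
        if "switchport mode dynamic desirable" in lines:
            # Assumption: a PortFast port is a host (non-trunk) port, so
            # Desirable mode lets it try to become a trunk.
            findings.append((name, "PORTFAST_PORT_DTP_DESIRABLE"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```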
Cisco recommends that you set trunk to Off on all non-trunk ports. This helps eliminate wasted
negotiation time when bringing host ports up. If a non-trunk port is set to Desirable, it attempts to
become a trunk port if the neighboring port is in Desirable or Auto mode, although that is not the
intended behavior.
Fix
To fix the Best Practice Deviation, set the trunk mode to Off on all non-trunk ports.
To fix it through LMS, on switches using the Catalyst operating system:
Step 1
Step 2
Step 3
Step 4
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Step 2
Step 3
Step 4
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Table 14-1 lists all possible combinations of trunk mode configurations and when LMS reports a Best
Practice Deviation.
Table 14-1 Trunking Configuration 1
Modes: On, Auto, Desirable, Nonegotiate, Off
On
None.
Reports Best Practice Deviation.
None.
None.
(Trunking)
(Trunking)
(Trunking)
(Not Trunking)
(Trunking)
Auto
Desirable
Reports Best Practice Deviation.
Reports Best Practice Deviation.
(Trunking)
(Not Trunking)
None.
None.
Reports Best Practice Deviation.
(Trunking)
Reports Best Practice Deviation.
(Trunking)
None.
(Not Trunking)
(Not Trunking)
(Trunking)
Nonegotiate
None.
(Trunking)
Reports Best Practice Deviation.
Reports Best Practice Deviation.
None.
(Trunking)
(Not Trunking)
(Not Trunking)
Off
Reports Best Practice Deviation.
Reports Best Practice Deviation.
(Not Trunking)
(Not Trunking)
None.
(Not Trunking)
Cisco recommends an explicit trunk configuration of Desirable at both ends. Auto mode indicates a static
property and the port will not initiate the trunking link, if the neighbor does not initiate it. See Table 14-1
for different trunk mode combinations.
Fix
To fix the Best Practice Deviation on switches using the Catalyst operating system:
Step 1
Step 2
Step 3
Step 4
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Step 2
Step 3
Step 4
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
There is no serious impact on the network connectivity. It is considered a Best Practice Deviation
because LMS cannot manage a VTP domain where the same VLAN index has different VLAN names
in transparent and server mode devices.
Fix
Assign the same name for a VLAN Index in both the transparent and server modes of the VTP domain.
You cannot fix this Best Practice Deviation through LMS.
There is no serious impact on the network connectivity. It is considered a Best Practice Deviation
because LMS cannot manage a VTP domain with devices where a VLAN part of the transparent mode
device in the domain has the same name as VLAN part of the server mode device in the domain.
Fix
Resolve the conflict by assigning different names for the VLAN part of the transparent mode and the
server mode devices. You cannot fix this Best Practice Deviation through LMS.
Figure 14-6
[Diagram labels: bridge B, blocking port; X; B unblocks its port and can forward traffic this way.]
In Figure 14-6, suppose the link between A and B is unidirectional and drops traffic from A to B while
transmitting traffic from B to A. Suppose that B should be blocking. It has previously been stated that a
port can only block if it receives BPDUs from a bridge that has a higher priority. In this case, all these
BPDUs coming from A are lost and bridge B eventually forwards traffic, creating a loop.
To detect the unidirectional links before the forwarding loop is created, Cisco designed and implemented
the UniDirectional Link Detection (UDLD) protocol. This feature is able to detect improper cabling or
unidirectional links on Layer 2 and automatically break resulting loops by disabling some ports.
For maximum protection against symptoms resulting from uni-directional links, we recommend that you
enable aggressive mode UDLD on point-to-point links between Cisco switches, where you have set the
message interval to the default 15 seconds.
Fix
Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
set udld enable mod/port
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Step 2
Step 3
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
In parts of the network where a high level of security is required (such as Internet-facing de-militarized
zones), you should turn off CDP.
Fix
Step 2
Step 3
Step 4
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Step 2
Step 3
Step 4
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
High Availability:
Is a critical requirement for most networks. Switch downtime must be minimal to ensure maximum
productivity in a network.
Allows you to minimize the switch-over time from active supervisor engine to the standby
supervisor engine, if the active supervisor engine fails.
Allows the active supervisor engine to communicate with the standby supervisor engine, keeping
feature protocol states synchronized.
Provides a versioning option that allows you to run different software images on the active and
standby supervisor engines.
You can enable High Availability using Command Line Interface (CLI).
Fix
As a general practice with redundant supervisors, we recommend that you enable the High Availability
feature for normal operation.
LMS provides commands for enabling High Availability.
To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1
Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
set system highavailability enable
Step 2
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
For more information on Supervisor engines and High Availability, see the document Configuring
Redundancy at the following location:
http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notices_list.html
Step 2
Click Configure.
The Configuring Discrepancies dialog box appears.
To include a Discrepancy or Best Practice Deviation in the Reports, check the check box next to it.
Checking all the check boxes results in a report displaying all discrepancies and Best Practice
Deviations in the network.
To exclude a Discrepancy or Best Practice Deviation from the Reports, uncheck the corresponding
check box.
Step 3
Generate Syslog messages for the selected Discrepancies and Best Practice Deviations. To do this, check
Configure Syslog and click Next.
A list of the selected Discrepancies and Best Practice Deviations appears.
Step 4
Check Send Syslogs and enter the name of the server in the Syslog Server field.
Step 5
Select the Discrepancies and Best Practice Deviations for which you want to generate Syslog messages
and click Next.
A summary of the selected Discrepancies and Best Practice Deviations appears.
Step 6
Click Finish.
You can use the filters to display discrepancy reports for specific devices, link or network types. This
makes it easy to find a particular discrepancy for a particular type.
You can use more than one filter at the same time, but results will vary.
If you select more than one filter in the same top-level category, Boolean OR is used.
For example, if you select Duplex, Speed under Link, any link or port that fulfils at least one filter
criterion will be displayed in the report.
If you select more than one filter from different top-level categories, Boolean AND is used.
For example, if you select both a Link type and a Port type filter from the discrepancy filter, any
link that fulfils both filter criteria will appear in the report.
CHAPTER 15
Report Setting
Describes how to configure some settings for generating reports and set a report publish location.
This section contains the following sections:
Select Admin > Network > Purge Settings > User Tracking Report Purge Policy.
The Report Settings dialog box appears.
Step 2
You must specify in days, or weeks, or months the period for which you want to retain the report archives
or jobs.
Step 3
Click Save.
Select Admin > Network > Display Settings > Domain Name Display.
The Domain Name Display window appears.
Step 2
Select the format for displaying the domain names in User Tracking Reports. You can:
Step 3
Click Save.
Note
Ensure that the casuser is assigned the required write permission to publish the PDF format of the report
to the directory path.
To set a report publish location:
Step 1
Step 2
Field/Button: Report Location
Description: Directory path where the PDF format of the reports is published.
Use the Browse button to select a directory path.
The Server Side File Browser dialog box is launched. You can select the
directory path in this dialog box.
Step 3
Click Browse.
The Server Side File Browser dialog box appears.
Step 4
Select the directory path from the Server Side File Browser dialog box.
Step 5
Click OK.
The directory path is displayed in the Report Location field.
Step 6
Click Apply to save the default directory path settings or Cancel to reset the directory path.
Chapter 16
Purge Settings
This chapter describes how to configure the purge settings of all modules in LMS.
This section contains the following sections:
Step 1
Select Admin > Network > Purge Settings > Layer2 Services Purge Settings.
The Network Reports Purge Settings dialog box appears. Under Report Settings, you can specify the
Purge Policy for archives or jobs here.
Step 2
Check the Purge Archives Older Than check box to specify the periodicity at which to purge archives.
For instance, if you select 44 days, LMS purges archives that are older than 44 days.
Step 3
Check the Purge Jobs Older Than check box to specify the periodicity at which to purge jobs.
For instance, if you select 2 weeks, LMS purges jobs that are older than 2 weeks.
Step 4
Click Save.
Step 1
Select Admin > Network > Purge Settings > VRF Lite Purge Settings.
The Purge Settings dialog box appears.
Step 2
Step 3
Check the Purge Archives Older Than check box to specify the periodicity at which to purge archives.
For instance, if you select 44 days, VRF Management purges archives that are older than 44 days.
Step 4
Check the Purge Jobs Older Than check box to specify the periodicity at which to purge jobs.
For instance, if you select 2 weeks, VRF Management purges jobs that are older than two weeks.
Step 5
Click Save.
Age. Configurations older than the number of days that you specify are purged.
Labeled configuration files are not purged even if they satisfy either of the purge conditions
(the Maximum versions to retain and Purge versions older than options in the Archive Purge Settings
window) unless you enable the Purge labeled files option in the Archive Purge Settings window.
The labeled files are purged only if they satisfy the conditions given in the Maximum versions to
retain and Purge versions older than options.
Archive Management does not purge the configuration files if there are only two versions of these files
in the archive.
Archived configurations that match the purge criteria that you set are purged from the system. This purge
policy applies to Running configuration only.
Caution
Ensure that the configuration change detection schedule does not conflict with purging, since both
processes are database-intensive. Also back up your system frequently to prevent losing versions.
Purging Configurations from the Configuration Archive
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
The workflow to define the Configuration Archive purge policy is:
Step 1
Select Admin > Network > Purge Settings > Config Archive Purge Settings.
The Archive Purge Setup dialog box appears.
Step 2
Select Enable.
Step 3
Step 4
Field
Scheduling
Run Type
You can specify when you want to purge the configuration archive files.
To do this, select one of these options from the drop-down menu:
Weekly: Runs weekly on the specified day of the week and at the specified time.
Monthly: Runs monthly on the specified day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has
completed.
If the 10:00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, the next job
will start only at 10:00 a.m. on November 3.
Date
You can select the date and time (hours and minutes) to schedule the job.
Job Information
Job Description
The system default job description, Default archive purge job is displayed.
You cannot change this description.
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin
> System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job starts or completes, an e-mail is sent from
the E-mail ID.
Step 5
Specify when to purge configuration files from the archive by selecting one or all of the following purge
policies:
Click Maximum versions to retain and enter the number of configurations to be retained.
Click Purge versions older than and enter the number of days, weeks, or months.
a.
b.
c.
Archive Management does not purge the configuration files, if there are only two versions of these files
in the archive.
Step 6
Click Apply.
A message appears, New settings saved successfully.
Step 7
Click OK.
You can check the status of your scheduled job by selecting Admin > Jobs > Browser.
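The purge rules described in this section (Maximum versions to retain, Purge versions older than, the labeled-file exemption, and the two-version rule) can be dry-run against an archive listing before a policy is applied, to see how much configuration history would remain for change review. The following Python is an added example, not Cisco code: the ConfigVersion model, the function names and the sample archive are constructed for illustration. It assumes that a version matching either enabled condition is purged and that "retain" keeps the newest versions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ConfigVersion:
    """One archived Running configuration version (constructed model)."""
    number: int
    archived_at: datetime
    labeled: bool = False


def select_for_purge(
    versions: Iterable[ConfigVersion],
    now: datetime,
    max_versions: Optional[int] = None,      # "Maximum versions to retain"
    older_than: Optional[timedelta] = None,  # "Purge versions older than"
    purge_labeled: bool = False,             # "Purge labeled files"
) -> List[int]:
    """Return the version numbers the policy would purge, in ascending order."""
    if max_versions is not None and max_versions < 0:
        raise ValueError("max_versions must not be negative")

    newest_first = sorted(versions, key=lambda v: v.archived_at, reverse=True)

    # Stated on the page: an archive holding only two versions is not purged.
    if len(newest_first) <= 2:
        return []

    doomed = set()
    if max_versions is not None:
        # Assumption: "retain" keeps the newest N versions.
        doomed.update(v.number for v in newest_first[max_versions:])
    if older_than is not None:
        cutoff = now - older_than
        doomed.update(v.number for v in newest_first if v.archived_at < cutoff)

    # Labeled versions are exempt unless the policy opts in to purging them.
    if not purge_labeled:
        doomed -= {v.number for v in newest_first if v.labeled}
    return sorted(doomed)


def oldest_retained(versions, purged) -> Optional[datetime]:
    """Earliest archive time that survives the purge (how far back review can go)."""
    gone = set(purged)
    kept = [v.archived_at for v in versions if v.number not in gone]
    return min(kept) if kept else None


# Constructed sample archive for one device; dates and labels are illustrative.
NOW = datetime(2024, 6, 1)
SAMPLE_ARCHIVE = [
    ConfigVersion(1, datetime(2024, 1, 1), labeled=True),  # labeled baseline
    ConfigVersion(2, datetime(2024, 2, 1)),
    ConfigVersion(3, datetime(2024, 3, 1)),
    ConfigVersion(4, datetime(2024, 4, 15)),
    ConfigVersion(5, datetime(2024, 5, 10)),
    ConfigVersion(6, datetime(2024, 5, 30)),
]

if __name__ == "__main__":
    for purge_labeled in (False, True):
        purged = select_for_purge(
            SAMPLE_ARCHIVE, NOW,
            max_versions=3, older_than=timedelta(days=60),
            purge_labeled=purge_labeled,
        )
        print(f"purge_labeled={purge_labeled}: purge {purged}, "
              f"oldest retained {oldest_retained(SAMPLE_ARCHIVE, purged):%d-%b-%Y}")
```

With the sample archive, enabling Purge labeled files moves the oldest retained version from the labeled baseline to version 4, which is the kind of loss of history worth checking before the schedule is applied.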
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the
required privileges to perform these tasks.
Syslog Administrative Tasks
In Solaris/Soft Appliance, the backup file is created with -rw-r----- casuser casusers
irrespective of the permissions given to the directory for backup on purge.
In Windows, the backup file inherits the permission and ownership of the directory it is created in,
which is the directory selected as the backup location (on purge).
View the Permission Report (Reports > System > Users > Permission) to check if you have the
privileges required to perform this task.
To set up the backup policy:
Step 1
Select Admin > Network > Purge Settings > Syslog Backup Settings.
The Backup Policy dialog box appears.
By default, the backup policy is set to disabled.
Step 2
Select Enable to enable the backup process for Syslog messages, after configuring backup.
Step 3
b.
c.
Click OK.
Step 4
Enter the maximum size that you want to set for the backup file. By default this is set to 100 MB.
Step 5
Enter the e-mail ID of the user who should receive a notification, if the backup fails. You can enter
multiple e-mail addresses separated with commas. This is a mandatory field.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin >
System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job completes, an e-mail is sent from the E-mail
ID.
If you also want a notification to be sent when the backup is a success, select Also Notify on Success.
Step 6
Either click Save to save the backup configuration details that you have specified or click Reset to clear
the values that you specified and reset to the previously saved values in the dialog box.
If you click Save, the backup continues to save data even after the backup file exceeds the
specified size. However, the system sends an e-mail asking you to clean up the
backup file.
Step 1
Select Admin > Network > Purge Settings > Syslog Purge Settings.
The Purge Policy dialog box appears.
Step 2
Specify the number of days in the Purge records older than field.
Only the records older than the number of days that you specify here are purged. The default value
is 7 days. This is a mandatory field.
Caution
You might delete data by changing these values. If you change the number of days to values lower than
the current values, messages over the new limits will be deleted.
If the data of a particular day is being accessed either through Immediate reports, Report jobs, or by any
other means, it will not be purged. However, during the successive purge operations this data will be
purged.
Step 3
Specify the periodicity of the purge in the Run Type field. This can be monthly, daily, or weekly.
Step 4
Select the start date using the calendar icon, to populate the date field in the dd-mmm-yyyy format (For
example, 02-Dec-2004). This is a mandatory field.
Step 5
Enter the start time in the At field, in the hh:mm:ss format (23:00:00). This is a mandatory field.
The Job Description field has a default description: Syslog Records - default purge job.
Enter the e-mail ID of the user who should be notified when the scheduled purge is complete. You can
enter more than one e-mail ID separated by commas. This is a mandatory field. Configure the SMTP
server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System
Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job completes, an e-mail is sent from E-mail ID.
Step 6
Either click Save to save the purge policy that you have specified or click Reset to clear the values that
you specified and reset the defaults in the dialog box.
You can view the scheduled purge job in the Job Browser (Admin > Jobs > Browser).
Setting the Syslog Purge Policy
Step 1
Select Admin > Network > Purge Settings > Syslog Force Purge.
The Force Purge dialog box appears.
Step 2
Field
Description
Enter the number of days. Only the records older than the number of days that you specify here
are purged. This is a mandatory field.
If the data of a particular day is being accessed either through Immediate reports, Report jobs, or
by any other means, it will not be purged. However, during the successive purge operations this
data will be purged.
Scheduling
Run Type
If you select Immediate, all the other options will be disabled for you.
If you select Once, you can specify the start date and time and also provide the job
description (mandatory) and the e-mail ID for the notification after the scheduled purge is
complete.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences
dialog box (Admin > System > System Preferences). When the job completes, an e-mail is
sent from E-mail ID.
Date
Select the start date using the calendar icon, to populate the Date field in the dd-mmm-yyyy
format, for example, 02-Dec-2004. This is a mandatory field.
The Date field is enabled only if you have selected Once as the Run Type.
at
Job Info
Job Description
Enter the e-mail ID of the user who should be notified when the Forced Purge is complete. You
can enter more than one e-mail ID separated by commas.
The e-mail field is enabled only if you have selected Once as the Run Type.
Configure the SMTP server to send e-mails in the View/ Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box
(Admin > System > System Preferences). When the job completes, an e-mail is sent from
E-mail ID.
Step 3
You can view the scheduled Force Purge job in the Job Browser (Admin > Jobs > Browser).
The Job Purge option provides a centralized location for you to schedule Purge operations for the
following Configuration Management jobs:
Credential Verification Jobs: Purge all Credential Verification jobs. This also includes credential
verification edit jobs.
Software Management Jobs: Purge all Software Management jobs such as Image Import, Image
Distribution, etc.
Archive Management Jobs: Purge Archive Management jobs such as Compliance Check, and
Deploy Compliance Results.
Archive Update Jobs: Purge Archive Management collection jobs, Default config collection job.
Archive Poller Jobs: Purge Archive Management polling jobs, Default config polling job.
Archive Purge Jobs: Purge Archive Management purge jobs, Default archive purge job.
Purging Configuration Management Jobs
CwConfig Jobs: Purge all cwcli config jobs such as Get Config, Put Config, etc.
Note
TrustSec was known as Identity in the versions of LMS earlier than 4.2. Identity jobs will be
available for purging only if they have been backed up from the versions of LMS earlier than 4.2
and restored.
Reports Archive Jobs: All reports that are archived are purged. You can view all reports that are
archived in the Archives window (Reports > Report Archives > Inventory and Syslog).
You cannot purge the jobs that are in the running state.
The Job Purge contains the following information:
Column
Description
Application
Status
Policy
This value is in days. Data older than the specified value is purged. You can change this value
as required. This is a mandatory field. The default is 180 days.
Job ID
Unique ID assigned to the job by the system, when the Purge job was created. This job ID does not
change even when you disable or enable or change the schedule of the Purge job.
For Purge Now task, job ID is not assigned. Also, if a Job ID already exists for that application, the
job ID is not updated for Purge Now tasks. That is, the scheduled Purge job is not affected by Purge
Now task.
Scheduled At
Date and time for which the job is scheduled. For example: Nov 17 2004 13:25:00.
Schedule Type
Weekly: Runs weekly on the specified day of the week and at the specified time.
Monthly: Runs monthly on the specified day of the month and at the specified time. (A month
comprises 30 days).
You can select the applications by checking the check boxes next to the application to perform the
following tasks using the Job Purge window:
Button
Description
Schedule
Enable
Disable
After you schedule a job, if you have enabled the Purge job, you can choose to disable it.
Purge Now
Step 1
Select Admin > Network > Purge Settings > Config Job Purge Settings.
The Job Purge dialog box appears.
To create a Purge job,
Step 2
Select Schedule.
The Purge Schedule dialog box appears for the selected application.
Field
Description
Scheduling
Run Type
Weekly: Runs weekly on the specified day of the week and at the specified time.
Monthly: Runs monthly on the specified day of the month and at the specified time. (A month comprises
30 days).
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will
run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the
10:00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, then the next job will start
only at 10:00 a.m. on November 3.
Date
1. Click on the date picker icon and select the date, month and year.
Your selection appears in the Date field in this format:
dd Mmm yyyy (example: 14 Nov 2004).
2. Select the time (hh and mm) from the drop-down lists in the at fields.
Job Info
Days
The default setting for purging archived data is 180 days. That is, data older than 180 days will be purged.
You can change this value as required. This is a mandatory field.
You can enter only whole numbers for days. You cannot enter fractions of days.
Job Description
Based on the option that you selected, you see a default job description.
For example, for Software Management Purge jobs the default description is:
Purge - Software Management Jobs.
For Reports Archive Purge, the default description is: Purge - Reports Archive Purge.
Step 3
Click Done. The Purge job appears in the Job Purge dialog box.
Note
You cannot purge the jobs that are in the running state.
Step 1
Select Admin > Network > Purge Settings > Config Job Purge Settings.
The Job Purge dialog box appears.
Step 2
Click Enable.
A confirmation message appears:
There is a purge schedule and it is enabled.
Step 3
Click OK.
The Status column in the Job Purge window displays Enabled for the selected application Purge job.
Step 1
Select Admin > Network > Purge Settings > Config Job Purge Settings.
The Job Purge dialog box appears.
Step 2
Click Disable.
A confirmation message appears:
There is a purge schedule and it is disabled.
Step 3
Click OK.
The Status column in the Job Purge window displays Enabled for the selected application Purge job.
Step 1
Select Admin > Network > Purge Settings > Config Job Purge Settings.
The Job Purge dialog box appears.
Step 2
Step 3
Step 4
Click OK.
The Purge Job Details window appears displaying the purged job details.
Note
You cannot purge the jobs that are in the running state.
Quick Report Jobs: Purge all Quick Report jobs older than the specified number of days.
Custom Report Jobs: Purge all Custom Report jobs older than the specified number of days.
Threshold Report Jobs: Purge all Threshold Report jobs older than the specified number of days.
Poller Report Jobs: Purge all Poller Report jobs older than the specified number of days.
Failure Tracker Jobs: Purge all Failure Tracker jobs older than the specified number of days.
TrendWatch jobs: Purge all TrendWatch jobs older than the specified number of days.
TrendWatch Summary jobs: Purge all TrendWatch summary jobs older than the specified number
of days.
Summarizer Jobs: Purge all Summarizer jobs older than the specified number of days.
Data Purge jobs: Purge all Data Purge jobs older than the specified number of days.
Performance Purge Jobs
Job Purge jobs: Purge all Job Purge jobs older than the specified number of days.
Maintenance jobs: Purge all Maintenance jobs older than the specified number of days.
Step 1
Select Admin > Network > Purge Settings > Performance Job Purge Settings.
Step 2
Field/Button
Description
Scheduling
Run Type
For Daily jobs, the subsequent instances of jobs will run only after the earlier
instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November
1, the next instance of this job will run at 10:00 a.m. on November 2, only if
the earlier instance of the November 1 job has completed. If the 10:00 a.m.
November 1 job has not been completed before 10:00 a.m. November 2, then
the next job will start only at 10:00 a.m. on November 3.
Date
Specify the date and time for which the purge is scheduled.
Select the date by clicking the calendar icon and time from the drop-down
list.
Purge Policy
Days
The default setting for purging archived job data is 30 days. That is, job data
older than 30 days will be deleted. You can change this value as required.
This is a mandatory field.
You can enter only whole numbers for days. You cannot enter fractions of
days.
Apply (button)
Job purge is scheduled at the specified Run Type and Date for the job data
older than the days specified in the Days field.
Purge Now (button)
Job purge is done immediately for the job data older than the days specified
in the Days field.
Step 3
Scheduling
Purge Policy
See Table 16-1 for the description of fields that appear in the Job Purge Schedule dialog box.
Step 4
Click Apply to schedule job purge or Purge Now to immediately perform job purge.
If you click Apply, a message appears confirming that the purge settings are applied successfully.
If you click Purge Now, a message appears confirming that purge is done successfully and the Job
ID appears.
You can see the job details in the Job Browser at Admin > Jobs > Browser.
Note
We recommend that you wait for any activity currently running in the system to stop before purging jobs.
By default, all Job Purge jobs older than seven days are purged by Cisco Prime LMS.
30 Minute Summarization records: Purge all 30-minute summarization data records older than the
specified number of days.
3 Hour Summarization records: Purge all 3-hour summarization data records older than the
specified number of days.
12 Hour Summarization records: Purge all 12-hour summarization data records older than the
specified number of days.
Poller failure records: Purge all failure data records older than the specified number of days.
Threshold violation records: Purge all threshold violation data records older than the specified
number of days.
Audit trail records: Purge all audit trail data records older than the specified number of days.
TrendWatch violation records: Purge all TrendWatch violation data records older than the specified
number of days.
Status change details records: Purge all status change details data records older than the specified
number of days.
Performance Purge Data
Note
It is recommended to keep the LMS view in LMS Portal closed, when the data purge job is running.
To schedule Data Purge:
Step 1
Select Admin > Network > Purge Settings > Performance data purge settings.
Step 2
Field/Button
Description
Purge Schedule
Run Type
Hourly: Runs hourly.
Daily is the default Run Type schedule for Data Purge.
For example, if you have scheduled Run Type as Daily for Data Purge job at
10:00 a.m. on November 1, the next instance of this Data Purge job will run
at 10:00 a.m. on November 2, only if the earlier instance of the November 1
job has completed.
If the 10:00 a.m. November 1 Data Purge job has not been completed before
10:00 a.m. November 2, then the next Data Purge job will start only at 10:00
a.m. on November 3.
Date
Specify the date and time for which the Data Purge job is scheduled.
Select the date by clicking the calendar icon and time from the drop-down
list.
Table 16-2
Field/Button
Description
Purge Policy
Days
The following are the default settings for purging the following data:
The default data purge settings provide optimal performance of Cisco Prime
LMS. You can change the default purge settings as required. However,
the performance of Cisco Prime LMS may then not be as expected.
You can enter only whole numbers for days. You cannot enter fractions of
days.
This is a mandatory field.
Apply (button)
Data purge is scheduled at the specified Run Type and Date for the data older
than the days specified in the Days field.
Purge Now (button)
Data purge is done immediately for the data older than the days specified in
the Days field.
Step 3
Purge Schedule
Purge Policy
See Table 16-2 for the description of fields that appear in the Data Purge Schedule dialog box.
Step 4
Click Apply to schedule the data purge or Purge Now to immediately perform the data purge.
If you click Apply, a message appears confirming that data purge settings are applied successfully.
If you click Purge Now, a message appears confirming that purge is done successfully and the Job
ID appears.
You can see the job details in the Job Browser at Admin > Jobs > Browser.
Note
By default, all Summarization jobs older than seven days are purged by Cisco Prime LMS.
View Performance Purge Details
Step 1
Select Admin > Network > Purge Settings > Performance Data Purge Summary.
Step 2
Field
Description
Details
Value
LMS purges IPSLA-related historical data automatically every day, based on the Purge period specified
on the Purge Settings page. It purges historical data that is older than the specified Purge period. If the
Purge period is not specified, it purges the historical data based on the default values.
The minute-based reports are purged daily by default.
To purge Historical reports:
Step 1
Select Admin > Network > Purge Settings > IPSLA data Purge Settings.
The Purge Settings page appears.
Step 2
Specify the Purge period. For more information, see Table 16-4.
Step 3
Click Apply.
A message appears that the Purge settings are updated successfully.
Step 4
Click OK.
IPSLA Data Purging Settings
Table 16-4 Purging Reports
Granularity | Purge Period
Minute | Specify the number of days for which you want to keep the minute historical data in the database. The default value is 1 day.
Hourly | Specify the number of days for which you want to keep the hourly historical data in the database. The default value is 32 days.
Daily | Specify the number of days for which you want to keep the daily historical data in the database. The default value is 180 days.
Weekly | Specify the number of weeks for which you want to keep the weekly historical data in the database. The default value is 12 weeks.
Monthly | Specify the number of months for which you want to keep the monthly historical data in the database. The default value is 12 months.
View the Permission Report (Reports > System > Users > Permission) to check if you have the
required privileges to perform these tasks.
Data for Fault History remains in the LMS database for 31 days. Purging occurs every day to maintain
only 31 days of data. You can select the time of day that purging begins. By default, purging begins at
00:00.
Before You Begin
Review the information in Performing Scheduling Tasks to ensure that daily purging does not conflict
with the other scheduled jobs listed there.
Do not use the LMS Job Browser to manage Rediscovery Schedules; use the LMS Daily Purging
Schedule interface. If you suspend the Fault History:DataPurge job using the Job Manager, the job is
deleted from the LMS Daily Purging Schedule interface, which can be confusing to users.
Step 1
Select Admin > Network > Purge Settings > Fault History Purging Schedule.
Step 2
Hour: From 0 to 23
Click Apply.
You can check the status of the Fault History data purge job from the Job Manager page each day after
the job runs. To do so select Admin > Jobs > Browser and find DFM:DataPurge under Job Type.
For more information, see Configuring Fault Management Rediscovery Schedules.
Chapter 17
Debugging Options
The Debugging Settings menu allows the administrator to set the debugging settings of various modules in
LMS.
This section contains:
Configuring Logging
Discovery Framework
Data Collector
Discovery Util
System Module
Cluster Module
ARP Module
AUS Module
Credential Module
Neighbor Module
Pingsweep Module
RouterPeer Module
RT Module
CSDiscoveryAdaptor
Discovery DeviceInfo
The debugging option for all the Device Discovery components is disabled by default.
To enable the debugging option for the LMS Device Discovery components:
Step 1
Select Admin > System > Debug Settings > Discovery Logging Configuration. The Discovery
Logging Configuration page appears.
Step 2
Select one or more Discovery modules or components from the Disabled Modules list box.
Step 3
Click Add to add the components to the Enabled Modules list box.
Step 4
Click Apply.
Debugging is enabled for all the components listed in the Enabled Modules list box. The changes will
come into effect after 60 seconds.
To disable the debugging option, move the selected component from the Enabled Modules list box to
Disabled Modules list box using the Remove button.
Deleting the unwanted log files from the Cisco Prime installation directory
Using the logrot functionality. See Configuring Log Files Rotation for more information.
On Solaris/Soft Appliance: /var/adm/CSCOpx/log
On Windows: NMSROOT\log
Caution
As part of the file back-up procedure, Cisco Prime Daemon Manager is shut down and restarted. To
prevent loss of data, make sure you are not running any critical tasks.
This section explains the following:
Maintaining Log Files
Step 2
Step 3
Step 4
Step 5
Verify the procedure was successful by examining the contents of the log files in this location:
/var/adm/CSCOpx/log/*.log
Only log files that reach 90% of their size limits are backed up, and the original log file is emptied.
Step 6
Step 7
Select Reports > System > Status > Log File to view your log changes.
Step 2
Go to the command line and make sure you have the correct permissions.
Step 3
Step 4
Step 5
Verify the procedure was successful by examining the contents of the log files in the following location:
NMSROOT\log\
Only log files that reach 90% of their size limits are backed up, and the original log file is emptied.
Step 6
Step 7
Select Reports > System > Status > Log File to view your log changes.
Directory Path
File
Description
AAA Services
/MDC/log/
core*
Backup and
Restore
dbbackup.log,
restorebackup.log,
restorebackup.log.old
Cisco Prime
LMS General
Log Files
/MDC/Apache/logs/
error.log
perlerr.log
Proxy.log
event.log
Cisco Prime
Syslog Service
Database
Services
syslog.log
syslog_debug.log
CRMLogger debugging
information and messages
from device/machine (On
Windows only).
CmfDbMonitor.log
dbpwdChange.log
dbrestoreorig.log
dmgtDbg.log
/objects/db/win32/
dbcond8.log
Component/Module
Directory Path
File
Description
dcr.log
DCRDevPoll.log
Device and
Credentials
Administration
Import and
Export Module
dcrimpexp.log,
DCRServer.log (Windows
Only),
daemons.log (Solaris/Soft
Appliance Only)
Device Center
SnmpWalk*
SnmpSet*
CSDiscovery.log,
ngdiscovery.log
CSDeviceSelector.log
Role
Management
/MDC/log/
cam.log
Disk Space
Monitoring
Services
diskWatcher.log
Event
Distribution
Services
EDS-GCF.log, EDS.log
Event Services
ESS.log, JavaDebug.log
Grouping
Service
CMFOGSClient.log
CMFOGSServer.log
JacORB
NameServiceMonitor.log,
NameServer.log
Logs for
NameServiceMonitor from
JacORB package
(On Windows only)
Job Services
daemons.log (Solaris/Soft
Appliance Only), jrm.log
(Windows Only)
Licensing
LicenseServer.log
license.log
lwms.log
Lightweight Messaging
Service activity
psu.log
Device and
Credentials
Administration
Device
Discovery
Messaging
Service
Web Services
/MDC/Apache/logs/
access.log, error.log,
mod_jk.log
ssl.log
/MDC/tomcat/logs/
jasper-YYYYMMDD.log,
servlet-YYYYMMDD.log,
stderr.log, stdout.log,
changeport.log
CSRegistryServer.log
TomcatMonitor.log
Logs for
Common
Services
backend
processes
Log File | Module | Location in Windows | Location in Solaris/Soft Appliance | Purpose
ani.log | Data Collection | | |
AniServer.log | ANIServer | NMSROOT/log/ANIServer.log | /var/adm/CSCOpx/log/dmgtd.log | Debugs ANIServer process
Campus.log | LMS Configuration and reports | NMSROOT/log/Campus.log | /var/adm/CSCOpx/log/Campus.log | Debugs Topology and Layer 2 Services module of LMS
Table 17-1
Log File | Module | Location in Windows | Location in Solaris/Soft Appliance | Purpose
campusportal.log | Portal | | |
Cmapps.log | User Tracking UI | NMSROOT/log/Cmapps.log | |
macuhic.log | MACUHIC | | |
ut.log | User Tracking | NMSROOT/log/ut.log | |
utlite.log | UTLITE | | |
 | | NMSROOT/log/UTMajorAcquisition.log | /var/adm/CSCOpx/log/dmgtd.log | Debugs UTMajorAcquisition process.
utm.log | UTManager | NMSROOT/log/Utm.log | /var/adm/CSCOpx/log/utm.log | Debugs UTManager process of Dynamic UT
Vnmclient.log | VRF Lite UI | NMSROOT/log/Vnmclient.log | |
 | | NMSROOT/log/VnmCollector.log | |
 | | NMSROOT/log/VnmDeviceSelector.log | |
Vnmserver.log | | | |
Vnmutils.log | | | /var/adm/CSCOpx/Vnmutils.log | Debugs utility classes used by VRF Lite client and server.
Note
NMSROOT is the folder where LMS is installed on the server. If you selected the default directory during
installation, it is C:\Program Files\CSCOpx. On Solaris/Soft Appliance it is /opt/CSCOpx.
When a log file reaches its maximum size, the module backs up the file and starts writing to a new log
file. The module appends a number to the backup file, until it reaches the maximum allowed backups.
In the following example, the oldest file is TISServer.log.2, and TISServer.log is the current log file.
02:42 PM    4,481,607    TISServer.log
10:22 AM    5,120,447    TISServer.log.1
03:17 AM    5,120,105    TISServer.log.2
By default, Fault Management writes error messages only to log files. You can change the logging level
and thereby affect the amount of information stored in log files. To do so, see Fault Debugging Settings.
If there are two instances of the DfmServer running, each will have a log file, DFM.log and DFM1.log.
Table 17-2
Function/Module | Folder in NMSROOT\log\dfmLogs | Log Files | Maximum Size (KB) | No. of Backup Files
 | AAD | AAD.log | 1000
Inventory Interactor | cfi | Interactor.log/Interactor1.log | 1000
Inventory Collector | cfi | InventoryCollector.log/InventoryCollector1.log | 35000
 | cfi | PollingThresholdAdapter.log/PollingThresholdAdapter1.log | 10000
 | DDV | DDV.log | 1000
 | DPS | DPS.log | 100
 | epa | adapterServer.log/adapterServer1.log | 1000
 | | dfmEvents.log/dfmEvents1.log
Event Promulgation Module | EPM | EPM.log | 15000
Fault History | FH | FHCollector.log | 1000
 | | FHUI.log
Logging Services | LogService | DfmLogService.log | 500
 | LogService | MultiProcLogger.log | 10000
 | license | licenseCheck.log | 100
Notification Services | NOS | nos.log | 5000
 | N/A | DFMOGSServer.log | 30000
2
2
152
Performance Debugging Settings
PTM
1000
PTMClient.log
PTMServer.log
 | PTM | PTMDB.log | 1000
 | PTM | PTMOGS.log | 1000
 | | PTMPTA.log | 1000
Rediscovery Schedule | Rediscovery | Rediscovery.log | 100
 | TIS | DCRAdapter.log | 1000
Device Management | TIS | DeviceManagement.log | 1000
Inventory Service | TIS | TISServer.log | 1000
 | VGM | vgm.log | 1000
1. The DFMOGSServer.log file is not stored in NMSROOT/log/dfmLogs with the other Fault Management log files. It is stored in NMSROOT/log on
Windows, and /var/adm/CSCOpx/log on Solaris/Soft Appliance.
2. On Windows, there is no limit setting for the log size or number of backup log files for DFMOGSServer.log.
Table 17-3
Function/Module
Folder in NMSROOT\obj\smarts\local\logs
Log Files
Inventory
Incharge engine
DFM.log/DFM1.log
On Windows: $NMSROOT\log\, where $NMSROOT is the Cisco Prime LMS installation directory.
When a log file reaches its maximum file size of 10000 KB, the module backs up the file and starts
writing to a new log file. The maximum number of backup log files stored for each application is two.
Select Admin > System > Debug Settings > Performance Debugging Settings.
Step 2
Step 3
Step 4
Select an appropriate log level from the Logging Level drop-down list. Changes to Device Performance
Management modules are logged with appropriate log level message. The logging levels are:
Fatal
Error
Warn
Info
Debug
Application Module
All
UI
Sub-module
Log File
Poller Management
Description
upm_ui.log
Template Management
Threshold Setup
TrendWatch Setup
Report Management
Report Job Browser
Admin Pages
Trap Group
Management
Syslog Group
Management
Live Graph
LMSLiveGraph.log
LMS Portlets
LMSPortal.log
Device Center
upm_ui.log
Table 17-4
Application Module
Sub-module
Log File
Description
UPMProcess
Polling Engine
upm_process.log
Instance Querying
Threshold Monitor
Device Access Layer
Device Management
UPMProcess
UPMProcess.log
PollerUPMProcess
upm_process.log
TemplateUPMProcess
ThresholdUPMProcess
JOBS
IfAdmin Status
IfAdminStatus.log
Report Jobs
HumReportJob_<JobId>_<InstanceId>.log
Summarization Job
Purge Job
upm_purge.log
HumReportJob_<JobId>_<InstanceId>.log
For example, HumReportJob_1003_479.log
UPMCTMOperations
Step 5
upm_ctm.log
Click Apply to set the logging level or Reset to apply the default logging level.
A message appears confirming that the logging levels are successfully updated.
Select Admin > System > Debug Settings > IPSLA Debugging Settings.
The Log Level Settings page appears.
Step 2
Select either All or Module Level from the Application drop-down list.
Step 3
Select the appropriate log level from the Logging Level drop-down list.
For more information, see Table 17-5.
Step 4
Step 5
Click OK.
Table 17-5
Field
Description
Logging Level
All
Module Level
Select one of the following logging levels from the drop-down list.
FATAL
ERROR
WARN
INFO
DEBUG
Table 17-6 lists the IPSLA Performance Management modules and the corresponding log file details.
Table 17-6
IPMCLI | ipmcli.log
IPMServer | ipmserver.log
IPMClient | ipmclient.log
IPMJob | jobid.log, jobid.subjobid.log
IPM OGS | collectorGroup.log, IPMOGSClient.log, IPMOGSServer.log
 | ipm_ctm.log
IPMPortal | ipmportal.log
IPMPoller | ipmpoller.log
IPMBase | ipm_base.log
IPM TS | TS_IPSLA.log
Config and Image Management Debugging Settings
Select Admin > System > Debug Settings > Config and Image Management Debugging settings.
The Set Application Logging Levels dialog box appears.
Step 2
Step 3
Select the appropriate log level from the Logging Level drop-down list.
The fields in the Set Application Logging Levels dialog box are:
Application
Module
Description
All
ArchiveMgmt
BugToolkit
ChangeAudit
CLIFramework
ConfigCLI
Archive Service
dcmaservice.log
Archive Client
dcmaclient.log
Bug Toolkit
bugtoolkit.log
ChangeAudit.log
Change Audit
CLI Framework
cli.log
Config CLI
ConfigCLI.log
Netconfig CLI
netcfgcli.log
ConfigEditor
Config Editor
CfgEdit.log
ConfigJob
Config Jobs
logs under
%NMSROOT%\files\rme\jobs\Net
ConfigJob
ConfigJobManager
cjp.log
ContractConnection
Contract Connection
contractcon.log
CTMJRrmServer
CTMJrmServer.log
CRI
CRI
DeviceManagement
DeviceSelector
ICServer
Install
cri.log
criarvpurge.log
crijobpurge.log
Device
Management User
Interface
EssentialsDM.log
Check Device
Attributes User
Interface
cda.log
Device Credential
Verification Jobs
Device
Management
Operations
EssentialsDM_Server.log
Device Selector
RMEDeviceSelector.log
Inventory
Collection Service
IC_Server.log
Inventory
Collection User
Interface
ICServerUI.log
Inventory
Collection Jobs
Migration
InventoryPoller
Inventory Poller
InvReports
Inventory Reports
invreports.log
MakerChecker
Maker Checker
MakerChecker.log
NetConfig
Netconfig Client
netconfigclient.log
rmeextnserver.log
Tracks the backend functionalities
when VRF Lite or IPSLA
Performance Management invokes
the extension API.
NetShow
NetShow Client
NetShowClient.log
Portlets
RMEPortlets.log
RMECommon
rme.log
RMECSTMServer
rme_ctm.log
SoftwareMgmt
SyslogAnalyzer
Software
Management User
Interface
swim_debug.log
Software
Management Jobs
Syslog Analyzer
SyslogAnalyzer.log
AnalyzerDebug.log
VirtualSwitch
SyslogAnalyzer.log for Windows
AnalyzerDebug.log for Solaris/Soft Appliance
Syslog Analyzer
User Interface
SyslogAnalyzerUI.log
Virtual Switch
Client
VirtualSwitchClient.log
EnergyWise | EnergyWise UI | EnergyWiseUI.log
 | EnergyWise Provisioning | EnergyWiseConfiguration.log
 | EnergyWise Monitoring | EnergyWiseMonitoring.log
 | EnergyWise Policy Compliance | EnergyWiseComplianceCheck.log
 | EnergyWise Data Purge Settings | EnergyWise_Purge.log
 | Applying EnergyWise Policies to Endpoints | EnergyWiseNativePolicy.log, EnergyWiseNativeCompliance.log
To track the port and module group backend evaluation exceptions and changes, the following logs are
maintained:
PMCOGSServer.log
PMCOGSClient.log
Step 4
Step 5
Configuring Logging
You can enable the debugging option for LMS components without restarting the services. When you enable
the debugging option for the selected component, the log levels in the respective properties file are
changed to DEBUG and the debug messages are recorded in the corresponding log files.
You can only enable or disable the debugging option. You cannot choose to set different log levels such
as INFO, WARNING, FATAL and ERROR.
To debug Faults, see Fault Debugging Settings.
To enable the debugging option for the Common Services components:
Step 1
Select Admin > System > Debug Settings > Common Services Log Configurations.
The CS Log Configurations dialog box displays the following details:
Step 2
Item
Description
Component
List of components for which you can enable or disable the debug option
Description
Debug Mode
CS Device Groups
CS Device Selector
CS Home
CS Portlets
This component is listed in the drop-down list box only when you have installed the LMS Portal
application in LMS Server.
Device Center
Licensing
Getting Started
This component is listed in the drop-down list box only if LMS Setup Center is installed in LMS
Server.
SMTP
Software Center
Step 3
Select the Enable option to enable debugging for the selected application. By default, the Debug Mode
is set to disabled.
Note
Step 4
You can only choose the enable or disable option. You cannot change the log levels to some other
value.
To disable the debug mode for all the Common Services components:
Step 1
Select Admin > System > Debug Settings > Common Services Log Configurations.
The CS Log Configurations dialog box appears.
Step 2
Click Reset All to disable the debug mode for all the Common Services components.
The log levels are restored to what they were before the debugging option was enabled.
This task can be performed by a user logged in to Fault Management in any of the following roles:
System Administrator
Network Administrator
Network Operator
You can also enable debug of the Incharge engine, and execute Incharge Commands. See Enable
Incharge Debugging for more information.
To set the Fault Management debug settings:
Select Admin > System > Debug Settings > Fault Debugging Settings. The Fault Debugging Settings
page is displayed.
Note
You cannot disable logging. Fault Management will always write error and fatal messages to application
log files.
For each Fault Management functional module, the Error check box is always selected; you cannot
deselect it.
Fault Debugging Settings
Step 2
Click OK.
For each module that you want to change, select one (or deselect all) of the following logging levels:
Note
Step 2
Deselecting all check boxes for a module returns it to Error, the default logging level.
To do this:
Step 1
Click the Enable Incharge Debugging, and execute Incharge Commands link in the Fault Debugging
Settings page.
The Incharge Command Execution page appears.
Step 2
Select Enable Incharge Debugging check box to enable Incharge logs for the Fault Management module
in LMS.
The logs are available at:
On Windows:
NMSROOT\objects\smarts\local\logs\DFM.log
NMSROOT\objects\smarts\local\logs\DFM1.log
On Solaris/Soft Appliance:
/opt/CSCOpx/objects/smarts/local/logs/DFM.log
/opt/CSCOpx/objects/smarts/local/logs/DFM1.log
Step 3
You can execute any Incharge command in the Command text box, click Run and view the results in the
Result column.
Some sample commands that you can execute are:
sm_server
brcontrol
Configuration and Reports (see Setting up Debugging Options for Network Reports)
User Tracking Server (see Debugging Options for User Tracking Server)
User Tracking Reports (see Debugging Options for User Tracking Reports)
Dynamic User Tracking Console (see Debugging Options for Dynamic User Tracking Console)
Select Admin > System > Debug Settings > Data Collection.
The Debugging Options dialog box appears.
Step 2
Field | Description | Usage Notes
Enable Debug | Select this option to enable logging for Data Collection. | You can select the modules for debugging only if you select this option.
Modules
Setting Debugging Options for Topology and User Tracking
Table 17-7
Field
Description
Usage Notes
File Name
Device IP(s)
Click Apply.
Module | Description
framework | Enable debugging for this module only when requested by TAC. This is because enabling debugging for this module creates huge logs.
topo
vlad
Enable debugging for this module if you have problems with VTP, VLAN
reports, and configuration.
ccm
vmpsadmin
Manages requests for scheduling user and host discoveries, ping sweeps,
database queries, and updates to user and notes information
Enable debugging for this module if you have problems with User Tracking.
dcrp
status
apps
stp
Table 17-8
stpeng | Provides basic STP analysis for migration from one STP type to another. Enable debugging for this module if you have problems with STP reports and configuration.
devices
Select Admin > System > Debug Settings > Layer2 Configuration and Reports.
The debugging page appears.
Step 2
INFO
Only informational messages are recorded in the log file.
DEBUG
All messages related to Configuration and Reports are recorded in the log file.
FATAL
Messages related to fatal errors are recorded in the log file. This is the default option.
The Log File Name field specifies the location and name of the log file. The default log file is
NMSROOT\log\Campus.log
Step 3
Click Apply.
Select Admin > System Administration > Debug Settings > Device Groups.
The debugging page appears.
Step 2
INFO
Only informational messages are recorded in the log file. This is the default option.
DEBUG
All client side messages are recorded in the log file.
FATAL
Messages related to fatal errors are recorded in the log file.
The Log File Name field specifies the location and name of the log file. The default log file is
NMSROOT\log\CampusDeviceSelector.log
Step 3
Click Apply.
Step 2
Step 3
Step 4
Note
In case you close the Java Console, to reopen it, close the Topology window and relaunch it.
To enable debugging:
Step 1
Step 2
TRACE
Only informational messages are displayed in the Java Console.
DEBUG
All Topology Services client side messages are displayed in the Java Console.
ERROR
Messages related to all errors are displayed in the Java Console. This is the default option.
Step 3
Click Apply.
Step 2
Step 3
Select Admin > System > Debug Settings > User Tracking Server.
The debugging page appears. See Table 17-9 for a description of the fields:
Table 17-9
Field
Description
Usage Notes
Enable Debug
Modules
File Name
Device IP(s)
Click Apply.
Module
Description
user tracking
Provides user tracking functionality. Enable debugging for this if user tracking
fails to discover end hosts as expected.
framework
Enable debugging for this module only when requested by TAC. This is because
enabling debugging for this module creates huge logs.
devices
Select Admin > System > Debug Settings > Dynamic User Tracking.
The debugging page appears.
Step 2
Step 3
Select the Service Name from the drop down list in the Service Name field.
The framework modules appear in the Module Name column. The framework modules depend on the
service that you select.
Step 4
Step 5
Enter the filename for the log file in the Log Filename field.
The default value for Log file size is 1,000,000 lines. You can enter values between 1 and 2,147,483,647.
Entering zero, a negative value, or alphabetic characters results in errors.
Step 6
Dynamic User Tracking modules available for debugging are explained in Table 17-11:
Note
Enabling debugging for these modules creates huge logs, which interferes with the Trap processing
capability of LMS. We recommend that you enable debugging for this module only when requested by
TAC.
Table 17-11
Module
Description
UT Lite
control plane
Log file
Port number
For example:
If you changed the log file from X to Y, but logging still happens in X, enable debugging
for this module.
listener
Listens to data sent by the UTLite script installed in the Windows or Novell server.
Checks for the integrity of the data received.
execution framework
execution
MACUHIC
control plane
listener
Log file
Port number
execution framework
decoder
execution
Checks whether:
listener
Log file
Port number
execution framework
decoder
Validates the data received from UTLite, MACUHIC, SNMP data from DHCP Snooping
MIB and the other data sent by external systems.
execution
es framework
es.snmp
es.subnet
es.db
Select Admin > System > Debug Settings > User Tracking Reports. The debugging page appears.
Step 2
INFO
Only informational messages are recorded in the log file. This is the default option.
FATAL
Messages related to fatal errors are recorded in the log file.
DEBUG
All User Tracking client side messages are recorded in the log file.
The Log File Name field specifies the location and name of the log file. The default log file is
NMSROOT\log\Cmapps.log
Step 3
Click Apply.
Debugging is enabled for UT client side activities and the messages are recorded in the corresponding
log file.
UTLite
UTManager
MACUHIC
Each process monitors different error conditions using circular buffers in the memory. For each error
condition, the buffer will have the count of error occurrences and the conditions under which the error
occurred.
You can write this information from the memory to a file if you need to, and troubleshoot based on that.
To enable Dynamic User Tracking Console:
Step 1
Select Admin > System > Debug Settings > Dynamic User Tracking Console.
The debugging page appears.
Step 2
UTLite
UTM
MACUHIC
The error conditions related to that process are listed under the Error Details section.
Step 3
Select the error condition for which you need details and click Generate.
A new file is generated with all the error details and stored in the LMS server. It is also listed under the
File list pane.
Step 4
Click Delete to delete the file from the server. You can delete multiple files at the same time.
Step 2
Select a device from the device selector, and select Administration > Debug Options And Display
Log.
The Trace Settings dialog box appears.
Step 3
Step 4
SNMP Trace: Displays SNMP request and response pairs, MIB instance ID, data value, data type,
request method, and time stamp.
Activity Trace: Displays server activity such as which device and dialog boxes are open.
You can click Reset All on the Debugging Settings page to reset the debug levels of functions listed.
Setting VRF Lite Debugging Options
Select Admin > System > Debug Settings > VRF Lite Server Debugging.
The VRF Lite Server Debugging dialog box appears. The default location of the log file for VRF Lite
Server Debugging Settings is NMSROOT\log\Vnmserver.log.
The Debug levels in the VRF Lite Server Debugging Settings dialog box are as described in Table 17-12.
Table 17-12
Field
Description
Debug Level
Step 2
INFO
DEBUG
All messages related to VRF Lite Server are recorded in the log file.
ERROR
Reset
Click Reset to reset the debug levels applied to VRF Lite Server to the
default value.
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Server.
Select Admin > System > Debug Settings > VRF Lite Collector Debugging.
The VRF Lite Collector Debugging Settings dialog box appears. The default location of the log file for
VRF Lite Collector Debugging Settings is NMSROOT\log\Vnmcollector.log.
The Debug levels in the VRF Lite Collector Debugging Settings dialog box are as given in Table 17-13:
Table 17-13
Field
Description
Debug Level
Step 2
INFO
DEBUG
All messages related to VRF Lite Collector are recorded in the log
file.
ERROR
Reset
Click Reset to reset the debug levels applied to VRF Lite Collector
to the default value.
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Collector.
Select Admin > System > Debug Settings > VRF Lite Client Debugging.
The VRF Lite Client Debugging Settings dialog box appears. The default location of the log file for VRF
Lite Client Debugging Settings is NMSROOT\log\Vnmclient.log.
The Debug levels in the VRF Lite Client Debugging Settings dialog box are as described in Table 17-14:
Table 17-14
Field
Description
Debug Level
Step 2
INFO
DEBUG
All messages related to VRF Lite Client are recorded in the log file.
ERROR
Reset
Click Reset to reset the debug levels applied to VRF Lite Client to the
default value.
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Client.
Select Admin > System > Debug Settings > VRF Lite Utility Debugging.
The VRF Lite Utility Debugging Settings dialog box appears. The default location of the log file for VRF
Lite Client Debugging Settings is NMSROOT\log\Vnmutility.log.
The Debug levels in the VRF Lite Utility Debugging Settings dialog box are as described in Table 17-15:
Table 17-15
Field
Description
Debug Level
INFO
Step 2
DEBUG
All messages related to VRF Lite Utility are recorded in the log file.
ERROR
Reset
Click Reset to reset the debug levels applied to VRF Lite Utility to the
default value.
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Utility.
CHAPTER 18
Note
You should enable the Browse Jobs task to schedule any job across LMS.
Jobs
Getting Started
Manage Portal
Log Rotation
Cisco.com Settings
Licensing
Software Center
Debug Settings
User Management
Server Monitoring
DBReader Access
Group Management
Backup
Log Rotation
You can configure log rotation settings and schedule log rotation jobs.
Cisco.com Settings
You can remove the proxy server settings that are already set up.
Licensing
Software Center
Device Update
You can view a list of all Cisco Prime related devices packages on your system, and the count of
devices supported. The source location could be Cisco.com or the Server Side Directory.
Check For Updates
Software Update
You can perform the following tasks:
Download Updates
You can set different logging levels such as Fatal, Error, Warn, Info, or Debug for individual
Config and Image Management packages.
Fault Management
User Management
You can modify a local user in LMS Server, assign roles, and specify the authorization type.
Delete User
You can delete a local user profile from the LMS Server.
Modify My Profile
You can import local users from the client or from ACS. You can import local users from ACS
only through CLI and not from the UI.
You can export the local users.
Notify Users
You can broadcast messages to online users.
You can import roles in the XML format from the client. You can export roles in the XML
format. The file will be saved in the client.
Copy Role
You can set a role as a default role. When multiple roles are set as default roles, the user is
assigned all the roles selected as default roles.
Server Monitoring
Process
Start Processes
DiskWatcher Configuration
You can configure disk space threshold level.
Selftest
You can view self test reports to test some basic functions of the server.
Create Self test
You can run the DBReader utility from a Cisco Prime client to access the database and troubleshoot
database issues.
Group Management
The Groups feature helps you to group devices managed by LMS. It helps to create, manage and share
groups of devices. This section explains the following Group Management task groups:
Device Groups
Delete Group
You can export a selected group or all user-defined groups from all applications, to an output
file.
Group Refresh
You can recompute the membership of a group by re-evaluating the group's rule. The
membership of Automatic groups is recomputed dynamically.
Create Group
You can import user-defined device groups from an input XML file.
Group Details
You can use your current authentication database for Cisco Prime authentication and select a login
module (Kerberos, TACACS+, RADIUS, and others), and set their options.
Backup
Allows you to back up the database regularly. It also lets you schedule immediate, daily, weekly, or
monthly automatic database backups.
Multi Server
Local Server
Multi Server
You can add the certificate of a peer LMS Server into its trusted store.
You can add a secret user who can programmatically login to multiple LMS Servers and perform
certain tasks.
Peer Server Accounts Edit
Local Server
Certificate Setup
You can create a self-signed certificate from the user interface.
Monitor/ Troubleshoot
Discovery Settings
Purge Settings
Resource Browser
You can customize the Discrepancies Report and Best Practices Deviations Report to display only those
discrepancies and Best Practice Deviations about which you want to be notified.
Monitor/ Troubleshoot
NAM Configuration
You can view, add, edit, or delete the NAM configuration details.
Load MIB
You can load a MIB file.
RMON Configuration
You can enable RMON on all ports in selected devices.
This section explains the following Notification and Action Settings tasks:
Event Sets
You can configure a set of events that you want to monitor.
This section explains the following CAAM Policy and PSIRT/EOS and EOL Settings task:
Discovery Settings
Settings
You can:
View Discovery Settings
Schedule
You can add a device discovery schedule.
Purge Settings
You can set the purge period for IPSLA historical data and for audit reports. You can configure the
following IPSLA data Purge settings:
Apply IPSLA Purge Settings
View/Edit Preferences
You can set or change software management preferences.
Approver Details
You can specify approver details.
Approval Policies
You can set up job approval for the applications.
You can add a User Defined Field to store the additional information about a device.
Rename User Defined Fields in DCR
Mode Settings
You can change DCR mode settings to master, slave or standalone.
Verification Settings
You can select the credentials that need to be verified while adding devices.
Exception Period
You can specify the time when no network changes should occur.
Resource Browser
Browse Resources
You can view the details of resources and manage resources.
Free Resources
You can free up locked resources.
You can set the default values for inventory, config timeout, and retry settings. This section explains the
following Inventory Collection Settings tasks:
Inventory Jobs
You can view the Inventory job browser, and view, create, stop, delete, or edit an inventory collection
or polling job.
Subscribe/Unsubscribe Collector
You can subscribe or unsubscribe to a Common Syslog Collector.
Collector Status/Update
You can view the status of the Common Syslog Collector to which the Syslog Analyzer is subscribed.
You can view the configured collectors in the running configuration. You can also retain the
default settings.
Set a source interface address
You can set a source interface address for the source router. You can also retain the default
settings.
The Light Weight Messaging system allows you to perform the following task:
Event Listener
You can use this tool to send and receive events.
Jobs
Browse Jobs
You can use the job browser and view the details of individual jobs.
Note
You should enable the Browse Jobs task to schedule any job across LMS.
Delete Job
You can use the job browser to delete the jobs.
Stop Job
You can stop the jobs using the job browser.
Getting Started
Threshold Violation
Best Practices
Syslogs
History
Threshold Violation
You can generate this report which displays threshold violations details for each device based on the
polled data.
Thresholds
You can create reports based on the threshold configured for the MIB variable. You can create or
view reports for specific threshold MIB variables. These reports are called IPSLA Threshold
Violation reports.
TrendWatch Summary
You can create consolidated reports based on the TrendWatches configured for the MIB variable.
You can create or view summary reports of TrendWatch MIB variables.
Best Practices
You can generate the following Best Practices and Discrepancy reports:
Acknowledge/Unacknowledge Discrepancy
You can acknowledge a Best Practice Deviation that you no longer want to see in the Best Practices.
You can also unacknowledge acknowledged Best Practice Deviations so that they reappear in the Best
Practice Deviations Report.
Discrepancies
You can fix the discrepancies detected in the network.
Fix Discrepancy
You can fix the discrepancies detected in the network.
Deviation
You can view the best practice deviation report.
Syslogs
You can use Custom Reports along with Syslogs to generate GOLD test reports.
You can also use Custom Reports along with Syslogs to generate Embedded Event Manager reports.
History
Event History
You can view the fault history report for a given event ID.
IPSLA
IPSLA
You can manage IPSLA archived reports. You can perform the following tasks:
Delete Report
You can delete the IPSLA report archives.
You can view the list of the completed report jobs that you own or all report jobs.
Layer2 Services and User Tracking
You can view and delete archived Layer2 Services and User Tracking reports.
User Tracking
User Tracking
Custom Layouts
You can view the list of Custom layouts.
Custom Reports
You can customize the layout and columns displayed in the UT reports to suit your needs.
Device Attributes
User Tracking
Management Status
Device Attributes
Management Status
You can generate device credentials, device and credentials admin reports, and inventory and config
Collection Status report.
System
Performance
System
Performance
VLAN
VRF Lite
VLAN
You can generate VLAN reports for devices, switch clouds, or VTP domains.
VRF Lite
Poller
Device
Custom
Interface Report
Displays the Interface availability information of a device during the last 24 hours. It also displays
Interface utilization and error rate information for a device interface during the last 24 hours.
Interface Report
Poller
You can:
Device
Device Performance
You can view performance parameters of a device.
You can create IPSLA Reports and IPSLA Threshold Violation Reports. You can also reset the values
you entered.
View IPSLA Job Details
You can view IPSLA Reports, IPSLA Report Archives and IPSLA Threshold Violation Reports.
You can list and create IPSLA Audit Report.
Custom
Users
Status
You can view the duration of each data collection, and the device count. You can also view the icon,
name, and object ID of the supported devices.
Users
You can view information about users currently logged into LMS.
Who is Logged on
You can view information on users currently logged into LMS.
Permission Report
You can view information on roles and privileges.
You can view the status of the processes running on the LMS Server.
Log File
You can view information on log file size and file system utilization.
Process
You can view the status of the processes running on the LMS Server.
Ports
Connected Ports: The ports that are administratively UP and are connected to a device will be listed
here.
Free Ports: The ports that are administratively UP but are not connected to a device will be listed
here.
Free Down Ports: The ports that are administratively down will be listed here.
Ports
Port Attributes
You can view information about the status of ports in the network.
You can schedule reports of the Network, Layer 2, and User Tracking function of LMS.
User Tracking Job Archives
You can generate all Inventory, Syslog, and Change Audit reports.
Inventory/Syslogs/Change Audit View All Reports
You can view all Inventory, Syslog, and Change Audit reports.
Inventory/Syslogs/Change Audit View Own Reports
You can view all Inventory, Syslog, and Change Audit reports which you have generated.
Label Configs
Summary
Views
Label Configs
You can select configuration files from different devices, group and label them. You can manage Label
Configs.
Summary
Views
You can search archives using version tree and version summary. The tasks in Views are the following:
Custom Queries
You can create a custom configuration query that searches information about the specified
configuration files.
Search Archive
You can search the archive for configuration containing text patterns for selected devices.
Version Summary
You can view all archived configurations for selected devices.
NetConfig/Template Center
Config Editor
Software Repository
You can view, add, delete, or update the images that are available in the Software Management
repository.
Repository Synchronization
You can update the software repository.
Software/Patch Distribution
You can distribute software images in the network. You can also distribute patches simultaneously
to applicable devices.
Jobs
You can check the status of a scheduled Software Image Management job. You can view, edit, stop,
delete, retry or undo the job.
Upgrade Analysis
You can analyze images before distribution.
NetConfig/Template Center
This section explains the following NetConfig and Template Center tasks:
Assign Tasks
You can assign tasks to a valid Cisco Prime user.
Jobs
View
You can deploy and import configuration templates in LMS. You can also create NetConfig
jobs.
Config Editor
Private Configs
You can view changes made to a configuration file in the private work area.
Public Configs
You can view changes made to a configuration file in the public work area.
Config Editor
You can open, edit, or print configuration files.
Jobs
You can create, edit, delete, copy, or stop Config Editor jobs.
You can delete configurations older than a specified date from the configuration archive.
Compare With Baseline and Deploy
You can create a job that compares the given Baseline template with the latest version of the
configuration for a device and download the configuration to the device if there is a non-compliance.
List Version
Lists the different versions of configuration files archived in the archival system.
Create Parameter file
You can create a parameter file if the Baseline template containing the parameters is specified.
Compare With Baseline
You can compare the given Baseline template with the latest version of the configuration for a device.
Deploy Baseline
You can reboot the devices, to load the running configuration with their startup configuration.
Get Configuration
You can retrieve the running configuration from the devices and push it to the configuration archive if
the running configuration is different than the latest version in the archive.
Run2Start
You can create a job that overwrites the startup configuration of device with running configuration.
Get Change Audit Data
You can compare the latest running configuration for the device in the configuration archive with the
configuration in the file, to generate a new configuration that is downloaded to the device, so that the
configuration specified in the file is available on the running configuration of the device.
Export Configuration
You can retrieve the configuration for a device from the archive and write it to a specific file.
Compare
write2Start
You can erase the contents of the device's startup configuration and then write the contents of the given
file as the device's new startup configuration.
Export Configuration-xml
You can retrieve the configuration for a device from the archive and write it to an XML file.
Import Configuration
You can retrieve the configuration from a file, and push it to the device, adding to the device's running
configuration.
Get Inventory Data
You can merge the running configuration of any devices with their startup configuration to give a new
running configuration.
Put Configuration
You can retrieve the configuration from the configuration archive and push it to the device.
VLAN
VRF Lite
VLAN
VRF Lite
VRF Configuration
You can create, edit, extend, delete and assign Edge VLAN to VRF.
Job Approval
NetConfig
Config Editor
Job Approval
You can approve or reject a job for which you are an Approver. The job will not run until you or another
Approver approves it.
NetConfig
Out-of-Sync Summary
Compliance Templates
Out-of-Sync Summary
Compliance Check
You can run a compliance check.
Direct Deploy
You can deploy a baseline template using a file system or UI.
Templates
You can manage a baseline template.
IPSLA
Setup
IPSLA
You can manage IPSLA devices, collectors, operations, and outage settings.
Devices
You can add devices to manage IPSLA functionality. You can:
Enable IPSLA Responder
You can update the IPSLA responder enable or disable status. You can also save the latest
information configured in a device to the database.
View Devices
You can edit the device attributes like SNMP Retry and SNMP Timeout.
Delete devices
You can add adhoc target devices to the IPSLA Performance Management function in LMS if
you want to manage devices from an external source. The Adhoc devices may be either Cisco
devices or devices with a unique IP address.
Collectors
You can create, edit, delete, monitor, start, list, view, or stop collectors.
When you have the authorization to create collectors you can import, export and reconfigure
collectors.
Operations
You can analyze IP service levels for IP applications and services. You can view operation details,
list, create, edit, or delete operations.
Outage Settings
You can view, list, create, edit, or delete planned outages.
Setup
Automonitor
You can change the polling intervals.
Pollers
You can create and manage pollers. You can:
Edit Poller
You can clear all the failures recorded in the database for a Poller.
Clear Missed Cycle
You can clear all the polling interval cycles missed for a Poller.
Activate and Deactivate Poller
You can activate an inactive Poller to poll, or stop a Poller from polling.
View Failures
Templates
You can create, copy, edit, list, delete, export, or import templates to monitor performance
parameters.
Setup
You can set up polling parameters, group priorities, and view device fault details.
Apply Changes
TrendWatch
Performance
Fault
TrendWatch
You can create, activate, list and view, edit, copy, deactivate, or delete trendwatch for a MIB variable.
Performance
You can create, edit, delete, access, or list and view thresholds for a MIB variable.
Fault
You can view the thresholds that are associated with device groups, trunk port groups, access port
groups, and interface groups.
VRF Lite
NetShow
Connectivity Tools
Troubleshooting Workflows
VRF Lite
NetShow
Job Operations
You can perform tasks such as viewing job details, creating jobs, editing jobs, copying jobs, retrying
failed jobs, stopping jobs, and deleting jobs.
Command Sets
You can view the details of an existing Command Set.
Connectivity Tools
Device Center
You can launch the troubleshooting page by clicking device IPs.
Packet Capture
You can capture live data from the Cisco Prime machine to aid in troubleshooting.
SNMP Walk
You can trace the MIB tree of a device starting from a given OID for troubleshooting, or gathering
information about a certain device.
SNMP Set
You can set an SNMP object or multiple objects on a device for controlling the device.
Troubleshooting Workflows
You can troubleshoot network problems using the troubleshooting workflows. You can diagnose network
connectivity problems, or diagnose devices.
Fault Monitor
Configure EtherChannel
Topology Services
Fault Monitor
You can view all the faults in a common place. It collects fault information from devices in real time
and displays the information by a selected group of devices. You can clear or annotate faults.
It allows you to own the faults or clear them.
Configure Inter-VLAN Routing
You can view bandwidth utilization across links, in the Topology maps.
Configure EtherChannel
You can generate the TDR report that detects faults in a cable. TDR checks and locates open circuits, short
circuits, sharp bends, crimps, kinks, impedance mismatches, and other such defects.
You can access the LAN Edge, Layer 2, and Unconnected Devices network views of managed domains
discovered in your network, and you can filter, access, or view network information or status.
Spanning Tree Configuration
You can set a preferred management address to be used by LMS for devices which can have multiple IP
addresses.
View Data Extraction Engine
Fault groups
You can view, create, edit, delete fault groups, or refresh groups.
IPSLA Collector
You can view, create, edit, delete or refresh IPSLA collector groups.
View Credentials
You can view device information for a single device or for multiple devices.
Export Devices
You can export a list of devices and their credentials.
View Reports
You can generate the following reports:
Unreachable Devices
Displays the information about the devices that are imported into DCR.
To generate this report, select Reports > Inventory > Management Status > Imported Device
Status.
Known Device List
Displays the complete list and information of all devices in the repository.
To generate this report, select Reports > Inventory > Management Status > Known Device
List.
Device Administration
Add Devices
You can add devices, device properties or attributes, and device credentials to the DCR.
View Devices
You can view devices in DCR.
Delete Devices
You can delete devices from DCR. You can also schedule device polling job and view the
Unreachable device report.
Bulk import
You can import multiple devices into DCR. You can also view the Imported device report.
Edit Devices
You can edit device information for a single device or for multiple devices.
You can manually add managed devices without using the Device Allocation Policy.
Manage Device State
You can configure the device management policy for Device Management.
CiscoView
Provides real-time views of networked Cisco Systems devices.
Mini-RMON
Provides web-enabled, real-time, remote monitoring (RMON) information to users to facilitate
troubleshooting and improve network availability.
Jobs
You can view the status, delete, stop or manage Smart Install jobs.
Readiness Assessment
You can assess the readiness of your network for Smart Install.
Getting Started
You can provision Smart Install for Day 1 operations.
Configure
You can configure, and manage the Smart Install director.
Getting Started
You can provision Auto Smartports for day 1 operations.
Jobs
You can view the status, delete, stop or manage Auto Smartport reports.
Configure
You can configure, and enable Auto Smartports on selected interfaces.
Readiness Assessment
You can view Auto Smartports based device details after assessing the network.
Configure
You can configure Identity on Identity-capable devices.
Jobs
You can view the status, delete, stop or manage Identity jobs.
Reports
You can generate Identity reports.
Getting Started
You can provision Identity for Day 1 operations.
Readiness Assessment
You can view Identity-based device details after assessing the network.
Readiness Assessment
You can view EnergyWise-based device details after assessing the network.
Jobs
You can view the status, delete, stop or manage EnergyWise jobs.
Getting Started
You can provision EnergyWise for Day 1 operations.
Reports
You can generate EnergyWise reports like:
Power Usage
EnergyWise portlets
You can view EnergyWise portlets like:
EnergyWise Savings Trend Graph
EnergyWise Total Savings Graph
EnergyWise Power Consumption Graph
Configure
You can configure energy management policies on devices and configure endpoints.
Manage Policies
Settings
You can configure EnergyWise collection, cost settings, and data purge settings.
Cost Savings
Appendix A
CLI Tools
This section explains all the CLI utilities that are available for the administrator in LMS 4.2.
This section contains:
Understanding UTLite
Note
You can use this CLI command for both system and user-defined roles.
Each local user information should be represented in the following format in the text file:
Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword
where,
Roles - Roles to be assigned to the local user. You should assign one or more of the following roles
to the user, separated by commas.
Help Desk
Approver
System Administrator
Network Administrator
Network Operator
Super Admin
Setting Up Local Users Through CLI
The following is an example of local user information to be represented in input text file:
admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes
where,
Password - Common password for all user accounts specified in the input text file.
This command line parameter is optional if you have specified the passwords for local users in the
input text file. Note that you should enter the password either in the command line or in the input
text file.
If you specify this parameter, the local users are added to Cisco Prime only with this password
irrespective of the password entries specified in the input text file.
For example, enter the following command to add local users mentioned in the input file localuser.txt
with the password admin:
C:\progra~1\CSCOpx\bin\perl C:\progra~1\CSCOpx\bin\AddUserCli.pl -add C:\files\localuser.txt admin
Even if you have entered password for the local users in the localuser.txt file, the local users are added
with the password mentioned in the command line.
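The following linter for the input text file is an added example, not part of the Cisco guide or the AddUserCli.pl tool. It checks the seven-field format, the role names listed above, and the command-line password override just described. It assumes every entry carries all seven fields (device fields may be empty); the function names and all sample lines after the first are constructed for illustration.

```python
"""Pre-flight lint for an AddUserCli.pl input file (added example, not Cisco code)."""
from dataclasses import dataclass

# Field order as given on this page.
FIELDS = ("Username", "Password", "E-mail", "Roles",
          "DeviceUname", "DevicePassword", "DeviceEnPassword")

# System roles listed on this page. User-defined roles are site-specific and
# must be passed in through custom_roles.
SYSTEM_ROLES = frozenset({
    "Help Desk", "Approver", "System Administrator",
    "Network Administrator", "Network Operator", "Super Admin",
})


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str  # "error": entry is malformed; "warn": parseable but weak
    message: str


def lint_user_file(text, custom_roles=(), cli_password_supplied=False):
    """Return a list of Finding objects for the given file contents.

    Assumption: every entry carries all seven fields; device fields may be empty.
    """
    allowed = SYSTEM_ROLES | set(custom_roles)
    findings, seen = [], set()

    def add(line_no, severity, message):
        findings.append(Finding(line_no, severity, message))

    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split(":")]
        if len(parts) != len(FIELDS):
            # Typical cause: a ':' inside a password shifts every later field.
            add(line_no, "error",
                f"expected {len(FIELDS)} colon-separated fields, found {len(parts)}")
            continue
        rec = dict(zip(FIELDS, parts))
        user, password = rec["Username"], rec["Password"]

        if not user:
            add(line_no, "error", "empty Username")
        elif user in seen:
            add(line_no, "error", f"duplicate Username {user!r}")
        seen.add(user)

        roles = [r.strip() for r in rec["Roles"].split(",") if r.strip()]
        if not roles:
            add(line_no, "error", "no role assigned")
        for role in roles:
            if role not in allowed:
                add(line_no, "error", f"unknown role {role!r}")

        if cli_password_supplied:
            # The command-line password replaces whatever the file contains.
            if password:
                add(line_no, "warn", "password in file is ignored; every account "
                    "gets the command-line password")
        elif not password:
            add(line_no, "error", "no password in file and none on the command line")
        elif password.lower() == user.lower():
            add(line_no, "warn", "password is identical to the username")
    return findings


# First line is the sample entry from this page; the rest are constructed.
SAMPLE = "\n".join([
    "admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes",
    "jdoe:Tr4il-Mix-Gate:jdoe@example.com:Network Operator:::",
    "bob:pa:ss:bob@example.com:Approver:::",
    "carol::carol@example.com:Netwrok Operator:::",
])

if __name__ == "__main__":
    for f in lint_user_file(SAMPLE):
        print(f"line {f.line_no}: {f.severity}: {f.message}")
```

Run against the page's own sample entry, the linter reports that the password equals the username; with `cli_password_supplied=True` it reports instead that every account will share the one command-line password.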
where,
For example, enter the following command to import the local users from the remote LMS Server
lmsdocpc:
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin
where,
Password - ACS password which is the default password assigned to all users.
For Windows:
/NMSROOT/lib/jre/bin/java -cp /NMSROOT/lib/classpath;/NMSROOT/www/classpath;/NMSROOT/MDC/tomcat/shared/lib/castor-0.9.5-xml.jar;/NMSROOT/MDC/tomcat/shared/lib/castor-0.9.5.jar com.cisco.nm.cmf.servlet.CWPassMigration <cwpass file location> <output file name with .xml extension>
where, NMSROOT is the directory where you have installed Cisco Prime.
Example:
C:/Progra~1/CSCOpx/lib/jre/bin/java -cp C:/Progra~1/CSCOpx/lib/classpath;C:/Progra~1/CSCOpx/www/classpath;C:/Progra~1/CSCOpx/MDC/tomcat/shared/lib/castor-0.9.5-xml.jar;C:/Progra~1/CSCOpx/MDC/tomcat/shared/lib/castor-0.9.5.jar com.cisco.nm.cmf.servlet.CWPassMigration C:/cwpass C:/output.xml
Step 2
Move the output file to the client machine to import the user details.
Step 3
Go to Admin > System > User Management > Local User Setup.
The Local User Setup page appears.
Step 4
Step 5
Click Browse and select the output file from the client machine.
Step 6
Click Submit.
The user details can be migrated from LMS 3.2 to LMS 4.x versions by the remote upgrade procedure. The
inline upgrade does not support the direct migration of user details from LMS 3.2 to LMS 4.2.
Step 1
Take selective backup from LMS 3.2 using the command given below:
NMSROOT\bin>perl NMSROOT\bin\backup.pl
-dest=
where, NMSROOT is the directory where you have installed Cisco Prime.
Step 2
Move the backup to LMS 4.x server where data has to be restored.
Step 3
Step 4
-d
<Backup Directory>
Step 5
Step 6
Start the daemons and check the user details once all the processes are up.
Note
Step 2
This environment variable set is applicable to the current working shell only.
Changing Cisco Prime User Password Through CLI
Now, you can change the password using the Cisco Prime user password recovery utility.
Step 3
Step 4
Step 5
Step 2
Step 3
Step 4
Starting a Process
Stopping a Process
Process Name
Process State
Process ID
Managing Processes Through CLI
Description
Core
Information
During the startup of Daemon Manager, the pdshow command may sometimes display an information
message requesting you to wait and enter the command again.
This happens particularly when the Daemon Manager is busy running the tasks in the queue one by
one. You must enter the command again to view the process details.
Process Name
Process State
Process ID
For example, if you enter /opt/CSCOpx/bin/pdshow -brief Tomcat Apache in the command prompt,
the following output is displayed:
Process    State                                     Pid
***************
Tomcat     Program Started - No mgt msgs received    13824
Apache     Running normally                          13847
Note
Description
Pid
Process ID
%CPU
RSS
VSZ
%MEM
NLWP
Process
Starting a Process
You must enter the following commands to start a process through CLI:
/opt/CSCOpx/bin/pdexec
pdexec
The dependent processes are started first before the specified process is started.
If the process is being restarted after a shutdown, any dependent processes registered with the Daemon
Manager are not automatically restarted. Dependent processes are automatically restarted only when the
Daemon Manager itself is restarted.
Stopping a Process
You must enter the following commands to stop a process through CLI:
/opt/CSCOpx/bin/pdterm
pdterm
The dependent processes are also shut down using this CLI command.
Working With Third Party Security Certificates
Using the SSL Utility Script to Upload Third Party Security Certificates
Note
Cisco Prime does not support third-party certificates with Subject Alternative Names.
This utility is available at:
Note
What it Does...
For third party issued certificates, this option displays the details
of the server certificate, the intermediate certificates, if any, and
the Root CA certificate.
Number Option
Verifies whether the server certificate issued by third party CAs can
be uploaded.
You must contact the CA who issued the certificates to correct these
problems before you upload the certificates to Cisco Prime.
Number Option
You must verify the certificates using option 4 before you select this
option.
You must contact the CA who issued the certificates to correct these
problems before you upload the certificates in Cisco Prime again.
Number Option
You must verify the certificates using option 4 before you select this
option.
Upload a certificate chain to LMS Server
Select this option if you are uploading a certificate chain. If you are
also uploading the root CA certificate, you must include it as
one of the certificates in the chain.
When you select this option and provide the location of the
certificates, the utility:
You must contact the CA who issued the certificates to correct these
problems before you upload the certificates in Cisco Prime again.
7
Modify Certificate
This option allows you to modify the Host Name entry in the LMS
Certificate.
You can enter an alternate Hostname if you wish to change the
existing Host Name entry.
Using the SSL Utility Script to Upload Third Party Security Certificates
To upload the certificates:
Step 1
On Solaris/Soft Appliance:
Step 2
Go to NMSROOT\MDC\Apache
b.
On Solaris/Soft Appliance:
a.
Go to NMSROOT/MDC/Apache/bin
b.
Step 3
Step 4
Enter the location of the certificates (server certificate and intermediate certificate).
The script verifies if the server certificate is valid. After the verification is complete, the utility displays
the options.
If the script reports errors during validation and verification, the SSL Utility displays instructions to
correct these errors. Follow the instructions to correct those errors and then try to upload the certificates.
Step 5
Select option 5, if you have only one certificate to upload, that is if you have a server certificate signed
by a Root CA certificate.
Or
Select option 6, if you have a certificate chain to upload, that is if you have a server certificate and
intermediate certificates.
Cisco Prime does not allow you to proceed with the upload if you have not stopped the Cisco Prime
Daemon Manager.
The utility displays a warning message if there are hostname mismatches detected in the server
certificate being uploaded, but you can continue to upload the certificate.
Step 6
SSL Utility uploads the certificates, if all the details are correct and the certificates meet Cisco Prime
requirements for security certificates.
Step 7
Restart the Daemon Manager for the new security certificate to take effect.
Enable SSL to establish a secured connection between LMS Server and your client browser, if you have
not enabled already.
Note
Note
Cisco Prime does not support third-party certificates with Subject Alternative Names.
Enabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms
Enabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft
Appliance Platforms
Disabling Browser-Server Security From the Command Line Interface (CLI) On Windows
Platforms
Disabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft
Appliance Platforms
Step 2
Step 3
Step 4
Press Enter.
Step 5
If you have the required security certificates available on the server, Cisco Prime enables SSL.
If you do not have the security certificates on the server, Cisco Prime prompts you to create your
own self-signed certificate and enter the details required to create a self-signed certificate.
Create a self-signed certificate or use certificates you obtained from a Certification Authority (CA).
The LMS Server creates the security certificate. You can use this certificate to enable SSL in the LMS
Server from your client browser.
Step 6
Log out from your Cisco Prime session, and close all browser sessions.
Step 7
Step 8
a.
b.
Setting up Browser-Server Security
When you restart the Cisco Prime session after enabling SSL, you must enter the URL with the following
changes:
The URL should begin with https instead of http to indicate secure connection. Cisco Prime will
automatically redirect you to HTTPS mode if SSL is enabled.
If you do not make the above changes, LMS Server will automatically redirect you to HTTPS mode with
port number 443. The port numbers mentioned above are applicable for LMS Server running on
Windows.
Step 2
Step 3
Step 4
Press Enter.
Step 5
If you have the required security certificates available on the server, Cisco Prime enables SSL.
If you do not have the security certificates on the server, Cisco Prime prompts you to create your
own self-signed certificate and enter the details required to create a self-signed certificate.
Create a self-signed certificate or use certificates you obtained from a Certification Authority (CA).
The LMS Server creates the security certificate. You can use this certificate to enable SSL in the LMS
Server from your client browser.
Step 6
Log out from your Cisco Prime session, and close all browser sessions.
Step 7
Step 8
a.
b.
The URL should begin with https instead of http to indicate secure connection. Cisco Prime will
automatically redirect you to HTTPS mode if SSL is enabled.
If your LMS Server is integrated with any Network Management Station (NMS) in your network using
the integration utility (NMIM), you must perform the integration every time you enable or disable SSL
in the LMS Server. This is required to update the application registration in NMS.
For more information, see the Integration Utility Online Help.
Step 2
Step 3
Step 4
Press Enter.
Step 5
Log out from your Cisco Prime session, and close all browser sessions.
Step 6
Step 7
a.
b.
The URL should begin with http instead of https to indicate that connection is not secure.
The port numbers mentioned above are applicable for LMS Server running on Windows.
Step 2
Step 3
Step 4
Press Enter.
Step 5
Log out from your Cisco Prime session, and close all browser sessions.
Step 6
Step 7
a.
b.
The URL should begin with http instead of https to indicate that connection is not secure.
If your LMS Server is integrated with any Network Management Station (NMS) in your network using
the Integration Utility (NMIM), you must perform the integration every time you enable or disable SSL
in the LMS Server. This is required to update the application registration in NMS.
For more information, see Integration Utility Online Help.
LogFile Log file name that contains the details of the backup
To back up only selective data using CLI on Windows and Solaris/Soft Appliance:
On Windows, run:
NMSROOT\bin\perl NMSROOT\bin\backup.pl -dest=BackupDirectory -system [-log=LogFile] [-gen=Num_Generations]
On Solaris/Soft Appliance, run:
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/backup.pl -dest=BackupDirectory -system [-log=LogFile] [-gen=Num_Generations]
where,
-dest=BackupDirectory - Directory
-system - Command line option that allows you to back up only the selected system configurations
from all applications instead of backing up the complete databases. This is mandatory.
-log=LogFile - Log file name that contains the details of the backup.
-gen=Num_Generations - Maximum backup generations to be retained in the backup directory.
Caution
Make sure that you run this command after you have changed your hostname and the appropriate entries
specific to the operating system are updated.
Using LMS Server Hostname Change Scripts
Prerequisites
Before running the hostname change script, you should do the following:
Step 1
/etc/hostname.hm0 or the appropriate interface file - Modify the file to the new hostname.
/etc/nodename or the appropriate interface file - Modify nodename to the new hostname.
For Solaris/Soft Appliance, the sys-unconfig command erases the hostname and IP addresses
pertaining to the Solaris/Soft Appliance system (not the LMS or SMS software) and guides you
through the server-renaming process. You can also do this when you change the hostname in the
hosts, hostname.hme0, and nodename files in the /etc directory.
On Soft Appliance:
To change the hostname in Soft Appliance operating system:
a.
b.
c.
d.
Stop the daemons before changing the hostname in CARS CLI, by running the command
/etc/init.d/dmgtd stop in shell mode.
e.
f.
g.
On Windows:
To change the hostname in Windows operating system:
a.
Right-click the My Computer icon from the desktop and click System Properties.
Or
Click Start > Settings > Control Panel > System.
The System Properties dialog box opens.
Step 2
b.
c.
Click Change... on the Windows 2008 machine to open the Computer Name Changes dialog box.
d.
e.
f.
Step 3
/etc/init.d/dmgtd stop
(on Windows)
Step 4
Run the hostname script without command line options. See Running the Hostname Change Script for
more information.
Step 5
/etc/init.d/dmgtd start
(on Windows)
Run the hostname change script without specifying any command line options
After you have restarted your system, ensure that you stop the Daemon Manager and then enter the
following command to run the hostname change CLI utility.
NMSROOT\bin\perl NMSROOT\bin\hostnamechange.pl (on Windows)
NMSROOT/bin/perl NMSROOT/bin/hostnamechange.pl (on Solaris/Soft Appliance)
Or
2.
Changes ASName to the new hostname of LMS Server in the following files:
/opt/CSCOpx/lib/classpath/sso.properties (on Solaris/Soft Appliance)
NMSROOT\lib\classpath\sso.properties (on Windows)
3.
4.
5.
6.
7.
The NS_Ref file is restored in LMS Server after the Daemon Manager is restarted.
8.
Starts the LMS 4.0 database and updates the database table entries with the new hostname. After
updating the database table entries, it stops the LMS 4.0 database.
9.
Detects and displays the details of the certificate in the LMS Server.
If the certificate is a third party certificate, you should regenerate your certificate with the new
hostname.
Or
If the certificate is a self-signed certificate, the script allows you to regenerate the certificate.
You can enter y to re-generate the certificate with the new hostname or n to re-generate the
certificate later. See Creating Self Signed Certificates for details.
After you have completed running the script, ensure that you:
Redo the integration, if you have integrated any third party network management application to
Cisco Prime, using Integration Utility.
Re-import the certificates and redo the Multi-Server setup if the machine is part of a Multi-Server
setup.
For example, if you are changing the hostname of a machine that is configured as a Slave, then it
needs to reregister with the Master. If you are changing the hostname of a machine that is configured
as a Master, then all its Slaves need to be updated with the new Master hostname.
If the hostname of the machine changes, the stability of the system is not guaranteed and it fails in some
cases.
Using DCR Features Through CLI
The Device Name of a device is the same as that of any other device
The Host Name/Domain Name combination of a device is the same as that of any other device
Auto Update Device ID is the same as that of any other device (in case of AUS managed device)
Cluster and Member Number together are the same as those of any other device (in case of Cluster
managed device)
dcrcli operates in both the Shell and Batch modes. The Shell mode is interactive whereas the Batch mode
runs the specified command and exits to the prompt after the command is run.
You can set the DCRCLIFILE environment variable to point to the file where the LMS password is present.
If you set the DCRCLIFILE variable, you are not asked for the password when you run dcrcli in shell or batch mode.
The password file should contain an entry in the format username password. Make sure that there is only
one blank space between the username and the password in the password file. For example, if admin is
the username and the password for the Cisco Prime user, the password file must contain the following
entry:
admin admin
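Because the DCRCLIFILE password file holds a cleartext credential, the check below is added here as an example; it is not part of the Cisco guide or of dcrcli. It validates the "username password" format described above and, as an assumed hardening baseline on Solaris/Soft Appliance hosts, flags files that group or other users can access. The function names are illustrative.

```python
"""Check the password file that DCRCLIFILE points to (added example, not Cisco code)."""
import os
import stat


def check_dcrcli_password_file(path):
    """Return a list of problems found in a 'username password' file."""
    problems = []

    # Permission bits are only meaningful on POSIX hosts (Solaris/Soft Appliance);
    # on Windows, review the file's ACL instead.
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"mode {mode:04o} lets group or others access the file")

    with open(path, encoding="utf-8") as fh:
        entries = [line.rstrip("\r\n") for line in fh if line.strip()]
    if not entries:
        problems.append("file has no 'username password' entry")

    for number, entry in enumerate(entries, start=1):
        fields = entry.split(" ")
        # Exactly one blank space: two non-empty fields and no tab characters.
        if len(fields) != 2 or not all(fields) or "\t" in entry:
            problems.append(f"entry {number}: must be 'username password' "
                            "separated by exactly one blank space")
        elif fields[0] == fields[1]:
            problems.append(f"entry {number}: password is identical to the username")
    return problems


def check_from_environment(environ=os.environ):
    """Check the file named by DCRCLIFILE; None means the variable is not set."""
    path = environ.get("DCRCLIFILE")
    return None if path is None else check_dcrcli_password_file(path)


if __name__ == "__main__":
    result = check_from_environment()
    if result is None:
        print("DCRCLIFILE is not set; dcrcli will prompt for the password")
    else:
        for problem in result or ["no problems found"]:
            print(problem)
```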
Step 2
Step 3
Enter lsmode
It lists the DCR ID, the DCR Group ID, the current DCR mode, and the associated Master and Slaves.
Go to NMSROOT/bin
Step 2
Step 2
Step 3
Go to NMSROOT/bin
Step 2
Step 2
Step 3
Enter setmaster
The DCR mode gets changed to Master.
Go to NMSROOT/bin
Step 2
Step 2
Step 3
Enter setstand
The DCR mode gets changed to Standalone.
Using Group Administration Features Through CLI
Go to NMSROOT/bin
Step 2
Step 2
Step 3
Go to NMSROOT/bin
Step 2
You should have Network Administrator, System Administrator, or Super Admin privileges to use
OGSCli command line utility.
OGSCli runs in only Batch mode. It runs the specified command and exits to the prompt after the
command is run.
This section explains:
Step 2
Or
where,
NMSROOT is the directory where you have installed Cisco Prime.
CiscoPrime_Username is the login username of a Cisco Prime user.
For example, you can enter /opt/CSCOpx/bin/OGSCli.sh -u admin on Solaris/Soft Appliance systems.
The system prompts you to enter your Cisco Prime password.
Step 3
Step 4
Enter export.
The system prompts you to enter an output file name.
Step 5
Enter a file name for export output file with its absolute path name.
If you do not enter the file name with its absolute path name, the export file is stored in \nmsroot\bin.
A warning message appears indicating that the selected file will be overwritten with the new information
on exported groups.
The system uses the file name that you have entered to generate the output XML file irrespective of
whether the file exists on the server.
You should have the required directory-level permissions where you want to save the output XML file.
You must either enter y to continue or n to exit.
The system prompts you to enter an export group hierarchy.
Step 6
Step 2
Or
where,
NMSROOT is the directory where you have installed Cisco Prime.
CiscoPrime_Username is the login username of a Cisco Prime user.
For example, you can enter /opt/CSCOpx/bin/OGSCli.sh -u admin on Solaris/Soft Appliance systems.
The system prompts you to enter your Cisco Prime password.
Step 3
Step 4
Enter import.
The system prompts you to enter the input XML filename.
Step 5
Enter the input XML filename with its absolute path name.
The system lists the groups to be imported from the source XML file.
Step 6
Enter your choices using the item numbers displayed for the listed groups.
You can enter one or more item numbers separated by commas.
The system lists the Grouping Server locations where you can import the groups.
Step 7
Enter your choices using the item numbers displayed for the listed Grouping Servers.
You can enter one or more item numbers separated by commas. You must enter 1 to import the selected
groups to all listed servers.
A message appears indicating whether the import of groups is successful.
See Exporting Groups for the possible causes for the import groups job to fail.
Enter NMSROOT\bin
Step 2
On Solaris/Soft Appliance:
Step 1
Enter NMSROOT/bin
Step 2
-pfile:
Absolute Path of the text file with Cisco Prime login password of the current user, in one line.
-staleuser:
If you run the DeleteStaleGroups utility without specifying any of these optional entries, all the stale
groups will be deleted.
Use the -prompt option if you do not want to enter your password on the command line. Using
-prompt prevents other users from running ps and seeing your password.
The -host option is required when you run the CLI command on a remote LMS Server.
User Tracking Command Line Interface
Table A-1
Option
Arguments
Function
-prompt
No keywords or arguments.
-help
No keywords or arguments.
-ping
{enable | disable}
-performMajorAcquisition
No keywords or arguments.
-query
This option takes one of the following arguments:
all
name
dupMAC
dupIP
hub
Queries the Topology and Layer 2 services module database and updates the User Tracking table.
all
name
-layout
layout_name
-layoutPhone
layout_name
-host
ANI Server device name or IP Address
Specifies the host name or IP address of the LMS Server.
-queryPhone
-export
filename
-import
filename
-importMACToAcceptableOUI
filename
-stat
No keywords or arguments.
-debug
No keywords or arguments.
-wireless
No keywords or arguments.
-switchPortCapacity
For complete details on this, see Exporting Switch Port Usage Report.
-switchPortreclaimreport
For complete details on this, see Exporting Switch Port Usage Report
-switchPortSummary
For complete details on this, see Exporting Switch Port Usage Report
For details on Lookup Analyzer Script, see Using Lookup Analyzer Utility
Ports that were previously connected to an endhost or a device but are unconnected at least for a
period of one day.
Switch port usage reports can be generated from the command prompt as given in Table A-2:
Table A-2
Purpose
Command
NMSROOT/campus/bin ut -cli -switchPortCapacity lessthan 60 -devices all -export c:/sample -u username -p password
NMSROOT/campus/bin ut -cli -switchPortCapacity lessthan 60 -devices 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u username -p password
NMSROOT/campus/bin ut -cli -switchPortCapacity greaterthan 60 -devices all -export c:/sample -u username -p password
NMSROOT/campus/bin ut -cli -switchPortCapacity greaterthan 60 -devices 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u username -p password
Using Lookup Analyzer Utility
NMSROOT/campus/bin ut -cli
2
c:/sample -u username -p
password
To generate Reclaim Unused Down Ports report (for specific devices)
NMSROOT/campus/bin ut -cli -switchPortReclaimReport type down days 2 -devices 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password
NMSROOT/campus/bin ut -cli
-switchPortSummary -devices all -export
NMSROOT/campus/bin ut -cli -switchPortSummary -devices 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password
Note
The above commands can be run on a Solaris/Soft Appliance machine. To run the same commands on
Windows, replace every forward slash (/) with a backslash (\).
The report generated by the above options is saved as a file in CSV format at the specified location.
To generate various Switch Port Usage reports, select Reports > Switch Port.
UT.nameResolution.threadCount: 1
UT.nameResolution.winsTimeout: 2000
UT.nameResolution.threadThresholdPercentage: 10
UT.nameResolution.dnsTimeout: 2000
UTMajorUseDNSCache: false
nameserver.usednsForUT: true
DB.dsn: ani
--------------------------------
ISSUES/RECOMMENDATIONS
----------------------
Issue #1: Failure Percent is greater than 20%
Recommendation: Check all DNS/WINS entries and ensure proper hostnames are configured
Issue #2: DNS reverse lookup is NOT done as separate process
Recommendation: Enable UTMajorUseDNSSeperateThread=true in ut.properties
Issue #3: Name Resolution DNS server order is not optimal
Recommendation: Change dns server order as 64.104.128.248=7.0, 64.104.76.247=0.0,
WINS=0.0,
Other Recommendations:
* If hostnames in your network are less likely to change often, set
UTMajorUseDNSCache=true
* If reverse lookup failure % is more, try increasing UT.nameResolution.winsTimeout,
UT.nameResolution.dnsTimeout and UT.nameResolution.threadThresholdPercentage
* Optimal timeout values are: UT.nameResolution.winsTimeout=0,
UT.nameResolution.dnsTimeout=48
The script can also be run by setting properties in the ut.properties file.
Understanding UTLite
UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active
Directory, and Novell servers.
To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell
servers. You can also install UTLite in an Active Directory server.
UTLite sends traps to LMS whenever a user logs in or logs out. UTLite traps are processed by LMS at
the rate of 150 traps per second, with a default buffer size of 76800.
If you need a higher trap processing rate, say 300 traps per second, increase the buffer size to 102400.
To increase the buffer size:
Step 1
Enter pdterm UTLITE at the command line to stop the UTLite process.
Step 2
Step 3
Set Socket.portbuffersize=102400
Step 4
Enter pdexec UTLITE at the command line to start the UTLite process.
Caution
Increasing the buffer size beyond 102400 results in performance degradation of UTLite.
Step 2
Change the property of URTlite state by changing the value from "URTlite.state=disable" to
"URTlite.state=enable".
Or
You can change the property of URTlite state by launching LMS. Select the Acquisition Settings option
from Admin > Collection Settings > User Tracking > Acquisition Settings. The Acquisition Settings
page appears. In the Acquisition Settings page, check the Get user names from hosts in NT and NDS
domains and click Apply.
Note
The servers must be resolvable through DNS to get the events from the clients. Otherwise, add an entry for them in
%WINDIR%\system32\drivers\etc\hosts.
Windows NT
Windows 2000
Windows XP
Windows 2003
Windows Vista
Solaris
HP-UX
AIX
You must have Administrator privileges on the Active Directory server to install the UTLite logon
script. To install the script:
Step 1
b.
c.
Copy the UTLiteNT.bat and UTLite33.exe files into the NETLOGON folder.
NETLOGON is located at:
%SystemRoot%\sysvol\sysvol\domain DNS name\scripts,
where %SystemRoot% is usually c:\winnt and domain DNS name is the DNS name of the domain
Note
Step 2
For Windows 2000 and NT servers, the NETLOGON folder is located at:
%SYSTEMROOT%\system32\Repl\Import\Scripts
Edit the UTLiteNT.bat file:
a.
b.
Locate the following line and replace domain and ipaddress with the domain name of the Windows
domain controller and IP address of the computer running the Campus Manager server:
start
For example:
start %WINDIR%\UTLite33 -domain cdiclab.cisco -host 192.168.152.228 -port 16236
If port 16236 is already in use, enter a different number. This port number must match the number
that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page
(Select Admin > Collection Settings > User Tracking > Acquisition Settings).
For more details, see Modifying UT Acquisition Settings.
Step 3
Edit the user profile on the Active Directory server to run the UTLiteNT.bat file when users log in to the
network by editing the profile of the user as shown in Figure A-1:
Figure A-1
Here, in the User profile section of the window, the Profile path is set to be:
C:\windows\sysvol\sysvol\domain\scripts
The Logon script is set to be:
UTLiteNT.bat
Step 4
Update the domain controller logon script for each Windows domain that you add.
The first time users log into the network after you edit this script, UTLite33.exe is copied to the local
WINDIR directory on their Windows client system.
Step 2
Step 3
NMSROOT\campus\bin\UTLite33.exe
NMSROOT\campus\bin\UTLiteNDS.bat
where NMSROOT is the directory in which you installed Cisco Prime.
Step 4
Create a folder in \\Novell Server Name\SYS\public and copy UTLiteNDS.bat and UTLite33.exe to the
folder.
Step 5
Step 6
Step 7
Locate the following line and replace domain and ipaddress with the domain name of the Windows
domain controller and IP address of the computer running the LMS server:
start
If port 16236 is already in use, enter a different number. This port number must match the number
that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page
(Select Admin > Collection Settings > User Tracking > Acquisition Settings).
For more details, see Modifying UT Acquisition Settings.
Edit the logon scripts.
Step 8
Step 9
Step 10
Right-click on the users or organizational units whose logon scripts you want to modify and select
Details.
Step 11
Remove UTLiteNT.bat and UTLite33.exe files from each primary domain controller.
Step 2
Step 3
Step 1
Remove UTLiteNT.bat and UTLite33.exe files from each Active Directory server.
Step 2
Step 3
Step 2
Remove the line added to the login scripts for all users and organizational units.
Step 3
Configuring Switches to Send MAC Notifications to LMS Server
2.
Reports violation of basic rules for each of the missing ports such as link ports and trunk ports.
3.
Checks for SNMP retrieval of data, if the ports pass the validity check.
4.
Generates an Action Report suggesting possible remedial actions to retrieve the valid missing ports.
where,
switch is the switch to which the end hosts are connected.
ports are the ports on the switch whose end hosts are missing from User Tracking.
filename specifies that the debug messages be stored in the file specified. If this option is not
used, the messages are displayed on the console.
-export
For example,
utdebug -switch 10.29.6.12 -port 5/12
utdebug -switch 10.29.100.10 -port Fa0/10
utdebug -switch 10.29.6.14 -port Gi6
Deleting all Active Entries from User Tracking, and Restarting Servers
Deleting all Inactive Entries from User Tracking, and Restarting Servers
Deleting all History Entries from User Tracking, and Restarting Servers
If you have a corrupted database, you can use the database administration tools to restore the database
from a previous backup. However, if you do not have a previous backup, you must re-initialize the
database.
When you run this command, if Data Collection is running, it is automatically stopped and then restarted
when the database initialization is complete.
Caution
Note
If you re-initialize the database, information from discovered devices will be lost. However, user and
host information is retained. Replace the database only if recommended by a Cisco technical
representative.
If you enter y, it erases all data (database tables Wbu*...) from the server.
Administration Command Line Interface
Deleting all Active Entries from User Tracking, and Restarting Servers
where inactive entries are hosts that are currently not logged in
Deleting all History Entries from User Tracking, and Restarting Servers
where history entries are complete entries. That is, hosts that have a login and logout in the past.
Deleting all User Tracking Entries, and Restarting Servers
Note
Before executing the -restore command, you should stop the daemon manager and start again
manually. For details, see Using Daemon Manager.
Restoring Data from Another Server
When you take database backup for LMS in one server and restore it in another server, the NMSROOT
logfile location may not be the same in both servers.
In that case, LMS will log messages to the log file stored in the default NMSROOT location in the
restored machine.
where NMSROOT is the root directory where you installed Cisco Prime.
When you get out of memory errors in LMS, the following command can be used to tune the
performance:
NMSROOT/bin/perl NMSROOT/campus/bin/CMPTT.pl ProcessName HeapSize MaxPermSize
Heap size should be multiples of 512 and should not exceed 1536 MB.
Ensure you have enough swap space in the server before tuning the heap size.
md5
SHA
des
3des
aes128
aes192
aes256.
For using various LMS features in devices running SNMPv3, you must make specific configurations on
the devices. The commands that need to be configured are:
oid-tree included
You must set the access rights for a group with a certain security model in different security levels.
For Catalyst devices, enter the following command:
set snmp access campusgroup security-model v3 authentication read campusview write
campusview nonvolatile
access-list
IOS image versions prior to 12.4 support only exact context names.
IOS image versions 12.4 or higher support both exact and prefix context names.
You need to configure the device with and without context name, since Data Collection manages the
device without context name and User Tracking requires context name to contact the device.
Configuring a New User
Configuring SNMP view to prevent %SNMP-3-AUTHFAIL Syslog due to polling of shutdown VLANs
Because of a limitation of the stpxPVSTVlanEnable MIB object, Data Collection polls shut-down VLANs to
fetch STP-related data, which causes the device to trigger %SNMP-3-AUTHFAIL syslog messages. To
avoid polling shut-down VLANs, create an SNMP-VACM-MIB view on the device, associate it with the
SNMP credential, and set the vacmContextNameEnabled property to 1 in LMS.
You can enable it by creating a view and by including and excluding MIBs. To create an SNMP view:
Step 1
Step 2
Step 3
Step 4
Step 5
Note
During Data Collection, LMS queries the vacmContextName variable of SNMP-VACM-MIB. From this
MIB variable, LMS can find out which VLANs are in the shut-down state so that LMS will try to connect to
that VLAN context. This MIB is not supported by the device by default.
Note
The device side configuration has to be done on all the devices in the network before changing the
property in LMS. Otherwise some of the features will not work in Topology and Layer2 Services.
Appendix B
Troubleshooting Guidelines
This section provides guidelines on the following:
Symptom
Probable Cause
Possible Solution
User Tracking cannot discover any users or hosts
or
User Tracking cannot display any IP phones.
There may not be information in the LMS database.
User Tracking cannot discover
certain users or hosts.
1.
2.
3.
Table B-1
1.
2.
3.
Or
1.
2.
3.
Troubleshooting Suggestions
Server Status
Task
Purpose
Action
Administrative Tasks
Perform self test.
All Users
Check process status.
Checks whether back-end processes are in an interim state.
Select Admin > System > Server Monitoring > Processes.
Collect server information.
Provides system information, environment, configuration, logs, and web server information.
NMSROOT\bin\perl NMSROOT\bin\collect.info (on Windows)
NMSROOT/bin/perl NMSROOT/bin/collect.info (on Solaris/Soft Appliance)
Table B-2
MDC Support
Log files
Directory
Troubleshooting Suggestions
Use the suggestions in Table B-3 to resolve errors or other problems with the Cisco Prime LMS Server.
Table B-3
Troubleshooting Suggestions
Symptom
Probable Cause
Possible Solutions
Authorization
Incompatible browser
causing cookie failure
(unable to retrieve
cookie).
Verify that you have Accept all cookies enabled. Refer to the installation
documentation for supported Internet Explorer and Mozilla Firefox
software and setup procedures.
Daemon Manager
could not start.
The port is in
use.
Make sure all Cisco Prime processes are terminated (/usr/ucb/ps -auxww
| grep CSCO). Wait five to ten minutes, then try to restart the Daemon
Manager.
required. Please
log in with your
username and
password.
1.
2.
Authentication server
might be down and there
were no fallback logins
set.
The Log File Status window displays files that exceed their limit.
Files need to be backed up so that file size will be reset to zero.
(on Windows)
NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl
1.
2.
3.
1.
2.
supported or not.
If you are not able to connect, check whether the device is running
SSH enabled (K2 or K9) image.
3.
If you have the correct image, check whether you have created
RSA key pairs in the device. Creating RSA keys will enable SSH
in the device.
While launching the Group Administration page, the following error message is displayed:
Error in communicating with Group Administration Server.
The Group Administration server is either not running or yet to be up.
Start the Group Administration server from the user interface or from the CLI.
To start the server from the user interface:
1. Select Admin > System > Server Monitoring > Processes.
The Process Management Dialog Box appears.
2.
3.
Click Start.
Check whether ctm_config.txt file is corrupted.
Make sure the following two files have proper content by checking the
contents with the sample ctm_config.txt:
/NMSROOT/MDC/tomcat/shared/lib/ctm_config.txt
/NMSROOT/MDC/tomcat/webapps/cwhp/WEB-INF/lib/ctm_config.txt
Q. How does User Tracking acquisition process differ from that of the LMS Server?
Q. How does User Tracking user and host acquisition process work?
Q. Does User Tracking discover users and hosts connected to non-Cisco Discovery Protocol (CDP)
devices?
Q. Why am I getting a parse error when trying to parse some of the output files?
User Tracking does not automatically delete outdated end-user host entries. To delete these entries:
Manually delete selected entries.
Or
Configure delete interval for purging old records more than the given number of days.
Select Admin > Network > Purge Settings > User Tracking Purge Policy
Q. How does User Tracking acquisition process differ from that of the LMS Server?
A. User Tracking is an LMS client application. The LMS Server provides several types of global
discoveries, including:
Device and physical topology acquisition, resulting in baseline network information such as
device identity, module and port information, and physical topology. This type of acquisition is
required for logical, user, and path acquisition.
User acquisition, resulting in information about users and hosts on the network.
The LMS Server stores this information in the database. User Tracking discovers the host and user
information in the LMS server database, correlates this information, and displays it in the User
Tracking Reports.
For more information about the various acquisition processes, see Various Acquisitions in User
Tracking.
Q. How does User Tracking user and host acquisition process work?
A. Before collecting user and host information, LMS must complete Data Collection. After the
completion of Data Collection, User Tracking performs the steps described in Table B-4.
Table B-4
Process
Description
Pings all IP addresses on all known subnets, if you have Ping Sweeps
enabled (the default).
This process updates the switch and router tables before User Tracking
reads those tables. This ensures that User Tracking displays the most
recent information about users and hosts.
Obtains MAC addresses from switches
Reads the switch's bridge forwarding table.
The bridge forwarding table provides the MAC addresses of end
stations, and maps these MAC addresses to the switch port on which
each workstation resides.
Obtains IP and MAC
addresses from routers
Obtains hostnames
Obtains usernames
Attempts to locate the users currently logged in to the hosts and tries
to obtain their username or login ID.
Records discovered
information
Policy Details.
Q. Does User Tracking discover users and hosts connected to non-Cisco Discovery Protocol (CDP)
devices?
A. LMS does not manage non-CDP devices. Hence User Tracking will not discover users and hosts in
errors are logged in the respective log file. The log files are located at
Solaris/Soft Appliance : /var/adm/CSCOpx/log
Windows: NMSROOT\log
Where NMSROOT is the directory where you have installed Cisco Prime.
Q. Why am I getting a parse error when trying to parse some of the output files?
A. A few classes in Optical switches contain special characters with ASCII code higher than 160. Most
of the XML parsers do not support these characters and hence fail to parse them.
To overcome this, you have to manually search for those elements with special characters and
append CDATA as given in the example below:
If there is an element
<checksum> o </checksum>
Change it to:
<checksum> <![CDATA[o ]]> </checksum>
Q. The device must be managed by LMS to exercise all the functionality of VRF Lite. The desired
device is not listed in the device selector for the VRF Lite configuration workflows. What is the
reason for a device not listed in the device selector?
Q. What are the different categories in which the devices are managed by Virtual Network Manager?
Or what criteria are used by Virtual Network Manager to categorize the devices in the network?
Q. Sometimes, while performing VRF Lite configuration, I get the following message:
Q. What are the details of the VRF Lite log files? In which location are the VRF Lite log files
located?
Q. After the completion of the Data collection process, the VRF Lite Collector failed to run. What is
the reason for failure?
Q. How can I configure SNMP timeout and retries details for VRF Lite?
Q. What is the reason for VLANs not getting populated in the VLAN to VRF Lite Mapping page in
the Create VRF Lite and Extend VRF Lite workflows?
Q. In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow,
why are values for the IP Address and SubnetMask fields empty?
Q. If you configure commands to be deployed to two different devices, will the commands be
deployed parallelly or serially?
Q. Which VRF Lite configuration jobs that are failed can be retried?
Q. Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page?
Q. Why are the FHRP and DHCP configurations not shown in VRF Lite?
utilize network resources more effectively and efficiently. Using virtualization, a single physical
network can be logically segmented into many logical networks. The virtualization technology
supports multiple virtual routing instances of a routing table to exist within a single routing device
and work simultaneously.
Q. What are the pre-requisites to manage a device using VRF Lite?
A. The pre-requisites to manage a device in VRF Lite are:
1.
2.
3.
The devices failing to satisfy pre-requisite #1 or #2 are not displayed in VRF Lite.
The device must have the necessary hardware support. For more information on hardware support,
see
http://www.cisco.com/en/US/products/sw/cscowork/ps563/products_device_support_tables_list.html.
If the device hardware is not supported, the device will be classified as Other devices.
4.
5.
VTP Server must support MPLS VPN MIB. If the VTP Server does not support MPLS VPN MIB,
VRF Lite will not manage VTP Clients.
Q. The device must be managed by LMS to exercise all the functionality of VRF Lite. The desired
device is not listed in the device selector for the VRF Lite configuration workflows. What is the
reason for a device not listed in the device selector?
A. A device is not listed in the device selector due to the following reasons:
All VRF Lite Configuration workflows like Create, Edit, Extend, Delete VRF Lite and Edge VLAN
Configuration.
A device will not be listed in the Device Selector, if a device does not satisfy the pre-requisites as
mentioned in the Configuring Virtual Routing and Forwarding (VRF) in Configuration Management
with Cisco Prime LAN Management Solution 4.2.
If VRF Lite Configuration workflow is either Edit VRF Lite, or Delete VRF Lite or Edge VLAN
Configuration then a device will not be listed in the Device Selector, if a device is not participating
in the selected VRF Lite.
In the Readiness Report, a device listed as a supported device may be because it is not managed by
LMS. You can check if a device is managed by using the Device Management State Summary
(Inventory > Device Administration > Manage Device State).
In Extend VRF Lite workflow, the devices listed in the Device Selector are the devices that are not
participating in the selected VRF Lite.
In Edge VLAN Configuration workflow, the devices listed in the Device Selector are only L2/L3
devices that are not participating in the selected VRF Lite.
Q. What are the different categories in which the devices are managed by Virtual Network Manager?
Or what criteria are used by Virtual Network Manager to categorize the devices in the network?
A. Virtual Network Manager identifies the devices based on the minimum hardware and software
But the device software must be upgraded to support MPLS VPN MIB. For information on the
IOS version that supports MPLS VPN MIB, refer to
http://tools.cisco.com/ITDIT/MIBS/MainServlet.
VRF Lite classifies all the devices from Cat 3k and Cat 4k family of devices as VRF Lite
Capable devices as these devices do not have the required MPLS VPN MIB support.
Other Represents the devices without required hardware support to configure VRF Lite.
Q. Sometimes, while performing VRF Lite configuration, I get the following message:
The device(s) with device name(s) are already locked as they are used by configuration workflows.
You cannot configure these devices. Wait for some time Or Ensure the devices are not used by
configuration workflows and free the devices from Admin > Network > Resource Browser.
Or
Selected Device(s) are locked as they are used by configuration workflows. You cannot configure
these devices. Wait for some time OR Ensure the devices are not used by configuration workflows
and free the devices from Admin > Network > Resource Browser.
Can I get the details of the user who has locked the devices to perform VRF Lite configuration?
A. You cannot get the details of the user who has locked the devices to perform VRF Lite configurations.
Q. What are the details of the VRF Lite log files? In which location are the VRF Lite log files located?
A. The following are the details of the VRF Lite log files:
1. Vnmserver.log: This log file logs the messages pertaining to the VRF Lite Server process.
2. Vnmcollector.log: This log file logs the messages pertaining to the VRF Lite collection.
3. Vnmclient.log: This log file logs the messages related to the User Interface.
4. Vnmutils.log: This log file logs the messages pertaining to the utility classes used by VRF Lite
client and server.
The above-mentioned VRF Lite log files are located in the following location:
In Solaris/Soft Appliance : /var/adm/CSCOpx/log/
In Windows: NMSROOT\logs
Q. When is the VRF Lite Collection process triggered?
A. Manually:
You can manually schedule to run the VRF Lite Collection process by:
Providing the setting details using Admin > Collection Settings > VRF Lite > VRF Lite Collector
Schedule option.
Automatically:
If you enable Run VRF Lite Collector After Every Data Collection in the VRF Lite Collector
Schedule page, the VRF Lite Collection process is automatically triggered after the
completion of Data Collection.
You can reach the VRF Lite Collector Schedule page using Admin > Collection Settings > VRF
Lite > VRF Lite Collection Settings page.
Q. After the completion of the Data collection process, the VRF Lite Collector failed to run, What is
Lite Collector Schedule page. You can reach the VRF Lite Collector Schedule page from Admin >
Network > VRF Lite Collection Settings page.
Q. How can I configure SNMP timeout and retries details for VRF Lite?
A. The SNMP timeout and retries details are configured using Admin > Collection Settings > VRF
Lite > VRF Lite SNMP Timeouts and Retries. By default, all the devices have a timeout of six
seconds and retry attempt of 1 second.
Q. What is the reason for VLANs not getting populated in the VLAN to VRF Lite Mapping page in the
device. The VLANs are not listed in fields displaying the links in the VLAN to VRF Lite Mapping
page because VRF Lite tries to find a free VLAN in the devices connected using a link based on the
following procedure
1. An SVI, VRF Lite searches for free VLANs in the range 1-1005
2. An SI, VRF Lite searches for free VLANs in the range 1006-4005
Admin > System > Debug Settings > VRF Lite Client Debugging Options.
Admin > System > Debug Settings > VRF Lite Collector Debugging
Admin > System > Debug Settings > VRF Lite Server Debugging
Admin > System > Debug Settings > VRF Lite Utility Debugging
You can manually change the name and the size of the log file. The configuration log files are
available under NMSROOT/MDC/tomcat/webapps/vnm/WEB-INF/classes. The changes made will
be reflected after approximately 60 seconds.
Q. Why are some port-channels not discovered in VRF Lite?
A. VRF Lite does not support port-channel and GRE Tunnel. Also, currently VRF Lite supports only
802.1Q
Q. What are the processes newly introduced for VRF Lite?
A. To run VRF Lite, VRF Lite Server process is newly introduced in the application. The VRF Lite
configuration supported in 550 devices in your network. However, at a given time, you can select up
to 20 devices and configure VRF Lite using the Create, Edit and Extend VRF Lite workflow.
Q. What are the property files associated with VRF Lite?
A. The following property files are associated with VRF Lite:
1.
2.
3.
Q. In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow, why
Manager Essentials.
Choose NetConfig as the Application Name using the Admin > Collection Settings > Config >
Config Transport Settings page. You can view the protocol ordering in the Transport Settings page.
Q. What is protocol ordering for troubleshooting?
A. Troubleshooting VRF Lite workflow uses the protocol ordering similar to ordering used by NetShow
parallelly or serially?
A. The commands will be deployed to multiple devices in parallel, whereas a series of commands
the jobs pertaining to Create, Edit, Extend, Delete VRF Lite and Edge VLAN Configuration
workflow.
Q. Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page?
A. The functionality for Monitor Real Time button is provided by IPSLA Performance Management.
This button is enabled only when IPSLA Performance Management is enabled in the local server.
Q. Why are the FHRP and DHCP configurations not shown in VRF Lite?
A. VRF Lite does not fetch the details for the FHRP or DHCP configuration from the device. Also, VRF
General
Security
Important URLs
Software Center
Database
General
This section lists the general FAQs on LMS:
Q. Which version of the Java Plug-in should I use for Cisco Prime to function properly?
Q. Why am I unable to launch Cisco Prime from a Windows 2008 client machine?
Q. I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access?
Q. Do I need to change the Cisco Prime configuration after changing the IP address?
Q. How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running
it for a while?
Q. Cisco Prime Time is not synchronized with System time. What should I do?
Q. How do I change the configuration details of the server after installing LMS Soft Appliance?
Q. How can I increase the timeout value of Cisco Prime LMS user interface?
Q. How should I change the syslog port of Cisco Prime from 514 to another number?
Q. What should I do when Daemon Manager and multiple processes are not started on a Windows
machine?
Q. How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running
it for a while?
Q. Why do I get the Java Script Not Enabled error after logging into Cisco Prime?
Q. In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets?
Q. What are the specific ports required for Internet HTTP features?
Q. Why is the device name not available in the home page after importing?
Q. How do you ensure to register using a template and launch the links properly?
Q. I am getting timeout exception in cmdsvc (command service library) during a device
connection/socket establishment. How do I change the default timeout and delays in cmdsvc?
Q. What should I do when the TAC Service Requests feature that displays my current Cisco.com
TAC tickets does not use the proxy to connect, even after setting the proxy in proxy server setup?
Q. I am unable to access LMS running on Windows 2008 Server, when I use IE, but it works properly
in FF, what could be the reason?
Q. How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running
it for a while?
A. You can change the IP address on the server, and then access it using the new IP address.
Click Start > Settings > Network and Dial-up Connections > Local Area Connection.
The Local Area Connection Status dialog box appears.
Step 2
Click Properties.
The Local Area Connection Properties dialog box appears.
Step 3
Step 4
Step 5
Step 6
Enter these values in the Subnet mask and Default gateway fields.
Step 7
Step 8
Click OK.
Step 9
To change the IP address on Solaris, use the command ifconfig at the command prompt to change the IP
address of the required interface.
For example, at the command prompt, you can enter:
ifconfig interfacename ipv4address
where the variable interfacename represents the name of the interface and ipv4address represents the
new IP address.
Q. Why do I get the Java Script Not Enabled error after logging into Cisco Prime?
A. This could be because Java Script is disabled in Internet Explorer. You should enable it in IE.
To do so:
Step 1
Step 2
Step 3
Step 4
Clear the selection in Require server verification for all sites in this zone.
Step 5
Step 6
Click the Custom level button from the Security level for this zone panel.
Step 7
Step 8
Step 9
Click Apply.
Q. In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets?
A. In Microsoft Internet Explorer 7.0 and 8.0 browsers, the Telnet protocol handler is disabled by
Step 2
In the Open box, enter: Regedit, then click OK. The Registry Editor opens.
Step 3
Step 4
Step 5
Add a DWORD value named iexplore.exe and set the value to 0 (decimal).
Step 6
Step 7
Q. What are the specific ports required for Internet HTTP features?
A. Only port number 80 is required for all HTTP interactions between Cisco Prime LMS Server and
imported.
Q. How do you ensure to register using a template and launch the links properly?
A. Before you register through a template, you should ensure that:
The host is reachable.
Port information specified is correct and reflects the current port of the bundle.
The application is available and can be launched by entering the application URL in the browser.
Q. Which version of the Java Plug-in should I use for Cisco Prime to function properly?
A. Cisco Prime supports Java Plug-in 1.6.0_19 in all the supported clients and operating systems. We
recommend that you do not install any plug-ins other than this one, for Cisco Prime to function
properly.
server may not be running. This may occur although pdshow indicates that those processes are
running. You need to check how your machine resolves its server name and IP address.
The Cisco Prime CORBA applications require name resolution to work properly. Domain Name
Service (DNS) is mandatory for Cisco Prime CORBA applications to work properly.
Configure the name resolution mechanism and restart the Cisco Prime LMS Server to access the
application correctly.
Q. Why am I unable to launch Cisco Prime from a Windows 2008 client machine?
A. This is caused by the default security settings in the browsers. Sometimes, the META-REFRESH
Click Tools > Internet Options. The Internet Options dialog box opens.
Step 2
Step 3
Step 4
Step 5
In the Miscellaneous options, select the Enable option for Allow Meta Refresh field.
Step 6
Step 7
Step 8
Q. I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access?
A. There are several reasons why you are locked out. It is probably caused by the changes made using
the Select Login Module option. You must replace the incorrect login module with a default
configuration, log into Cisco Prime, and return to the login module to correct one or more of the
following:
Session Time out
Change from SSL mode to non-SSL mode
Change from non-SSL mode to SSL mode
Log out from any other Cisco Prime application
Visit other sites and then return to Cisco Prime
Prime uses hostname for most of the communication. Only devices need to point to the new IP
address. However, after changing the IP address, you must reboot the system on a Solaris server and
restart the Daemon Manager on a Windows server. This is to make the changes effective.
Q. How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running it
for a while?
A. To change the hostname of the Cisco Prime LMS Server, you need to update several files and
To change the port for osagent in Windows, run the following script at the command prompt:
NMSROOT\bin\perl NMSROOT\bin\ChangeOSAGENTPort.pl Port_Number
where Port_Number refers to any unused port number between 1026 and 65535.
The script completes the following:
Updates the value of the following registry entries with the new port numbers.
HKEY_LOCAL_MACHINE > SOFTWARE > Cisco > Resource Manager > Current
Changes the value of the port number to new port number in NameServer and NameServiceMonitor
processes.
Changes the value of OSAGENT_PORT and PX_OSA_PORT port numbers in the md.properties file
with the new port numbers.
Reboot the server and start the Daemon Manager after you have completed running the script.
Q. How do I change port for osagent in Solaris?
A. Before you change the port for osagent in Solaris:
Ensure that the daemons are not running.
To change the port for osagent in Solaris, run the following script at the command prompt:
NMSROOT/bin/perl NMSROOT/bin/ChangeOSAGENTPort.pl Port_Number
where Port_Number refers to any unused port number between 1026 and 65535.
Changes the value of the port number to new port number in NameServer and NameServiceMonitor
processes.
Changes the value of OSAGENT_PORT and PX_OSA_PORT port numbers in the md.properties file
with the new port numbers.
Reboot the server and start the Daemon Manager after you have completed running the scripts.
Q. How do I ensure that jrm is running fine?
A. To check whether jrm is working on Windows, at the command prompt enter:
cwjava -cw NMSROOT com.cisco.nm.cmf.jrm.jobcli
NMSROOT com.cisco.nm.cmf.jrm.jobcli
If you get a message Established connection with JRM, then EDS, EDS-GCF and jrm are
running.
If you do not get the above message, contact the technical assistance center with the error
message.
If your jrm is down or inaccessible, you'll get a message while accessing the UIs.
Q. How do I change the casuser password in Windows?
A. You can change the casuser password using resetCasuser.exe. It can be run only by an administrator
Step 2
1.
2.
3.
Exit.
Step 3
Note
You must know the password policy. If the password entered does not match the password policy,
it exits.
Go to NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml.
You should edit the following section of the file:
<context-param>
<param-name>DEBUG</param-name>
<param-value>false</param-value>
<description>mice debug enabling</description>
</context-param>
Step 2
This process calculates the disk space information of a drive (in Windows machine) or a file system
(in Solaris machine) at regular intervals and stores them in diskWatcher.log file.
See Configuring Disk Space Threshold Limit for more information.
Q. Cisco Prime Time is not synchronized with System time. What should I do?
A. You should complete the following:
a. Edit the TIMEZONE file using the vi /etc/TIMEZONE command on a Solaris machine.
b. Set the TZ=standard_timezone. For example, you can specify TZ=MET.
c. Save the TIMEZONE file.
d. Reboot the machine.
Now the system displays the modified time zone information. If you need to change the time zone
to daylight, you change only the time and date but not the TIMEZONE.
Q. How can I increase the timeout value of Cisco Prime LMS user interface?
A. You can configure the timeout value in the following file.
NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml
where NMSROOT is your Cisco Prime Installation directory.
You should change the value of the XML tag named session-timeout. You should specify the value
in minutes. The default timeout value is set to 2 hours.
You cannot disable this option as this may increase the load in the server.
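The two web.xml settings discussed above (the DEBUG context parameter and session-timeout) can be audited together before and after a change. The following is an added example, not part of the Cisco documentation or product; the sample file content, the function name audit_web_xml and the 120-minute review limit (the default stated above) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of web.xml (not a real LMS file).
SAMPLE_WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <context-param>
    <param-name>DEBUG</param-name>
    <param-value>true</param-value>
    <description>mice debug enabling</description>
  </context-param>
  <session-config>
    <session-timeout>480</session-timeout>
  </session-config>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text, max_minutes=120):
    """Return (settings, findings) for the DEBUG param and session-timeout.

    max_minutes is an assumed review limit; 120 matches the 2-hour default.
    """
    root = ET.fromstring(xml_text)
    settings = {"DEBUG": None, "session-timeout": None}
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "context-param":
            kids = {_local(c.tag): (c.text or "").strip() for c in elem}
            if kids.get("param-name") == "DEBUG":
                settings["DEBUG"] = kids.get("param-value", "")
        elif name == "session-timeout":
            settings["session-timeout"] = (elem.text or "").strip()

    findings = []
    if (settings["DEBUG"] or "").lower() == "true":
        findings.append("DEBUG is enabled")
    raw = settings["session-timeout"]
    if raw is None:
        findings.append("session-timeout not set; container default applies")
    else:
        try:
            minutes = int(raw)
        except ValueError:
            findings.append(f"session-timeout is not an integer: {raw!r}")
        else:
            if minutes <= 0:
                # Servlet containers treat 0 or a negative value as "never time out".
                findings.append("session-timeout <= 0: sessions never expire")
            elif minutes > max_minutes:
                findings.append(
                    f"session-timeout {minutes} min exceeds {max_minutes} min")
    return settings, findings


if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML)[1]:
        print("FINDING:", finding)
```

To audit a live server, pass the contents of NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml as xml_text.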
Q. How do I change the configuration details of the server after installing LMS Soft Appliance?
A. To change the configuration details of the server after installation:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
/etc/init.d/dmgtd stop
In all the examples, sysadmin represents the sysadmin username that you provided during installation.
Step 7
Step 8
Step 9
<HOSTNAME>/sysadmin#
Step 10
Right-click the server and select Power > Reset to start the server.
Or
Enter the following command:
<HOSTNAME>/sysadmin# reload
Save the Current ADE-OS running configuration ?(yes/no)[yes]?yes
Note
You should reboot the server only if you change the following configuration details:
Hostname
IP Address, IP Netmask
IP Default Gateway
Time Zone
Note
Step 12
You should execute this command only when you change the hostname. Each time you change the
hostname of the server, you must perform steps 1 to 9 to reflect the hostname changes in LMS.
Enter the following command to start the Daemons:
sysadmin#/etc/init.d/dmgtd start
Note
You must restart the Daemon Manager before and after you change the hostname.
Note
You must change the server configuration details only through Soft Appliance admin console.
Table B-5 lists the examples of how to change the Soft Appliance server configuration details.
Table B-5
Tasks
Configuration Details
See Supported Server Time Zones and Offset Settings for more details.
Change the Username/
Password
Q. How should I change the syslog port of Cisco Prime from 514 to another number?
A. You can change the syslog port by modifying the value of CrmLogPort registry key located under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmlog\Parameters.
After you have changed the syslog port, you need to restart the syslog service.
Q. What should I do when Daemon Manager and multiple processes are not started on a Windows
machine?
A. Sometimes, Windows may prevent some processes from running for security reasons.
Right-click the My Computer icon on your desktop and click Properties to open the System Properties
dialog box.
Step 2
Step 3
Click Settings from the Performance panel to open the Performance Options dialog box.
Step 4
Step 5
Check whether the java.exe and cwjava.exe are available in the list of blocked programs. If so, remove
the programs from the blocked list.
Step 6
Step 7
Step 8
connection/socket establishment. How do I change the default timeout and delays in cmdsvc?
A. You can change the default timeout and delays in cmdsvc using the cmdsvc.properties file available
Step 2
Step 3
Remove the Hash symbol (#) to uncomment a particular timeout or delay value.
Step 4
Step 5
Step 6
Q. What should I do when the TAC Service Requests feature that displays my current Cisco.com TAC
tickets does not use the proxy to connect, even after setting the proxy in proxy server setup?
A. Check whether the following production URLs are reachable from the server where the product is installed.
SASI_SERVER https://wsgx.cisco.com
RSR_SERVER https://wsgx.cisco.com
CSC_SERVER https://supportforums.cisco.com
CCOLOGINURL https://sso.cisco.com/autho/apps/nmtgSSapp/index.html
CCOLOGOUTURL https://sso.cisco.com/autho/logout.html
CASE_QUERY_URL https://tools.cisco.com/ServiceRequestTool/query/QueryCaseSearchAction.do?caseType=ciscoServiceRequest&method=doQueryByCase&SRNumber=
LOGIN_REDIRECT_URL https://fed.cisco.com/idp/startSSO.ping?PartnerSpId=csc.jivesoftware.com&TargetResource=
CSC_REDIRECT_URL https://supportforums.cisco.com
Q. I am unable to access LMS running on Windows 2008 Server, when I use IE, but it works properly
Important URLs
Q. What are the URLs that are most commonly used in LMS?
A. The following URLs are most commonly used in LMS and should be added in the proxy server:
General
http://www.cisco.com
Device update/Software update/Point Patch update
http://tools.cisco.com/software/catalog/swcs/softwaremetadata
http://tools.cisco.com/software/catalog/swcs/image
http://www.cco.cisco.com
http://www.cisco.com/cgi-bin/smarts/swim/crmiosbridge.pl
http://www.cisco.com/techsupport
Smart Services
SASI_SERVER https://wsgx.cisco.com
RSR_SERVER https://wsgx.cisco.com
CSC_SERVER https://supportforums.cisco.com
CCOLOGINURL https://sso.cisco.com/autho/apps/nmtgSSapp/index.html
CCOLOGOUTURL https://sso.cisco.com/autho/logout.html
CASE_QUERY_URL https://tools.cisco.com/ServiceRequestTool/query/QueryCaseSearchAction.do?caseType=ciscoServiceRequest
LOGIN_REDIRECT_URL https://fed.cisco.com/idp/startSSO.ping?PartnerSpId=csc.jivesoftware.com
CSC_REDIRECT_URL https://supportforums.cisco.com
PSIRT
Bug Toolkit
http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl
http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do??method=getAllBugs
http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do?method=getAffectedBugdata&bugid=
http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do?method=getBugsReport
Contract Connection
http://www.cisco.com/cgi-bin/front.x/cconx/conx_userinfo.pl
https://www.cisco.com/cgi-bin/front.x/cconx/conx_recv_data.pl
https://www.cisco.com/cgi-bin/front.x/cconx/conx_sortdetail_js.pl
Download Contracts https://apps.cisco.com/CustAdv/ServiceSales/contract/viewContractMgr.do?method=viewContractMgr
Security
The following are the FAQs on LMS Security:
Q. When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This
makes the process tedious. Is there a way to reduce the number of dialog boxes and steps?
Q. When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a
security alert related to the site's security certificate. It asks for my input to proceed further. Why?
Q. My server certificate for Cisco Prime has expired. What should I do?
Q. I have configured the Active Directory Login Module but it does not work. How can I analyze the
problem?
Q. What are the minimum and maximum length of user account names? How do I control them?
Q. Why am I getting a 403 forbidden error while trying to access Cisco Prime pages?
Q. When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This
makes the process tedious. Is there a way to reduce the number of dialog boxes and steps?
A. Yes. You have the following options:
If you are using self-signed certificates in Internet Explorer, install the certificate in the
browser's trusted certificate store, if you are confident about the identity of the server.
Use a server certificate issued by a prominent third party certificate authority (CA).
Configure the hostname in your server certificate properly, and use the same hostname to invoke
Cisco Prime.
Q. When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a
security alert related to the site's security certificate. It asks for my input to proceed further. Why?
A. Cisco Prime does not have any control over this behavior. This is an expected browser behavior
Certificate Authority.
The date of the certificate must be valid. (Each certificate is assigned a validity period. It can
The server should be invoked with the same name as the 'Issued to' field of the certificate.
To install the certificate in Internet Explorer:
Step 1
Step 2
Q. My server certificate for Cisco Prime has expired. What should I do?
A. If you are using a self-signed certificate, you can create a new certificate using the Create Self
Signed Certificate option. For more information, see Creating Self Signed Certificates.
If you are using a third party issued certificate, you must contact the certificate authority (CA) and renew
the certificate. You can use a self-signed certificate till you get the certificate renewed by the CA.
Note
Before you perform any certificate management operations (creating or modifying certificates), back up
the certificate files, the server private key in particular, and keep them in a safe location.
Q. I have configured the Active Directory Login Module but it does not work. How can I analyze the
problem?
A. To analyze the problem, enable the Debug mode for the Active Directory Login module. To do this:
Step 1
Log in as Admin.
Step 2
Step 3
Select a login module from the Available Login Modules list box and click Edit Options.
The Login Module Options dialog box appears.
Step 4
NMSROOT/MDC/Tomcat/logs/stdout.log
For all failed login attempts, the log files contain LDAP error messages, which specify the reason for the
failure.
For example, if the Usersroot configuration is incorrect, then the login module cannot match the
complete DN string with any entries in the Active Directory database.
It indicates which portion of the DN matched and which portion did not match. You can verify your
Active Directory setup and the entries for the Usersroot.
In some cases, the log file contains error messages with NameError. This indicates that either you
entered a wrong user ID or there is some spelling error in the Usersroot configuration.
Q. What are the minimum and maximum length of user account names? How do I control them?
A. The minimum length of a user account name is 5 characters. The maximum length of a user account
underscores (_), periods (.), tilde (~), commercial At character (@), number sign (#),
Apostrophe ('), solidus or leading slash (/), trailing slash (\), and space.
The username should start with alphabets, numerals and underscore characters.
The password can contain the alphabets, numerals, leading and trailing spaces, and any special
characters.
The length of username and password can span from 5 to 256 characters.
Installation directory.
Q. Why am I getting a 403 forbidden error while trying to access Cisco Prime pages?
A. You should check whether the casuser is assigned with the required local security policies.
Step 2
Click the Local Security Policy shortcut from the Administrative Tools folder.
The Local Security Policy window opens.
Step 3
Click Local policies > User Rights Assignment in the Local Security Policy window.
Step 4
If the casuser is not assigned with the required privileges, you should run the resetCasuser utility again.
Enter the following commands to run the resetCasuser utility:
Stop the Daemon Manager and check if there are any Apache or Tomcat processes running. If so,
kill the stray processes from the Task Manager or stop them from the Services panel.
Ensure that the casuser or administrator has the read permission for the CSCOpx,
CSCOpx/MDC/tomcat/webapps/cwhp directories, and their inner directories.
Software Center
The following are the FAQs on Software Center:
Q. What are the prerequisites for downloading Software Updates from Cisco.com?
Q. Does the Software Center list only the software updates that are not installed in this machine?
Q. What should I do if I see errors when using Software Center or having issues with LMS not
correctly working with supported devices?
packages are installed and which devices are supported, become corrupted.
If such files become corrupted, you may notice one or more of the following symptoms:
"HTTP 500" error occurs while trying to view package information from Admin > System >
[CreateMaps : removeDupEntries]
range: -1
Devices shown as supported in "Supported Devices Table for Cisco Prime LAN Management
Solution" and may have been working previously, show as not supported/unknown and displays
device icons in Device Selectors with a question mark (?) in one or more areas of LMS.
Various forms of Inventory/Configuration Collection from devices (Inventory > Dashboards
> Device Status > Collection Summary) fails for all devices of a particular model, but
succeeds for other devices with identical configuration, yet different models.
Specific models of devices are not available in Device Selectors to have reports, jobs or other
functionality run on them, however Inventory Collection and/or Config Archive has succeeded
for them. This is frequently seen with Configuration related functionality.
To resolve such issues, you can run the NMSROOT/bin/reCreatePkgMap.pl script and recreate files
which store information on which device support packages are installed and devices they support.
Run the following script:
NMSROOT/bin/perl NMSROOT/bin/reCreatePkgMap.pl (Solaris/Soft Appliance)
or
NMSROOT\bin\perl NMSROOT\bin\reCreatePkgMap.pl (Windows)
Step 2
Run the ChangeOSAGENTPort.pl script to change the port number. Enter the following command:
NMSROOT/bin/perl NMSROOT/bin/ChangeOSAGENTPort.pl Port_number
where:
NMSROOT: Cisco Prime Installation directory
Port_number: Osagent port
Step 3
Addresses in DNS.
Q. Sometimes, I am not able to access CORBA services in Cisco Prime LMS Server from other
network?
A. This could be because the domain name of the Cisco Prime LMS server may not be resolved.
To access the CORBA services in a server that is not DNS resolvable, you must:
Step 1
Step 2
Step 3
Q. What kind of directory structure does Cisco Prime use when backing up data?
Q. What should I do when backup fails and displays a Backup.LOCK file exists error
message?
Q. Do I need to stop the Daemon Manager before running backup.pl and restorebackup.pl scripts?
Q. What kind of directory structure does Cisco Prime use when backing up data?
A. Cisco Prime uses a standard database structure for backing up all suites and applications. See
Table B-6 for a sample directory structure on Cisco Prime LMS Server.
Table B-6
Directory Path
Description
Usage Notes
/tmp/1
Number of backups
1, 2, 3...
/tmp/2/cmf
Application or suite
/tmp/1/cmf/database
xxx_DbVersion.txt
backup again. You can use the CLI program to back up the data. See Backing up Data Using CLI
for more information.
Q. Do I need to stop the Daemon Manager before running backup.pl and restorebackup.pl scripts?
A. Daemons should be stopped only before you run restorebackup.pl scripts. You need not stop the
Database
The following are the FAQs on Database:
This can occur if processes are not running. Try the following:
Step 1
Step 2
Step 3
Step 4
Select Admin > System > Server Monitoring > Collect Server Information.
Step 5
Step 6
Contact the Cisco TAC or your customer support to get the information you need to access the database
and find out details about the problem.
After you have the required information, perform the following tasks for detecting and fixing database
errors.
Depending upon the degree of corruption, the database engine may or may not start. For certain
corruptions, such as bad indexes, the database can function normally until the corrupt index is accessed.
Database corruptions, such as index corruptions, can be detected by the dbvalid utility, which requires
the database engine to be running.
To detect database corruption:
Step 1
Log on as root (on Solaris/Soft Appliance) or with administrator privileges (on Windows).
Step 2
Step 3
/etc/init.d/dmgtd stop
(on Windows)
Make sure no database processes are running and there is no database log file.
For example, if the database file is /opt/CSCOpx/databases/rme/rme.db, the database log file is
/opt/CSCOpx/databases/rme/rme.log. This file is not present if the database process shuts down cleanly.
Step 4
Check if the database files and the transaction log file (*.log) are owned by user casuser if you use Solaris
machines. If not, change the ownership of these files to user casuser and group casusers.
Step 5
NMSROOT/objects/db/conf
Reinitializing database
Caution
Q. How do I avoid the SSL port conflict between HPOV and LMS servers and run them both on the
same system?
Q. Why does the Apache process not come up after installation or why does the process go down
suddenly?
Q. How should I enable or disable web server SSL mode from the command line?
Q. What is the maximum number of connections allowed by Cisco Prime to access the web interface?
Q. Why does the Apache server not start during the reboot process?
Q. How do I avoid the SSL port conflict between HPOV and LMS servers and run them both on the
same system?
A. The new installer detects IIS web server running on the machine and prompts you to enter a different
port number for Cisco Prime LMS Server to avoid the conflict.
Q. Why does the Apache process not come up after installation or why does the process go down
suddenly?
A. This could be a problem with the Apache configuration syntax or the validity of the server
Note
If the Apache configuration syntax is fine, check the validity of the Server Certificate using the SSL
Utility Script.
Solaris.
On Solaris:
You can change the web server port numbers for the webservers. You can also change both the HTTP
and HTTPS port numbers. To change the port numbers you must login as Cisco Prime LMS Server
administrator, and run the following command at the prompt:
NMSROOT/MDC/Apache/bin/changeport
If you run this command without any command line parameter, Cisco Prime displays:
*** CiscoWorks Webserver port change utility ***
Usage: changeport <port number> [-s] [-f]
where
port number: The new port number that should be used
-s: Changes
-f: Forces
Note
Do not use this option by default. Use it only when Cisco Prime instructs you to.
Or,
changeport port number -s: Changes the Cisco Prime web server HTTPS port to use the specified port
number.
If you change the port after installation, Cisco Prime will not launch from Start menu
(Start > Programs > Cisco Prime).
You have to manually invoke the browser, and specify the URL, with the changed port number.
The restrictions that apply to the specified port number are:
Port numbers less than 1026 are not allowed. However, you can use 443 as the HTTPS port number.
The specified port should not be used by any other service or daemon. The utility checks for active
listening ports, and ports listed in /etc/services. If there is any conflict, it rejects the specified port.
The port number must be a numeric value in the range 1026-65535. Values outside this range, and
non-numeric values are not allowed.
If port 443 is specified for any of the web servers, that web server process is started as root. This is
because ports lower than 1026 are allowed to be used only by root in Solaris.
However, according to Apache behavior, only the main web server process runs as root, and all the
child processes run as casuser:casusers. Only the child processes serve the external requests.
The main process that runs as root monitors the child processes. It does not accept any HTTP
requests. Owing to this, Apache ensures that a root process is not exposed to the external world, and
thus ensures security.
If you do not want Cisco Prime processes to run as root, do not use the port 443.
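The restrictions listed above can be applied as a pre-check before running changeport. The following is an added example, not the changeport utility's own logic; the function names, the constructed /etc/services sample and the treatment of 443 as exempt from the /etc/services lookup are assumptions. It also shows why the /etc/services lookup matters: it catches a port reserved by a service that is currently stopped, which a check of active listeners alone would miss.

```python
import re

# Constructed sample of an /etc/services file (not taken from a real host).
SAMPLE_SERVICES = """\
# name      port/proto  aliases
ssh         22/tcp
https       443/tcp
syslog      514/udp
ingreslock  1524/tcp
nfsd        2049/udp    nfs
nfsd        2049/tcp    nfs
"""

PORT_MIN, PORT_MAX = 1026, 65535   # range stated in the restrictions
HTTPS_EXCEPTION = 443              # allowed only as the HTTPS port


def parse_services(text):
    """Map port number -> set of service names from /etc/services text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(\S+)\s+(\d+)/(tcp|udp)\b", line)
        if m:
            table.setdefault(int(m.group(2)), set()).add(m.group(1))
    return table


def check_port(candidate, https, services_text, listening):
    """Return (reasons, needs_root); an empty reasons list means the port passes.

    candidate     -- the value as typed (string), so non-numeric input is caught
    https         -- True when the port is meant for HTTPS (the -s option)
    services_text -- contents of /etc/services ("" where no such registry exists)
    listening     -- set of ports with an active listener on this host
    """
    text = str(candidate).strip()
    if not re.fullmatch(r"[0-9]+", text):
        return ["not a numeric value"], False
    port = int(text)
    is_exception = https and port == HTTPS_EXCEPTION

    reasons = []
    if not is_exception and not (PORT_MIN <= port <= PORT_MAX):
        reasons.append(f"outside {PORT_MIN}-{PORT_MAX}")
    if port in listening:
        reasons.append("already in use by an active listener")
    # Assumption: the 443 exception also skips the /etc/services lookup,
    # because https is normally registered there.
    names = parse_services(services_text).get(port, set())
    if names and not is_exception:
        reasons.append("listed in /etc/services as " + ", ".join(sorted(names)))

    # Ports below 1026 can be bound only by root, so an accepted 443
    # means the main web server process starts as root.
    needs_root = port < PORT_MIN and not reasons
    return reasons, needs_root


if __name__ == "__main__":
    for value, https in [("1744", False), ("443", True), ("2049", False), ("80a", False)]:
        print(value, https, check_port(value, https, SAMPLE_SERVICES, {80, 443}))
```

On a host without a port registry such as /etc/services, pass an empty services_text; only the range and active-listener checks then apply.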
When you run the utility with the appropriate options, it displays messages on the tasks it performs.
This utility lists all the files that are being updated. Before updating, the utility will back up all
affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories.
It also creates a new file called index.txt. This text file contains information about the changed
port, a list of all the files that are backed up, and their actual location in the Cisco Prime directory.
If you do not want Cisco Prime processes to run as root, do not use the ports 80 and 443.
When you run the utility with the appropriate options, it displays messages on the tasks it performs.
This utility lists out all the files that are being updated. Before updating, the utility will back up all
affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories.
It also creates a new file index.txt. This text file contains information about the changed port and a
list of all files that are backed up and their actual location in the Cisco Prime directory.
Note
All of the above files and the unique directories are stored with read only permission to casuser:casusers.
To ensure the security of the backup files, only the Cisco Prime LMS Server administrator has write
permissions.
The change port utility displays messages to the console during execution. These messages contain
information about the directory where the backup files are being stored. These messages are also logged
to a file, changeport.log.
This file is saved to the directory:
/var/adm/CSCOpx/log/changeport.log
This file contains the date and time stamps to indicate when the log entries were created.
On Windows:
You can change the web server port numbers for the LMS Webserver. You can also change both the
HTTP and HTTPS port numbers.
To change the port numbers you must have administrative privileges. Run the following command at the
prompt:
NMSROOT\MDC\Apache\changeport.exe
If you run this utility without any command line parameter, Cisco Prime displays the following usage
text:
*** Common Services Webserver port change utility ***
Usage: changeport <port number> [-s] [-f]
where:
port number: The new port number that should be used
-s: Change
-f: Force
Note
Do not use this option by default. Use it only when Cisco Prime instructs you to.
change the Cisco Prime web server HTTP port to use 1744.
Or,
changeport port number -s: Changes the Cisco Prime web server HTTPS port to use the specified port
number.
If you change the port after installation, Cisco Prime will not launch from Start menu (Start > Programs
> Cisco Prime). You have to manually invoke the browser and specify the URL, with the changed port
number.
The restrictions that apply to the specified port number are:
Port numbers less than 1026 are not allowed. However, you can use 443 as the HTTPS port number.
The specified port should not be used by any other service or daemon. The utility checks for active
listening ports, and if any conflict is found, the utility rejects the specified port.
There is no reliable way to determine whether any other service or application is using a specified
port. If the service or application is running and actively listening on a port, it can be easily detected.
However, if the service is currently stopped, there is no way that the utility can determine what port
it uses. This is because on Windows there is no common port registry equivalent to /etc/services as
in Solaris.
The port number must be a numeric value in the range 1026 to 65535. Values outside this range and
non-numeric values are not allowed.
When you run the utility with the appropriate options, it displays messages on the actions it is
performing.
It lists all the files that are being updated. Before updating, the utility backs up all the affected files
in CSCOpx\conf\backup, and creates appropriate unique sub-directories.
It also creates a new file called index.txt. This text file contains information about the changed port,
a list of all the files that are backed up, and their actual location in the Cisco Prime directory.
A sample backup may be similar to:
[drive:]
 |
 `--\Program Files
     |
     `--\CSCOpx
         |
         `--\conf
             |
             `--\backup
                 |
                 |--README.txt       (Notes the purpose of this dir as it is initially empty)
                 |
                 `--\skc03._Ciscobak (Autogenerated unique backup directory)
                     |
                     |--index.txt       (The backup file list)
                     |--httpd.conf      (Webserver config file)
                     |--md.properties   (CiscoWorks config elements)
                     |--mdc_web.xml     (Common Services application config file)
                     |--regdaemon.key   (Common Services config registry key file)
                     |--regdaemon.xml   (Common Services config registry data file)
                     `--ssl.properties  (CiscoWorks config elements for SSL mode)
Note
All the above files and the unique directories are stored with read only permissions. Only the
administrator and casuser have write permissions, to ensure the security of the backup files.
The change port utility displays messages to the console during execution. These messages contain
information about the directory where the backup files are being stored. These messages are also logged
to a file, changeport.log.
This file is saved to the directory:
NMSROOT\log\changeport.log
This log file contains the date and time stamps to indicate when the log entries were created.
Q. How should I enable or disable web server SSL mode from the command line?
A. To enable or disable the web server SSL mode:
Step 1
Step 2
Step 3
NMSROOT/bin/perl ConfigSSL.pl -enable (to enable the web server SSL mode from the
command line)
NMSROOT/bin/perl ConfigSSL.pl -disable (to disable the web server SSL mode from the
command line)
On Solaris/Soft Appliance:
Run /etc/init.d/dmgtd stop
On Windows:
Run net stop crmdmgtd
Step 2
Step 3
On Solaris/Soft Appliance:
Run /etc/init.d/dmgtd stop
On Windows:
Run net start crmdmgtd
If Tomcat is already configured for higher memory than what you specify when you run the command,
the following message is displayed:
INFO: Tomcat is already configured with a higher heap value.
Go to NMSROOT\MDC\Apache
b.
On Solaris/Soft Appliance:
a.
Go to NMSROOT/MDC/Apache/bin
b.
After you have entered this command, the system displays a set of options.
Step 2
Select the fourth option Verify the input Certificate/Certificate Chain by entering 4.
Step 3
Step 4
Note
requests.
Step 2
Step 3
Navigate to the location where you have extracted this jar file.
Step 4
Q. Why does the Apache server not start during the reboot process?
Anti-virus causes the processes to come up slowly after reboot. Delay the anti-virus during startup to
solve the issue. Ensure that the NMSROOT folder is excluded correctly from anti-virus and reboot the
server after shutting down the anti-virus completely.
Q. What is the difference between SNMP Raw Trap Forwarding and Processed SNMP Trap
alert/event Trap Forwarding? Does LMS support both of these methods?
Q. How can I create a link to the Java Plug-in in Netscape 7.x and Mozilla 1.7.x?
Settings page appears. Click the Enable Incharge Debugging, and execute Incharge Commands
link. See, Enable Incharge Debugging for more information.
Q. What is the difference between SNMP Raw Trap Forwarding and Processed SNMP Trap alert/event
Raw Trap is forwarded by the Device to Fault Management and Fault Management has to process
it. To configure Raw Trap Forwarding, select Admin > Network > Notification and Action
Settings > Fault - SNMP trap forwarding.
When LMS receives certain SNMP traps, it analyzes the data found in fields such as
Enterprise/Generic trap identifier, Specific Trap identifier, and variable-bindings of each SNMP trap
message.
If needed, LMS changes the property value of the object property. These are Processed Traps. To
configure Processed event/alert trap forwarding, select Admin > Network > Notification and
Action Settings > Fault - SNMP trap forwarding. This configuration can also send trap
notifications if there is a threshold violation in the LMS managed devices.
For more information, refer to the Monitoring and Troubleshooting with Cisco Prime LAN
Management Solution 4.2
Enable Syslog from Admin > Network > Notification and Action Settings > Fault - Syslog
notification
Step 2
/etc/init.d/syslog start
tail -f /var/adm/messages
Q. How can I create a link to the Java Plug-in in Netscape7.x and Mozilla 1.7.x?
A. Create a symbolic link to the Java Plug-in libjavaplugin_oji.so file in the Netscape 6.x/7.x or Mozilla
Plugins directory. To create the link, go to the command prompt and enter:
Step 1
cd /plugins
Step 2
ln -s /plugin/sparc/ns610/libjavaplugin_oji.so
at these locations:
On Windows: NMSROOT\log\, where NMSROOT is the Cisco Prime DPM installation directory.
Q. I have problems while migrating the IPSLA Performance Management data. What should I do?
Select Admin > System > Debug Settings > IPSLA Debugging Settings.
The IPSLA Debugging Settings page appears.
Step 2
Select the module and log level from the Module and Logging Level drop-down lists.
The various log levels available are FATAL, ERROR, WARN, INFO, and DEBUG.
Step 3
Click Apply.
Q. I have problems while migrating the IPSLA Performance Management data. What should I do?
A. Check the following log files for information:
restorebackup.log
migration.log
ipmclient.log
ipmserver.log
Appendix C
cmexport Manpage
Table C-1
For                  Location
User Tracking        PX_DATADIR/cmexport/ut/timestamput.xml
Layer 2 Topology     PX_DATADIR/cmexport/L2Topology/timestampL2Topology.xml
Discrepancy          PX_DATADIR/cmexport/Discrepancy/timestampDiscrepancy.xml
Generating user tracking and configuration data in XML format using the Servlet:
Allows you to generate and download the user tracking, topology and discrepancy XML files using
the servlet.
You must upload a payload XML file, which contains the cmexport and utexport command options
and Cisco Prime user credentials.
You should write your own script to invoke the servlet with a payload of this XML file. If the
credentials are correct and options are valid, the servlet returns the exported file in XML format.
Commands
where:
cmexport is the Cisco Prime LMS command line interface for exporting User Tracking, Layer 2
topology, and discrepancy data details into XML format.
arguments are the additional parameters required for each core command.
options are the optional parameters, which modify the behavior of the specific DEE core command.
The order of the arguments and options is not important. However, you must enter the core command
immediately after cmexport.
Commands
Command Descriptions
Core Command
Description
ut
l2topology
discrepancy
You must invoke the cmexport command with one of the core commands specified in the above table. If
you do not specify any core commands, cmexport can only execute the -v or -h options:
Option -h (or null option) lists the usage information for this utility.
Mandatory Arguments
Optional Arguments
Function-Specific Options
Displaying Help
Uses of cmexport
Mandatory Arguments
The arguments that must be specified with all functions are:
-u
-p
If you want to avoid the -p option, which reveals the password in clear text on the command line,
you must store your userid and password in a file and set a variable CMEXPORTFILE that points to
this file.
You must maintain this file and control its access permissions to prevent unauthorized access. If
CMEXPORTFILE is set to only the file name instead of the full path, cmexport looks for the file in
the current working directory.
If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken
from the command line instead of from CMEXPORTFILE. This is not secure and we
recommend that you do not use this option.
You must enter the password in the file in the following format:
userid password
where userid is the Cisco Prime user name given in the command line. The delimiter between the
userid and password is a single blank space.
You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the
password.
The password file can contain multiple entries with different user names. If there are duplicate
entries the password that matches the first user name is considered.
Note
If -p password is used, the password is read from the command line instead of
CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
Optional Arguments
The arguments you can specify with any function are:
-d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of
debugging: TRACE and DEBUG. If you do not specify the -d option, logging will not occur.
-l logfile
Logs the results of the cmexport command to the specified log file name. By default the command
output is displayed in the standard output.
Function-Specific Options
DEE supports the following function-specific option:
-f filename
If used with:
Topology function: Specifies the name of the file to which the layer 2 topology information is to
be exported.
Discrepancy function: Specifies the name of the file to which the discrepancy information is to be
exported.
Displaying Help
To display help for cmexport, enter the following at a CLI prompt: cmexport -h
This displays a list of options for cmexport.
On Solaris, you can also enter the following at a CLI prompt:
man cmexport
Uses of cmexport
If you enter:
cmexport ut
User Tracking XML output for host will be generated and it is stored in the file filename.xml.
If you want to export the latest topology details for all Layer 2 devices enter:
cmexport L2Topology {u
Notations
The notations followed in describing the command line arguments are explained below:
{argument}: Argument is a mandatory parameter.
[argument]: Argument is an optional parameter.
argument: Argument is a variable.
argument 1 | argument 2: Either argument 1 or argument 2 may be specified but not both.
Table C-3 lists the notations part of the cmexport syntax.
Table C-3
Notations Descriptions
Command
Description
ut
l2topology
discrepancy
empty
[-v | -h]
-vDisplays
-hLists
Name
Synopsis
Description
Mandatory Arguments
Accessing Help
Examples
Name
cmexport ut:
Synopsis
cmexport ut: { -u
Table C-4
Command Descriptions
Argument
host-options
-query queryname
-query queryname -view viewname
-layout layoutname
-layout layoutname -view viewname
-query queryname -layout layoutname
-query queryname -layout layoutname -view viewname
phone-options
-queryPhone queryname
-layoutPhone layoutname
-queryPhone
options
-f filename
-d debuglevel
-l logfile
Description
User Tracking (specified by ut) exports the user tracking data into an XML file based on a predefined
schema.
Mandatory Arguments
The options that must be specified with the cmexport ut function are:
-u
-p
If you want to avoid the -p option, which reveals the password in clear text on the command line,
you must store your userid and password in a file and set a variable CMEXPORTFILE that points to
this file.
You must maintain this file and control its access permissions to prevent unauthorized access. If
CMEXPORTFILE is set to only the file name instead of the full path, cmexport looks for the file in
the current working directory.
If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken
from the command line instead of from CMEXPORTFILE. This is not secure and we recommend
that you do not use this option.
The password must be provided in the file in the following format:
userid password
where userid is the Cisco Prime user name given in the command line. The delimiter between the
userid and password is a single blank space.
You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the
password. The password file can contain multiple entries with different user names. The password
that matches the first user name is considered in case of duplicate entries.
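The credentials-file rules above (repeated in the Mandatory Arguments text for every cmexport function) can be checked before CMEXPORTFILE is set. The shell functions below are an added example, not part of Cisco Prime LMS or of the original manual; the function names, the sample entries and the owner-only (0600) permission target are assumptions.

```shell
#!/bin/sh
# Added example (not Cisco code): create and audit the file CMEXPORTFILE points to.
# Function names, sample entries and the 0600 permission target are assumptions.

# create_cmexportfile FILE USERID
# Reads the password from standard input rather than from an argument
# (arguments are visible in `ps` output) and appends "userid password".
create_cmexportfile() {
    file=$1 user=$2
    case $file in
        /*) ;;
        *) echo "use a full path, not '$file'" >&2; return 1 ;;
    esac
    pw=
    IFS= read -r pw || true          # an empty password is allowed
    old_umask=$(umask)
    umask 077                        # a new file is created owner-only
    printf '%s %s\n' "$user" "$pw" >> "$file" || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    chmod 600 "$file"                # tighten a file that already existed
}

# audit_cmexportfile FILE USERID
# Prints one finding per line and returns 0 only when there are none.
audit_cmexportfile() {
    file=$1 user=$2 findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    case $file in
        /*) ;;
        *) note "RELATIVE_PATH: '$file' is looked up in the current working directory" ;;
    esac
    if [ ! -f "$file" ]; then
        note "MISSING: '$file' is not a regular file"
        return 1
    fi

    # Mode string from ls, e.g. -rw-------; characters 5-10 are group and other.
    mode=$(ls -ld "$file" | cut -c1-10)
    case ${mode#????} in
        ------) ;;
        *) note "PERMISSIONS: mode $mode grants group or other access" ;;
    esac

    lineno=0 seen=" " matched=no
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            "") continue ;;
            *" "*) ;;
            *) note "NO_DELIMITER: line $lineno has no blank after the userid"
               continue ;;
        esac
        id=${line%% *}               # userid is everything before the first blank
        case $seen in
            *" $id "*) note "DUPLICATE: line $lineno repeats '$id'; only its first entry is used" ;;
            *) seen="$seen$id " ;;
        esac
        if [ "$id" = "$user" ]; then matched=yes; fi
    done < "$file"
    if [ "$matched" = no ]; then note "NO_ENTRY: no entry for userid '$user'"; fi
    [ "$findings" -eq 0 ]
}

# Demo on a constructed file (the entries below are made up for illustration).
demo_dir=$(mktemp -d)
printf 'admin first\nadmin second\noperator\n' > "$demo_dir/cmexport.cred"
chmod 644 "$demo_dir/cmexport.cred"
audit_cmexportfile "$demo_dir/cmexport.cred" admin ||
    echo "resolve the findings before setting CMEXPORTFILE"
rm -rf "$demo_dir"
# After a clean audit:  CMEXPORTFILE=/full/path/to/file; export CMEXPORTFILE
# then run cmexport with -u only, for example: cmexport ut -u admin -view switch -host
```

The audit never prints a password; it reports only line numbers and user names.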
Note
If -p password is used, the password is read from the command line instead of
CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
-host:
-phone:
Options
-d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of
debugging: TRACE and DEBUG. If you do not specify the -d option, no logging will occur.
-l logfile
Logs the results of the cmexport command to the specified logfile name. By default the command
output will be displayed in the standard output.
-f filename
The file option specifies the filename where the XML output is to be stored. If the filename is not
specified with the -f option, an XML file of the format timestamput.xml is stored in the following
directory: PX_DATADIR/cmexport/ut
-view
Specifies the format in which the user tracking XML data is to be presented. It supports two optional
arguments:
a. switch: User Tracking data is displayed based on the type of switch.
b. subnet: User Tracking data is displayed based on the subnet in which they are present.
-query queryname
User Tracking host data is exported in XML format for the query provided in queryname. This
option must be used with the -host argument. For this option:
Create a Custom report for end hosts from the mega menu:
Reports > Report Designer > User Tracking > Custom Reports.
Use the Custom report name as a value here.
-layout layoutname
User Tracking host data is exported in XML format for the layout provided in layoutname. This
option must be used with the -host argument. For this option:
Create a Custom layout for end hosts in the following screen:
Reports > Report Designer > User Tracking > Custom Layouts.
Use the Custom layout name as a value here.
Note
The Custom layouts are defined per user. An invalid layout name error message is
displayed if a layout name created by another user is entered as the custom layout name.
-queryPhone queryname
User Tracking phone data is exported in XML format for the query given in queryname. This option
must be used with the -phone argument. For this option:
Create a Custom report for IP phones in the following screen:
Reports > Report Designer > User Tracking > Custom Reports.
Use the Custom report name as a value here.
-layoutPhone layoutPhone
User Tracking phone data is exported in XML format for the layout given in layoutPhone. This
option must be used with the -phone argument. For this option:
Create a Custom layout for IP phones in the following screen:
Reports > Report Designer > User Tracking > Custom Layouts.
Use the Custom layout name as a value here.
Accessing Help
cmexport -h:
cmexport ut -h:
Examples
cmexport ut -u admin -p admin -host
cmexport ut -u admin -p admin -phone
cmexport ut -u admin -p admin -host -query host1Query -layout all
cmexport ut -u admin -p admin -host -query host1Query -layout layoutname
cmexport ut -u admin -p admin -phone -queryPhone phone1Query -layoutPhone phone1Layout
cmexport ut -u admin -p admin -host -f file1.xml
cmexport ut -u admin -view switch -host
Name
Synopsis
Description
Mandatory Arguments
Accessing Help
Examples
Name
cmexport
Synopsis
cmexport l2topology
Table C-5
Command Description
Argument
options
-f filename
-d debuglevel
-l logfile
where cmexport l2topology -h lists the options available and function of each option.
Description
Layer 2 Topology (specified by l2topology) exports the Layer 2 topology data into an XML file based
on a predefined schema.
Mandatory Arguments
The options that you must specify with the cmexport L2Topology function are:
-u
-p
password
You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the
password. The password file can contain multiple entries with different user names. The password
that matches the first user name is considered in case of duplicate entries.
Note
If -p password is used, the password is read from the command line instead of
CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
Options
The options you can specify with the layer 2 topology function are:
-d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of
debugging: TRACE and DEBUG. If you do not specify the -d option, no logging will occur.
-l logfile
Logs the results of the cmexport command to the specified logfile name. By default the command
output will be displayed in the standard output.
-f filename
The file option specifies the filename where the XML output is to be stored. If the filename is not
specified with the -f option, an XML file of the format timestampL2Topology.xml is stored in the
following directory: PX_DATADIR/cmexport/L2Topology
Accessing Help
Examples
Considering userid: admin, password: admin, filename: file1.xml, you can have the following:
cmexport L2Topology -u admin -p admin
cmexport L2Topology -u admin -p admin -f file1.xml
cmexport L2Topology -u admin -l file.log
Name
Synopsis
Description
Mandatory Arguments
Accessing Help
Examples
Name
cmexport Discrepancy:
Synopsis
cmexport discrepancy
where
Table C-6
Command Description
Argument
options
-f filename
-d debuglevel
-l logfile
Description
Discrepancy (specified by Discrepancy) exports the Discrepancy data into an XML file based on a
predefined schema.
Mandatory Arguments
The options that you must specify with the cmexport Discrepancy function are:
-u
-p
password
Note
If -p password is used, the password is read from the command line instead of
CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
Options
The options you can specify with the Discrepancy function are:
-d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of
debugging: TRACE and DEBUG. If you do not specify the -d option, no logging will occur.
-l logfile
Logs the results of the cmexport command to the specified log file name. By default the command
output will be displayed in the standard output.
-f filename
The file option specifies the filename where the XML output is to be stored. If the filename is not
specified with the -f option, an XML file of the format timestampDiscrepancy.xml is stored in the
following directory: PX_DATADIR/cmexport/Discrepancy
Accessing Help
Examples
Considering userid: admin, password: admin, filename: file1.xml, you can have the following:
cmexport Discrepancy -u admin -p admin
cmexport Discrepancy -u admin -p admin -f file1.xml
cmexport Discrepancy -u admin -d 2
cmexport Manpage
This section contains:
Commands
Accessing Help
where:
cmexport is the Cisco Prime LMS command line interface for exporting User Tracking, Layer 2
topology, and discrepancy data details into XML format.
arguments are the additional parameters required for each core command.
options are the optional parameters, which modify the behavior of the specific DEE core command.
The order of the arguments and options is not important. However, you must enter the core command
immediately after cmexport.
Commands
Table C-7 lists the command part of the cmexport syntax.
Table C-7
Command Description
Core Command
Description
ut
l2topology
discrepancy
You must invoke the cmexport command with one of the core commands specified in the above table. If
no core command is specified, cmexport can execute the -v or -h options only:
Option -h (or null option) lists the usage information of this utility.
Mandatory Arguments
Function-Specific Options
Mandatory Arguments
The options that must be specified with all functions are:
-u
Optional Arguments
The options you can specify with any function are:
-p password
Note
If -p password is used, the password is read from the command line instead of
CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
-d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of
debugging: TRACE and DEBUG. If you do not specify the -d option, no logging will occur.
-l logfile
Logs the results of the cmexport command to the specified log file name. By default the command
output will be displayed in the standard output.
Function-Specific Options
The following function-specific option is supported:
-f filename
User Tracking function: Specifies the name of the file to which the user tracking information is to
be exported.
Topology function: Specifies the name of the file to which the layer 2 topology information is to
be exported.
Discrepancy function: Specifies the name of the file to which the discrepancy information is to be
exported.
Accessing Help
Enter the following in the CLI:
cmexport -h:
<xs:complexType>
<xs:sequence>
<xs:element name="SubnetId" type="xs:string"/>
<xs:element name="UTData" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="UTData">
<xs:complexType>
<xs:sequence>
<xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="MACAddress" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="HostName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="IPAddress" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="IPv6Address" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PrefixLength" type="xs:string" minOccurs="0"
maxOccurs="1"/>
<xs:element name="Prefix" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="DeviceName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Device" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Port" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortState" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortDuplex" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortSpeed" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VTPDomain" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLANId" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLANType" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="trBRFVLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="SecondaryVlan" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Ring" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Bridge" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="LastSeen" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Notes" type="xs:string" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Device">
<xs:complexType>
<xs:sequence>
<xs:element name="DeviceName" type="xs:string"/>
<xs:element name="IPAddress" type="xs:string"/>
<xs:element name="DeviceState">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:pattern value="Reachable"/>
<xs:pattern value="UnReachable"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="DeviceType" type="xs:string"/>
<xs:element ref="Neighbors" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Neighbors">
<xs:complexType>
<xs:sequence>
<xs:element ref="Neighbor" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Neighbor">
<xs:complexType>
<xs:sequence>
<xs:element name="NeighborIPAddress" type="xs:string"/>
<xs:element name="NeighborDeviceType" type="xs:string"/>
<xs:element name="Link" type="xs:string"/>
<xs:element name="LocalPort" type="xs:string"/>
<xs:element name="RemotePort" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
To invoke cmexport and utexport commands, the servlet requires a payload file that contains details
such as:
User credentials
The command you want to execute.
Optional details such as log and debug options as inputs in XML format.
The servlet then parses the payload file encoded in XML, performs the operations, and returns the results
in XML format. You must create the payload file to include the input details and submit it when you ask
for servlet access.
Typically, servlet access is used when you need to use the data export feature from a client system.
To use DEE export features, you can write a script to upload the payload file and perform the data export
functions.
See the following sample scripts:
For example, if you are using the script test.pl, you can invoke the servlet in either of these modes:
HTTP Mode
HTTPS Mode
HTTP Mode
HTTPS Mode
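import java.io.*;
import java.net.URL;
import java.net.HttpURLConnection;
import java.lang.String;
import java.lang.Byte;

class CMExportServletRun {
    public static void main (String args[])
    {
        try {
            URL url = new URL("http://localhost:1741/campus/servlet/CMExportServlet");
            // request body sent to the servlet
            String payload = "adminadminut_hostdee.log1";
            HttpURLConnection con;
            InputStream is;
            // opens connection to servlet
            con = (HttpURLConnection)url.openConnection();
            con.setRequestMethod("POST");
            con.setRequestProperty("Content-type", "text/xml");
            con.setDoOutput(true);
            con.setUseCaches(false);
            // writes the payload as the POST body
            OutputStream bos = new BufferedOutputStream(con.getOutputStream());
            PrintWriter out = new PrintWriter(bos);
            out.println(payload);
            out.flush();
            out.close();
            // reads the servlet response and prints it to standard output
            is = con.getInputStream();
            BufferedReader in = new BufferedReader(new InputStreamReader(is));
            String line;
            while ((line = in.readLine()) != null) {
                System.out.println(line);
            }
            in.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}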
Payload File
The payload file is an XML file that contains inputs required for the DEE servlet to process requests for
data export. Schema for the payload XML file is given in Schema for Payload File.
Table C-8 describes the elements in the schema.
Table C-8
Element
Description
username
password
command
view
queryname
User Tracking host data is exported in XML format for the query provided
in queryname.
You can use this option when you specify ut_host
layoutname
User Tracking host data is exported in XML format for the layout provided
in layoutname.
You can use this option when you specify ut_host
queryphone
User Tracking phone data is exported in XML format for the query given
in queryphone.
You can use this option when you specify ut_phone
layoutphone
User Tracking phone data is exported in XML format for the layout given
in layoutPhone.
You can use this option when you specify ut_phone
debug
You can use the following schema for creating the payload file in XML format.
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
attributeFormDefault="unqualified">
<xs:element name="payload">
<xs:complexType>
<xs:sequence>
<xs:element name="username" type="xs:string"/>
<xs:element name="password" type="xs:string"/>
<xs:element name="command" type="xs:string"/>
<xs:element name="view" type="xs:string"/>
<xs:element name="queryname" type="xs:string"/>
<xs:element name="layoutname" type="xs:string"/>
<xs:element name="queryphone" type="xs:string"/>
<xs:element name="layoutphone" type="xs:string"/>
<xs:element name="debug" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
Appendix D
General Security: Partially implemented by the client components of Cisco Prime and by the
system administrator.
Server Security: Partially implemented by the server components of Cisco Prime and by the system
administrator.
Application Security: Implemented by the client and server components of the Cisco Prime
applications.
General Security
The Cisco Prime LMS Server provides an environment that allows the deployment of web-based network
management applications.
Web access provides an easy-to-use and easy-to-access computing model that is more difficult to secure
than the standard computing model that only requires a system login to execute applications.
The Cisco Prime LMS Server also provides security mechanisms (authentication and authorization) used
to prevent unauthenticated access to the Cisco Prime LMS Server and unauthorized access to Cisco
Prime applications and data.
However, Cisco Prime applications can change the behavior and security of your network devices.
Therefore, it is critical to limit access to applications and servers as follows:
Limit access to personnel who need access to applications or the data that the applications provide.
Limit Cisco Prime LMS Server logins to just the systems administrator.
Limit connectivity access to the Cisco Prime LMS Server by putting it behind a firewall.
Server Security
The Cisco Prime LMS Server uses the basic security mechanisms of the operating system to protect the
code and data files that reside on the server. The following Cisco Prime LMS Server security control
elements apply:
Server-Imposed Security
Server-Imposed Security
The Cisco Prime LMS Server has many dimensions, such as:
Runtime
Remote Connectivity
Access Control
UNIX Systems: Cisco Prime must be installed by a user with root privilege. It should be installed
as the user casuser with a casusers group. If the system administrator needs to work on casuser
files, a user with a name chosen by the system administrator must be created and added to the
casusers group.
All files and directories are owned by casuser with group equal to casusers. Temporary files are
created as the user casuser with permissions set to read-write for the user casuser and read for
members of group casusers.
The only exception to this rule is the log files created by the Cisco Prime web server and
diskWatcher. The Cisco Prime web server and diskWatcher must be started as root. Therefore, their
log files are owned by the user root with group=casusers.
Windows SystemsCisco Prime must be installed by the administrator and must be installed as the
user casuser.
If it is a new installation, the system displays a message prompting you to either create or to
cancel the process. You can enter the password or it can be automatically generated.
If it is not a new installation, the system displays a message prompting you to either continue
OL-25947-01
Runtime
This describes the runtime activities.
• UNIX Systems: Typically, Cisco Prime back-end processes are run with permissions set to the user ID of the binary file.
  For example, if user Joe owns an executable file, it will be run by the Cisco Prime daemon manager under the user ID of Joe.
  The exception is files owned by the root user ID. To prevent a potentially harmful program from being run by the daemon manager with root permissions, the daemon manager will run only a limited set of Cisco Prime programs that need root privilege.
  This list is not documented to preclude any user from trying to impersonate these programs.
  All back-end processes are run with a umask value of 027. This means that all files created by these programs are created with permissions equal to rwxr-x---, with an owner and group of the user ID and group of the program that created it. Typically this will be casuser and group=casusers.
  Cisco Prime foreground processes (typically cgi-bin programs or servlets) are executed under the control of the web server's child processes or the servlet engine, which all run as the user casuser.
  Cisco Prime uses standard UNIX tftp and rcp services. Cisco Prime also requires that user casuser have access to the directories that these services read and write to.
  The Cisco Prime LMS Server must allow the user casuser to run cron and at jobs to enable the Resource Manager Essentials Software Management application to run image download jobs.
• Windows: Cisco Prime back-end processes are run with permissions set to the user casuser. Some of the special Cisco Prime LMS Server processes are run as a service under the localsystem user ID. These processes include:
  • Daemon manager
  • Web server
  • Servlet engine
  • Rcp/rsh service
  • TFTP service
  • Corba service
  • Database engine
  Cisco Prime foreground processes (typically cgi-bin programs or servlets) are run under the control of the web server and the servlet engine that run as the user localsystem.
  The local system user has special permissions on the local system but does not have network permissions.
  Cisco Prime provides several services for RCP and TFTP communication with devices. These services are targeted for use by Cisco Prime applications, but can be used for purposes other than network management.
  The Cisco Prime Server uses the at command to run software update jobs for the Resource Manager Essentials Software Image Manager application. Jobs run by the at command run with system-level privileges.
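What the umask 027 and casuser/casusers ownership rules for UNIX systems mean on disk, as an added example (not Cisco Prime code): it shows the modes a new file and directory actually receive and audits a tree for entries that break the policy. The function names and the sample tree are constructed for illustration; on a real server, pass the uid of casuser, the gid of casusers and the installation directory instead.

```python
import os
import stat
import tempfile


def modes_under_umask(mask=0o027):
    """Create one file and one directory under `mask`; return their mode strings."""
    previous = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as root:
            file_path = os.path.join(root, "job.log")
            dir_path = os.path.join(root, "spool")
            # Request the widest modes a program normally asks for; the umask
            # then strips group-write and every permission bit for "other".
            os.close(os.open(file_path, os.O_CREAT | os.O_WRONLY, 0o666))
            os.mkdir(dir_path, 0o777)
            return (stat.filemode(os.stat(file_path).st_mode),
                    stat.filemode(os.stat(dir_path).st_mode))
    finally:
        os.umask(previous)


def audit_tree(root, allowed_uids, expected_gid):
    """Return {relative_path: [problems]} for entries that break the ownership policy."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the mode of a symbolic link itself is not meaningful
            problems = []
            if st.st_mode & stat.S_IRWXO:
                problems.append("accessible to other")
            if st.st_mode & stat.S_IWGRP:
                problems.append("group-writable")
            if st.st_uid not in allowed_uids:
                problems.append("unexpected owner uid %d" % st.st_uid)
            if st.st_gid != expected_gid:
                problems.append("unexpected group gid %d" % st.st_gid)
            if problems:
                findings[os.path.relpath(path, root)] = problems
    return findings


def run_demo():
    """Build a constructed sample tree and audit it against its own owner and group."""
    with tempfile.TemporaryDirectory() as root:
        jobs = os.path.join(root, "jobs")
        os.mkdir(jobs)
        os.chmod(jobs, 0o750)
        # Constructed sample files: one compliant, one world-readable, one group-writable.
        samples = {"daemon.log": 0o640, "export.csv": 0o644, "shared.tmp": 0o660}
        for name, mode in samples.items():
            path = os.path.join(jobs, name)
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
            os.chmod(path, mode)
        owner = os.stat(root)
        return audit_tree(root, {owner.st_uid}, owner.st_gid)


if __name__ == "__main__":
    print(modes_under_umask())
    for rel_path, problems in sorted(run_demo().items()):
        print(rel_path, "->", ", ".join(problems))
```

A regular file ends up as rw-r----- because programs do not request execute bits when creating it; rwxr-x--- is the ceiling that the umask allows. To cover the documented exception for the web server and diskWatcher logs, include uid 0 in `allowed_uids`.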
Remote Connectivity
The remote connectivity details for Windows and Solaris are:
• UNIX Systems: The Cisco Prime daemon manager only responds to requests to start, stop, register, or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server.
• Windows Systems: The Cisco Prime daemon manager only responds to requests to start, stop, register, or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server.
• UNIX Systems: Systems used by the Cisco Prime LMS Server as remote sources of device information for importing into the LMS Inventory Manager application must allow the user casuser to perform remote shell operations on the user who owns the device information.
• Windows Systems: Systems used by the Cisco Prime Server as remote sources of device information for importing into the LMS Inventory Manager application must allow the user casuser to perform remote shell operations on the user who owns the device information.
Access Control
The access control details are:
• UNIX Systems: The UNIX user casuser is a user ID that is not typically enabled for login.
  Using this user ID as the user ID under which to install the Cisco Prime Server software simplifies the installation process and ensures limited access to the Cisco Prime Server. This is because casuser is not a valid login ID, as there is no password assigned to it.
  However, the casuser user on UNIX systems can perform system and possibly network-wide operations that could be harmful to the system or the network.
• Windows Systems: The user casuser, created as part of the install process, has no special permissions or considerations on a system, so it is a safe user ID under which to run the Cisco Prime Server and application code. The localsystem user can perform harmful system operations. However, although the localsystem user ID is used to run some of the back-end processes, it cannot perform network operations.
Note
The system administrator should review and adopt the security recommendations in System
Administrator-Imposed Security.
• Do not allow users other than the systems administrator to have a login on Cisco Prime LMS Server.
• Do not allow the Cisco Prime LMS Server file systems to be mounted remotely with NFS or any other file-sharing protocol.
• Limit remote access (for example, FTP, RCP, RSH) to Cisco Prime LMS Server to those users who are permitted to log into Cisco Prime LMS Server.
• Place your network management servers behind firewalls to prevent access to the systems from outside of your organization.
• Change the database password after installation and periodically based on your company's security policies.
• Back up the security certificates in a safe location, if you are using SSL in Cisco Prime LMS Server.
Connection Security
The Cisco Prime LMS Server uses Secure Socket Layer (SSL) encryption to provide a secure connection
between the client browser and the management server, and Secure Shell (SSH) to provide secure access
between the management server and devices.
Security Certificates
Security certificates are similar to digital ID cards. They prove the identity of the server to clients.
Certificates are issued by Certificate Authorities (CAs) such as VeriSign or Thawte.
A certificate vouches for the identity and key ownership of an individual, a computer system (or a
specific server running on that system), or an organization. It is a general term for a signed document.
Typically, certificates contain the following information:
Note
• Validity period (the length of time that the certificate is considered valid).
• The digital signature of the issuer. This attests to the validity of the binding between the subject public key and the subject identifier information.
Cisco Prime LMS Server supports security certificates for authenticating secure access between client
browser and management server.
Cisco Prime supports self-signed certificates and provides an option to create them.
For more information, see Creating Self Signed Certificates.
• PKCS#8
• Certificate Authority
PKCS#8
Public-Key Cryptography Standards (PKCS) are a set of standards for public-key cryptography,
developed by RSA Laboratories in cooperation with an informal consortium, originally including Apple,
Microsoft, DEC, Lotus, Sun and MIT.
The PKCS have been cited by the OIW (OSI Implementers' Workshop) as a method for implementation
of OSI standards.
The PKCS are designed for binary and ASCII data; PKCS are also compatible with the ITU-T X.509
standard. The published standards are PKCS #1, #3, #5, #7, #8, #9, #10, #11, #12, and #15; PKCS #13
and #14 are currently being developed.
PKCS #8 describes a format for private key information. This information includes a private key for
some public-key algorithm, and optionally a set of attributes.
Note
Other certificate formats such as PKCS#7 also have similar formats. Hence it is important that you
confirm the format of the certificate with the CA, and specifically request the Base64 Encoded
X.509 Certificate format.
Certificate Authority
A certificate authority (CA) is an authority in a network that issues and manages security credentials and
public keys for message encryption.
As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify
information provided by the requestor of a digital certificate. If the RA verifies the requestor's
information, the CA then issues a certificate.
APPENDIX
Step 1
Choose Admin > Trust Management > Multi Server > System Identity Setup.
Step 2
Ensure that the System Identity User user name and password are valid, also under Admin >
System > User Management > Local User Setup.
See the section Understanding Dynamic Updates in User Tracking and Dynamic Updates for more
information.
Appendix E
Global commands
While configuring, Network Topology, Layer 2 Services and User Tracking selects the commands for
each device based on the fallback rule in the following order:
1. Device OS version-specific commands
2. Device Type-specific commands
3. Device Family-specific commands
4. Global commands
If a device OID matches an OS version, the Device OS version-specific commands should be selected to
configure the device. Otherwise, the Device Type-specific commands should be selected.
If a device OID has no specific match in either the Device OS version-specific commands or the
Device Type-specific commands, the Device Family-specific commands should be selected.
The Global commands are selected for configuring the device when no Device OS version-specific,
Device Type-specific, or Device Family-specific commands match the device.
The device is considered an unknown device type when none of the available command sets match.
In other words, no command set is generated for an unknown device type.
[12.2(40),12.2(43)) denotes all OS versions between 12.2(40) and 12.2(43) including 12.2(40) and
excluding 12.2(43).
[,12.2(40)] denotes all OS versions prior to 12.2(40) and including version 12.2(40).
[12.1(19)EA1,12.2(46)SE) denotes all OS versions 12.1(19)EA1 and later, and prior to 12.2(46)SE.
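One way to read the interval notation and apply the fallback order described above, as an added example (not LMS code). The version ordering, the catalogue layout and the names `version_key`, `VersionRange`, `select_command_set` and `EXAMPLE-TYPE` are assumptions, and the catalogue is a constructed sample with command strings shortened to placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# major.minor(maintenance)TRAINrebuild, for example 12.1(19)EA1 or 12.2(46)SE
_IOS = re.compile(r"^(\d+)\.(\d+)\((\d+)[a-z]?\)([A-Z]*)(\d*)[a-z]?$")


def version_key(text):
    """Map an IOS version string to a sortable tuple.

    Assumed ordering: release numbers compare numerically, then the train
    letters alphabetically, then the rebuild number.
    """
    match = _IOS.match(text.strip())
    if not match:
        raise ValueError("unrecognised IOS version: %r" % text)
    major, minor, maint, train, rebuild = match.groups()
    return (int(major), int(minor), int(maint), train, int(rebuild or 0))


@dataclass(frozen=True)
class VersionRange:
    low: Optional[tuple]
    high: Optional[tuple]
    low_inclusive: bool
    high_inclusive: bool

    @classmethod
    def parse(cls, text):
        """Parse '[lo,hi)' notation: square bracket includes, parenthesis excludes."""
        text = text.strip()
        if len(text) < 3 or text[0] not in "[(" or text[-1] not in "])":
            raise ValueError("not an interval: %r" % text)
        low, comma, high = text[1:-1].partition(",")
        if not comma:
            raise ValueError("interval needs a comma: %r" % text)
        return cls(version_key(low) if low.strip() else None,   # empty bound = open end
                   version_key(high) if high.strip() else None,
                   text[0] == "[", text[-1] == "]")

    def contains(self, version):
        key = version_key(version)
        if self.low is not None and (
                key < self.low or (key == self.low and not self.low_inclusive)):
            return False
        if self.high is not None and (
                key > self.high or (key == self.high and not self.high_inclusive)):
            return False
        return True


# Constructed sample catalogue, one table per fallback level.
CATALOG = {
    "os_version": {
        "1.3.6.1.4.1.9.1.516": [
            ("[,12.1(19)EA1)", "os-specific set A"),
            ("[12.1(19)EA1,12.2(46)SE)", "os-specific set B"),
        ],
    },
    "device_type": {"EXAMPLE-TYPE": "type-specific set"},
    "device_family": {"C3750-STACK": "family-specific set"},
    "global": "global set",
}


def select_command_set(catalog, sysoid, device_type, family, os_version):
    """Apply the fallback order; return (level, commands), or None for an unknown device."""
    for interval, commands in catalog.get("os_version", {}).get(sysoid, []):
        if VersionRange.parse(interval).contains(os_version):
            return ("os-version", commands)
    if device_type in catalog.get("device_type", {}):
        return ("device-type", catalog["device_type"][device_type])
    if family in catalog.get("device_family", {}):
        return ("device-family", catalog["device_family"][family])
    if catalog.get("global"):
        return ("global", catalog["global"])
    return None  # no command set is generated


if __name__ == "__main__":
    for version in ("12.1(14)EA1", "12.2(25)SEB", "12.2(46)SE"):
        print(version, select_command_set(
            CATALOG, "1.3.6.1.4.1.9.1.516", "C3750-STACK", "C3750-STACK", version))
```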
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
default | | | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | -
Table E-1
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
mac address-table notification change:mac address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed
C3750-STACK 1.3.6.1.4.1.9.1.516
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
mac address-table notification change:mac address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification change added:snmp trap mac-notification change removed
12.2(52)SE
C3750-STACK -
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
 | NME16ES1GP | 1.3.6.1.4.1.9.1.702 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
 | NME16ES1GP | 1.3.6.1.4.1.9.1.702 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
 | | | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
 | | | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
C3750-STACK | NMEX23ES1GP | 1.3.6.1.4.1.9.1.664 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | NMEX23ES1GP | 1.3.6.1.4.1.9.1.664 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | NMEXD24ES1SP | 1.3.6.1.4.1.9.1.665 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | NMEXD24ES1SP | 1.3.6.1.4.1.9.1.665 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
C3750-STACK | NMEXD48ES2SP | 1.3.6.1.4.1.9.1.666 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | NMEXD48ES2SP | 1.3.6.1.4.1.9.1.666 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.574 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.574 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.589 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.589 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.590 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.590 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.591 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.591 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.592 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.592 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.688 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.688 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750-24P | 1.3.6.1.4.1.9.1.536 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750-24P | 1.3.6.1.4.1.9.1.536 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.530 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.530 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.511 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.511 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.512 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.512 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.513 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.513 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.514 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.514 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.535 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.535 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.602 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.602 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.603 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.603 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
C3750-STACK | C3750P | 1.3.6.1.4.1.9.1.604 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750P | 1.3.6.1.4.1.9.1.604 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.624 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.624 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.656 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.656 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3550 | | | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed |
C3550 | C3550-24 | 1.3.6.1.4.1.9.1.366 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1)
C3550 | C3550-48 | 1.3.6.1.4.1.9.1.367 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1)
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
C3550 | C3550-12T | 1.3.6.1.4.1.9.1.368 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1)
C3550 | C3550-12G | 1.3.6.1.4.1.9.1.431 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1)
C3550 | C3550-24FX | 1.3.6.1.4.1.9.1.453 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1)
C3550 | C3550-24DC | 1.3.6.1.4.1.9.1.452 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1)
C3550 | C3550-24PWR | 1.3.6.1.4.1.9.1.485 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1)
Device Family | Device Type | SysOID | | Interface Command Set | OS Version
C3550 | C3560-24PS | 1.3.6.1.4.1.9.1.563 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1)
C3550 | C3560-48PS | 1.3.6.1.4.1.9.1.564 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1)
C3550 | C3560G-24PS | 1.3.6.1.4.1.9.1.614 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1)
C3550 | C3560G-24TS | 1.3.6.1.4.1.9.1.615 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1)
C3550 | C3560G-48PS | 1.3.6.1.4.1.9.1.616 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1)
E-18
OL-25947-01
Appendix E
Table E-1
Device Family
Device Type
SysOID
C3550
C3560G-48TS
1.3.6.1.4.1.9.1.617
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C3560E
1.3.6.1.4.1.9.1.930
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
C3560E
1.3.6.1.4.1.9.1.956
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
C3560E
snmp trap mac-notification added:snmp trap mac-notification removed
3000
1.3.6.1.4.1.9.1.909
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
3000
1.3.6.1.4.1.9.1.910
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
3000
1.3.6.1.4.1.9.1.911
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
3000
1.3.6.1.4.1.9.1.912
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
3000
1.3.6.1.4.1.9.1.918
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
3000
1.3.6.1.4.1.9.1.919
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
3000
1.3.6.1.4.1.9.1.920
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
3000
1.3.6.1.4.1.9.1.921
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
3000
1.3.6.1.4.1.9.1.922
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
3000
1.3.6.1.4.1.9.1.947
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
3000
1.3.6.1.4.1.9.1.948
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
3000
1.3.6.1.4.1.9.1.949
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
3000
1.3.6.1.4.1.9.1.999
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
3000
snmp trap mac-notification added:snmp trap mac-notification removed
3000
snmp trap mac-notification added:snmp trap mac-notification removed
3000
snmp trap mac-notification added:snmp trap mac-notification removed
C3000IE
1.3.6.1.4.1.9.1.958
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
C3000IE
1.3.6.1.4.1.9.1.959
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
C3508GXL
1.3.6.1.4.1.9.1.246
C3512XL
1.3.6.1.4.1.9.1.247
C3524XL
1.3.6.1.4.1.9.1.248
C3548XL
1.3.6.1.4.1.9.1.278
C3524PWRXL 1.3.6.1.4.1.9.1.287
-
C3500XL
C2970
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
C2970G-24T
1.3.6.1.4.1.9.1.527
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(19)EA1)
C2970G-24TS
1.3.6.1.4.1.9.1.561
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(19)EA1)
371098-001
1.3.6.1.4.1.11.2.3.7.11.33.3.1.1
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(19)EA1)
ME-3400G-12CS-D
1.3.6.1.4.1.9.1.781
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(19)EA1)
ME-3400G-12CS-A
1.3.6.1.4.1.9.1.780
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(19)EA1)
C2960-24TC-S
1.3.6.1.4.1.9.1.928
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(19)EA1)
ME-3400G-2CS-A
1.3.6.1.4.1.9.1.825
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(19)EA1)
C2960G-48TC-L
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
12.2(35)SE5
mac address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification change added:snmp trap mac-notification change removed
12.2(44)SE6
ME-3400
1.3.6.1.4.1.9.1.697
1.3.6.1.4.1.9.1.873
ME-3400
C2900XL
C2900XL
1.3.6.1.4.1.9.1.1007 -
ME-3400
1.3.6.1.4.1.9.1.1008 -
ME-3400
1.3.6.1.4.1.9.1.1009 -
C2960
1.3.6.1.4.1.9.1.929
C2960
1.3.6.1.4.1.9.1.927
C2960
1.3.6.1.4.1.9.1.1005 -
C2960
1.3.6.1.4.1.9.1.1006 -
C2960
1.3.6.1.4.1.9.1.950
C2960
1.3.6.1.4.1.9.1.951
C2960
1.3.6.1.4.1.9.1.952
C2975
1.3.6.1.4.1.9.1.1067 -
C2975
1.3.6.1.4.1.9.1.1068 -
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
C2908XL
1.3.6.1.4.1.9.1.170
C2924XL
1.3.6.1.4.1.9.1.183
C2924CXL
1.3.6.1.4.1.9.1.184
C2924XLV
1.3.6.1.4.1.9.1.217
C2924CXLV
1.3.6.1.4.1.9.1.218
C2912XL
1.3.6.1.4.1.9.1.219
C2924MXL
1.3.6.1.4.1.9.1.220
C2912MFXL
1.3.6.1.4.1.9.1.221
C2924XL-LRE 1.3.6.1.4.1.9.1.369
C2912XL-LRE 1.3.6.1.4.1.9.1.370
C2950
mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
C2950-12
1.3.6.1.4.1.9.1.323
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2950-24
1.3.6.1.4.1.9.1.324
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2950C-24
1.3.6.1.4.1.9.1.325
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2950T-24
1.3.6.1.4.1.9.1.359
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2950G-24
1.3.6.1.4.1.9.1.428
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2950G-12
1.3.6.1.4.1.9.1.427
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2950G-48
1.3.6.1.4.1.9.1.429
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2950G-24DC
1.3.6.1.4.1.9.1.472
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2950-24SX
1.3.6.1.4.1.9.1.480
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2955C-12
1.3.6.1.4.1.9.1.489
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2955S-12
1.3.6.1.4.1.9.1.508
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2955T-12
1.3.6.1.4.1.9.1.488
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2950ST-8LRE
1.3.6.1.4.1.9.1.483
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2950ST-24LRE
1.3.6.1.4.1.9.1.482
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2940-8TT
1.3.6.1.4.1.9.1.540
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2940-8TF
1.3.6.1.4.1.9.1.542
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C2950-48SX
1.3.6.1.4.1.9.1.560
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
CIGESM-18TT
1.3.6.1.4.1.9.1.592
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
[,12.1(11)EA1)
C6000
set cam notification added enable INTERFACE:set cam notification removed enable INTERFACE
C6006
1.3.6.1.4.1.9.5.38
C6009
1.3.6.1.4.1.9.5.39
C6509
1.3.6.1.4.1.9.5.44
C6506
1.3.6.1.4.1.9.5.45
C6509SP
1.3.6.1.4.1.9.5.47
C6513
1.3.6.1.4.1.9.5.50
C6503
1.3.6.1.4.1.9.5.56
mac-address-table notification change:mac-address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification change added:snmp trap mac-notification change removed
C6000-IOS
C4000
catalyst6000IOS
1.3.6.1.4.1.9.1.657
catalyst6006IOS
1.3.6.1.4.1.9.1.280
catalyst6009IOS
1.3.6.1.4.1.9.1.281
Cisco C6506-IOS
1.3.6.1.4.1.9.1.282
catalyst6509IOS
1.3.6.1.4.1.9.1.283
catalyst6509spIOS
1.3.6.1.4.1.9.1.310
catalyst6513IOS
1.3.6.1.4.1.9.1.400
ciscoWSC6503
1.3.6.1.4.1.9.1.449
ciscoWSC6509neba
1.3.6.1.4.1.9.1.534
catalyst6509VE
1.3.6.1.4.1.9.1.832
Cisco C6503-IOS
1.3.6.1.4.1.9.1.449
set cam notification added enable INTERFACE:set cam notification removed enable INTERFACE
C4003
1.3.6.1.4.1.9.5.40
C4912G
1.3.6.1.4.1.9.5.41
C2948G
1.3.6.1.4.1.9.5.42
C4006
1.3.6.1.4.1.9.5.46
C2980G
1.3.6.1.4.1.9.5.49
C2980G-A
1.3.6.1.4.1.9.5.51
C4503
1.3.6.1.4.1.9.5.58
C4506
1.3.6.1.4.1.9.5.59
C2948G-GE-TX
1.3.6.1.4.1.9.5.62
C4000-IOS
mac-address-table notification change:mac-address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification change added:snmp trap mac-notification change removed
cisco4000
1.3.6.1.4.1.9.1.448
cisco4900M
1.3.6.1.4.1.9.1.917
cisco4948
1.3.6.1.4.1.9.1.626
cisco4948-10GE
1.3.6.1.4.1.9.1.659
cisco4948-10GE
1.3.6.1.4.1.9.1.875
cisco4948-10GE
1.3.6.1.4.1.9.1.877
cisco4948-10GE
1.3.6.1.4.1.9.1.874
cisco4948-10GE
1.3.6.1.4.1.9.1.876
C4506-IOS
mac address-table notification change:mac address-table notification change interval 15:snmp-server enable traps mac-notification:snmp-server host HOST version 1 COMMUNITY udp-port 1431 mac-notification
snmp trap mac-notification change added:snmp trap mac-notification change removed
12.2(53)SG
mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification change added:snmp trap mac-notification change removed
1.3.6.1.4.1.9.1.502
C4900ME
-
C4900ME
1.3.6.1.4.1.9.1.788
C2400ME
mac address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification
snmp trap mac-notification added:snmp trap mac-notification removed
C2400ME
1.3.6.1.4.1.9.1.735
C2350
1.3.6.1.4.1.9.1.1104 -
Appendix F
Note
Backing Up Data
To avoid restarting daemons, ensure that device packages, point patches, and software updates are up to date before the network is down during planned network downtime.
Solaris Patches
Purging Databases
Purging Jobs
Purging Archives
Purging Databases
To reclaim disk space by purging your system's database:
Set the Syslog Purge Settings so that syslog records do not pile up in the database. To set the Syslog Purge Settings:
Enable the Syslog Backup Settings by navigating to Admin > Network > Purge Settings > Purge.
Run the DBSpaceReclaimer tool after performing a force purge job to reclaim more disk space. Perform the following steps:
Open RMEDebugToolsReadme.txt from
execute the Perl script DBSpaceReclaimer.pl. For more details, refer to Syslog Administrative Tasks.
In Device Performance Management, if the size of the database remains the same after purging, perform the following steps to reclaim disk space:
For Windows:
Stop the daemon using the net stop crmdmgtd command.
Enter dbunload -c "uid=DBA;pwd=<<password>>;dbf=<<upm_database_location>>" -ar
For Solaris:
Stop the daemon using the /etc/init.d/dmgtd stop command.
If you get an error message regarding the library path, enter source /opt/CSCOpx/etc/install.cshrc
/opt/CSCOpx/lib/classpath/md.properties.
To set the library path, enter setenv LD_LIBRARY_PATH <<PATH>>
To reload the database, enter dbunload -c "uid=DBA;pwd=<<password>>;dbf=<<upm_database_location>>" -ar
Note
Ensure that the file /opt/CSCOpx/databases/upm/upm.db has the following permissions: -rw------- 1 casuser casusers upm.db. You can change the permissions using the following commands:
For Linux:
Stop the daemon using the /etc/init.d/dmgtd stop command.
If you get an error message regarding the library path, enter source /opt/CSCOpx/etc/install.cshrc
/opt/CSCOpx/lib/classpath/md.properties.
To set the library path, enter setenv LD_LIBRARY_PATH <PATH>
To reload the database, enter dbunload -c "uid=DBA;pwd=<<password>>;dbf=<<upm_database_location>>" -ar
Note
Ensure that the file /opt/CSCOpx/databases/upm/upm.db has the following permissions: -rw------- 1 casuser casusers upm.db. You can change the permissions using the following commands:
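An added check, not part of the Cisco guide and not the commands the note refers to: after a database reload, this script confirms that a file has the mode and ownership the note requires (-rw-------, casuser, casusers). The function name check_db_perms is an assumption of this example; it parses ls -ld instead of calling stat because stat options differ between platforms.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): verify that a database file has
# the mode and ownership required by the note above.
# Usage: sh check_db_perms.sh /opt/CSCOpx/databases/upm/upm.db casuser casusers

# check_db_perms PATH OWNER GROUP
# Returns 0 only if PATH is a regular file (not a symlink), owned by
# OWNER:GROUP, with permission bits exactly -rw-------.
check_db_perms() {
    cdp_path=$1
    cdp_owner=$2
    cdp_group=$3
    cdp_rc=0

    # Report a symlink explicitly: the daemon would open whatever it points at.
    if [ -L "$cdp_path" ]; then
        echo "FAIL: $cdp_path is a symbolic link" >&2
        return 1
    fi
    if [ ! -f "$cdp_path" ]; then
        echo "FAIL: $cdp_path is missing or not a regular file" >&2
        return 1
    fi

    # Fields of `ls -ld`: mode string, link count, owner, group, then the rest.
    read -r cdp_mode cdp_links cdp_fowner cdp_fgroup cdp_rest <<EOF
$(ls -ld -- "$cdp_path")
EOF

    # The first 10 characters are file type plus permission bits. An 11th
    # character may follow ('+' when an ACL is attached to the file).
    cdp_bits=$(printf '%s' "$cdp_mode" | cut -c1-10)
    cdp_flag=$(printf '%s' "$cdp_mode" | cut -c11-)

    if [ "$cdp_bits" != "-rw-------" ]; then
        echo "FAIL: mode is $cdp_bits, expected -rw-------" >&2
        cdp_rc=1
    fi
    if [ "$cdp_fowner" != "$cdp_owner" ]; then
        echo "FAIL: owner is $cdp_fowner, expected $cdp_owner" >&2
        cdp_rc=1
    fi
    if [ "$cdp_fgroup" != "$cdp_group" ]; then
        echo "FAIL: group is $cdp_fgroup, expected $cdp_group" >&2
        cdp_rc=1
    fi
    # An ACL can grant access that the mode bits do not show; flag it for review.
    if [ "$cdp_flag" = "+" ]; then
        echo "WARN: $cdp_path has an ACL attached; review its entries" >&2
    fi

    if [ "$cdp_rc" -eq 0 ]; then
        echo "OK: $cdp_path is -rw------- $cdp_owner $cdp_group"
    fi
    return "$cdp_rc"
}

# Run the check only when path, owner and group are given on the command line.
if [ "$#" -eq 3 ]; then
    check_db_perms "$1" "$2" "$3"
fi
```

The script only reports; it changes nothing, so it can be run before restarting the daemon.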
Purging Jobs
You can configure LMS to periodically purge job data that you no longer need. This is done using Job Purge. For more details, refer to Performance Purge Jobs.
Refer to the following links to configure the purge settings for all modules in LMS:
Note
You can view the status of all the LMS admin-related jobs in Job Browser. For more details, refer to Using Job Browser.
Purging Archives
Purging archives frees disk space and keeps your archive at a manageable size. For more details, refer to Purging Configurations from the Configuration Archive.
Note
Log files can expand and fill up disk space. You can control log file disk usage by deleting unwanted log files from the Cisco Prime installation directory. For more details, refer to Maintaining Log Files. Log files can also be maintained by using the logrot functionality. For more details, refer to Configuring Log Files Rotation. Log file rotation can also be scheduled. For more details, refer to Scheduling Log Files Rotation.
PTT is a Command Line Interface (CLI) utility that enables you to apply and list the various profiles available on the LMS server. Profiles consist of configuration files in XML form, whose values are based on the recommendations for various applications. Two profiles are shipped with LMS. You can use whichever profile matches the system. Parameters are tuned and available in each profile. You can apply the required profile to the system and improve performance. This is a major advantage of using PTT. For more details, refer to Performance Tuning Tool in the Configuration Management with Cisco Prime LAN Management Solution 4.2 guide. For Layer 2 and topology related PTT, refer to Performance Tuning Tool in Appendix A.
Improving System Performance Using Critical Device Poller
Data collection consumes significant system resources. The critical device poller allows you to view the device and link status without running Data Collection. You can simply poll the network and view the device and link status in Topology maps. Only core devices should be managed in the critical device poller. For more details, refer to Data Collection Critical Device Poller.
Suggestions for Better System Performance
Configure devices to send only the syslogs that you are working with. This practice helps you avoid server issues caused by a huge volume of syslogs.
When restarting the scanner, delay the anti-virus scan to avoid issues that could occur in upcoming processes. You can restart the scanner only after all processes are up again.
Do not delete or move any files in the LMS installation location without confirming with the TAC engineer the impact the action might have.
Related or critical jobs from the same application should not be triggered in a way that makes them conflict with each other. For example, Inventory collection and Configuration collection should not be scheduled to run at the same time because doing so will create system issues. Similarly, Data Collection and User Tracking must not be scheduled to run simultaneously. Identify the priority of jobs based on use cases and schedule appropriate times for those critical jobs to run. Unrelated or non-critical jobs can run in parallel or at a later time.
Consider the following points when you configure systems to manage a large number of devices:
Note
Device Discovery: Set up the discovery schedule to a less frequent one and choose the time most appropriate to you. Select the discovery parameters most suitable to your environment so that they speed up the discovery process and discover and populate correct values.
Data Collection Settings: The data collection is configured to run every four hours starting at midnight. Run discovery manually once to determine an appropriate polling cycle. The subsequent polls will be shorter in duration, but you should still give it a 20 percent buffer. For example, if it took four hours to poll the whole network the first time, you could set the frequency to five hours to make sure that there is no overlap between two consecutive data collection processes.
User-Tracking Discovery: Configure the time so that two consecutive schedules do not overlap. You could also filter subnets for which you do not want to perform end-host discovery or subnets where no end hosts are present. Configure subnets that you want excluded from a ping sweep before the discovery process.
Fault Management Polling Parameters and Threshold: Default Cisco Prime fault management polling and threshold parameters are configured for Cisco Prime fault management system-defined groups; however, it is recommended that you review these configurations based on the critical and noncritical devices in your network.
Cisco Prime Inventory, Configuration, and Image Management: In Cisco Prime LMS, you can create user-defined jobs for inventory polling and collection, and configuration collection and polling, on a set of devices selected as part of the job creation process. Consider this option when servers manage a large number of devices.
Periodic Polling Versus Periodic Collection: Polling uses fewer resources than full scheduled collection because configuration files are retrieved only if the configuration MIB variable is set, so it is recommended that you enable the Periodic Polling option and disable the Periodic Collection option.
All collections must be scheduled so that they do not conflict with each other.
Recommendations on when to schedule various jobs
All Purge jobs (not specific to inventory and Config) can be scheduled to run on a weekly basis.
Note
The UI performance of the application client can be improved by using device groups when executing
application tasks, especially when a single server is managing a large number of devices.
Backing Up Data
Regular backup of data should be practiced on a daily/weekly basis to avoid data loss. To schedule system backups at regular intervals, select Admin > System > Backup. For more details, refer to Backing Up Data.
Consider the following points when backing up data:
Note
While scheduling or triggering a backup, if the backup time conflicts with any JRM job time (jobs that are scheduled between backup time +/- one hour), an error pops up displaying a list of job IDs. Similarly, when scheduling or triggering a JRM job, if the JRM job schedule time conflicts with any backup time (a backup that is scheduled between JRM job time +/- one hour), an error pops up displaying a list of backup times that run around the same schedule as the JRM job.
If you want to back up Config on a daily basis, the shadow directory option can be used.
DiskWatcher is a back-end process that monitors disk space availability on the LMS Server. This process calculates the disk space information of a drive (on Windows) or a file system (on Solaris/Soft Appliance) where Cisco Prime applications are installed, and stores it in the diskWatcher.log file. For more details, refer to Configuring Disk Space Threshold Limit.
2-13
12-30
10-22
A-24
17-8, 17-9
8-25
SMTP server
10-13
10-13
10-16
using CLI
rediscovering
17-8
discovery
5-54
5-52
deleting groups
10-5
log files
12-29
DFM
deleting
states
12-30
4-7
Advanced Search
device selector
4-23
rules
4-10
10-3
3-31
B-27
IN-5
Index
events
changing names
10-5
log files
details
5-65
editing
5-54, 5-55
managing, overview
membership
17-8
rules
17-8
5-61
DFM
5-65
system defined
B-23
exporting
message filters, in Syslog Analyzer
summaries
5-53
5-51
user defined
11-14
editing
10-47
5-54
Groups, administering
creating
5-5
deleting
groups
Fault History
log file
5-28
details
17-8
modifying
D-2
viewing
filters
Inventory change report filters, setting
10-45
deleting
10-48
editing
editing
11-22
10-44
5-26
5-27
exporting
5-29
enabling, disabling
exporting, importing
10-47
10-47
forced purges
11-5
in Syslog Analyzer
importing
5-25
5-31
importing from UI
5-31
multi-server setup
5-3
refreshing
5-7
5-28
rules, defining
5-4
properties, specifying
16-7
5-29
5-30
Group Administration
10-46
in Change Audit
5-27
5-9
group administration
composite rule
5-72
5-71
creating
5-54, 5-58
customizable
editing
5-52
restrictions
deleting
5-53
5-68
5-13
5-11
range operator
5-11
5-54
5-10
groups
5-11
5-9
5-12
5-3
5-3
5-10, 5-11
IN-6
OL-25947-01
Index
5-13
5-13
J
H
HP OpenView
10-24
B-17
12-15
7-30
12-16
approver lists
assigning
12-18
creating, editing
12-17
images
IOS images, and recommendation filters
12-16
A-24
jrm, checking
interfaces
customizable groups
12-18
task workflow
11-14
setting up
11-20
12-20
8-2
12-1
B-20
5-52
5-51
Inventory
change report filters, setting
11-22
8-25
inventory
effect of DCR changes
8-25
log files
Inventory Collector
17-8
Inventory Interactor
17-8
Inventory Service
17-9
Inventory, using
licensing procedure
8-12
8-2
8-7
8-6
overview
3-29
3-29
3-29
3-29
2-4
inventory collection
log file
obtaining a license
updating licenses
8-25
17-9
17-3
on Windows
8-25
17-3
IOS
B-18
3-40
3-41
login module
images, and recommendation filters
11-20
2-27
IN-7
Index
2-27
purging jobs
2-28
NetView
logrot utility
10-24
10-24
configuring
running
12-15
17-11
Notification Services
3-40
3-41
logs
E-Mail Configurations
configuring
E-Mail Notifications
17-18
3-31, 10-3
17-9
17-8
Event Sets
A-32
log file
subscriptions
8-29
10-2
10-3, 10-17
12-15
10-44
creating
10-45
deleting
10-48
10-46
exporting, importing
messaging online users
Windows
10-47
3-34
B-19
B-19
overview
10-47
3-34
10-3, 10-9
3-35
enabling, disabling
10-5
5-54, 10-7
Syslog Notifications
managing
10-16
17-8
10-13
10-6
Notification Groups
10-6
10-13
17-8, 17-9
editing
12-14
17-17
credentials, masking
2-33
12-12
12-13
2-32
2-32
TACACS+, changing to
log level setting
2-28
2-28
overviews
Common Syslog Collector
2-16
2-24
Syslog Analyzer
8-50
8-50
overviews of
C-1
2-32
NetShow
Administering NetShow settings
IN-8
OL-25947-01
Index
CiscoWorks
3-16
processes, managing
2-19
8-25
PSUCLI
14-2
7-20
D-6
13-13
13-14
17-9
17-9
purge settings
13-16
13-17
13-13
13-12
D-6
16-18
historical data
log files
16-18
purging messages
adapter
17-8
database
17-9
in Change Audit
grouping services
manager
17-9
17-9
Administration
in Change Audit
5-41
Examples
5-42
Properties
5-37
5-39
in Change Audit
11-4
in Syslog Analyzer
16-7
11-5
in Syslog Analyzer
5-37
Deleting Groups
16-6
forced purges
5-35
Creating Groups
11-5
in Syslog Analyzer
16-6
5-38
5-49
8-25
5-48
5-47
5-47
R
Radius, changing login module to
5-51, 5-52
occupied by CiscoWorks
trunk ports
13-12
17-8
grouping services
access ports
13-11
log files
manager
10-21
polling
database
A-5
adapter
17-8
range operator
10-21
D-6
5-11
rediscovery
5-51, 5-52
2-32
8-26
8-25
17-9
processes
Administration of Cisco Prime LAN Management Solution 4.2
OL-25947-01
IN-9
Index
Rediscovery Schedule
8-25
D-3
8-22
5-81
security
reports
discrepancy reporting
14-1
physical discrepancies
understanding
14-2
understanding
14-1
general
server
A-31
3-35
3-20
D-5
D-1
D-1
D-2
security, setting up
2-1
2-24
3-21
windows
D-4
certificates, understanding
user tracking
restoring data
D-6
2-39
login module
3-22
multi-server mode
RME portlets
2-16
1-13
setting up
1-14
2-19
1-15
2-39
SSL
properties file
2-7
2-2
COLLECTOR_PORT
COUNTRY_CODE
8-57
8-55
8-56
8-56
DEBUG_LEVEL
A-13, A-15
DEBUG_CATEGORY_NAME
DEBUG_FILES
8-56
changing
2-22
enabling
2-20
user management
DEBUG_MAX_BACKUPS
8-57
DEBUG_MAX_FILE_SIZE
8-57
FILTER_THREADS
PARSER_FILE
8-57
8-57
SUBSCRIPTION_DATA_FILES
SYSLOG_FILES
8-57
8-57
8-56
8-55
TIMEZONE_FILE
rules, group
2-9
A-2
2-14
3-33
server, configuring
AAA mode, setting up
2-24
5-61
running-config
2-13
2-17
READ_INTERVAL_IN_SECS
TIMEZONE
users, adding
8-57
QUEUE_CAPACITY
2-3
8-29
2-24
applications, licensing
licensing information, viewing
licensing procedure
3-29
3-29
IN-10
OL-25947-01
Index
obtaining a license
updating licenses
certificate setup
3-29
administrator-imposed
3-29
connection
2-14
server-imposed
processes, managing
runtime
3-31
17-11
17-4
16-8
17-3
17-13
17-3
logging, configuring
8-9
17-17
login module
8-11
2-19
modify profile
2-13
security levels
2-7
user accounts
2-39
2-6
Self-signed certificates
2-6
3-31
2-14
2-22
enabling
2-20
7-29
7-27
SNMP traps
2-9
2-8, A-3
2-4
2-13
Software Center
A-2
10-24
13-1
2-13
10-3, 10-9
10-25
2-17
7-29
3-35
user management
2-4
SNMP
D-4
D-3
3-42
D-2
D-4
remote connectivity
on Windows
D-4
other systems
A-5
3-35
on UNIX
D-6
3-3
resources, managing
D-5
D-2
access control
3-2
D-5
3-1
3-19
D-5
security certificates
2-39
D-2
3-31
event log
13-10
scheduled job
13-9
13-8
IN-11
Index
enabling, disabling
13-6
example
13-4
13-4
13-11
11-15
forced purges
16-7
11-20
creating
10-45
deleting
10-48
10-3, 10-17
2-2
1-8
system administration
2-3
databases, purging
A-13, A-15
SSL, definition
10-47
B-19
10-47
8-50
Syslog Notifications
B-27
16-20
D-6
logging, configuring
17-18
3-31
changing
2-22
enabling
2-20
B-18
10-22
10-25
10-24
8-25
DFM
Syslog Analyzer
purge policy
5-51
System Preferences
8-51
10-46
exporting, importing
overview
8-51
10-44
enabling, disabling
11-19
8-52
editing
11-15
procedure
message filters
16-5
13-2
13-3
10-41
13-2
administration tasks
10-42
exporting, importing
13-7
10-41
16-6
16-6
status, viewing
8-51
8-51
8-52
8-27
Purging Data
16-14
Purging Jobs
16-12
9-2
17-9
15-2
10-31
creating
10-37
10-32
deleting
10-42
10-34
editing
10-39
10-33
IN-12
OL-25947-01
Index
10-35
database
10-25
10-26
inaccessability
10-29
B-29
Solaris
10-29
B-27
FAQs list
10-25, 10-31
16-17
Backup-restore
Database
T
TACACS+, changing login module to
B-29
PKCS#8
jrm
B-20
Solaris
B-19
Windows
D-6
B-19
SSH
D-6
suggestions
SSL
D-6
User Tracking
B-5
thresholds
log files
adapter
B-17
D-7
D-6
B-25
D-6
D-7
B-27
Software Center
2-33
B-31
B-28
CA (certificate authority)
B-18
10-27
B-3
manager
customizable groups
17-9
grouping services
B-38
trunk ports
17-8
database
B-7
5-52
17-9
17-9
7-23
5-51
topology groups
system-defined groups
creating, based on subnet
5-33
UNIX systems
changing login module to local UNIX system
8-49
8-46
traps
10-22
17-3
8-25
user accounts
setting up
Cisco.com
troubleshooting
back-up data, directory structure of
CiscoWorks applications, starting
B-28, B-29
B-18
local
2-39
2-13
CiscoWorks Server
locked out of, diagnosing
2-27
B-18
7-22
7-24
IN-13
Index
viewing
7-20
15-1
collector group
7-19
group details
5-73
5-79
5-26
membership details
5-80
views
5-54
log file
User Tracking
acquisition schedule, modifying
acquisition settings, modifying
command-line interface
DHCP snooping
17-9
view groups
7-19
5-54
7-8
A-27
8-20
7-25
Dynamic updates
7-24
7-24
FAQs
warnings regarding
error logging
B-9
B-8
B-8
7-26
Major Acquisition
7-3
Minor Acquisition
7-3
for osagent
7-14
17-3
Windows systems
using
5-79
7-21
3-29
7-12
jrm, running
B-19
B-20
A-39
A-39
A-40
7-2
UT data, accessing
7-2
UT in DHCP environment
various acquisitions
7-11
7-3
A-37
A-39
A-34
V
verifying CiscoWorks Server status
B-3
IN-14
OL-25947-01