LMS Admin Guide

Administration of Cisco Prime LAN
Management Solution 4.2
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-25947-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public
domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display
output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in
illustrative content is unintentional and coincidental.
Administration of Cisco Prime LAN Management Solution 4.2
Copyright 2012 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface
xxiii
Notices
xxvii
OpenSSL/Open SSL Project i-xxvii

License Issues i-xxvii
CHAPTER
Overview of Administration
How the guide is organized?
Administration Tasks
1-1
1-1
1-3
Understanding the System Dashboard 1-8

Cisco Prime Product Updates 1-8
Critical Message Window 1-8
Device Credentials and AAA Information
Log Space Usage 1-10
Process Status 1-11
System Backup Status 1-11
User Login Information 1-12
Job Information Status 1-12
Audit Trail Information 1-13
Job Approval 1-14
Syslog Collectors Information 1-15
Supported Device Finder Portlet 1-15
VRF Collector Summary 1-18
Collection Summary Portlet 1-19
CHAPTER
Setting up Security
1-9
2-1
Managing Security in Single-Server Mode 2-1

Setting up Browser-Server Security 2-2
Enabling Browser-Server Security From the LMS Server 2-3
Disabling Browser-Server Security From the LMS Server 2-3
Setting up Local User Policy 2-4
Setting up Local Users 2-6
About User Accounts 2-6
Understanding Security Levels 2-7
Importing and Exporting Local Users 2-7
OL-25947-01
iii
Contents
Importing Local Users Using CLI 2-8

Importing Users From ACS 2-9
Adding and Modifying a Local User 2-9
Adding Local Users Using CLI 2-11
Assigning Roles on NDG Basis 2-13
Modifying Your Profile 2-13
Creating Self Signed Certificates 2-14
Creating a Self Signed Certificate From the User Interface
Working With Third Party Security Certificates 2-16
Managing Security in Multi-Server Mode 2-16
Setting up Peer Server Account 2-17
Setting up System Identity Account 2-18
Setting up Peer Server Certificate 2-19
Enabling Single Sign-On 2-20
Single Sign-On Setup 2-20
Navigating Through the Single Sign-On Domain
Changing the Single Sign-On Mode 2-22
2-21
Setting up the Authentication Mode 2-24

Authentication Using Login Modules - Overview 2-24
Cisco Secure ACS Support for LMS Applications 2-26
Setting the Login Module to Pluggable Authentication Modules
Managing Roles
CHAPTER
2-26
2-36
Managing Cisco.com Connection 2-39

Setting up Cisco.com User Account
Setting Up the Proxy Server 2-40
Support Settings
2-15
2-39
2-40
Administering LMS Server

Using Daemon Manager
3-1
3-2
Managing Processes 3-3

LMS Back-end Processes 3-6
Server Back-end Processes 3-6
Inventory, Config and Image Management Processes 3-11
Network Topology, Layer 2 Services and User Tracking Processes 3-14
IPSLA Performance Management Processes and Dependency Processes 3-15
Device Performance Management Module Processes 3-15
Fault Management Processes 3-16
Backing Up Data 3-19
Scheduling a Backup
3-19
iv
OL-25947-01
Contents
Restoring Data 3-20

Changing the Database Password 3-22
Effects of Backup-Restore on DCR 3-24
Master-Slave Configuration Prerequisites and Restore Operations
Effects of Backup-Restore on Groups 3-27
Backup for Cisco Prime Infrastructure
Licensing Cisco Prime LMS
3-28
3-29
Compliane and Audit Manager (CAAM) Server License

Configuring a Default SMTP Server
Collecting Server Information
Managing Resources
3-31
3-33
3-34
3-35
Modifying System Preferences
3-36
Configuring Log Files Rotation
3-38
Configuring Disk Space Threshold Limit
3-43
Effects of Third Party Backup Utility and Virus Scanner

Configuring TFTP
3-44
3-44
Cisco Prime Integration Application Settings
CHAPTER
3-30
3-31
Collecting Self Test Information

Messaging Online Users
3-26
3-45
Administering Discovery Settings and Device and Credential Repository

Scheduling Device Discovery
4-1
4-1
Configuring Device Selector 4-5

Selecting Devices for Device Management Tasks 4-6
Searching Devices 4-7
Performing Simple Search 4-7
Performing Advanced Search 4-8
Device Selector Settings 4-10
Understanding Device Groups 4-10
Customizing Device Grouping 4-12
Customizing Display Order of Device Groups 4-14
Administering Device and Credential Repository 4-15
Changing DCR Mode 4-15
Configuring Device Polling 4-18
Configuring Device Polling Settings 4-18
Deleting Unreachable Devices from DCR 4-20
Configuring User Defined Fields 4-20
Adding User Defined Fields 4-21
OL-25947-01
Contents
Renaming User Defined Fields 4-21

Deleting User Defined Fields 4-22
Configuring Default Credentials 4-22
Using Default Credentials 4-22
Important Notes on Default Credentials 4-23
Default Credentials Behavior in Multi-Server Setup
Configuring Default Credential Sets 4-24
Configuring Default Credential Set Policy 4-27
CHAPTER
Managing Groups
4-23
5-1
Groups - Components and Basic Concepts
5-2
Groups in Single-Server and Multi-Server Setup

Groups in Single Server Scenario 5-3
Groups in Multi-Server Scenario 5-3
5-3
Device Group Administration 5-4

Creating Groups 5-5
Specifying Group Properties 5-7
Defining Group Rules 5-9
System Defined Attributes 5-13
Assigning Group Membership 5-25
Viewing Group Details 5-26
Modifying Group Details 5-27
Refreshing Groups 5-28
Deleting Groups 5-28
Exporting Groups 5-29
Sample Export Groups Output File 5-29
Exporting Groups From User Interface 5-30
Importing Groups 5-31
Important Notes on Importing Groups 5-31
Importing Groups From User Interface 5-31
Overview of Subnet Based Groups 5-32
Accessing Subnet Based Groups 5-32
Understanding Subnet Based Groups 5-33
Creating Groups Based on Subnet 5-33
DCR Mode Changes and Group Behavior 5-33
Unregistering a Slave 5-34
Behavior of IP Address Range Based Device Groups in Multi-Server Setup
5-35
Port and Module Group Administration 5-35

Creating Port and Module Groups 5-37
vi
OL-25947-01
Contents
Entering the Port and Module Group Properties Details 5-37

Selecting Group Source 5-38
Defining Rule Expression for Port or Module Groups 5-39
Understanding the Summary 5-46
Viewing Port and Module Group Details 5-47
Editing Port and Module Groups 5-48
Deleting Port and Module Groups 5-49
Working with Fault System-defined Groups
LMS System-defined Groups 5-50
Fault System Defined Groups 5-51
Working with Customizable Groups
5-50
5-52
Managing Fault Groups 5-53

Editing and Creating Fault Groups 5-54
Editing a Fault Group 5-55
Creating a Fault Group 5-58
Understanding Rules 5-61
Finalizing Fault Group Membership 5-64
Viewing the Fault Group Summary 5-65
Viewing Fault Group Details 5-65
Viewing Fault Membership Details 5-66
Refreshing Fault Membership 5-67
Deleting Fault Groups 5-68
Understanding Collector Group Rules 5-68
IPSLA Collector Group Administration Process 5-71
Understanding IPSLA Collector Group Administration
5-72
Working with User-Defined Collector Groups 5-73

Creating and Modifying User-Defined Collector Groups 5-73
Setting Collector Group Properties 5-73
Defining Collector Group Rules 5-75
Assigning Collector Group Membership 5-77
Viewing the Collector Group Summary 5-78
Deleting User-Defined Collector Groups 5-79
Viewing User-Defined Collector Groups 5-79
Viewing Collector Group Details 5-79
Viewing Membership Details 5-80
Refreshing User-Defined Collector Group Membership 5-81
Operation-Based Collector Groups (System-Defined)
5-82

OL-25947-01
vii
Contents
CHAPTER
Administering Data Collection
6-1
Modifying Data Collection SNMP Timeouts and Retries

Scheduling Data Collection
6-1
6-3
Data Collection Critical Device Poller
6-4
Compliance and Audit Settings 6-5

Compliance Data Collection 6-5
Compliance Data Collection Jobs 6-7
Import Contracts 6-7
Import Policy Updates 6-8
CHAPTER
User Tracking and Dynamic Updates
7-1
Understanding User Tracking 7-1

Using User Tracking 7-2
Accessing UT Data 7-2
Various Acquisitions in User Tracking
7-3
Using User Tracking Administration 7-4

Viewing User Tracking Acquisition Information 7-6
Configuring User Tracking Acquisition Actions 7-7
Using User and Host Acquisition 7-8
Modifying UT Acquisition Settings 7-8
Configuring Rogue MAC List 7-16
Modifying UT Acquisition Schedule 7-19
Modifying Ping Sweep Options 7-20
Configuring UT Subnet Acquisition 7-21
Deleting User Tracking Purge Policy Details 7-22
Configuring UT Acquisition in Trunk for End Host Discovery
Importing Information on End Host Users 7-24
Understanding Dynamic Updates 7-24
MAC User-Host Information Collector (MACUHIC) Process
User Tracking Manager (UTManager) Process 7-26
UTLite 7-26
Viewing Dynamic Updates Process Status 7-27
Enabling SNMP Traps on Switch Ports 7-27
SNMP MAC Notification Listener 7-29
Configuring SNMP Trap Listener 7-29
HPOV as Primary Listener 7-30
LMS Fault Monitor Module as Primary Listener 7-32
Configuring Dynamic User Tracking 7-33
7-23
7-26
viii
OL-25947-01
Contents
Using User Tracking Utility 7-34

Understanding UTU 7-34
Hardware and Software Requirements for UTU 7-35
Downloading UTU 7-35
Installing UTU 7-36
Installing UTU in Silent Mode 7-36
Installing UTU in Normal Mode 7-37
Accessing UTU 7-38
Configuring UTU 7-39
Searching for Users, Hosts or IP Phones Using UTU 7-40
Uninstalling UTU 7-45
Upgrading to UTU 2.0 7-45
Re-installing UTU 2.0 7-46
CHAPTER
Administering Collection Settings
8-1
Using the Inventory Job Browser 8-2

Viewing Job Details 8-6
Creating and Editing an Inventory Collection or Polling Job 8-7
Stopping, Cancelling or Deleting an Inventory Collection or Polling Job
Timeout and Retry Settings
Secondary Credentials
8-9
8-9
8-11
Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX
System 8-12
Changing the Schedule for System Inventory Collection or Polling Settings 8-12
Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings 8-13
PSIRT or End-of-Sale or End-of-Life Data Administration 8-14
Changing the Data Source for PSIRT/EOS/EOL Reports 8-14
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com 8-16
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location
Administering VRF Lite 8-18
Using VRF Lite Collector Settings 8-18
Scheduling VRF Lite Collector 8-19
Modifying VRF Lite SNMP Timeouts and Retries
8-16
8-20
Modifying Fault Management SNMP Timeout and Retries
8-21
Configuring Fault Management Rediscovery Schedules 8-22

Suspending and Resuming a Rediscovery Schedule 8-22
Adding and Modifying a Rediscovery Schedule 8-23
Configuring Event Forensics
8-24
Fault Monitoring Device Administration
8-25
OL-25947-01
ix
Contents
Device Management Functions
8-26
Performance Management SNMP Timeouts and Retry Settings

IPSLA Application Settings 8-28
Copying IPSLA Configuration to Running-Config
Managed Source Interface Setting 8-29
8-27
8-29
Setting Up Archive Management 8-30

Preparing to Use the Archive Management 8-30
Entering Device Credentials 8-30
Modifying Device Configurations 8-32
Enabling rcp 8-32
Enabling scp 8-33
Enabling https 8-33
Configuring Devices to Send Syslogs 8-33
Modifying Device Security 8-34
Router Commands 8-34
Switches Commands 8-35
Content NetworkingContent Service Switch Commands 8-35
Content NetworkingContent Engine Commands 8-35
Cisco Interfaces and ModulesNetwork Analysis Modules 8-35
Security and VPNPIX Devices 8-36
Moving the Configuration Archive Directory 8-36
Enabling and Disabling the Shadow Directory 8-37
Configuring Exclude Commands 8-38
Configuring Fetch Settings 8-40
Understanding Configuration Retrieval and Archival 8-40
Schedule Periodic Configuration File Archival 8-40
Schedule Periodic Configuration Polling 8-41
Manual Updates (Sync Archive function) 8-41
Using Version Summary 8-41
Timestamps of Configuration Files 8-42
How Running Configuration is Archived 8-42
Change Audit Logging 8-43
Defining the Configuration Collection Settings
8-43
Configuring Transport Protocols 8-46

Requirements to Use the Supported Protocols 8-46
Supported Protocols for Configuration Management Applications
Defining the Protocol Order 8-49
Overview: Common Syslog Collector
8-49
8-50
Viewing Status and Subscribing to a Common Syslog Collector
8-51
OL-25947-01
Contents
Viewing Common Syslog Collector Status 8-51

Subscribing to a Common Syslog Collector 8-52
Testing Syslog Collector Subscription 8-53
Understanding the Syslog Collector Properties File 8-55
Timezone List Used By Syslog Collector 8-58
CHAPTER
Monitoring and Troubleshooting Settings
9-1
Configuring Fault Poller Settings For Topology

Loading MIB Files
9-1
9-2
Configuring RMON 9-5

Modifying the Parameters 9-6
Enabling RMON on All Ports in Selected Devices 9-7
Enabling RMON on Selected Ports in Selected Devices
Disabling RMON 9-8
9-7
Configuring Topology Settings 9-8

Viewing Restricted Topology 9-9
CHAPTER
10
Notification and Action Settings
10-1
Understanding Notifications and Subscriptions

Customizing LMS Events
10-2
10-5
Configuring Event Sets and Notification Groups for Subscriptions 10-6

Configuring Event Sets 10-6
Configuring Fault Notification Groups 10-7
Setting Up a Fault Notification Group as Static or Dynamic 10-8
Managing Fault SNMP Trap Notifications 10-9
Adding an SNMP Trap Notification Subscription 10-10
Editing an SNMP Trap Notification Subscription 10-11
Suspending an SNMP Trap Notification Subscription 10-11
Resuming an SNMP Trap Notification Subscription 10-12
Deleting an SNMP Trap Notification Subscription 10-12
Managing Fault E-Mail Configurations 10-13
Managing Fault E-Mail Notification Subscriptions 10-13
Adding and Editing an E-Mail Notification Subscription
Managing Fault E-Mail Subject Customization 10-16
10-14
Managing Fault Syslog Notifications 10-17

Adding a Syslog Notification Subscription 10-18
Editing a Syslog Notification Subscription 10-19
Suspending a Syslog Notification Subscription 10-20

OL-25947-01
xi
Contents
Resuming a Syslog Notification Subscription 10-20

Deleting a Syslog Notification Subscription 10-21
Configuring Fault SNMP Trap Receiving and Forwarding 10-21
Enabling Devices to Send Traps to LMS 10-22
Enabling Cisco IOS-Based Devices to Send Traps to LMS 10-23
Enabling Catalyst Devices to Send SNMP Traps to LMS 10-23
Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs
Updating the SNMP Trap Receiving Port 10-24
Configuring SNMP Trap Forwarding 10-25
Performance SNMP Trap Notification Groups
Creating a Trap Receiver Group 10-26
Editing a Trap Receiver Group 10-27
Deleting a Trap Receiver Group 10-29
Filtering Trap Receiver Groups 10-29
10-24
10-25
Performance Syslog Notification Groups 10-31

Creating a Syslog Receiver Group 10-32
Editing a Syslog Receiver Group 10-33
Deleting a Syslog Receiver Group 10-34
Filtering Syslog Receiver Groups 10-35
Defining Automated Actions 10-36
Creating an Automated Action 10-37
Editing an Automated Action 10-39
Guidelines for Writing Automated Script 10-41
Enabling or Disabling an Automated Action 10-41
Exporting or Importing an Automated Action 10-41
Deleting an Automated Action 10-42
Automated Action: An Example 10-42
Verifying the Automated Action 10-44
Defining Syslog Message Filters 10-44
Creating a Filter 10-45
Editing a Filter 10-46
Enabling or Disabling a Filter 10-47
Exporting or Importing a Filter 10-47
Deleting a Filter 10-48
Inventory and Config Collection Failure Notification 10-48
Configuring Trap Notification Messages 10-50
Examples for Collection Failure Notification 10-50
Fields in a Trap Notification Message 10-50
IPSLA Syslog Configuration
10-51
xii
OL-25947-01
Contents
CHAPTER
11
Administering Change Audit and Software Management

Setting Up Preferences
11-1
11-2
Performing Change Audit Tasks
11-2
Performing Maintenance Tasks 11-3

Setting the Purge Policy 11-4
Performing a Forced Purge 11-5
Config Change Filter 11-7
Defining Exception Periods 11-7
Creating an Exception Period 11-8
Enabling and Disabling an Exception Period
Editing an Exception Period 11-9
Deleting an Exception Period 11-9
11-8
Defining Change Audit Automated Actions 11-10

Understanding the Automated Action Window 11-10
Creating an Automated Action 11-11
Editing an Automated Action 11-13
Enabling and Disabling an Automated Action 11-13
Exporting and Importing an Automated Action 11-14
Deleting an Automated Action 11-14
Software Management Administration Tasks 11-15
Viewing/Editing Preferences 11-15
Selecting and Ordering Protocol Order 11-19
How Recommendation Filters Work for an IOS Image
Setting Change Report Filters
CHAPTER
12
Managing Jobs
11-20
11-22
12-1
Using Job Browser
12-1
Configuring Default Job Policies 12-5

Defining the Default Job Policies 12-6
Configuring NetShow Job Policies 12-11
Defining Default Job Policies 12-12
Purging Configuration Management Jobs
Defining Protocol Order 12-14
Masking Credentials 12-15
12-13
Enabling Approval and Approving Jobs Using Job Approval
12-15
Job Approval Workflow 12-16

Specifying Approver Details 12-16
Creating and Editing Approver Lists 12-17
OL-25947-01
xiii
Contents
Assigning Approver Lists 12-18

Setting Up Job Approval 12-18
Approving and Rejecting Jobs 12-20
Using Device Selector 12-23
Using Simple Search 12-24
Using Advanced Search 12-25
Using the All Tab 12-30
Using the Search Results Tab 12-32
Using the Selection Tab 12-32
Editing Device Attributes 12-33
Attribute Error Report 12-36
Device Attributes Export File Format 12-36
CHAPTER
13
Working With Software Center
13-1
Performing Software Updates 13-2

Viewing the List of Installed Applications and Packages
Selecting Software Updates 13-3
Downloading Software Updates 13-4
13-2
Performing Device Update 13-4

Viewing Package Map 13-5
Viewing Device Map 13-5
Checking for Updates 13-6
Deleting Packages 13-7
Scheduling Device Package Downloads
Scheduled Job
Event Log
13-8
13-9
13-10
Point Patch Update
13-10
Using the Software Center CLI Utility 13-11

Querying Updates on the LMS Server 13-12
Installing Device Packages 13-12
Uninstalling Device Packages 13-13
Downloading Software Updates 13-13
Downloading Device Updates 13-14
Downloading Point Patch Updates 13-15
Installing Point Patch Updates 13-15
Listing Dependent Device Packages 13-16
Listing Device Packages Version 13-17
xiv
OL-25947-01
Contents
CHAPTER
14
Discrepancies and Best Practices Deviations
14-1
Understanding Discrepancies and Best Practices Deviations
14-1
Interpreting Discrepancies 14-2

Trunking Related Discrepancies 14-2
Trunk Negotiation Across VTP Boundary 14-3
Native VLANs Mismatch 14-4
Trunk VLANs Mismatch 14-4
Trunk VLAN Protocol Mismatch 14-4
VLAN-VTP Related Discrepancies 14-5
VTP Disconnected Domain 14-5
No VTP Server in Domain with at least One VTP Client
Link Related Discrepancies 14-6
Link Duplex Mismatch 14-6
Link Speed Mismatch 14-8
Link Trunk/NonTrunk Mismatch 14-9
Port Related Discrepancy 14-10
Port is in Error Disabled State 14-10
Device Related Discrepancy 14-11
Devices With Duplicate SysName 14-11
Spanning Tree Related Discrepancy 14-11
Port Fast Enabled on Trunk Port 14-11
14-5
Interpreting Best Practices Deviations 14-12

Channel Ports Related Best Practices Deviations 14-13
Non-channel Port in Desirable Mode 14-13
Channel Port in Auto Mode 14-14
Spanning Tree Related Best Practices Deviations 14-15
BPDU Filter Disabled on Access Ports 14-16
BPDU-Guard Disabled on Access Ports 14-17
BackboneFast Disabled in Switch 14-18
UplinkFast not Enabled 14-20
Loop Guard and Port Fast Enabled on Ports 14-22
Trunk Ports Related Best Practices Deviations 14-23
Non-trunk Ports in Desirable Mode 14-23
Trunk Ports in Auto Mode 14-25
VLAN Related Best Practices Deviations 14-25
VLAN Index Conflict 14-26
VLAN Name Conflict 14-26
Link Ports Related Best Practice Deviation 14-26
UDLD Disabled on Link Ports 14-27

OL-25947-01
xv
Contents
Access Ports Related Best Practice Deviation 14-28

CDP Enabled on Access Ports 14-28
Cisco Catalyst 6000 Devices Related Best Practice Deviation
High Availability not Operational 14-29
Customizing Discrepancies Reporting and Syslog Generation
CHAPTER
15
Report Setting
Specifying Domain Name Display

Set Report Publish Location
16
Purge Settings
14-30
15-1
Specifying User Tracking Report Purge Policy
CHAPTER
14-29
15-1
15-2
15-2
16-1
Purging Reports Jobs and Archived Reports
16-1
Purging VRF Management Reports Jobs and Archived Reports

Purging Configurations from the Configuration Archive
Syslog Administrative Tasks 16-4
Setting the Syslog Backup Policy
Setting the Syslog Purge Policy 16-6
Performing a Syslog Forced Purge
16-2
16-2
16-5
16-7
Purging Configuration Management Jobs 16-8

Scheduling a Configuration Management Purge Job 16-10
Enabling a Configuration Management Purge Job 16-11
Disabling a Configuration Management Purge Job 16-11
Performing an Immediate Purge for Configuration Management Jobs
Performance Purge Jobs
16-12
Performance Purge Data
16-14
View Performance Purge Details

IPSLA Data Purging Settings
16-17
16-18
Configuring the Daily Fault History Purging Schedule
CHAPTER
17
Debugging Options
16-12
16-20
17-1
Configuring Discovery Logging
17-1
Maintaining Log Files 17-2

Maintaining Log Files on Solaris/Soft Appliance 17-3
Maintaining Log Files on Windows 17-3
About Cisco Prime Common Services Log Files 17-4
Viewing and Maintaining LMS Log File Details 17-6
xvi
OL-25947-01
Contents
Fault Management Log Files
17-8
Performance Debugging Settings 17-9

IPSLA Debugging Settings 17-11
Config and Image Management Debugging Settings
Configuring Logging
17-13
17-17
Fault Debugging Settings
17-18
Setting Debugging Options for Topology and User Tracking 17-20

Setting up Debugging Options for Data Collection 17-20
Setting up Debugging Options for Network Reports 17-23
Setting Debugging Options for Device Groups 17-24
Setting Debugging Options for Topology 17-24
Debugging Options for User Tracking Server 17-25
Debugging Dynamic Updates 17-26
Debugging Options for User Tracking Reports 17-29
Debugging Options for Dynamic User Tracking Console 17-29
Debugging Options for CiscoView 17-30
Setting VRF Lite Debugging Options 17-30
VRF Lite Server Debugging Settings 17-31
VRF Lite Collector Debugging Settings 17-32
VRF Lite Client Debugging Settings 17-33
VRF Lite Utility Debugging Settings 17-33
CHAPTER
18
Understanding LMS Tasks
18-1
Understanding Admin Tasks 18-1

Understanding System Tasks 18-2
Understanding Trust Management Tasks
Understanding Network Tasks 18-8
Understanding Collection Tasks 18-13
18-7
Understanding Report Tasks 18-17

Understanding Fault and Event Report Tasks 18-18
Understanding Report Archives Tasks 18-19
Understanding Report Designer Tasks 18-19
Understanding Inventory Report Tasks 18-20
Understanding Audit Report Tasks 18-20
Understanding Technology Report Tasks 18-21
Understanding Performance Report Tasks 18-21
Understanding System Report Tasks 18-23
Understanding Switch Port Report Tasks 18-24
Understanding Configuration Tasks
18-25
OL-25947-01
xvii
Contents
Understanding Configuration Archive Tasks 18-25

Understanding Configuration Tools Tasks 18-26
Understanding ConfigCLI Tasks 18-28
Understanding Configuration Workflows Tasks 18-29
Understanding Configuration Job Browsers Tasks 18-30
Understanding Compliance Tasks 18-30
Understanding Monitor Tasks 18-31
Understanding Performance Settings Tasks 18-31
Understanding Fault Settings Tasks 18-33
Understanding Threshold Settings Tasks 18-33
Understanding Troubleshooting Tools Tasks 18-34
Understanding Monitoring Tools Tasks 18-35
Understanding Inventory Tasks 18-36
Understanding Group Management Tasks 18-36
Understanding Job Browsers Tasks 18-37
Understanding Device Administration Tasks 18-37
Understanding Inventory Tools Tasks 18-38
Understanding Work Center Tasks 18-38
Understanding Smart Install Tasks 18-39
Understanding Auto Smartports Tasks 18-39
Understanding Identity Tasks 18-39
Understanding EnergyWise Tasks 18-40
APPENDIX
CLI Tools
A-1
Setting Up Local Users Through CLI A-2

Adding Local Users A-2
Importing Local Users A-4
Importing Users From ACS A-5
Migrating User Details from LMS 3.2 to LMS 4.x versions
Changing Cisco Prime User Password Through CLI
A-5
A-6
Managing Processes Through CLI A-8

Viewing Process Details Through CLI A-8
Viewing Brief Details of Processes A-9
Viewing Processes Statistics A-10
Starting a Process A-10
Stopping a Process A-10
Working With Third Party Security Certificates A-11
Uploading Third Party Security Certificates to LMS Server A-11
Using the SSL Utility Script to Upload Third Party Security Certificates
A-15
xviii
OL-25947-01
Contents
Setting up Browser-Server Security A-16

Enabling Browser-Server Security From the Command Line Interface (CLI) On Windows
Platforms A-16
Enabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance
Platforms A-17
Disabling Browser-Server Security From the Command Line Interface (CLI) On Windows
Platforms A-18
Disabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance
Platforms A-18
Backing up Data Using CLI
A-20
Using LMS Server Hostname Change Scripts A-20

Running the Hostname Change Script A-23
Using DCR Features Through CLI A-25
Viewing the Current DCR Mode Using CLI
Viewing Device Details A-26
Changing DCR Mode Using CLI A-26
A-25
Using Group Administration Features Through CLI

Exporting Groups Through CLI A-28
Importing Groups Through CLI A-29
Deleting Stale Groups Using CLI
A-27
A-30
User Tracking Command Line Interface A-30

Exporting Switch Port Usage Report A-34
Using Lookup Analyzer Utility
A-35
Understanding UTLite A-37

Installing UTLite Script on Active Directory/Windows A-38
Installing UTLite Script on NDS A-40
Uninstalling UTLite Scripts From Windows A-41
Uninstalling UTLite Scripts From Active Directory A-41
Uninstalling UTLite Scripts From NDS A-42
User Tracking Debugger Utility A-42
Understanding Debugger Utility A-42
Using Debugger Utility A-43
Configuring Switches to Send MAC Notifications to LMS Server
A-43
Administration Command Line Interface A-44

SNMP Configuration on Devices A-46
APPENDIX
Troubleshooting and FAQs
B-1
Troubleshooting Guidelines B-1

Troubleshooting User Tracking
B-1

OL-25947-01
xix
Contents
Troubleshooting the Cisco Prime LMS Server

Verifying Server Status B-3
Troubleshooting Suggestions B-5
B-2
Frequently Asked Questions B-6

User Tracking FAQs B-7
VRF Lite FAQs B-9
Cisco Prime LMS Server FAQs B-14
General B-15
Important URLs B-26
Security B-27
Software Center B-30
Event Distribution Services and Event System Services
Backup and Restore B-33
Database B-34
Apache and Tomcat B-36
Fault Management FAQs B-42
Device Performance Management FAQs B-43
IPSLA Performance Management FAQs B-44
APPENDIX
Data Extraction Engine
B-32
C-1
Overview of Data Extraction Engine
C-1
The cmexport Command C-2

Running cmexport Command C-2
cmexport Arguments and Options C-3
Mandatory Arguments C-4
Optional Arguments C-4
Function-Specific Options C-5
Displaying Help C-5
Uses of cmexport C-5
cmexport User Tracking
C-6
cmexport Topology Command
C-9
cmexport Discrepancy Command
C-12
cmexport Manpage C-14

Command Line Syntax C-14
Commands C-14
Arguments and Options C-15
Mandatory Arguments C-15
Function-Specific Options C-16
Accessing Help C-16
xx
OL-25947-01
Contents
DEE Developers Reference C-16

Schema for User Tracking Data C-17
User Tracking Schema for Switch Data C-18
User Tracking Schema for Phone Data C-19
User Tracking Schema for Subnet Data C-19
Schema for Topology Data C-20
Schema for Discrepancy Data C-21
Using Servlet to Export Data from LMS C-22
APPENDIX
Understanding Cisco Prime Security

General Security
D-1
D-1
Server Security D-2

ServerImposed Security D-2
Files, File Ownership, and Permissions D-2
Runtimer D-3
Remote Connectivity D-4
Access to Systems Other Than the Cisco Prime LMS Server
Access Control D-4
System Administrator-Imposed Security D-5
Connection Security D-5
Security Certificates D-5
Terms and Definitions D-6
APPENDIX
Commands to Enable MAC Notification Traps on Devices

Overview of Dynamic Updates
E-1
E-1
Configuring Switches With MAC Notification Commands

Device Operating System Version-Specific Commands
E-2
E-2
List of Commands to Enable MAC Notification Traps on Devices
APPENDIX
Recommended Best Practices
E-3
F-1
Basic Server and Client Requirements
F-1
Best Practices to Reclaim Disk Space Using Purging Method

Purging Databases F-2
Purging Jobs F-3
Purging Archives F-4
Best Practices for Improving System Performance
Backing Up Data
D-4
F-1
F-4
F-6
Handling Custom Telnet Prompts
F-6

OL-25947-01
xxi
Contents
INDEX
xxii
OL-25947-01
Preface
Administration in Cisco Prime LAN Management Solution (LMS) 4.2 groups all the activities and tasks
that a user with Network or System Administrator privileges needs to perform.
This preface details the related documents that support the Admin feature, and demonstrates the styles
and conventions used in this guide. This preface contains:
Audience
Document Conventions
Product Documentation
Audience
This guide is for users who are skilled in network administration and management, and for network
operators who use this guide to make configuration changes of devices using LMS. The network
administrator or operator should be familiar with the following:
Basic Network Administration and Management
Basic Solaris System Administration
Basic Windows System Administration
Basic Soft Appliance System Administration
Basic LMS Administration
Document Conventions
Table 1 describes the conventions followed in the user guide.
Table 1
Conventions Used
Item
Convention
Commands and keywords
boldface font
Variables for which you supply values
italic font
Displayed session and system information
screen
Information you enter
boldface screen
font
font

OL-25947-01
xxiii
Preface
Table 1
Note
Conventions Used (continued)
Item
Convention
Variables you enter
italic screen
Menu items and button names
boldface font
Selecting a menu item in paragraphs
Option > Network Preferences
Selecting a menu item in tables
Option > Network Preferences
font
Means reader take note. Notes contain helpful suggestions or references to material not covered in the
publication.
Note
We sometimes update the printed and electronic documentation after original publication. Therefore,
you should also review the documentation on Cisco.com for any updates.
Table 2 describes the product documentation that is available.
Table 2
Document Title
Administration of Cisco Prime LAN Management
Solution 4.2 (this document)
Context-sensitive online help

Getting Started with Cisco Prime LAN
Configuration Management with Cisco Prime

LAN Management Solution 4.2
Available Formats
On Cisco.com at
http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/
user/guide/admin/admin.html
PDF version part of Cisco Prime LMS 4.2

Product DVD.
Select an option from the navigation tree, then

click Help.
On Cisco.com at
user/guide/getting_started/
lms42_getstart_guide.html

Product DVD.
On Cisco.com at
user/guide/configuration/config.html

Product DVD.
xxiv
OL-25947-01
Preface
Table 2
Product Documentation (continued)
Document Title
Available Formats
Monitoring and Troubleshooting with Cisco

Prime LAN Management Solution 4.2
Inventory Management with Cisco PrimeLAN

Technology Work Centers in Cisco Prime LAN

Reports Management with Cisco PrimeLAN

Installing and Migrating to Cisco Prime LAN

Navigation Guide for Cisco Prime LAN

Open Database Schema Support in Cisco Prime

LAN Management Solution 4.2
On Cisco.com at
ciscoworks_lan_management_solution/4.2/us
er/guide/lms_monitor/lms_mnt.html

Product DVD.
On Cisco.com at
er/guide/inventory/inventory.html

Product DVD.
On Cisco.com at
er/guide/workcenters/wcug.html

Product DVD.
On Cisco.com at
er/guide/reports/lms42_reports_guide.html

Product DVD.
On Cisco.com at
ciscoworks_lan_management_solution/4.2/in
stall/guide/install.html

Product DVD.
On Cisco.com at
ciscoworks_lan_management_solution/4.2/N
avigation/guide/lms42_nav_guide.html

Product DVD.
On Cisco.com at
ciscoworks_lan_management_solution/4.2/da
tabase_schema4.2/guide/dbviews.html

Product DVD.

OL-25947-01
xxv
Preface
Table 2
Product Documentation (continued)
Document Title
Release Notes for Cisco Prime LAN Management
Solution 4.2
Supported Devices Table for Cisco Prime LAN

Documentation Roadmap for Cisco Prime LAN

Available Formats
On Cisco.com at
ciscoworks_lan_management_solution/4.2/re
lease/notes/lms42rel.html

Product DVD.
On Cisco.com at
ciscoworks_lan_management_solution/4.2/de
vice_support/table/lms42sdt.html

Product DVD.
Printed document part of Software kit
Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly Whats New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the Whats New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.
xxvi
OL-25947-01
Notices
The following notices pertain to this software license.
OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the
original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses
are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact
openssl-core@openssl.org.
OpenSSL License:
Copyright 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1.
Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3.
All advertising materials mentioning features or use of this software must display the following
acknowledgment: This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit (http://www.openssl.org/).
4.
The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote
products derived from this software without prior written permission. For written permission, please
contact openssl-core@openssl.org.

OL-25947-01
xxvii
Notices
5.
Products derived from this software may not be called OpenSSL nor may OpenSSL appear in
their names without prior written permission of the OpenSSL Project.
6.
Redistributions of any form whatsoever must retain the following acknowledgment:

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS' AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product
includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License:
Copyright 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are
adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,
lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is
covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Youngs, and as such any Copyright notices in the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts of
the library used. This can be in the form of a textual message at program startup or in documentation
(online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1.
Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3.
All advertising materials mentioning features or use of this software must display the following
acknowledgement:
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
The word cryptographic can be left out if the routines from the library being used are not
cryptography-related.
4.
If you include any Windows specific code (or a derivative thereof) from the apps directory
(application code) you must include an acknowledgement: This product includes software written
by Tim Hudson (tjh@cryptsoft.com).
xxviii
OL-25947-01
Notices
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED

WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be
changed. i.e. this code cannot simply be copied and put under another distribution license [including the
GNU Public License].

OL-25947-01
xxix
Notices
xxx
OL-25947-01
CH A P T E R
This guide is intended for Local Area Network (LAN) administrators and management professionals
who perform LAN configurations and monitor LAN performance.
The Admin menu groups all the activities and tasks that a user with Network or System Administrator
privileges can perform.
This section explains:
Understanding the System Dashboard

The Administration user guide is organized as follows:
Table 1-1
Administration User Guide
Chapter
Description
Chapter 1, Overview of Administration
Provides information on the organization of Administration with Cisco Prime

LMS user guide, and describes the System Dashboard portlets in LMS.
Chapter 2, Setting up Security
Describes the security mechanisms that help to prevent unauthenticated access

to LMS server, Cisco Prime applications, and data. LMS provides features for
managing security while operating in single-server and multi-server modes.
Chapter 3, Administering LMS Server
Describes how to use administrative features to ensure that the server is performing properly.
You can manage processes, set up backup parameters, update licensing information, collect server information, manage jobs and resources, and configure system-wide information on the Cisco Prime LMS Server.
Chapter 4, Administering Discovery

Describes how to configure discovery settings, and perform administrative tasks
Settings and Device and Credential Repos- in DCR.
itory

OL-25947-01
1-1
Chapter 1
Table 1-1
Administration User Guide (continued)
Chapter
Description
Chapter 5, Managing Groups
Describes how to use the Grouping feature in LMS.

LMS 4.2 has a more robust device grouping which can support 600 device
groups. The other grouping services that are available in LMS are:
Fault Group
IPSLA Collector Group
Port and Module Group
Chapter 6, Administering Data Collection
Describes how to use Data Collection.
Chapter 7, User Tracking and Dynamic

Updates
Describes how to use User Tracking and Dynamic Updates.

User Tracking allows you to track end stations.
Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps.which
Chapter 8, Administering Collection

Settings
Describes how to configure the various collection settings in LMS.
Chapter 9, Monitoring and Troubleshoot- Describes how to configure all the administrative tasks that you need to perform
ing Settings
to monitor and troubleshoot your network using LMS.
Chapter 10, Notification and Action
Settings
Describes how to configure the the administrative tasks involved in setting up notification, syslog settings.
You can also customize the names and event severity, create and activate a notification subscriptions, and setup up automated actions for Change Audit tasks
and syslogs.
Chapter 11, Administering Change Audit Describes how to perform Change Audit tasks and set your preference to
and Software Management
download images.
Chapter 12, Managing Jobs
Describes how to manage jobs in LMS, and set up job approval for certain
modules in LMS.
Chapter 13, Working With Software

Center
Describes how to use the Software Center to check for software and device
support updates, download them to their server file system along with the related
dependent packages, and install the device updates.
Chapter 14, Discrepancies and

Best Practices Deviations
Describes how to use the Discrepancies Reporting module of LMS to view the
discrepancies and best practices deviations in your network.
Chapter 15, Report Setting
Describes how to configure some settings for generating reports and set a report
publish location.
Chapter 16, Purge Settings
Describes how to configure the purge settings of all modules in LMS.
Chapter 17, Debugging Options
Describes how to configure the debugging settings of all modules in LMS.

You can also view the details of all the log files.
Chapter 18, Understanding LMS Tasks
Describes all LMS tasks.
Appendix A, CLI Tools
Describes all the CLI utilities that are available for the administrator in LMS 4.2.
Appendix B, Troubleshooting and FAQs Provides troubleshooting and FAQs.

Appendix C, Data Extraction Engine
Describes how to export User Tracking, Topology, and Discrepancy application

data using Data Extraction Engine
1-2
OL-25947-01
Chapter 1
Table 1-1
Administration User Guide (continued)
Chapter
Description
Appendix D, Understanding Cisco Prime Describes the various levels of security implemented in Cisco Prime LMS.
Security
Appendix E, Commands to Enable MAC Provides information on the list of commands that needs to run on each device
Notification Traps on Devices
to enable MAC Notification traps
The System Administration tasks are grouped into:
Authentication Mode Setup
Backup
Cisco.com Settings
Debug Settings
Group Management
License Management
Log Rotation
Server Monitoring
SMTP Default Server
Software Center
System Preferences
User Management
The Network Administration tasks are grouped into:
Change Audit Settings
Discovery Settings
PSIRT, EOS and EOL Settings
Configuration Job Settings
Device Credential Settings
Best Practises Deviation Settings
Display Settings
Monitor and Troubleshoot
Purge Settings
Resource Browser
Software Image Management
The Collection Settings are grouped into:
Config

OL-25947-01
1-3
Chapter 1
Data Collection
Fault
Inventory
Performance
Syslog
User Tracking
VRF Lite
Apart from the system administration and network administration tasks, you can also perform:
Trust Management
Local Server
Multi Server
Job Management
Job Browser
Job Approval
The two dashboards in the Admin menu are:
System Dashboard. For more information, see Understanding the System Dashboard
Device Status Dashboard.

This section is explained in the Inventory Online Help.
IPv6 Support in LMS
LMS provides IPv6 Support for the following features:
1-4
OL-25947-01
Chapter 1
Application
IPv6 Supported Features
Common Services
The following features in Common Services support IPv6:
Device Discovery
Common Services Device Discovery allows you to discover devices
from IPv6 networks, using CDP and Ping Sweep on IP Range Device
Discovery modules.
DCR and Grouping Services

DCR supports IPv6 and stores the expanded format of IPv6 Addresses
that are discovered by the CDP and Ping Sweep on IP Range modules.
Device Polling
The device polling feature allows you to poll device using IPv6 address.
Device Selector
The device selector feature allows you to search a device using IPv6
address either in a compressed format or in a expanded format.
Configuring Default Credentials

You can define a default credential policy type based on the standard
IPv6 Address format (6 octets separated by periods).
You can now create group rules based on IPv6 management addresses.
LMS supports IPv6 Addressing scheme in the following Device Discovery
pages:
Seed Device Setting Page
SNMP Settings Page
Filter Settings Page
In the Device Troubleshooting home page, the existing IP Address field

supports IPv6 Addresses.

OL-25947-01
1-5
Chapter 1
Application
Inventory, Config and

Image Management
The following features/technologies in Inventory, Config and Image

Management support IPv6:
CiscoView
Assigning an IPv6 Address to a Layer 3 device or VLAN
Retrieving software files from a device
Distributing different versions of software to a device
Scheduling retrieval of software from a device
Retrieving configuration files from a device
Distributing a new configuration to a device
Distributing a historical configuration file to a device
Scheduling distribution of configuration files to a device
Provisioning Auto Smart Ports on ASP-capable devices
Medianet
Provisioning Identity on Identity-capable devices
Configuring Syslogs
IPv6 sorting in Work Center Grids.
CiscoView allows you to enter an IPv6 Address of a device to display the

device view for configuring and remote monitoring.
1-6
OL-25947-01
Chapter 1
Application
Network Topology,
Layer 2 Services and
User Tracking
The following features in Network Topology, Layer 2 Services and User

Tracking support IPv6:
Data Collection
The following tasks related to Data Collection are supported in the IPv6
environment:
SNMP Timeout and Retry configuration for IPv6 devices
Viewing Data Collection Metrics and reports for IPv4/IPv6 devices
Creating group rules based on IPv6 Subnet and IPv6 Subnet Masks
Device-based debugging for IPv6 devices
Topology
The following tasks related to Topology are supported in the IPv6
environment:
Setting an IPv6 Address as the preferred Management Address
from Topology view

Cross-launching Inventory, Config and Image Management and
CiscoView from Topology Services - Device Dashboard and Add to

Critical Poller
Selecting IPv6 devices for Device Type Topology Filter
Network Topology, Layer 2 Services and User Tracking Reports

IP Address fields in all these reports except User Tracking reports can
now display IPv6 Addresses.
You can sort the reports based on IP Addresses (IPv4 and IPv6).
VLAN Configuration
The following VLAN related configurations are supported in the IPv6
environment:
Configure VLAN
Delete VLAN
Create Private VLAN
Delete Private VLAN
Configure Port Assignment
Configure Promiscuous Ports
Create Trunk
Modify Trunk Attributes
Monitoring and
Troubleshooting
Note
LMS supports IPv6 Addressing scheme in Device Performance

Management.
In LMS, IPv6 support is provided for Dual stack devices.

OL-25947-01
1-7
Chapter 1

The System Dashboard has the following portlets:
Note
The data in these portlets does not appear based on any role-based authorization, both device-level or
user-level authorization.
Cisco Prime Product Updates
Critical Message Window
Log Space Usage
Process Status
System Backup Status
User Login Information
Job Information Status
Audit Trail Information
Job Approval
Syslog Collectors Information
Supported Device Finder Portlet
VRF Collector Summary
Collection Summary Portlet
Cisco Prime Product Updates

You can view the recent updates and announcements of Cisco Prime products using Cisco Prime Product
Updates.
Critical Message Window

In the Critical Message Window portlet, you can view the alerts for Cisco Prime Drive Utilization and
for processes that are down. For details, see Utilizing Space in the Cisco Prime Drive.
For instance, if the usage of the drive exceeds the specified limit, the alerts appear. You can click the
help link to view the details, and can reduce drive utilization.
You must configure the refresh time in the portlets.
You can also get information about:
Authentication mode fallback

Authentication mode from which the user fallbacks to the Local Authentication module. This
message appears when the user is in fallback mode.
License expiration
1-8
OL-25947-01
Chapter 1
Single Sign On (SSO) master unreachability, which is applicable only for a slave server.
Utilizing Space in the Cisco Prime Drive

You can use the space in Cisco Prime LMS drive in the following ways:
Delete the unwanted log files from the NMSROOT directory.
Use the log rotate functionality, to rotate the logs to other drives.
Remove unwanted files from the NMSROOT drive.
Note
The Authentication modes appear in the Critical Message Window portlet (in red) if you do not
have full privileges in the Device Credential and AAA Information portlet.
Table 1-2 lists the Critical Message Window portlet details.

Table 1-2
Critical Message Window Portlet
Details
Description
Cisco Prime Drive Utilization
Displays the utilization of the drive for Windows, Solaris

and Soft Appliance.
For Windows:
Drive is where the product is installed.
For example, 'C' drive in case of "C/Program
Files/CSCOpx"
For Solaris/Soft Appliance:
The portlet displays the File System utilization of the
following:
/opt - Product Installed location
/var - Log file details location.
Processes xyz are down.
Displays the processes that are down.
For example:ESS, EssMonitor, Proxy

and so on.
All the processes that are down are displayed in red in the
portlet.
However, when Fault processes such as DFMCTMStartup
and Data Purge are down, they are not displayed in the
Critical Message Window portlet.

The Device Credentials and AAA Information portlet allows you to view the information about the
device credentials, admin settings, security settings, and device polling status.
The security settings enable you to view the security settings in LMS such as the Authentication mode,
and Single sign-on configuration.
Table 1-3 lists the Device Credentials and AAA Information portlet details.

OL-25947-01
1-9
Chapter 1
Table 1-3
Device Credentials and AAA Information Portlet
Field
Description
Authentication Mode
Mode selected to authenticate the LMS server when logging into the LMS
application. For example, TACACS+, MS Active Directory.
If the status is displayed in green, authentication is successful in the local or

external server.
The status is in red when you log into the Cisco Prime application in fallback
mode.
Authorization Mode
Mode used to authorize the user after authentication. From LMS 4.0, only the
Local Authentication mode is used to authenticate users, and authorize them to
access Cisco Prime LMS. ACS mode is not available.
Single Sign On (SSO) Mode
SSO mode such as Stand alone and Master/Slave.
No. of Devices
Number of devices. Click on the number to view the DCR Device Management
page details.
DCR Mode
DCR mode such as Standalone, Master, Slave.

For more information about DCR mode, see DCR Architecture in Inventory
Management Online Help.
For more information on changing the DCR mode, see Changing DCR Mode.
Device Polling Status
Device Polling Status
Status of the device polling.

The status can be either enabled or disabled.
If the status is enabled, then it displays the scheduled jobs along with the Job ID.
For example Job ID: 1034.
Device Polling Frequency
Polling frequency of the devices.

This frequency can be:
Total Unreachable Devices
Every 6 hours
Every 12 hours
Daily
Weekly
Monthly
Total number of devices that are not reachable.

Click the unreachable device link to view the report.
Next Polling Schedule
Time at which the next polling is scheduled.
Log Space Usage

In Log Space Usage portlet, you can manage the reports on log file size.
The Log Space Usage portlet also displays details of all log files, including the Tomcat and Apache log
files. You must configure the refresh time in the portlets.
Table 1-4 lists the Log Space Usage portlet details.
1-10
OL-25947-01
Chapter 1
Table 1-4
Log Space Usage Portlet
Field
Description
Log File
Name of the log file such as syslog.log, EDS.log upm_base.log, and

so on.
The asterisk (*) displayed along with some log file name denotes
that there are multiple files available.
Directory
Displays the location of the logfile.

For instance, var/adm/CSCOpx/log.
File Size
Current size of the log file in kilo bytes.

You can click the portlet name in the title bar of the portlet to navigate to Log File status report page
(Reports > System > Status > Log File).
For more information on the list of log files, see Maintaining Log Files.
Process Status
In Process Status portlet, you can manage all the activities or jobs.
Table 1-5 lists the Process Status portlet details.
Table 1-5
Process Status Portlet
Field
Description
State
Status of the process, such as Failed to start, Running normally and

Shutdown.
No. of Process
Number of processes in each state.

You can click the portlet name in the title bar of the portlet to navigate to the Process Status report page
(Reports > System > Status > Process).
You can click the link displayed in the portlet to start or stop the process.
System Backup Status

In the System Backup Status portlet, you can view the details such as the current backup schedule, last
backup status, last backup location and the time when the last backup was completed.
You should back up the database regularly so that you have a safe copy of the database. You cannot back
up the database while restoring it. Whenever you perform a backup, all the databases of the installed
applications are backed up.
LMS provides a single backup and restore facility to back up and restore all applications installed on the
LMS server. You cannot backup or restore individual portal databases without the LMS backup utility.
See, Backing up Data Using CLI for more information on the backup utility.
To schedule system backups at regular intervals, select Admin > System > Backup.
Table 1-6 lists the System Backup Job Details portlet fields.

OL-25947-01
1-11
Chapter 1
Table 1-6
System Backup Job Details Portlet
Field
Description
Backup Schedule
Date and time at which the backup was scheduled.

You can click the link corresponding to the Backup Schedule to
view/schedule the respective Backup Job details.
Last Backup Completed at
Date and time when the last backup was completed.
Last Backup Status
Status of the last backup.
Last Backup Location
Location of the last backup.
You can click on the portlet name in the title bar of the portlet to navigate to the Backup Job page.
User Login Information

In the User Login Information portlet, you can view the information on users currently logged into LMS
server.
Table 1-7 lists the User Login Information portlet details.
.
Table 1-7
User Login Information Portlet
Field
Description
No. of Logged-in Users
Number of users who have logged in.

You can click the number of logged-in users to view the Who is Logged on
Report page (also available from Reports > System > Users > Who is Logged
On).
Users
Log-in details of all users and the number of sessions opened by each user.
Note
You can send broadcast messages to logged-in users by clicking the Send Message to all users
link displayed in the User Login Information and the users will receive the message within 60
seconds by default.
You can click the portlet name in the title bar of the portlet to navigate to the Who is Logged on Report
page.
For more information on setting up local users, see Setting up Local Users.
Job Information Status

In the Job Information Status portlet, you can view the status of up to 20 jobs of the installed
applications. You can click the portlet name in the title bar of the portlet to navigate to the Job Browser
page.
1-12
OL-25947-01
Chapter 1
Table 1-8 lists the Job Information Status portlet details.

Table 1-8
Job Information Status Portlet
Field
Description
Job ID
Unique ID assigned to the job by the system, when the job is created. The Job IDs are
displayed in ID.No.of.Instances format in periodic jobs.
For example, the Job ID 1002.11 indicates that this is the eleventh instance of the job
whose ID is 1002.
When you click the Job ID, the job details, if available, are displayed.
Job Type
Type of the job.

For example, Inventory Collection, SyslogDefaultPurge, and Net Config Job.
Status
Status of the scheduled jobs that are completed.

The Job states include Succeeded, Failed, Crashed, Cancelled, and Rejected.
The status of the succeeded jobs are displayed in green and the Failed, Crashed,
Cancelled, and Rejected jobs are displayed in red.
Job Description
Description of the job provided by the job creator.

It can contain alphanumeric characters.
Owner
Name of the user who created the job.
Scheduled At
Date and time at which the job is scheduled to run.

In the Audit Trail Information portlet, you can view the details of the changes made to the LMS
application by the user.
Table 1-9 lists the Audit Trail Information portlet details.
Table 1-9
Audit Trail Information Portlet
Field
Description
User Name
Name of the person who performed the change. This is the name entered
when the person logged in.
It can be the name under which the LMS application is running, or the name
under which the Telnet connection is established.
Application Name
Name of the LMS component involved in the network change. For example,
Change Audit, Device Management, ICServer, NetConfig, and NetShow.
Creation Time
Date and the time at which the changes were performed on the LMS server.
Description
Brief summary of the change that occurred on the LMS server.

You can click the portlet name in the title bar to navigate directly to the Report Generator page.

OL-25947-01
1-13
Chapter 1
Job Approval
In Job Approval portlet, you can view the list of all jobs.
To configure Job Approval portlet, see Configuring the Job Approval portlet.
Table 1-10 lists the Job Approval portlet details.
Table 1-10
Job Approval Portlet
Field
Description
Job ID
ID of the job that has been given for approval.

The unique number assigned to the job. For periodic jobs such as Daily, Weekly, and so
on, the job IDs are in the number x format. The x represents the number of instances of
the job.
For example, 1001.3, indicates that this is the third instance of the job ID 1001.
Click the Job ID hyperlink to view the job details.
Job Description
Description of the job.
Job Schedule
Date and time for which the job is scheduled.

The Job Approval portlet allows you to approve or reject a job for which you are an approver. A job will
run only if it is approved. If the job is not approved by its scheduled runtime, or if an approver rejects it,
the job is moved to its rejected state and will not run.
For periodic jobs, only one instance of the job needs to be approved. If one instance is approved, all other
instances are also considered as approved.
You are notified by e-mail, when a job approved by you is created.
This portlet enforces the approval process by sending job requests through e-mail to people on the
approved list.
You can click the portlet name in the title bar to navigate directly to the Jobs Pending Approval details
page in LMS.
In the Job Approval portlet, you can view the list of Job details.
You can configure the Job Approval portlet to set the number of records to be displayed in the portlet,
and refresh time both manually and automatically.
Configuring the Job Approval portlet
To configure the Job Approval portlet:

Step 1
Click the Configuration icon. You can:
Step 2
Select the minute and hour from the Refresh Every drop-down list to change the refresh time. The items
in the portlet get refreshed at the changed Refresh frequency.
Step 3
Select the number of records to be displayed in the portlet from the Show Last Records drop-down list.
Step 4
Click Save to view the portlet with the configured settings.
1-14
OL-25947-01
Chapter 1

Syslog Collectors Information portlet displays the list of remote Syslog collectors subscribed to the LMS
servers. It contains the syslog collector information such as the name of the remote syslog, analyzer
name, status and the number of packets received.
Syslog Collector is a service to receive, filter and forward syslogs to one or more Syslog servers. In this
way the collectors reduces traffic on the network as well as the processing load on the server.
By default you can only view the remote Syslog analyzer name, status and the number of packets
received. However, you can configure the portlet for you to view the other details in the portlet such as
the number of packets that are filtered, invalid, dropped, or forwarded.
Table 1-11 lists the Syslog Collectors Information portlet details.
Table 1-11
Syslog Collectors Information Portlet
Field
Description
Name
Host name or the IP address on which the collector is installed.
Status
Status of the Remote Syslog Collector. For example, whether it is

connected.
Received
Number of packets received.

To configure Syslog Collectors Information:
Step 1
Move the mouse over the title bar of the Syslog Collector
Step 2
Click the configuration icon. You can:
Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The
items in the portlet get refreshed at the changed Refresh frequency.
Select the check box against the type of syslog message (Filtered, Invalid, Dropped, Forwarded) to
view the respective columns in the Syslog Collector portlet.
FilteredNumber of filtered messages. Filters are defined with the option Message Filters
option. See Defining Syslog Message Filters for more information.

InvalidNumber of invalid Syslog messages.
DroppedNumber of Syslog messages dropped.
ForwardedNumber of forwarded Syslog messages.
Step 3
Supported Device Finder Portlet

The Supported Device Finder portlet enables you to view the details of the devices that are supported in
various LMS applications.
By default the Supported Device Finder portlet is added to the System View.
This portlet enables you to:
Locate the supported devices in the LMS applications

OL-25947-01
1-15
Chapter 1
Get the latest updates on devices that are supported and those that will be supported in the upcoming
releases.
Raise a request through mail to support a new device that is not supported.
You can search the support of devices added to the DCR using the following search options:
IP Address
Host Name
Device Name
Model Name
SysObjectID
To search using Supported Device Finder portlet:

Step 1
There are three scenarios when the device is not supported:
If the device is not supported in the current installation the following message appears:
The device is not supported, click here for more information.
If the requested device is supported in later releases, and not available with your present installation,
the following message appears:
Not supported in Installed version <<version number>>. Support available in version
<< version number>>
Note
If the device is not currently supported with your existing package, you can install the latest IDU
from Cisco.com to get the device support.
If the requested device is not supported in any releases, the following message appears:
The device is not supported, click here for more information.
Step 2
Click the click here link and a popup box appears:

The popup box has the following information:
Step 3
OK button to raise a request for the unsupported device.
Disclaimer: Please note that all efforts will be made to provide support to this request, however we
are unable to commit to a time-line at this moment.
Links to the latest device updates
Link to the Supported Devices Table
Click OK button to raise a request for the SysObject ID or Model Name. For example, sysobjectId or
Model name.
The SysobjectID or the Model Name appears based on the entries made in the portlet.
The default mail client is launched.
The To field and Subject field has the following address and entries:
To field: lms-dev-supreq@external.cisco.com
Subject field: Request for new Device Support. For example, <<Model name /SysObjectId>>
The body lists the application names.

Step 4
Enter Yes against the respective application names for which device support is required.
1-16
OL-25947-01
Chapter 1
Step 5
Click Send to send a request.
IP Address
You can use the IP Address option to search the devices that are supported in the LMS application.
To search using the IP Address:
Step 1
Select the IP Address from the drop-down list.
Step 2
Enter an IP Address in the IP Address field and click Submit.

All applications are displayed, regardless of whether they are installed or not. The supported servers are
also displayed.
If the requested device is supported in the later releases and you have not installed it, the following
support details are displayed:
Supported in LMS 3.2. Click here to download
If the requested devices is in the roadmap of next recent releases, the following supported details
message is displayed.
Support expected by Sept 08.
If the requested device is not supported in any release, the following supported details are displayed.
Click here to send a request to support team.
Host Name
You can use the Host Name option to search the devices that are supported in the LMS applications.
To search using the Host Name:
Step 1
Select the Host Name from the drop-down list.
Step 2
Enter a Host Name in the Host Name field and click Submit.
Note
The valid Host Name characters are A-Z, a-z, 0-9, _.
All LMS functions are displayed. The supported servers are also displayed.
The LMS applications are:
Inventory, Config and Image Management
Network Topology, Layer 2 Services and User Tracking
Fault Management
IPSLA Performance Management
Device Performance Management
For more information on the server supported details, see Step 2 of IP Address.

OL-25947-01
1-17
Chapter 1
Device Name
You can use the Device Name option to search the devices that are supported in the LMS applications.
To search using the Device Name:
Step 1
Select the Device Name from the drop-down list.
Note
Step 2
The valid Device Name characters are A-Z, a-z, 0-9, _.
Enter a Device Name in the Device Name field and click Submit.
SysObjectID
You can use the SysObjectID option to search the devices that are supported in the LMS application.
To search using the SysObjectID:
Step 1
Select the SysObjectID from the drop-down list.
Step 2
Enter a SysObjectID in the SysObjectID field and click Submit.

All LMS functions are displayed, regardless of whether they are installed or not. The supported servers
are also displayed.
Model Name
You can use the Model Name option to search the devices that are supported in the LMS application.
To search using the Model Name:
Step 1
Select the Model Name from the drop-down list.
Step 2
Enter a Model Name in the Model Name field and click Submit.
Note
You can also use a wildcard search, (*), to search for the model name.
VRF Collector Summary

In the VRF Collector Summary portlet, you can view details of the VRF collection, number of VRFs
discovered, number of VRF-supported and VRF-capable devices.
1-18
OL-25947-01
Chapter 1
Table 1-12 lists the VRF process summary portlet details.

Table 1-12
VRF Process Summary Portlet
Field
Description
VRF Collector Status
Status of the VRF Collector. The two states are:
RunningIndicates that the VRF collector is running.
IdleIndicates that the VRF collector is not running.
VRF Collector Last Completion Time
Indicates the time when the VRF collection is completed.
Total VRFs Discovered
Total number of VRFs discovered. Click the number to launch the Virtual Network
Manager Report.
VRF Supported Devices [H/W and S/W

Supported]
Number of VRF-supported devices. These devices have both VRF-supported

hardware and software. Click the number to launch the VRF Readiness report.
VRF Capable Devices [H/W Supported, Number of VRF-capable devices. These devices have VRF-supported hardware but
S/W Update Required]
these devices do not have the supported IOS image for VRF. Click the number to
launch the VRF Readiness report.

In the Collection Summary portlet, you can view details of the different collectors in LMS.
Table 1-13 lists the Collection Summary portlet details.
Table 1-13
Field
Description
Collector Name
Name of the Collector. The various collectors in LMS are:
Succeeded
Inventory Collection
Config Archive
EnergyWise Collection
Device Discovery
Fault Discovery
Topology Data Collection
UT Major Acquisition
VRF Collection
Indicates if the respective collection has completed successfully.

Note
In Inventory Collection, Succedded will give the count of devices that

were successfully inventory collected at least once. In Config Archive,
partial success state devices will not be shown in Succeeded or Failed
columns.

OL-25947-01
1-19
Chapter 1
Table 1-13
Collection Summary Portlet (continued)
Field
Description
Failed
Indicates if the respective collection has failed.

In Inventory Collection, Failed will give the count of devices that are
recently failed. A device which was previously successfully inventory
collected and recently failed will have entry in both the columns. We
should not compare this with DCR device count.
Note
Last Completion Time
Indicates the time when the collection is completed.
Current Status
Status of the Collector. The two states are:
Schedule
RunningIndicates that the collector is running.
IdleIndicates that the collector is not running.
Click the Schedule link next to the respective collector to launch the corresponding
page. You can now schedule the collector.
To configure this portlet:
Step 1
Move the mouse over the title bar of the Collection Summary Portlet.
Step 2
Click the configuration icon.
Step 3
Select the Auto Refresh check box.
Step 4
Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The items
in the portlet get refreshed at the changed Refresh frequency.
Step 5
Note
The data in the above portlets is not populated based on device-level or user-level authorization.
Role-based access control is not applicable to the portlets.
Note
From LMS 4.2.2, the Collection Summary Portlet page will display the total number of managed devices
in LMS server. The customer can view the detailed list of the devices managed by the LMS server by
clicking the Managed Device count link on the Collection Summary Portlet page.
1-20
OL-25947-01
CH A P T E R
Setting up Security
LMS 4.2 provides security mechanisms that help to prevent unauthenticated access to LMS server, LMS
applications, and data. LMS provides features for managing security while operating in single-server and
multi-server modes.
You can specify the user authentication mode using the Authentication Mode Setup.
This chapter explains the following:
Managing Security in Single-Server Mode
Managing Security in Multi-Server Mode
Setting up the Authentication Mode
Managing Roles
Managing Cisco.com Connection
Support Settings

You can configure the following in Single-Server mode:
Browser-Server Security Mode Setup: LMS 4.2 Server uses Secure Socket Layer encryption to
provide secure access between the client browser and management server and also among the
management server and the devices. You can enable or disable SSL depending on your need to use
secure access between the client browser and management server.
Local User Policy Setup: Set up username and password policies for local users using this option.
Local User Setup: Edit user settings, add users and assign roles, modify your profile and delete a
user, or view a users settings using this option.
Self Signed Certificate Setup: Create self-signed certificates that can enable SSL connections
between the client browser and the management server.
You can set up browser-server security, add and modify users, and create self signed certificate using the
features that come under Single-Server Management in the Security Settings user interface.
The Single-Server Management page displays the mode of server security and the information on self
signed certificate.

OL-25947-01
2-1
Chapter 2
Setting up Security
To open the Single-Server Management page:

Step 1
Select Admin > Trust Management > Local Server

The Browser-Server Security Mode Setup page appears.
Step 2
Click Single-Server Management in TOC.

The Single-Server Management page displays the mode of server security and the information on self
signed certificate.
This section contains the following:
Setting up Browser-Server Security
Setting up Local User Policy
Setting up Local Users
Creating Self Signed Certificates

LMS provides secure access between the client browser and management server. It does this using SSL
(Secure Socket Layer).
SSL encrypts the transmission channel between the client, and server. LMS provides secure access
between the client browser, and management server.
SSL is an application-level protocol that enables secure transactions of data through privacy,
authentication, and data integrity. It relies upon certificates, public keys, and private keys.
You can enable SSL if you want to open the LMS application in secure mode. If you want to open the
LMS application in non-secure mode (http), you can disable SSL. The login pages always open in SSL
mode, irrespective of the Browser-Server security mode.
LMS Server uses certificates for authenticating secure access between the client browser and the
management server. To enable SSL from the client browser, you must have the necessary security
certificates on your computer. See Creating Self Signed Certificates for more information.
You can enable or disable the Browser Server Security using LMS Server GUI or Command Line
Interface CLI.
This section has the following:
Enabling Browser-Server Security From the LMS Server
Disabling Browser-Server Security From the LMS Server
2-2
OL-25947-01
Chapter 2
Setting up Security
Enabling Browser-Server Security From the LMS Server

To enable Browser-Server Security:
Step 1
Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup.
The Browser-Server Security Mode Setup dialog box appears.
Step 2
Select the Enable option to enable SSL.
Step 3
Click Apply.
Step 4
Log out from your Cisco Prime session and close all browser sessions.
Step 5
Restart the Daemon Manager from the LMS Server CLI:

On Windows:
a.
Enter net stop crmdmgtd
b.
Enter net start crmdmgtd
On Solaris/Soft Appliance:
Step 6
a.
Enter /etc/init.d/dmgtd stop
b.
Enter /etc/init.d/dmgtd start
Restart the browser and the Cisco Prime session.

When you restart the Cisco Prime session after enabling SSL, you must enter the URL with the following
changes:
The URL should begin with https instead of http to indicate secure connection. Cisco Prime will
automatically redirect you to HTTPS mode if SSL is enabled.
Change the port number suffix from 1741 to 443.
If you do not make the above changes, LMS Server will automatically redirect you to https mode with
port number 443. The port numbers mentioned above are applicable for LMS Server running on
Windows.
On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a
different port during LMS Server installation.
Disabling Browser-Server Security From the LMS Server

To disable Browser-Server Security:
Step 1
Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup.
The Browser-Server Security Mode Setup dialog box appears.
Step 2
Select the Disable option to disable SSL.
Step 3
Click Apply.
Step 4
Log out from your Cisco Prime session, and close all browser sessions.

OL-25947-01
2-3
Chapter 2
Setting up Security
Step 5

On Windows:
a.
b.
Step 6
a.
b.
Restart the browser, and the Cisco Prime session.

When you restart the Cisco Prime session after disabling SSL, you must enter the URL with the
following changes:
The URL should begin with http instead of https to indicate that connection is not secure.
The port numbers mentioned above are applicable for LMS Server running on Windows.
On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a
different port during LMS Server installation.
Setting up Local User Policy

You can setup username and password policies for Local Authentication users in LMS.
With the new local user policy, you can:
Start the local username with a number
Include special characters in local username
Specify the length of local username
Specify the length of local user password
Include at least characters from lowercase, uppercase, digits and special characters in password.
The password should not be:
Same as the username, or the username in reverse
Have the same character repeated three times, in sequence
A variant of the word Cisco
You can apply only one local user policy at a time.

You cannot define policies for each local user. The local user policy you set up applies to all users
including the administrative users.
The local usernames that begin with numbers and contain special characters are not subject to the
security limitations of authentication and authorization in LMS Servers integrated with pluggable
authentication modules such as Active Directory.
2-4
OL-25947-01
Chapter 2
Setting up Security
To set up local user policies:

Step 1
Select Admin > System > User Management > Local User Policy Setup.
The Local User Policy Setup page appears.
Step 2
Select Allow Special Characters in username to allow special characters in the username.
You can include the following special characters in the username:
Special Character
Description
Tilde
Commercial At character
Number sign
Underscore
'
Apostrophe
Hyphen
Solidus or Leading slash
Trailing slash
Period
space
Non-breaking space
Note
Step 3
You can add the special characters including hyphen and period in local username only when
you have selected this check box. You cannot start a local username with special characters
except _ (Underscore).
Select Allow Username to start with numbers to allow the first character of a local username to be a
numeral.
You can enter any number between 0 to 9 in the username as the first character if you have enabled this
option.
Step 4
Enter the minimum and maximum length of username of local users.

The default minimum length is 5 characters and the default maximum length is 256 characters.
You can enter any number between 1 and 256 in the minimum and maximum fields.
Ensure that you do not enter a number in minimum username length field that is greater than the number
in maximum username length field.
Step 5
Enter the minimum and maximum length of password of local users.

The default minimum length is 5 characters and the default maximum length is 256 characters.
You can enter any number between 1 and 256 in the minimum and maximum fields.
Ensure that you do not enter a number in minimum password length field that is greater than the number
in maximum password length field.
Step 6
Click Apply to save the changes.

OL-25947-01
2-5
Chapter 2
Setting up Security
Setting up Local Users

Local User Setup feature helps you to:
Import users
Export users
Modify your profile
Add a local user
Edit user profiles
Delete local users
You can also set up local users and reset Cisco Prime password through CLI.
About User Accounts
Understanding Security Levels
Importing and Exporting Local Users
Importing Local Users Using CLI
Importing Users From ACS
Adding and Modifying a Local User
Adding Local Users Using CLI
Assigning Roles on NDG Basis
Modifying Your Profile
About User Accounts

Several Cisco Prime network management and application management operations are potentially
disruptive to the network, or to the applications themselves, and must be protected.
To prevent such operations from being used accidentally or maliciously, Cisco Prime uses a multi-level
security system that allows access only to certain features, to users who can authenticate themselves at
the appropriate level.
LMS provides two predefined login IDs for which the password is specified during installation:
guestAfter authentication and authorization, user will have the default role. After a fresh
installation, the default role is Help Desk. You can change the default roles, see Managing Roles for
more information.
adminThis login provides the user access to all Cisco Prime tasks.
However, as an administrator, you can create additional unique login IDs for users in your company.
Note
The LMS Server Administrator can set the passwords for admin and guest users during installation.
Contact the LMS Server Administrator if you do not know the password for admin.
2-6
OL-25947-01
Chapter 2
Setting up Security
Understanding Security Levels

System administrators determine user security levels when users are granted access to Cisco Prime.
When users are granted logins to the Cisco Prime application, they are assigned one or more roles.
A role is a collection of privileges that dictate the type of system access you have. A privilege is a task
or operation defined within the application. The set of privileges assigned to you, defines your role and
dictates how much and what type of system access you have.
The user role or combination of roles, dictates the tasks that are presented to the users. For information
on tasks that can be performed with each role, see Permissions Report (Reports > System > Users >
Permission). See also About Cisco Prime Pluggable Authentication. Other roles are displayed,
depending on your applications.
Importing and Exporting Local Users

You can import local users from the client. If you want to import local users to the local server from a
remote LMS Server, you must first import the file from the remote server to the client and then use the
import function from the LMS UI.
Note
When you import local users, if there are no roles associated with the users, the default role will be
associated with them.
You can also export the local users to an output file.
You can import local users from the client through CLI. See, Importing Local Users Using CLI for more
information.
You can import local users from ACS through CLI. See, Importing Users From ACS for more
information.
Before you import users from the client, you must install the peer certificate of the remote server in the
local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate for more
information.

OL-25947-01
2-7
Chapter 2
Setting up Security
To import users from a remote server:

Step 1
Select Admin > System > User Management > Local User Setup.
The Local User Setup page appears.
Step 2
You can do one of the following:
Import:
Click Import Users. You can import only files in the XML format.
Click Browse and select a file from the client.
Click Submit. To return to the Local User Setup page, click Cancel.
Export:
Select the users for whom you want to export information. If you want to select all the users,
you can check the check box next to the User field.
Click Export. The files exported are in XML format.
A message appears prompting you to open or save the LMSuserExport.xml file. This file is
saved in the client. Click Cancel to return to the Local User Setup page.
Importing Local Users Using CLI

This feature allows you to import information about local users to the local server, from a remote LMS
Server.
You should have the privileges to import local users from the remote LMS Server through CLI.
Before you import users from a remote server, you should install the peer certificate of the remote server
in the local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate
for more information.
To import users from a remote server, enter the following commands:
NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -import Protocol Hostname Portnumber

Username Password (on Solaris/Soft Appliance)
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import Protocol Hostname Portnumber

Username Password (on Windows)
where,
Protocol Protocol of the remote LMS Server.

The supported values are HTTP or HTTPS.
Hostname Hostname or IP address of the remote LMS Server.
Portnumber Port Number of the remote LMS Server.
Username Remote LMS Server login Username.
Password Remote LMS Server login Password.
For example, enter the following command to import the local users from the remote LMS Server
lmsdocpc:
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin
2-8
OL-25947-01
Chapter 2
Setting up Security

To import users from ACS through CLI, enter the following commands:
NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -importFromAcs Filename Password (on

Solaris/Soft Appliance)
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -importFromAcs Filename Password (on

Windows)
where,
Filename Output of executing CSUtil.exe.
Password Default password assigned to all the importing users.
To execute CSUtil.exe follow the steps below:

Step 1
Go to Start > Run in the ACS server.
Step 2
Enter services.msc in the Run command and click OK

It will list all the services registered.
Step 3
Select CSAuth and right click to get the Stop option.
Step 4
Click Stop to stop the CSAuth service
Step 5
Execute the command <ACS install directory>/bin/CSUtil.exe -q -d <output file> from CLI.
The output file which we got by running the CSUtil.exe should be given as the input while importing
users.
Log Files
The information on the users added or imported into the LMS Server is stored in the following files,
when you use the import local user CLI commands:
/var/adm/CSCOpx/log/AddUser.log (on Solaris/Soft Appliance)
NMSROOT\log\AddUser.log (on Windows)
The AddUser.log file registers the information on the number of users added or imported into LMS
Server, number of duplicate users, error messages, and other information that you can use for
troubleshooting.
Adding and Modifying a Local User

You can add more users into Cisco Prime as required.
You can add only one user at a time through the user interface. See Adding Local Users Using CLI for
adding bulk users. You can delete Stale Users From Cisco Prime LMS Portal. See Deleting Stale Users
From LMS Portal for more details.
To add or edit a user:
Step 1
Step 2
Click Add or Edit.

OL-25947-01
2-9
Chapter 2
Setting up Security
The User Information dialog box appears with the following fields:
Field
Description
Username
Enter the username. The value is case-insensitive.

You can control the length of the username, start the username with a
number, or include special characters in the local username.
To do this, you must set up the username and password policy in the Local
User Policy Setup page. See Setting up Local User Policy for information.
Password
Enter the password.

You can control the length of the password when you set up policies for local
users. See Setting up Local User Policy for information.
Verify Password
Re-enter the password.
E-mail
Enter the e-mail ID. This is mandatory if you assign the approver role to the
local user. Otherwise, this is optional.
Authorization Type
Select the radio button corresponding to the authorization type. You can
choose from:
Full AuthorizationSelect this radio button to enable full authorization

to the user.
Enable Task AuthorizationSelect this radio button to enable a role, and

the privileges and tasks associated with the roles, to the user.
After you select this option, you have to select the desired role from the
list of Roles. This is applicable for all devices.
Enable Device AuthorizationSelect this radio button to enable

authorization to device groups.
After you select this option, you have to:
Select the device group from the Device Group.
Select the role you want to associate with the device group. The user
group can perform the tasks that are assigned to the chosen roles on
the chosen device groups.
Roles
Select the check box corresponding to the role to specify the roles to be
assigned to the user from the Roles pane. The user group can perform the
tasks that are assigned to the chosen role on all devices and device groups.
The following roles are available:
Help Desk
Approver
Network Operator
Network Administrator
System Administrator
Super Admin
Network Level Login

Credentials
Enter the network device login credentials for LMS to communicate with the
network devices.
Username
Enter the username.
2-10
OL-25947-01
Chapter 2
Setting up Security
Step 3
Field
Description
Password
Enter the password.
Verify Password
Re-enter the password.
Enable Password
Enter the enable password.
Verify Password
Re-enter the enable password.
Click OK. To return to the Local User Setup page, click Cancel.
Adding Local Users Using CLI

You can add bulk local users through CLI. This feature allows you to specify a file that has the
information about the local users as an input. The input file you use should be a plain text file.
Note
You can use this CLI command for both system and user-defined roles.
Each local user information should be represented in the following format in the text file:
Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword
where,
Username Local username. The local username is case-insensitive.
Password Password for the local user account name.

You can leave this field blank in the text file and enter the password in the command line when you
run the CLI utility.
Note that you should enter the password either in the command line or in the input text file. If you
mention the password in both the places, the local user will be added with the password specified in
the command line. On adding the user by giving password in the command line prompt, default role
will be assigned to the user if the role is missing in the input file.
E-mail E-mail address of the local user.

This is mandatory if you assign the approver role to the local user. Otherwise, this is optional.
Roles Roles to be assigned to the local user. You should assign one or more of the following roles
to the user separated by comma.
Help Desk
Approver
Network Operator
Super Admin
DeviceUnameDevice login username
DevicePasswordDevice login password
DeviceEnPassword Device enable password.

OL-25947-01
2-11
Chapter 2
Setting up Security
The following is an example of local user information to be represented in the input text file:
admin123:admin123:admin123@cisco.com:Help Desk,System
Administrator:admin:roZes123:roZes
To add local users through CLI, enter the following commands:
NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -add Filename Password (on Solaris/Soft

Appliance)
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -add Filename Password (on Windows)
where,
Filename Absolute path of the filename containing local users information.
Password Common password for all user accounts specified in the input text file.
This command line parameter is optional if you have specified the passwords for local users in the
input text file. Note that you should enter the password either in the command line or in the input
text file.
If you specify this parameter, the local users are added to Cisco Prime only with this password
irrespective of the password entries specified in the input text file.
For example, enter the following command to add local users mentioned in the input file localuser.txt
with the password admin:
C:\progra~1\CSCOpx\bin\perl C:\progra~1\CSCOpx\bin\AddUserCli.pl -add
C:\files\localuser.txt admin
Log Files
The user information added or imported into the LMS Server is stored in the following files, when you
use the import local user CLI command:
/var/adm/CSCOpx/log/AddUser.log (on Solaris/Soft Appliance)
NMSROOT\log\AddUser.log (on Windows)
The AddUser.log file registers the information on the number of users added or imported into LMS
Server, number of duplicate users, error messages and other information that you can use for
troubleshooting.
Deleting Stale Users From LMS Portal
This section describes how to delete stale users from LMS Portal.
When you delete the user names from Cisco Prime Common Services application, they are deleted only
from the Common Services database and not from LMS Portal database.
The usernames remain in LMS Portal as stale users.
2-12
OL-25947-01
Chapter 2
Setting up Security
To delete stale users from LMS Portal:

Step 1
Go to the following link:

http://server-name:portno/cwportal/c/portal/StaleUserDeletion.
Step 2
In the URL, enter a server name and launch the URL in the browser window.
The Portal Stale User Deletion page is displayed.
Step 3
Click the Delete Stale Users button.

The stale users are deleted from the Portal database.
Assigning Roles on NDG Basis

You can choose to assign any number of role and device group combinations for a selected user or user
group to operate on Network Device Groups.
You should note the following to assign roles on a NDG basis:
If you have assigned a Network Device Group to your AAA client (LMS Server and network
devices), you must assign that device group to a role.
You cannot have role and device group combinations assigned to a user without assigning the
Network Device Group to your AAA client.
You can assign only one role to a user, to operate on an NDG.
If a user requires privileges other than those associated with the current role, to operate on an NDG,
a custom role should be created. All necessary privileges to enable the user to operate on the NDG
should be given to this role.
For example, if a user needs to have Approver and Network Operator privileges to operate on
NDG1, you can create a new custom role with Network Operator and Approver privileges, and
assign the role to the user to operate on NDG1.
You cannot assign roles to the DEFAULT device group. When the DEFAULT (unassigned device
group) is selected, you can perform only the Help Desk role, irrespective of the roles chosen.
To assign the proper role, the network access server (NAS) should be added to device groups other
than DEFAULT.
Modifying Your Profile

To edit your profile:
Step 1
Step 2
Click Modify My Profile to modify the credentials of the logged in user and the network device login
credentials.
Step 3
Enter the user login details like username, password, and e-mail address.
The E-mail field is mandatory if you assign the approver role to the local user, otherwise, this is optional.

OL-25947-01
2-13
Chapter 2
Setting up Security
Step 4
Enter the network device login credentials for LMS to communicate with the network devices.
Enter the values for username, password, and enable password.
Step 5
Click OK. To return to the Local User Setup page without saving the modifications, click Cancel.
Creating Self Signed Certificates

Cisco Prime allows you to create security certificates that enable SSL communication between your
client browser and management server.
Self signed certificates are valid for five years from the date of creation. When the certificate expires,
the browser prompts you to install the certificate again from the server where you have installed Cisco
Prime.
Note
If you regenerate the certificate, when you are in multi-server mode, existing peer relations might break.
The peers need to re-import the certificate in this scenario.
This section explains the following:
Working With Third Party Security Certificates
2-14
OL-25947-01
Chapter 2
Setting up Security

To create a certificate from the user interface:
Step 1
Select Admin > Trust Management > Local Server > Certificate Setup.
The Certificate Setup page appears.
Step 2
Enter the values required for the fields described in the following table:
Field
Usage Notes
Country Name
Two character country code.
State or Province
Two character state or province code or the complete name of the

state or province.
City
Two character city or town code or the complete name of the city or
town.
Organization Name
Complete name of your organization or an abbreviation.
Organization Unit Name
Complete name of your department or an abbreviation.
Server Name
DNS name, IP Address, or hostname of the computer.

Enter the server name with a proper and resolvable domain name.
This is displayed on your certificate (whether self-signed or third
party issued). Local host or 127.0.0.1 should not be given.
Email Address
Step 3
E-mail address to which the mail has to be sent.
Click Apply to create the certificate.

The process generates the following files:
server.keyPrivate key of the server.
server.crtSelf- signed certificate of the server.
server.pk8Private key of the server in PKCS#8 format.
server.csrCertificate Signing Request (CSR) file.
You can use the CSR file to request a security certificate, if you want to use a third party security
certificate.
If the certificate is not a Self signed certificate, you cannot modify it.
To return to the Cisco Prime home page, click Cancel.

OL-25947-01
2-15
Chapter 2
Setting up Security

Cisco Prime provides an option to use security certificates issued by third party certificate authorities
(CAs). You may want to use this option in cases where your organizational policy prevents you from
using Cisco Prime self-signed certificates or requires you to use security certificates obtained from a
particular CA.
You can use these certificates to enable SSL when you need secure access between LMS Server and your
client browser.
You can upload Third Party Security Certificates using the SSL Utility Script. See Working With Third
Party Security Certificates.

Communication among peer servers that are part of a multi-server domain has to be secure. In
multi-server mode the server is configured as DCR Master/Slave or Single Sign-On Master/Slave. In a
multi-server scenario, secure communication between peer LMS Servers is enabled using certificates
and shared secrets.
You must copy certificates between the LMS Servers. You should also generate a shared secret on one
server, and configure it on the other servers that need to communicate with the server. The shared secret
is tied to a particular Cisco Prime user (for authorization).
You can configure the following in Multi-Server mode:
Peer Server Account Setup: Helps you create users who can log into LMS Servers and perform
certain tasks. These users should be set up to enable communication among multiple LMS Servers.
System Identity Setup: Enables communication among multiple LMS Servers based on a trust model
addressed by Certificates and shared secrets. System Identity setup should be used to create a trust
user on slave or regular servers for communication to happen in multi-server scenarios.
Peer Server Certificate Setup: Adds the certificate of another LMS Server into its trusted store. This
allows LMS Servers to communicate with one another using SSL.
Single Sign-On Setup: Enables you to use your browser session to transparently navigate to multiple
LMS Servers without authenticating to each server.
The Current Multi-Server Settings page displays the mode of server security and the information on self
signed certificate.
To open the Current Multi-Server Settings page:
Step 1
Select Admin > Trust Management > Multi Server.
Step 2
Click Current Multi-Server Setting in TOC.

The Current Multi-Server Settings page displays the Single Sign-On details.
2-16
OL-25947-01
Chapter 2
Setting up Security
This section has the following information that helps you to understand better, the features that enable
secure communication between peer servers in a multi-server domain:
This section contains:
Setting up Peer Server Account
Setting up System Identity Account
Setting up Peer Server Certificate
Enabling Single Sign-On
Setting up Peer Server Account

Peer Server Account Setup helps you create users who can login to LMS Servers and perform certain
tasks. These users should be set up to enable communication among multiple LMS Servers. Users
created using Peer Server Account Setup can authenticate processes running on remote LMS Servers.
You can add a Peer Server user, edit user information and role, and delete a user.
To add a Peer Server user:
Step 1
Select Admin > Trust Management > Multi Server > Peer Server Account Setup.
The Peer Server Account Setup page appears.
Step 2
Click Add.
Step 3
Enter the username in the Username field.
Step 4
Enter the password in the Password field.
Step 5
Re-enter the password in the Verify field.
Step 6
Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.
To edit Peer Server user information:

Step 1
Step 2
Click Edit.
Step 3
Step 4
Step 5
Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.

OL-25947-01
2-17
Chapter 2
Setting up Security
To delete a Peer Server user:

Step 1
Step 2
Select the check box corresponding to the user you want to delete.
Step 3
Click Delete.
The confirmation dialog box appears.
Step 4
Click OK to confirm. To return to the Peer Server Account Setup page without saving the changes, click
Cancel.
Setting up System Identity Account

Communication between multiple LMS Servers is enabled based on a trust model addressed by
certificates and shared secrets. System Identity setup helps you to create a trust user on servers that are
part of a multi-server setup. This user enables communication among servers that are part of a domain.
There can be only one System Identity User for each machine.
The System Identity User you configure must be a Peer Server User. The System Identity User you create
must be a local user with all privileges.
You can either configure the System Identity User with the predefined Super Admin role or with a
custom role created with all privileges. If you change the System Identity User later, you must ensure
that you add the local user with all privileges in Cisco Prime.
Cisco Prime installation program allows you to have the admin user configured as the default System
Identity User.
For the admin user to work as a System Identity User, the same password should be configured on all
machines that are part of the domain, while installing Cisco Prime on the machines part of that domain.
If this is done, the user admin serves the purpose of System Identity user. See Installing and Migrating
to Cisco Prime LAN Management Solution 4.2 for details.
If you create a System Identity User, the default System Identity User, admin, is replaced by the newly
created user.
While you create the System Identity User, LMS checks whether:
The user is a Local User with all privileges. If the user is not present, or if the user does not have all
privileges, an error message appears.
The System Identity User is also a Peer Server User. If not, the user will be made a Peer Server User.
For peer to peer communication to work in a multi-server domain, you have to configure the same
System Identity User on all the machines that are part of the domain.
For example, if S1, S2, S3, S4 are part of a domain, and you configure a new System Identity User, say
Joe, on S1, you have to configure the same user, Joe, with the same password you specified on S1, on
all the other servers, S2, S3, and S4, to enable communication between them.
See Master-Slave Configuration Prerequisites and Enabling Single Sign-On to know more on the usage
of this features.
2-18
OL-25947-01
Chapter 2
Setting up Security
To add a System Identity user:

Step 1
Select Admin > Trust Management > Multi Server > System Identity Setup
Step 2
Enter the username in the Username field.
Step 3
Step 4
Step 5
Click Apply.
Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and
authenticity between Master and Slave.
The System Identity User password you specify in Master and Slave should be the same.
We recommend that you have the same user name and password across Master and Slave.
Setting up Peer Server Certificate

You can add the certificate of another LMS Server into its trusted store. This will allow one LMS Server
to communicate with another using SSL. If a LMS Server needs to communicate with another LMS
Server, it must possess the certificate of the other server. You can add certificates of any number of peer
LMS Servers to the trusted store of each server.
You must add peer server certificates if LMS Servers are configured with Self-Signed Certificates. If the
certificates have been signed by popular CAs such as Verisign, and GlobalSign. this is not compulsory.
However we recommend that you add peer server certificates to avoid any possible problems with SSL
communication.
You can setup peer server certificates from the client browser and from a browser session on the server
where LMS Server is installed.
Ensure that there are no mismatches in the date and time settings between the servers. In case you find
any date or time mismatch, you need to correct it before proceeding.
If you change the date or time of the peer server, you must regenerate the self signed certificate of the
peer server.
To add peer LMS Server certificates:
Step 1
Select Admin > Trust Management > Multi Server > Peer Server Certificate Setup.
The Peer Server Certificate page appears with a list of certificates imported from other servers.
Step 2
Click Add.
Step 3
Enter the IP address/hostname of peer LMS Server in the corresponding fields.

If you specify a server name, it must be entered in DNS. Otherwise specify the IP Address.
Step 4
Enter the value of the SSL (HTTPS) Port of the peer LMS Server. The default SSL(HTTPS) Port of the
peer LMS Server is 443.
Step 5
Click OK. To return to the Peer Server Certificate page, click Cancel.

OL-25947-01
2-19
Chapter 2
Setting up Security
To delete peer certificates:

Step 1
Select the check box corresponding to the certificate you want to delete.
Step 2
Click Delete.
The confirmation dialog box appears.
Step 3
Click OK to confirm. To return to the Peer Server Certificate page, click Cancel.
You can also view the details of the client certificates. For this, select the check box corresponding to
the certificate and click View.
Enabling Single Sign-On

With Single Sign-On (SSO), you can use your browser session to transparently navigate to multiple LMS
Servers without authenticating to each of them. Communication among multiple LMS Servers is enabled
based on a trust model addressed by Certificates and shared secrets.
Single Sign-On Setup
Changing the Single Sign-On Mode

The following tasks need to be done initially:
One of the LMS Servers should be set up as the Authentication Server (AS).
Trust should be built between the LMS Servers, using self signed certificates. A trusted certificate
is created by adding it in the trust key store of the server. Cisco Prime TrustStore or KeyStore is
maintained by the certificate management framework in LMS.
Each LMS Server should setup a shared secret with the authentication server. The System Identity
user password acts as a secret key for Single Sign-On.
The Single Sign-On Authentication Server is called the Master, and the Single Sign-On Regular Server
(RS) is called the Slave.
You must perform the following tasks if the server is configured either as Master or as Slave:
Configure the System Identity User and password in both Master and Slave. The System Identity
User name and password you specify in Master and Slave should be the same.
Configure the Master Self Signed Certificate in Slave.
Single Sign-On uses System Identity user password as the secret key to provide confidentiality and
authenticity between Master and Slave. We recommend that you have the same user name and password
for both Master and Slave.
The Common Name (CN) in the certificate should match with that of the Master server name. Otherwise
it would not be considered as a valid certificate.
2-20
OL-25947-01
Chapter 2
Setting up Security
Single Sign-On is used only for authentication and not for authorization. In Single Sign-On,
authentication always takes place from the Single Sign-On Master server (Authentication Server-AS).
Hence, you need to provide the username and password as configured in Single Sign-On AS.
Authorization happens at the respective servers.
If Regular Server (RS) is configured for any Pluggable Authentication Module (PAM), say Active
Directory (AD), and AS is configured for Local Authentication, then authentication happens as per the
credentials in Local Authentication (AS) and vice versa.
For example, if server A is configured as Single Sign-On Master (AS) and the AAA mode setup is Active
Directory (AD) and Server B is configured as Single Sign-On Slave (RS) and the AAA mode setup is
Local Authentication:
When you login to server B (http://B:1741), your authentication request is forwarded to server A (AS)
and you get authenticated according to the username and password configured in AD. However,
authorization happens only in server B.
The privileges for the logged in user in any server within the Single Sign-On domain will depend upon
the user roles configured in that server. If the user is present only in the Single Sign-On Authentication
Server and not in the Regular Server, then that user gets authenticated according to the credentials in the
authentication server, but has only HelpDesk privileges in the Regular Server.
We recommend that you:
Add the user across all servers within the Single Sign-On domain.
Assign appropriate roles to the user, in each of the LMS Servers.
See Setting up System Identity Account for more information on how to set up System Identity User.
Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and
authenticity between Master and Slave.
The System Identity User password you specify in Master and Slave should be the same.
We recommend that you have the same user name and password across Master and Slave.
To configure the Master Self Signed Certificate in the Slave, select Admin > Trust Management >
Multi Server > Peer Server Certificate Setup.
The Common Name (CN) in the certificate should match with the Master server name. Otherwise, it
would not be considered as a valid certificate.

The Authentication Server and all Regular Servers that are configured on this Authentication Server
forms an Single Sign-On domain. If you login to any of the servers that are part of the same Single
Sign-On domain, you can launch any other server that is part of the domain.
You can navigate through the Single Sign-On domain in two ways:
Registering Server Links
Launching a New Browser Instance
Registering Server Links
You can register the links of the servers part of the Single Sign-On domain, in any of the servers, using
the Link registration feature.
The registered links will appear either under Third Party or Custom tools, depending on what you specify
during registration. If you click on the registered link, it launches the page corresponding to the
registered link.

OL-25947-01
2-21
Chapter 2
Setting up Security
You must specify the URL, with the context while registering the server link.
For example, let ABC and XYZ be part of the same Single Sign-On domain. You can register the link for
ABC on XYZ. While registering server ABC in XYZ, you have to specify the URL as:
http://ABC:1741/cwhp/cwhp.applications.do
If ABC is running in HTTPS mode, you have to specify the URL as:
https://ABC:443/cwhp/cwhp.applications.do
In the above example, clicking on the registered link will launch the Cisco Prime home page of server
ABC.
Launching a New Browser Instance
After logging into any of the servers that are part of the Single Sign-On domain, you can open a new
browser instance from that server, and provide the URL of any other server of the Single Sign-On
domain, to which you need to navigate.
Note
We recommend that you do not use the IP address of the servers that are part of Single Sign-On or
localhost, while specifying the URL.
For example, suppose ABC and XYZ are part of an Single Sign-On domain.
Step 1
Login to ABC.
Step 2
Launch a new browser instance (File > New > Window, in Internet Explorer) from the same browser
window.
Step 3
Enter the URL, with the context (http://XYZ:1741/cwhp/cwhp.applications.do) of XYZ in the new
browser instance.
This launches the Cisco Prime home page of XYZ, directly.
Changing the Single Sign-On Mode

The LMS server can be configured for Single Sign-On. It can also be configured to be in Standalone
mode (Normal mode, without Single Sign-On).
When the server is configured for Single Sign-On, it can either be in:
Master modeThe Single Sign-On Authentication Server does the authentication and sends the
result to the Regular Server.
Change the Single Sign-On mode to Master, if login is required for all Single Sign-On regular
servers. Login requests for all the Single Sign-On regular servers will be served from the Master.
Slave modeSingle Sign-On Regular server for which authentication is done at the Master.
While logging into regular server, if the authentication server is not reachable, the following
message appears:
SSO unreachable
2-22
OL-25947-01
Chapter 2
Setting up Security
Only one server is configured to be in the Master mode. All other servers are configured as Slaves. If
the server is configured as an Single Sign-On Regular server (Slave), you should provide the following
details:
Master server name

The Master server name must be DNS resolvable. If you change the name of the Single Sign-On
Master server, in the /etc/hosts file, you must restart the Daemon Manager for the name resolution
to reflect in the Slave.
If you have configured more than one Single Sign-On Slave servers for a Single Sign-On Master
server, you must ensure that you enter either the fully qualified domain name or hostname of the
Master consistently in all the Slave servers.
Authentication will not occur if you enter a domain name of the Master in a Single Sign-On Slave
and hostname of the Master in another Single Sign-On Slave of the same Master server.
Login Port of the Master (443)
To change the Single Sign-On mode to Standalone:

Step 1
Select Admin > Trust Management > Multi Server > Single Sign-On Setup.
The Single Sign-On Setup page shows the current Single Sign-On mode.
Step 2
Select Standalone (Normal) radio button.
Step 3
Click Apply. To return to the Cisco Prime home page, click Cancel.
To change the Single Sign-On mode to Master:

Step 1
The Single Sign-On Setup page shows the current Single Sign On mode.
Step 2
Select the Master (SSO Authentication Server) radio button.
Step 3
Click Apply. To return to the Cisco Prime home page, click Cancel.
To change the SSO mode to Slave:

Step 1
The Single Sign-On Setup page shows the current Single Sign-On mode.
Step 2
Select the Slave (SSO Regular Server) radio button.
Step 3
Enter the Master server name and port number.

If you select the Slave mode, ensure that you specify the Master server name and port. The default port
is 443. The server configured as Master (or Authentication Server) should be DNS resolvable.

OL-25947-01
2-23
Chapter 2
Setting up Security
Step 4
Click Apply.
It checks if:
The System Identity user password of the Slave matches that of the Master.
The Self Signed Certificate of the Master is added as the peer certificate in the Slave. The Common
Name (CN) in the certificate matches with the Master server name.
The Master is up and running on the specified port.
In case any of these checks fail, you are prompted to perform these steps before proceeding.
To return to the Cisco Prime home page, click Cancel.

Depending on your LMS Server platform (UNIX or Windows), different login modules that provide
Authentication, Authorization, and Accounting services are available. This feature allows you to select
login modules and set their options.
The LMS Server provides mechanisms used to authenticate users for Cisco Prime applications.
However, many network managers already have a means of authenticating users. To use your current
authentication database for Cisco Prime authentication, you can select a login module (TACACS+,
RADIUS, and others).
This section contains the following topics:
Authentication Using Login Modules - Overview
Cisco Secure ACS Support for LMS Applications
After you select and configure a login module, all authentication transactions are performed by that
module.
To assign a user to a different role, such as the System Admin role, you must configure the user locally.
Such users must have the same user ID locally, as they have in the alternative authentication source.
Users log in with the user ID and password associated with the current login module.
Authentication Using Login Modules - Overview

Cisco Prime login modules allow administrators to add new users using a source of authentication other
than the native LMS Server mechanism (that is, the Local Authentication login module).
About Cisco Prime Pluggable Authentication
Understanding Fallback Options
Debugging
2-24
OL-25947-01
Chapter 2
Setting up Security
About Cisco Prime Pluggable Authentication
By default, Cisco Prime LMS uses LMS Server authentication (Local Authentication) to authenticate
users, and authorize them to access Cisco Prime LMS.
After authentication, your authorization is based on the privileges that have been assigned to you.
A privilege is a task or an operation defined within the application. The set of privileges assigned to you,
defines your role. It dictates how much, and what type of system access you have.
The LMS Server authorization scheme has the following default or predefined roles. You can also create
user defined roles and assign the user with a set of privileges, that would suit your needs. See Managing
Roles for more information. The predefined roles are listed here in order from the least privileged to
most privileged:
Help Desk Can access network status information only. Can access persisted data on the system
and cannot perform any action on a device, or schedule a job that will reach the network.
Approver Can approve all LMS tasks.
Network Operator Can perform all Help Desk tasks. Can perform tasks related to network data
collection. Cannot perform any task that requires write access on the network.
Network Administrator Can perform all Network Operators tasks. Can perform tasks that result
in a network configuration change.
System Administrator Can perform all Cisco Prime system administration tasks.
Super Admin Can perform all Cisco Prime operations including administration and approval
tasks. By default, this role has full privileges.
The LMS Server determines user roles. Therefore, all users must be in the local database of user IDs and
passwords. Users who are authenticated by an alternative service and who are not in the local database
are assigned to the same role as the guest user (by default, the Help Desk role).
The LMS Server determines user roles. Therefore, all users must be in the local database of user IDs and
passwords. Users who are authenticated by an alternative service and who are not in the local database
are assigned to the same role as the guest user (by default, the Help Desk role).
Understanding Fallback Options
Fallback options allow you to access the software if the login module fails, or you accidentally lock
yourself or others. There are three login module fallback options. These are available on all platforms.
The following table gives you the details:
Option
Description
Allow all Local Authentication users to fallback to All users can access Cisco Prime using the Local
the Local Authentication login.
login if the current login module fails and only if
PAM is unreachable.
Warning
Selecting this option allows local

authentication for users when the
external authentication server is
unreachable.
Only allow the following user to fallback to the

Local Authentication login if preceding login
fails: username.
Specified users can access Cisco Prime using the

Local login if the current login module fails. Use
commas between user names.
Allow no fallbacks to the Local Authentication

login.
No access is allowed if the current login module

fails.

OL-25947-01
2-25
Chapter 2
Setting up Security
Debugging
Cisco Prime allows you to enable debugging on the current login module so that you have additional
information in the log files that you can use for troubleshooting. Turn debugging on only when requested
to do so by your customer service representative.
Enabling debugging does not alter the behavior of the modules.
Debugging information is not exposed in the user interface, but is stored in the stdout.log file in the
following locations:
NMSROOT/MDC/tomcat/logs/stdout.log (on Solaris/Soft Appliance)
NMSROOT\MDC\tomcat\logs\stdout.log (on Windows)
where NMSROOT is the Cisco Prime installation directory.
Cisco Secure ACS Support for LMS Applications

Cisco Prime LMS supports TACACS+ mode of authentication. To use this mode, you must have a Cisco
Secure ACS (Access Control Server), installed on your network. LMS 4.2 supports the following
versions of Cisco Secure ACS:
Note
Cisco Secure ACS 4.2 for Windows Server
Cisco Secure ACS 5.x for Windows Server
Cisco Secure Appliance 4.2
Cisco Secure Appliance 5.x
Cisco Secure ACS also supports RADIUS mode of authentication.

The Login Module defines how authorization and authentication are performed and how the login
modules are changed.
Changing Login Module to Local Authentication
Changing Login Module to Local Unix System
Changing Login Module to Local NT System
Changing Login Module to MS Active Directory
Changing Login Module to RADIUS
Changing Login Module to TACACS+
To set the login module:

Step 1
Select Admin > System > Authentication Mode Setup.

The Authentication Mode Setup page appears.
Step 2
The Authentication Mode Setup page displays the current login module, and the available login modules.
The available login modules are:
2-26
OL-25947-01
Chapter 2
Setting up Security
Local Authentication
Local Unix System
Local NT System
MS Active Directory
RADIUS
TACACS+

OL-25947-01
2-27
Chapter 2
Setting up Security
The login username is case sensitive when you use the following login modules:
Local Unix System
RADIUS (only on Solaris)
TACACS+ (only on Solaris)
Step 3
Select a login module.
Step 4
Click Change.
The Login Module Options popup window appears.
Step 5
Enter the corresponding login module information.

See the respective login module section for login module options.
Step 6
Click OK. To return to the Authentication Mode Setup page, click Cancel.
Changing Login Module to Local Authentication
To change the login module to Local Authentication:

Step 1

Step 2
Select the Local Authentication radio button.
Step 3
Click Change.
The Login Module Options popup window appears.
Step 4
Set the Debug option to False.

Set it to True for debugging purposes, when requested by your customer service representative.
Step 5
Changing Login Module to Local Unix System
This option is available only on Unix systems.

To change the login module to Local Unix System:
Step 1

Step 2
Select the Local Unix System radio button.
Step 3
Click Change.
The Login Module Options popup window appears with the following details:
Field
Description
Selected Login Module
Local UNIX System.
Description
Cisco Prime native Solaris module.
2-28
OL-25947-01
Chapter 2
Setting up Security
Field
Description
Debug
Set to False, by default.

Set to True for debugging purposes, when requested by your customer
service representative.
Login fallback options
Step 4
Set the option for fallback to the Local Authentication module if the
alternative service fails.
Changing Login Module to Local NT System
This option is available only on Windows

To change the login module to Local NT System:
Step 1

Step 2
Select Local NT System radio button.
Step 3
Click Change.
Field
Description
Local NT System.
Description
Cisco Prime native NT login module.
Debug

Step 4
Domain
Set to localhost.
Changing Login Module to MS Active Directory
The MS Active Directory login module implements Lightweight Directory Access Protocol (LDAP).
Before a user logs in, the user account should be set up in the LDAP server.
When you change the login module to MS Active Directory, you should configure any one of the
following options to integrate LMS Server with Active Directory server for authentication services:
Distinguished Name (DN)

A distinguished name is made up of three parts, Relative Distinguished Name Prefix (RDN-Prefix),
User login, and Usersroot.

OL-25947-01
2-29
Chapter 2
Setting up Security
You have to configure RDN-Prefix and Usersroot in Cisco Prime. The login name is appended to
RDN-Prefix when the user logs into Cisco Prime.
For example, a distinguished name could be represented as:
cn=User_Name ou=org1 dc=embu dc=cisco. The RDN Prefix is cn=, User login is User_Name, and
Usersroot is ou=org1 dc=embu, dc=cisco.
A Distinguished Name is composed of cn (any numbers), ou (any numbers) and dc (any numbers).
You can specify more than one usersroot value. Each usersroot value should be separated by a
semicolon.
User Principal Name (UPN)

User principal name is composed of two parts, User login and User Principal Name Suffix
(UPN-Suffix).
The User Principal Name suffix configured in Cisco Prime is appended to the login name when the
user logs into Cisco Prime.
The second part of the UPN, the UPN suffix, identifies the domain in which the user account is
located. This UPN suffix can be the DNS name of any domain, or it can be an alternative name
created by an administrator and used just for log in purposes.
For example, a User Principal Name could be represented as user1@mydept.mycompany.com,
where user1 is the login name and @mydept.mycompany.com represents the UPN-Suffix.
Domain name
You should configure the Active Directory domain name in Cisco Prime that contains a set of users
which needs to be integrated, for a domain based authentication.
For example, if you want the users of MyDomain domain in MS Active Directory server to be
authenticated in LMS Server, you should specify MyDomain in this field.
Each domain also has a pre-Windows 2000 domain name for use by computers running operating
systems released earlier than Windows 2000 operating systems. Similarly each user account has a
pre-Windows 2000 user login name.
The user account in the DomainName\UserName format used to log into the operating systems
released earlier than Windows 2000 operating systems is called Security Account Manager (SAM)
account. You can also configure SAM account in the LDAP server and enter the same name in Cisco
Prime when you change the login module to Microsoft Active Directory.
When the Distinguished Name based authentication to Active Directory server fails, Cisco Prime
attempts to authenticate the Active Directory server using the User Principal Name string.
When both the Distinguished Name based authentication and the User Principal Name based
authentication fails, LMS Server tries to authenticate using the Domain name.
To change login module to MS Active Directory:
Step 1

Step 2
Select MS Active Directory radio button.
Step 3
Click Change.
2-30
OL-25947-01
Chapter 2
Setting up Security
Field
Description
Name of the login module (MS Active Directory) you have selected in the
Authentication Mode setup page.
Description
Brief description about the login module you have selected.

For the MS Active Directory login module, the description displayed is
Cisco Prime MS Active Directory module.
Server
Name of the LDAP server.
Usersroot
Default set to ldap://ldap.company.com.

User objects in MS Active Directory.
Default set to cn=users, dc=servername, dc=company, dc=com.
For example, if users in the Active Directory have
ou=myDept, dc=myCompany, dc=com in their Distinguished Name (DN)
strings, you should specify the same in this field to integrate the LMS
Server with the MS Active Directory server.
You can also enter multiple usersroot values separated by semicolon.
For example, you can enter ou=myDept, dc=myCompany, dc=com;
ou=Dept1, ou=Dept2, dc=myCompany, dc=com.
When you integrate your LMS Server with MS Active server, you should
configure this field for a Distinguished Name based authentication.
If you are using Windows 2008 Active Directory, you have to provide the
complete Usersroot information (including cn=Username). This is because
Windows 2008 Active Directory implementation has disabled anonymous
search requests.
Otherwise, if your Active Directory Server allows anonymous binds, you
need to specify only dc=servername, dc=company, dc=com.
RDN-Prefix
String prefixed with login username to form a Relative Distinguished Name

(RDN).
Default is set to cn=.
For example when you have configured this field as cn= and log into the
server as MyUser, the RDN formed is cn=MyUser.
When you integrate your LMS Server with MS Active server, you must
configure this field for a Distinguished Name based authentication.
UPN-Suffix
String suffixed with login username, usually the domain in which the user
account is located to form a User Principal name.
You should configure this field for a UPN based authentication.
For example, if the UPN of Active Directory users who need to be
integrated with Cisco Prime are user1@mydept.mycompany.com,
user2@mydept.mycompany.com, and user3@mydept.mycompany.com, you
should mention @mydept.mycompany.com in this field.

OL-25947-01
2-31
Chapter 2
Setting up Security
Field
Description
AD-Domain
Active Directory domain.

You should configure this field for a domain based authentication. Users of
the specified domain in MS Active Directory server are authenticated when
you integrate the LMS Server with MS Active Directory server.
Debug

You can set any of the following options:
Allow all Local Authentication users to fallback to the Local

Authentication login.
Allow only the specified users to fallback to the Local Authentication

login.
When you select this option, you should enter one or more Local
Authentication usernames separated by commas.
This is the default login fallback option.
Note
Step 4
Do not allow any fallback to the Local Authentication login.
Important configuration guidelines are listed below:
You must enter a value for at least one of the fields: Usersroot, UPN-Suffix, and AD-Domain. You
cannot leave all the three fields blank.
To allow only particular group of users to log into LMS, do not configure UPN-Suffix, and
AD-Domain.
After the integration of LMS Server with MS Active Directory server, you can log into LMS Server with
an Active Directory username and the corresponding password.
MS Active Directory server provides authentication services to LMS Server by the default simple
authentication mechanism.
To provide a secure authentication mechanism with DIGEST-MD5 to LMS Server, you should:
Step 1
Edit the Account Options of a user in the MS Active Directory Server and enable the Store password
using reversible encryption option.
Step 2
Reset the password of the user to authenticate properly.
Step 3
Configure the cam.properties file in LMS Server located at NMSRoot/lib/classpath, where NMSRoot is
your Cisco Prime Installation directory.
You must change the following line in the cam.properties file from:
2-32
OL-25947-01
Chapter 2
Setting up Security
#LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
to
LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
If you want the secure authentication mechanism to fallback to simple authentication mechanism, you
must configure the LDAP_FALLBACK_AUTHENTICATION_NEED property.
You must change the following line in the cam.properties file from:
#LDAP_FALLBACK_AUTHENTICATION_NEED=True
to
LDAP_FALLBACK_AUTHENTICATION_NEED=True
Step 4
Save the changes to the cam.properties file.
Note
You need not restart the Daemon Manager.
Digest-MD5 authentication supports only User Principal Name and Security Account Manager user
accounts. You cannot log into LMS Server with the User login name.
Active Directory users who are logged into Cisco Prime, have the privileges of a Help Desk role. To
assign other privileges to Active Directory users, you must set up a user in Cisco Prime with the same
name.
For example, to assign the System Administrator privileges to a MS Active Directory users User1 and
User2 in Cisco Prime, you must set up User1 and User2 in Cisco Prime and assign System Administrator
role to them. When the users log into Cisco Prime, they also have the System Administrator privileges.
Changing Login Module to RADIUS
To change login module to RADIUS:

Step 1

Step 2
Select the RADIUS radio button.

OL-25947-01
2-33
Chapter 2
Setting up Security
Step 3
Click Change.
Field
Description
RADIUS.
Description
Cisco Prime RADIUS module.
Server
Set to module type servername, radius.company.com.
Port
Set to 1645. Attempt to override it only if your authentication

server was configured with a non-default port.
Key
Enter the secret key.
Debug

Set to True for debugging purposes, when requested by your
customer service representative.
Step 4
Set the option for fallback to the Local Authentication module if

the alternative service fails.
Changing Login Module to TACACS+
To change login module to TACACS+:

Step 1

Step 2
Select TACACS+ radio button.
Step 3
Click Change.
Field
Description
TACACS+.
Description
Cisco Prime TACACS+ login module.
Server
Set to module type tacacs.company.com
Port
Set to 49. The listed port number is the default for this
protocol.
Attempt to override it only if your authentication server was
configured with a non-default port.
Secondary Server
Set to module type tacacs.company.com. This is the secondary

fallback server.
Secondary Port
protocol.
2-34
OL-25947-01
Chapter 2
Setting up Security
Field
Description
Tertiary Server
Set to module type tacacs.company.com. This is the tertiary

fallback server.
Tertiary Port
protocol.
Key
Enter the secret key.
Debug

Set to True for debugging purposes, when requested by your
customer service representative.
The values True or False should not be entered in the Server, Secondary Server and Tertiary
Server fields, the corresponding Port fields or the Key field.
Note
Step 4
Set the option for fallback to the Local Authentication module

if the alternative service fails.
After you change the login module, you do not have to restart Cisco Prime. The user who logs in after
the change, automatically uses the new module. Changes to the login module are logged in the following
files:
NMSROOT/MDC/Tomcat/logs/stdout.log (On Solaris/Soft Appliance)
NMSROOT\MDC\Tomcat\logs\stdout.log (On Windows)
where NMSROOT is your Cisco Prime Installation directory.
Resetting Login Module

To reset the login module of LMS Server to Local Authentication:
Step 1
Stop the Daemon Manager using:
net stop crmdmgtd
(On Windows)
or
Step 2
/etc/init.d/dmgtd stop
(On Solaris/Soft Appliance)
Run the following script:
NMSROOT\bin\perl NMSROOT\bin\ResetLoginModule.pl (On Windows)

or
NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl (On Solaris/Soft Appliance)

OL-25947-01
2-35
Chapter 2
Setting up Security
Managing Roles
Step 3
Start the Daemon Manager using:
net start crmdmgtd
(On Windows)
or
/etc/init.d/dmgtd start
This resets the login module to Local Authentication mode.

Step 4
Enter a username in the User ID field.
Step 5
Enter the corresponding password in the Password field.
Step 6
Click Login or press Enter.

You are now logged into LMS Server.
Managing Roles
After authentication, your authorization is based on the privileges that have been assigned to you. A
privilege is a task or an operation defined within the application. The set of privileges assigned to you,
defines your role.
The LMS authorization scheme provides you with the following system-defined roles.
Help Desk Can access network status information only. Can access persisted data on the system
and cannot perform any action on a device or schedule a job which will reach the network.
Approver Can approve all tasks.
Network Operator Can perform all Help Desk tasks. Can perform tasks related to network data
collection. Cannot perform any task that requires write access on the network.
Network Administrator Can perform all Network Operators tasks. Can perform tasks that result
in a network configuration change.
System Administrator Can perform all Cisco Prime system administration tasks.
Super Admin Can perform all Cisco Prime operations including the administration and approval
tasks. This role has full privileges.
You can select a role and set it as the default role. After installing LMS 4.2, Help Desk will be the default
role.
If you do not want to use the system-defined roles, you can create custom roles and associate tasks to
them. You can also remove all the custom roles and retain only the predefined roles using a CLI tool,
see, Removing Custom Roles Using CLI.
To manage roles:
Step 1
Select Admin > System > User Management > Role Management Setup. The Role Management
Setup Page appears with the available roles, their descriptions, and the default role.
Note
You cannot edit, delete, or export system-defined roles.
2-36
OL-25947-01
Chapter 2
Setting up Security
Managing Roles
Step 2
You can do the following:
Button
Description
Add
Click Add to add user-defined roles. The Role Management Page appears.
To add a role:
1.
Enter the role name and description.
2.
Select the tasks that have to be assigned to the new role.

The task can be identified using the search option. The search uses the task name and the task
description to perform a complete search. The search results and All tab contents are
synchronized. Any selections made on search results will reflected in all tab. For more details
see Searching LMS Tasks.
3.
Click OK to add the new role or click Cancel to return to the Role Management Setup Page.
For more information on the various tasks in LMS 4.2, see Understanding LMS Tasks.
Edit
Delete
Select a user-defined role and click Edit to edit the role. The Role Management Page appears. To edit
a role:
1.
Modify the role description if required.
2.
Select or deselect the check box corresponding to the required tasks.
3.
Click OK to save the changes, or click Cancel to return to the Role Management Setup Page.
To delete a role:
1.
Select one or more user-defined roles and click Delete to delete the roles.
2.
Click OK to confirm or Cancel to return to the Role Management Setup Page.
If the deleted role is assigned to any user, then it will remove the association of this role with the user.
Copy
You can use this option to modify a system-defined role.

To copy a role:
Export
1.
Select a role from the roles and click Copy. The Role Management Page appears.
2.
Enter the role name and description.
3.
Select or deselect the check box corresponding to the tasks.
4.
Click OK to add the new role, or click Cancel to return to the Role Management Setup Page.
You can export roles only in the XML format. The file will be saved in the client.
To export roles:
Select the user-defined roles that you want to export and click Export. A message appears prompting
you to open or save the LMSRoleExport.xml file.

OL-25947-01
2-37
Chapter 2
Setting up Security
Managing Roles
Button
Description
Import
You can import roles only in the XML format.

To import roles:
1.
Click Import.
2.
Click Browse and select a file from the client.
3.
Specify if you want to to overwrite, merge or backup the existing roles when you import
roles:
4.
Click Submit to import the roles or Cancel to return to the Role Management Setup Page.
You can choose to:
Set as Default
OverwriteRoles with the same names will be overwritten.
MergeRoles with the same names will be updated with details of the existing role and details
of the imported role.
BackupRoles with the same names will be overwritten. The existing role will be renamed as
CopyOf<Role name>.
Default role will be assigned to users who:
Do not have any role assigned to them.
Have logged in using an external authentication server, like PAM, and are not available in the
local database.
When multiple roles are set as default role, the user will be assigned with all the roles selected as
default roles.
If there is no default role configured, then authorization will fail for users who:
Do not have any role assigned to them.
Have logged in using an external authentication server, like PAM, and are not available in the
local database.
To set a default role:
Clear Default
1.
Select a role from the roles listed in the Role Management Setup Page.
2.
Click Set as Default. The selected roles will be the default roles.
Click Clear Default to clear the default role. After you clear the default role, authorization will fail
for any user assigned without this role.
Note
After adding roles you must assign one or more roles to your users, select Admin > System > User
Management > Local User Setup.
Searching LMS Tasks
To search the LMS tasks,

Step 1
Specify the exact task name or the first few characters of the task name in the search text box and click
the search icon. The task name is case-insensitive.
2-38
OL-25947-01
Chapter 2
Setting up Security
For example enter admin or *admin or admin* or *change* in the search text box.
admin will search for the task and task description that contains the exact term admin.
*admin will search for the task and task description that ends with the term admin either in task
name or description.
admin* will search for the task and task description that begins with the term admin either in task
name or description.
*change* will search for the task and task description that contains the term change.
If there are no search results generated, then a pop-up window appears.
Note
Step 2
You are not allowed to use any other wildcard character apart from *.
Click the Search Results tab to see the corresponding search result.
In the All tab, the task tree will be in a collapsed state, whereas in the Search Results tab, the task tree
will be in the expanded state.
You will note that when you select or unselect a particular set of tasks in the Search Results tab, the
same set of tasks will be automatically selected or unselected in the All tab.
Removing Custom Roles Using CLI
You can use a CLI tool to remove all the user-defined roles and retain only the system-defined roles.
To do this:
On Windows, run:
NMSRoot\bin\ResetToFactoryRole.pl
On Solaris/Soft Appliance, run:
NMSRoot/bin/ResetToFactoryRole.pl

Certain Software Center features require Cisco.com access. This means that Cisco Prime must be
configured with a Cisco.com account, which is to be used when downloading new and updated packages.
Setting Up the Proxy Server
To view the Cisco.com Connection Details, select Admin > System > Cisco.com Settings >
Connection Management. The Cisco.com Connection Management page displays the current Proxy
Server settings.

This feature lets you add and modify Cisco.com user login names and password.
To set up Cisco.com login account:

OL-25947-01
2-39
Chapter 2
Setting up Security
Support Settings
Step 1
Select Admin > System > Cisco.com Settings.
Step 2
Click User Account Setup in the TOC list.

The User Account Setup page appears.
Step 3
Enter your Cisco.com Username, and Cisco.com Password.
Step 4
Re-enter the password in the Verify Password field.
Step 5
Click Apply.
Setting Up the Proxy Server

You can update the proxy server configuration using the Proxy Server set up option.
To update your proxy server configuration:
Step 1
Select Admin > System > Cisco.com Settings.
Step 2
Click Proxy Server Setup in the TOC list.

The Proxy Server Setup page appears.
Step 3
Enter the Proxy Server host name or IP address, and the port number.
Optionally, you can enter the Username and Password for accessing the proxy server.
If you have entered your password, re-enter the same password in the Verify Password field.
Step 4
Click Apply.
Support Settings
From LMS 4.2.2, Cisco Prime LAN Management Solution will support the Support Settings feature to
allow user to set the following two types of interactions:
Enabling interactions directly from the LMS server
Enabling interactions only through client system
For more information on creating a new service request and updating an existing service request, see
Creating/Updating Support Case section in Getting Started with Cisco Prime LAN Management
Solution 4.2.
2-40
OL-25947-01
CH A P T E R

LMS includes several administrative features to ensure that the server is performing properly. You can
manage processes, set up backup parameters, update licensing information, collect server information,
manage jobs and resources, and configure system-wide information on the LMS Server.
Managing Processes
Backing Up Data
This chapter has the following information:
Managing Processes
Backing Up Data
Managing Resources
Managing Resources

OL-25947-01
3-1
Chapter 3
Configuring TFTP

The Daemon Manager provides the following services:
Maintains the startup dependencies among processes.
Starts and stops processes based on their dependency relationships.
Restarts processes if an abnormal termination is detected.
Monitors the status of processes.
The Daemon Manager is useful to applications that have long-running processes that must be monitored
and restarted, if necessary. It is also used to start processes in a dependency sequence, and to start
transient jobs.
Do not start the Daemon Manager immediately after you stop it. The ports used by the Daemon Manager
will be in use for some time after the Daemon Manager is stopped. Wait for at least a minute before you
start the Daemon Manager.
If the System resources are less than the resources required to install the application, the Daemon
Manager restart displays warning messages that are logged into dmgtd.log.
You cannot start the Daemon Manager if there are non-SSL compliant applications installed on the server
when SSL is enabled in LMS.
Restarting Daemon Manager on Solaris/Soft Appliance
To restart Daemon Manager on Solaris/Soft Appliance:

Step 1
Log in as root.
Step 2
Enter /etc/init.d/dmgtd stop to stop the Daemon Manager.
Step 3
Enter /etc/init.d/dmgtd start to start the Daemon Manager.
Restarting Daemon Manager on Windows
To restart Daemon Manager on Windows:

Step 1
Go to the command prompt.
Step 2
Enter net stop crmdmgtd to stop the Daemon Manager.
Step 3
Enter net start crmdmgtd to start the Daemon Manager.
Do not start the Daemon Manager immediately after you stop it. The ports used by Daemon Manager
will be in use for some more time even after the Daemon Manager is stopped. Wait for at least one minute
before you start the Daemon Manager.
If the System resources are less than the required resources to install the application, Daemon Manager
restart displays warning messages that are logged into syslog.log.
3-2
OL-25947-01
Chapter 3

Managing Processes
Managing Processes
Cisco Prime applications use back-end processes to manage application-specific activities or jobs. The
process management tools enable you to manage these backend processes to optimize or troubleshoot
the LMS Server.
You can do the following activities:
View the details of all processes
Filter and show only processes of a specific state
Start the processes
Stop the processes
All mandatory processes are started when you start the system.
See LMS Back-end Processes for a list of Cisco Prime back-end processes used by LMS.
You can manage the Cisco Prime processes through CLI. See Managing Processes Through CLI for
more information.
Note
Your role and privileges determine whether you can use this option.
Process States
Viewing Process Details
Viewing Processes of a Specific State
Starting a Process
Stopping a Process
Process States
The state of the Cisco Prime backend processes fall under either one of the following categories:
State
Description
Running normally
Processes are started and are running normally.

Sometimes, you find the state of a few processes as follows:
Program started - No mgt msgs received
This indicates that the processes are started automatically at boot and are
running normally.
Never started
Processes that cannot start automatically and are to be started by operator

or administrator.
Failed to run
Processes that failed to start because of an error in the system.
Administratively
shutdown
Processes that are stopped by the system or by the administrator.

OL-25947-01
3-3
Chapter 3
Managing Processes
State
Description
Transient Terminated
Terminated transient processes.

Processes that are created or started by Daemon Manager whenever
required are called transient processes.
Waiting to Initialize
Processes that are yet to run normally and are in initialization phase.
Viewing Process Details
To view Process details:

Step 1
Select Admin > System > Server Monitoring > Processes.

The Process Management page appears with all Cisco Prime processes listed.
You can see the following information of a Cisco Prime process in the Process Management window:
Column
Description
ProcessName
Name of the process. Describes how the process is registered. See LMS
Back-end Processes for more information on process description. For
information on suite-specific processes, see the relevant Online help.
You cannot view the details of Apache and Tomcat processes or restart them from
the user interface. But you can view the details of these processes in Process
Status report (Reports > System > Status > Process).
Step 2
ProcessState
Process status and a summary of the log file entries for the process. If the process
fails, this column is highlighted in red.
ProcessId
Unique number by which the operating system identifies each running program.
ProcessRC
Return code. 0 represents normal program operation. Any other number

represents an error. See the error log for details.
ProcessSigNo
Signal number. 0 represents normal program operation. Any other number is the
last signal delivered to the program before it terminated.
ProcessStartTime
Time and date on which the process was started.
ProcessStopTime
Time and date on which the process was stopped.
Click the ProcessName link of a process to view its details.

The Process Details popup window appears with the following information:
Column
Description
Process
Name of the process.
Path
File Location.
Flags
Flags used to register the process with the Daemon Manager.
Startup
Method used to start the process (manual or automatic).
Dependencies
Other processes that are running, and that are required for this process to
run.
3-4
OL-25947-01
Chapter 3

Managing Processes
Step 3
Click OK.
You can click the Refresh icon on the top-right corner of the page to initiate a page refresh and view the
updated information of the processes.
Viewing Processes of a Specific State
To view processes of a specific state:

Step 1

The Process Management page appears.
Step 2
Select a process state from the Show Only process state.

You can select any one of the following process states:
Never started
Waiting to initialize
Running normally
Failed to run
Transient terminated
Administrator has shut down this server
Program started No mgt msgs received
See Process States for description of each of these process states.

The details of processes of the selected state appears.
Starting a Process
To start a process:
Step 1

Step 2
Select the check box corresponding to the process.
Step 3
Click Start.
Stopping a Process
To stop a process:
Step 1

Step 2
Select the check box corresponding to the process.

OL-25947-01
3-5
Chapter 3
Managing Processes
Step 3
Click Stop.
LMS Back-end Processes

The back-end processes in the LMS Server are required to manage application specific activities and
jobs.
Table 3-1 lists the back-end processes in LMS Server, their description and dependent processes.
In LMS 4.2, Compliance and Audit Manager (CAAM) Server is added as a new back-end process.
Log files for most of the processes are located in the following locations:
On Solaris/Soft Appliancevar/adm/CSCOpx/log
On WindowsNMSROOT\log, where NMSROOT is your Cisco Prime default installation directory.
You can also manage the Cisco Prime processes through CLI. You can perform the following activities
through CLI:
Viewing Process Details Through CLI
Viewing Brief Details of Processes
Viewing Processes Statistics
Starting a Process
Stopping a Process
Server Back-end Processes
Inventory, Config and Image Management Processes
Network Topology, Layer 2 Services and User Tracking Processes
IPSLA Performance Management Processes and Dependency Processes
Device Performance Management Module Processes
Fault Management Processes
Server Back-end Processes

Table 3-1 lists the LMS 4.2 Server Back-end processes and their dependency processes.
3-6
OL-25947-01
Chapter 3

Managing Processes
Table 3-1
Cisco Prime LMS 4.2 Server Back-end Processes and their Descriptions
Process Name
Description
Apache
Apache web server used on both UNIX

and Windows systems. This hosts the
base Cisco Prime home page and all
major applications.
Normal Process
State
Dependent Process
Program started - TomcatMonitor

No mgt msgs
received
Log Files
NMSRoot\MDC\
Apache\logs
(On Windows)
/opt/CSCOpx/MDC/
Apache/logs
You cannot view the details of this

process or restart this process from the
user interface (from Process Management page).
CmfDbEngine
Sybase database instance used by the

base Cisco Prime framework.
Program started - None

No mgt msgs
received
CmfDbMonitor
Monitors the CmfDbEngine process and Running

periodically checks for connectivity and normally
SQL errors.
CmfDbEngine
NMSRoot/MDC/log/
daemons.log
(On Solaris/Soft
Appliance only)
NMSRoot\log\
CmfDbMonitor.log
(On Windows)
/var/adm/CSCOpx/log
/CmfDbMonitor.log
CMFOGSServer
Device grouping service in CS that

provides grouping capability based on
device attributes stored in DCRServer.
Program started - CmfDbMonitor,

No mgt msgs
EssMonitor,
received
DCRServer
NMSRoot\log\
CMFOGSServer.log
(On Windows)
/var/adm/CSCOpx/log
/CMFOGSServer.log
CSDiscovery
Transient process created by Daemon

Manager. This process initiates Device
Discovery.
NMSRoot\log\
CSDiscovery.log
(On Windows)
/var/adm/CSCOpx/log
/CSDiscovery.log

OL-25947-01
3-7
Chapter 3
Managing Processes
Table 3-1
Process Name
Description
Normal Process
State
CSRegistryServer Registry Server for other CS processes

Running
such as DCRServer and CMFOGSServer normally
and provides the backbone for inter-process communication for DCRServer and
CMFOGSServer.
Dependent Process
Log Files
NMSRoot\log\
CSRegistryServer.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
Sometimes, the Tomcat process may start

this process. In such cases, the process
status is displayed as follows:
Administrator has shut down this
server
You can ignore this error message.

DCRServer
DCRDevicePoll
Device List and Credential Repository

Server that provides the repository for
shared device list and credentials to be
used across applications.
Running
normally
Transient process created by Daemon

Manager. This process initiates Device
Polling.
TomcatMonitor,
CmfDbMonitor,
EssMonitor
NMSRoot\log\
DCRServer.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
NMSRoot\log\
DCRDevicePoll.log
(On Windows)
/var/adm/CSCOpx/log
/DCRDevicePoll.log
diskWatcher
Monitors disk space availability on the

LMS Server.
Running
normally
See Configuring Disk Space Threshold

Limit for more information.
EDS
Legacy Event Distribution engine. This Running

is currently used by some applications to normally
send and receive event messages.
NMSRoot\log\
diskWatcher.log
(On Windows)
/var/adm/CSCOpx/log
/diskWatcher.log
NameServiceMonitor
NMSRoot\log\
EDS.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
3-8
OL-25947-01
Chapter 3

Managing Processes
Table 3-1
Process Name
Description
EDS-GCF
EDS - Generic Consumer Framework

process. It is an extension to EDS that
allows Generic Event Consumers to
provide a pluggable event interface.
ESS
EssMonitor
Normal Process
State
Dependent Process
Running
normally
EDS, CmfDbMonitor
Log Files
NMSRoot\log\
EDS-GCF.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
Event Services Software. The new

Program started -
engine that handles distribution of events No mgt msgs
between processes. This is slated to
received
eventually replace EDS.
NMSRoot\log\ESS.log
(On Windows)
Monitors ESS process to check if events Running

normally
related functionality works properly.
This process shuts down automatically
when the ESS process fails or does not
function properly.
NMSRoot\log\
EssMonitor.log
(On Windows)
ESS
/var/adm/CSCOpx/log
/daemons.log
/var/adm/CSCOpx/log
/daemons.log
EventFramework
Event management bus, LMS uses this to Program started - EssMonitor

No mgt msgs
facilitate event transmissions between
received
daemons.
No log files
FDRewinder
Enables the rotation of log files function- Never started

ality using logrot.
/var/adm/CSCOpx/log
/daemons.log
(Solaris/Soft
Appliance Only)
jrm
LicenseServer
Job and Resource Manager. This allows

scheduling of jobs to be run at specific
times. It also allows locking and
unlocking of resources.
Program started - CmfDbMonitor,

No mgt msgs
NameServicereceived
Monitor, EDS, EssMonitor
Provides Licensing functionality for

Program started -
evaluation and file based licensing mech- No mgt msgs
anisms.
received
NMSRoot\log\
jrm.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
NMSRoot\log\
LicenseServer.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log

OL-25947-01
3-9
Chapter 3
Managing Processes
Table 3-1
Normal Process
State
Process Name
Description
NameServiceMonitor
Running
Name Service agent that monitors
Normally
objects and messages and acts as a
gateway between the JacORB clients and
the Name Server.
Dependent Process
NameServer
Log Files
NMSRoot\log\
NameServiceMonitor.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
NameServer
Object Request Broker for the JacORB

framework used in Cisco Prime.
Program started -
No mgt msgs
received
NMSRoot\log\
NameServer.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
Tomcat
Java servlet engine used on Windows,

Solaris and Soft Appliance systems
hosting applications based on the Cisco
Prime desktop.
Program started -
No mgt msgs
received
/opt/CSCOpx/MDC/
tomcat/logs/stdout.log(On
You cannot view the details of this

process or restart this process from the
user interface (from Process Management page).
TomcatMonitor
Monitors the health of the Tomcat

process and shuts down automatically
when Tomcat fails or does not function
properly.
NMSRoot\MDC\
tomcat\logs\stdout.log
(On Windows)
Running
normally
Tomcat
NMSRoot\log\
TomcatMonitor.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
3-10
OL-25947-01
Chapter 3

Managing Processes
Inventory, Config and Image Management Processes

Table 3-2 lists Inventory, Config and Image Management processes, and their dependency processes.
Table 3-2
Inventory, Config and Image Management Processes and Dependency Processes
Process Name
Dependency
(Sequential)
Log Information
Description
RMEDbEngine
None
NA
System service: the database engine for

applications.
ConfigMgmtServer
EssentialsDM
dcmaservice.log
Configuration Management service performs

the following tasks,
ConfigUtilityService EssentialsDM
cfgutilservice.log
Collects the configuration for the LMS

managed devices on request from jobs or
user Interface.
Archives new version if there is a

difference between the fetched
configuration and the latest configuration
in archive.
Parses the configuration based on configlet

rules and generates differences between the
configurations.
Logs change record for every new version

of archived running configuration.
Detects config changes on the device and

triggers configuration collection
Caches the device and NetConfig template

mapping information.
Populates the database with NetShow

system-defined command sets and
NetShow commands by retaining them
from device packages.
ConfigUtilityService parses the archived

configurations of the devices for assessing the
technology readiness of the devices. It does
config and CLI parsing.
ConfigUtilService also performs OGS grouping
attributes updates at the end of Inventory
collection.
SyslogCollector
ESS
SyslogCollector.log
Filters and sends the syslog objects to various

SyslogAnalyzer services subscribed to it.

OL-25947-01
3-11
Chapter 3
Managing Processes
Table 3-2
Inventory, Config and Image Management Processes and Dependency Processes (continued)
Process Name
Dependency
(Sequential)
EssentialsDM
ESS
DCRServer
LMSDbEngine
Log Information
Description
EssentialsDM_Server.log It publishes a dummy Common Services

Transport Mechanism (CSTM) service name to
synchronize publishing of service names with
CSTM.
All other LMS services that publish service
names with CSTM are made dependant on this
service either directly or indirectly.
After adding devices to LMS, this service
triggers for Inventory and Configuration
collection.
System service that monitors the accessibility
of the LMS database engine that helps to ensure
that the system is not started until the database
engine is ready.
EnergyWise
EssentialsDM ICServer
EnergyWise.log
EnergyWise process provides services for:
EnergyWiseUI.log
EnergyWise endpoint and device collection
EnergyWiseConfiguratio
n.log
EnergyWise monitoring
EnergyWise compliance check
Auto-push of EnergyWise policies on the

devices.
EnergyWiseMonitoring.l
og
EnergyWiseCollection.lo
g
EnergyWiseNative.log
EnergyWiseComplianceC
heck.log
EnergyWiseNativeCompl
iance.log
EnergyWise_Purge.log
EnergyWiseNativePolicy.
log
CTMJrmServer
EssentialsDM
CTMJrmServer.log
This service is a proxy to the JRM service. This

is used by LMS to connect to the JRM service.
It hides all the direct interaction with JRM.
ChangeAudit.log
Change Audit program that provides back-end

database services for applications that want to
log network changes and for Change Audit
reports and Automated actions
jrm
Tomcat
ChangeAudit
EssentialsDM
CTMJrmServer
jrm
3-12
OL-25947-01
Chapter 3

Managing Processes
Table 3-2
Inventory, Config and Image Management Processes and Dependency Processes (continued)
Process Name
Dependency
(Sequential)
Log Information
Description
ICServer
ESS
IC_Server.log
This is a service that collects and stores

Inventory information from the device using
SNMP.
CTMJrmServer
It also detects changes that occurred between

the last time Inventory was collected for a
device, and the current Inventory collection.
SyslogAnalyzer
ESS
EssentialsDM
CTMJrmServer
SyslogAnalyzer.log for
Windows
AnalyzerDebug.log for
Solaris/Soft Appliance
jrm
It takes the filter definition from the user and

sends it to the various Syslog Collectors it is
subscribed to.
Receives the syslogs from the Syslog collector
and inserts them into the database and also takes
automated actions from the user.
PMCOGSServer
LMSOGSServer
PMCOGSServer.log
Port and Module group administration service.

This is used for managing Port and Module
groups.
ANIDbEngine
None
None
System service: Database engine for Topology

and Identity Services.
ANIServer
EDS
ani.log
System service: Collects device information for

Topology and Identity Services.
macuhic.log
System service: Receives and processes SNMP

traps for Dynamic UT
utlite.log
System service: Receives and processes the

UTLITE data
UTMajorAcquisition ANIServer
ut.log
UTMajor Acquisition is a transient process.

System service: Collects end hosts information.
UTManager
utm.log
System service: Queries external system for

Dynamic UT
ANIDbEngine
MACUHIC
EssMonitor
ANIDbEngine
UTLITE
EssMonitor
ANIDbEngine
EssMonitor
ANIDbEngine
DCRServer
VNMServer
ANIDbEngine
Vnmserver.log
System service: Handles VRF Lite Services like

configuration, VRF Lite collector job
scheduling
WlseUHIC
ANIDbEngine
wlseuhic.log
System service: Collects information from

Wlse Device
Compliance and
Audit Manager
(CAAM) Server
Essentials DM
caam_server.log
The Compliance and Audit Manager server

collects information from the Inventory and
Configuration management servers and stores
the details in a database.
cammserverui.log
caamservercollection.log
If you stop or restart any of these processes you must stop and restart their dependency processes. See
Table 3-2 for the list of dependent processes.
You can stop and restart the process using Admin > System > Server Monitoring > Processes.

OL-25947-01
3-13
Chapter 3
Managing Processes
Network Topology, Layer 2 Services and User Tracking Processes

Table 3-3 lists Inventory, Config and Image Management processes, and their dependency processes.
Table 3-3
Network Topology, Layer 2 Services and User Tracking Processes and Dependency Processes
Process Name
Dependency
(Sequential)
Log Information
Description
ANIDbEngine
None
None
System service: Database engine for

Topology and Identity Services.
ANIServer
EDS
ani.log
System service: Collects device information

for Topology and Identity Services.
macuhic.log
System service: Receives and processes

SNMP traps for Dynamic UT
utlite.log
System service: Receives and processes the

UTLITE data
ANIDbEngine
MACUHIC
EssMonitor
ANIDbEngine
UTLITE
EssMonitor
ANIDbEngine
UTMajorAcquisition
ANIServer
ut.log
UTMajor Acquisition is a transient process.

System service: Collects end hosts
information.
UTManager
EssMonitor
utm.log
System service: Queries external system for

Dynamic UT
ANIDbEngine
DCRServer
VNMServer
ANIDbEngine
Vnmserver.log
System service: Handles VRF Lite Services

like configuration, VRF Lite collector job
scheduling
WlseUHIC
ANIDbEngine
wlseuhic.log
System service: Collects information from

Wlse Device
3-14
OL-25947-01
Chapter 3

Managing Processes
IPSLA Performance Management Processes and Dependency Processes

Table 3-4 lists the LMS 4.2 Performance Management processes and their dependency processes.
Table 3-4
LMS 4.2 IPSLA Performance Management Process and the Dependency Processes
Dependency (Sequential)
Process Name
Description
IPMProcess
Provides core function of managing

Devices, Collectors and Operations in
LMS.
DCRServer,
IpmDbEngine
Log Files
Program
Started
ipmserver.log,dmgtd.log
Program
Started
IPMOGSServer.log,
Program
Started
dmgtd.log
jrm
IPMOGSServer IPSLA Performance Management

group administration service. This is
used for managing IPSLA Performance
Management collector groups. It is also
used for IPSLA Performance Management Collector selector.
CmfDbMonitor,
IpmDbEngine
NA

Database Engine service.
Default State
EssMonitor,
IPMOGSClient.log
DCRServer,
IpmDbEngine
It is used for managing and storing

related information on the database
Device Performance Management Module Processes

Table 3-5 gives a description of key processes in Device Performance Management module.
Table 3-5
Key Processes in LMS 4.2 Device Performance Management Module
Dependent
Process
Process Name
Description
UPMDbEngine
None
This is the Device
Performance Management
database engine process. If
this process is down, you will
not be able to access Device
module of LMS, and polling,
threshold monitoring, and
trendwatch monitoring will
fail.
Default
State
Log Files
Started
None

OL-25947-01
3-15
Chapter 3
Managing Processes
Table 3-5
Process Name
Key Processes in LMS 4.2 Device Performance Management Module
Description
UPMDbMonitor Responsible for monitoring

the UPMDbEngine process.
UPMProcess
Dependent
Process
Default
State
Log Files
UPMDbEngine
Started
UPMDbMonitor.log
DCRServer,
Started
Responsible for the Polling
UPMDbMonitor
engine, Threshold
monitoring and Poller
Management features of
LMS. If this process is down,
poller management,
threshold management,
trendwatch management will
fail.
upm_process.log
Fault Management Processes

Table 3-6 provides a complete list of Fault Management-related Cisco Prime processes. Logs for most
of these processes are provided in Table 17-2.
Table 3-6
Fault Management Related Processes
Name
Description
Dependency
Default State Log Files
AdapterServer/
AdapterServer 1
Event adapter takes events from backend

servers.
None
Program
Started
DataPurge
Data PurgeStarts as scheduled in the GUI and jrm

purges the Fault History database.
adapterServer.log,
adapterServer1.log
, daemons.log
Administrato DPS.log,
daemons.log
r has shut
down this
server
3-16
OL-25947-01
Chapter 3

Managing Processes
Table 3-6
Fault Management Related Processes (continued)
Name
Description
Dependency
DfmBroker
Fault Management Broker maintains a registry None

about Fault Management domain managers, that
register the following information with the
broker when its initialization is complete:

Program
Started
brstart.log
None
Program
Started
DfmLogService.lo
g, daemons.log
DFMMultiProcLog Handles processes with multiple threads.

ger
None
Program
Started
MultiProcLogger.l
og, daemons.log
DFMOGSServer
Fault Grouping Service Server evaluates group

membership.
CmfDbEngine,
Program
ESS, DCRServer, Started
TISServer
DFMOGSServer.l
og
DfmServer/DfmSe
rver 1
Infrastructure device domain manager, a

program that provides backend services for
Fault Management. Services include SNMP
data retrieval and event analysis. The
DfmServer log is
NMSROOT/objects/smarts/logs/DFM.log.
DfmBroker
Running
Normally
DFM.log,
DFM1.log
Application name of the domain manager
Hostname on which the domain manager is

running
TCP port at which the HTTP server is

listening
When a client needs to connect to the domain

manager, it first connects to the broker to
determine the hostname and TCP port the HTTP
service of that server is listening.
It then disconnects from the broker and
establishes a connection to the domain manager.
The DfmBroker log file is located at
NMSROOT/objects/smarts/local/logs/brstart.log
.
DFMLogServer
Controls Fault Management logs.
If there are two instances of the DfmServer

running, each will have a log file, DFM.log and
DFM1.log.
DFMCTMStartup
Handles interprocess communication.
None
Administrato DFMCTMStartup.
log, daemons.log
r has shut
down this
server
EPMDbEngine
Event Promulgation Module (EPM) database

engineRepository for the EPM module.
None
Program
Started
EPM.log
EPMServer
Sends events to notification services.
EPMDbEngine
Running
Normally
EPM.log
FHDbEngine
Fault History database engineRepository for

alerts and events.
None
Program
Started
daemons.log

OL-25947-01
3-17
Chapter 3
Managing Processes
Table 3-6
Fault Management Related Processes (continued)
Name
Description
Dependency
FHPurgeTask
Fault History purge task.
None
Transient
terminated
FHCollector.log,
FHUI.log
FHServer
Fault History server, a program that runs

backend services for Fault History.
EPMServer,
EPMDbEngine,
FHDBEngine
Running
Normally
FHServer.log
Interactor
Provides inventory and device information to

the Detailed Device View (DDV); updates the
DDV with events.
InventoryCollect
or
Program
Started
Interactor.log
Interactor 1
Provides inventory and device information to

the Detailed Device View (DDV); updates the
DDV with events.
Inventory
Collector 1
Program
Started
Interactor1.log
InventoryCollector
/
InventoryCollector
1
Synchronizes voice device inventory with

infrastructure device inventory. Handles all
inventory events, such as adding and deleting
devices.
ESS, TISServer,
DFMOGSServer
Running
Normally/Pr
ogram
Started
InventoryCollector
.log,
InventoryCollector
1.log
INVDbEngine
Inventory database engineRepository for

devices.
None
Program
Started
daemons.log
NOSServer
Notification Server monitors alerts and sends

notifications based on subscriptions.
EPMDbEngine,
EPMServer,
INVDbEngine,
DFMOGSServer
Running
Normally
nos.log
PTMServer
Polling and thresholds server.
DFMOGSServer
Running
Normally
PTMServer.log
PMServer
PMServer is used for the Partition Manager

funtionality for the Fault Management module
of LMS. When you add a device to the Fault
Management module, it is always added to the
default partition 0.
INVDbEngine
Running
Normally
PMServer.log (For
Windows)
EssMonitor
daemons.log (For
Solaris/Soft
Appliance)
All the debug logs related to PMServer can be

found at NMSROOT/log/dfmLogs/PM
TISServer
Inventory server.
EssMonitor,
INVDbEngine
Program
Started
TISServer.log
3-18
OL-25947-01
Chapter 3

Backing Up Data
Backing Up Data
You should back up the database regularly so that you have a safe copy of the database. You can schedule
immediate, daily, weekly, or monthly automatic database backups. You should have necessary privileges
to use this option.
You cannot back up the database while restoring the database. LMS uses multiple databases to store
client application data. These databases are backed up whenever you perform a backup.
Backup requires enough storage space on the target location for the backup to start.
If your current license count is lower than your earlier license count, and you restore the data now,
devices that exceed the current licence count will be moved to Suspended state.
Caution
You should never backup data to the Cisco Prime Installation directory NMSROOT/backup. Sometimes,
storing the backup data in this location may corrupt the Cisco Prime installation.
Scheduling a Backup
Restoring Data
Changing the Database Password
Effects of Backup-Restore on DCR
Effects of Backup-Restore on Groups
Scheduling a Backup
You can schedule a backup using the LMS UI or use the backup utility through CLI. See, Backing up
Data Using CLI for more information.
To schedule a backup:
Step 1
Select Admin > System > Backup.

The Backup Job page appears.
Step 2
Enter the appropriate information in the following fields:

Field
Backup Directory
Generations
Time
Description
Location of the backup directory. We recommend that your target location be on
a different partition than the Cisco Prime installation location.
The backup directory should not contain any special character.
Maximum number of backups to be stored in the backup directory.
From the lists, select the time period between which you want the backup to
occur. Use a 24-hour format.

OL-25947-01
3-19
Chapter 3
Backing Up Data
Field
E-mail
Description
Enter a valid e-mail ID in this field.
You can enter multiple e-mail IDs separated by commas.
The system uses the e-mail ID or e-mail IDs to notify you the following:
New backup schedules.
Status of immediate or scheduled backup jobs upon their completion.
Cancelled backup schedules.
Warning
Frequency
There may be a problem in sending e-mails when you have enabled

virus scanner in the Cisco Prime LMS Server.
Select the backup schedule:
Immediately - The database is backed up immediately.
Daily - The database is backed up every day at the time specified.
Weekly - The database is backed up once a week on the day and time
specified. Select a day from the Day of week list.
Monthly - The database is backed up once a month on the day and time
specified. Select a day from the Day of month list.
You cannot schedule more than one backup at a time. The new schedule
overwrites the previous schedule, if any.
Step 3
Click Apply.
The Schedule Backup message verifies your schedule and provides the location of backup log files.
Examine the log file at the following location to verify backup status:
/var/adm/CSCOpx/log/dbbackup.log
On Windows:
NMSROOT\log\dbbackup.log
You can remove the scheduled backup at any time. Click Remove to delete the scheduled backup job.
The Remove button appears only if you have scheduled any backup.
Restoring Data
The new restore framework supports restore across versions. This enables you to restore data from
versions 3.1, 3.2. The restore framework checks the version of the archive.
If the archive is of the current version, then the restore from current version is run.
If the backup archive is of an older version, the backup data is converted to LMS format, if needed,
and applied to the machine.
You can restore your database by running a script from the command line. You have to shut down and
restart Cisco Prime while restoring data.
3-20
OL-25947-01
Chapter 3

Backing Up Data
In all backup-restore scenarios, a back up is taken from a machine A, and the backed up data, say Ab, is
restored on the same machine A, or on a different machine B.
Ensure that you do not run any critical tasks during data restoration. Otherwise, you may lose the data
of such tasks.
For details on effect of restore operation on DCR modes, and Groups, see Effects of Backup-Restore on
DCR and Effects of Backup-Restore on Groups.
Caution
Restoring the database from a backup permanently replaces your database with the backed up version.
The list of applications in a backup archive should match the list of applications installed on the LMS
Server where you want to restore the data. You should not continue the restore when there is a mismatch,
as it may cause problems in the functionality of Cisco Prime applications.
Restoring Data On Solaris/Soft Appliance
Restoring Data On Windows
Restoring Data On Solaris/Soft Appliance
To restore the data on Solaris/Soft Appliance:

Step 1
Log in as the superuser, and enter the root password.
Step 2
Stop all processes by entering:

Step 3
Restore the database by entering:

/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/restorebackup.pl [-t temporary directory] [-gen
generationNumber] [-d backup directory] [-h]
[-t temporary directory]The restore framework uses a temporary directory to extract the content
of backup archive.
By default the temporary directory is created under NMSROOT as NMSROOT/ tempBackupData.
You can customize this, by using this t option, where you can specify your own temp directory.
This is to avoid overloading NMSROOT
[-gen generationNumber]Optional. By default, it is the latest generation. If generations 1 through

5 exist, then 5 will be the latest.
[-d backup directory]Required. Which backup directory to use.
[-h]Provides help. When used with -d <backup directory> syntax, shows correct syntax along
with available suites and generations.
To restore the most recent version, enter:

/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/restorebackup.pl -d backup directory
For example, -d /var/backup
Step 4
Examine the log file in the following location to verify that the database was restored by entering:
/var/adm/CSCOpx/log/restorebackup.log
Step 5
Restart the system:


OL-25947-01
3-21
Chapter 3
Backing Up Data
Restoring Data On Windows
To restore the data on Windows, make sure you have the correct permissions, and do the following:
Step 1
Stop all processes by entering the following at the command line:

net stop crmdmgtd
Step 2
Restore the database by entering:

NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl [-t temporary directory] [-gen
generationNumber] [-d backup directory] [-h]
where NMSROOT is the Cisco Prime installation directory. See the previous section for command option
descriptions.
To restore the most recent version, enter the following command:
NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl -d backup directory
Step 3
Examine the log file in the following location to verify that the database was restored by entering:
NMSROOT\log\restorebackup.log
Step 4
Restart the system by entering:

net start crmdmgtd
Note
For more details on restoring data see Migrating Data to Cisco Prime LAN Management Solution 4.2 in
Installing and Migrating to Cisco Prime LAN Management Solution 4.2
Changing the Database Password

You must enter the database password while installing Cisco Prime. If you do not enter the password,
Cisco Prime generates the password at random. However, we recommend that you change the password
periodically to ensure system security.
Caution
You need to shut down Cisco Prime, change the password and then restart Cisco Prime, for the changes
to take effect. Make sure you are not running any critical tasks. Otherwise, you might lose data.
Changing Password on Solaris/Soft Appliance
Changing Password on Windows
Formats Available for Changing the Database Password
Changing Password on Solaris/Soft Appliance
To change the password on Solaris/Soft Appliance:

Step 1
3-22
OL-25947-01
Chapter 3

Backing Up Data
Step 2

Step 3
Change to the installation directory by entering:

cd
NMSROOT/bin
NMSROOT is your default Cisco Prime installation directory.

Step 4
Enter the following command to list the different formats available for changing the database password:
NMSROOT/bin/perl dbpasswd.pl
Step 5
When prompted, enter the new password and verify it by re-entering it.
The password can contain a maximum of 30 characters.
Step 6
Start all processes by entering:

Changing Password on Windows
To change the password on Windows:

Step 1
At the command line, make sure you have the correct permissions.
Step 2

net stop crmdmgtd
Step 3
Change to the Installation Directory by entering:

cd
NMSROOT\bin
NMSROOT is your default Cisco Prime installation directory.

Step 4
Enter the following command to list the different formats available for changing the database password:
NMSROOT\bin\perl dbpasswd.pl
Step 5
When prompted, enter the new password and verify it by re-entering it.
The password can contain a maximum of 30 characters.
Step 6
Start all processes by entering:

net start crmdmgtd

OL-25947-01
3-23
Chapter 3
Backing Up Data
Formats Available for Changing the Database Password
The different formats available and the commands for changing the database passwords on Windows,
Solaris and Soft Appliance platforms are tabulated below:
Format
Command
Format 1 detects the available datasource names

and databases and prompts you to enter and
confirm the passwords for each of them.
It also allows you to encrypt the password.
NMSROOT/bin/perl dbpasswd.pl all

On Windows:
NMSROOT\bin\perl dbpasswd.pl all
Format 2 allows you to list all the databases and

datasource names (DSNs) available in the server.
NMSROOT/bin/perl dbpasswd.pl listdsn
On Windows:
NMSROOT\bin\perl dbpasswd.pl listdsn
Format3 allows you to change the database

password.
NMSROOT/bin/perl dbpasswd.pl dsn=odbc_datasource
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=odbc_datasource
Format 4 allows you to change the database

password for a specific DSN.
It also allows you to enter a new password in the
command line using the npwd option.
NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password
Format 5 allows you to encrypt the existing

database password.
NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name encyption=yes
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name encyption=yes
Format 6 allows you to change the database

password for a specific DSN.
Format 6.0 also:
encryption=yes
Allows you to enter a new password in the

command line using the npwd option.
NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password

On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password

Allows you to encrypt the password using the encryption=yes
encryption option.
Effects of Backup-Restore on DCR

Data changes are a normal part of any restore from a backup. However, because Device and Credential
Repository (DCR) is a distributed system with varying modes, it is also possible for any restored DCR to:
Change modes.
3-24
OL-25947-01
Chapter 3

Backing Up Data
For example, a Standalone DCR can be set after a backup to act as a Slave. When the restore is
performed, it will be reset to the Standalone mode. It depends on the DCR mode of the machine from
which the backup was taken (source machine), and the machine on which the data was restored
(target machine).
Change Master/Slave relationships.

For example, a DCR Slave may be using Master A at the time a backup is taken. Later, the domain
may be changed to use Master B, and the Slave reset to use Master B. When the restore is performed,
the Slave will attempt to use Master A.
For detailed information on DCR, see Managing Device and Credentials in Inventory Management
Guide.
The following scenarios helps you understand the implications of Restore operations on DCR.
Restoring Data From a DCR Standalone
Restoring Data From S1 on S1
Restoring Data From S1 to M1
Restoring Data From S1 on M2
Restoring Data From M1 on M1
Restoring Data From M1 to M2
If you restore the data backed up from a machine in the Standalone mode, on any machine whose
working mode is either Standalone, Master, or Slave, the end mode will be Standalone.
Let X be a machine in Standalone mode.
If you restore the data backed up from X, say Xb, on another Standalone machine Y, or a Slave S, or a
Master M, the end mode of Y, S, and M will be Standalone. Also, any slave of M will switch to
Standalone mode.
Further scenarios can be better explained based on the following DCR set up.
Let us assume there are two DCR domains.
For Domain 1, you have M1 as Master, and S1, and S2 as Slaves.
For Domain 2, you have M2 as Master, and S3, and S4 as Slaves.
Suppose you take a backup from S1. After sometime, you restore the backed up data, say S1b, on S1. S1
will look for its Master M1, and the Master-Slave relation between S1 and M1 will be intact, since M1
is available.
However, note that the restore on S1 will practically be of no effect since S1 and M1 will synchronize
after the restore on S1. The changes that have taken place after the backup was taken from S1 will be
reflected in S1, even if S1b is restored on S1.
In the above example, if the restore on S1 is performed when Master M1 is down, or has crashed, the
end mode of S1 will be Standalone. This is because S1 will try to contact M1, and will fail because M1
is down.
Restoring Data From S1 to M1
Suppose you take a backup from S1 and restore the backed up data, say S1b, on M1. M1 will switch to
Standalone mode because, after backup, it will not be able to find a Master. S1 will also switch to
Standalone mode.

OL-25947-01
3-25
Chapter 3
Backing Up Data
At the time of backup, if there were 1000 devices in M1, the Slave S1 would also have 1000 devices.
Assume more devices are added to M1 after the Backup. S1 will have the up-to-date device list. However,
after restore on M1, M1 will have only 1000 devices. In other words, the data on S1 will be more recent
than the data on M1.
Suppose you take a backup from S1 and restore the backed up data, say S1b, on M2, which is the Master
in the DCR Domain 2 in our example.
After the restore, the end mode of M2 will be Slave. That is, M2 will become a Slave of M1. Also, S3,
and S4, which were Slaves of M2, will switch to the Standalone mode.
Suppose you take a back up from M1. After the backup you would be performing several operations that
would bring about changes in the Master and the corresponding Slaves; M1, S1, and S2 in our example.
Now, if you restore the backed up data M1b, on M1 itself. The Master M1 will have data that is older
than the data in the Slaves, S1, and S2. In other words, the Slaves will have more recent data than that
on the Master.
To avoid this, you must perform the Restore operation in the following sequence:
Step 1
Back up data from the slaves, S1 and S2.
Step 2
Back up data from the Master, M1.

This is to ensure that the data backed up from M1 is more recent than the data backed up from S1 and S2.
Step 3
Stop Daemon Manager on all three machines.
Step 4
Restore data on the Master, M1.
Step 5
Restart Daemon Manager on M1.
Step 6
Restore data on S1, and S2 after the Master is up and stable,
Step 7
Restart Daemon Manager on S1, and S2.
This ensures that Master has more recent data than the Slaves.
Note
To avoid disturbances to the Master- Slave relationship, and to maintain consistency, it is better to take
a back up of all machines at the same time.
Restoring Data From M1 to M2
Suppose you take a backup from M1, and restore the backed up data, say M1b, on M2.
S3, and S4 which were Slaves of M2, will switch to Standalone mode.

DCR Master-Slave setup requires you to perform certain tasks prior to Master-Slave configuration, to
enable proper, and secure communication between them. This involves copying certificates, and setting
up a valid system identity user. For details, see Master-Slave Configuration Prerequisites.
3-26
OL-25947-01
Chapter 3

Backing Up Data
Restore operations can affect Master-Slave relationships because they may modify these pre-configured
parameters.
For example, let M1 be the Master, and S1 its Slave. Let X be a standalone server.
Suppose you take a backup from S1, and restore the backed up data, say S1b on X.
Now, X has to be in Slave mode.
Since, M1 and S1 already shared a Master-Slave relationship, M1 will have the peer certificate of S1,
and S1 will have the certificate of M1.
After the restore operation, X will get the certificate of M1. However, if peer certificate of X is not
present on M1, X will not be able to have M1 as its Master.
So you have to ensure that the certificates of the peer machines are in place, before you do a Restore.
Other Master-Slave configuration prerequisites such as System Identity user configuration and Peer
Server Account user configuration might get affected by Restore operations.
For example: In M1 you have Joe as a Peer Server User and in S1 you add Joe as a System Identity user.
You take a backup from S1.
After you take the backup, say you change the Peer Server User and System Identity User to Bob.
Now if you restore the backed up data, say S1b the system Identity User would not be Bob anymore. This
will upset the Master-Slave relationship.
During restore you are prompted to confirm whether you need to overwrite the SSL certificate.
SSL certificates are tied to individual machines. So if you take a backup on one machine and restore it
on another, you should be careful not to overwrite the SSL certificate.
However, if you backup data from a machine and restore it to the same machine, you may overwrite the
SSL certificate.
Effects of Backup-Restore on Groups

Backup-Restore operations have an implication on the way Groups will be displayed in the LMS. The
changes in Groups behavior is discussed in relation with the Device and Credential Repository (DCR)
mode changes explained in Effects of Backup-Restore on DCR.
If you perform a backup on machine A and restore the backed up data, say Ab, on the same machine, the
system-defined groups, and the user-defined groups created after the data backup will be removed.
The following scenarios helps you understand the implications of Restore operations on Groups.
The following scenarios have to be considered:
Restore data from a Standalone machine A to another Standalone machine B:

The provider group name will change accordingly. That is, the provider group CS @A will become
CS@B.

OL-25947-01
3-27
Chapter 3
Restore data from a Standalone machine A to a Master M:

The Master will switch to Standalone mode. The provider group name will be updated accordingly.
The Slave groups will be removed from the Master.
Only the groups pertaining to LMS and the applications installed in the Standalone machine will be
visible. All dependent Slaves of M will become Standalone.
Restore data from a Standalone machine A to a Slave S:

The Slave will switch to Standalone mode. The provider group name is updated accordingly. The
groups pertaining to other Slaves in the domain, and the Master of S, will be removed from S. The
groups UI will be enabled.
The subsequent sections are based on the scenarios discussed in the Effects of Backup-Restore on DCR.
No impact on CS groups.
There may be applications installed on S1. Say you create 10 groups in the Applications before you
backup data from S1. After backup, assume you create 10 more groups in the Applications. After restore,
the 10 groups you created after backup will not be present. This loss of newly added groups also
propagates to other Slaves in the domain.
After restore, both S1 and M1 will switch to Standalone mode. Both will have only those groups
pertaining to LMS installed on the individual machines. Groups UI is enabled on S1. Also, the other
Slaves of M1 will switch to Standalone mode.
After restore, M2 will become a Slave of M1. The Groups UI in M2 will be disabled. M2 will pickup all
the groups from M1. Groups in M2 will be propagated to other slaves in the domain. All the slaves of
M2 (before restore) will now switch to Standalone mode.
Slaves of M2, that is S3 and S4, will switch to Standalone mode. Groups pertaining to S3 and S4 will be
deleted from M2.
In all the cases the System-defined Groups, and the User-defined Groups, are carried over and updated
in the target machine.

From LMS 4.2.2, Cisco Prime LAN Management Solutions will support data migration to Cisco Prime
Infrastructure (PI) and the device data from LMS 4.2.x versions can be exported to PI 1.2.
The following two procedures will be used to export data from LMS to PI:
Exporting Device Credentials Repository (DCR) data from LMSUser can export the Device List
and Credentials to a CSV file that would be shown as a link. The data backup status and backup
location will be displayed at the bottom of the Export Data to Prime Infrastructure page.
3-28
OL-25947-01
Chapter 3

Exporting complete data of LMSThis option enables you to store data in an external server or
LMS server. The default backup location will be populated in the Backup location field at the bottom
of the Export Data to Prime Infrastructure page. If the user chooses storing data in external server,
the external server credentials namely Server IP or Host name, username, password and backup
location will be required.

You must register your software and obtain a product license before you start using an application. You
can obtain a product license and license your application, view details of your current software license,
or update to a new license from the Licensing page.
LMS will authenticate and perform the license check.
If your current license count is lower than your earlier license count, and you restore the data now,
devices that exceed the current licence count will be moved to Suspended state.
Obtaining a License for Cisco Prime LMS
Licensing the Application
Viewing License Information
Updating Licenses
Ordering LMS licenses
Obtaining a License for Cisco Prime LMS
To obtain a product license for your Cisco Prime applications, register your software at one of the
following websites. You will need to provide the Product Authorization Key (PAK), which is printed on
a label affixed to the Bundle sub-box.
If you are a registered user of Cisco.com, use this website:
http://www.cisco.com/go/license
If you are not a registered user of Cisco.com, use this website:
http://www.cisco.com/go/license/public
The product license will be sent to the e-mail address you provide during registration. Retain this license
with your Cisco Prime software records.
Licensing the Application
After you obtain the product license, perform these steps to license your software:
Step 1
Copy the new license file to the LMS Server, with read permission for casuser/casusers.
Step 2
Select Admin > System > License Management.

The License Information page appears. The License Information page displays the name, version, size,
status and expiration date of the license.
Step 3
Click Update.
Step 4
Enter the path to the new license file in the License field, or click Browse to locate the new file.
Step 5
Click OK.

OL-25947-01
3-29
Chapter 3
The system verifies whether the license file is valid, and updates the license. The updated licensing
information appears in the License Information page. Otherwise an error message is displayed.
To return to the License Information page, click Cancel.
Note
You must have Compliance and Audit Manager (CAAM) server license for accesing the CAAM features
in LMS 4.2. For more details, refer Compliane and Audit Manager (CAAM) Server License.
Viewing License Information
To view details of your current software license, select Admin > System > License Management to
open the License Information page.
The license name, license version, size (device limit for the licensed application), status of the license,
and the expiration date of the license appear under License Information.
The license version shows the major version of the application.
Updating Licenses
You can view details of your current software license, or update to a new license from the License page.
To update to a new license from the Licensing page:
Step 1
Select Admin > System > License Management.

The License Information page displays the license name, license version, status of the license, and the
expiration date of the license.
Step 2
Click Update.
Step 3
Enter the path to the new license file in the License field, or click Browse to locate the new file.
Step 4
Click OK.
The system verifies whether the license file is valid, and updates the license. The updated licensing
information appears in the License Information page. Otherwise, an error message is displayed.
To return to the License Information page, click Cancel.
Ordering LMS licenses
For availability, ordering, upgrade, and licensing options refer to www.cisco.com/go/lms

You must have CAAM server license for accessing the following CAAM features in LMS:
Compliance data collection
Compliance profile execution
Compliance Policy and groups
HIPAA Compliance Reports
SOX(COBIT) Compliance Reports
3-30
OL-25947-01
Chapter 3

ISO/IEC 27002 Compliance Reports
NSA Compliance Reports
PCI DSS Compliance Reports
Department of Homeland Security (DHS) Checklist Reports
Defense Information Systems Agency (DISA) Checklists
Center for Internet Security (CIS) Benchmarkss
The following Compliance and Audit Reports are supported only by LMS license and do not require
CAAM server license.
Service Reports
Lifecycle Management Reports
Vendor Advisory Reports

This SMTP server is used by default when you add or edit subscriptions for e-mail notifications or send
e-mail notifications from the Alerts and Activities display. LMS also provides a facility for specifying a
default SMTP server. Specifying a default server here will override the setting used by LMS.
Step 1
Select Admin > System > SMTP Default Server.
Step 2
Enter a fully qualified SMTP server name.
Step 3
Click Apply.

This feature helps you to get the required information about the server. The information about the server
includes system information, environment, configuration, logs, web server information, device and
credentials administration information, and grouping services information.
You can use the collected server information for troubleshooting.
For example, when you have chosen to collect the grouping services information about the server, the
following details will be collected and stored:
Status of LMS grouping server. The status values are Running, and Not Running.
List of groups created in the LMS grouping server.
Content of the registry and properties files associated with LMS.
Status of the grouping server installed on same Cisco Prime

Server. The status values are Running, and Not Running.
List of groups created in the LMS grouping server.
Content of the properties files associated with other applications.
Error encountered if the grouping servers are not running or if they are not reachable.

OL-25947-01
3-31
Chapter 3
You can look into this collected information to find out the errors with grouping servers and debug them.
You can also collect server information using CLI. See Collecting Server Information Using CLI
To collect the server information:
Step 1
Select Admin > System > Server Monitoring > Collect Server Information.
The Collect Server Information page appears.
Step 2
Click Create to collect the current server information.

The Collect Server Information popup dialog box appears with a list of options. The available options
are:
Step 3
System Information Displays the server type, operating system version, installation date of
operating system, and other system information.
Event Logs Displays the logs of events in the LMS Server.
Cisco Prime Registry Displays the registry entries of Cisco Prime components installed in the
server.
Tomcat Log Files Displays the log files corresponding to the application server.
Grouping Service Displays the information of grouping servers and the groups created in the
grouping server.
Application Registry Details Displays the information of applications registered with Cisco
Prime home page.
Device Credentials Admin Information Displays the details of DCR mode, status of DCR Master,
number of devices in DCR and the contents of DCR configuration files.
ODBC Configuration Displays the information about the configuration of database connection
in the LMS Server.
Product Log Files Displays the contents of log files of all Cisco Prime components.
Environment Variables Displays the list of environmental variables set up in the LMS Server.
Process Status Displays the name of processes, current state of the process, process ID, start and
finish time of the process, and other information.
Network Configuration Displays information about the various configurations in a network.
Memory and Harddrive Status Displays details of free space and total space of memory and hard
disk drives in the LMS Server.
JRE Registry Displays information about the Java Runtime Environment registry files.
Select the check boxes corresponding to the options you need.

You can use the All check box to select or deselect all the available options.
By default all the check boxes are selected.
Step 4
Click OK.
The server information for the selected components is collected.
Collecting server information may take longer if more components are selected.
To return to the Collect Server Information page, click Cancel.
You can click Refresh in the Collect Server Information page to see the latest status.
3-32
OL-25947-01
Chapter 3

To view the collected information:

Step 1
Step 2
Click Server Information at the date time link to view the collected server information.
The popup window displays the server information collected.
Step 3
View server information by clicking the corresponding link in the Table of Contents.
To delete the collected server information:

Step 1
Select Admin > System > Server Monitoring > Collect Server Information
Step 2
Select the corresponding check box of the server information you want to delete.
Step 3
Click Delete.
Collecting Server Information Using CLI
You can also collect server information using CLI.

Enter the following command:
NMSROOT\bin\perl NMSROOT\bin\collect.info (on Windows)
or
NMSROOT/bin/perl NMSROOT/bin/collect.info (on Solaris/Soft Appliance)
where NMSROOT is the directory where you installed Cisco Prime.

You can view self test reports using this option. Self test feature helps to test certain basic functions of
the server.
Execute the following steps to receive the system generated self test report to your Email ID.
Step 1
Go to Admin > System > Server Monitoring > Selftest.
Step 2
Select the E-mail text box and enter your Email ID.
Step 3
Click Save.
The system generated self test report will be sent to the specified Email ID.
Execute the following steps to create a self test report.

Step 1
Select Admin > System > Server Monitoring > Selftest.

OL-25947-01
3-33
Chapter 3
Step 2
Click Create to perform a selftest and to view the report.
Step 3
Click the Selftest Information at date time link.

A popup window displays the selftest information report.
To delete a Selftest Information report, select the checkbox and click Delete.
In LMS 4.2, the selftest report provides the following Hardware Parameters details:
Memory availability
Swap
CPU
DSN
Backup status
Number of MIB objects being polled
Maximum number of MIB objects that can be managed
Syslog database size
If the syslog database size exceeds 10 GB you need to purge the syslog records to reclaim space. Do the
following to purge syslog records and reclaim the database space:
Note
If you want to backup the syslogs, refer Setting the Syslog Backup Policy.
Step 1
Perform a forced purge of Syslog messages, refer Performing a Syslog Forced Purge.
Step 2
Open RMEDebugToolsReadme.txt from

NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\debugtools.
Step 3
Refer Syslog DBSpaceReclaimer Tool section in the RMEDebugToolsReadme.txt file and execute the
perl script DBSpaceReclaimer.pl.
Note
The perl script will reclaim the space occupied by SyslogFirst.db, SyslogSecond.db and
SyslogThird.db files present in the server. The amount of space reclaimed will depend on the
purge criteria that you specify. The most effective way to reclaim the space is to purge the
records older than 1 day.

You can use the Notify User feature in LMS to broadcast messages to online users.
You can post messages to users with active Cisco Prime browsers. By default, the messages will be
received within 60 seconds. You can also change this polling interval.
To send a broadcast message:
3-34
OL-25947-01
Chapter 3

Managing Resources
Step 1
Select Admin > System > User Management > Notify Users.
The Notify Users page lists all the users currently logged in.
Step 2
Enter the message in the Message field and click Send.

The Status field displays the status of the message.
Note
If you are using Microsoft Internet Explorer, make sure your browser is set to check for updates on every
visit to the page.
Managing Resources
LMS provides a Resource Browser for managing resources. You can free locked resources, when
necessary, if you have appropriate privileges. All users (including those with Help Desk role alone) can
access the Resource browser page. The Refresh icon in the Resource browser is available for all users.
Note
The System Identity user must configure all the Resource management related tasks. The Browse
Resources and Free Resources tasks should be enabled.
To view Resource details:
Step 1
Select Admin > Network > Resource Browser.

The Resource Browser page displays the following details:
Item
Description
Resource
Name of the resource currently locked.
Job ID / Owner
Number assigned to this task at creation time. Identifies all related locked
resources, and user who locked the resource.
Time Locked
Time this lock was established.
Expire Time
Lock expiration time.
To free locked resources:

Step 1
Select Admin > Network > Resource Browser.

The Resource Browser page appears.
Step 2
Check the check box corresponding to the Job ID.
Step 3
Click Free Resources.

All users (except those with Help Desk and Approver role) can perform the Free Resource operation in
the Resource browser.

OL-25947-01
3-35
Chapter 3
To view updated resources, click Refresh.

You can configure system-wide information on the LMS Server using the System Preferences option. It
is a way to centrally locate information that is used by Cisco Prime applications.
Field
Description
SMTP Server
System-wide name of the SMTP server used by Cisco Prime applications to

deliver reports. The default server name is localhost.
Administrator
E-mail ID
Cisco Prime Administrator e-mail ID.

This e-mail address is used as the From Address in all mails sent from LMS
Server.
There is no default e-mail ID.
Enable E-mail
Attachment
Allows you to enable e-mail attachments in the mails sent from LMS Server.
This option helps you to attach PDF or CSV reports with the e-mail after the
scheduled jobs have completed.
This option is disabled by default.
Maximum
Attachment Size
Maximum size of the e-mail attachments that are allowed to be sent from LMS
Server.
You can specify the attachment size in KB or MB.
RCP User
Name used by network device when it connects to LMS Server to run rcp.
User account must exist on UNIX systems, and should also be configured on
devices as local user in the ip rcmd configuration command. The default RCP
username is cwuser.
SCP User
Name used by network device when it connects to LMS Server to run SCP.
The username you have entered here is used for authorization while transferring
software images using SCP protocol.
You must specify a user name that has SSH authorization on a Solaris system.
SCP uses this authorization for transferring the software images.
This field is available only if Cisco Prime LMS applications are installed on the
LMS Server.
SCP Password
Enter the password for SCP User in this field.

The password you have entered here is used for authentication while
transferring software images using SCP protocol.
You must specify a user name that has SSH authentication on a Solaris system.
SCP uses this authentication for transferring the software images.
LMS Server.
3-36
OL-25947-01
Chapter 3

RCP User
Name used by network device when it connects to LMS Server to run rcp.
User account must exist on UNIX systems, and should also be configured on
devices as local user in the ip rcmd configuration command. The default RCP
username is cwuser.
SCP User
Name used by network device when it connects to LMS Server to run SCP.
The username you have entered here is used for authorization while transferring
software images using SCP protocol.
You must specify a user name that has SSH authorization on a Solaris system.
SCP uses this authorization for transferring the software images.
LMS Server.
SCP Password
Enter the password for SCP User in this field.

The password you have entered here is used for authentication while
transferring software images using SCP protocol.
You must specify a user name that has SSH authentication on a Solaris system.
SCP uses this authentication for transferring the software images.
LMS Server.
To edit system preferences:

Step 1
Select Admin > System > System Preferences.

OL-25947-01
3-37
Chapter 3
The System Preferences page appears.

Step 2
Caution
Enter the following information:
SMTP Server
Administrator E-mail ID
Maximum Attachment Size
RCP User
Set this information carefully. If you introduce errors, users may not be able to log in.
Step 3
Check the Enable crmlogger DNS Resolution check box to enable the Domain Name Service Resolution
for the crmlog service, on a Windows system.
Step 4
Enter the following fields, which are available only if Cisco Prime LMS applications are installed on the
LMS Server:
Step 5
SCP User
SCP Password
SCP Verify Password
Click Apply after making the changes. To cancel the changes, click Cancel.

Log files can expand and fill up disk space. Log files rotation helps you manage the log files more
efficiently. See Maintaining Log Files for an overview of maintaining the log files in LMS Server.
Logrot is a log rotation program that enables you to control the size growth of the log files. It helps you
to:
Rotate log files while Cisco Prime is running.
Optionally archive and compress rotated logs.
Rotate log files only when they have reached a particular size.
Logrot helps you easily add new files. You can configure Logrot either from the UI or from the CLI.
The following log files are maintained by the log rotation program:
Daemon Manager
Web server log files
Configuring Log Files Rotation Settings From the User Interface
Configuring Log Files For Rotation From the User Interface
Scheduling Log Files Rotation
Configuring Logrot Utility
Running Logrot Script
Viewing the Scheduled Logrot Job
3-38
OL-25947-01
Chapter 3

Configuring Log Files Rotation Settings From the User Interface
To configure log files rotation from the user interface:

Step 1
Select Admin > System > Log Rotation.

The Log Rotation page appears.
Step 2
Set your backup directory in the Backup Directory field.

This backup directory stores the rotated log files.
You can also use the Browse button to select a directory from the file browser. The default directory is:
NMSROOT\log on Windows systems
/var/adm/CSCOpx/log on Solaris/Soft Appliance systems
If you do not set a backup directory, each log file will be rotated in its current directory.
Step 3
Select Restart Daemon Manager check box to stop and start the Daemon Manager before the log
rotation starts. This is optional.
Configuring Log Files For Rotation From the User Interface
To add the log files for rotation:

Step 1

Step 2
Click Add to add the log files you wish to rotate.

The Configure Logrot page appears.
Step 3
Enter the name of the log file in the Select Log File field.
You can enter only one log file at a time.
You should specify log file using its fully-qualified path. If the log files do not exist in the path you have
specified, this will not be considered for rotation.
You can also click Browse to select a log file name from the file system.
Step 4
Enter the maximum file size in the Maximum Logrot Size field.
The log file will not be rotated until this size is reached.
You can enter the file size in KB or MB. The default file size is 1024 KB. The maximum file size for log
rotation is 4096 MB.
Step 5
Select a file compression type from Compression Format.

The supported formats are:
Step 6
ZUNIX compression (on Solaris/Soft Appliance only)
gzGNU gzip
bz2bzip2 (on Solaris/Soft Appliance only)
Specify the number of backups in the No of Backups field.

If you do not want to keep any archives, enter 0 (the default) for this option.
Step 7

OL-25947-01
3-39
Chapter 3
To return to the Log Rotation page, click Cancel.
To edit the log files that you have configured for rotation:
Step 1

Step 2
Select a record from the list of log files displayed.
Step 3
Click Edit.
The Edit Logrot page appears.
Step 4
Edit the name of the log file. The rotated log files will be stored with the new name you have edited.
Step 5
Edit the log file size, compression type or number of archive revisions.
Step 6

To return to the Log Rotation page, click Cancel.
Scheduling Log Files Rotation
To schedule log files rotation:

Step 1

Step 2
Click Schedule.
The Schedule Logrot appears.
Step 3
Select a value in the Hour and Min drop-down lists to specify the time at which the log rotation should
start.
You should specify the time in 24-hour format.
Step 4
Select a periodic or immediate backup schedule in the Frequency field.

The available schedule frequencies are:
Step 5
ImmediateLog rotation job runs immediately.
DailyLog rotation job runs every day at the time specified.
WeeklyLog rotation job runs once a week on the day and time specified. Select a day from the
Day of Week list.
MonthlyLog rotation job runs once a month on the day and time specified. Select a day from the
Day of Month list.

You can remove a schedule at any time. Click Remove to delete the scheduled job. The Remove button
is enabled only if you have scheduled a log rotation. To return to the Log Rotation page, click Cancel.
Configuring Logrot Utility
Logrot should be installed on the same machine where you have installed LMS.
3-40
OL-25947-01
Chapter 3

To configure the Logrot script:

Step 1
Enter:
NMSROOT\bin\perl.exe NMSROOT\bin\logrot.pl -c (on Windows)
Run /opt/CSCOpx/bin/logrot.pl -c (on Solaris/Soft Appliance)
The Logrot configuration menu appears. You have the following options:
Step 2
Edit variables.
Edit log files.
Quit and save changes.
Quit without saving change.
Select Edit variables to set your Backup Directory.

If you do not set a backup directory, each log will be rotated in its current directory.
Step 3
Select Edit log files to add log files you wish Logrot to rotate.
You can specify log files using fully-qualified or relative paths. If a relative path is specified, and the log
file does not exist in that path, the default log file path for your operating system will be added during
rotation (for example, /var/adm/CSCOpx/log on Solaris/Soft Appliance).
Step 4
Specify the number of archive revisions. If you do not want to keep any archives, enter 0 (the default)
for this option.
Step 5
Specify the maximum file size. The log will not be rotated until this size is reached. The unit is in
kilobytes (KB). The default is 1024 KB or 1 MB.
Step 6
Specify the file compression type to be used. It can be:
ZUNIX compression (on Solaris/Soft Appliance only)
gzGNU gzip
bz2bzip2 (on Solaris/Soft Appliance only)
When deleting logfiles, you can choose to delete an individual file, a list of files, or all files matching a
certain pattern.
For example, 1-3 means delete files numbered 1 through 3. a list of comma-separated file numbers, for
example, 1,21, means delete files numbered 1 and 21. A pattern string *.log means delete all files that
match the pattern *.log.
You can also specify the special pattern, *, which means delete all logfiles in the configuration.
Running Logrot Script
To run the Logrot Script enter:
On Windows:
Enter NMSROOT\bin\perl NMSROOT\bin\logrot.pl
Run /opt/CSCOpx/bin/logrot.pl
You can schedule log rotation so that the utility works on a specified time and day.
The following command line flags are accepted:

OL-25947-01
3-41
Chapter 3
Caution
-v
option to get verbose messages.
-s
option shuts down dmgtd before rotating logs.
The Restart Delay variable controls the waiting duration (in seconds) before proceeding, after dmgtd is
shutdown. This option is only used if the -s argument is given to logrot. The default delay is 60 seconds.
-c
option reruns the configuration tool.
-h
option displays the help.
The following wrapLogrot permissions should be checked for proper working of LogRotation.
For Solaris:
bash-3.00# ls -l /opt/CSCOpx/bin/wrapLogrot
-r-sr-x--- 1 root
casusers
6852 Oct 1 19:08
/opt/CSCOpx/bin/wrapLogrot
For Virtual Appliance:
[root@HOSTNAME bin]# ls -l wrapLogrot
-r-sr-s--- 1 root casusers 7430 Sep 26 16:00 wrapLogrot
Viewing the Scheduled Logrot Job
You can view the scheduled jobs log file to troubleshoot the logrot utility.
To look at the scheduled logrot job:
On Windows, use the command: crontab.cmd
On Solaris, use the command:

crontab -l <UserName>
Example:
To view the job scheduled to run as root user, use the command:
crontab -l root
To view the job scheduled to run as casuser, use the command:

crontab -l casuser
On Soft Appliance, use the command:

crontab -lu <UserName>
Example:
To view the job scheduled to run as root user, use the command:
crontab -lu root
To view the job scheduled to run as casuser, use the command:

crontab -lu casuser
3-42
OL-25947-01
Chapter 3


DiskWatcher is a back-end process that monitors disk space availability on LMS Server. This process
calculates the disk space information of a drive (on Windows) or a file system (on Solaris/Soft
Appliance) where Cisco Prime applications, are installed, and stores them in diskWatcher.log file.
Disk space information is calculated for the following directories on LMS Server:
Cisco Prime Installation directory (on both platforms)
/var directory (on Solaris/Soft Appliance platform only)
/tmp directory (on Solaris/Soft Appliance platform only)
The process calculates the disk space availability of the LMS Server directories at a regular interval of
approximately one hour.
In Solaris machines, the disk spaces of /opt file system is calculated in the first 30 minutes of every one
hour time. The disk spaces of /var file system and /tmp file system are calculated in the next 15 minutes
and in the last 15 minutes of an approximate one hour time interval.
This process also alerts you when the disk space is less than the threshold level you have configured in
the User Interface. Alerts are sent as urgent messages to logged in users. You can also receive the alert
messages through e-mail if you have configured your e-mail ID along with threshold level.
This process records the alert information in the system log files. The alert information is recorded in
diskWatcher.log and syslog.log files in Windows machines. They are stored in diskWatcher.log and
daemons.log files in Solaris machines.
To configure the disk space threshold limit:
Step 1
Select Admin > System > Server Monitoring > DiskWatcher Configuration.
The DiskWatcher Configuration page appears.
Step 2
Enter a threshold value in the Threshold for Cisco Prime Installation Directory field to monitor the disk
space in the Cisco Prime Installation directory. This is mandatory.
You should enter the threshold value in units of MB or GB.
Step 3
Enter a threshold value in the Threshold for /var and /tmp Directories field to monitor the disk space in
Solaris file systems. This is mandatory.
You should enter the threshold value in units of MB or GB.
Note
Step 4
This field is available only on Solaris systems.
Enter a valid e-mail in the E-mail ID field.

You can enter multiple e-mail addresses separated by commas.
The system uses the e-mail addresses to notify about the disk space availability when the disk space is
less than the threshold limit you have configured.
There may be a problem in sending e-mails if you have enabled virus scanner in the LMS Server.
Step 5
Click Apply to save the changes or click Cancel to reset the values.

OL-25947-01
3-43
Chapter 3

Sometimes, the LMS database fails to run and throws the following Sybase Assertion error message:
*** ERROR *** Assertion failed: 100909 (9.0.0.1383).
100909 is the Assertion ID.
The following are the scenarios where Assertion Error might appear:
If you use any third-party backup software to back up a live, running database, the Assertion Error
might be thrown.
This is because some of the database pages that have been modified will be in the database server
cache, so the database file will be in an inconsistent state.
If you use any anti-virus software.

The reason is, Adaptive Server Anywhere performs many reads and writes other than the normal I/O
operations, which contribute to the good performance of Adaptive Server Anywhere. However,
anti-virus software might detect this as a potential problem and quarantine the file.
This becomes hazardous if the .log or temporary files are quarantined, and it may cause corruption
by interfering with the normal functions of the database. Poor performance can also occur if the
anti-virus software is checking all I/O operations performed by the database server.
We recommend that you do not use third-party backup software for backing up a running database.
We also recommend that you configure your anti-virus software so that it must not scan the
NMSROOT/databases directory.
NMSROOT is the directory where you have installed Cisco Prime.
Configuring TFTP
This applies only to Solaris.
The TFTP (Trivial File Transfer Protocol) daemon shipped by Cisco Prime LMS supports TCP
(Transmission Control Protocol) Wrappers.
If the TCP Wrapper support is not configured properly in the server where Cisco Prime is installed, the
jobs requiring TFTP may fail.
To ensure that TFTP works properly, check the following configuration files:
Note
If /etc/hosts.allow file is present, ensure that the command in.tftpd is given as in.tftpd:ALL If the
command is not there in the file at all, add it as in.tftpd:ALL
If /etc/hosts.deny file is present, ensure that the command in.tftpd is not there in the file
If both the files are not present (/etc/hosts.allow and /etc/hosts.deny), you do not need to make any
changes
The TCP Wrapper software extends the abilities of inetd to provide support for every server daemon
under its control. It provides logging support, returns messages to connections, and permits a daemon to
accept only internal connections.
3-44
OL-25947-01
Chapter 3

Displaying LMS Server Name With Browser Title
Displaying LMS Server name with browser title helps you to identify the server from which the
application window is launched especially in a multi-server setup and Single Sign-On based setup.
You can enable or disable the option of displaying the LMS Server name along with the browser title.
When you choose to display the server name in the browser title, the browser window displays the title
in the following format:
Hostname - ApplicationWindowTitle
where,
Hostname is the name of the LMS Server
ApplicationWindowTitle is the title of application window launched from LMS Server.
Note
By default, the option of displaying the LMS Server name with the application window title in the
browser is enabled.
For example, if the name of your LMS Server is lmsdocultra, then the title of the Cisco Prime home
page is displayed as lmsdocultra - CiscoPrime.
If you launch LMS from the Cisco Prime LMS, the title of the LMS window is displayed as lmsdocultra
- LMS Home.
You can also enable or disable the display of server name with the browser title by changing the
configurations in a properties file.
Configure the uii-windows.properties file located at NMSROOT/lib/classpath to:
Enable or disable the option of displaying server name with browser title.
Change the format of display from Hostname - ApplicationWindowTitle to

ApplicationWindowTitle - Hostname and vice versa.
Replace hyphen (-) with any other delimiter except empty spaces.
Trim the spaces between the Hostname, delimiter and Application window title.

The Cisco Network Analysis Module Traffic Analyzer (NAM) offers flow-based traffic analysis of
applications, hosts, and conversations, performance-based measurements on application, server, and
network latency, quality of experience metrics for network-based services such as voice over IP (VoIP)
and video. Only NAM 4.1 is supported in LMS 4.2. The Cisco Prime Integration Application Settings
page allows you to configure NAM.
To add, edit, or delete the NAM configuration details:
Step 1
Select Admin > Cisco Prime Integration > Application Settings. The Application Settings page
appears.
Step 2
You can do the following:
Add
Click Add. The Server Configuration page appears.
Select NAM from the drop-down list.

OL-25947-01
3-45
Chapter 3
Enter the IP Address in the NAM IP field.

Enter the user name and password in the corresponding fields.
Enter the SNMP read community.
Select either HTTP or HTTPS as the protocol.
Enter the port number.
Click Add to add the new NAM configuration details or Cancel to return to the NAM
Configuration page.
Edit
Select a configuration detail that has to be edited.
Click Edit. The Edit NAM Configuration page appears.
Enter the IP Address in the NAM IP field.
Enter the user name and password in the corresponding fields.
Enter the SNMP read community.
Select either HTTP or HTTPS as the protocol.
Enter the port number.
Click Edit to save the changes or Cancel to return to the NAM Configuration page.
Delete
Select a configuration detail that has to be deleted.
Click Delete. A confirmation dialog box appears.
Click OK to confirm or Cancel to return to the NAM Configuration page.
Filter
In the Filter By field, select the filter criteria e.g. ApplicationName from the drop-down list.
In the Matches text box, enter the matching details e.g. NAM.
Click Go, to execute the selected filter condition.
Click Clear Filter, to clear the filter condition.
3-46
OL-25947-01
CH A P T E R
Administering Discovery Settings and Device

and Credential Repository
You can configure discovery settings, and perform some administrative tasks in DCR.
This chapter contains:
Configuring Device Selector
Administering Device and Credential Repository
For details on configuring discovery logging, see Configuring Discovery Logging.

You can schedule one or more Device Discovery jobs. The optimum Device Discovery schedule depends
on the size of network and changes in the network.
Before you schedule a Device Discovery job, read the following:
Only one Device Discovery job can run at a time.
Ensure jobs, other than Device Discovery, are not scheduled parallely along with the Device
Discovery jobs. If any other jobs are scheduled parallely, Device Discovery job will take more than
5 min to complete.
When you schedule Device Discovery jobs, ensure that the schedule time does not overlap each
other. Otherwise, one of the Device Discovery jobs may fail.
You should configure the Device Discovery settings before you schedule a Device Discovery job.
Otherwise, the system displays an error message when you try add a schedule. However, you can
edit the Device Discovery settings for the scheduled job later.
From the Discovery Schedule page, you can:
Add a Device Discovery schedule. See Adding Device Discovery Schedule for details.
Modify a Device Discovery schedule. See Editing Device Discovery Schedule for details.
Delete a Device Discovery schedule. See Deleting Device Discovery Schedule for details.
Navigate to LMS Job Browser page. See Viewing the Status of Device Discovery Schedules for
details.
Start device discovery. See Starting Device Discovery for details.

OL-25947-01
4-1
Chapter 4
Maintain multiple Device Discovery Settings for multiple schedules. See Maintaining Multiple
Discovery Settings for Multiple Scheduled Jobs for details.
View the Discovery Settings configured for the selected Device Discovery Schedule. See Viewing
Discovery Settings for Selected Discovery Schedule for details.
Edit the Discovery Settings for the selected Device Discovery Schedule. See Viewing Discovery
Settings for Selected Discovery Schedule for details.
Adding Device Discovery Schedule
To add a Device Discovery schedule:

Step 1
Select Admin > Network > Discovery Settings > Schedule.

The Discovery Schedule page appears.
Step 2
Click Add.
The Add Discovery Schedule popup window appears.
The Device Discovery schedules are dependent of Device Discovery Settings. You cannot click the Add
button if you have not configured Device Discovery Settings.
The Add button is disabled on a fresh installation of LMS in LMS Server.
Step 3
Select a value in the Hour and Min drop-down lists to specify the time when the Device Discovery should
start.
You should specify the time in 24-hour format.
Step 4
Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern
field.
Step 5
Enter a description in the Job Description field. This is optional.

You cannot edit the description entered in this field later.
Note
Step 6
The job description should not contain special characters like , and #.
Click Schedule.
The Device Discovery schedule is created and assigned with a job ID. Email notification is sent to the
email address you have configured in the Discovery Settings wizard.
Editing Device Discovery Schedule
To edit a Device Discovery schedule:

Step 1

Step 2
Select a Device Discovery schedule from the list.
Step 3
Click Edit.
The Edit Discovery Schedule popup window appears.
Step 4
Edit the values in the Hour and Min drop-down list, if required.
4-2
OL-25947-01
Chapter 4

Step 5
Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern
field.
Step 6
Click Schedule to save the changes.
Deleting Device Discovery Schedule
To delete a Device Discovery schedule:

Step 1

Step 2
Select a Device Discovery schedule from the list.
Step 3
Click Delete.
The Delete Confirmation dialog box appears.
Step 4
Click OK.
The selected Device Discovery schedule is deleted from the list of schedules.
Caution
Before you remove a Device Discovery schedule, ensure it is completed. Otherwise, if the
Device Discovery job is running, deleting the schedule will stop the job first and then will
remove it.
Starting Device Discovery
To start immediate discovery for scheduled job:

Step 1

Step 2
Select a job from the list.
Step 3
Click Start Discovery. A popup window appears with the information on the immediate jobID.
The Start Discovery button will be disabled before setting any jobs or if a discovery is already running.
Step 4
Click OK. The Device Discovery summary screen appears.

You can view the status of the job in Job Browser page (Admin > Jobs > Browser).
Viewing the Status of Device Discovery Schedules
You can navigate to LMS Job Browser page from the Discovery Schedule page to view the latest status
of Device Discovery jobs.
To do so:
Step 1


OL-25947-01
4-3
Chapter 4
Step 2
Click the link provided at the bottom of the page.

The Job Browser page displays the Device Discovery jobs.
Maintaining Multiple Discovery Settings for Multiple Scheduled Jobs
Before creating a scheduled job, you must configure the Device Discovery settings. You can edit the
settings for scheduled jobs later and maintain different settings for different jobs.
To view the existing Device Discovery settings for a selected job, see Viewing Discovery Settings for
Selected Discovery Schedule.
To edit the Device Discovery settings for a selected job, see Editing Discovery Settings for Selected
Discovery Schedule.
Viewing Discovery Settings for Selected Discovery Schedule
You can view the Discovery settings used to create the selected Discovery Schedule job.
To do so:
Step 1

Step 2
Select a Discovery schedule from the list.
Step 3
Click View Settings.

The View Discovery Settings dialog box appears.
Step 4
Click OK to return to the Discovery Schedule page after you have view the schedule.
Editing Discovery Settings for Selected Discovery Schedule
You can edit the Discovery Settings used to create the selected Discovery Schedule job.
To do so:
Step 1

Step 2
Select a Discovery schedule from the list.
Step 3
Click Edit Settings.

The Module Settings page of Discovery Settings wizard appears.
Step 4
Edit the required module settings and click Next. The Seed Devices Settings page appears.
Step 5
Edit the required seed devices settings and click Next. If you do not want to proceed further, click
Finish. The SNMP Settings page appears.
Step 6
Edit the SNMP settings and click Next. If you do not want to proceed further, click Finish.
The Filter Settings page appears.
Step 7
Edit the Filter settings and click Next. If you do not want to proceed further, click Finish.
The Global Settings page appears.
Step 8
Edit the Global settings and click Next. If you do not want to proceed further, click Finish.
4-4
OL-25947-01
Chapter 4

The Discovery Settings Summary page appears.

Step 9
Click Finish to return to Discovery Schedule page.

The improved Device Selector allows you to search the devices in DCR. It helps to locate the devices
and perform the various device management tasks quickly. With this improved Device Selector, you need
not remember the device type or application group hierarchy to locate the devices.
The devices are categorized under Device Type based groups, User Defined groups, Subnet Based
groups, or under All Groups.
You can define the settings of the Device Selector pane to customize the display of devices and the order
of display. You can customize the top level groups, sub-groups and the list of devices displayed under
each group using the Group Customization option.
The Group Ordering option allows you to specify the order of display in which the groups are seen in
the Device Selector pane. See Device Selector Settings for more information.
The Device Selector Settings are specific to each user. You can search for devices using a Simple search
or an Advanced search. See Searching Devices for more information.
Tool tips are also provided for devices that contain long names so that you do not have to scroll
horizontally to see the complete device name.
The Device Selector is used to select devices to perform various device management tasks. The device
selector lists all devices in a group. The Device Name of the devices added in DCR is displayed in the
Device Selector pane.
The Device Selector contains the following components:
Component Name
Description
Search Input
Enter your search expression in this text field.

You can enter a single device name or multiple device names in this field.
You can enter the following as search inputs for searching multiple devices:
Comma separated list of full device names
Device names with wildcard characters, (?) and (*), to search for
multiple devices matching the text string entered in this input field.
The wildcard character ? matches a single character in a device name
and the wildcard character * matches multiple characters in a device
name.
Combination of comma separated list of device names, and device

names with wildcard characters.
See Performing Simple Search for more information.

Search
Use this icon to perform a Simple search of devices, after you have entered
your search input. See Performing Simple Search for more information.
Advanced Search
Use this icon to perform an Advanced search of devices. See Performing

Advanced Search for more information.

OL-25947-01
4-5
Chapter 4
Component Name
Description
All
This tab lists all the top-level device groups and the device names under
each group in a hierarchical format (tree view).
The top-level device groups include:
All Devices
Device Type Groups
Subnet Groups
User Defined Groups
See Understanding Device Groups for more information on types of device

groups.
Search Results
This tab displays all the Simple or Advanced search results and you can
select all devices, clear all devices, or select a few devices from the list.
The Simple search results are based on the device name of the devices
added to DCR. The Advanced search results are based on the grouping
attributes of the grouping services server.
Selection
This tab lists all the devices that you have selected in the All or Search
Results tab or through a combination of both. You can also use this tab to
deselect the devices you have already selected.
You can perform more than one search and can accumulate your selection
of devices.
The Device Selector displays the number of devices selected by you at the bottom. When you click the
link provided, it launches the Selection Tab.
Tool tips are also provided for devices that contain long names so that you do not have to scroll
horizontally to see the complete device name.
This section contains the following information:
Selecting Devices for Device Management Tasks
Searching Devices
Device Selector Settings
Selecting Devices for Device Management Tasks

You can select devices to perform various device management tasks such as editing device credentials
and viewing device credentials, using any of these methods:
Selecting Devices From All Tab
Selecting Devices From Search Results
Combination of Selection From All Tab and Search Results
Selecting Devices From All Tab
The All tab lists the top-level device groups and the device names under each group in a hierarchical
format (tree view).
4-6
OL-25947-01
Chapter 4

You can select the devices from the tree view. The Selection tab shows the flat list of selected devices
from the All tab.
You should expand the nodes of the top-level device groups and sub groups to see the list of devices
within a group and select the devices you want. We recommend that you do not expand all and leave all
the multiple group nodes open. This may affect the performance of the device selector.
Selecting Devices From Search Results
You can perform a Simple Search or an Advanced Search, and the search results are displayed under the
Search Results tab. You can select the devices you want from the Search Results tab. The Selection tab
and the All tab, display the devices you have selected from the Search Results tab.
Note
You can perform more than one search and can accumulate your selection of devices.
Combination of Selection From All Tab and Search Results
You can select the devices from the All tab and add more devices to the Selection list from the Simple
or Advanced search results in the Search Results tab.
The Selection tab displays the accumulated list from both All and Search Results tabs.
You can enter another search criteria and select more devices. The selected devices are accumulated in
the Selection tab.
Searching Devices
With the improved Device Selector, you can search for the devices by performing a Simple search or an
Advanced search. In both cases, you do not need to remember the name of the devices and the groups in
which the devices are grouped.
Note
The search string is not case sensitive in LMS.

Performing Simple Search
Performing Advanced Search
Performing Simple Search

You can enter your search criteria in the Search Input field and search for the devices using the Search
icon. The search results are based on the device name of the devices added in DCR.
Note the following points when you perform a Simple search.
You can enter a comma separated list of device names to search for multiple devices.
You can use the wildcard characters, * and ?, to search for multiple devices that match the text string
entered in this input field. Multiple wildcard characters are allowed in a search string.
You can use the combination of comma separated list of device names and wildcard characters in
the device names to search for multiple devices.
If you are not using the wildcard characters, make sure that you enter the full device name.
For example, when you enter device2?, *.cisco1,*device10* as search input, the system displays:

OL-25947-01
4-7
Chapter 4
Device names starting with device2 and with only one character after device2
Device names ending with .cisco1
Device names containing the text string device10
Performing Advanced Search

Use the Advanced Search icon to open the Advanced Search popup window and specify a set of rules for
performing an Advanced search. The advanced search is based on the grouping attributes of the
application's grouping server.
You can create a rule in the Advanced Search dialog box by either:
Using Expressions
or
Using Rule Text Fields
You can verify if the rule you have entered is correct using the Check Syntax button, and reset the rule
you have created using the Clear button.
Using Expressions
You can use expressions to form a rule in the Advanced Search Dialog box. Each rule expression
contains:
Device Type Object type used for forming a group. All expressions start with the string Device
Variables Device attributes used to form a device group. The list of variables for advanced search
are Category, DeviceIdentity, DisplayName, DomainName, HostName, ManagementIpAddress,
MDFId, Model, Series, SystemObjectID, and the user-defined data, if any.
The list of device attributes are different across Cisco Prime modules. The Advanced Search window
in the Device Selector of Cisco Prime applications displays the respective device attributes as
variables.
Operators Various operators to be used with the rule. The list of operators includes equals,
contains, startswith, and endswith. The list of operators changes dynamically with the value of the
variable selected.
For the ManagementIpAddress variable, you can select the range operator other than the standard
list of operators. The range operator enables you to search for devices of the specified range of IP
Addresses. SeeUsing IP Address Range to Form a Search Rule for more information.
Value Value of the variable. The value field changes dynamically with the value of the variable
and operator selected, and this may be a text field or a list box.
After you define the rule settings, click Add Expression to add the rule expression.
You can also enter multiple rule expressions using the logical operators. The logical operators include
OR, EXCLUDE and AND.
Using IP Address Range to Form a Search Rule
The range operator enables you to search the devices of the specified range of IP Addresses. You can
select the range operator only for the ManagementIpAddress and IP.Address variables.
You should enter the range of IP Addresses in the Value field, to create a search rule based on IP Address
ranges.
When you enter the IP Address range in the text field, you should:
4-8
OL-25947-01
Chapter 4

Specify the range with permissible values for one or more octets in the IP Address.
The minimum limit in the range is 0 and the maximum limit is 255.
Use the hyphen character (-) as a separator between the numbers within a range.
Specify the range of IP Addresses within the [ and ] characters to create a group rule.
For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field.
You should not:
Enter numbers lesser than 0 and greater than 255 in the IP Address range.
Enter any characters other than the range separator (-).
Enter the value of highest limit in the range as less than the value of smallest limit number. For
example, you should not enter 10.10.10.[8-4].
Example for forming a Search Rule Using Expressions
For example, if you want to search all the devices in the network whose device name contains
TestDevice or their IP Addresses within the range 10.10.210.207 to 10.10.212.247, you must perform
the following:
Step 1
Click the Advanced Search icon in the Device Selector pane.

The Define Advanced Search Rule dialog box appears.
Step 2
Step 3
Create a search rule expression. To do so:

a.
Select Variable as DisplayName
b.
Select Operator as equals
c.
Enter the Value as TestDevice
Click Add Rule Expression.

The rule is added into the Rule Text.
Step 4
Step 5
Create another rule expression. To do this:

a.
Select OR as the logical operator
b.
Select Variable as ManagementIPAddress/IP.Address
c.
Select Operator as range
d.
Enter the Value as 10.10.[210-212].[207-247]

The rule is appended into the Rule Text.
Step 6
Click Search to display the devices that satisfies the specified rule in the Device Selection dialog box.

OL-25947-01
4-9
Chapter 4
Using Rule Text Fields

You can use Rule Text Fields to directly enter a rule without building any expressions. Ensure the rule
you create follows the syntax Object type.Variable Operator Value.
You can also enter multiple rule expressions using the logical operators.
For example, if you want to search all the devices in the network whose device name contains
or their SysObjectIDs start with 1.3.12.1.4, you must construct a rule as follows:
TestDevice
Device.DisplayName contains "TestDevice" OR Device.SystemObjectID startswith

1.3.12.1.4"
Note
We recommend that you use expressions to construct a complex rule instead of creating them using the
Rule Text field. Use the Rule Text field to make any minor edits to the constructed rule.
Additional Notes
Read the following notes before you perform an advanced search:
You cannot use wildcard characters in the Value field. Instead you can use the operator as startswith
or contains.
You can use Check Syntax button, when you add or modify a rule manually.
You must delete the complete rule expression including the logical operator, when you delete a
portion of your rule.
The search string is case-insensitive.
Device Selector Settings

The devices are categorized under Device Type groups, User Defined groups, Subnet groups,
Application specific groups or under All groups.
You can define the settings of the Device Selector pane to customize the display of devices and the order
of display. These configurations are specific to each user and you can save them.
The devices are displayed in the appropriate category based on your roles and privileges. All the devices
will be listed to the administrator role.
This section has the following information:
Understanding Device Groups
Customizing Device Grouping
Customizing Display Order of Device Groups
Understanding Device Groups

The Device Selector pane displays the following top-level device groups:
All Devices
Device Type Groups
Subnet Groups
User Defined Groups
4-10
OL-25947-01
Chapter 4

All Devices
The All Devices Group displays all the devices in the application in the alphabetical order of their device
names. The device names are defined when you have added the devices in DCR.
Device Type Groups

The Device Type Groups displays all devices in groups and subgroups based on their Device Category,
Series and Model. By default, the device grouping is based on their Device Categories such as Routers,
Switches and Hubs.
The Device Category Groups folder can contain devices in subgroups based on their Device Series. For
example, the Device Category Group Router can contain devices (Routers) in subgroups Cisco 7000
Router Series and Cisco 12000 Router Series.
The Device Series subgroup can contain subgroups of devices based on their Model. For example, the
subgroup Cisco 12000 Router Series can contain the devices Cisco 12012 Router and Cisco 12816
Router.
See Customization of Device Type Groups for information on customizing the display of devices under
Device Type Groups.
Subnet Groups
You can see Subnet Groups, only when Topology and Identity Services functionality is enabled. You can
check the functionality settings at Admin > System Administration > Collection Settings >
Functionality Settings.
In a Multi Server setup, when two or more servers are installed with the Topology and Identity Services,
then the Subnet Groups from all the servers will be aggregated and displayed under the Subnet Groups
folder in the Device Selector pane.
See Customization of Subnet Groups for information on customizing the display of devices under this
group.
User Defined Groups

The User Defined Groups are created by users to administer the applications. The User Defined Groups
are created in Groups Administration window based on defined group rules.
All User Defined Groups (shared groups) from all application group hierarchies are collated and shown
as subgroups under this group. In a Multi Server Setup, the top level User Defined Groups will be named
as User Defined Groups@Server Name.
When there two or more User Defined Groups with the same name, the Device Selector displays all of
them. You have to use the Tooltip to find the source server where the User Defined Group is created.
Tip
We recommend you to provide unique and meaningful names to User Defined Groups when you create
them to avoid the display of multiple User Defined Groups with the same name.
See Customization of User Defined Groups for information on customizing the display of devices under
this group.

OL-25947-01
4-11
Chapter 4
Customizing Device Grouping

You can customize the device grouping and display the customized device groups in the Device Selector
pane. See Understanding Device Groups for more information on Device Groups.
You can use the Group Customization option to customize the display of device groups.
Customization of Device Type Groups
Customization of Subnet Groups
Customization of User Defined Groups
Customization of Device Type Groups

You can display or hide the Device Type Groups folder in the Device Selector pane using the Group
Customization option. You can customize the Device Type Based Groups folder to display:
All devices in groups, based on their Device Category only
All devices in groups and subgroups, based on their Device Category and Series
All devices in groups and subgroups, based on their Device Category, Series and Model
By default, the Device Type Group folder displays the devices in sub groups based on their category only.
To display the devices in groups based on their Device Category:
Step 1
Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2
Check the Show Category Groups check box from the Device Type Based Groups panel.
Step 3
Click Apply to save your changes or click Restore Defaults to restore the default values.
To display the devices in groups and subgroups based on their Device Category and Series:
Step 1
Step 2
Check the Show Series Groups check box from the Device Types Based Groups panel.
When you check the Show Series Groups check box, the Show Category Groups check box will also be
checked automatically and will be disabled.
Step 3
4-12
OL-25947-01
Chapter 4

To display the devices in groups and subgroups based on their Device Category, Series and Model:
Step 1
Step 2
Check the Show Model Groups check box from the Device Type Based Groups panel.
When you check the Show Model Groups check box, the Show Category Groups and Show Series
Groups check boxes will also be checked automatically and will be disabled to you.
Step 3
To hide the display of Device Type Based Folders from the Device Selector Pane:
Step 1
Step 2
Go to the Device Type Based Groups Panel and uncheck all the check boxes.
Step 3
Click Apply to save your changes.
Customization of Subnet Groups

The Subnet Groups contains device groups from the Topology and Identity Services. By default, the
Subnet Based Groups folder is not displayed in the Device Selector pane.
You can customize the Device Selector pane to display the Subnet Based Groups folder using the Group
Customization option.
To display the devices under Subnet Based groups in the Device Selector Pane:
Step 1
Step 2
Check the Show Subnet Groups at the First Level check box from the Subnet Based Groups Panel.
Step 3
Customization of User Defined Groups

You can customize the User Defined Groups folder in the Device Selector pane to contain the following:
Only User Defined Groups created by you in the local server
Only User Defined Groups created by you in all Peer Servers in a Multi Server setup
All User Defined Groups created by any user in the local server
All User Defined Groups created by any user in all Peer Servers in a Multi Server setup
By default, you can view all the User Defined Groups (irrespective of any user) created in the local server
in the Device Selector pane.

OL-25947-01
4-13
Chapter 4
To display only the User Defined Groups created by you:

Step 1
Step 2
Select My User Defined Groups from the Show drop down list box in the User Defined Groups panel.
Step 3
Select either:
Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups
created by you in the local server.
Or
All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined
Groups created by you in all the servers in a Multi-server setup.
In a Standalone Server Setup, the From drop down list box contains only Local LMS Server list item.
Step 4
Click Apply to save your preferences or click Restore Defaults to restore the default values.
To display all the User Defined Groups created by all users:

Step 1
Step 2
Select All User Defined Groups from the Show drop down list box in the in the User Defined Groups
panel.
Step 3
Select either:
Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups
in the local server.
Or
All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined
Groups in all the servers in a Multi-server setup.
In a Standalone Server Setup, the From drop down list box contains only Local LMS Server list item.
Step 4
Click Apply to save your preferences or click Restore Defaults to restore the default values.
Customizing Display Order of Device Groups

You can specify the order in which device groups appear in the Tree view on the Device Selector pane
using the Group Ordering option.
The Group Ordering setup is specific to each user and the changes will be reflected in the Device
Selector panes of all applications.
The default order of the groups displayed in the Device Selector pane is:
1.
All Devices
2.
Device Type Groups
3.
User Defined Groups
4-14
OL-25947-01
Chapter 4

4.
Subnet Groups
5.
Application Specific Groups
You can change the order and save the configurations.

To change the order of the device groups:
Step 1
Select Admin > Network > Display Settings > Group Ordering.
The Group Ordering page appears.
Step 2
Select a group from the list displayed.
Step 3
Click Up to move the device group up in the displayed order or click Down to move down.
Step 4
Click Apply to save the changes to your system or click Restore Defaults to restore the default settings.

The DCR Administration feature allows you to do the following tasks:
Changing DCR Mode
Configuring Device Polling
Configuring User Defined Fields
To perform these tasks, select Admin > Network > Device Credential Settings. The Admin page
appears with the current DCR Administration settings.
You can change the Mode Settings or modify User Defined fields.
Changing DCR Mode

To change Mode Settings:
Step 1
Select Admin > Network > Device Credential Settings > Mode Settings. The Mode Settings page
appears.
Step 2
Click Change Mode to change the current mode.

The DCR Mode dialog box appears. You can select the required mode from this dialog box.
This section contains information on:
Master-Slave Configuration Prerequisites
Changing the Mode to Standalone
Changing the Mode to Master
Changing the Mode to Slave

OL-25947-01
4-15
Chapter 4
Master-Slave Configuration Prerequisites
Before you set up the Master and Slave, you have to perform certain tasks to ensure that secure
communication takes place between the Master and Slave.
Tip
We recommend you to configure the Master and all its Slaves in the management domain with the same
version of LMS software. See Using DCR Features in a Master-Slave Setup section in the Inventory
Management Guide.
If machine M is to be the Master and S is to be the Slave:
Step 1
Add a Peer Server User and password in M

See Setting up Peer Server Account for details.
Step 2
Add a System Identity user and password in S. This should be same as the Peer Server User set up in M.
See Setting up System Identity Account for details.
Step 3
Copy the Self-Signed Certificate of S to M. Also, copy the Self-Signed Certificate of M to S.

See Creating Self Signed Certificates for details on creating Self-Signed Certificate and Setting up Peer
Server Certificate for details on copying Peer Certificate.
Step 4
Configure S as Slave and M as Master.
Changing the Mode to Standalone

Step 1
Select the Standalone radio button.
Step 2
Click Apply to change mode.

The default DCR mode is Standalone.
Changing the Mode to Master
Before you change the mode to Master, ensure that Master-Slave Configuration Prerequisites are in
place.
Step 1
Select the Master radio button.
Step 2
Click Apply to change mode.
Changing the Mode to Slave
Before you change the mode to Slave, ensure that Master-Slave Configuration Prerequisites are in place.
You need to perform the following tasks:
Step 1
Select the Slave radio button.
Step 2
Enter the hostname of the Master in the Master field.

This hostname should exactly match the Hostname field in the Self Signed Certificate of the Master.
4-16
OL-25947-01
Chapter 4

Step 3
Specify the SSL port of the master. Default is 443.
Step 4
Select Inform Current slave(s) of new Master Hostname only if you want to change the mode from
Master to Slave.
If you select this check box, all the slaves of the Master (whose mode you currently changed to Slave)
will be informed of the new master hostname. That is, they will become the slaves of the new Master.
Step 5
Select the Add new devices to Master check box to add the devices in Slave to the new Master.
If the devices are already available in the new Master, they will be discarded.
Step 6
Click Apply.
A warning message appears when the Master server has the earlier version of LMS.
Step 7
Click OK to change the mode to Slave.

To cancel the change of mode, click Cancel.
Note
You must restart the daemon manager after the mode change to Slave is complete.
Changing the Hostname of a Master
Changing the hostname of a Master is equivalent to pointing Slaves to a new Master.

When you point a Slave/Standalone to a new Master, DCR checks whether the new Master has the same
Domain ID as the current machine.
If Domain ID is the same, DCR displays an error message that Master cannot be configured since the
new Master has the same Domain ID.
In this case, you need to convert the Slave to Standalone, and then register the machine with the new
Master. When you re-register, the applications on Slave will clean up the device list.
When you change the host name of the current Master, you must change the Slave mode to Standalone,
and then re-register the machine as a Slave by providing the new Master hostname. However, when the
machine is re-configured as Slave, the applications will clean up the device list.
For example, if you have a Master M and Slave S, and if you change the hostname of M, you should
change the mode of S to standalone. Then, you have to configure S as the Slave of M. But when you
re-configure S as Slave, the applications on S will clean up their device lists.
Therefore, you have to be aware that while changing the hostname of a Master, application data is
cleaned up on all Slaves.

OL-25947-01
4-17
Chapter 4
Configuring Device Polling

In the earlier releases, there was no mechanism to detect the devices that were not reachable for a certain
time period and easily identify the devices to be deleted.
The Device Polling configuration feature overcomes this and helps you to:
Activate Device Polling to check whether the devices can be reached
Configure Device Polling policy
Schedule Device Polling
Display a list of devices that are not reachable for a certain period of time
Delete the selected unreachable devices from DCR
You should have the required privileges to configure Device Polling policy.
You should be a Network Administrator, or a System Administrator to perform this task in Local
Authentication mode.
You should have the following privileges to delete the devices:
Privileges to perform the Delete Devices task
Device level authorization
Configuring Device Polling Settings
Deleting Unreachable Devices from DCR
Configuring Device Polling Settings

You can configure a Device Polling policy and schedule a Device Polling job to check whether the
devices can be reached.
Read the following notes before you configure Device Polling settings:
You can use any one or more of the following protocols to poll devices:
ICMP (Ping)
SNMPv3
SNMPv2c/SNMPv1
When you select all protocols, the devices in the network are polled using ICMP (Ping) first
followed by SNMPv3, and later by SNMPv2c/SNMPv1.
When you select SNMPv2c/SNMPv1 protocol, SNMPv2c is used first to poll the devices. SNMPv1
is used to poll the devices only if the SNMPv2c protocol has failed to query the device.
If you use more than one protocol for polling and if a device is reachable using the first protocol,
the other protocols will not be used.
You can configure only one job at a time to detect unreachable devices. You can modify the schedule
later at any point of time.
You cannot schedule an immediate Device Polling job.
In a Master-Slave setup, you can configure Device Polling settings and run the Device Polling job
only from Master server.
4-18
OL-25947-01
Chapter 4

To configure a Device Polling policy:

Step 1
Select Admin > Network > Timeout and Retry Settings > Device Poll Settings.
The Device Poll Settings page appears.
Step 2
Select the Activate Device Polling to Check Reachability check box to enable Device Polling.
Device Polling is not enabled by default. You must select this check box to activate Device Polling.
Step 3
Configure a Polling Policy. To do so:

a.
Enable one or all of the check boxes in the Poll Policy panel to select the protocols to be used for
polling:
ICMP (Ping)
SNMPv3
SNMPv2c/SNMPv1
You must select at least one protocol to activate Device Polling.

b.
Enter the timeout value for the selected protocols in the appropriate Timeout fields.
The timeout denotes the time period after which the ICMP or SNMP query of devices times out.
You must enter the timeout value in milliseconds. The minimum timeout value is 1000 milliseconds
and the maximum value is 20000 milliseconds.
Default value is 1000 milliseconds.
You cannot leave this field blank.
c.
Enter the value of retries for the selected protocols in the appropriate Retries fields.
The retry denotes the number of attempts made to query the device.
You can specify any value between 0 to 8 as number of retries. The default number of retry is 1 for
both ICMP and SNMP protocols.
You cannot leave this field blank.
d.
Enter the number of instances in Notify when devices not reachable for, to receive notifications
when the devices are not reachable for a specific time period.
This is mandatory.
For example, if you enter the number of instances as 2 and the Device Polling job frequency as Daily,
you will receive notifications of devices that are not reachable for two days or more than 2 days.
If you enter the number of instances as 3 and the Device Polling job frequency as 6 hours, you will
receive notifications of devices not reachable for last 18 hours or more than 18 hours.
See Step 4 for details on the job frequencies available.
Step 4
Schedule the Device Polling task. To do this:

a.
Select a job frequency from the Run Type drop-down list.

You can schedule only periodic Device Polling. The scheduling can be 6 -Hourly, 12 -Hourly, Daily,
Weekly, or Monthly.
b.
Enter a date in the Date field or select a date from the date picker to start the scheduled job.
The current date on the client system is displayed in the Date field by default.
You can edit the schedule at a later point of time. See Step 5 for details.
If you do not want to edit the schedule, go to Step 7.

OL-25947-01
4-19
Chapter 4
Step 5
Select the Change Schedule check box if you want to edit the schedule information (Run Type and
Starting Date).
This field does not appear after a fresh or upgrade installation of LMS or if a Device Polling job has not
been scheduled earlier.
If you opt to change the schedule, the existing job schedule is deleted from Job and Resource Manager
(JRM) and a job is scheduled. The device reachability status is also reset.
A warning message appears if you select this check box.
Step 6
Click OK.
Step 7
Enter the Job information. To do this:

a.
Select the Report Attachment field if you want to receive the report through e-mail.
b.
Select the Attachment Option as either PDF or CSV.
c.
Enter a brief description about the Device Polling job in the Job Description field.
d.
Enter your e-mail ID in the E-mail field to receive notifications about the status of the Device
Polling job.
Entering an e-mail ID is mandatory when you have selected the Report Attachment field.
Step 8
Click Apply for the Device Polling settings to take effect.

The Device Polling schedule is created and assigned with a job ID.
Notification is sent to the e-mail address you have configured in the Device Polling Settings page.
Deleting Unreachable Devices from DCR

The possible reasons for device unreachability are:
Connectivity protocols such as SNMP or ICMP may be disabled on the device.
Incorrect credentials may be configured for the device.
Invalid timeout and retries may have been configured on the device.
To delete unreachable devices from DCR, select Reports > Inventory > Management Status >
Unreachable Devices.
Configuring User Defined Fields

The User Defined Fields (UDFs) are used to store the additional information about a device. DCR
supports a maximum of ten UDFs.
By default, the user interface provides four UDFs:
user_defined_field_0
4-20
OL-25947-01
Chapter 4

You can add six more UDFs through the user interface. You can rename or delete all the UDFs including
the four default UDFs provided by the user interface.
Adding User Defined Fields
Renaming User Defined Fields
Deleting User Defined Fields
Adding User Defined Fields

To add a User Defined Field (UDF):
Step 1
Select Admin > Network Administration > Device Credential Repository Settings > User Defined
Fields.
The User Defined Fields page appears with the current settings.
Step 2
Click Add to add a UDF.
Step 3
Enter the field label and description in the corresponding fields.
Step 4
Click Apply to apply the changes. To return to the User Defined Fields page, click Cancel.
Renaming User Defined Fields

To rename a UDF:
Step 1
Select Admin > Network > Device Credential Settings > User Defined Fields.
The User Defined Fields dialog box appears.
Step 2
Select the radio button corresponding to the UDF you want to rename.
Step 3
Click Rename.
The User Defined Field dialog box opens in a new window.
Step 4
Enter the UDF label and description in the corresponding fields.
Step 5
Click Apply. To return to the User Defined Fields page, click Cancel.

OL-25947-01
4-21
Chapter 4
Deleting User Defined Fields

By default, you can define four attribute fields for a device. These fields are used to store additional
user-defined data for the device. You can add up to ten UDFs.
To delete a UDF:
Step 1
Select Admin > Network > Device Credential Settings > User Defined Fields.
The User Defined Fields dialog box appears.
Step 2
Select a UDF and click Delete.

A confirmation message window appears.
Step 3
Click OK. To return to the User Defined Fields page, click Cancel.

Devices added or imported into DCR do not contain all credentials required by the network management
applications to manage them. Sometimes this could lead to failure of application jobs.
The default credentials feature helps you to add or import devices into DCR with the default credentials
and prevents the management applications from failing when the network management applications
manage the devices added or imported in DCR.
Default credentials are stored in DCR and are not associated with any device.
You can configure multiple default credential sets. You can set these default credential sets for a range
of devices to be added or imported to DCR based on certain policies.
You should be a Network Administrator, a System Administrator, or a Super Admin to configure default
credential sets and default credential set policies.
Using Default Credentials
Important Notes on Default Credentials
Configuring Default Credential Sets
Configuring Default Credential Set Policy
Using Default Credentials

You can choose to use the default credentials when you:
Manually add devices in DCR

When you manually add devices with a similar credential set in DCR, you have to enter the
credentials repetitively for every device addition. Instead, you use the default credentials defined in
default credential sets or default credential set policies to populate DCR.
Add devices into DCR through Discovery

Discovery populates only the SNMP read community string in DCR during device addition and
leaves the other credentials as blank.
4-22
OL-25947-01
Chapter 4

When other applications manage the newly added device, the management operations fail if they
cannot retrieve the required credentials from DCR. To prevent the management operations failing,
you can use the default credentials while adding devices through Discovery.
Import devices into DCR

Importing devices from a file, NMS or any other third party applications into DCR populates the
SNMP read-only community string and the SNMP read/write community string.
When other applications manage the newly imported devices, the management operations fail if they
could not retrieve the required credentials from DCR. To prevent the management operations from
failing, you can use the default credentials while importing devices from NMS or any other third
party application.
Important Notes on Default Credentials

You should read the following notes about the default credentials before you configure them and choose
to use them in various flows:
The default credentials you use while adding or importing devices into DCR will not be verified.
You can configure multiple default credential sets and add or import a set of devices in DCR with
default credentials from a default credential set. Later, you can edit the value of the credentials in a
default credential set and add another set of values with the edited default credentials.
The devices that are already added or imported into DCR will not be affected if you edit the values
of the default credentials or remove the default credentials from DCR.
Devices added with default credentials in DCR populates all the credentials you have configured for
the default credential set irrespective of the device management type.
For example, if you have configured the default credential set with Standard credentials, SNMP
credentials, and Auto Update Server Managed Device credentials and if you add a device of
Standard management type in DCR, the Auto Update Server Managed Device credentials are also
populated for that device.
We recommend you to configure a default credential set with the values common for most of the
devices that are to be added or imported into DCR.

You can configure the default credential sets and policies only in the DCR Master and Standalone modes.
This option is not available in the DCR Slave Server.
However, you can use the default credentials in the Cisco Prime applications in DCR Slave Server while
adding the devices to DCR. If you opt to use the default credentials, the DCR Slave Server uses the
credentials stored at the DCR Master Server.
If you configure a LMS Server from DCR Standalone to DCR Slave mode, the default credentials entered
in the server will not be used after the mode is changed to Slave. However, when you change the DCR
mode back to the Standalone mode from the Slave mode, the default credential sets and policies are
restored as configured earlier.

OL-25947-01
4-23
Chapter 4
Configuring Default Credential Sets

You can configure a maximum of 50 default credential sets.
Each default credential set comprises the following credentials:
Primary Credentials (Username, Password, Enable Password)
Secondary Credentials (Username, Password, Enable Password)
SNMPv2c/SNMPv1Credentials (Read-Only Community String, Read-Write Community String)
SNMPv3 Credentials (Mode, Username, Authentication Password, Authentication Algorithm,

Privacy Password, Privacy Algorithm)
HTTP credentials (Primary HTTP Username and Password, Secondary HTTP Username and
Password, HTTP port, HTTPS port, Current Mode)
Auto Update Server Managed Device Credentials (Username and Password)
Rx Boot Mode Credentials (Username, Password)
Configuring a Default Credential Set
Editing a Default Credential Set
Deleting a Default Credential Set
Configuring a Default Credential Set

To configure a default credential set:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets.
The Default Credentials Sets page appears.
The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone
LMS Servers. You cannot see this list item in DCR Slave Server.
Step 2
Click Next or select Credential Sets name from the Default Credentials list panel and enter the
respective credential information.
Step 3
Enter a name of the credential set in the Credential Set Name field. This is mandatory.
The Credential Set Name can contain lower case alphabets, upper case alphabets, and numerals (0 to 9).
You can include the following special characters in the Credential Set Name:
Special Character
Description
Underscore
Hyphen
Period
4-24
OL-25947-01
Chapter 4

Step 4
Enter a description of the credential set in the Set Description field.
Step 5
Click Next or select a credential type from the Default Credentials list panel and enter the respective
credential information. You can select any of the credential types from the panel.
Step 6
Standard Credentials
SNMP Credentials
HTTP Credentials
Auto Update Server Managed Device Credentials
Rx-Boot Mode Credential
Enter the following credentials as required:
SNMP Credentials
SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community
String)
SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy
Password, Privacy Algorithm)

You must select the SNMPv3 check box to add SNMPv3 default credentials. By default, these
fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode is
AuthPriv.
HTTP Credentials
Primary Credentials (Username, Password)
Secondary Credentials (Username, Password)
Other Information (HTTP Port, HTTPS Port, Current Mode)
Auto Update Server Managed Device Credentials (Username, Password)
Rx-Boot Mode Credentials (Username, Password)
Note
Re-enter the value of passwords in the respective Verify fields.
You must enter a value for at least one credential before applying the default credentials.
Step 7
Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also
click Back to navigate to the previous page and click Remove to delete the Default Credential Set and
the credentials configured in this Credential Set, but it will not affect the devices that are already added
or imported with default credentials.

OL-25947-01
4-25
Chapter 4
Editing a Default Credential Set

To edit a default credential set:
Step 1
The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone
LMS Servers. You cannot see this list item in DCR Slave Server.
Step 2
Click Next or select Credential Set Name from the Default Credentials list panel.
Step 3
Select a default credential set name from the Credential Set drop-down list box.
Step 4
Edit the description of the credential set in the Set Description field.
You cannot edit the name of the credential set.
Step 5
Click Next or select a credential type from the Default Credentials list panel.
Step 6
Edit the following credentials as required:
SNMP Credentials
SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community
String)
SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy
Password, Privacy Algorithm)

You must select the SNMPv3 check box to add or edit SNMPv3 default credentials. By default,
these fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode
is AuthPriv.
HTTP Credentials
Primary Credentials (Username, Password)
Secondary Credentials (Username, Password)
Other Information (HTTP Port, HTTPS Port, Current Mode)
Auto Update Server Managed Device Credentials (Username, Password)
Rx-Boot Mode Credentials (Username, Password)
Note
Step 7
Re-enter the value of passwords in the respective Verify fields.
Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also
click Back to navigate to the previous page and click Remove to delete the Default Credential Set and
the credentials configured in this Credential Set, but it will not affect the devices that are already added
or imported with default credentials.
4-26
OL-25947-01
Chapter 4

Deleting a Default Credential Set

To delete a default credential set:
Step 1
The Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone LMS
Servers. You cannot see this list item in DCR Slave Server.
Step 2
Select a credential set from Credential Set drop-down list box.
Step 3
Click Remove to delete a default credential set.

The selected default credential set is deleted from the LMS Server.
The default credential set policies that you have configured with this default credential set will also be
deleted.
Configuring Default Credential Set Policy

You can configure default credential set policies and apply the default credentials for a range of devices
to be added or imported to DCR.
We recommend that you create up to 50 default credential set policies.
You can create default credential set policies based on following policy types:
IP Address
Hostname
Device Name
Before Configuring a Credential Set Policy
Creating a Default Credential Set Policy
Patterns in IP Address Default Credential Set Policy Rules
Regular Expressions in Default Credential Set Policy Rules
Examples For Default Credential Set Policies
Deleting Default Credential Set Policies
Defining the Order of Default Credential Set Policies
Before Configuring a Credential Set Policy

Read the following notes before configuring a default credential set policy:
You can include patterns when creating rules for IP Address based default credential set policies.
See Patterns in IP Address Default Credential Set Policy Rules for more information.
Regular expressions are supported for policies based on Hostname and Device Names. IP Address
based policy types do not support regular expressions.
See Regular Expressions in Default Credential Set Policy Rules for more information.

OL-25947-01
4-27
Chapter 4
The expressions in default credential set policy rules are case insensitive.
You can include the following characters in Device Name and Hostname:
Lower case alphabets
Upper case alphabets
Numerals ( 0 to 9)
Special characters such as hyphen (-), underscore (_), period (.) and colon (:)
When you define more than one policy for a default credential set, all these policy rules work
together. The policies will be applied in the same order in which they appear on the Credentials Sets
Policy Configuration page.
See Defining the Order of Default Credential Set Policies for more information.
Creating a Default Credential Set Policy

To create a default credential set policy:
Step 1
Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Default Credentials Sets Policy Configuration page appears.
The Default Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master
and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.
Step 2
Click Add to add a default credential set policy.

The Add Credentials Policy Configuration dialog box appears.
Step 3
Construct a policy rule. To do so:

a.
Select a parameter from the Select a Policy Type drop-down dialog box.
The listed parameters are IP Range, Hostname and Device Name.
Based on the parameter that you have selected, the value field name changes dynamically.
b.
Enter a value for the rule parameter.

If you have selected IP Range as the rule parameter, enter a value in the IP Range field.
If you have selected Hostname as the rule parameter, enter a value in the Hostname field.
If you have selected Device Name as the rule parameter, enter a value in the Device Name field.
See Patterns in IP Address Default Credential Set Policy Rules and Regular Expressions in Default
Credential Set Policy Rules for more information.
The expressions in credential set policy rules are case insensitive.
c.
Select a credential set name from the Credentials Set drop-down list box to associate the rule
expression with the default credential set.
Select No Default if you do not want to enter a credential set name.
Step 4
Click OK to go back to Credentials Sets Policy Configuration page.

The policy that you have configured is listed in the Credentials Sets Policy Configuration page.
You can edit a default credential set policy later. To do so, you must select a default credential set policy
in the Credentials Sets Policy Configuration page and click Edit.
4-28
OL-25947-01
Chapter 4

Patterns in IP Address Default Credential Set Policy Rules

When you define a default credential policy type based on IP Address, you should follow these
guidelines:
Use the standard IPv4 Address format (4 octets separated by periods) or the IPV6 Address format.
Any octet can have one of the following:

Any Octet can have..
Example
Numbers between:
10.77.240.225 (IPv4 Address)
001:DB8:0:2AA:FF:C0A8:0:640A
(IPv6 Address)
Asterisk (*) as wildcard denoting all numbers from

0 to 255 in an IPv4 Address and 0 to FFFF in an
IPv6 Address.
10.*.*.240 (IPv4 Address)
001:*:0:2AA:FF:*:*:* (IPv6 Address)
Range of numbers in the

[StartingNumber-EndingNumber] format, where:
10.77.[220-240].[210-220] (IPv4
Address)
001:DB8:0:[EE-FF]:FF:C0A8:0:[100-AA
F] (IPv6 Address)
0 to 255 for an IPv4 Address
0 to FFFF for an IPv6 Address
StartingNumber and EndingNumber should
be numbers between 0 to 255 in an IPv4

Address and 0 to FFFF in an IPv6 Address
StartingNumber should not be greater than
or equal to EndingNumber
The following are examples of invalid IP

Address ranges:
10.77.[250-200].221
10.77.200-250.221
001:DB8:0:[EEEE-FF]:FF:C0A8:0:[D-5]
001:DB8:0:AA-BB:FF:C0A8:0:[D-5]
The octets in an IP Address policy type can also contain the combination of wildcard characters and
range of numbers. Some examples of IP Address filter combinations include:
10.77.[210-230].*
10.77.*.[110-210]
001:DB8:*:*:FF:[C0A-DD8]:0:[5-D]
[10-20]:[10-20]:[A-F]:2:4:*:*:*

OL-25947-01
4-29
Chapter 4
Regular Expressions in Default Credential Set Policy Rules

Hostname and Device Name policy types supports regular expressions.
You can use the following characters in regular expressions:
Character Description
Purpose
Period
Matches any character
Opening parenthesis
Marks the beginning of a group of matched characters
Closing parenthesis
Marks the end of a group of matched characters
Asterisk
Matches zero or more occurrences of regular expression specified

earlier
Plus character
Matches zero or more occurrences of regular expression specified

earlier
Trailing slash
Identifies a special character within a regular expression
Examples For Default Credential Set Policies

Example 1 - IP Range Policy Type
Consider that all devices whose IP Addresses are within the range 10.77.[210-230].*, should be added
or imported to DCR with the default credentials defined in a default credential set IPSet.
You should create a default credential set policy based on the IP Range policy type. To do so:
Step 1
Configuration.
The Credentials Sets Policy Configuration page appears.
Step 2

Step 3
Step 4
Construct the policy:

a.
Select the policy type as IP Range from the Select a Policy Type drop-down list box.
b.
Enter the IP Range value as 10.77.[210-230].*
c.
Select the Default Credential Name as IPSet
Click OK to go back to Default Credential Sets Policy Configuration page.

The policy that you have configured will be listed in a table format.
Example 2 - IP Range Policy Type
Consider that all devices whose IP Addresses are within the range
100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15], should be added or imported to DCR with the default
credentials defined in a default credential set IPv6Set.
You should create a default credential set policy based on the IP Range policy type. To do so:
Step 1
Configuration.
4-30
OL-25947-01
Chapter 4


Step 2

Step 3
Step 4

a.
Select the policy type as IP Range from the Select a Policy Type drop-down list box.
b.
Enter the IP Range value as 100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15]
c.
Select the Default Credential Name as IPv6Set

Example 3 - Device Name Policy Type
Consider that all devices whose Device Names end with or contain device, should be added or imported
to DCR with the default credentials defined in a default credential set SetName2.
You should create a default credential set policy based on the Device Name policy type. To do so:
Step 1
Configuration.
Step 2

Step 3
Step 4

a.
Select the policy type as Device Name from the Select a Policy Type drop-down list box.
b.
Enter the value as (.)*device
c.
Select the Default Credential Name as SetName2

Example 4 - Device Name Policy Type
Consider that all devices whose Device Names contain 1.3.6.1.4.1.9.1.n, should be added or
imported to DCR with the default credentials defined in a default credential set SOIDset.
You should create a default credential set policy based on the Device Name policy type. To do so:
Step 1
Configuration.
Step 2


OL-25947-01
4-31
Chapter 4
Step 3
Step 4

a.
Select the policy type as Device Name from the Select a Policy Type drop-down list box.
b.
Enter the value as (.)*\.1\.3\.6\.1\.4\.1\.9\.1\.(.)
c.
Select the Default Credential Name as SOIDset

Example 5- Host Name Policy Type
Consider that all devices whose Hostnames start with Che, should be added or imported to DCR with
the default credentials defined in a default credential set SetName1.
You should create a default credential set policy based on the Hostname policy type. To do so:
Step 1
Configuration.
Step 2

Step 3
Step 4

a.
Select the policy type as Host Name from the Select a Policy Type drop-down list box.
b.
Enter the value as Che(.)*
c.

Example 6- Host Name Policy Type
Consider that all devices whose Hostnames contain lab2, should be added or imported to DCR with the
default credentials defined in a default credential set SetName3.
You should create a default credential set policy based on the Hostname policy type. To do so:
Step 1
Configuration.
Step 2

Step 3

a.
Select the policy type as Host Name from the Select a Policy Type drop-down list box.
b.
Enter the value as (.)*lab2(.)*.
c.
4-32
OL-25947-01
Chapter 4

Step 4

Deleting Default Credential Set Policies

To delete default credential set policies:
Step 1
Configuration.
The Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master and DCR
Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.
Step 2
Select a default credential set policy to delete.

You can also select multiple default credential set policies to delete.
Step 3
Click Delete to remove the default credential set policies.
Defining the Order of Default Credential Set Policies

You can specify the order in which the default credential set policies should be applied for devices that
are added or imported into DCR.
The default credential set policies are applied in the order they appear on the Credentials Sets Policy
Configuration page. The default credential set policies appearing at the top of the list are applied first.
You can create more than one default credential set policy for a default credential set.
When you define more than one policy for a default credential set, all these policy rules work together.
For example, consider 10.77.240.[50-52] as a first IP Address policy associated with a default credential
set name Test1 and 10.77.240.* as the second IP Address policy associated with a default credential set
name Test2.
The default credentials defined in Test1 will be applied for all devices in the IP range 10.77.240.[50-52]
added or imported into DCR. The default credentials defined in Test2 will be applied for all devices in
the IP range 10.77.240.* except the devices with IP Addresses 10.77.240.50, 10.77.240.51 and
10.77.240.52.
For example, consider 10.77.*.* as a first IP Address policy for a default credential set name Test1 and
10.77.210.* as the second IP Address policy for a default credential set name Test2.
The default credentials defined in Test1 will be applied for all devices in the IP range 10.77.*.* added
or imported into DCR. The policy rule 10.77.210.* will never be applied as 10.77.210.* is a subset of
10.77.*.*.
To specify the order of default device credentials policies:
Step 1
Configuration.
The Credentials Sets Policy Configuration page appears with a list of default credential set policies.
Step 2
Select a default credential set policy.

OL-25947-01
4-33
Chapter 4
Step 3
Either:
Click the Up Arrow icon to move the selected default credential set policy up in the displayed order.
Or
Step 4
Click the Down Arrow icon to move the selected default credential set policy down in the displayed
order.
Click Apply Settings to save the changes.
4-34
OL-25947-01
CH A P T E R
Managing Groups
LMS 4.2 combines the device grouping with a new attribute list.
The other grouping services that are available in LMS are:
Fault Group - supports 50 groups
IPSLA Collector Group - supports 100 groups
Port and Module Group - supports 100 groups
The numbers of groups that LMS supports will vary according to the SKU that you use. For more details,
see Application Scaling Numbers section in the Installing and Migrating to Cisco Prime LAN
Management Solution 4.2 guide.
Device Group Administration
DCR Mode Changes and Group Behavior
Port and Module Group Administration
Managing Fault Groups
Viewing Fault Group Details
Viewing Fault Membership Details
Refreshing Fault Membership
Deleting Fault Groups
Understanding Collector Group Rules
IPSLA Collector Group Administration Process
Working with User-Defined Collector Groups

OL-25947-01
5-1
Chapter 5
Managing Groups

This section explains the components of a group and the basic concepts of a group.
Components
The following are the components of a group:
Group Server:
Manages groups of devices. It helps you to create, edit, delete, and refresh groups to be shared by
the application. It interfaces with an application service adapter (ASA) to evaluate group rules and
retrieve devices of a particular group.
Application Service Adapters (ASAs):

Application-specific information repository that serves as source of the devices and attributes that
are grouped by the Groups Server.
Till LMS 3.2, ASA was an interface between applications and Groups Server.
In LMS 4.2, there is only a single ASA.
Group Admin:
Allows you to interact with the Groups Server to create and manipulate groups using Group Admin.
Basic Concepts
The following are the basic concepts of a group:
Group Class:
Representation of a set of devices belonging to DCR. In this context a device in Device and
Credential Repository (DCR) is a single instance of a class. Each instance (device) will have a set
of attributes and a unique device ID.
Group Object:
Device in a group class. Each device in the group will have a set of attributes stored in DCR.
Associated with every device is a unique and immutable device ID.
Group:
Named aggregate entity comprising a set of devices belonging to a single class or a set of classes,
with a common superclass. Groups can be shared between users or applications, subject to
access-control restrictions. The membership of a group is determined by a rule.
Group Rule:
Consists of one or more rule expressions combined by operators, which can be AND, OR or
EXCLUDE. A rule always evaluates to objects of a particular class defined in an application schema.
5-2
OL-25947-01
Chapter 5
Managing Groups

This section has the following subsections:
Groups in Single Server Scenario
Groups in Multi-Server Scenario
Groups in Single Server Scenario

The devices you see in the Group Administration UI in depends on whether the devices are being
managed by LMS or not, and not on any application like CS, RME, CM.
In LMS 3.2, if there are Common Services, LMS, and RME installed on a server, you can see the
following groups in the Groups UIs of the applications.
CS@hostname
RME@hostname
Campus@hostname
In LMS 4.2, there are no separate applications and there are four types of groups:
Device Groups
The device group name is LMS@hostname, instead of CS@hostname, RME@hostname, and
Campus@hostname. LMS supports 200 device groups.
Fault Groups
These groups are created by the Fault Management module in LMS, and consist of interface, trunk
port, and access port groups. Each group has a set of properties (such as a name, description, and
permission.), and are defined by the rules associated with the group.
IPSLA Collector Groups

You can group IPSLA collectors based on a set of criteria such as operation name, operation type,
source address, target address.
Port and Module Groups

You can group ports and modules for easy port and module selection in various configuration
workflows.
Groups in Multi-Server Scenario

Groups you create in LMS groups UI in the Master get synchronized with the Slave.
If you create a subgroup under LMS@Master hostname in one server, it appears under LMS@Slave
hostname in the peer server.
However, in the Master server, if you create a subgroup under LMS@Master hostname, it will always
appear under LMS@\Slave hostname\, in the Slave. That is, the subgroup created in the Master appears
under the shared group of the application in the Slave.
When the user-defined group under master and the user-defined group under slave has the same group
name, then when doing master slave setup, the master group will be retained in slave. The slaves group
will get deleted.

OL-25947-01
5-3
Chapter 5
Managing Groups
Once the master slave setup is done, when we add a group in master it will be synced with slave only
after OGS process is restarted. The direct sync up will be done only during the setup. After setup, both
the OGS will act as a individual servers.
Note
You can create groups in LMS even if the server on which it is installed is in Slave mode.
If you have created a subgroup under LMS@Master hostname , in S, you can see this subgroup under
LMS@Slave hostname.
In a cluster, if you have M as the Master, and S1 and S2 as Ms slaves, and you want to evaluate S1s
groups from S2, you need to import the certificate of S1 to S2 and vice versa.

The Group Administration UI helps you to create, edit, view, delete, export, import, and refresh groups.
The UI displays a Group Selector that contains the following predefined higher-level groups:
System-defined Groups
User-defined Groups
The System-defined Groups shows subgroups only after Device and Credential Repository is populated.
The predefined sub-groups under System-defined Groups are:
Cisco Interfaces and Modules
Network Management
Non Cisco Devices
Routers
Switches and Hubs
Subnet Based Groups

Contains sub folders representing subnets (one folder per subnet) discovered in the network. Each
folder contains the devices corresponding to those subnets.
Note
Subnets groups will appear only after a successful Data Collection.
Voice and Telephony
Unknown Device Type
Universal Gateways and Access Servers
Wireless
You can create subgroups only under User-defined Groups. You cannot create them under
System-defined Groups. However, you can view the details of a subgroup under System-defined Groups
and refresh the group.
Note
Group Administration UI will be enabled only on servers in which DCR is in Master or Standalone
mode. The groups created in DCR Master will be copied to Group Administration instances on servers
where DCR is in Slave mode.
5-4
OL-25947-01
Chapter 5
Managing Groups
The following sections provide information on how to perform group administrative tasks in LMS 4.2:
Migrating Device Groups from Previous Releases of LMS
Creating Groups
Viewing Group Details
Modifying Group Details
Refreshing Groups
Deleting Groups
Exporting Groups
Importing Groups
Overview of Subnet Based Groups
Migrating Device Groups from Previous Releases of LMS
The following table explains migration of device groups from previous releases of LMS, in the table. In
this example, Group A is an application group created separately in CS, RME, and CM, in earlier
versions of LMS:
LMS Version
Common Services
UDG/SDG
RME UDG/SDG
Campus Manager UDG/SDG
3.2.1
Group A
Group A
Group A
4.2
After migration to
After migration to LMS
LMS 4.2, Group A is 4.2, Group A is not
available
Available
After migration to LMS 4.2,

Group A is not available
3.2.1
Group A
Group A
4.2
After migration to LMS After migration to LMS 4.2,

4.2, Group A will not be Group A will not be available
available
3.2.1
4.2
You must create new

subnet-based groups
after a successful
Data Collection
Subnet-based groups
After migration to LMS 4.2, CM
Subnet-based groups will not be
available.
Creating Groups
Specifying Group Properties
Defining Group Rules
System Defined Attributes
Assigning Group Membership
You can create device groups using this feature.

To create a new device group:

OL-25947-01
5-5
Chapter 5
Managing Groups
Step 1
Either:
Select Admin > System > Group Management > Device.

The Group Administration page appears.
Or
Select Inventory > Group Management > Device.

The Group Administration in the Group Administration page provides you with Group Selector.
Step 2
Select the group from the groups listed in Group Selector to create a new subgroup.
The Group Info fields on the right, display details of the selected group.
The group you select here is the Parent group for the new group that you are about to create. You can
change the Parent group later, if required. You cannot create groups under System-defined Groups but
you can view details and refresh the group.
Users in admin role have read-write access to User-Defined groups based on the visibility scope (Public
or Private). If you have the required permissions, you can create subgroups under groups.
Step 3
Click Create to create a new group.

The Group Administration Creation wizard is launched and guides you through the process of creating
a new group.
Perform the following tasks using the Groups Create wizard.
a.
Specify group properties. See Specifying Group Properties for information.
b.
Define group rules. See Defining Group Rules for information.
c.
Assign group membership. See Assigning Group Membership for information.
The first page in the wizard is the Properties:Create window. While creating a new group you must complete
all of the above three tasks in this sequence to create a group.
If you exit the wizard at any stage by clicking Cancel, the details you have specified will be lost and the
group will not be created.
The recommended limit for creating User-Defined group is 200, but you are allowed to create upto 600
User-Defined groups in LMS.
Example
To create a group of all Energywise capable devices:

Step 1
Either:

Or

The Group Administration in the Group Administration page provides you with Group Selector.
Step 2
Select User Defined Groups from the groups listed in Group Selector to create a new subgroup.
5-6
OL-25947-01
Chapter 5
Managing Groups
Step 3
Click Create to create a new group.

The Properties page appears.
Step 4
Enter the name Energywise_capable devices in the Group Name field in the Properties:Create dialog
box.
See Specifying Group Properties for more details.
Note
Step 5
Click Next.
The Rule Dialog box appears.
Step 6
Step 7
Create an expression in the Rules:Create dialog box by entering:

a.
Select Variable as EnergyWise.EnergyWisestate
b.
Select Operator as =
c.
Enter the Value as EnergyWise_capable

You can also check the syntax of the group rule entered.
Note
Step 8
See Defining Group Rules for more details.
Click Next.
The Group Membership Assigning page appears.
Step 9
Select one or more devices in Available Objects From Parent Group column.
To select multiple devices, hold the Ctrl or Shift keys down and click on the devices.
Step 10
Click Add.
The selected devices are removed from the Available Objects From Parent Group and added to the Object
Matching Membership Criteria column.
Note
Step 11
See Assigning Group Membership for more details.
Click Next.
The Summary page appears.
Step 12
Click Finish.
Specifying Group Properties

While specifying group properties, you can enter the properties such as name and description, and
modify the parent group, if required, and update membership, and specify the visibility scope.
To complete the tasks in this phase:
Step 1
Either:

OL-25947-01
5-7
Chapter 5
Managing Groups
Select Admin > System > Group Management > Device. Click
Or

Step 2
Click the Create button in the Group Administration.

Step 3
Enter a name for the group in the Group Name field in the Properties:Create dialog box.
The group name should be unique within the Parent group. However, it need not be so across groups.
The same group name cannot be used in the same group hierarchy.
For example, if you have a group /LMS@Servername/User Defined Groups/MyView, you cannot create
another group with the same name MyView under /LMS@Servername/User Defined Groups.
Step 4
Click Select Group, if you want to copy the attributes of an existing group.
The Replicate Attributes dialog box appears.
Step 5
Select the group you need from the Replicate Attributes list and click OK. To return to the Properties
page, click Cancel.
Step 6
Click Change Parent, to change the Parent group.

The Group Selector page appears.
Step 7
Select the group you need from the Select Parent list.
Step 8
Click OK.
The Group Administration wizard changes the Parent group to the one you selected. To return to the
Properties page, click Cancel.
Step 9
Enter a description for the group.

Typically, you can enter a detailed description of the group that identifies its characteristics in this field.
Step 10
Select the Membership Update mode for the group.

The modes of membership updates available are:
Automatic:
The membership of the group is updated when you add a new device to the group, and each time the
group is invoked.
Only Upon User Request:

The membership of the group is recomputed only when an explicit request is made, using the
Refresh option.
If you select Automatic, the group will be a Dynamic group. If you select Only Upon User Request,
the group will be a Static group.
Step 11
Select either Public or Private to specify the visibility scope.
Private
The group created can be viewed only by user who creates the group.
Public
The group created can be viewed by all users.
5-8
OL-25947-01
Chapter 5
Managing Groups
Step 12
Click Next to get to the Rule:Create dialog box. See Defining Group Rules to define simple and
composite group rules.
Defining Group Rules

In the Rules:Create dialog box, you can define the rules for the group. The rules you define in this phase
determine the contents of the group. The rules you specify here determine the devices to be included in
the group.
In the Rules:Create dialog box, you can either enter the rules directly in the Rule Text field, or select the
components of the rule from the Rule Expression fields, and form a rule.
The rule expression has the following components:
Object.Variable operator value
If you have created the group by copying the attributes of another group, the rules specified for that group
appear in the Rule Text field. You can retain these and add more rules, or delete these rules and create a
new set of rules.
The Rules:Create dialog box allows you to check the syntax in the Rules Text field. You can use this
facility to validate the rules you have created. If you leave the rule blank, it creates a Container group.
Click View Parent Rules to display the rules defined for its ancestor groups.
Defining a Group Rule
Defining Composite Group Rules
Using IP Address Range Operator
Examples
Before you launch the Rule:Create dialog box, ensure that you have completed all the tasks in
Properties:Create dialog box. See Specifying Group Properties for more information.
Defining a Group Rule

To create a group rule:
Step 1
Complete all the tasks in the Properties page. See Specifying Group Properties for more information.
Step 2
Delete the rules displayed in the Rule Text field, if any.
Step 3
Select appropriate parameters for the following:
Object Type Denotes the object type used for forming a group. All expressions start with the
string Device.
Variables Denotes the device attributes, which are used to form a device group.
See System Defined Attributes for details on the variables.
Operators Denotes the various operators to be used with the rule. The list of operators includes
equals, contains, startswith and endswith. The list of operators changes dynamically with the value
of the variable selected.

OL-25947-01
5-9
Chapter 5
Managing Groups
For the ManagementIpAddress variable, you can select a range operator other than the standard list
of operators. See Using IP Address Range Operator for more information.
Step 4
Value Denotes the value of the variable. The value field changes dynamically based on the value
of the variable and operator selected, and the field type can be a text field or a list box.

The Group Administration wizard creates the rule based on the parameters you specified and adds the
rule to the Rules Text field.
For example, the rule type:
Device.DisplayName equals "joe"
will select the device with the DisplayName joe.

The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type
field in Rules Expression.
You can form composite rules using the OR, AND, or EXCLUDE options in the Boolean operator field.
See Defining Composite Group Rules for more information.
You can validate rules that are entered directly into the Rules Text field, or rules formed using the Add
Rules Expression option in the dialog box.
Step 5
To check whether the syntax is valid, click Check Syntax.
To view the rules defined for the parent groups, click View Parent Rules.
Click Next.
The wizard takes you to the Membership:Create dialog box, where you can further refine the group
definition by adding or deleting specific devices from the group. See Assigning Group Membership for
more information.
If you have entered an invalid IP Address range or invalid values in the Value field, an error message will
be displayed. You should correct the values and then navigate to the Membership:Create dialog box.
Defining Composite Group Rules

A Composite rule contains more than one rule expression separated by a Boolean operator.
The Boolean Operators OR, AND, or EXCLUDE appear in the Rules:Create dialog box only when you
have entered at least one rule expression.
When the composite rule has more than two simple rule expressions, you can adjust priorities among the
expressions using opening and closing parenthesis.
To create a composite rule:
Step 1
Delete the rules displayed in the Rule Text field and click any other field.
Step 2
Form a simple rule. See Defining a Group Rule for details.
Step 3

The Group Administration wizard creates the rule based on the parameters you specified and adds the
rule to the Rules Text field.
The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type
field in Rules Expression.
Step 4
Select a Boolean Operator from the drop-down list.
5-10
OL-25947-01
Chapter 5
Managing Groups
Step 5
Select the appropriate parameters for Object Type, Variables, and Operators.
Step 6
Enter a value in the Value field.
Step 7

You can validate rules that are entered directly into the Rules Text field or rules formed using the Add
Rules Expression option in the dialog box.
Step 8
To check whether the syntax is valid, click Check Syntax.
To view the rules defined for the parent groups, click View Parent Rules.
Click Next.
The wizard takes you to the Membership:Create dialog box, where you can further refine the group
definition by adding or deleting specific devices from the group. See Assigning Group Membership for
more information.
Using IP Address Range Operator

The range operator enables you to group the devices of the specified range of IP Addresses. You can
select the range operator only for the ManagementIpAddress and IP.Address variables.
You should enter the range of IP Addresses in the Value field, to create a group rule based on IP Address
ranges.
When you enter the IP Address range in the text field, you should:
Specify the range with permissible values for one or more octets in the IP Address.
The minimum limit in the range is 0 and the maximum limit is 255.
Use the hyphen character (-) as a separator between the numbers that indicate a range.
Specify the range of IP Addresses within the [and] characters to create a group rule.
For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field.
You should not:
Enter numbers less than 0 and greater than 255 in the IP Address range.
Enter any characters other than the range separator (-).
Enter the value of the highest limit in the range as less than the value of smallest limit number. For
example, you should not enter 10.10.10.[8-4].
See Behavior of IP Address Range Based Device Groups in Multi-Server Setup for more information on
the IP Address Range based device groups in a multi-server setup.
Examples
Example to Create a Simple Group Rule
Example to Create a Composite Group Rule
Example to Create a Group Rule Using Range Operator
Example to Create a Simple Group Rule
To create a group of all devices ending with the hostname Test, you should:

OL-25947-01
5-11
Chapter 5
Managing Groups
Step 1
Step 2

a.
Select Variable as HostName
b.
Select Operator as endswith
c.
Enter the Value as Test

Example to Create a Composite Group Rule
If you want to group all the devices in the network that match the following criteria:
Device Name of the device should contain TestDevice
Category of the device should be equal to Routers or IP Address of the device should starts with
10.77
To create this composite rule:

Step 1
Step 2

a.
Select Variable as DisplayName
b.
Select Operator as contains
c.
Enter the Value as TestDevice

Step 3
Step 4
Create another rule expression by entering:

a.
Select AND as the Boolean operator
b.
Select Variable as Category
c.
Select Operator as equals
d.
Enter the Value as Routers

The rule is appended into the Rule Text.
Step 5
Step 6
Create another rule expression by entering:

a.
Select OR as the Boolean operator
b.
c.
Select Operator as startswith
d.
Enter the Value as 10.77

The following composite rule is formed in the Rule Text Area:
Device.DisplayName contains TestDevice AND
Device.Category equals Routers OR
Device.ManagementIpAddress startswith 10.77
5-12
OL-25947-01
Chapter 5
Managing Groups
Step 7
Edit the rule expression in the text area to adjust the priorities among the group expressions.
You should place two rule expressions together within an opening and a closing parentheses. Ensure that
you leave a space between the parenthesis and the group expressions.
The edited composite rule is:
Device.DisplayName contains "TestDevice" AND
( Device.Category equals "Routers" OR
Device.ManagementIpAddress startswith "10.77" )
Step 8
Click Next to proceed further.
Example to Create a Group Rule Using Range Operator
To group all devices whose IP Addresses are within the range 10.10.0.207 to 10.10.212.247, you
should:
Step 1
Step 2

a.
b.
Select Operator as range
c.
Enter the Value as 10.10.[0-212].[207-247]

You can also check the syntax of the group rule entered

The following table provides details on some of the System Defined attributes that are available in LMS.
These are predefined attributes, available by default.
Note
In LMS 4.2, the attributes State (Device.State) and System.SystemOID (Device.System.SystemOID) are
not available. If you backup and restore any group created in older versions of LMS using these
attributes, the groups will not be restored.

OL-25947-01
5-13
Chapter 5
Managing Groups
Table 5-1
Group Attributes in LMS
Attribute
Description
Example
Asset.CLE_Identifier
CLE identifier of the asset.
To create a group of all devices having asset

CLE identifier CLE12:
Asset.Part_Number
Asset.User_Defined_Identifier
Category
Orderable part number of the asset.
User-defined identifier of the asset
Select the variable

Select the operator equals.
Enter the value CLE12.
To create a group of all devices having asset

part number PN123:
Select the variable

Asset.Part_Number
Enter the value PN123.
To create a group of all devices having user

defined asset identifier UD34:
Select the variable

Asset.User_Defined_Identifier.
Enter the value UD34.
Category into which the device falls. The To create a group of all routers in the
first level entries in the Device Type tree network.
in DCR Device Management UI.
Select the variable Category.
Chassis.Model_Name
Chassis.Number_Of_Slots
Name of the model.
Number of slots in that chassis.
Select the operator contains.
Enter the value router.
To create a group of all devices containig

chassis model name WS-C6506:
Select the variable

Chassis.Model_Name
Enter the value WS-C6506.
To create a group of all devices containig 10

chassis slots.
Select the variable

Select the operator =.
Enter the value 10.
5-14
OL-25947-01
Chapter 5
Managing Groups
Table 5-1
Attribute
Description
Example
Chassis.Port_Count
Total port count of the chassis.
To create a group of all devices having

chassis port count more than 5.
Chassis.Serial_Number
Chassis.Vendor_Type
Chassis.Version
DeviceName
DomainName
Serial number of the chassis.
Vendor type of the chassis.
Select the variable

Chassis.Port_Count.
Select the operator >.
Enter the value 5.
To create a group of all devices containing

chassis serial number SSI1.
Select the variable

Chassis.Serial_Number.
Enter the value SSI1.

chassis vendor type cevChassisN5k.
Version number of the chassis.
Device name, as you want it to be

represented in reports or graphical
displays. This can be derived from Host
Name, Management IP Address or
Device Identity.
Domain name of the device.
Select the variable

Chassis.Vendor_Type.
Enter the value cevChassisN5k.

chassis version 0.102.
Select the variable Chassis.Version.
Enter the value 0.102.

Device Name starting with 10.77.132.
Select the variable DeviceName.
Select the operator startswith
Enter the value 10.77.132.
To create a group of all Cisco.com devices.
Select the variable DomainName.
Enter the value Cisco.com.

OL-25947-01
5-15
Chapter 5
Managing Groups
Table 5-1
Attribute
Description
Example
EnergyWise.Domain_Name
Name of the EnergyWise domain.

EnergyWise Interfaces Information.
EnergyWise.EnergyWiseState
Select the variable

EnergyWise.Domain_Name.
Enter the value Interfaces

Information.
To create a group of all EnergyWise-capable

EnergyWise status of the device, for
devices.
example, EnergyWise-capable devices,
EnergyWise-enabled devices,
Select the variable
EnergyWise-hardware-incapable devices
EnergyWise.EnergyWiseState.
and EnergyWise-software-incapable
devices.
EnergyWise.Importance
EnergyWise Importance of the device.

This value prioritizes the devices in a
domain based on their power usage.
EnergyWise.Keyword
EnergyWise.Role
Flash.File_Name
Enter the value EnergyWise-capable

devices.

EnergyWise importance 2.
Select the variable

EnergyWise.Importance.
Enter the value 2.
A word that will help you identify a

specific device or group of devices in the EnergyWise keyword switch.
EnergyWise domain.
Select the variable
EnergyWise.Keyword.
Role or function of the device in the

EnergyWise domain.
Location of Flash file.
Enter the value switch.

EnergyWise role router.
Select the variable EnergyWise.Role.
Enter the value router.
To create a group of all devices having Flash

file name /20-oct.cfg.
Select the variable Flash.File_Name.
Enter the value /20-oct.cfg.
5-16
OL-25947-01
Chapter 5
Managing Groups
Table 5-1
Attribute
Description
Example
Flash.File_Size
Flash file size in MB.

file size greater than 20 KB.
Flash.Model_Name
Flash.Partition_Free
Flash.Partition_Name
Flash.Partition_Size
Flash.Size
Model name of the Flash device.
Free space in MB.
Select the variable Flash.File_Size.
Enter the value 20.

model name starting with c3725-i.
Select the variable

Flash.Model_Name.
Select the operator startswith.
Enter the value c3725-i.

free space greater than 50 MB.
Flash partition name.
Select the variable

Flash.Partition_Free.
Enter the value 50.

partition name flash:1.
Flash partition size in MB.
Select the variable

Flash.Partition_Name.
Enter the value flash:1.

partition size less than or equal to 20 MB.
Total Flash device size in MB.
Select the variable

Flash.Partition_Size.
Select the operator <=.
Enter the value 20.

size greater than or equal to 50 MB.
Select the variable Flash.Size.
Select the operator >=.
Enter the value 50.

OL-25947-01
5-17
Chapter 5
Managing Groups
Table 5-1
Attribute
Description
Example
HostName
Device Host name.
To create a group of all devices ending with

the hostname 3750:
Image.ROM_Sys_Version
Image.ROM_Version
Image.Sys_Description
Image.Version
ImageVersion
IP.Address
System ROM software version
Version of ROM.
Image system description
Running device image version.
Software version running on the device.
Device IP address.
Select the variable HostName
Select the operator endswith.
Enter the value 3750.

system ROM software version 12.4(25):
Select the variable

Image.ROM_Sys_Version.
Enter the value 12.4(25).
To create a group of all devices having ROM

image version 12.2(8r)T2:
Select the variable

Image.ROM_Version.
Enter the value 12.2(8r)T2.
To create a group of all devices having ROM

image version 12.2(8r)T2:
Select the variable Image.Sys_Version.
Enter the value 12.2(8r)T2.
To create a group of all running devices

having image version 12.4(25):
Select the variable Image.Version.
Enter the value 12.4(25).

image version 12.2(52)SE:
Select the variable ImageVersion.
Enter the value 2.2(52)SE.
To group all devices whose IP Addresses are

within the range 10.10.0.0 to 10.10.50.255
Select the variable IP.Address.
Select the operator range.
Enter the value 10.10.[0-50].[0-255].
5-18
OL-25947-01
Chapter 5
Managing Groups
Table 5-1
Attribute
Description
Example
IP.Address_Type
Version of IP, IPv4 or IPv6
To group all IPv6 devices:
IP.Network_Mask
IPv4.Subnet
IPv4.SubnetMask
IPv6.Subnet
IPv6.SubnetMask
ManagementIpAddress
Network mask address
Select the variable IP.Address_Type.
Select IPv6.
To group all devices having network mask

address starting with 255.255.255:
IPv4 subnet of a device.
Select the variable IP.Network_Mask.
Enter the value 255.255.255.

subnet 32:
IPv4 subnet mask of a device.
IPv6 subnet of a device.
Select the variable IPv4.Subnet.
Enter the value 32.

subnetmask starts with 255.
Select the variable IPv4.SubnetMask.

subnet 32
IPv6 subnet mask of a device.
IP Address used to access the device.

Both IPv4 and IPv6 address types are
supported.
Select the variable IPv6.Subnet.
Enter the value 32.

subnetmask starts with 255.
Select the variable IPv6.SubnetMask.
To group all devices having Management IP

address starting with 10.77.215:
Select the variable

ManagementIpAddress.
Enter the value 10.77.215

OL-25947-01
5-19
Chapter 5
Managing Groups
Table 5-1
Attribute
Description
Example
MDFId
To create a group of all devices having MDF

Normative name for the device type as
described in Cisco Meta Data Framework ID 323.
(MDF) database. Each device type has a
Select the variable MDFID.
unique normative name defined in MDF.
Memory.Free
Memory.Name
Memory.Size
Memory.Type
Memory.Used
Model
Free memory in MB.
Name of the memory.
Total RAM size in MB.
Memory type.
Used memory in MB.
Model of the device. The third level

entries in the Device Type tree in DCR
Device Management UI.
For example, the model Cisco 3101
Router falls under the Cisco 3100
Series Routers, which comes under the
category Routers.
To create a group of all devices having free

Memory greater than 83 MB.
Select the variable Memory.Free.
Enter the value 83.

Memory name starting with workspace:
Select the variable Memory.Name.
Enter the value workspace.

Memory size greater than 512 MB.
Select the variable Memory.Size

processorMemory.
Select the variable Memory.Type
Enter the value processorMemory.

Memory used size less than 30 MB.
Select the variable Memory.Used
Select the operator <.
Enter the value 30.
To create a group of all Cisco 3101 Routers.
Select the variable Model
Enter the value Cisco 3101 Routers.
5-20
OL-25947-01
Chapter 5
Managing Groups
Table 5-1
Attribute
Description
Example
Module.HW_Version
Module hardware version.

Module hardware version 3.x
Module.Model_Name
Module.Port_Count
Module.Serail_Number
Module.Vendor_Type
Processor.Model_Name
Name of the model.
Select the variable

Module.HW_Version.
Enter the value 3.

model name starting with NM-16.
Total ports on that module.
Select the variable

Module.Model_Name.
Enter the value NM-16.
To create a group of all devices having 16

port modules.
Serial number of the module.
Vendor type of the module.
Name of the model.
Select the variable

Module.Model_Count.
Enter the value 16.

module serial number starting with FOC08.
Select the variable

Module.Serail_Number.
Enter the value FOC08.

module vendor type starting with cevPwr.
Select the variable

Module.Vendor_Type.
Enter the value cevPwr.

pentium processor.
Select the variable

Processor.Model_Name.
Enter the value pentium.

OL-25947-01
5-21
Chapter 5
Managing Groups
Table 5-1
Attribute
Description
Example
Processor.NVRAM_Size
Size of the processor NVRAM in MB.

NVRAM greater than 512 KB.
Processor.NVRAM_Used
Processor.Port_Count
Processor.RAM_Size
Processor.Serial_Number
Processor.Vendor_Type
Size of the processor NVRAM that has

been utilized, in MB.
Total port count of the processor
Size of the processor RAM in MB.
Serial number of the processor.
Vendor type of the processor.
Select the variable

Processor.NVRAM_Size.
To create a group of all devices with

NVRAM used size greater than 23 KB.
Select the variable

Processor.NVRAM_Used.
Enter the value 23.
To create a group of all devices having 24

ports processor.
Select the variable

Processor.Port_Count.
Enter the value 24.

processor RAM of 0f 128 MB.
Select the variable

Processor.RAM_Size.

processor serial number JAE081.
Select the variable

Processor.Serial_Number.
Enter the value JAE081.

processor vendor type cevCpu37252fe.
Select the variable

Processor.Vendor_Type.
Enter the value cevCpu37252fe.
5-22
OL-25947-01
Chapter 5
Managing Groups
Table 5-1
Attribute
Description
Example
Series
Series to which the device belongs. The

second level entries in the Device Type
tree in DCR Device Management UI.
To create a group of Cisco 3100 Series

Routers.
System.ASP_Capability
System.Contact
System.Description
System.DomainName
System.Identity_Capability
Groups devices according to their Auto

Smartport capability
Device contact person name.
Description of the system.
Select the variable Series.
Enter the value Cisco 3100 Series

Routers.
To create a group of all ASP_Enabled

devices.
Select the variable

System.ASP_Capability.
Select the value ASP_Enabled.
To create an User Defined group whose

member devices have a common system
contact person, J Smith
Select the variable System.Contact.
Enter the value J Smith.
To create a group of all devices having Cisco

IOS software.
Device domain name.
Select the variable

System.Description.
Enter the value Cisco IOS software.
To create a group of all Cisco.com devices.
Groups devices according to their

Identity capability
Select the variable

System.DomainName.
Enter the value Cisco.com.
To create a group of all Identity_Enabled

devices.
Select the variable System.Identity_

Capability.
Select the value Identity_Enabled.

OL-25947-01
5-23
Chapter 5
Managing Groups
Table 5-1
Attribute
Description
Example
System.Location
Device location information.
To create a System Defined Group whose

member devices are located in Bldg 1
Devices
System.Name
Name of the device as configured by the

Administrator.
System.OSTYPE
Type of the operating system.
System.Smart_Install_Directors
SystemObjectID
Groups devices according to their Smart

Install capability
SysObjectID of the device as configured

by the Administrator. It may be
UNKNOWN in the case the facility that
populates the repository does not know
the value.
Select the variable System.Location.
Enter the value Bldg 1 Devices.
To create a group of all devices whose

system name has NDX
Select the variable System.Name.
Enter the value NDX.

UNIX OS.
Select the variable System.OSTYPE.
Enter the value UNIX.
To create a group of all Smart Install

software incapable devices.
Select the variable

System.Smart_Install_Directors.
Enter the value Smart

Install_SW_Incapable.
To group all devices whose systemObjectID

starts with 1.3.6.1.4.1.9
Select the variable SystemObjectID.
Enter the value 1.3.6.1.4.1.9.
The User-Defined Fields (UDFs) available in the variable drop-down list is taken from DCR. You can
create UDFs at Admin > Network > Device Credential Settings > User Defined Fields. For details,
see Adding User Defined Fields.
If you create a UDF that is similar to one of the predefined System Defined attributes, an _UDF suffix is
appended to the User-Defined Field you add, to distinguish these two attributes.
For example if you create a UDF called DisplayName (which is one of the predefined attributes present
in the Variable drop-down list), this will be displayed as DisplayName_UDF.
Note
You should not create a UDFs in the format System Defined Field_UDF, where System Defined Field
stands for any attribute listed in the above table.
5-24
OL-25947-01
Chapter 5
Managing Groups
By default, four UDFs are available. You can create an additional six UDFs in DCR. The maximum
number of UDFs that can be added in the Variable drop-down list is 10.
Assigning Group Membership

You can include more devices or exclude devices using this option. To decide the devices that will be
available to the group you have created, the wizard uses the details of the parent members and rules you
have already specified.
These devices appear in Available Objects From Parent Group column based on the properties and rules
you have already specified in the Properties:Create and Rule:Create dialog boxes. See Specifying Group
Properties and Defining Group Rules for more information.
Note
You can add devices from the list of available objects in the parent group even if they do not match
membership criteria.
To add devices to the group you have created:
Step 1
Select one or more devices in Available Objects From Parent Group column.
Step 2
Click Add.
The selected devices are removed from the Available Objects From Parent Group and added to the Object
Matching Membership Criteria column.
To remove devices from the group:

Step 1
Select one or more devices in Object Matching Membership Criteria column.

Step 2
Click Remove.
The selected devices are removed from the Object Matching Membership Criteria column and added to
Available Objects From Parent Group.
Step 3
Click Next.
The Summary:Create window appears. It displays the group name, the parent group, description, the
membership update type, group rules, and the visibility scope of the group you created.
If you want to change the parameters, click Back to go back to the previous windows and make changes.
Step 4
Click Finish to create the group based on the parameters specified.

OL-25947-01
5-25
Chapter 5
Managing Groups

You can view the details of a group using this feature.
To view the details of a group:
Step 1
Either:

Or

Step 2
Select a group from the Group Selector pane.

The Group Info pane on the right side displays the high-level properties of the selected group.
Step 3
Click Details.
The Group Administration wizard displays the details of the group in Properties:Details window.
Click View Parent Rules to display the rules set for the parent group.
The rules set for the parent group are displayed in the Show Parent Rules window.
Click Membership Details to display a list of devices and their corresponding object types.
The membership details are displayed in Membership:Details window.
In the Membership:Details window, you can:
Click on the column headers to sort the entries in the table.
Select the number of rows to be displayed in the table in the Rows per page option.
Step 4
Click Property Details to return to the Property:Details window.
Click Cancel to return to the Group Administration and Configuration page.
5-26
OL-25947-01
Chapter 5
Managing Groups
Modifying Group Details

You can modify some of the details for a group using this feature.
To modify the details of a group:
Step 1
Either:

Or

Step 2

The Group Info fields on the right side displays details of the selected group.
Step 3
Click Edit.
The Group Administration wizard guides you through the process of editing a group. It displays the
details of the group in Properties:Edit window.
Step 4
Change the Group Name, Description, Membership Update, and Visibility Scope in the Properties:Edit
dialog box.
You cannot change the Parent group or copy attributes from a different group in Edit mode.
Step 5
Click Next.
The wizard takes you to the Rules:Edit window.
Step 6
Change the rules as required. For details on creating the rules, see Defining a Group Rule.
Step 7
Click Next.
The wizard takes you to the Membership:Edit window.
Step 8
Add or remove devices from the list of objects in Objects Matching Membership Criteria as required.
For details on creating the rules, see System Defined Attributes.
Step 9
Click Next.
The wizard takes you to the Summary window.
If you want to change the parameters specified, click Back to go back to the previous windows and make
changes to the properties or rules.
Step 10
Click Finish to modify the group.
Step 11
Click OK.
The Group Administration wizard copies the attributes of the selected group and displays it in the
corresponding fields in Properties:Create window.
Note that the Parent group you have selected for the group does not change even if you are copying
attributes from a group that belongs to a different Parent group.

OL-25947-01
5-27
Chapter 5
Managing Groups
Refreshing Groups
You can recompute the membership of a group by re-evaluating the group rule. The membership of
Automatic groups is recomputed dynamically.
The membership of Only-upon-user-request groups is recomputed only when explicitly refreshed with
this option.
Note
Only users with read-write access can refresh the Only-upon-user-request groups.
To refresh a group:
Step 1
Either:

Or

Step 2

The Group Info fields on the right pane displays details of the selected group.
Step 3
Click Refresh.
The Group Administration popup window prompts you for confirmation.
Step 4
Click Yes.
The selected group is recomputed and the window, refreshed.
Whenever you delete devices from a group, refresh the group so that group membership is recomputed.
Deleting Groups
You can delete a group from the Group Selector. When you delete a group, all the child groups under the
group are also deleted. You can also delete the stale groups (groups that belong to users removed from
Cisco Prime).
To delete a group:
Step 1
Either:

Or

Step 2
Select the group from the Group Selector.
5-28
OL-25947-01
Chapter 5
Managing Groups
The Group Info fields on the right pane displays details of the selected group.
Step 3
Click Delete.
The Group Administration prompts you for confirmation.
Step 4
Click Yes.
The selected group is deleted.
See Deleting Stale Groups Using CLI for more information on how to delete stale groups using CLI.
Exporting Groups
This feature helps you to export a User-defined group hierarchy into a file.
You can export a selected User-defined group hierarchy or all User-defined groups in a LMS Server to
an output file.
Private User-defined groups created by other users will not be exported. However, the
privateUser-defined groups created by you will be exported.
You must have Network Administrator, System Administrator or Super Admin privileges to export
groups.
In a Multi-server setup, you can export the User-defined groups installed in all LMS Servers of the same
DCR domain. You can do this from a DCR Master Server and a Slave server.
Grouping Services supports exporting User-defined groups to an XML format only. CSV file formats are
not supported.
See Sample Export Groups Output File for sample XML file generated by the Grouping Services export
utility.
Note
We recommend that you use the file generated by the Grouping Services export utility for import
operations and do not edit the XML file.
You can:
Exports Groups from the User Interface. See Exporting Groups From User Interfacefor details.
or
Export Groups through the CLI. See Exporting Groups Through CLI for details.
Sample Export Groups Output File
Exporting Groups From User Interface
Sample Export Groups Output File

<?xml version="1.0" encoding="UTF-8"?>

<ogs-groups>
<server name="LMS@server-name">
<ogs-group-definition>
<name>/CS@server-name/User Defined Groups/CSDyna</name>

OL-25947-01
5-29
Chapter 5
Managing Groups
<description> </description>
<rule/>
<evaluation-type>2</evaluation-type>
<scope>PUBLIC</scope>
<tags>
<tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/>
<tag tag-name="USER_DEFINED" tag-value="TRUE"/>
<tag tag-name="__GROUP_ID" tag-value="CS$216"/>
<tag tag-name="__GROUP_OWNER" tag-value="admin"/>
</tags>
</ogs-group-definition>
<ogs-group-definition>
<name>/CS@server-name/User Defined Groups/CSStat</name>
<description/>
<rule>:CMF:DCR:Device.DisplayName contains "77"</rule>
<evaluation-type>1</evaluation-type>
<scope>PUBLIC</scope>
<tags>
<tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/>
<tag tag-name="USER_DEFINED" tag-value="TRUE"/>
<tag tag-name="__GROUP_OWNER" tag-value="admin"/>
<tag tag-name="__GROUP_ID" tag-value="CS$221"/>
</tags>
</ogs-group-definition>
</server>
</ogs-groups>
Exporting Groups From User Interface

To export device groups from the user interface:
Step 1

Step 2
Select a User-defined Group hierarchy from the Group Selector.
Step 3
Click Export.
The Export Groups dialog box appears.
Step 4
Select either one of the following options:
Export the selected User-defined Group hierarchy Exports the selected User-defined Group and
its child groups.
Or
Export All Applications User-defined Groups Exports all User-defined Groups from all
applications installed on all LMS Server in the same DCR domain.
The browser-specific File Download window appears prompting you to open or save the output XML
OGSExport.xml file.
Step 5
Click either of the following buttons:
Open to open the XML file
Or
Save to store the file on the client system with the same or a different filename.
5-30
OL-25947-01
Chapter 5
Managing Groups
Importing Groups
This feature helps you to import User-defined group hierarchies from an input XML file to the LMS
Server.
Note
You cannot import User-defined groups from older versions of LMS to LMS 4.0 and later versions.
You can import User-defined groups from an input file to the LMS Server.
The private User-defined groups in the input XML file will be imported as your private User-defined
groups in LMS Server. They will not be visible to other users.
You must have Network Administrator, System Administrator or Super Admin privileges to import
groups.
In a Multi-server setup, you can import User-defined groups from a DCR Master Server and a Slave
server.
Note
We recommend that you use the file generated by the Grouping Services export utility for import
operations and do not edit the XML file.
You can:
Importing Groups From User Interface

Or
Importing Groups Through CLI
Important Notes on Importing Groups
Important Notes on Importing Groups

Read the following notes before importing User-defined groups:
You must have the required file permissions to select a source XML file for import groups operation.
After importing groups, the group selector may take some time to refresh and display the latest
groups information.
You must launch the Groups Administration page again to view the newly imported groups.
To launch the Groups Administration page, select Admin > System > Group Management >
Device.
Importing groups from an input XML file fails if:

The groups to be imported to the selected Grouping Server locations already exist.
The User-Defined Fields (UDF) that are configured for the import group rules are not available
in the Grouping Servers to which the groups are to be imported.

To import device groups from the user interface:

OL-25947-01
5-31
Chapter 5
Managing Groups
Step 1
Either:

Or

Step 2
Click Import.
The Import Groups - File Selection dialog box appears.
Step 3
Enter an input XML file name in the File Name field or click Browse to select a file from the client
system.
The Import Groups dialog box appears with a list of import groups specified in the input XML file.
Step 4
Select the list of groups to be imported from the Import Groups From field.
Step 5
Select a server location to which the groups are to be imported in the Import Groups to Servers field.
You can select multiple Grouping Server locations or All to select all the Grouping Server locations.
This field is disabled on LMS Servers operating in the DCR Standalone mode.
Step 6
Click OK.
A message appears indicating if the groups were imported or not.
See Important Notes on Importing Groupsfor the possible causes of the import job failure.
See Using Group Administration Features Through CLI for more information on using group
administration feature using CLI.
Overview of Subnet Based Groups

Subnet based groups are automatically created when devices are managed. These are a part of System
defined groups. You cannot create, edit or delete them.
Subnet based groups help you work on smaller subsets of devices that are logically grouped. They are
automatically deleted when all the devices in a subnet are deleted.
This topic covers:
Accessing Subnet Based Groups
Understanding Subnet Based Groups
Creating Groups Based on Subnet
Accessing Subnet Based Groups

To access Subnet based groups:

Or
5-32
OL-25947-01
Chapter 5
Managing Groups

This displays the Group Management page. The Group Selector field displays two groups,
System-defined Groups and User Defined Groups. The Subnet Based Groups are created under System
Defined Groups.
Understanding Subnet Based Groups

The Subnet based groups use the following name format:
Subnet -- Subnet Mask.
The rule expression for Subnet Based Groups has the following components:
Class.attribute operator "value"
For example,
Device.IP.Subnet equals "172.20.104.192" AND Device.IP.SubnetMask equals "255.255.255.240"
The rule above will select all devices of subnet 172.20.104.192 and subnet mask 255.255.255.240.
Creating Groups Based on Subnet

When you need to create subnet based groups, you can do it under User defined groups.
For example, the following rules might be used to create two groups based on the IP address subnet:
Device.IP.Subnet equals "172.29.252.32"
Device.IP.Subnet equals "172.29.252.64"
The examples provided here are simple. However, the Grouping Service allows complex rules to be
arbitrarily formed by combining rule expressions with AND, OR or the EXCLUDE operators. This gives
the administrator the power and flexibility to create view partitions tailored to the needs of their site.

The DCR modes have a bearing on how groups are displayed in the Groups UI. Also the DCR mode
decides whether you can perform any operation on the groups.
In Standalone mode, you can create system-defined and user-defined groups.
In Slave mode, LMS allows you to preserve the user-defined groups, and create new system-defined
device groups.
The port and module groups, Fault groups and Collector groups are not affected by the change in the
DCR mode.
All DCR devices in the Slave are removed, and synchronized with the Master server. Therefore, in a
cluster that has several Slaves and a Master, if you need to create LMS group, you need to go to the LMS
Groups UI in the Master and create the group. The group you create there, will be synchronized with the
Slaves.

OL-25947-01
5-33
Chapter 5
Managing Groups
The following table gives details of DCR mode changes and implications on Groups.
Mode Changed to:
The Initial
Mode
Standalone
Slave
Master
Standalone
Not applicable.
Slave will get Masters groups, both

system-defined and user-defined groups.
No change in the Group

hierarchy.
You can also create new user-defined

groups in the Slave. These groups will not
be shared with the Master or other slaves in
the domain.
Device Allocation Policy gets disabled
(Inventory > Device Administration >
Device Allocation Policy).
Slave
Device Allocation Policy gets Not applicable.

enabled. The groups pertaining
to Master and Slaves will be
removed.
The existing Device Allocation
Policy is retained.
Device Allocation Policy gets

enabled. Groups pertaining to the
previous Master and the
associated Slaves will be
removed.
Local groups will behave in the
same manner.
The existing Device Allocation
Policy is retained.
Master
All dependent Slaves will

switch to Standalone mode.
All groups pertaining to other
machines will be removed.
Device Allocation Policy will
be enabled on all machines in
the cluster.
If you select Inform current Slaves of new Not applicable.

Master Hostname when you change the
mode to Slave, all the Slaves in the domain,
switch to the new Master.
In this case, the groups in the Master will be
seen in the new Slave. Device Allocation
Policy gets disabled.
If this check box is not selected, the new
Slave will pickup the groups of the new
Master. Other Slaves in the domain will
move to Standalone mode.
Unregistering a Slave
The Unregister Slave utility helps you unregister a Slave that is no longer a part of the domain.
The utility is useful in the following scenarios:
Change in Slave mode because of Backup and Restore. That is, if data is restored from Standalone
or Master belonging to a different domain.
When you uninstall Cisco Prime from the Slave.
Change in Slave mode, when master is not reachable. If the Master is down when the Slave mode
changes, the Master will not be aware of the Slave mode change, when it comes up.
The Master will not receive any data from the Slave, but the Slave information will still be in its registry.
A redundant group (such as LMS@Slave) will still appear in the Master Groups UI.
5-34
OL-25947-01
Chapter 5
Managing Groups
In the case of DCR, any device operation on Master will update the Slave list. However, this does not
happen in the case of Groups.
You can run the UnregisterSlave utility to remove any unwanted slave information:
From the CLI, run:
NMSROOT/bin/perl NMSROOT/bin/UnregisterSlave.pl slave host name
You have to enter the hostname of the machine you want to unregister.
For information on effects of backup-restore on data, DCR modes, and Groups, see Effects of
Backup-Restore on DCR and Effects of Backup-Restore on Groups.
Behavior of IP Address Range Based Device Groups in Multi-Server Setup

The range operator allows you to group devices within a specified range of IP addresses.
In a Master-Slave setup:
When the Master server is using an earlier version of LMS, you cannot create device groups based
on IP Address range.
When the Slave server is using an earlier version of LMS, the IP Address Range based device groups
information in the Master is synchronized with the Slave.
Even if you change the mode of Slave server to Standalone, the IP address range based device groups
will remain as they were in the Groups Server.
However, you cannot retrieve the device group information from the Standalone LMS Server to view
it in the user interface. To retrieve and view the device group information, you should either:
Upgrade the LMS in Standalone LMS Server to LMS 4.2.
Or
Change the mode of the LMS Server that has the earlier version of LMS 4.2 from Standalone to
Slave for a DCR Master with the latest version of the software.

LMS allows you to create groups based on ports and modules for a selected set of devices or device
groups using Port and Module Group Administration.
Notes for Port and Module Configuration
1.
Port and Module configuration depends on the data collected by LMS Inventory. For the Port and
Module configuration to work properly, the inventory collection for the devices must be successful.
2.
You must trigger a fresh inventory collection to update all the port and module attributes.
3.
If the data collection is not successful, then data will not be available for some attributes.
4.
The following are the recommended number of ports in LMS:

1.
The maximum number of ports supported in LMS is 500,000 ports.
2.
The maximum number of ports supported in a port group is 100,000 ports.
3.
The maximum number of ports supported in an LMS job is 250,000 ports.

OL-25947-01
5-35
Chapter 5
Managing Groups
4.
In some devices, duplicate entries are returned for the ifName MIB. In such cases, only one entry
for the ifName will be considered and the duplicate entries will be dropped.
5.
The port information is fetched from the ifXtension MIB. If the ifXtension MIB is not supported in
the device, then port configuration for the device will not work.
For example, if a device supports only SNMPv1, then ifXtension MIB will not be supported in the
device. In this case, the port configuration for the device will not work.
The LMS Port and Module Group Browser window contains these fields. (See Table 5-2)
Table 5-2
Fields on Port and Module Group Browser
Field/Button
Description
Group Name
Name of the group created.

By default, the following System-defined groups are displayed:
1 Gbps Ethernet PortsContains all 1 Gbps Ethernet ports in the network.
10 Gbps Ethernet PortsContains all 10 Gbps Ethernet ports in the network.
10 Mbps Ethernet PortsContains all 10 Mbps Ethernet ports in the network.
100 Mbps Ethernet PortsContains all 100 Mbps Ethernet ports in the network.
Access PortsContains all the Access mode ports.
DMP PortsContains all ports connected to DMP.
End HostsContains all ports connected to End Hosts.
IP PhonesContains all ports connected to IP Phones.
IPVSC PortsContains all ports connected to IPVSC.
Link PortsContains all ports connected to other devices.
Description
Description of the group created.
Group Type
Type of the group created. For example, Port or Module.
Created By
User who created the group.
Last Modification
Time.
Time at which the group settings were last modified.
Rows per page
This page displays the number of rows you have set for display in the Rows per page field.
You can increase the rows to 500 for each page by selecting the Rows per Page drop-down list. You
can navigate through the pages of the report using the navigation icons at the bottom right of this table.
Create
Starts the Group Creation Wizard for creating a group, as described in the Creating Port and Module
Groups.
Edit
Starts the Group Edit Wizard for editing an existing group, as described in the Editing Port and Module
Groups.
View
Allows you to view the group details, as described in the Viewing Port and Module Group Details.
Delete
Deletes the group, as described in the Deleting Port and Module Groups.
You can perform the following tasks from the LMS Port and Module Group Browser window:
Creating Port and Module Groups
Editing Port and Module Groups
5-36
OL-25947-01
Chapter 5
Managing Groups
Viewing Port and Module Group Details
Deleting Port and Module Groups
Creating Port and Module Groups

Creating a Port and Module Group involves the following steps:
1.
Entering the Port and Module Group Properties Details
2.
Selecting Group Source
3.
Defining Rule Expression for Port or Module Groups
4.
Understanding the Summary
You must complete all tasks in this sequence to create a group. If you exit the wizard at any stage using
Cancel, the details you have specified will be lost and the group will not be created.
Note
Port and Module configuration depends on the data collected by the LMS Inventory. For the Port and
Module configuration to work properly, the inventory collection for the devices must be successful.
Entering the Port and Module Group Properties Details

In this step, you will enter the name and description for the group.
The Port and Module Group Properties dialog box contains the following fields. (See Table 5-3)
Table 5-3
Fields on the Port and Module Group Properties dialog box
Field
Description
Group Name
Name of the group you are creating.
Description
Text description of the group.
To enter the values in Port and Module Group Properties dialog box:
Step 1
Either:
Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
Select Inventory > Group Management > Port and Module.

Step 2
Click Create.
The Group Properties page appears.
Step 3
Enter a unique name for the group in the Group Name field.
Step 4
Enter a description for the group in the Description field (optional).
Step 5
Click Next.

OL-25947-01
5-37
Chapter 5
Managing Groups
The Select Group Source page appears, displaying the Device Selection dialog box.

In this step, you need to select the Group source. This can be either devices or groups (System-defined
or User-defined).
The Select Group Source page displays the Device Selection and Group Selection dialog box. The
Device Selection and Group Selection dialog box contains the following fields. (See Table 5-4)
You must select either devices or device groups from Device Selector or Group Selector, respectively.
Table 5-4
Fields on the Device Selection dialog box
Fields
Description
Device Selector
Displays all LMS devices in the group.
Search Input
Enter the search expression in this field.

You can enter single device names or multiple device names. If you are entering
multiple device names, separate them with a comma. You can also enter the
wildcard characters * and "?".
For example: 192.168.10.1*, 192.168.20.*
Search
Use this icon to perform a simple search of devices based on the search criteria
you have specified in the Search Input text field.
For information on Search, see Performing Simple Search.
Advanced Search
Use this icon to perform an advanced search of devices based on the search
criteria you have specified in the Search Input text field.
For information on Advanced Search, see Performing Advanced Search.
All
Lists all User-defined and System-defined groups for all applications that are
installed on LMS Server.
For more information, see Selecting Devices From All Tab.
Search Results
Displays all the search results from Search or Advanced Search.

For more information, see Selecting Devices From Search Results.
Selection
Lists all the devices that you have selected in the Search Results or All tab.
Using this tab, you can deselect devices from the list.
Group Selector
Displays all groups in LMS.
To select the group source:

Step 1
Either:
Select Device Selector.
Select the devices.
or
Select Group Selector.
5-38
OL-25947-01
Chapter 5
Managing Groups
Step 2
Select the groups.
Click Next.
The Rule Express page appears.
Defining Rule Expression for Port or Module Groups

In this step, you will define the rules for creating port or module groups. The rules you define in this
phase, determine the contents of the group. The rules you specify here, determine the ports and modules
to be included in the group.
You can either enter the rules directly in the Rule Text field, or select the components of the rule from
the Rule Expression fields, and form a rule.
The Rules Expression page contains the following fields:
Field/Buttons
Description
Object Type
Select the following object types to form a group:
Variable
Module
Port
Object type attributes, based on which you can define the group.
See Rule Attributes for Port and Module Creation.
Operator
Operator to be used in the rule. The list of possible operators change, based on the variable
selected.
When using the equals operator the rule is case-sensitive.
Value
Value of the rule expression. The possible values depend upon the variable and operator that you
select. Depending on the operator selected, the value may be free-form text or a list of values.
Wildcard characters are not supported.
Add Rule Expression
Adds the rule expression to the group rules.
(Button)
Rule Text
Displays the rule.
Check Syntax
Verifies that the rule syntax is correct.
(Button)
Use this button to verify the syntax of the rule that you have created before proceeding to the
next step.

OL-25947-01
5-39
Chapter 5
Managing Groups
Field/Buttons
Description
Include
Include List popup opens and lists all the modules or ports from the selected devices that do not
match the rule. You can choose to include those modules or ports for group creation.
(Button)
The Include List popup will also list the modules or ports that match the rule but will not be
enabled for selection.
Click Include to launch the Include List window. See Table 5-5 for descriptions of the fields in
the Include List window.
You can also include modules or ports for the selected devices, without specifying a rule, by
clicking Include.
Exclude
Exclude List popup opens and lists all the modules or ports from the selected devices that match
the rule. You can choose to exclude those modules or ports for group creation.
(Button)
The Exclude List popup will also list the modules or ports that do not match the rule but will not
be enabled for selection.
Click Exclude to launch the Exclude List window. See Table 5-5 for descriptions of the fields
in the Exclude List window.
To define the group rule:
Step 1
Go to the Rules Expression page.
Step 2
Set the parameters for Object Type, Variable and Operator.
Step 3
Enter the desired value for the Variable you have selected.
Step 4

The LMS Port and Module Group Administration creates the rule based on the parameters you have
specified and adds it to the rules already present in the Rules Text field. You can use the same procedure
to add more rules.
You can manually add or change any text in the Rule Text box.
Step 5
Step 6
Click Include or Exclude.
IncludeA popup window appears, allowing you to include ports or modules for the group. See
Table 5-5 for the descriptions of the fields in the Include List window.
ExcludeA popup window appears, allowing you to exclude ports or modules for the group. See
Table 5-5 for the descriptions of the fields in the Exclude List window.
Click Check Syntax to validate the rules expression syntax.
If the syntax is correct, an information box appears with a message, The rule syntax is valid.
If the syntax is incorrect, an error box appears with a message, You have entered an invalid
rule. Enter a valid rule. See the Help for examples of valid rules.
For examples on defining valid rules, see Examples for Port and Module Groups.
Step 7
Click Next.
The Summary page appears, displaying the group properties. See Understanding the Summary.
5-40
OL-25947-01
Chapter 5
Managing Groups
Note
You can also include modules or ports for the selected devices, without specifying a rule, by clicking
Include.
If you include the ports or modules for the selected devices, and also exclude the same ports or modules,
the exclude option will have a higher priority.
Rule Attributes for Port and Module Creation
The following table lists the available attributes that you can use to define rules to create port and module
groups.
Object Type Attribute
Description
Module
AdminStatus
Administrative status of the module. For example,

Enabled/Commissioned.
FW_Version
Firmware version of the module. For example, 12.1(27b)E1
ModuleName
Name of the module. For example, Linecard
OperStatus
Operational status of the module. For example, Dormant
SlotNumber
Slot number of the module. For example, 6
SW_Version
Software version of the module. For example, 12.1(27b)E1
VendorType
Vendor type of the module. For example, cevAS53004ct1
AdminStatus
Administrative status of the port. For example, Disabled/Decommissioned
CM.AccessStatus
Whether the port is an Access port or not.
CM.Channel
Whether the port is a channel port.
CM.Duplex
The duplex mode of the port. The values could be unknown-duplex,

full-duplex, half-duplex, default, disagree, auto-duplex.
CM.JumboFrameEnabled
Whether the port is JumboFrame enabled or disabled.
CM.L2L3
Whether the port is in switched or routed mode.
CM.LinkStatus
Link status of the port. Whether the link is up or down.
CM.Neighbor
Whether the port is connected to a device, IP Phone, or End Host.
CM.TrunkStatus
Whether the port is a Trunk port. If trunk is configured in the port, then it
is a trunk port.
CM.VLAN_ID
The index of the VLAN configured on the port.
CM.VLAN_NAME
Name of the VLAN configured on the port.
CM.VTP_DOMAIN
Name of the VTP Domain that the port is associated with.
EnergyWise_Importance
EnergyWise Importance of the device.
Port
This value prioritizes the devices in a domain based on their power usage.
EnergyWise_Role
Role or function of the device in the EnergyWise domain.
EnergyWise_Keyword
A word that will help you identify a specific device or group of devices in
the EnergyWise domain.
FlexLink
Whether the FlexLink status of the port is enabled or disabled.
IFIndex
IFIndex of the port. For example, 10
IsEnergyWisePort
Specifies if the port is EnergyWise-enabled.

OL-25947-01
5-41
Chapter 5
Managing Groups
Object Type Attribute
Description
Port
(contd.)
Specifies the security mode, based on the level of security you wish to
implement in your network. The three types of security modes are:
Identity_Security_Mode
Monitor Mode
Low Impact Mode
High Security Mode
MACsecStatus
You can enable or disable MACsec on the interface. MACsec provides

secure, encrypted communication on wired LANs.
OperStatus
Operational Status of the port. For example, Stopped/Suspended
PortDescription
Description of the port. For example, FastEthernet0/1
PortName
Name of the port. For example, Fa0/1
SpanEnabled
Whether the port is Span enabled.
Speed
Speed of the port. For example, 10000000 (for 10 Mbps)
Type
Enter the value for the port type.

For example, if you want to define a rule for the port type ethernetCsmacd,
you need to enter 6 as the value.
For information on the port type values, see
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=ift
ype&translate=Translate&submitValue=SUBMIT&submitClicked=true
Note
For the port attributes that start with name CM. , the data collection for the attributes must be successful.
Examples for Port and Module Groups
This section shows examples of a valid rule.

The following are some examples for grouping tasks:
Rule to select all the Ports whose Port Description contains the string: Ethernet
Rule to select all the Ports that are connected to another device
Rule to select all the Modules whose Slot number is 1
Rule with OR Operator
Rule with AND Operator
Rule to select all the Ports whose Port Description contains the string: Ethernet
This rule filters all ports whose Port description consists of the string Ethernet.
To provide rule expression for this scenario:
From the Create Rules dialog box:
Step 1
Select Port from the Object Type drop down listbox
Step 2
Select PortDescription from the Variable drop down listbox
Step 3
Select contains from the Operator drop down listbox
5-42
OL-25947-01
Chapter 5
Managing Groups
Step 4
Enter Ethernet in the Value textbox
Step 5
Click Add Rule Expression

The following rule gets added to the Rule Text:
Port.PortDescription contains "Ethernet"
Rule to select all the Ports that are connected to another device
This rule filters all Ports that are connected to another device.
Step 1
Step 2
Select CM.LinkStatus from the Variable drop down listbox
Step 3
Select = from the Operator drop down listbox
Step 4
Select Configured in the Value drop down list box.
Step 5

Port.CM.LinkStatus = "Configured"
Rule to select all the Modules whose Slot number is 1
This rule filters all the modules that are placed in slot number 1.
Step 1
Select Module from the Object Type drop down listbox
Step 2
Select SlotNumber from the Variable drop down listbox
Step 3
Step 4
Enter 1 in the Value textbox
Step 5

Module.SlotNumber = "1"
Rule with OR Operator
Rule to list all ports whose Port description contains the string as either Ethernet or FastEthernet.
Step 1

a.

OL-25947-01
5-43
Chapter 5
Managing Groups
b.
c.
Select StartsWith from the Operator drop down listbox
d.
Enter Ethernet from the Value drop down listbox
e.

Port.PortDescription StartsWith "Ethernet"
Step 2
Select the OR option from the logical operator list box.
Step 3

a.
b.
c.
d.
Enter FastEthernet in the Value textbox
e.

The following rule gets appended to the Rule Text:
Port.PortDescription StartsWith "Ethernet" OR
Port.PortDescription StartsWith "FastEthernet"
The OR logical operator evaluates if either or both of the conditions are satisfied. The ports are selected
based on either or both of the matching criteria.
Rule with AND Operator
Rule to select all the FastEthernet Ports whose Operational status is up.
Step 1

a.
Select Ports from the Object Type drop down listbox
b.
Select OperStatus from the Variable drop down listbox
c.
d.
Select OK from the Value drop down listbox
e.

Port.OperStatus = "OK"
Step 2
Select the AND option from the logical operator list box.
Step 3

a.
Select Ports from the Object Type drop down listbox
b.
c.
d.
Enter FastEthernet in the Value textbox
e.
5-44
OL-25947-01
Chapter 5
Managing Groups
The following rule gets appended to the Rule Text:

Port.OperStatus = "OK" AND
Port.PortDescription StartsWith "FastEthernet"
The AND logical operator evaluates if both the parameters are satisfied. Only devices that satisfy both
the criteria are selected.
Include and Exclude
Table 5-5 describes the Include and Excludes window fields in the Rule Expression page of Port and
Module Group Administration.
Table 5-5
Include and Exclude Window Fields Description
Window
Fields/Buttons
Description
Include List
Device Selector
Devices selected for group creation.
Port Name/Module Name Name of the port or module in the device.

For some of the devices, if ports or module names
are not available in the device, the message Not
Available will be shown.
Description/Vendor Type Description of the port or module.
For some of the devices, if ports description or
module vendor type is not available in the device,
the message Not Available will be shown.
Slot Number
Slot number of the module.

This field is available only for modules.
Include
The selected ports or modules are included for

group creation.
(Button)
Filter by Port/Module
Name
Enter the filter expression and click Filter to filter

the port or modules in the device.

OL-25947-01
5-45
Chapter 5
Managing Groups
Table 5-5
Include and Exclude Window Fields Description
Window
Fields/Buttons
Description
Exclude List
Device Selector
Port Name/Module Name Name of the port or module in the device.

For some of the devices, if ports or module names
are not available in the device, the message Not
Available will be shown.
Description/Vendor Type Description of the port or module.
For some of the devices, if ports description or
module vendor type is not available in the device,
the message Not Available will be shown.
Slot Number
Slot number of the module.

This field is available only for modules.
Exclude
The selected ports or modules are excluded from

group creation.
(Button)
Filter by Port/Module
Name
Enter the filter expression and click Filter to filter

the port or modules in the device.
Understanding the Summary

The final step in creating the port or module group is a summary page that displays the new group
definition.
The Summary page contains the following information. (See Table 5-6):
Table 5-6
Fields on the Summary page.
Field
Description
Group Name
Description
Rule
Rules used to filter the group.
Devices/Groups in Rule
List of devices or groups to which the rule will be applied.
After reviewing the group summary, either:

Step 1
Click Finish to complete the procedure for Creating Groups.

A confirmation box appears.
Step 2
Click OK.
You can view the newly created group in the Port and Module Group Browser page.
Or
Click Back to change the group properties.
5-46
OL-25947-01
Chapter 5
Managing Groups
Viewing Port and Module Group Details

To view the existing port or module group details:
Step 1
Either:
Or

Step 2
Select the group name and click View.

The View Group Details page appears, displaying Group: Details dialog box with the following details:
Field/Button
Description
Group Name
Name of the group you are viewing.
Parent Group
Parent group of the group you are viewing.
Type
Type of the objects that belong to the group.
Description
Rule
Rules used to create the group.
Created By
User who created the group. This also displays the time at which the
group was created.
Last Modified By
User who last modified the group. This also displays the time at which
the group was last modified.
Devices/Groups
Devices or Device Groups that are part of the port or module group.
Membership Details
Used to view the list of devices that belong to the group. See Viewing
Membership Details.
(Button)
Cancel
(Button)
Closes the page and takes you back to the Port and Module Group
Browser page.
Viewing Membership Details
You can view a list of the objects that belong to a group by accessing the Group: Details dialog box.
Step 1
Either:
Or


OL-25947-01
5-47
Chapter 5
Managing Groups
Step 2
Select the group name for which you want to view the membership details and click View.
The Group: Details dialog box appears.
Step 3
Click Membership Details.

The View Group Members dialog box appears with the following information:
Field/Button
Description
Device Selector
Port Name/Module Name
Name of the port or module in the device that are part of the group.
Description
Description of the ports or modules in the device that are part of the
group.
Filter by Port/Module Name
Enter the filter expression and click Filter to filter the port or modules
in the device that are part of the group.
Close
To close the View Group Members dialog box.
(Button)
Editing Port and Module Groups

You can edit all attributes that are defined while creating a group, except Group Name.
To edit a port and module group:
Step 1
Either:
Or

Step 2
Select the group by checking the check box.
Step 3
Click Edit.
The Group Properties page appears, displaying Port and Module Group Properties dialog box. See
Entering the Port and Module Group Properties Details.
You cannot:
Modify the Group Name field.
Click Finish to complete the edit flow.
5-48
OL-25947-01
Chapter 5
Managing Groups
Step 4
Click Next.
The Select Group Source page appears, displaying either Device Selector or Group Selector dialog box.
Device Selection
If you have selected devices using Device Selector in the Create flow.
If you have created the group by including the ports or modules without specifying the rule in
the Create flow. In this case, only the devices for which you selected ports or modules are
displayed.
Or
Group SelectionIf you have selected device groups using Group Selector in the Create flow.
You can modify the devices or groups that you have selected, based on your requirement.
Step 5
Click Next.
The Rules Expression page appears, displaying the rule previously set. See Defining Rule Expression
for Port or Module Groups.
You can modify and define new rules.
If you include the ports or modules for the selected devices, and also exclude the same ports or modules,
the exclude option will have the higher priority.
Step 6
Click Next.
The Summary page appears, displaying the group details. Understanding the Summary.
Step 7
Either:
Click Finish to complete the editing procedure for the group.
Or
Click Back to change the group properties.
Note
You can click Finish at any point in the workflow.
Deleting Port and Module Groups

To remove an existing port or module group:
Step 1
The Port and Module Group Browser page appears, displaying the list of groups.
Step 2
Select the group to remove from the Port and Module Group Browser dialog box.
Step 3
Click Delete.
A confirmation dialog box shows that the group will be deleted.
Step 4
Click OK.

OL-25947-01
5-49
Chapter 5
Managing Groups

The group selector displays some groups such as Access Port Groups, Trunk Port Groups, and Interface
Port Groups. See Fault System Defined Groups for more information.
You can control the polling and thresholds settings for these groups using Monitor > Threshold
Settings > Fault. See Monitoring and Troubleshooting Online Help for more information.
These system defined groups can be used when searching for devices using the Advanced Search option
in the device selector.
LMS System-defined Groups
Fault System Defined Groups
LMS System-defined Groups

The LMS system defined groups are visible to all Cisco Prime users, and are the factory default groups
administered by LMS. Device Groups appear in the group selector when they have device members, that
is, devices in the DCR that belong to that group.
The following are the LMS system defined groups:
Broadband Cable
Content Networking
DSL and LRE
Interfaces and Modules
Network Management
Non Cisco Devices
Optical
Routers
Security and VPN
Server Fabric Switches
Storage Networking
Switches and Hubs
Server Fabric Switches
Unknown Device Types
Voice and Telephony
Wireless
5-50
OL-25947-01
Chapter 5
Managing Groups
Fault System Defined Groups

The fault system defined groups are visible to all Cisco Prime users, and are the factory default groups
that are administered by the Fault Management module in LMS 4.0.
The following are the Fault Management system defined groups:
System defined access port groups:

1 GB Ethernet
10 GB Ethernet
10MB-100MB Ethernet
ATM
Others
System defined interface groups:

1 GB Ethernet
10 GB Ethernet
10MB-100MB Ethernet
ATM
Backup
Dial-on-Demand
FDDI
ISDN B channel
ISDN D channel
ISDN physical interface
Others
Serial
Token Ring
System defined trunk port groups:

1 GB Ethernet
10 GB Ethernet
10MB-100MB Ethernet
ATM
Others
A 10 GB Ethernet interface device, during an upgrade, behaves in the following ways:
If the 10MB - 100MB group has been set to high priority when compared to 1 GB Ethernet group,
then the 10GB device falls under the 10MB - 100MB group. In order to make it fall under 10 GB
Ethernet Group, you must set the priority of the group to high.
If the 10MB - 100MB group has been set to low priority when compared to 1 GB Ethernet group,
then the 10GB device falls under 10 GB group.
For more information, see Setting Priorities in Monitoring and Troubleshooting Online Help.

OL-25947-01
5-51
Chapter 5
Managing Groups

Customizable groups are the only user-defined groups for which you can set polling and threshold
parameters. They are provided so you can create groups that fit your needs. Fault Management in
LMS 4.0 provides 28 customizable groups, which are divided into four categories:
Access Port Groups
Trunk Port Groups
Interface Groups
Device Groups
Table 5-7 lists the seven customizable groups that appear in each of the four categories.
Table 5-7
Polling and Thresholds: Customizable Groups
Customizable
Groups
Intended Use
Consider reserving customizable groups A, B, and C to troubleshoot
Add one device to any of these groups when you need to test. For example, to test a
changed threshold or interval value for a polling setting.
C
1
2
Consider using customizable groups 1, 2, 3, and 4 when you want to override polling
settings and thresholds for more than one device.
3
4
You configure a customizable group to have the highest priority. To do so, see Setting Priorities section
in Monitoring and Troubleshooting Online Help. You must add devices to the customizable groups
before you can set polling parameters or threshold values for them. To do so, see Working with
Customizable Groups.
Since you cannot change the rules for system defined groups, Fault Management provides groups that
you can customize so that they contain devices, ports, or interfaces.
Port and interface containment is only seen and used by Polling and Thresholds (Monitor > Threshold
Settings > Fault).
After you edit or create a group, you can determine whether other Cisco Prime users can view the group.
Table 5-8
Fault Management Customizable Groups
Use this group to

monitor...
Settings you can

configure for this group:
Customizable Access Port

Groups
Access ports
Thresholds
Customizable Groups
Devices
Polling and thresholds
Customizable Interface Groups
Interfaces
Thresholds
Customizable Trunk Ports

Groups
Trunk ports
Thresholds
Group Name
5-52
OL-25947-01
Chapter 5
Managing Groups
For each of the parent groups listed in Table 5-8, Fault Management provides seven configurable
subgroups. Table 5-9 describes the restrictions placed on the subgroups.
Table 5-9
Fault Management Customizable GroupsRestrictions
Group Name
Customizable Group A
Restrictions
Use to troubleshoot a single device (but can

contain more than one device)
Cannot be deleted
Cannot have subgroups
Cannot have name changed
Customizable Group 1
Can contain multiple devices
Cannot be deleted
Cannot have subgroups
Cannot have name changed
Customizable Group B
Customizable Group C

The Fault Group Administration and Configuration page is where all group management activities take
place.
To open the Group Administration and Configuration page:
Either:
Select Admin > System > Group Management > Fault.
Or
Select Inventory > Group Management > Fault.
Note
If you are connecting to the LMS server for the first time, a Security Alert window is displayed
when you select an option. Do not proceed without viewing and installing the self-signed
security certificate.
See Editing and Creating Fault Groups for information on how to use Group Administration to create
and edit groups. In addition to creating and editing groups, Group Management provides the following
functions:

OL-25947-01
5-53
Chapter 5
Managing Groups
Table 5-10 describes the fields in the Group Administration and Configuration page.
Table 5-10
Fields on Group Administration and Configuration Page
Field/Button
Description
Group Selector
Hierarchical display of all available groups.
Group Info
When you select an item from the Group Selector, the Group Info pane displays the
following information:
Group NameName of the group you selected.
TypeType of objects in the selected group.
DescriptionText description of the group.
Created ByPerson who created the group.
Last Modified ByLast person to modify the group settings.
Create
Starts the Group Creation Wizard for creating a group, as described in Editing a
Fault Group.
Edit
Starts the Group Edit Wizard for editing user defined groups, as described in Editing
a Fault Group. Not supported for view groups created from the Alerts and Activities
Defaults page.
Details
Opens the Properties: Details page, as described in Viewing Fault Group Details.
Refresh
Refreshes a group memberships, as described in Refreshing Fault Membership. Not

supported for port and interface groups.
Delete
Deletes a group, as described in Deleting Fault Groups.
Editing and Creating Fault Groups

The processes for editing and creating groups are similar. Keep these points in mind:
You can edit user defined customizable subgroups. For example, the subgroup Customizable
Group 1 under Customizable Access Port Groups. These subgroups are listed in Working with
Customizable Groups.
You can create or edit user defined miscellaneous groups. These groups can be used with views in
the Alerts and Activities display, or with notification groups in Notification Services.
You cannot edit or view groups created from the Alerts and Activities Defaults page.
This section contains information on:
Editing a Fault Group
Creating a Fault Group
Understanding Rules
Finalizing Fault Group Membership
Viewing the Fault Group Summary
5-54
OL-25947-01
Chapter 5
Managing Groups
LMS uses the Group Creation Wizard to guide you through the steps required to create or edit a group.
The wizard consist of four steps:
1.
Setting properties (for details, see Editing a Fault Group)
2.
Creating rules (for details, see Understanding Rules).
3.
Modifying group membership (for details, see Finalizing Fault Group Membership).
4.
Viewing the summary (for details, see Viewing the Fault Group Summary).
Editing a Fault Group

You can edit the properties of user defined customizable port, interface, and device groups. You can also
edit miscellaneous user defined groups you created using Group administration.
Procedure
Step 1
Either:

The Fault Group Administration and Configuration page appears.
Or

Step 2
In the Group Selector, select the group you want to edit, click Edit.
The Properties: Edit page appears.
You can modify the following in the Properties: Edit page:
Group Name
Will be automatically populated when editing customizable subgroups; for example, Customizable
Group 1 under Customizable Access Port Groups.
Description
Membership update type (not supported for port and interface groups)
The parent group is displayed, but it cannot be modified.
Step 3
Visibility Scope
Click Next.
The Rules: Edit page appears. For more information on creating rules, see Understanding Rules.
To return to any of the previous pages in the wizard, click Back.
Note
If you edit a device-type group, you can launch the Preview.

OL-25947-01
5-55
Chapter 5
Managing Groups
Adding and Deleting Rules from the Rules:Edit Page
Adding and Removing Objects from the Rules: Edit Page
Adding and Deleting Rules from the Rules:Edit Page

You can add new rules or delete existing rules in the Rules: Edit page.
To add a new rule:
Step 1
From the first list, select a logical operator (applicable when there are multiple rule expressions).
The list of logical operators is enabled after at least one rule expression is entered.+
Step 2
From the Object Type list, select an object type.
Step 3
From the Variable list, select a variable.
Step 4
From the Operator list, select an operator.
Step 5
In the Value field, enter a value.
Step 6

The rule expression appears in the Rule Text box.
You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\),
an error is displayed.
To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single
backslash. You should always check the syntax after changing a rule expression.
If you have added complex rules (containing both AND and OR conditions), you must manually enter
parentheses, as in the following example:
(AccessPort.Mode equals OR
AccessPort.Mode contains BACKUP OR
AccessPort.Mode contains NORMAL) AND
AccessPort.DuplexMode contains HALFDUPLEX OR
AccessPort.DuplexMode contains FULLDUPLEX)
Step 7
Verify whether the syntax of the rule is correct by clicking Check Syntax.
A dialog box appears, stating that the syntax is valid.
Step 8
Click OK.
If you want to view the rules for the parent group, select View Parent Rules.
All rules assigned to a parent group also apply to any of its subgroups.
Step 9
Click Next.
The Membership: Edit page appears.
5-56
OL-25947-01
Chapter 5
Managing Groups
To delete a rule:
Step 1
In the Rule Text box, select the entire rule text and press the Delete key.
After deleting the rule, you must click the page so that the page can refresh, removing the list of logical
operators.
Step 2
Click Next.
The Membership: Edit page appears.
Adding and Removing Objects from the Rules: Edit Page

You can add or remove specific objects from the group membership. This feature is not supported for
port and interface groups.
The group's rule captures the list of objects that are added to or deleted from the group. The rule will
contain an Includelist and an Excludelist section to reflect this.
Although it is acceptable for a rule to have more than one Includelist or Excludelist, the recommended
practice is to consolidate them, forming one Includelist and one Excludelist. Check for duplicates across
both lists and ensure that no device is both included and excluded.
You can add and remove objects from the Parent Group
To add an object:
Step 1
In the Available Objects from Parent Group column, select the device you want to add.
Step 2
Click Add.
Step 3
Click Next.
The groups information appears in the Summary: Create page.
Step 4
Click Finish.
A dialog box appears, stating that changes to the group have been saved.
Step 5
Click OK.
To remove an object:
Step 1
In the Objects Matching Membership Criteria column, select the device you want to remove.
Step 2
Click Remove.
Step 3
Click Next.
Step 4
Click Finish.
Step 5
Click OK.

OL-25947-01
5-57
Chapter 5
Managing Groups
Creating a Fault Group

Creating fault groups is supported only for user defined miscellaneous groups. Once created, you can
edit these groups.
Note
When you create a fault group, at least one device must be in the managed state.
Procedure
Step 1
Either:

Or

Step 2
In the Group Selector, select User Defined Groups.
Step 3
Click Create.
The Properties: Create page appears.
Step 4
Enter a group name for the new group.

If you do not want to copy the attributes of an existing group to your new group, proceed to Step 6. If
you want to copy the attributes of an existing group to the new group, do the following:
a.
Click Select Group.

The Replicate Attributes page appears.
b.
Select the group from which you want to copy the attributes.
c.
Click OK.
All attributes except the group name are copied to the new group.
If you want to change the parent group (the location where the group will reside in the Group Selector),
do the following:
a.
Click Change Parent.

The Select Parent page appears.
b.
Step 5
Select the parent group.
Click OK.
Enter a description. This is optional.
Step 6
Choose how you want the group membership updated.

This choice is not displayed for port and interface groups):
If you want the membership for this group updated automatically, select Automatic.
If you want the membership for this group updated only when the Refresh button is clicked, select
Only Upon User Request.
5-58
OL-25947-01
Chapter 5
Managing Groups
Step 7
Step 8
Select a Visibility Scope:
Available to Created User Only
Available to All Cisco Prime Users
Click Next.
The Rules: Create page appears. (For more information on creating rules, see Understanding Rules.)
Step 9
Do one of the following:
To create rules to apply to the group, go to Step 10.
Click Next and select the objects on the Membership: Create page (not supported for port and
interface groups). Then go to Step 10.
If you need to return to any of the previous pages in the wizard, click Back.
Step 10
Create all rules that you want to apply to the group:

a.
Select a logical operator (applicable when there are multiple rule expressions).
The list of logical operators is enabled after at least one rule expression is entered.
b.
Select an object type.
c.
Select a variable.
d.
Select an operator.
e.
Enter a value.
f.

The rule expression appears in the Rule Text box.
You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\),
an error is displayed.
To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single
backslash. You should always check the syntax after changing a rule expression.
If you have added complex rules (containing both AND and OR conditions), you must manually enter
parentheses, as in the following example:
AccessPort.DuplexMode contains HALFDUPLEX OR
g.
Verify that the rule syntax is correct by clicking Check Syntax.

A dialog box appears, stating the syntax is valid.
h.
Click OK.
If you want to view the rules for the parent group, select View Parent Rules.
i.
Click Next.
The Membership: Create page appears.

OL-25947-01
5-59
Chapter 5
Managing Groups
Adding and Removing Objects from the Rules: Create Page

You can add or remove specific objects from the group membership. This feature is not supported for
The group's rule captures the list of objects that are added to or deleted from the group. The rule will
contain an Includelist and an Excludelist section to reflect this.
Although it is acceptable for a rule to have more than one Includelist or Excludelist, the recommended
practice is to consolidate them, forming one Includelist and one Excludelist. Check for duplicates across
both lists and ensure that no device is both included and excluded.
You can add and remove objects from the Parent Group
To add an object:
Step 1
In the Available Objects from Parent Group column, select the device you want to add.
Step 2
Click Add.
Step 3
Click Next.
Step 4
Click Finish.
Step 5
Click OK.
To remove an object:
Step 1
In the Objects Matching Membership Criteria column, select the device you want to remove.
Step 2
Click Remove.
Step 3
Click Next.
Step 4
Click Finish.
Step 5
Click OK.
5-60
OL-25947-01
Chapter 5
Managing Groups
Understanding Rules
Every group is defined by a set of rules. A rule set contains a Boolean combination of individual rule
expressions.
Rules are created to filter in the objects that you want to belong to the group, and to filter out those that
you do not want in the group. When determining the objects that belong to a group, Group Management
compares object information to the rule. If an object information satisfies all of the rule requirements, it
is placed in the group.
One or more rule expressions can be applied to form a rule. Each rule expression contains the following:
Object Type.Variable Operator Value
For example:
Routers.Location equals "San Jose"
Complex rules that contain both OR and AND conditions require you to edit the rule manually. For
example, all parentheses in the following rule must be added in the Rule Text field:
(AccessPort.DuplexMode contains HALFDUPLEX OR
Rules are defined through the Group Creation Wizard on the Rules: Create and Rules: Edit pages. You
can define the following:
Logical Operators
Object Type
Variable
Operator
Value
Logical Operators
The logical operator field appears when you are defining multiple rules. The logical operators can be:
ORInclude devices that fulfill the requirements of either rule.

For interface, access port, and trunk port groups, this operator can only be used between the
variables of the same type, as in the following valid rule:
AccessPort.DuplexMode equals HALFDUPLEX OR
AccessPort.DuplexMode equals FULLDUPLEX
If you used an AND operator in the previous port rule, it would be invalid.
ANDInclude only objects that fulfill the requirements of both rules.

For interface, access port, and trunk port groups, this operator can only be used between the
variables of different types, as in the following example:
AccessPort.Mode equals AND
AccessPort.DuplexMode equals FULLDUPLEX
If you used an OR operator in the previous rule, it would be invalid.

OL-25947-01
5-61
Chapter 5
Managing Groups
For device groups, this operator can only be used between variables of the same type, as in the
following example:
Routers.Model equals "12816" AND
Routers.Model equals 12810
The following would be an invalid rule for a device group:

Routers.Model equals "12816" AND
SwitchesAndHubs.Type equals "6509"
In the previous example, you would have to use the OR operator.
EXCLUDEDo not include these devices.
Object Type
The Object Type field lists the available objects that you can use to form a group.
Depending upon the type of group you are creating, the Object Type field may contain the following
choices:
AccessPort
TrunkPort
Interface
Cable
ContentNetworking
Device
DSLAndLRE
Group
InterfacesAndModules
NetworkManagement
Optical
Routers
SecurityAndVPN
ServerFabricSwitches
StorageNetworking
SwitchesAndHubs
UniversalGatewaysAndAccessServers
Unknown
VoiceAndTelephony
Wireless
Variable
The Variable field lists the possible attributes for the selected object type to be used for the rule. The list
of possible variables changes based on the object type that is selected. Some variables for port and
interface groups are described in Table 5-11.
Operator
The Operator field defines the operator to be used in the rule. The list of possible operators changes
based on the object type and the variable selected.
When using the equals operator, the rule is case-sensitive.
Value
The Value field describes the value of the rule expression. The possible values depend upon the object
type, variable, and operator selected. Depending on the operator selected, the value may be free-form
text or a list of values.
5-62
OL-25947-01
Chapter 5
Managing Groups
Most of the values that can be entered in the Value field of the Rules: Edit page are self-evident, but some
of the objects in the Variables field have special meanings or restrictions on how to enter the related
attribute in the Value field.
Table 5-11 describes the objects that appear in the Variable field of the Rules: Edit page that might need
further explanation.
Table 5-11
Explanations for the Values of Special Variables
Variable
Explanation
Description
Interface or port description.
DuplexMode
Duplex mode (FULLDUPLEX, HALFDUPLEX, or UNSPECIFIED).
InterfaceCode
Interface types, protocols, or encapsulations.
MaxSpeed
Maximum speed, in bits per second.
MaxTransferSpeed
Speed of the largest datagram that can be sent or received, specified in

octets.
For interfaces that use transmitting network datagrams, this is the speed of
the largest network datagram that can be sent.
Note
Mib2ifType
Type of interface, distinguished according to the physical or link protocols

immediately below the network layer in the protocol stack, represented as
a digit.
Mode
Intended purpose (for example, for interfaces, backup, dial-on-demand, and

so forth).
Name
Name of object.
SystemModel
Name of the system.
SystemName
Name of system containing this element.
SystemObjectID
System Object Identifier associated with vendor of system.
SystemVendor
Name of system supplier.
Type
Type of element (for example, interface), distinguished according to the

physical or link protocols immediately below the network layer in the
protocol stack.
After you have defined the rule, you should verify the syntax. You can do this on the Rules: Edit page.
Table 5-12 describes the remaining fields on the Rules: Edit page of the Group Creation Wizard.
Table 5-12
Fields on the Rules: Edit Page
Field/Button
Description
Add Rule Expression
Used to add the rule expression to the group rules.
Rule Text
Displays the rule. For complex rules (which contain both OR and AND
conditions), you must manually add parentheses in this field. (In Editing a
Fault Group, see Step 10 and Step 6.)

OL-25947-01
5-63
Chapter 5
Managing Groups
Table 5-12
Fields on the Rules: Edit Page (continued)
Field/Button
Description
Check Syntax
View Parent Rules
Used to view the parent group rules.

All parent group rules apply to the subgroups.
Examples of Rules
You want to create a group that contains all interfaces using full duplex mode in the Dallas location.
Form the following rule:
Interface.Duplex.Mode contains "FULLDUPLEX" AND Location contains Dallas
Interface
VariableDuplex.Mode
OperatorContains
ValueFULLDUPLEX
Logical OperatorAnd
VariableLocation
Operatorcontains
ValueDallas
You want to create a group that contains all of the security and VPN devices in the San Jose location.
Form the following rule:
SecurityAndVPN.Location contains "SanJose"
Object TypeSecurityAndVPN
VariableLocation
OperatorContains
ValueSan Jose
To understand the group rules, see the rules used for system defined groups. These rules appear in the
Properties: Details page. For a description of the Properties: Details page, see Viewing Fault Group
Details.
Finalizing Fault Group Membership

After the group rules have been defined, they are evaluated, and you can view the group members (except
for port and interface groups, which are only used for polling and threshold purposes). In addition, the
group membership can be modified by adding or removing specific objects.
The group rule will be automatically modified to reflect the objects that were added or removed from the
group. You add or remove specific objects from a group membership in the Membership: Edit page of
the Create Group Wizard.
5-64
OL-25947-01
Chapter 5
Managing Groups
Viewing the Fault Group Summary

The final step in the Create Group Wizard is viewing a summary page that displays the new group
definition. Table 5-13 describes the fields on the Group Summary page of the Group Creation Wizard.
Table 5-13
Fields on the Group Summary Page
Heading/Button
Description
Group Name
Parent Group
Parent group of the group you are creating.
Description
Membership Update Automatic (updated whenever the group is accessed) or upon user request
(updated only when you click the Refresh button).
Rules
Rules used to filter group membership.
Visibility Scope
Setting that determines whether all Cisco Prime users or only the created user
can view the group.
Polling Overriding
Group preview
Click to display the Preview page. This page displays the priorities of the
Polling Overriding Groups.
Threshold
Overriding Group
preview
Click to display the Preview page. This page displays the priorities of the
Threshold Overriding Groups.
Viewing Fault Group Details

Information about a group is displayed on the Properties: Details page.
To view the Fault group details:
Step 1
Either:

Or

Step 2
In the Group Selector, select the group for which you want to view details.
Step 3
Click Details.
The Properties: Details page appears.

OL-25947-01
5-65
Chapter 5
Managing Groups
Table 5-14 describes the fields on the Properties: Details page.

Table 5-14
Fields on the Properties: Details Page
Heading/Button
Description
Group Name
Parent Group
Type
Description
Membership Update
Automatic (updated whenever the group is accessed) or upon user request

(updated only when you click the Refresh button)
Created By
Person who created the group.
Last Modified By
Last person to modify the group.
Rules
View Parent Rules
Used to view the parent group rules. All parent group rules apply to the
subgroups.
Membership Details
Used to view the list of devices that belong to the group. Does not apply to
Cancel
Closes the page and takes you back to the Group Administration and
Configuration page.
Viewing Fault Membership Details

You can view a list of the objects that belong to a group by accessing the Properties: Details page.
Membership is not displayed for port and interface groups, which are used only for polling and threshold
purposes.
Procedure
Step 1
Either:

Or

Step 2
In the Group Selector, select the group for which you want to view details.
Step 3
Click Details.
The Properties: Details page appears.
Step 4

The Membership: Details page appears.
5-66
OL-25947-01
Chapter 5
Managing Groups
Table 5-15 describes the fields on the Membership: Details page.

Table 5-15
Fields on the Membership: Details Page
Heading/Button
Description
Name
Name of the device for which you want to view membership details.
Object Type
Type of object for which you want to view details.
Property Details
Takes you back to the Properties: Details page.
Cancel
Closes the page and takes you back to the Group Administration and
Configuration page.

Refreshing a group membership forces the group to recompute its membership by reevaluating its rules
and obtaining membership information from the data collectors. Port and interface group membership
lists are not supported, because these groups are only used for polling and threshold purposes.
Procedure
Step 1
Either:

Or

Step 2
In the Group Selector, select the group you want to refresh.
Step 3
Click Refresh.
Step 4
In the confirmation dialog box, click Yes.
Step 5
In the next dialog box, click OK.

OL-25947-01
5-67
Chapter 5
Managing Groups

You can only delete user defined groups that are not one of the seven customizable groups.
Procedure
Step 1
Either:

Or

Step 2
In the Group Selector, select the group you want to delete.
Step 3
Click Delete.
Step 4
In the confirmation dialog box, click Yes.
Step 5
In the next dialog box, click OK.
Edit, Refresh, and Delete cause internal processes to start. For this reason, LMS could experience a
period of high CPU utilization after these processes are triggered.

Every group is defined by a set of rules. A rule set contains a Boolean combination of individual rule
expressions.
You can access the IPSLA Collector groups using either:
Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
Select Inventory > Group Management > IPSLA Collector.

The IPSLA Collector Group page appears.
Rules are created to filter in the devices that you want to include in the group, and to filter out those that
you do not want in the group.
While determining the devices that belong to a group, Group Management compares device information
to the rule. If the information on a device satisfies all the requirements of the rule, it is placed in the
group.
The devices are filtered based on the data present in the IPSLA Performance database.
One or more rule expressions can be applied to form a rule.
Each rule expression contains the following:
object type.variable operator value
5-68
OL-25947-01
Chapter 5
Managing Groups
Table 5-16 lists the various operators that can be used to create rules to group Collectors.
Table 5-16
Field/Button
Description
OR, AND, EXCLUDE,

INCLUDE
Logical operators.
ORInclude objects that fulfill the requirements of either rule.
EXCLUDEDo not include these objects.
INCLUDE Include these objects
The Rule Text field appears only after a rule expression is added.
Object Type
Type of object (collector) that is used to form a group.
Variable
Collector components, based on which you can define the group.

For more information, see Collector Components.
Operator
Operator to be used in the rule. The list of possible operators changes based on the Variable
selected.
When using the equals operator the rule is case-sensitive.

OL-25947-01
5-69
Chapter 5
Managing Groups
Table 5-16
Field/Button
Description
Value
Value of the rule expression. The possible values depend upon the variable and operator
selected. Depending on the operator selected, the value may be free-from text or a list of
values.
The following are the values for the corresponding operations:
1 = echo
2 = pathEcho
5 = udpEcho
6 = tcpConnect
7 = http
8 = dns
9 = jitter
10 = dlsw
11 = dhcp
12 = ftp
14 = RTP
16 = icmpjitter
18 = VoipCallSetupPostDialDelay
19 = VoipGKRegDelay
1019-Ethernetping
1020-Ethernetjitter
1119-EthernetPingAutoIPSLA
1120-EthernetJitterAutoIPSLA
Add Rule Expression
Rule Text
Displays the rule.
Check Syntax
Verifies if the rule syntax is correct.

Use this button if you have entered the rules manually.
View Parent Rules

5-70
OL-25947-01
Chapter 5
Managing Groups
Collector Components
Table 5-17 lists the available group attributes that you can use for defining the User-Defined groups.
Table 5-17
Collector Components
Component Type
Description
Source Address
Device IP address.
Target Address
Device IP address.
Operation Type
All IPSLA operations available for LMS
Operation Name
Name of a user-defined operation.
VRF
Name of the VRF (Virtual Routing and Forwarding).

The IPSLA Collector Group Administration depends on the IPMOGSServer processes. If these
processes are not running, then an error message appears:
Error in communicating with Group Administration Server.
It may be down or not yet up. Please make sure that the Group Administration Server is
up and running, then refresh the page.
You can resolve this error by starting the IPMOGSServer process.

You can start this process using Admin > System > Server Monitoring > Processes.
The Process Management page appears with all Cisco Prime processes listed. In the Process
Management page, select the IPMOGSServer and click Start.
If the IPMOGS Server is down, do the following:
You can start the IPMOGS Server either from the CLI, or from the LMS UI.
To start IPMOGS Server from the CLI:
Enter NMSROOT/bin/pdexec IPM OGSServer
To start IPMOGS server from the LMS UI:
Step 1

The Process Management page appears with all Cisco Prime processes listed.
Step 2
Select IPM OGSServer in the Process Management dialog box.
Step 3
Click Start.

OL-25947-01
5-71
Chapter 5
Managing Groups
If the CMFOGS Server is down, do the following:
You can start the CMFOGS Server either from the CLI, or from the LMS UI.
To start CMF OGS Server from the CLI:
Enter NMSROOT/bin/pdexec CMFOGSServer
To start CMFOGS server from the LMS UI:
Step 1
Step 2
Select CMFOGSServer in the Process Management dialog box.
Step 3
Click Start.

This section explains the various tasks that you can perform on the IPSLA Collector Group
Administration.
Table 5-18 lists the Fields and buttons available in the Group Administration page.
Table 5-18
IPSLA Collector Group Administration Page
Field/Buttons
Description
Group Selector
Hierarchical display of all available groups.
Group Info
Displays the following collector group information:
Group NameThe name of the group you selected.
TypeThe type of objects in the selected group.
DescriptionA text description of the group.
Created ByThe person who created the group. You can also view the time at which the
group was created.
Last Modified ByThe last person to modify the group settings. You can also view the time
at which the group was modified.
Create
Starts the Group Creation Wizard for creating a group, as described in the Creating and
Modifying User-Defined Collector Groups.
Edit
Starts the Group Edit Wizard for editing an existing group, as described in the Creating and
Modifying User-Defined Collector Groups.
Details
Opens the Properties: Details page, as described in the Viewing Collector Group Details and
Viewing Membership Details.
Refresh
Refreshes a group membership, as described in the Refreshing User-Defined Collector Group

Membership.
Delete
Deletes a group, as described in the Deleting User-Defined Collector Groups.
5-72
OL-25947-01
Chapter 5
Managing Groups

These are collector groups created by the user based on a set of criteria such as operation name, operation
type, source address, and target address.
For example, if you want to create a location-based collector groups, you must select the devices used
by that location and define the collector groups based on the criteria mentioned above.
You can perform the following tasks on user-defined collector groups:
Creating and Modifying User-Defined Collector Groups
Deleting User-Defined Collector Groups
Viewing User-Defined Collector Groups
Refreshing User-Defined Collector Group Membership
Creating and Modifying User-Defined Collector Groups

LMS provides a single wizard-based approach that leads you through the procedure to create multiple
user-defined collector groups. This wizard process involves the following four steps:
1.
Setting Collector Group Properties
2.
Defining Collector Group Rules
3.
Assigning Collector Group Membership
4.
Viewing the Collector Group Summary
You must complete all the four tasks in this sequence to create collector groups. If you exit the wizard
at any stage using Cancel, the details you have specified will be lost and the collector groups will not be
created.

In this step, you can enter the group properties such as name and description, copy the attributes from
another group, change the parent group, and modify the parent group and membership update details, if
required.

OL-25947-01
5-73
Chapter 5
Managing Groups
To set or edit the collector group properties:

Step 1
Either:
Or

The IPSLA Collector Group page appears.
Step 2
Select the required group from the Group Selector pane.

For example:
Step 3
If you want to create or edit a group, select the User Defined Group folder from the Group Selector
pane.
If you want to create or edit a subgroup, select the required collector group under the User Defined
Groups folder.
You can either:
Click Create to create a group or subgroup.

Or
Click Edit to edit a group or subgroup.

Step 4
Specify the collector group name and description in the Group Name and Description fields.
The Group Name must be unique within the parent group. However, you can specify the same name in
some other groups.
For example, if you already have a group named MyGroup in a group named Views under
User-Defined Groups, you cannot use the same name for another subgroup in the group Views.
However, you can use the name 'MyGroup' for the subgroup of another group in User-Defined Groups.
After entering the group name and description, you can either copy the attributes of an existing group to
the new group or proceed to Step 5.
To copy the attributes of an existing group to the new group, do the following:
a.
Click Select Group.

The Replicate Attributes window appears.
b.
Select the required collector group from the User Defined Groups folder.
c.
Click OK.
All attributes except the group name are copied to the new group.
The parent group you have selected for the group does not change even if you are copying attributes
from a group that belongs to a different parent group.
5-74
OL-25947-01
Chapter 5
Managing Groups
To change the parent group, do the following:

a.
Click Change Parent.

The Select Parent window appears.
b.
Select the required group.
c.
Click OK.
The Properties page appears with the new parent group.
Step 5
Select the Membership Update and Visibility Scope for the group.
For more information, see Table 5-19.
Step 6
Click Next.
The Rules page appears.
Table 5-19
Field
Description
Group Name
Copy Attributes from

Group
Copy the attributes of an existing group to your new group using Select Group.
Parent Group
Parent group of the group you are creating. You can change the parent group using Change
Parent.
Description
Membership Update
Group Membership is updated.
Visibility Scope
Automatic: Updates whenever the group is accessed.
Only Upon User Request: Click Refresh.
Private Groups: Visible only to users who created the group.
Public: Visible to all users.

In this step, you can define the rules for the collector groups. This rule determines the contents and the
collectors to be included in the collector group.
This rule allows you to add collectors and VRFname based on the variables such as operation name,
operation type, source address, and target address. You can use one or a combination of variables while
defining the rule. The collectors that satisfy the rule will be added to the collector group.
If you have created the collector group copying the attributes of another group, the rules specified for
that group appears in the Rule Text field. You can retain these and add more rules, or delete these rules
and create a new set of rules.
Note

OL-25947-01
5-75
Chapter 5
Managing Groups
In the Rules page, you can either enter the rules directly in the Rule Text field or select the components
of the rule from the Rule Expression fields and define a rule.
Table 5-20 lists the various Fields and Buttons available in the Rules page.
Table 5-20
Field/Buttons
Description
OR, AND, EXCLUDE
Logical operators.
ORInclude objects that fulfill the requirements of either rule.
The Rule Text field appears only after a rule expression is added.
Object Type
Type of object (Collector) that is used to form a group. All IPSLA Collector group rule
expressions begin with the same Object Type, IPM:Collector Management: Collector.
Variable
Collector attributes, based on which you can define the group.

For more information, see Collector Components.
Operator
Operator to be used in the rule. The list of possible operators change based on the Variable
selected.
When using the Equals operator, the rule is case sensitive.
Value
Value of the rule expression. The possible values depend upon the variable and operator selected.
Depending on the operator selected, the value may be free-form text or a list of values.
Add Rule Expression
Rule Text
Displays the rule.
Check Syntax

View Parent Rules

For group rule restrictions and examples, see Understanding Collector Group Rules.
5-76
OL-25947-01
Chapter 5
Managing Groups
To define the collector group rules:

Step 1
Either:
Or

Step 2
Select the Object Type from the drop-down list.
Step 3
Select the required variables from the Variable drop-down list. You can select one or a combination of
variables.
The variables available are Operation Name, Operation Type, Source Address, VRF name, and Target
Address.
Step 4
Select the Boolean operator from the Operator drop-down list.

The Boolean operators change based on the variable you have selected.
Step 5
Specify the Value for the variable you have selected.
Step 6

The IPSLA Collector Group Administration creates the rule based on the parameters you specified and
adds it to the rules already present in the Rules Text field. You can use the same procedure to add more
rules.
If you want to delete a rule expression, you have to select the complete expression including the logical
operator and press the Delete key on your keyboard.
Step 7
Click Check Syntax to validate the rules expression syntax.

If the Syntax is correct, a confirmation message appears, The rule syntax is valid. If the Syntax is
incorrect, an error message appears with syntax error messages along with the line and column number.
Step 8
Click View Parent Rules to view the parent and group rules.
Step 9
Click Next.
The Membership page appears.
Assigning Collector Group Membership

The Membership page allows you to create a highly customized user-defined collector group. This page
lists the collectors in two panes, namely Objects From Parent Group and Objects Matching Membership.
Objects From Parent GroupLists the collectors in the parent group.
Objects Matching MembershipLists the collectors that satisfy the rule defined by you. You can
add or delete collectors from this pane. You can also add collectors from the parent group to create
the collector group.

OL-25947-01
5-77
Chapter 5
Managing Groups
To assign collector group membership:

Step 1
Select the required collectors from the Objects From Parent Group pane.
Step 2
Click Add.
The selected collectors are added to the Objects Matching Membership pane.
Step 3
Click Next.
The Summary page appears with the User-Defined Group properties.
To remove collectors from the group:

Step 1
Select the required collectors from Objects Matching Membership pane.
Step 2
Click Remove.
The selected collectors are removed from the Objects Matching Membership pane and added to the
Objects From Parent Group pane.
Step 3
Click Next.
The Summary page appears with the summary of the user-defined collector group.
Viewing the Collector Group Summary

The final step is the Summary page that displays the new group definition as in Table 5-21.
Table 5-21
Understanding Collector Group Summary
Field
Description
Group Name
Description
Parent Group
Parent group of the group you are creating. You can change the parent group using Change
Parent.
You can select only IPSLA Collector User-Defined groups.
You cannot edit this field in the Edit flow.
Membership Update
Updates group membership.

Membership updates can be automatic (updated every time the group is accessed) or upon user
request only (updated only when you click Refresh).
Rules
Visibility Scope
Describes if the group is public (all users) or private (only for the group owner).
5-78
OL-25947-01
Chapter 5
Managing Groups
To view the collector group summary:

Step 1
Click Finish to complete the procedure for creating collector groups.

A confirmation message appears.
Step 2
Click OK.
You can view the newly created user-defined collector group in the Group Selector pane.
Or
Click Back to modify the group properties.
Deleting User-Defined Collector Groups

In the The IPSLA Collector Group Administration page, you can use the Delete option to delete the
user-defined collector groups. During the deletion process, only the collector group is deleted , and the
associated collectors are not deleted. You cannot delete the system-defined collector groups.
To delete user-defined collector groups:
Step 1
Select the group for which you want to view details from the Group Selector pane.
Step 2
Click Delete.
Viewing User-Defined Collector Groups

This section explains how to view the group and membership details and refresh the same.
Viewing Collector Group Details

The Property Details page displays the group details.
To view the collector group details:
Step 1
Either:
Or


OL-25947-01
5-79
Chapter 5
Managing Groups
Step 2
Step 3
Click Details.
The Property Details page appears. For more information, see Table 5-22.
Table 5-22
Field/Button
Description
Group Name
Parent Group
Type
Description
Membership Update
How group membership is updated.
Created By
Person who created the group. This also displays the time at which it was created.
Last Modified By
Last person to modify the group. This also displays the time at which it was modified.
Rules
Visibility Scope
Indicates whether the group is Public (visible to all users) or Private (visible only for the group
owner).
View Parent Rules
Allows you to view the parent group rules.

Membership Details
Allows you to view the membership details.
Cancel
Takes you back to the Group Administration page.

The Property Details page allows you to view a list of the objects that belong to a group.
To view the membership details:
Step 1
Either:
Or

Step 2
Step 3
Click Details.
The Property Details page appears.
5-80
OL-25947-01
Chapter 5
Managing Groups
Step 4

The Membership Details page appears. For more information, see Table 5-23.
Table 5-23
Field/Button
Description
Name
Name of the device.
Object Type
Type of object.
Property Details
Takes you back to the Property Details page.
Cancel
Takes you back to the Group Administration page.

Refreshing a group membership forces the group to recompute its membership by reevaluating its rules
and obtaining membership information from the data available.
To refresh the membership of the group:
Step 1
Either:
Or

Step 2
Step 3
Click Refresh to refresh the membership of the selected group.

The Refresh Group Confirmation dialog box appears.
Step 4
Click OK.
A message appears that the selected group membership has been refreshed.
Or
Click Cancel to return to the Group Administration page.

OL-25947-01
5-81
Chapter 5
Managing Groups

The operation-based collector groups are predefined groups available with IPSLA module in LMS by
default. They are also referred as system-defined collector groups.
The various operation-based collector groups available are Echo, Path Echo, UDP Echo, ICMP Jitter,
UDP Jitter, Call Setup Post Dial Delay, Gatekeeper Registration Delay, RTP, DNS, DHCP, HTTP, FTP,
DLSW, TCP Connect, Ethernet Jitter, Ethernet Ping, Ethernet Jitter Auto IP SLA and Ethernet Ping Auto
IP SLA.
You can perform the following tasks on operation-based collector groups:
Viewing Operation-Based Collector Details
Refreshing Operation-Based Collector Groups
To view the details of an operation-based collector group:

Step 1
Either:
Or

Step 2
Select the default operation name from the Group Selector pane for which you want to view the collector
group details.
Step 3
Click Details.
The system-defined collector group details appear.
Step 4
Click Membership Details to know the membership details of this system-defined collector group.
The Membership Details page appears.
To refresh the membership of an operation-based group:

Step 1
Step 2
Click Refresh to refresh the membership of the selected group.

The Refresh Group Confirmation dialog box appears.
Step 3
Click OK.
A message appears that the selected group membership has been refreshed.
Or
Click Cancel to return to the Group Administration page.
5-82
OL-25947-01
CH A P T E R

Data Collection runs automatically when you add, or delete devices in the Unified Device Manager
(UDM).
Modifying Data Collection SNMP Timeouts and Retries.
Scheduling Data Collection.
Data Collection Critical Device Poller.
Compliance and Audit Settings

You can modify the SNMP timeouts and retries when Data Collection fails for a particular device with
SNMP timeout exceptions.
The SNMP fallback methodology applicable for Data Collection, UT Acquisition, and Dynamic UT is
as follows:
If you have configured a device with SNMP v2 or v1 settings in DCR, then the device is initially
queried with SNMP v2. If the query fails, LMS will query the device with SNMP v1.
If you have configured a device with SNMPv3 settings in DCR, then the device is queried with
SNMP v3. However, if the query fails, the same device will not be queried with SNMP v2 or v1.
To modify SNMP timeouts and retries:

Step 1
Select Admin > Network > Timeout and Retry Settings > Data Collection SNMP Timeouts and
Retries.
The SNMP Timeouts and Retries dialog box appears.
Step 2
Modify the SNMP settings as given in Table 6-1.

OL-25947-01
6-1
Chapter 6
Table 6-1
Modify Data Collection SNMP Timeouts and Retries
Field
Description
Target
Denotes the Target device.

You should enter IPv4 or IPv6 address of the target device in this field.
You can also use wildcard characters or range of numbers to specify the
target device.
For example, you can enter 10.[77-78].*.* or ABCD:EF12:*:*:*:*:[3A-BB]
as the target device
Timeouts
Time period after which the query times out.

This also indicates the time interval between the request and the first initial
response from the device.
The SNMP response may be slow for remote devices. If your network has
remote devices connected over a slow link, configure a higher value for
time-out.
If timeout is increased, discovery time could also increase. Enter the value in
seconds.
For every retry, the timeout value is doubled.
For example, If the timeout is 10 seconds and retries 4:
LMS waits for 10 seconds for response for the first try, 20 seconds for the
second retry, 40 seconds for the third retry and 80 seconds for the fourth
retry.
150 seconds (10+20+40+80) is the total time lapse after which LMS stops
querying the device.
Retries
Number of attempts made to query the device. The allowed range is 0-8.
Step 3
Click Add to add SNMP settings.
Step 4
Select a row and either:
Click Edit to edit the timeouts and retries values.
Or
Click Delete to delete the timeouts and retries values.
Click OK to save the changes or click Cancel to exit.

Step 5
Click Apply.
6-2
OL-25947-01
Chapter 6


Data Collection runs automatically when you add, or delete devices in the Unified Device Manager
(UDM).
You can also schedule the day and time of data collection using this feature.
You can start data collection immediately for all or failed devices and schedule data collection for all
devices. All devices is a default option. You can select the Failed devices option to run data collection
for failed devices.
To schedule data collection:
Step 1
Select Admin > Collection Settings > Data Collection > Data Collection Schedule.
The Data Collection Schedule dialog box appears.
Step 2
Modify the data collection settings as described in Table 6-2.

Table 6-2
Data Collection Schedule Settings
Field
Description
Usage Notes
Days on which and the time at

which data collection is
scheduled.
The optimum data collection schedule depends

on the size of the network and the frequency of
network changes.
Schedule
Days, Hour, Min
The default data collection schedule is every 4

hours, on the 4-hour mark, daily: 04.00, 08.00,
12.00, 16.00, 20.00, 24.00 Note that time is in
the 24-hour format.
Step 3
Select a schedule and click Edit to edit the schedule.
Select a schedule and click Delete to delete the schedule.
Click Add to add a new schedule.
Best Practices
Be cautious while scheduling Data Collection:
Data Collection consumes significant resources on the network management system.
Use the Polling option to see the device and link status without running data collection. For more
details on polling see, Data Collection Critical Device Poller

OL-25947-01
6-3
Chapter 6

LMS polls the entire network for device and link status periodically.This feature allows you to:
Configure the time interval at which the network is polled.
Poll only a critical set of devices.

Use this option to see the device and link status without running Data Collection.
Since Data Collection consumes significant system resources, you can simply poll the network and
view the device and link status in Topology maps.
Adding Critical Devices to the Device Poller
To add a device to the Critical Devices list from Topology Map:

Step 1
Launch a Topology map.
Step 2
Right click a device and select Add device to Critical Poller.
To add a device to the Critical Devices list from N-Hop View Portlet:
Step 1
Launch N-Hop View Portlet.
Step 2
Go to the configuration screen and select Poll devices.
Caution
If the critical set of devices is more than 30, the amount of traffic generated as part of the polling cycle
will use a large amount of bandwidth.
To configure Device Poller:
Step 1
Select Admin > Collection Settings > Data Collection > Data Collection Critical Devices Poller.
The Device Poller screen appears.
Step 2
Configure the device poller options as specified in Table 6-3.

Table 6-3
Field
Device Poller Options
Description
Usage Notes
Polling Details
All Devices
Specifies that all devices in the network will By default the whole network is polled every 2
be polled at the specified interval.
hours.
Critical Devices
Specifies that only critical devices in the

network will be polled at the specified
interval.
You can configure this option when you need to

poll a few devices in the network more frequently.
By default, the critical devices are polled every
five minutes.
6-4
OL-25947-01
Chapter 6

Table 6-3
Device Poller Options
Field
Description
Usage Notes
Time Interval
Time interval at which the specified devices Configure this option to change the interval from
the default value.
are polled.
The time interval is added to the completion
time of Data Collection.
For example, you have configured the
following:
Data Collection is scheduled to run at

07:00 hours
Time interval is set to 4 hours.
If Data Collection completes at 08:00 hours,

the next polling will happen at 12:00 hours
(8 + 4).
Show Devices
For Critical Devices:

Displays the list of critical devices in the
network.
The following information about the Critical

Devices is displayed:
IP Address
DeviceName
You can choose any device and click Delete to

remove it from the Critical Device poller list.
For All Devices:
Launches the Data Collection report.
Step 3
The following information about the devices in the

network is displayed:
IP Address
DeviceName
DeviceType
Neighbors
Click Apply to save the configuration.

The following topics are discussed in this section:
Compliance Data Collection
Import Contracts
Import Policy Updates
Compliance Data Collection

The Compliance Data Collection allows you to schedule the Compliance Data Collection System Job.

OL-25947-01
6-5
Chapter 6
The Compliance Data Collection job runs daily by default. The user can schedule a Compliance Data
Collection Job.
To schedule a Compliance Data Collection System Job do the following:
Step 1
Select Admin > Compliance and Audit Settings > Compliance Data Collection > Compliance Data
Collection System Job Schedule.
The Compliance Data Collection System Job Schedule page appears.
Step 2
Enter the information required to scheule a Compliance Data Collection System Job
Field
Description
Job Type
Command Output Collection Job .
Scheduling
Run Type
Specifies the type of schedule for the job:
DailyRuns daily at the specified time.
WeeklyRuns weekly on the day of the week and at the specified time.
MonthlyRuns monthly on the day of the month and at the specified time.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the
job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of
this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job
has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November
2, then the next job will start only at 10:00 a.m. on November 3.
Date
1.
Enter the start date in the dd mmm yyyy format, for example, 06 Oct 2011, or click on the
calendar icon and select the date.
2.
Enter the start time by selecting the hours and minutes from the drop-down list.
Job Info
Job Description
The default job description is, System-defined job for Compliance data Collection.
E-mail
Enter e-mail addresses to which the job sends messages when the job has run.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog
box (Admin > System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the senders address,
Step 3
Click Apply.
The scheduled job appears in the Compliance Data Collection Jobs.
6-6
OL-25947-01
Chapter 6

Compliance Data Collection Jobs

The Compliance Data Collection Jobs enables you to view the status of all the Compliance Data
collection jobs.
Table 6-4
List of Compliance Data Collection Jobs
Column
Description
Job ID
Unique number assigned to this task at scheduling time. This

number is never reused. There are two formats:
Job ID:
Identifies the task. This does not maintain a history. For
Example:1002
JobID.Instance ID:
Here, in addition to the task, the instance of the task can also be
identified. For example: 1002.1, 1002.2
Status
Provides the status of the current jobs. The status of the current jobs
is displayed as succeeded or failed. It also displays the failure
reasons.
Description
Owner
Username of the job creator.
Job Type
Type of job e.g. system compliance.
Scheduled At
Date and time at which the job was scheduled.
Completed At
Date and time at which the job was completed.
Schedule Type
Frequency of the job. This can be:
Daily
Weekly
Montly.
Work Order
Displays information about the Job Description, Owner, Schedule

Type, Schedule Time, E-mail Notification, E-mail IDs and Devices
List.
Device Details
Displays the Device IP, Job Status and Message Summary.
Job Summary
Displays the Job Status, Job Message, Start Time, End Time and
Device Updates.
Import Contracts
The Import Contracts enables you to import customer contracts into the Compliance and Audit Manager
Database.
The contract summary report can be generated only after importing contracts into the Compliance and
Audit Manager Database.

OL-25947-01
6-7
Chapter 6
The following steps should be performed for importing contracts into the Compliance and Audit
Manager Database:
Step 1
Go to
http://apps.cisco.com/CustAdv/ServiceSales/contract/viewContractMgr.do?method=viewContractMgr.
Note
Step 2
Open the link in Internet Explorer and use your Cisco.com credentials.
A contract Manager screen listing the contracts associated with your Cisco.com ID appears.
Note
If you do not see the contracts then there are no contracts associated with your Cisco.com ID.
Open a case with Cisco to get access to your contracts.
Step 3
Select Download Contract or Selected Data option from the Action drop-down menu.
Step 4
Select the contracts from the Contract Table.
Step 5
Click Go.
A Download Contract or Selected Data window appears
Step 6
In the Download Contract or Selected Data window, perform the following:

a.
Select Products + Configurations.
b.
Click Save Now radio button, to save a Zip file containing a CSV file in your local system.
c.
Click Send by Email to radio buttion, to receive a zip file containing a CSV file by Email.
Step 7
Go to Import Contracts page and Click Browse to select the downloaded contract file from your local
system.
Step 8
Click Import Contracts File to import the contracts file into the Compliance Engine.
Import Policy Updates

The Import Policy Updates allows a user to manually download policy updates patch file from
cisco.com.
The following steps should be performed for manually downloading the policy updates patch file from
Cisco.com and importing the downloaded policy patch file into the Compliance and Audit Manager
Engine:
Step 1
Go to Admin > Compliance and Audit Settings > Import Policy Updates
Step 2
In Cisco.com, navigate to Home > Products > Cloud and Systems Management > Routing and
Switching Management > Cisco Prime LAN Management Solution > Cisco Prime LAN
Management Solution 4.2 > Compliance Policy Updates.
Step 3
You will be prompted to enter your Cisco.com credentials.
Step 4
Login using your Cisco.com credentials to open the LMS Compliance Policy Updates page in the
browser.
6-8
OL-25947-01
Chapter 6

Step 5
Download the CompliancePolicyUpdates.vX-y.jar patch file, where X is the major version and y is the
minor version.
Step 6
Save the CompliancePolicyUpdates.vX-y.jar patch file in your local system.
Step 7
Go to Import policy updates page and click Browse to select the downloaded
CompliancePolicyUpdates.vX-y.jar file from your local system
Step 8
Click Import Policy Updates to import the CompliancePolicyUpdates.vX-y.jar patch file into the
Compliance Engine.
A message appears indicating the successful importing of policy into the Compliance Engine.
Note
Ensure that the CAAM Server process is re-started to effect the changes.
Restarting CAAM server from User Interface
Perform the following to restart CAAM server from user interface:

Step 1
Go to Admin > System > Server Monitoring > Processes.

Step 2
Select CAAM Server from the Process Management Grid and click stop.
Step 3
After the CAAM server stops, click start to restart the CAAM server.
Restarting CAAM server from CLI
Perform the following to restart the CAAM Server from CLI:

Step 1
Enter NMSRoot/bin/pdterm CAAMServer to stop the CAAM server.
Step 2
Enter NMSRoot/bin/pdexec CAAMServer to start the CAAM server.

where NMSROOT is the root directory of the LMS Server.
Note
The policy updates patch file can be automatically downloaded and posted into the CAAM server by
scheduling a system defined job under Admin > Network > Compliance Policy/PSIRT/EOS/EOL
Settings.

OL-25947-01
6-9
Chapter 6
6-10
OL-25947-01
CH A P T E R

User Tracking application of LMS allows you to track end stations. This chapter contains the following
sections:
Understanding User Tracking
Using User Tracking Administration
Understanding Dynamic Updates
Using User Tracking Utility

User Tracking helps you to locate and track the end hosts in your network. In this way, you get the
information required to troubleshoot and analyze connectivity issues. The application identifies all end
users connected to the discovered Cisco access layer switches on the network, including printers,
servers, IP phones PCs and wireless hosts.
User Tracking collects the details of the end users and the layer 2 connections, and updates User
Tracking table in the LMS database. This is done through automated polling of the network, by User
Tracking (UT) Major Acquisition process.
In addition to polling the network, the Dynamic UT process receives details from the end users and
updates the database dynamically. User Tracking also computes subnet related data and updates the
database with complete host information. Thus you get latest information about the changes in the
connections on your network.
You can also configure User Tracking to collect usernames of the end hosts connected in the network.
The user names are collected from the UTLite process installed in UNIX hosts, Primary Domain
Controller (PDC), or Novell Directory Services (NDS). This makes it easier for you to locate and track
specific users in your network.
You can sort and query the User Tracking table that contains details such as VLANs, switches and switch
ports to which the end users are connected. Predefined reports such as the reports on duplicate IP
addresses or MAC addresses, multiple MAC addresses enable you to accurately locate the end users.
Switch Port reports give you information on:
Recently down ports
Ports that are in unused condition for the specified interval
Connected ports and Free ports
Percentage utilization of ports for each device

OL-25947-01
7-1
Chapter 7
These reports give a clear picture of the switch port utilization in the network and help you in doing
capacity planning for the network. To generate Switch Port reports Select Reports > Switch Port from
the megamenu.
This topic covers:
Using User Tracking
Accessing UT Data
Using User Tracking

You can use User Tracking to:
Display information about the connectivity between the devices, users, and hosts in your network.
For example, you might want to identify all users connected to a particular subnet, or all hosts on a
particular switch.
Display information about the IP phones registered with discovered Media Convergence Servers.
Use simple queries to limit the amount of information User Tracking displays.
Configure or limit the User Tracking acquisition by subnets.
Create and save simple and advanced queries.
Modify, add, and delete username and notes.

You can configure User Tracking Acquisition settings to collect usernames during UT Major
Acquisition and update the UT table. The user names are collected from the UTLite process.
Customize User Tracking table layouts.

For example, you can design a layout that displays only the MAC addresses of hosts on your
network.
View User Tracking reports that identify Switch Port usage, duplicate IP addresses, duplicate MAC
addresses, duplicate MAC and VLAN names, and ports with multiple MAC addresses.
You can also view History Reports for Switch port utilization, and the connection and disconnection
of endhosts and users from your network.
You can set the schedule for generating the reports, and also generate the reports for a subset of
devices.
Launch Device Center, host center, phone center.
Accessing UT Data
The following are the ways to access User Tracking data:
Quick Reports
You can generate End hosts or IP Phones report based on the given filter criteria
For example, you can generate reports on end hosts that belong to a specific VLAN.
To generate these reports, Select Reports > Inventory > User Tracking > Quick Report.
7-2
OL-25947-01
Chapter 7

Scheduled Reports
You can schedule reports that run at the specified date and time. You can generate immediate reports or
schedule them to run once or at repetitive intervals.
Custom Reports
You can customize the layout and columns displayed in the reports to suit your needs. To generate these
reports select Reports > Report Designer > User Tracking > Custom Reports.
Command Line Interface
You can generate various User Tracking reports from the Command Line Interface also.
For more details, see User Tracking Command Line Interface.
Data Extraction Engine is a LMS UTility that allows you to generate User Tracking data in XML format.
For more details, see Overview of Data Extraction Engine.
User Tracking Utility
Cisco Prime User Tracking Utility 2.0 is a Windows desktop utility that provides quick access to useful
information about users or hosts discovered by LMS User Tracking application.
You can use UTU search band to search for the users or hosts in your network. You can search using user
name, host name or IP address, or MAC address.

This section explains the various acquisitions that can be done using LMS, to get information about the
end users.
User Tracking Major Acquisition
Discovers all the end hosts that are connected to the devices managed by LMS.
For details on the various options that can be set before starting an acquisition, see Modifying UT
Acquisition Settings.
User Tracking Acquisition can also be initiated from the CLI prompt. To do so, enter the following
command:
NMSROOT/campus/bin/ut cli
performMajorAcquisition u
userid -p password
where NMSROOT is the directory where you have installed Cisco Prime. For more details, see User
Tracking Command Line Interface.
User Tracking Minor Acquisition
Minor acquisition occurs on a device if any of the following changes take place:
A new endhost or IP phone is added to the network.
Port state changes (when the port comes up or goes down).
A new VLAN is added to the network.
There is a change in the existing VLAN.

OL-25947-01
7-3
Chapter 7
Minor acquisition updates the LMS database with just the changes that have happened in the network. It
is triggered at regular intervals. The default for these intervals is 60 minutes. You can configure the
interval at which the acquisition takes place.
For details on modifying the acquisition interval, see Modifying UT Acquisition Schedule
User Tracking IP Phone Acquisition
Discovers all phones registered in Cisco Call Managers (CCM), that are managed by LMS.
Subnet based User Tracking Major Acquisition
User tracking subnet based acquisition would run only on those subnets that are configured in LMS.
LMS discovers end hosts on all the VLANs available in the configured subnets.
Do subnet based acquisition, when you need details about the end hosts connected to a particular subnet
or a select set of subnets. The acquisition completes faster, since it is not run on all devices managed by
LMS.
For details on running subnet based acquisition, see Configuring UT Subnet Acquisition
Single device on-demand User Tracking Acquisition
This discovers the end hosts on all the VLANs available in the selected device. Hence this acquisition is
useful for collecting information only on end hosts connected to the specified device.
For details on initiating this type of acquisition, see Configuring User Tracking Acquisition Actions

You can perform the following administrative tasks using User Tracking Administration:
Modify Acquisition settings.

Before you start collecting information about the hosts in your network, you can set various options
that control the way in which Acquisition happens.
For example, you can set LMS to perform DNS lookup, while resolving the IP address of a host.
For complete details, see Modifying UT Acquisition Settings
Schedule Acquisition.
You can set the day and time of the week when you want to run Major Acquisition. The time interval
at which Minor Acquisition happens in the network can also be set.
For more details, see Modifying UT Acquisition Schedule
Configure Ping Sweep options for Acquisition.

You can configure LMS to perform Ping Sweep on selected subnets, during Acquisition.
For more details, see Modifying Ping Sweep Options
Configure Subnet Acquisition.

You can trigger acquisition on a single subnet or a select set of subnets. Subnet based acquisition
collects details about the end hosts that are connected to a particular subnet or a select set of subnets.
This Acquisition completes faster, since it is not run on all devices managed by LMS.
For more details, see Configuring UT Subnet Acquisition
7-4
OL-25947-01
Chapter 7

Configure end host and IP phone data delete interval.

You can modify the time interval for deleting entries from the End Host Table, IP Phone Table, or
the History Table from the database.
For more details, see Deleting User Tracking Purge Policy Details
Configure UT Acquisition to discover end hosts connected to non-link trunk ports.

Normally UT Acquisition only discovers end hosts that are connected to access ports. If you enable
this feature, UT Acquisition also discovers end hosts that are connected to non-link trunk ports.
For more details, see Configuring UT Acquisition in Trunk for End Host Discovery
Specify Purge Policy.

You can specify the intervals at which you want old reports and jobs to be purged. You can save the
Purge Policy, so that the older jobs and archives are purged at the specified interval.
For more details, see Specifying User Tracking Report Purge Policy
Specify Domain Name display.

You can specify the way in which domain names are to be displayed in User Tracking Reports.
For more details, see Specifying Domain Name Display.
Import information on end hosts.

You can import user names and notes of end hosts that are already discovered by User Tracking,
from a file.
For more details, see Importing Information on End Host Users
Enable Dynamic User Tracking.

Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps. LMS
tracks changes about the end hosts and users on the network to provide real-time updates, based on
these traps.
For more details, see Understanding Dynamic Updates
Enable Debugging options.

When you face issues in running User Tracking, logging can be enabled for debugging purposes.
For more details, see Debugging Options for User Tracking Server and Debugging Options for User
Tracking Reports

OL-25947-01
7-5
Chapter 7
Viewing User Tracking Acquisition Information

You can view acquisition information.
To view acquisition information:
Step 1
Either:
Select Admin > Collection Settings > User Tracking > Acquisitions Info.
Or
Select Inventory > User Tracking Settings > Acquisition Summary.
The acquisition information appears with the following information:

Field
Description
Acquisition status
Status of the User Tracking Major Acquisition process. It can be

either Idle or Running.
Last acquisition type
Type of User Tracking acquisition that you had performed last time.
Types of acquisition are:
MajorUser Tracking Major Acquisition
DevicesUser Tracking Acquisition for a device
SubnetsUser Tracking Acquisition for subnets
IP PhonesUser Tracking Acquisition for IP phones
Acquisition start time
Date and time at which User Tracking started the Acquisition

process. This is displayed in the format dd mon yyyy hh:mm:ss.
Acquisition end time
Date and time at which User Tracking stopped the Acquisition

process. This is displayed in the format dd mon yyyy, hh:mm:ss
time zone.
Number of acquisitions
Number of major and minor acquisitions performed.
Number of host entries
Number of hosts found after User Tracking acquisition.
Number of duplicate MAC
Number of MAC addresses that have duplicate entries in the list of

hosts found.
Number of duplicate IP
Number of IP addresses that have duplicate entries in the list of end

hosts found.
Number of CCM hosts
Number of Cisco CallManagers in the list of devices found after

Data Collection.
Number of IP phone entries
Number of IP phones available in the LMS managed network.
Last Campus data collection

completed at
Date and time of the previous LMS Data Collection process. This
is displayed in the following format: dd mon yyyy hh:mm:ss time
zone.
Data collection status
Status of the LMS Data Collection process. It can be either Idle or

Running.
7-6
OL-25947-01
Chapter 7

Configuring User Tracking Acquisition Actions

You can trigger the following acquisitions from this page:
Device based Acquisition
Subnet based Acquisition
IP Phone Acquisition
To configure the required acquisition:

Step 1
Either:
Select Admin > Collection Settings > User Tracking > Acquisition Action.
Or
Select Inventory > User Tracking Settings > Acquisition Actions.
The Acquisition Actions dialog box appears.

Step 2
Table 7-1
Configure Acquisition Actions as specified in Table 7-1.
Acquisition Actions
Field
Description
Select a type
You can select the type of acquisition. Type When you select a type of acquisition the appropriate
of acquisition can be:
fields are displayed.
Scope Selection
Device
Subnet
IP Phones
Usage Notes
Select the All hosts and users check box to

acquire information about all hosts and
users in your network.
If you do not select the All hosts and users check box, the
device selection field is enabled and you can enter the
name or IP address of the device for which you require
data.
Device Name or IP Enter the name or IP address of the device

Address
about which data is to be acquired.
Click Select to select the device from the list of available

devices.
Device Selection
Subnets
Type Selection
You can choose to get data about a particular If you choose to acquire data about a particular subnet, the
subnet or about all the configured subnets. subnet selection fields are enabled.
Subnet Selection
Subnet ID
Select the IDs of the subnets on which you

need to get data.
This field is enabled only if you select the Subnet option

in the Type Selection area.
Click Select to select the subnet ID from the list of
available subnets.

OL-25947-01
7-7
Chapter 7
Table 7-1
Acquisition Actions (continued)
Field
Description
Usage Notes
Subnet Mask
Enter the subnet mask.
If you select the subnet ID, the subnet mask is

automatically entered.
Acquire Only
VLAN Specific to
Subnet
Select this check box to get data only about

the VLANs specific to the subnet.
If you select this check box, only the work stations

associated with the VLANs that are mapped to the
selected subnets will be acquired.
If you do not select this check box, work stations

associated with all the available VLANs in the
You do not have to specify any details for the IP Phones option.
Step 3
Click Start Acquisition.
Using User and Host Acquisition

You can modify the Acquisition settings and Acquisition schedule using the User and Host Acquisition
option.
Modifying UT Acquisition Settings
Configuring Rogue MAC List
Modifying UT Acquisition Schedule
Modifying Ping Sweep Options
Configuring UT Subnet Acquisition
Deleting User Tracking Purge Policy Details
Importing Information on End Host Users
Modifying UT Acquisition Settings

You can modify User Tracking Acquisition settings.
Modifying Acquisition Settings from UI
UT Behaviour in DHCP Environment for Missing IP address
Configuring Properties That Support Duplicate MAC Addresses
Configuring User Tracking Properties from the Backend
7-8
OL-25947-01
Chapter 7

Modifying Acquisition Settings from UI
To modify acquisition settings:

Step 1
Select Admin > Collection Settings > User Tracking > Acquisition Settings.
The Acquisition Settings dialog box appears.
Step 2
Table 7-2
Modify the acquisition settings as specified in Table 7-2.
Acquisition Settings Field Description
Field
Description
Usage Notes
Enable User Tracking for

DHCP Environment
Enables User Tracking for DHCP

Environment.
If you enable this property, it allows you to control

inclusion and exclusion of Duplicate MAC addresses in the
Acquisition.
To understand the behavior of User Tracking in case of
missing IP address, see UT Behaviour in DHCP
Environment for Missing IP address.
For details on properties that support Duplicate MAC
addresses, see Configuring Properties That Support
Duplicate MAC Addresses.
Enable User Tracking on

Access Points
Enables User Tracking on Access

Points
This is enabled by default and allows UT Major Acquisition

process to collect Access point information. However,
WlseUHIC cannot collect Wlse related end host
information.
If disabled, it precludes Access point acquisition. However,
WlseUHIC collects Wlse related end host information.
Get user names from

UNIX hosts
Select this option to allow

Acquisition to collect the active
usernames of UNIX hosts.
Collects information only for users, who are logged into the
console port of the UNIX hosts.
UNIX user names are updated at

the end of major acquisitions.
Get user names from hosts Allows LMS to collect active user This option helps you to:
in NT and NDS
names on the Windows or Novell
Collect information only for users who are currently
Directory Service (NDS) servers.
logged into the network.
Collect information from NDS hosts. You must use

NDS 5.0 or later.
For this option you need to install the UTLite script.

OL-25947-01
7-9
Chapter 7
Table 7-2
Acquisition Settings Field Description (continued)
Field
Description
Usage Notes
Use DNS to resolve host

names
Resolves host names using DNS.
User Tracking performs DNS Lookup for a host to resolve

its IP address.
When you choose this option the Advanced button is
enabled. Click on this to launch the Advanced UT
Acquisition Settings window.
The following options are available:
DNS threads
Number of parallel threads allowed for name
resolution. The default value is 1. Maximum number of
threads allowed is 12.
DNS Timeout
Time duration for which UT waits for a response from
the DNS server, for name resolution. The value should
be entered in milli seconds. The default value is 2000
milliseconds (2 seconds).
Enter values and click OK to save changes.

User Port Number
Specify the UDP port number from You must use the default port number unless it is already in
where logon and logoff messages use. This port number must match the port indicated in the
login script.
are received from hosts in
Windows and NDS.
Rogue MAC Detection
Enable notification when Rogue

LMS sends e-mails to the specified addresses, when
MACs are detected in the network. unauthorized end hosts are detected in the network.
E-Mail
Specify the E-mail IDs to be

notified when Rogue MACs are
detected in the network.
Define Rogue MACs
Specify the list of Rogue MACs in For details, see Configuring Rogue MAC List.
the screen that is launched.
New MAC Detection
Enable notification when new

LMS sends e-mails to the specified addresses, when new
MACs are detected in the network. end hosts are detected in the network.
E-Mail
Specify the E-mail IDs to be

notified when new end hosts are
detected in the network.
You can enter multiple E-mail IDs separated by commas.

This field is enabled only when you check the Rogue MAC
Detection field.
You can enter multiple E-mail IDs separated by commas.

This field is enabled only when you check the New MAC
Detection field.
Step 3
Click Apply to save the modifications in the settings.
Step 4
Click Start Acquisition to start User Tracking Acquisition with the modified settings.
7-10
OL-25947-01
Chapter 7

Selecting the Enable User Tracking for DHCP Environment property allows you to control inclusion
and exclusion of Duplicate MAC addresses in UT Acquisition.
LMS will not get the IP address of end hosts, if the Router is not reachable or if it is excluded from DCR. In
such cases, behaviour of User Tracking after enabling Enable User Tracking for DHCP Environment
property, is explained in Table 7-3.
The conventions used in Table 7-3 are:
Note
Table 7-3
MACx MAC address of the endhost
IPx IP address of the endhost
Device x Device to which the end host is connected.
Time in xx:xx format Time entries in the Last seen column
NA Not Available.
The explanation given for scenarios 1 and 2 holds good, irrespective of the value set for Enable User
Tracking for DHCP Environment property.
Scenario
Explanation
What gets Updated in Database
For an endhost, if the IP address is

not available in the first UT
acquisition, but is available in the
next, the IP address field in the
database is updated with the value
that is currently discovered.
MAC1
IP1
Device 1
6:40
For an endhost, if the IP address is MAC1

available in the first UT acquisition,
but is not available in the next, the
older value for IP address is
retained in the database.
IP1
Device 1
6:50
MAC1
For an endhost with Single MAC
address but multiple IP addresses, if MAC1
UT does not get the IP address in
the current acquisition, it retains the MAC1
older values in the database.
IP1
Device 1
7:00
IP2
Device 1
7:00
IP3
Device 1
7:00
Scenario1: Missing IP Address

MAC1
NA
Device 1
6:35
MAC1
IP1
Device 1
6:40
Scenario 2: Missing IP Address

MAC1
IP1
Device 1
6:45
MAC1
NA
Device 1
6:50
Scenario 3: Single MAC, Multiple IP

Addresses
MAC1
IP1
Device 1
6:55
MAC1
IP2
Device 1
6:55
MAC1
IP3
Device 1
6:55
MAC1
NA
Device 1
7:00
Scenario 4: Dynamic change in IP

Address

OL-25947-01
7-11
Chapter 7
Table 7-3
Scenario
Explanation
What gets Updated in Database
MAC1
IP1
Device 1
4:00
MAC1
IP1
Device 1
4:00
MAC1
IP2
Device 1
5:00
IP2
Device 1
5:00
MAC1
IP3
Device 1
6:00
IP3
Device 1
7:00
MAC1
NA
Device 1
7:00
MAC1
For an endhost with different IP
addresses at different points of
MAC1
time, if UT does not get the IP
address in the current acquisition, it
retains the value that was last
discovered.
When an end host moves between MAC1

devices, if UT does not find the IP
address in the current acquisition, it
retains the IP address value that was
last discovered for that device.
IP1
Device 1
6:00
Scenario 5: Endhost moving between

devices
MAC1
IP1
Device 1
4:00
MAC1
IP1
Device 2
5:00
MAC 1
NA
Device 1
6:00
Configuring Properties That Support Duplicate MAC Addresses
The following properties can be configured in the ut.properties file stored in

NMSROOT/campus/etc/cwsi/
where NMSROOT is the root directory where you installed Cisco Prime.
Table 7-4 lists the properties that support Duplicate MAC Addresses
Table 7-4
Properties Supporting Duplicate MAC Addresses
Property
Description
UT.DuplicateMac.Include_SwitchPorts
List of switchports connected to endhosts, for which

duplicate MAC entries need to be included in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.
UT.DuplicateMac.Exclude_SwitchPorts
List of switchports connected to endhosts, for which

duplicate MAC entries need to be excluded in UT Major,
Acquisition.
UT.DuplicateMac.Include_Switches
List of switches connected to end hosts, for which

Acquisition.
UT.DuplicateMac.Exclude_Switches
List of switches connected to end hosts, for which

Acquisition.
UT.DuplicateMac.Include_Vlans
List of VLANs associated with endhosts, for which

Acquisition.
7-12
OL-25947-01
Chapter 7

Table 7-4
Properties Supporting Duplicate MAC Addresses
Property
Description
UT.DuplicateMac.Exclude_Vlans
List of VLANs associated with endhosts, for which

Acquisition.
UT.DuplicateMac.Include_Subnets
List of subnets associated with endhosts, for which

Acquisition.
UT.DuplicateMac.Exclude_Subnets
List of subnets associated with endhosts, for which

Acquisition.
For the above list of properties:
Values should be separated by commas.
IP addresses of the devices should be given.
Port numbers should be given along with the device IP address as deviceip:port.
The Exclude list takes precedence over the Include list.
The usage scenario for the above lists is as follows:
If you use the Include list OR the Exclude list alone, the duplicate MAC addresses will be included
or excluded as specified.
For example, if you set the Include list as,
UT.DuplicateMac.Include_Switches=X,Y
Duplicate MAC addresses will be allowed only for endhosts connected to Switches X and Y.
Duplicate addresses will not be allowed for any other endhost.
If you set both Include and Exclude list as,

UT.DuplicateMac.Include_Switches=X,Y
UT.DuplicateMac.Exclude_Switches=A,B
Duplicate MAC addresses will not be allowed for endhosts connected only to Switches A and B.
Duplicate addresses will be allowed for all other end hosts, even for those connected to switches not
specified in the Include list. Thus when an Exclude list is set, the Include list is ignored.
The above examples hold good for the Include/Exclude lists of Switchports, Subnets and VLANs.
The order of priority for the property list is as follows:

a. SwitchPorts
b. Switches
c. VLANs
d. Subnets

OL-25947-01
7-13
Chapter 7
The SwitchPorts list has the highest priority, followed by Switches, VLANs and Subnets list.
For example, if you set
UT.DuplicateMac.Include_SwitchPorts=10.77.211.33:3/2
UT.DuplicateMac.Exclude_Switches=10.77.211.33
Although the switch 10.77.211.33 is in the Exclude list, a switchport belonging to that switch is also
present in the Include list. So Duplicate MAC addresses will be allowed for that port on the switch.
Thus the SwitchPorts list has higher priority over the Switches list.
Configuring User Tracking Properties from the Backend
This section explains the new user configurable properties that have been added to UT.
You can configure properties that control DNS name resolution and history reports, by editing them in
the file ut.properties, stored in
NMSROOT/campus/etc/cwsi/
7-14
OL-25947-01
Chapter 7

Table 7-5 lists the new properties added to UT:

Table 7-5
Configuring User Tracking Properties
Property
Default Value
Description
HistoryHostPurgeTime
10 days
Purges history entries that are older than the specified time.
The value should be provided in minutes.
For example,
If you want to purge entries older than 10 days, set
HistoryHostPurgeTime=14400
UT.nameResolution
both
Name resolution for end hosts using Java APIs JNDI and
InetAddres.This property can have the following values:
wins (Use only InetAddress)
dns (Use only JNDI)
wins,dns (First InetAddress then JNDI)
both (JNDI first and InetAddress next)
UT.nameResolution.dnsTimeout
2000
Time duration for which UT waits for response from the DNS
server, for name resolution. The value should be entered in
milliseconds.
UT.nameResolution.winsTimeout
2000
Time duration for which UT waits for response from the DNS
server, for name resolution.The value should be entered in
milliseconds.
This property must be enabled only for windows server.
UTMajorUseDNSCache
false
Uses cache memory for name resolution in subsequent User

Tracking discoveries.
User Tracking performs DNS Lookup for a host only if the IP
address of the host is being resolved for the first time.It does
not perform DNS Lookup for every Major Acquisition.
This helps the application to reduce the number of queries
during User Tracking Acquisition. This in turn reduces the
time taken for Acquisition process.
UT.RunLookupAnalyzer
OFF
To analyze the performance of DNS servers and provide the

following information in the NMSROOT\log\ut.log file:
DNS Server Efficiency for each DNS Server
Overall Summary of DNS Servers
Namelookup related settings in ut.properties file
Issues found and recommendations to overcome them
Set the value to ON to turn on the feature.

You need not enable debugging for UT to get the
LookupAnalyzer data in the ut.log file.
For details on running Lookup Analyzer utility from the
command prompt and example output of the utility, see Using
Lookup Analyzer Utility

OL-25947-01
7-15
Chapter 7
Configuring Rogue MAC List

MAC Addresses that are not authorized to exist in your network are termed as Rogue MAC addresses.
When you enable the Rogue MAC notification feature, you need to define the list of MAC addresses that
are to be classified as unauthorized addresses in the network.
You can also import MAC addresses to Acceptable OUI either from a file or directly from UT.
If you import the MAC Addresses from a file or directly from UT, the MAC addresses in the file are
converted to OUIs before you add them to the Acceptable OUI list.
To do so:
Step 1
Select Admin > Collection Settings > User Tracking > Acquisition Settings.
The User Tracking Acquisition settings window appears.
Step 2
Click Define Rogue MACs.

The Rogue MAC Configuration window appears. The lists displayed in the window are:
Rogue MAC/OUI List
Acceptable MAC/OUI List
Step 3
Click Add MAC/OUI to add new entries to the list.

The Add MAC/OUI window appears.
The Organizationally Unique Identifier (OUI) is a 24-bit number. It is used as an identifier to uniquely
identify the vendor, manufacturer, or a worldwide organization.
An OUI reserves a block of each type of derivative identifier, such as MAC addresses, group addresses,
and Subnetwork Access Protocol identifiers. It is used to identify a network interface controller (NIC),
network protocol, or MAC addresses for Ethernet.
In case of MAC addresses, OUI is combined with a 24-bit number to form the address. The first three
octets of the address are the OUI.
7-16
OL-25947-01
Chapter 7

The Add MAC/OUI page is as explained in Table 7-6:

Table 7-6
Populating the MAC/OUI list
Property
Description
Select Mode
Provides the following options to add MAC addresses to

MAC/OUI List:
Add MAC/OUI
Manual Enables you to add MAC/OUI to either the

Acceptable MAC/OUI List or to the Rogue MAC/OUI
list. The Manual Add option is selected by default.
Import from file Enables you to import MAC

Addresses from a file to the Acceptable MAC/OUI List
Import from UT Enables you to import MAC

Addresses directly from UT to Acceptable MAC/OUI
List
Enter the MAC Address or OUI in the text box provided.

The values should be separated by spaces, tabs, or commas.
You can also enter values on separate lines.
The address can have only hexa decimal numbers separated
by hyphen.
Example:
00-c0-1d-99-06-b6
OUI List
Displays predefined values in LMS. You can select values

from the list, to add to the Rogue OUI or Acceptable OUI
list.
To add more values to the list, add them to the Property file:
NMSROOT/campus/etc/cwsi/OUI.properties
where NMSROOT is the directory where you installed
Cisco Prime.
To get the latest OUIs listed by IEEE, see
http://standards.ieee.org/regauth/oui/index.shtml

OL-25947-01
7-17
Chapter 7
Step 4
Select any of the following:
Manual Add
a.
Select the required OUIs from the list displayed in OUI List.
b.
Click either the Add to Rogue MAC List or the Add to Acceptable MAC List, based on your
requirement.
The MAC or OUIs that you enter in the ADD MAC or in the OUI textbox will be added to the list
that you selected.
Import From File
a.
Click Browse and browse to the folder location and choose the file to be imported
b.
Click the Import to Acceptable OUI list.

The MACs are converted to OUIs before you add them to the Acceptable MAC/OUI list.
Import From UT
Click the Import to Acceptable OUI list. The MACs are converted to OUIs prior to adding them to
the Acceptable MAC/OUI List.
It is mandatory that the file that is imported to Acceptable MAC/OUI list must include the header MAC Address followed by MAC Address entries.
For example: In the example, the file to be imported includes a MAC Address column with MAC
Address entries.
MAC Address
MAC 1
MAC 2
MAC 3
The newly added values are reflected in the Rogue MAC Configuration screen.
Step 5
Check Consider unqualified MAC as Rogue

When you check this, LMS treats any new MAC address coming into the network as Rogue MAC. This
is if it is not defined in the Acceptable MAC list.
Step 6
Click any of the following:
Save
Saves the settings to the server. They come into effect in the next UT Major Acquisition cycle.
If Dynamic User Tracking is running, notification for new or Rogue MACs detected in the
network, are sent immediately.

If WLSE is integrated with LMS, notification for wireless MACs detected in the network is sent.
Delete
Deletes entries.
Cancel
Cancels changes and closes the window.
7-18
OL-25947-01
Chapter 7

Modifying UT Acquisition Schedule

You can modify UT acquisition schedule.
To modify acquisition schedule:
Step 1
Select Admin > Collection Settings > User Tracking > Acquisition Schedule.
The Acquisition Schedule dialog box appears.
Step 2
Start the user tracking major acquisition for all or failed devices as specified below:
Select either All devices or Failed devices .
Click Start to start the user tracking major acquisition immediately for the selected devices.
The UT Acquisition Confirmation pop up appears.
Click OK to start user tracking acquisition. A success message appears. Click OK.
To cancel the user tracking acquisition process, click Cancel.
Step 3
Table 7-7
Modify the acquisition schedule as specified in Table 7-7.
Acquisition Schedule Field Description
Field
Description
Usage Notes
Minor Acquisition
Specify, in minutes, the periodicity at which a

minor acquisition should take place.
None.
Major Acquisition
Specify the time at which a major acquisition is to None.

take place.
Specify the days of the week on which a major
acquisition is to be scheduled.
Days, Hour, Min
Days on which and the time at which a major

acquisition is to be carried out.
You can add new schedules and edit or delete

existing schedules.
Recurrence Pattern
Select the days of the week on which a major

acquisition is to be scheduled.
This field is available only when you are adding

or editing a schedule.
Step 4
Select the schedule and do any of the following:
Click Edit to edit the schedule.
Click Delete to delete the schedule.
Click Add to add a new schedule.
Step 5
Click OK to save the changes or Cancel to cancel the changes.
Step 6
Click Apply after adding or editing a schedule.

OL-25947-01
7-19
Chapter 7
Modifying Ping Sweep Options

A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine
the range of IP addresses that map to live end hosts (computers). You can use a single ping to find out
whether a specific end host exists on the network.
A Ping Sweep consists of ICMP (Internet Control Message Protocol) ECHO requests sent to multiple
hosts. If a given address is live, it will return an ICMP ECHO reply. Ping sweeps are among the older
and slower methods used to scan a network.
When Ping Sweep is enabled in LMS, the UTPing program in NMSROOT/campus/bin will be invoked
during acquisition to send out a sweep of pings for each subnet.
Before collecting information from a device, the subnets connected to the device are pinged. This serves
as a connectivity check, as well as loads the ARP table of the layer 3 device with the latest information.
After pinging, acquisition process starts collecting end host information from the device.
To modify Ping Sweep options:
Step 1
Select Admin > Collection Settings > User Tracking > Ping Sweep.
The Ping Sweep dialog box appears.
Step 2
Choose any of the following:
Disable Ping Sweep
Perform Ping Sweep on all subnets
Exclude subnets from Ping Sweep

When you choose Exclude subnets from Ping Sweep, select the subnets that you want to exclude
from Ping Sweep. You can select subnets from the list of available subnets and add to the list of
subnets to be excluded.
Step 3
Specify the Wait Interval, if Ping Sweep is enabled.

Wait Interval is the time duration between pinging subnets. The interval ensures that the network is not
flooded with ping packets.
For example, assume that you have included 4 subnets for pinging, and set the wait interval to 10
seconds.
If Subnets 1 and 2 are connected to Device 1, and Subnets 3 and 4 are connected to Device 2, then 10
seconds lapse between pinging Subnets 1 and 2. After pinging both the subnets, acquisition starts on
Device 1. Same happens with Device 2.
Step 4
Click Apply.
User Tracking does not perform Ping Sweep on large subnets.
For more details, see Notes on Ping Sweep Option.
7-20
OL-25947-01
Chapter 7

Notes on Ping Sweep Option

User Tracking does not perform Ping Sweep on large subnets, for example, subnets containing Class A
and B addresses. Hence, ARP cache might not have some IP addresses and User Tracking may not
display the IP addresses.
Ping Sweep will not refresh the ARP cache, if firewall or Access Control List is enabled to block the
ICMP packets to the network devices. Hence, User Tracking will not display the IP addresses of the
associated hosts.
In larger subnets, the Ping process leads to numerous ping responses that might increase the traffic on
your network and result in extensive use of network resources.
You can increase the value of the wait interval. Wait interval helps the ping response traffic to settle,
which may appear as Denial Of Service (DOS) or may affect the functioning of router by high CPU
usage.
To perform Ping Sweep on larger subnets, you can:
Configure a higher value for the ARP cache time-out on the routers. To configure the value, you
must use the arp time-out interface configuration command on devices running Cisco IOS.
Use any external software, that will enable you to ping the host IP addresses. This will ensure that
when you run User Tracking Acquisition the ARP cache of the router contains the IP addresses.
Configuring UT Subnet Acquisition

You can configure LMS to perform User Tracking Acquisition on selected subnets. These configurations
are used for User Tracking Major Acquisition and Configured Subnets based acquisition. You can choose
to include or exclude specified subnets to perform User Tracking major acquisition.
To configure Subnet acquisition:
Step 1
Select Admin > Collection Settings > User Tracking > Subnet Acquisition Configuration.
The Configure Subnet Acquisition dialog box appears.
Step 2
Select either of the following options:
Perform acquisition on all subnets

All the subnets are included for User Tracking Major Acquisition. If you select this option do not
perform steps 4 and 5.
Or
Perform Subnet-based acquisition

The action depends on the Filter value.
Step 3
Select either of the following Filter values:
Perform major acquisition on selected subnets

All subnets added to the Selected Subnets list are included for User Tracking acquisition.
Or
Do not perform major acquisition on selected subnets

All subnets added to the Selected Subnets list are excluded for User Tracking acquisition.

OL-25947-01
7-21
Chapter 7
Step 4
Select subnets from the list of Available Subnets and add them to the list of Selected Subnets.
In the User Tracking Acquisition Action page (Admin > Collection Settings > User Tracking >
Acquisition Action), the Acquire Only VLAN Specific to Subnet check box is available.
If you select this check box, only the work stations associated to the VLANs that are mapped to the
If you do not select this check box, work stations associated to all the available VLANs in the
For more information, see Configuring User Tracking Acquisition Actions.

Step 5
Click Apply.
Deleting User Tracking Purge Policy Details

Using this option, you can modify the time interval and delete entries from the End Host Table, IP Phone
Table, or the History Table from the database.
To delete user tracking purge policy details:
Step 1
Select Admin > Network > Purge Settings > User Tracking Purge Policy.
The Delete Interval dialog box appears.
Step 2
Specify delete intervals for end host, IP phone and history tables.
Step 3
Either:
Click Delete now to delete the entries immediately.

If you select this step do not perform Step 4.
Or
Select Delete After Every Major Acquisition.

If you select this option, LMS will delete records older than the specified interval, after every UT
Major Acquisition.
Step 4
Click Apply.
7-22
OL-25947-01
Chapter 7


Normally UT Acquisition discovers end hosts connected only to access ports. If you enable this feature
UT Acquisition discovers end hosts connected to non-link trunk ports also.
LMS classifies trunk ports as follows:
Link ports Trunk ports connected to Cisco devices (Switch or Router).
Non-link ports Trunk ports connected to end hosts or IP phones.
Scenarios where a Trunk port is connected to an end host:
In a switched network, many clients from different VLANs might access an enterprise resource, such as
a database server.
If the server has only a standard EthernetNIC, it can belong to only one VLAN. Clients that belong to a
different VLAN would have to send their traffic to a router. The router forwards the frames to the
database server. The problem with this approach is the latency introduced by the router.
To overcome this, a trunk-capable NIC card can be placed in the server that understands multiple VLAN
information. With this arrangement, an end station need not send its frame to the router. Instead it can
directly access the file server. This makes the access much faster.
To configure trunk ports:
Step 1
Select Admin > Collection Settings > User Tracking > Acquisition Configuration in Trunk.
The Configure Trunk for End Hosts Discovery page appears.
Step 2
You can:
Select Enable End Host Discovery on all Trunks to include all non-link trunk ports in UT
Major Acquisition. After choosing this option, go to Step 8.

Select Enable End Host Discovery on selected Trunks to include only the required set of
non-link trunk ports in UT Major Acquisition. After choosing this option, go to Step 3.
Select Disable End Host Discovery on Trunks to disable this feature. For this option, only the
end hosts connected to access ports will be discovered by UT Major Acquisition. After choosing
this option, go to Step 8.
Step 3
Select the list of switches where end hosts are connected to trunk ports, from the device selector.
Step 4
Click Show Trunks.

This displays the list of non-link trunk ports from the selected switches. Non-link trunk ports in down
state are also listed here.
If you have selected devices that do not have non-link trunk ports, a message is displayed indicating the
same. Change your selection to devices that have non-link trunk ports and click Show Trunks, to display
the ports. Link ports are not listed here.
Step 5
Select the list of trunk ports where end hosts are connected from the Available Trunks list.
Step 6
Click Add.
The selected ports are displayed under the Selected Trunks list.

OL-25947-01
7-23
Chapter 7
Step 7
Select either
Discover End Hosts on Trunks to include the selected ports in UT Major Acquisition.
Or
Step 8
Do not Discover End Hosts on Trunks to exclude the selected ports from UT Major Acquisition.
Click Apply.
This saves the configuration on the server.
After saving the configuration, run Data Collection. End hosts connected to trunk ports will be
discovered in successive UT Major Acquisitions.
For Dynamic User Tracking to track end hosts connected to trunk ports, enable SNMP traps in these
ports. For details on Enabling SNMP traps, see Enabling SNMP Traps on Switch Ports.
Importing Information on End Host Users

You can import from a file, user names and notes for end hosts already discovered.
To import information in end host users:
Step 1
Select Admin > Collection Settings > User Tracking > Table Import.
The End Host Table Import dialog box appears.
Step 2
Specify the name of the file from which you are importing the end host table data.
Step 3
Click Apply.
Note
We recommend that you import a .CSV or .txt file. The imported file must have the following mandatory
headers: MAC Address, User Name and Notes.
For example:
MAC1 Peter Finance department

User Tracking generates reports on various functions and attributes of the end hosts and devices
connected to your network that are managed by LMS. These reports are generated by polling the network
at intervals set by the network administrator.
In addition to polling the network at regular intervals, LMS tracks changes in the end hosts and users on
the network to provide real-time updates.
Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps.
When an endhost is connected to a switch managed by LMS, an SNMP MAC notification trap is sent
immediately from the switch to the LMS Server, indicating an ADD event. This trap contains the MAC
address of the end host connected to the switch.
7-24
OL-25947-01
Chapter 7

Similarly if an end host is disconnected from a switchport, an SNMP MAC notification trap is sent from
the switch to the LMS indicating a DELETE event. Thus LMS provides real time data about end hosts
coming into and moving out of the network.
Traps from suspended devices are not processed by LMS.
The difference between a UTMajor Acquisition and a Dynamic UT process is:
LMS collects data from the network at regular intervals for UTMajor Acquisition.
In Dynamic UT, the devices send traps to LMS as and when changes happen in the network.
This implies that you need not wait till next UTMajor Acquisition cycle to see the changes that have
happened in your network. This is an improvement over the earlier versions, where updates on endhost
information happened based on the polling cycle.
As a result of Dynamic updates, the following reports contain up-to-date information:
End-Host Report
Contains information from UT Major Acquisition and the recently added end-hosts.
History Report
Contains information from UT Major Acquisition and the recently disconnected end-hosts or
end-hosts that have moved between ports or VLANs.
Switch Port reports

Contains information about the utilization of switch ports.
SNMP Traps are generated when a host is connected to the network, disconnected from the network or
when it moves between VLANs or ports in the network.
To enable the Dynamic Updates feature:
Switches must be managed by LMS.
Configure LMS as a primary or secondary receiver of the MAC notifications. For details, see SNMP
MAC Notification Listener.
Configure all devices to send traps to the Trap Listener port of the LMS server (This is the port
number that you would have configured on LMS Administration screen). For more details, see
Enabling SNMP Traps on Switch Ports.
Configure DHCP snooping on the switches

Dynamic Host Configuration Protocol (DHCP) snooping is a security feature that filters untrusted
DHCP message received from outside the network or Firewall, and builds and maintains a DHCP
snooping binding table.
LMS queries the CISCO-DHCP-SNOOPING-MIB to get the IP address of the end-host connected.
For details on configuring DHCP, see
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configurati
on/guide/scg.html
User Tracking collects username and IP address through UTLite for Windows environment. For
more details, see Understanding UTLite.
In a Windows environment you can either install UTLite or configure DHCP snooping to get IP address
of the end host. They can also co-exist.

OL-25947-01
7-25
Chapter 7
If you have neither installed UTLite nor enabled DHCP snooping, the IP address of the end-host
connected will be updated only in the next UT Major Acquisition cycle. The ARP cache of the device
should be populated with the IP address, for UT Major Acquisition to discover it.
The User Tracking Dynamic Updates process includes:
User Tracking Manager (UTManager) Process
UTLite

MAC User-Host Information Collector tracks wired end users dynamically. It receives MAC
notifications from the switches either directly or through LMS or HPOV.
After receiving the MAC notifications, MACUHIC validates the traps as follows:
Checks whether the traps are generated from a switch managed by LMS.
Checks whether the source is an access port.
If the traps are from valid sources:
Updates LMS database.
Informs UTManager if the trap is received for an ADD event.
User Tracking Manager (UTManager) Process

UTManager receives the information from MACUHIC about the ADD MAC notification trap that is
received. This information is not complete and can be completed using updates from DHCP or UTLite
or from both.
In the UTLite process, UTLite receives details of changes in username, and the time at which the host
has logged in or logged out of the network.
UTLite
UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active
Directory, and Novell servers.
To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell
servers. You can also install UTLite in an Active Directory server.
For complete information, see Understanding UTLite.
When an end-host is connected to your network, the following happens in the background.
1.
The switch to which it is connected sends a MAC notification.
2.
The MACUHIC process in LMS receives the MAC notification either directly from the switch or
through other applications like LMS Monitor and Troubleshoot module or HPOV.
3.
After processing this MAC notification, MACUHIC informs the UTManager.
7-26
OL-25947-01
Chapter 7

4.
LMS updates the database with the username and IP Address received from the UTLite. Database
does not contain the complete information about the end host.
5.
UTManager finds the following details:

Subnet, VTP domain, VLAN, Port duplex, and port speed from XML files generated after Data
Collection.
Hostname from DNS Server
LMS updates the database with the complete User Tracking information for the host.
The User Tracking end host history reports, end host reports, reports on switch ports, wireless clients,
duplicate MAC addresses, and duplicate IP addresses, use this updated information while generating
reports.
Viewing Dynamic Updates Process Status

You can check whether the Dynamic Updates processes are running or not.
To check the status:
Step 1
Select Admin > Collection Settings > User Tracking > Dynamic Update Process Status.
The Dynamic Updates Process Status window appears.
If you have started the process already, the status window shows Dynamic Updates Processes are
RUNNING.
Step 2
Click Stop to stop the Dynamic Updates processes.

The Stop button then toggles to Start, and the status window shows Dynamic Updates Processes are
When you stop these processes, LMS stops processing traps sent by devices.
STOPPED.
Step 3
Click Start to restart the Dynamic Updates processes.

The Start button again toggles to Stop.
Enabling SNMP Traps on Switch Ports

You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a
host is connected to or disconnected from that port.
Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps.
You can configure the ports CLI (see the Appendix Commands to Enable MAC Notification Traps on
Devices ) or Through LMS Interface.
Ensure that you have configured System Identity User under Admin > Trust Management > Multi
Server > System Identity Setup, and the same username and password is configured under Admin >
System > User Management > Local User Setup.
If you do not have Configuration Management functionality enabled on your LMS Server, you have to
manually configure the switches, for the switches to send MAC Notifications to the LMS server.

OL-25947-01
7-27
Chapter 7
Note
LMS supports only those switches that contain the Management Information Base (MIB) named MAC
Notification, for enabling the SNMP traps.
Through LMS Interface
Prerequisites to enable MAC Notification on switches through LMS UI:
The switches must be managed by LMS.

If the devices are managed in SNMP version 2 (SNMPv2), you need to configure the Read as well
as the Write community strings to enable MAC Notification in the switches.
Note
Configure the LMS server secondary credentials in LMS, you can set it up at Admin > Collection
Settings > Config > Secondary Credential Settings. For more details, see Secondary Credentials.
LMS configures SNMP MAC Notification version 1 as the default version on switches for Dynamic
Updates.
To enable MAC notification in switches:
Step 1
Select Admin > Collection Settings > User Tracking > Device Trap Configuration.
The Configure Trap on Devices dialog box appears.
Step 2
Select the switches for which you want to enable the traps, from the Device Selector.
Step 3
Click Configure to see the devices that you have selected.
Step 4
Click Configure to configure MAC notification on the ports in the devices.

The Configure MAC-Notification Trap on Ports dialog box appears. Table 7-8 describes the entries in
the Configure MAC-Notification Trap on Ports dialog box.
Table 7-8
Configure MAC-Notification Trap on Ports Field Description
Field
Description
Add LMS Server as Trap

Receiver
Check the check box to configure devices, to send SNMP traps to LMS.
Trap Community
Set a community string for the SNMP traps sent by devices. This property
is enabled only when LMS is the Primary receiver for SNMP traps. This
string is added to the list of valid strings in the Dynamic User Tracking
Configuration screen.
Set as Dynamic User

Tracking Default
Check the check box to make this community string as the default for
future configurations, if LMS is the Primary Trap receiver.
Filter
Allows you to filter the ports listed, based on port name, device name and
the device address (IP address of the device).
Trap Receiver Port
Port number that you entered for receiving traps.
To configure LMS to listen to traps sent from devices, see Configuring

SNMP Trap Listener.
The default trap receiver port number of the LMS server is 1431.
Port
Name of the port.

Access ports as well as Non-link Trunk ports are listed.
7-28
OL-25947-01
Chapter 7

Table 7-8
Configure MAC-Notification Trap on Ports Field Description (continued)
Field
Description
Device Name
Name corresponding to IP address of the switch.
Device Address
IP address of the switch.
Rows per page
Select to view 10 to 50 rows on a page.
Step 5
Check the check boxes to select the ports that you want to enable SNMP traps.
Step 6
Click Configure to enable the SNMP traps.

An Information window appears.
Step 7
Click OK.
SNMP MAC Notification Listener

You must enable the switches to send SNMP MAC notifications to the listener, to avail the Dynamic
Updates feature. After you enable the switches, you can choose either LMS Monitor and Troubleshoot
module, or HP OpenView (HPOV) as the primary listener for MAC notifications.
Note
If you select LMS as the Primary listener, the MAC notifications reach the application directly from
the switches.
If you select LMS as the Secondary listener, (with HPOV or LMS Monitor and Troubleshoot module
as the primary listener), MAC notifications reach LMS through HPOV or LMS Monitor and
Troubleshoot module.
Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps.
To select the MAC notification listener, see the following sections:
Configuring SNMP Trap Listener
HPOV as Primary Listener
LMS Fault Monitor Module as Primary Listener
Configuring SNMP Trap Listener

LMS receives SNMP traps directly from the switches, unless you configure the port to direct the traps
through HP Open View (HPOV) or Cisco Prime Monitoring Services.
To configure the trap listener:
Step 1
Select Admin > Collection Settings > User Tracking > Trap Listener Configuration.
The Trap Listener Configuration dialog box appears.
Step 2
Check Listen traps from Device to configure the trap reception directly from the devices
This makes LMS as the primary listener for receiving SNMP traps from devices.
OR

OL-25947-01
7-29
Chapter 7
Check Listen traps from Fault Monitor/HPOV to receive the traps through these applications.
In this case, LMS Fault Monitor or HPOV act as the primary listener for SNMP traps from devices. They
forward it to LMS which acts as the secondary listener for traps.
If both options are enabled, LMS can receive traps directly from devices, from HPOV and from LMS
Fault Monitor module.
Step 3
Enter the port number of the port through which you want to receive the traps, in the Trap Listener Port
field.
The default trap listener port number of the LMS server is 1431.
Step 4
Click Apply to save the details.
HPOV as Primary Listener

If you select HPOV as the primary listener, you must perform the following to receive the Dynamic
Updates through LMS:
Install Cisco Works Integration Utility
Install Trap Adapter for HPOV
The supported versions of HPOV are HPOV 7.50, HPOV 7.51 and HPOV 7.53.
Install Cisco Works Integration Utility
You must have Cisco Prime Integration Utility (Integration Utility) installed on your system. Integration
Utility is a utility that integrates Cisco Prime applications with third-party Network Management
Systems (NMS).
This utility is available as part of the DVD in the LMS 4.0.
This integration utility adds Cisco device icons to topology maps, allows Cisco MIB browsing from
NMS, and sets up menu items on the NMS to launch remotely installed Cisco Prime applications.
See User Guide for Cisco Prime Integration Utility 1.11, for more details on the integration utility.
Note
You must install the Integration Utility on the same machine on which you have installed HPOV.
Install Trap Adapter for HPOV
LMS supports Trap Adapter for OpenView on Windows and Solaris operating systems.
To install the adapter on Windows:
Step 1
Locate the TrapListener.conf file in the NMSROOT/campus/hpovadapter/WIN/ directory.
Step 2
Modify the Trap Receiver address and the port number to the LMS values, in the file.
Step 3
Set the LIB environment variable to HP OpenView lib directory.
Step 4
Run the fwdTrap.exe program located in the same directory.

The Trap Adapter gets attached to OpenView process and starts sending traps to the LMS server.
To install the adapter on Solaris/Soft Appliance:
7-30
OL-25947-01
Chapter 7

Step 1
Locate the TrapListener.conf file in the /opt/CSCOpx/campus/hpovadapter/SOL directory.
Step 2
Modify the Trap Receiver address and the port number to the LMS values, in the file.
Step 3
Set the LD_LIBRARY_PATH environment variable to HP OpenView lib directory.
Step 4
Run the fwdTrap program located in the same directory.

The Trap Adapter gets attached to OpenView process and starts sending traps to the LMS server.

OL-25947-01
7-31
Chapter 7
Supported Platforms (Operating Systems)
The supported platforms for the HP NNM and HPOV adapters are:
Network Management System
HP OpenView 9.1
HP OpenView 9.01
HP OpenView 9.0
Supported Platforms
Solaris 10
Windows 2008 R2 Standard x 64 Edition
Solaris 10
Windows 2008 R2 Standard x 64 Edition
Solaris 10
Windows Server 2008 x64 with Service Pack 2
Windows Server 2008 x64 R2 with Service Pack 2
LMS Fault Monitor Module as Primary Listener

If you select Fault Monitor Module as the primary listener, you must perform the following to receive
MAC Notifications.
The default port number of the Fault Monitor Module for receiving Traps from the switches is 9000. You
must configure or verify this port number on the device, for the device to forward the Traps to the Fault
Monitor Module. The trapd.conf file has the details of the port number that receives the Traps from the
Fault Monitor server.
To enable Fault Monitor Module to forward the MAC Notifications, you must modify the trapd.conf file
in the Fault Monitor Module server, at NMSROOT/object/smarts/conf/trapd directory. You can modify
the file through the command line interface or through the application interface.
You can configure the application to forward the MAC Notifications to LMS Server in two ways:
From LMS
From the LMS Fault Monitor Server
From LMS
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding.
The Notification Services page appears.
Step 2
Enter the Hostname and the port number of the LMS server to which you want to forward the MAC
Notifications.
Step 3
Click Apply to configure.

The trapd.conf file is modified and the DFMServer process is restarted.
Note
If you configure through Cisco Prime, LMS server receives all Traps including MAC Notification.
From the LMS Fault Monitor Server
Step 1
Access the LMS Fault Monitor server using Telnet.
7-32
OL-25947-01
Chapter 7

Step 2
Enter pdterm DfmServer at the command line to stop the LMS Fault Monitor server.
Step 3
Navigate to NMSROOT/object/smarts/conf/trapd directory.
Step 4
Edit the trapd.conf file in the directory to reflect the following changes.
Enter:
FORWARD:
address OID generic type specific type \ host [:port] | [:port:community] [host [:port] |
[:port:community] ...], where the explanation for each variable is provided in the trapd.conf file.
Step 5
Enter pdexec DfmServer at the command line to restart the LMS Fault Monitor server.
Configuring Dynamic User Tracking

You can configure certain properties in Dynamic User Tracking to enhance the security of the system.
These properties make the server receive traps only from specified devices and with specified
community strings.
To configure properties for filtering SNMP Traps:
Step 1
Select Admin > Collection Settings > User Tracking > Dynamic User Tracking Configuration.
The Dynamic User Tracking Configuration page appears.
Step 2
Select the Validate SNMP Community check box.

LMS validates the community string in SNMP traps, with the values you have set. You can add
community strings only after checking this check box.
Step 3
If you configure a device with SNMP v2 or v1 settings in DCR, then the device is initially queried
with SNMP v2 by LMS. If the query fails, LMS will query the device with SNMP v1.
If you configure a device with SNMPv3 settings in DCR, then the device is queried with SNMP v3.
However, if the query fails, the same device will not be queried with SNMP v2 or v1.
Enter the community string in the Valid Community List text box and click Add.
You can add the community strings one at a time. You can use the Delete button to remove the extra or
erroneous strings.
The default Trap community string that you might have added in the Device Trap configuration screen
is also listed here.
Step 4
Select the Validate Trap Source check box.

LMS validates the source IP Address of the trap. You can add the list of IP Addresses only after checking
this check box.
Step 5
Enter the IP Address in the text box provided and click Add.
You can use the Delete button to delete extra or erroneous entries.
Step 6
Click Apply to save changes to the server.

To revert to the default values, click Reset.
You can use any one of the options to filter SNMP traps.
For example:

OL-25947-01
7-33
Chapter 7
To process traps from all sources, and that have private or test as the community string, set
Validate SNMP Community = true (by checking the check-box)
Community String = private, test
Validate Trap Source =false
then traps from all sources with community string private or test will be processed by LMS.
To process traps from the listed IP addresses, with the community string private or test set:
Validate SNMP Community =true
Community String = private, test
Validate Trap Source =true
Valid IP Addresses = 10.77.210.211, 10.77.210.212
then traps from the listed IP addresses, with the community string private or test will be processed by
LMS. In this case, LMS first validates the community string, and if it matches, validates the source
address.

Cisco Prime User Tracking Utility (UTU) is a Windows desktop utility that provides quick access to
useful information about users, hosts, or IP Phones discovered by LMS User Tracking application.
Understanding UTU
Hardware and Software Requirements for UTU
Downloading UTU
Installing UTU
Accessing UTU
Configuring UTU
Searching for Users, Hosts or IP Phones Using UTU
Uninstalling UTU
Upgrading to UTU 2.0
Re-installing UTU 2.0
Understanding UTU
User Tracking Utility (UTU) allows users with Help Desk access to search for users, hosts, or IP Phones
discovered by LMS User Tracking application. UTU comprises a server-side component and a client
utility.
UTU is supported on LMS 3.0 (Campus Manager 5.0.6), LMS 3.1 (Campus Manager 5.1.4), and
LMS 3.2 (Campus Manager 5.2.1). To use UTU in LMS 4.2, Network Topology, Layer 2 Services and
User Tracking must be enabled and accessible through the network.
UTU 2.0 supports silent installation mode for easy deployment. It supports communication with LMS
server in Secure Sockets Layer (SSL) mode.
The following are the list of features supported in the Cisco Prime User Tracking Utility 2.0 release:
7-34
OL-25947-01
Chapter 7

Windows Vista Support
Earlier, User Tracking Utility did not work on Windows Vista client systems because of library conflicts.
UTU 2.0 is built on Microsoft .Net Framework and Windows Presentation Foundation (WPF). With this,
UTU 2.0 now works on Windows Vista client systems
Support for Phone Number Search
In this release, UTU supports searching phone numbers in addition to existing search criteria.
Hardware and Software Requirements for UTU

Table 7-9 lists the minimum system requirements for UTU.
Table 7-9
System Requirements for UTU
Requirement Type Minimum Requirements

System hardware
System software
Memory (RAM)
Additional
required software
IBM PC-compatible computer with Intel Pentium processor.
Windows 2008
Windows XP with SP2 or SP3
Windows Vista
512 MB
LMS 3.0 (Campus Manager 5.0.6), or LMS 3.1 (Campus Manager 5.1.4), or
LMS 3.2 (Campus Manager 5.2.1), or LMS 4.2 (Network Topology, Layer 2
Services and User Tracking)
Microsoft .Net Runtime 3.5 Service Pack 1

You can download Microsoft .Net Runtime 3.5 Service Pack 1 from
http://www.microsoft.com
Network
Connectivity
LMS 3.0 (Campus Manager 5.0.6) or LMS 3.1 (Campus Manager 5.1.4) or LMS
3.2 (Campus Manager 5.2.1) or LMS 4.0 (Network Topology, Layer 2 Services and
User Tracking) must be running, and accessible through the network
Downloading UTU
UTU requires Cisco PrimeUserTrackingUtility2.0.exe file to be downloaded and installed.
To download UTU 2.0:
Step 1
Click http://www.cisco.com/cisco/software/navigator.html.
You must be a registered Cisco.com user to access this Software Download site. The site prompts you to
enter your Cisco.com username and password in the login screen, if you have not logged in already.
Step 2
From the Software Product Category, select Cloud and Systems Management > Routing and
Switching Management > Cisco Prime LAN Management Solution.
Step 3
Select the latest version of Cisco Prime LAN Management Solution.
Step 4
Select the appropriate product software type.

OL-25947-01
7-35
Chapter 7
Step 5
Select a product release version from the Latest Releases folder and locate the software update to
download.
Step 6
Locate the file CiscoWorksUserTrackingUtility2.0.zip

This zip file contains CiscoWorksUserTrackingUtility2.0.exe and setup.iss file (required for silent
installation).
Step 7
Click the Download Now button to download and save the device package file to any local directory on
LMS Server.
Step 8
Extract the file using any file extractor such as WinZip.
Installing UTU
You can install UTU 2.0 either in normal installation mode or silent installation mode.
Before you install UTU 2.0, check whether you system meets the requirements mentioned in Hardware
and Software Requirements for UTU.
Installing UTU in Silent Mode
Installing UTU in Normal Mode
Installing UTU in Silent Mode

To install UTU in silent mode, run the following command at the command prompt:
exe-location\CiscoWorksUserTrackingUtility2.0.exe a s f1file-location\setup.iss
where
exe-location is the directory where you have extracted the
CiscoWorksUserTrackingUtility2.0.exe file
file-location is the directory where you have the setup.iss file.
Do not use space after the -f1 option. Use the complete path for file-location.
For example, if the install directory for UTU is c:\utu, enter the following at the command prompt:
c:\utu\CiscoWorksUserTrackingUtility2.0.exe -a -s -f1c:\utu\setup.iss
Editing Setup.iss File
UTU is installed in the C:\Program Files\CSCOutu2.0 directory, by default.

If you want to install UTU in some other directory, you must edit the content of the setup.iss file. Change
the value of the szDir attribute in the setup.iss file.
For example, if you want to set the installation directory as D:\utu20, change
szDir=C:\Program Files\CSCOutu2.0 to szDir=D:\utu20 in the setup.iss file.
Setup.log File
The setup.log file is created during the installation in the same directory where you have extracted the
setup.iss file.
You should see the setup.log file to check the installation completion status.
7-36
OL-25947-01
Chapter 7

The value of the ResultCode attribute in the setup.log informs you whether the installation has completed
successfully. The value 0 denotes that the UTU installation in silent mode is successful.
When the value of the ResultCode attribute is other than 0, you must install UTU again.
Installing UTU in Normal Mode

To install UTU in normal installation mode:
Step 1
Log into the system with local system administrator privileges.
Step 2
Navigate to the directory that contains CiscoWorksUserTrackingUtility2.0.exe.
Step 3
Double-click CiscoWorksUserTrackingUtility2.0.exe to begin installation.

The User Tracking Utility Welcome screen appears.
Step 4
Click Next.
A warning message appears if you have not installed .Net Framework 3.5 SP1.
You can install .Net Framework 3.5 SP1 after terminating the current UTU installation or before
completing the current UTU installation.
Step 5
Click Next.
Step 6
Click Yes.
The Choose Destination Location dialog box appears. By default, UTU is installed in the directory
C:\Program Files\CSCOutu2.0.
Note
If you have installed .Net Framework 3.5 SP1 already on the system, the installer directs you to
the Choose Destination dialog box, when you click Next in the User Tracking Utility Welcome
screen.
If you click No in the confirmation message, the warning message appears again stating that you have
not installed .Net Framework 3.5 SP1.
You can download and install .Net Framework 3.5 SP1. and then continue with the UTU installation.
Step 7
Click Next to install UTU in the default directory.

or
a.
Click Browse to choose a different directory and click OK.
b.
Click Next to continue with the installation.
The installation continues.

Step 8
Click Finish to complete the installation. User Tracking Utility is installed at the destination location
you specified in Step 7 above and a shortcut to UTU is created on the desktop. To access the utility, see
Accessing UTU.

OL-25947-01
7-37
Chapter 7
Accessing UTU
To access UTU, click either:
Start > Programs > Cisco Prime UTU 2.0 > Cisco Prime User Tracking Utility 2.0
Or
UTU 2.0 shortcut available on the desktop
The UTU band appears. See Figure 7-1 for UTU 2.0 band.
You can also find an icon in the task bar. You can use this icon to restore the UTU band when minimized.
Figure 7-1
User Tracking Utility - Search Band
1 - Settings Icon
2 - Minimize icon
3 - Close icon
4 - UTU task bar icon
After a system restart and during the startup, the system launches the UTU automatically.
7-38
OL-25947-01
Chapter 7

Configuring UTU
You must configure UTU to set the Campus Manager (for releases earlier than LMS 4.0), or LMS 4.2
server configurations.
To configure UTU:
Step 1
Click the Settings icon.

Or
a.
Right-click the UTU search band.

A popup menu appears.
b.
Click Settings.
The Cisco Prime Server Settings dialog box appears.

Step 2
Enter the name or IP Address of the server on which Campus Manager (for releases earlier than LMS
4.0), or LMS 4.2 is installed.
Step 3
Enter the port number of the LMS Server.

The default HTTP port number is 1741.
You can modify the port number if required.
Step 4
Click Enable SSL for communicating with an SSL enabled server.

The port is changed to 443, which is the default port for SSL.
You can modify the port number if required. See Figure 7-2.
Figure 7-2
Step 5
Enabling SSL
Enter a valid Cisco Prime Server user name and password.

This is used to verify the validity of the user when searching for users, hosts, or IP Phones.
Step 6
Confirm the password by re-entering it.
Step 7
Select the Remember me on this computer checkbox if you want the client system to remember your
credentials.
The credentials are preserved only for the current user of Windows system. The credentials are not
available when you log into the Windows system with a different user name.

OL-25947-01
7-39
Chapter 7
Step 8
Searching for Users, Hosts or IP Phones Using UTU

You can use the UTU Search Band to search for the users, hosts, or IP Phones in your network.
Note
UTU search is case-insensitive.

To search for users, hosts, or IP Phones:
Step 1
Right-click the UTU search band.

A popup menu appears with the default search criterion Host name/IP Address selected.
Step 2
Select a search criterion from the popup menu.

You can search using:
User name
Host name or IP Address
Device name or IP Address
MAC Address
Phone number
The default search criterion is host name or IP Address of the host.

The selected criterion is set for future searches until you change the criterion.
Step 3
Enter any value related to user name, host name, device name, IP Address, Phone number or the MAC
Address in the UTU search field.
For example, you can enter 10.77.208 in the search field.
Step 4
Press Enter.
If your server is not SSL enabled, go to Step 7.
When you query for data from an SSL enabled server, the Certificate Summary dialog box appears.
Step 5
Click Details to view the certificate details.

You can verify the authenticity and correctness of the SSL server here. See Figure 7-3.
7-40
OL-25947-01
Chapter 7

Figure 7-3
Certificate Details
You can click Summary to go back to the Certificate Viewer dialog box.
Step 6
Click Yes in the Certificate Viewer dialog box or Certificate Details dialog box to accept and store the
certificate.
SSL connection is established with the server.
If you click No, the certificate is not stored and no connection is established with the server.
Note
Step 7
The Certificate Viewer dialog box appears only for the first time configuration. If you had clicked Yes
the first time, you are not prompted to store the certificate during subsequent sessions.
Click the X Record(s) Found button to launch the results window.
X denotes the number of matches found.
For example, if there 4 matches found, the UTU Search band displays 4 Record(s) Found. See
Figure 7-4.

OL-25947-01
7-41
Chapter 7
Figure 7-4
UTU Search Band displaying the number of matching records
UTU search returns only the top 500 records if the number of matches exceed 500. You must refine your
search if you want better and more accurate results.
Step 8
Select an entry in the Results window.

UTU displays the search results, which is a list of user names, host names, IP Addresses, or MAC
Addresses, in a Results window.
The Results window has the following options:
Copy to Clipboard, where you can copy the selected search result record.
Copy All to Clipboard, where you can copy all the search result records.
Close, which you can use to close the window.
For a selected search result record, the Results window displays the details as described in:
Table 7-10 for all search criteria except Phone Number
Table 7-11 for search based on Phone Number
See Figure 7-5 for MAC Address search results window and Figure 7-6 for IP Phone search results
window.
Table 7-10
Details for Each Entry in Results Window For a User or Host Search
Entry
Description
User Name
Name of the user logged in to the host.
MAC Address
Media Access Control (MAC) address of network interface card in end-user

node.
Host IP Address
IP Address of the host.
Host Name
Name of the host discovered by User Tracking.
Subnet
Subnet to which the host belongs.
Subnet Mask
Subnet mask of the host
Device name
Name of the switch.
Device IP Address
IP Address of the switch
VLAN
VLAN to which the port of the switch belongs.
Port
Port number to which the host is connected.
Port Description
Description of the port number to which the host is connected.
Port State
State of the port: Static or Dynamic.
Port Speed
Bandwidth of the port of the switch.
7-42
OL-25947-01
Chapter 7

Table 7-10
Details for Each Entry in Results Window For a User or Host Search
Entry
Description
Port Duplex
Port Duplex configuration details on the device.
Last Seen
Date and time when User Tracking last found an entry for this user or host
in a switch. Last Seen is displayed in the format yyyy/mm/dd hh:mm:ss.
Figure 7-5
Table 7-11
MAC Address Search Results Window
Details for Each Entry in Results Window For a Phone Number Search
Entry
Description
Phone Number
IP Phone number
MAC Address
Media Access Control (MAC) address of network interface card on the

phone.
Phone IP Address
IP Address of the phone.
CCM Address
IP Address of the Cisco Call Manager
Status
Status of the phone, as known to Cisco Call Manager
Phone Type
Model of the phone. Can be SP30, SP30+, 12S, 12SP, 12SPplus, 30SPplus,
30VIP, SoftPhone, or unknown.
Phone Description
Description of the phone.
Device Name
Name corresponding to IP Address of device.
Device IP Address
IP Address of the device
Port
Port number to which the phone is connected.

OL-25947-01
7-43
Chapter 7
Table 7-11
Details for Each Entry in Results Window For a Phone Number Search
Entry
Description
Port Description
Description of the port to which the phone is connected.
Last Seen
Date and time when User Tracking last found an entry. Last Seen is
displayed in the format yyyy/mm/dd hh:mm:ss.
Figure 7-6
IP Phone Number Search Results Window
The search results for the value you enter in the search field depends on the default search
criteria.
Note
Using Search Patterns for UTU

UTU searches for the users, hosts, or IP Phones that match the search criterion. See Searching for Users,
Hosts or IP Phones Using UTU for more information.
You can search for users, hosts, or IP Phones by entering a search pattern or substring of a search pattern.
For example, entering Cisco displays host names that start with, end with or contain Cisco for a search
on host names.
You do not have to use wildcard character * to match a pattern or substring of the pattern.
To search for a MAC Address, you can use one of the following MAC Address patterns or a substring of
these patterns:
xxxx.xxxx.xxxx
7-44
OL-25947-01
Chapter 7

xx:xx:xx:xx:xx:xx
xxxxxxxxxxxx
xx-xx-xx-xx-xx-xx
Here x denotes a hexadecimal number.
Uninstalling UTU
Ensure that UTU is not running while uninstalling.
If you try to uninstall UTU when it is running, an error message appears and uninstallation terminates.
To uninstall UTU:
Step 1
Select Start > Programs > Cisco Prime UTU 2.0 > Uninstall Cisco Prime User Tracking Utility 2.0
from the windows task bar.
The Uninstallation wizard appears and prompts you to confirm the UTU uninstallation.
Step 2
Click Yes.
The Uninstallation continues.
Step 3
Click Finish to exit the uninstallation wizard.
Upgrading to UTU 2.0

You can install UTU 2.0 on the same system where UTU 1.1.1 is installed.
You can choose to install UTU 2.0 on any directory other than the directory where UTU 1.1.1 is installed.
See Installing UTU for installation instructions.

OL-25947-01
7-45
Chapter 7
Re-installing UTU 2.0

Re-installation of UTU 2.0 is supported on the normal mode of installation.
In the normal mode of installation, you are prompted with a confirmation message to continue the
installation. You must provide your inputs to continue the installation.
See Installing UTU for installation instructions.
The user profiles that are created are not lost during re-installation.
7-46
OL-25947-01
CH A P T E R

All collection settings like Inventory Collection settings, VRF Lite settings, various SNMP timeout
settings are grouped under the collection settings in the Admin tab in the menu.
Using the Inventory Job Browser
Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and
PSIRT/EOX System
PSIRT or End-of-Sale or End-of-Life Data Administration
Administering VRF Lite
Configuring Fault Management Rediscovery Schedules
IPSLA Application Settings
Setting Up Archive Management
Configuring Transport Protocols

OL-25947-01
8-1
Chapter 8

The Inventory Job Browser displays all user-defined jobs. It also displays the system-defined inventory
collection and polling jobs. You can create and manage inventory jobs using the Job Browser. You can
edit, stop, cancel or delete jobs using this Job Browser.
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform these tasks.
When you install LMS, a default job is defined for Inventory Collection and Inventory Polling.
When the default job runs, LMS evaluates the all devices group and executes the job. This way,
whenever new devices are added to the system, these devices are also included in the default
collection/polling job.
For the default system jobs, the device list cannot be edited. You can only change the schedule of those
jobs. Therefore, when a periodic system job for inventory collection or polling is scheduled, the
scheduled job is not displayed in the Inventory Job Browser.
The default system jobs for Inventory Collection and Inventory Polling are created immediately after
installation. However, they may appear in the Inventory Job Browser (Inventory > Job Browsers >
Inventory Collection or Admin > Collection Settings > Inventory > Inventory Jobs) and the LMS Job
Browser (Admin > Jobs > Browser) only after some time has elapsed.
The jobs are displayed in the Job Browser when they are running, or after they are completed, with all
the details such as Job ID, Job Type, and Status.
User-defined jobs, however, are displayed in the Job Browser once they are scheduled, when they are
running, and after they are completed.
You can do the following tasks from the Inventory Job Browser:
Viewing Job Details
Creating and Editing an Inventory Collection or Polling Job
8-2
OL-25947-01
Chapter 8

To invoke the Inventory Job Browser, either:
Select Inventory > Job Browsers > Inventory Collection.

Or
Select Admin > Collection Settings > Inventory > Inventory Jobs.
The Inventory Job Browser dialog box appears with a detailed list of all scheduled inventory jobs.
The columns in the Inventory Job Browser dialog box are:
Column
Description
Job ID
Unique ID assigned to the job by the system, when the job is created. Click on the hyperlink to view the
Job details (see Viewing Job Details.)
Periodic jobs such as 6-hourly, 12-hourly, Daily, Weekly and Monthly, have the job IDs that are in the
number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that
this is the third instance of the job ID 1001.
Job Type
Type of jobSystem Inventory Collection, System Inventory Polling, Inventory Collection and Inventory
Polling.
Status
Status of the jobScheduled, Successful, Failed, Cancelled, Stopped, Running, Missed Start.
The number, within brackets, next to Failed status indicates the count of the devices that had failed for
that job. This count is displayed only if the status is Failed.
For example, If the status displays Failed(5), then the count of devices that had failed is 5.
This count of failed devices is not displayed for jobs restored from LMS 4.1 or earlier versions.
Description
Description of the job entered by the job creator. This is a mandatory field. Accepts alphanumeric values.
The field is restricted to 256 characters.
Owner
Scheduled at
Completed at
Schedule Type
Type of schedule for the job:
ImmediateRuns the report immediately.
6 - hourlyRuns the report every 6 hours, starting from the specified time.
OnceRuns the report once at the specified date and time.
WeeklyRuns weekly on the specified day of the week and at the specified time.
MonthlyRuns monthly on the specified day of the month and at the specified time.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job
will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will
start only at 10:00 a.m. on November 3.
Using the Filter by field in the Inventory Job Browser, you can filter the jobs displayed in the browser.

OL-25947-01
8-3
Chapter 8
You can filter the jobs using any of the following criteria and clicking Filter:
Filter Criteria
Description
All
Select All to display all jobs in the Job Browser
Job ID
Select Job ID and enter the whole or the first part of the Job ID(s) that you want to display.
Select Job Type and then select any one of the following:
Job Type
Status
Inventory Polling
System Inventory Polling
Inventory Collection
System Inventory Collection

Select Status and then select any one of these:
Schedule
Successful
Failed
Cancelled
Stopped
Running
Missed Start
Missed start is the status when the job could not run for some reason at the scheduled time.
For example, if the system was down when the job was scheduled to start, when the system comes up
again, the job does not run. This is because the scheduled time for the job has elapsed. The status for the
specified job will be displayed as Missed Start.
Description
Select Description and enter the first few letters or the complete description.
Owner
Select Owner and enter the user ID or the beginning of the user ID.
Schedule
Type
Select the Schedule Type and select any one of these:
Refresh
Immediate
Once
6-hourly
12-hourly
Daily
Weekly
Monthly
Click on this icon to refresh the Inventory Job Browser.
(Icon)
8-4
OL-25947-01
Chapter 8

To perform the following tasks, use the Inventory Job Browser (Table 8-1)
.
Table 8-1
Inventory Browser Buttons, the Tasks they Perform and their Description
Button
Task
Description
Create
Create jobs
You can create a new job.
Edit
Edit jobs
You can edit only a scheduled job.

You can select only one job at a time for editing. If you select more than one job, the Edit button
is disabled.
Cancel
Cancel jobs
You can cancel a scheduled job. You can select more than one scheduled job to cancel. You are
prompted to confirm the cancellation.
If it is a periodic job, you are prompted to confirm whether you want to cancel only the current
instance of the job or all future instances.
1.
Select a periodic job and click Cancel.

The Cancel Confirmation dialog box appears.
2.
Select one of the following options:

Cancel only this instance
Cancel this and all future instances
3.
Stop
Stop jobs
Click OK.
You can stop a running job.

However, the job will be stopped only after the devices currently being processed are completed.
This is to ensure that no device is left in an inconsistent state.
Delete
Delete jobs
You can delete a job that has been scheduled, successful, failed, stopped or cancelled. However,
you cannot delete a running job.
You can select more than one job to delete, provided they are scheduled, successful, failed,
stopped, or cancelled jobs. For instance, if you select a failed job and a running job, the Delete
button is disabled.
If you are deleting a scheduled periodic inventory job, the following message is displayed:
If you delete periodic jobs, or instances of a periodic job, that are yet to be
run, the jobs will no longer run, nor will they be scheduled to be run again. You
must recreate the deleted jobs.
You are prompted to confirm the deletion.

Records for Inventory Collection and Polling jobs need to be purged periodically. You can schedule a
default purge job for this purpose, select Admin > Network > Purge Settings > Config Job Purge
Settings.

OL-25947-01
8-5
Chapter 8
Viewing Job Details

In the Inventory Job Browser, click on the Job ID hyperlink to view the following job details for
Inventory collection, or polling jobs:
Job DetailsExpand this node to display Job Summary and Job Results for the inventory collection
or polling job.
Job SummaryClick on this node to view the following for the inventory collection or polling job:
Job SummaryDisplays information about the job type, the job owner, the status of the job, the
start time, the end time, the schedule type, and details of email notification.
Device SummaryDisplays information about the total devices submitted for the job, the
number of devices that were scanned, the number of devices that were pending, the devices that
were successful with change, successful without change, and the failed devices.
Also, the Device Details and Not Attempted information appears.
Not Attempted displays the number of devices for which the Inventory collection module did
not attempt to collect the data.
Job ResultsDisplays information about the number of devices scanned, the names of the scanned
devices, the duration of scanning, the average scan time per device, and the job results description,
for the inventory collection or polling job.
To see more details, expand the Job Results node. You will see the following details:
FailedIf you click on this node, you will see the collective list of failed devices and the reason
for their failure in the right pane, for the inventory collection or polling job.
If you expand this node, the list of failed devices appears.
If you select a device, the right pane displays the device name and the reason for the failure. For
example, Device sensed, but collection failed, or Device not reachable.
Successful: With Changes
For a Inventory collection job:

Expand the Successful: With Changes node to display a list of devices.
If you select a device, the right pane displays the device name and a hyperlink: View Changes.
If you click on this hyperlink, the Inventory Change Details report appears for the device. The
report displays information about the attribute, the type of change, the time of change, the
previous value and the current value for the collection job.
If you do not expand this node, you will see the collective list of devices with the status Success:
With changes with their View Changes hyperlinks, in the right pane, for the collection job.
There is a View All Changes hyperlink in the right pane. If you click this hyperlink, all the
changes on the devices are displayed.
For a Inventory polling job:
Click on the Successful: With Changes node to display a list of devices that have changes, as a
comma separated list, in your right pane.
When there is a change in the config of a device and when the device is polled, the information
like Collection initated will appear in the job results. A separate job will be created for the
inventory collection as a result of changes occuring in the inventory .
8-6
OL-25947-01
Chapter 8

Successful: Without Changes
If you click on this, you will see as a comma-separated list in your right pane, the devices that
were successful for the inventory collection or polling job.
Note
Inventory Poller creates a Collection job when it detects changes.
Creating and Editing an Inventory Collection or Polling Job

To create or edit an Inventory collection or polling job:
Step 1
Either:
Select Inventory > Job Browsers > Inventory Collection.

Or
Select Admin > Collection Settings > Inventory > Inventory Jobs.
The Inventory Job Browser appears.

Step 2
Select either:
Click Create.
The Create Inventory Job dialog box appears.
Or
Step 3
Select a job and click Edit.
Select either:
Device Selector, if you want to schedule report generation for static set of devices
Or
Group Selector, if you want to schedule report generation for dynamic group of devices.

OL-25947-01
8-7
Chapter 8
Step 4
Enter the information required to create a job:
Field
Description
Job Type
Select either Inventory Collection or Inventory Polling, as required.
Scheduling
Run Type
Specifies the type of schedule for the job:
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the
job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance
of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1
job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m.
November 2, then the next job will start only at 10:00 a.m. on November 3.
If you select Immediate, the date field option will be disabled.
Date
1.
Enter the start date in the dd mmm yyyy format, for example, 02 Jul 2004, or click on the calendar icon and select the date.
2.
Enter the start time by selecting the hours and minutes from the drop-down list.
The Date field is enabled only if you have selected an option other than Immediate in the Run
Type field.
Job Info
Job Description
Enter a description for the report that you are scheduling. This is a mandatory field. Accepts alphanumeric values. This field is restricted to 256 characters.
E-mail
Enter e-mail addresses to which the job sends messages when the job has run.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box
box (Admin > System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the senders address,
8-8
OL-25947-01
Chapter 8

Step 5
Click Submit.
You get a notification that the job has been successfully created, and it appears in the Inventory Job
Browser.
To edit a job, select a scheduled job from the Inventory Job Browser, and click Edit.
The Edit Inventory Job dialog box appears. The Job Type options are disabled. You can however, change
the Scheduling and Job Info fields as required, and click Submit.
The job is edited.

You can stop, cancel or delete Inventory Collection or Polling jobs.
Stopping a job, see Stop in Table 8-1.
Cancelling a job, see Cancel in Table 8-1.
Deleting a job, see Delete in Table 8-1.

This option enables you to set the default values for Inventory, Config timeout and retry settings. These
values are applicable to all devices in LMS.
SNMP RetryNumber of times that the system should try to access devices with SNMP options.
The default value is 2. The minimum value is zero and the maximum value is 6.
SNMP TimeoutAmount of time that the system should wait for a device to respond before it tries
to access it again. It refers to the total transaction time of SNMP Packets.
The default value is 2 seconds and the minimum value is zero seconds. There is no maximum value
limit. Changing the SNMP timeout value affects inventory collection.
Telnet TimeoutAmount of time that the system should wait for a device to respond before it tries
to access it again. It refers to the initial response time required to create a socket.
The default value is 36 seconds and the minimum value is zero seconds. There is no maximum value
limit.
Changing the Telnet timeout value affects inventory collection.
Natted LMS IP AddressThe LMS server ID. This is the translated address of LMS server as seen
from the network where the device resides.
You need to enable support for NAT, in a scenario where LMS tries to contact devices outside the
NAT boundary.
The default value is Not Available.
TFTP TimeoutAmount of time that the system should wait to get the result status of the copy
operation. Changing the TFTP timeout value affects Config collection.
The default value is 5 and the minimum value is 0 seconds. There is no maximum value limit.
Read DelayAmount of time the system will sleep in between each read iteration.
The default read delay is 10 milliseconds.

OL-25947-01
8-9
Chapter 8
Transport TimeoutAmount of time the socket will be blocked for read operation.
The default value is 45000 milliseconds.
Login TimeoutAmount of time in milliseconds after which it will start reading the user prompt.
Tune SleepAmount of sleep time in milliseconds after sending tune command 3 to 4 times.
Delay After ConnectAmount of waiting time in milliseconds after initial socket connection. It
will wait for the set time before doing the next operation.
To edit the Inventory, Config timeout and retry settings:

Step 1
Select Admin > Network > Timeout and Retry Settings > Config Timeout and Retry Settings.
The Inventory, Config timeout and retry settings page appears.
Step 2
Step 3
Enter the default values for:
SNMP Retry
SNMP Timeout
Telnet Timeout
Natted LMS IP Address
TFTP Timeout
Read Delay
Transport Timeout
Login Timeout
Tune Sleep
Delay After Connect
Click Apply.
Note
Step 4
Modifying the default timeout values will apply to all the devices and impact the work flows of
all devices. To edit per device level attributes, go to Editing Device Attributes.
Click OK.
A confirmation message appears:
The settings are updated successfully
Note
When you do a back up restore from LMS 3.x/4.x to LMS 4.2, the inventory, config timeout, and retry
values will not be restored by default. To restore the values for all the devices, edit the default values in
Timeout and Retry settings page. To restore the values for specific devices, go to Admin > Collection
Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings
8-10
OL-25947-01
Chapter 8

The LMS server polls and receives two types of credentials from each device and populates the Device
Credential Repository (DCR).These credentials are:
Primary Credentials
LMS uses either the primary or secondary credentials to access the devices using the following
protocols:
Telnet
SSH
The LMS server first uses the Primary Credentials to access the device. The Primary Credentials is tried
out many times and on failure the Secondary Credentials is tried out. Secondary Credentials is used as
a fallback mechanism in LMS for connecting to devices.
For instance, if the AAA Server is down, accessing devices using their primary credentials will lead to
failure.
You can add or edit the Secondary Credentials information through the DCR page (Select Inventory >
Device Administration > Add / Import / Manage Devices) if the Secondary Credential information is
not available for a device.
Note
The use of Secondary Credentials fallback is applicable for both Login and Enable connectivity.
You can use the LMS Secondary Credential dialog box to enable or disable Secondary Credentials
fallback when the Primary Credentials for a device fails. This is a global option which you can use to
enable or disable the use of Secondary Credential fallback for all LMS applications.
To enable or disable the Secondary Credentials fallback:
Step 1
Select Admin > Collection Settings > Config > Secondary Credential Settings.
or
Select Admin > Collection Settings > Inventory > Secondary Credential Settings.
The Secondary Credentials dialog box appears.
Step 2
Do either of the following:
Check Fallback to Secondary Credentials check box if you want to enable the Secondary
Credential fallback.
Or
Step 3
Uncheck Fallback to Secondary Credentials check box if you want to disable the Secondary
Credential fallback.
Click either Apply to apply the option or click Cancel to discard the changes.

OL-25947-01
8-11
Chapter 8
Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX System
Changing the Schedule for System Inventory Collection or

Polling, Compliance Policy and PSIRT/EOX System
At the time of LMS installation, system jobs are created for both Inventory collection and polling, with
their own default schedules. A periodic inventory collection job collects inventory data from all
managed devices and updates your inventory database.
Similarly, the periodic polling polls devices and updates the inventory database. You can change the
schedule of these default, periodic system jobs.
For inventory collection or polling to work, your devices must have accurate read community strings
entered. The changes detected by inventory collection or polling, are reflected in all associated inventory
reports.
Changing the Schedule for System Inventory Collection or Polling Settings
Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings
Changing the Schedule for System Inventory Collection or Polling Settings

Note that the inventory poller allows you to collect inventory less often. The poller detects most changes
in managed devices, with much less impact on your network. If the poller detects changes, it initiates
inventory collection.
To collect inventory or poll devices as a one-time event or for selected devices only, create user-defined
inventory collection or polling jobs (see Creating and Editing an Inventory Collection or Polling Job).
Note
Step 1
Select Admin > Collection Settings > Inventory > Inventory System Job Schedule.
The System Job Schedule dialog box displays the current collection or polling schedule.
Step 2
Set the new Inventory Collection or Inventory Polling schedule in the respective panes, as in Table 8-2.
Inventory data does not change frequently, so infrequent collection is better. However, if you are
installing much new equipment, you may need more frequent collection.
Infrequent collection reduces the load on your network and managed devices. Collection is also best
done at night or when network activity is low.
Also, make sure your collections do not overlap, by checking their duration using the Inventory Job
Browser (see Using the Inventory Job Browser), and scheduling accordingly.
Step 3
Click Apply.
The new schedule is saved.
8-12
OL-25947-01
Chapter 8

Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX System
Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings
Note
Step 1
Select Admin > Network > Compliance Policy/PSIRT/EOS/EOL Settings > Compliance Policy and
Psirt/Eox System Job Schedule.
The Compliance Policy and PSIRT/EOX System Job Schedule page appears.
Step 2
Set the new Compliance Policy and PSIRT/EOX schedule in the respective panes, as in Table 8-2.
Step 3
Click Apply.
The new schedule is saved.
Table 8-2
Details of Inventory system schedule and CAAM Policy and PSIRT/EOX System Job Schedule
Field
Description
Scheduling
Run Type
Select the run type or frequency for inventory collection or polling, CAAM Policy and PSIRT/EOXDaily,
Weekly, or Monthly.
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job
will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If
the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start
only at 10:00 a.m. on November 3.
Date
Select the date for the collection or polling to begin, using the date picker.
at
Enter the time for the collection or polling to begin, in the hh:mm:ss format.
Job Info
Job Description
Has a default Job Description:

If the Job Type is Inventory Collection, the description is, System Inventory Collection Job.
If the Job Type is PSIRT and EOX Or Compliance Policy, the description is, System Compliance Policy and
PSIRT/EOX Job.
E-mail
Enter e-mail addresses to which the job sends messages when the collection or polling job has run.
You can enter multiple e-mail addresses, separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin >
System > System Preferences).
We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box (Admin
> System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the senders address.

OL-25947-01
8-13
Chapter 8
Compliance Policy and PSIRT/EOX Job Report
Perform the following steps to view the Compliance Policy and PSIRT/EOX Job Report:
Step 1
Go to Admin > Jobs > Browser.
Step 2
Select Type in the Filter by field and SystemPsirtJob in the drop-down list.
Step 3
Click Filter.
The SystemPsirtJob will be filtered and displayed.
Step 4
Click the JOB ID e.g 1005.1 to view the Compliance Policy and PSIRT/EOX Job Report.

Product Security Incident Response Team (PSIRT) of Cisco is a dedicated, global team that manages the
receipt, investigation, and public reporting of security vulnerability-related information, related to Cisco
products and networks.
For every security vulnerability, a PSIRT document is created with a PSIRT Document ID. This
document consists of definitions of the vulnerabilities, the IOS image version that is affect by the PSIRT,
as well as the device that is impacted.
Note
System PSIRT job should be successful at least once before generating PSIRT/End-of-Sale or
End-of-Life (EoX) reports. Report job will be successful even though there is no data to display for the
selected devices.
The EoS/EoL reports will be successful but might not contain data in the below scenarios:
1.
If the system PSIRT job fails because of wrong Cisco.com credentials, or if you have not
configured the Cisco.com credentials.
2.
If the system PSIRT job fails due to problems in the downloaded local XML file.
3.
If there is no PSIRT/EoX data in the database for the selected devices.
LMS fetches and collects this PSIRT information from Cisco.com whenever the system PSIRT and
End-of-Sale or End-of-Life (EOX) job runs.
LMS uses PSIRT, End-of-Sale and End-of-Life data from Cisco.com to generate various reports. You
can change the Data Source for PSIRT or End-of-Sale or End-of-Life reports. For more information, see
Changing the Data Source for PSIRT/EOS/EOL Reports.
Changing the Data Source for PSIRT/EOS/EOL Reports

You can use the PSIRT/EOX Reports option to change the data source for generating a PSIRT or
End-of-Sale or End-of-Life report.
To access this option, select Reports > Fault and Event > PSIRT Summary
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com
8-14
OL-25947-01
Chapter 8

When you schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the
data either from Cisco.com or from a local text file with XML data, depending upon the option you have
set.

OL-25947-01
8-15
Chapter 8
To change the PSIRT or End-of-Sale/End-of-Life report settings:

Step 1
Select Admin > Network > PSIRT, EOS and EOL Settings > PSIRT/EOX Reports option.
The PSIRT/EOX Reports dialog box appears.
Step 2
Either:
Select Cisco.com, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data
from Cisco.com
Or
Select Local, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data from
local file.
The local file location is shown if you have selected Local.
Step 3
Click Apply
The PSIRT or End-of-Sale or End-of-Life report can be generated based on the settings specified by you.
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com

You can use the Cisco.com option, if you have access to Cisco.com from the LMS server. When you
schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the data from
Cisco.com. The report so generated consists of latest data from the system PSIRT and EOX job.
If you have opted to generate a PSIRT or End-of-Sale or End-of-Life report using data from Cisco.com,
you must setup the Cisco.com user account using Admin > System > Cisco.com Settings > User
Account Setup. If you do not configure the Cisco.com user account, the System PSIRT and EOX job
will fail.
Note
While you schedule a PSIRT Summary report job or End-of-Sale or End-of-Life job using the Cisco.com
method, the Cisco.com Username, Cisco.com Password are enabled. If you have configured the Proxy
Server (Admin > System > Cisco.com Settings > Proxy Server Setup) then Proxy Username and Proxy
Password fields are also enabled.

You can use the Local option, if you do not have an internet connection from the LMS server. The local
file is a text file with XML data in it.
Downloading the text file with XML data from Cisco.com
You can retrieve the PSIRT or End-of-Sale or End-of-Life information from an external server and store
it in the local file location on the LMS server.
To download the text file with XML data from Cisco.com:
1.
Use a server other than LMS server with internet connection as the external server.
2.
From this external server, access the following link to download the XML data:
8-16
OL-25947-01
Chapter 8

For EoS/EoL Hardware Report:

1.
Go to
http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwar
eid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=
latest#
2.
Login to Cisco.com by entering the Cisco.com user name and password.
3.
Download the PSIRT_EOX_OFFLINE.zip file.
4.
Extract the text file with XML data to the external server.
5.
Copy the text file from the external server into the LMS Server under:
On Solaris/Soft Appliance,
/var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml
On Windows, NMSROOT\files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml
The text file with XML data gets saved under local_xml folder.
Where NMSROOT is the default Cisco Prime installation directory.
For EoS/EoL Software Report:
1.
Go to
http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwar
eid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=
latest#
2.
Login to Cisco.com by entering the Cisco.com user name and password.
3.
Download the EOX_SOFTWARE.zip file to the external server.
4.
Copy the EOX_SOFTWARE.zip file from the external server into the LMS Server under:
/var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml
On Windows, NMSROOT\files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml
Note
You must not extract the EOX_SOFTWARE.zip file in the LMS Server.
The EOX_SOFTWARE.zip file gets saved under local_xml folder.
Where NMSROOT is the default Cisco Prime installation directory.
When you schedule a PSIRT or End-of-Sale/End-of-Life report, the Report Generator retrieves the data
from the XML file.
To ensure that the data shown in the PSIRT or End-of-Sale or End-of-Life report is the latest:
1.
Retrieve the PSIRT or End-of-Sale or End-of-Life information from Cisco.com using an external
server which has internet connection.
2.
Store this retrieved XML information in the local file location.
3.
Then generate a PSIRT Summary Report or End-of-Sale or End-of-Life report.

For more information, see:
Downloading the text file with XML data from Cisco.com

OL-25947-01
8-17
Chapter 8

From the Admin tab in the mega menu you can administer the following features of VRF Lite:
Provide VRF Lite Collector Settings. For details, see Using VRF Lite Collector Settings.
Schedule VRF Lite Collection. For details, see Scheduling VRF Lite Collector.
Modify SNMP Timeouts and Retries. For details, see Modifying VRF Lite SNMP Timeouts and
Retries.
You can specify the debugging options for VRF Lite Server, VRF Lite Collector, and VRF Lite, select
Admin > System > Debug Settings.
You can view the status of VRF Lite jobs, select Admin > Jobs > Browser, and use the filter to view
only VRF Lite jobs.
You can configure purging interval for Virtual Network Manager Report Jobs and Archives, select
Admin > Network > Purge Settings > VRF Management Purge Settings. For details, see Purging
VRF Management Reports Jobs and Archived Reports.
Using VRF Lite Collector Settings
Scheduling VRF Lite Collector
Using VRF Lite Collector Settings

You can perform the following administrative tasks using the VRF Lite Collector Settings page:
Schedule VRF Lite Collector

You can schedule the VRF Lite Collector process to run after every Data Collection. The VRF Lite
Collector process is scheduled to collect VRF Lite-specific details of the VRF Lite Capable and
VRF Lite Supported devices. You can add, edit and delete VRF Lite Collector Schedule jobs.
To schedule the VRF Lite Collection process, click Schedule VRF Lite Collector link.
For details, see Scheduling VRF Lite Collector.
VRF Lite SNMP Timeouts and Retries Settings

You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular
device with SNMP timeout exceptions. To modify the VRF Lite SNMP Timeouts and Retries
Settings, click VRF Lite SNMP Timeouts and Retries Settings link.
For details, see Modifying VRF Lite SNMP Timeouts and Retries.
8-18
OL-25947-01
Chapter 8

Scheduling VRF Lite Collector

You can schedule the day and the time of VRF Lite Collection using this feature. You can add a new
schedule, edit or delete existing schedules.
To schedule VRF Lite Collector:
Step 1
Select Admin > Collection Settings > VRF Lite > VRF Lite Collector Schedule.
The VRF Lite Collector Schedule dialog box appears.
Step 2
Table 8-3
Enter the details as mentioned in Table 8-3.
VRF Lite Collection Schedule Settings
Field
Description
Usage Notes
Schedule
Run VRF Lite

Collector After
Every Data
Collection
Allows you to enable or disable VRF Lite

Collection after every Data Collection.
Enable: Check the check box to enable VRF Lite

Collection after every Data Collection and click Apply.
The VRF Lite Collection collects VRF

Lite-specific details.
Disable: Uncheck the check box to disable VRF Lite

Collection after every Data Collection and click Apply.
Job ID
Job ID of the VRF Lite Collector Schedule Display only.

job.
Schedule VRF Lite Collector
Days, Hour, Min
Days on which and the time at which VRF The optimum VRF Lite collection schedule depends on the
Lite collection is scheduled.
size of the network and the frequency of network changes.
By default, the VRF Lite collection process is scheduled to
run after the Data Collection process has completed.
Recurrence
Pattern
Select the days of the week on which VRF This field is available only when you are adding or editing a
Lite collection is to be scheduled.
schedule.
Job Description
Description of the VRF Lite Collector

Schedule job.
Step 3
Enter the description of the VRF Lite Collector Schedule job.
Select a schedule and click Edit to edit the schedule
Select a schedule and click Delete to delete the schedule
Click Add to add a new schedule
Click OK to save the details

Or
Click Cancel to exit the VRF Lite Collection Schedule dialog box.
You can view the status of VRF Lite Collector Schedule job, select Admin > Jobs > Browser, and use
the filter to view VRF Lite Collector Schedule job.

OL-25947-01
8-19
Chapter 8

You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular device
with SNMP timeout exceptions.
To modify SNMP timeouts and retries:
Step 1
Select Admin > Network > Timeout and Retry Settings > VRF Lite SNMP Timeouts and Retries.
The VRF Lite SNMP Timeouts and Retries dialog box appears.
Step 2
Modify the SNMP settings as given in Table 8-4.

Table 8-4
Modify VRF Lite SNMP Timeouts and Retries
Field
Description
Target
IP address of the target device. For example, 10.*.*.*
Timeouts
Time period after which the query times out.

This also indicates the time interval between the request and the first initial
response from the device.
The SNMP response may be slow for remote devices. If your network has
remote devices connected over a slow link, configure a higher value for
time-out.
If Time out is increased, Discovery time could also increase. Enter the value
in seconds. The allowed range is 0-60.
For every retry, the Timeout value is doubled.
For example, If the Timeout is 10 seconds and retries 4:
LMS waits for 10 seconds for response for the first try, 20 seconds for the
second retry, 40 seconds for the third retry and 80 seconds for the fourth
retry.
150 seconds (10+20+40+80) is the total time lapse after which Virtual
Network Manager stops querying the device.
Retries
Number of attempts made to query the device. The allowed range is 0-8.
Step 3
Click Add to add VRF Lite SNMP settings.
Step 4
Select a row and either:
Click Edit to edit the VRF Lite SNMP Timeouts and Retries value.
Or
Click Delete to delete the VRF Lite SNMP Timeouts and Retries value.

Step 5
Click Apply.
8-20
OL-25947-01
Chapter 8


If an SNMP query does not respond in time, Fault Management will time out. It will then retry contacting
the device for as many times as displayed when you select Admin > Network > Timeout and Retry
Settings > Fault Management SNMP Timeouts and Retries.
The timeout period is doubled for every subsequent retry. For example, if the timeout value is 4 seconds
and the retries value is 3, LMS waits for 4 seconds before the first retry, 8 seconds before the second
retry, and 16 seconds before the third retry.
The SNMP timeout and retries are global settings.
The default values are:
Timeout4 seconds
Retries3
Note
Changing the settings on this page will modify the settings on all devices managed by LMS.
Note
Your login determines whether or not you can perform this task. View Permission Report (Reports >
System > Users > Permission) to check if you have the required privileges to perform this task.
To modify the Fault Management SNMP timeout and retries:
Step 1
Select Admin > Network > Timeout and Retry Settings > Fault Management SNMP Timeouts and
Retries. The SNMP Configuration page appears.
Step 2
Select a new SNMP timeout setting.
Step 3
Select a new Number of Retries setting.
Step 4
Click Apply.
Step 5
In the confirmation box, click Yes.

OL-25947-01
8-21
Chapter 8

Note
Your login determines whether or not you can perform this task. View Permission Report (Reports >
System > Users > Permission) to check if you have the required privileges to perform this task.
LMS rediscovery probes the devices to discover their configuration and verify their manageable
elements in inventory.
LMS contains a default discovery schedule that starts rediscovery on a weekly basis. Although you
cannot modify the default discovery schedule, you can suspend it and add, modify, or delete additional
schedules.
For more information, see
Suspending and Resuming a Rediscovery Schedule
Adding and Modifying a Rediscovery Schedule
Suspending and Resuming a Rediscovery Schedule

LMS includes a default rediscovery schedule, Default_Schedule. You cannot edit or delete
Default_Schedule, but you can suspend it. To completely suspend rediscovery for a period of time, you
may have to repeat this procedure to suspend multiple schedules.
To suspend and resume a rediscovery schedule:
Step 1
Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule.
The Rediscovery Schedule page appears.
Step 2
You can either:
Select a schedule that does not have a Suspended status, and click Suspend.
The status for the schedule changes to Suspended and the schedule does not run until you resume
the schedule. The schedule remains listed on the Rediscovery Schedule page until you delete it.
Or
Select a schedule with a status of Suspended and click Resume.

The status for the schedule changes to Scheduled.
8-22
OL-25947-01
Chapter 8

Adding and Modifying a Rediscovery Schedule

See Performing Scheduling Tasks to plan the rediscovery schedule for maximum efficiency and
minimum system impact.
Performing Scheduling Tasks
You should plan the rediscovery schedule for maximum efficiency and minimum system impact.
When LMS is first installed, for the Fault Management module most tasks listed in Table 8-5 are
scheduled by default to ensure that they do not run concurrently. You can configure the schedules for
these tasks to meet the requirements of your site. However, you should still avoid running them
concurrently.
Table 8-5
Scheduling Considerations
Configuration Task
Default Schedule
Comments and Notes
Database purging
Run daily at
midnight.
The amount of time it takes to purge the database

depends on the size of the database.
For more information on how to configure the Daily
Fault History Purging Schedule, see Configuring the
Daily Fault History Purging Schedule.
Rediscovery
Run weekly on
Monday at 2:00 a.m.
By default, rediscovery starts 2 hours after database

purging.
In addition to configuring schedules, a system administrator can schedule database backups. Be careful
while coordinating the database backup schedule to avoid running concurrently with the tasks listed in
Table 8-5.
To add or edit a rediscovery schedule:
Step 1
Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule.
Step 2
Select either:
Click Add.
Or
Select a rediscovery schedule with a status of Scheduled and click Edit. You cannot edit
Default_Schedule.
Step 3
Enter a name for the schedule.
Step 4
Select how often the schedule should run:
Once
Daily
Weekly (default)
Monthly

OL-25947-01
8-23
Chapter 8
Step 5
Select the date, hour, and minute on which to start the rediscovery schedule and click Next.
Step 6
Review the information on the Schedule Summary page and click Finish. The Rediscovery Schedule
page appears, listing the new schedule.
Deleting a Rediscovery Schedule
To delete a rediscovery schedule:

Step 1
Select a rediscovery schedule and click Delete.

A confirmation dialog box appears.
Note
Step 2
You cannot delete Default_Schedule.
Click Yes. The job is removed from this page. However, it will continue to be listed in the main Job
Browser.

Event Forensics refer to additional information related to the specific events that are polled by LMS
server. The polled data are stored on the server and you can use this for troubleshooting.
You must enable the Event Forensics collection feature on LMS server to start collecting the event
forensics data.
To enable collection of Event Forensics:
Step 1
Click Admin > Collection Settings > Fault > Fault Event Forensics Configuration. The Event
Forensics Configuration page appears.
Step 2
Select the Event Forensics Enable check box to enable LMS to collect forensics data.
Step 3
Click Apply.
LMS polls for Event Forensics data for the following events only:
Device unavailability or unresponsiveness
Flapping
Operationally Down
To view the event forensics results select Monitor > Monitoring Tools > Fault Monitor. You can see
the event forensics results when you move your mouse over the Annotations in the Faults table of Fault
Monitor Device Fault Summary view tab.
8-24
OL-25947-01
Chapter 8


To rediscover and delete specific devices, select Admin > Collection Settings > Fault > Fault
Monitoring Device Administration.
The Fault Monitoring Device Administration page contains two panes.
The left pane displays a device selector, from which you select the device or group that you want to
rediscover or delete. The left pane includes a search option
The right pane displays the information for the selected object.
Click the Refresh button to refresh the view.
Note
If the IP addresses of the device and its components such as interface or port are added separately in
DCR then only device IP will be managed in fault Management and the components IP will not be
managed separately as the components are already managed under the device IP.
The devices that appear in the device selector are organized in folders by device state as shown in the
Table 8-6. The folders appear only if there is a device to go in the folder.
Table 8-6
Device Summary and Device States
Heading
Description
Status
Lists the state the devices are in, from the following possibilities:
Known
The device has been successfully imported, and is fully managed by Fault
Management.
Learning
Fault Management is discovering the device. This is the beginning state,

when the device is first added or is being rediscovered. Some of the data
collectors may still be gathering device information.
Questioned
Fault Management cannot successfully manage the device.
Pending
The device is being deleted. (Fault Management is waiting for

confirmation from all of its data collectors before purging the device and
its details.)
Unknown
IPv6 device or the selected algorithm is not supported in Fault

Management.
Rediscovering Devices
When rediscovery takes place, if there are any changes to a device or group configuration, the new
settings will overwrite any previous settings.
Rediscovery occurs only for managed devices, and not suspended devices.
Rediscovery also occurs when:
Inventory collection occurs. This is controlled by the Rediscovery Schedule (Admin > Collection
Settings > Fault > Fault Management Rediscovery Schedule)
A device is added to the DCR, or a change is made to a device in the DCR, and LMS is configured
to import that device type (or LMS automatically imports all DCR devices). Such DCR changes
include a device being deleted or having its credentials (IP address, SNMP credentials, MDF type)
changed in the DCR.

OL-25947-01
8-25
Chapter 8
Note
A device is manually added to LMS using the Device Import page.
Do not confuse the LMS discovery process with the DCR synchronization process. LMS Discovery and
Rediscovery is a process that affects only the LMS inventory.
To rediscover devices:
Step 1
Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault
Monitoring Device Administration page appears.
Step 2
Select the device or group that you want to rediscover.

With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To
assist you in locating devices, use the search option in the device selector.
Note
Step 3
If you are connecting to the LMS server for the first time, a Security Alert window is displayed
after you select nearly any option. Do not proceed without viewing and installing the security
certificate. You should contact a user with System Administrator privileges to create a
self-signed security certificate, and then install it. If you do not install the self-signed security
certificate, you may not be able to access some LMS application pages.
Click Rediscover.
Rediscovery starts. To view rediscovery status, select Inventory > Device Administration > Manage
Device State.
Note
If the number of components managed by fault management exceeds 40000/domain then the remaining
devices will be moved to Question State with the error message Network Adapter Limit Exceeded.
Question State Device Report
Creating a question state device report involves the following steps:

Step 1
Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault
Monitoring Device Administration page appears.
Step 2
Click Question State Devie Report.

The question state device report containing the device name, device IP, discovery start time and error
details is displayed.

Till LMS 3.2 there were 8 different applications like Common Services, Portal and applications covering
functionalities in FCAPS model.
8-26
OL-25947-01
Chapter 8

LMS 4.2 removes application boundaries and provides tighter integration among the components. It
groups all the related functionalities in one place, thus making the product more user friendly.
LMS 4.2 consists of the following five functionalities:
Fault Management
To view the functionality settings:

Select Admin > System > Device Management Functions.
By default, all the functions will be enabled.
If you have a 10K license, only Inventory, Config and Image Management will function. You should
disable all functions except Inventory, Config and Image Management from this page.
Note
If you disable a function, the function will stop collecting device information. For IPSLA Management,
history data will be deleted.

Cisco Prime LMS allows you to configure the Performance Management SNMP timeout and SNMP
retries using the Poll Settings option. The Performance Management SNMP timeout and SNMP retries
are based on the device and network response time.
SNMP timeout is the duration of time that LMS waits for the device to respond before it retries to
query the device again.
SNMP retry is the maximum number of times LMS retries to query the device.
You can also set the notification interval time in case of poller failures and the e-mail ID to which the
notification should be sent.
You can also configure Poll Settings to send the polling failure report as an e-mail.
To configure Poll Settings:
Step 1
Select Admin > Network > Timeout and Retry Settings > Performance Management SNMP
timeouts and retry settings.
The Poll Settings dialog box appears.
Table 8-7 describes the fields in the Poll Settings dialog box.

OL-25947-01
8-27
Chapter 8
Table 8-7
Poll Settings Fields
Field
Description
Poll Details
SNMP Timeout
Specify the SNMP timeout interval in seconds.

The default SNMP timeout value is 3 seconds. You can change the default
SNMP timeout value to a value between 1 to 15 seconds.
SNMP Retries
Specify the SNMP retries count.

The default SNMP retry count value is 1. You can set the default SNMP retry
count to a value from 0 to 3.
Polling Failure
Notification Interval
Specify the polling failure notification interval.

You can select any of these predefined values. The default option is 6 hours.
01 - HourPolling failures notified every 1 hour.
06 - HoursPolling failures notified every 6 hours.
WeeklyPolling failures notified every week.
Polling failure notification report is generated periodically based on

notification interval. This report contains information on the SNMP polling
failures with device details.
E-mail ID
Enter the e-mail address.

The E-mail address must be in the format: user@domain.com.
The poll failure report is send to the E-mail address based on the Notification
Interval.
Step 2
Update the necessary fields in the following panes:
Poll Details
Polling Failure
See Table 8-7 for the description of fields that appear in the Poll Settings dialog box.
Step 3
Click Apply to update the poll settings or Reset to cancel the poll settings.
A message appears confirming that poll settings are updated successfully.

The IPSLA Application Settings page allows you to copy IP SLA (Internet Protocol Service Level
Agreement) configuration to running-config, and set managed source interface.
Managed Source Interface Setting
8-28
OL-25947-01
Chapter 8


You can see the IPSLA (Internet Protocol Service Level Agreement) probes for the collectors that you
configure in LMS at the command line interface of the router in the running configuration by selecting
the Copy IP SLA Configuration to running-config option on the Application Settings page.
This option is not selected by default. You cannot view the IPSLA probes in the running configuration
of the source router if this option is not set.
Note
The IP SLA probes are automatically reconfigured when you reboot if you have selected this option and
saved the IP SLA probes of the LMS collectors in the startup configuration.
To view the configured collectors in the running configuration:
Step 1
Select Admin > Collection Settings > Performance > IPSLA application settings.
The IPSLA Application Settings page appears.
Step 2
Select the Copy IPSLA Configuration to Running-config check box.
Step 3
Click Apply. A message appears that the application settings have been modified successfully.
Click Default to retain the default settings.
Step 4
Click OK.
Managed Source Interface Setting

Managed Source Interface configures the source router with appropriate IP address for
sending/receiving the IPSLA (Internet Protocol Service Level Agreement) operation packets.
You can set a source interface address for the source router by selecting the Use Managed Source
Interface Address option on the Application Settings page. After this option is set, the source router uses
the managed interface address while configuring the collectors on the source device.
However, you can also specify a source interface address while configuring a collector. In this case, the
source router uses the specified interface. If the Use Managed Source Interface option is not set, then by
default, the source router selects the source interface for the collector from the Routing Table based on
the IP address of the destination.
To set a source interface address:
Step 1
Select Admin > Collection Settings > Performance > IPSLA application settings.
The Application Settings page appears.
Step 2
Select the Use Managed Source Interface Address check box.
Step 3
Click Apply. A message appears that the application settings have been modified successfully.
Click Default to retain the default settings.
Step 4
Click OK.

OL-25947-01
8-29
Chapter 8

You can move the directory for archiving the LMS device configuration and enable and disable the usage
of Shadow directory. You can also list the commands that need to be excluded while comparing
configuration
To do this select Configuration > Configuration Archive > Summary.
Preparing to Use the Archive Management
Entering Device Credentials
Modifying Device Configurations
Modifying Device Security
Moving the Configuration Archive Directory
Enabling and Disabling the Shadow Directory
Configuring Exclude Commands
Configuring Fetch Settings
Preparing to Use the Archive Management

Before you start using the Archive Management, you must:
Enter Device Credentials (See Entering Device Credentials for details)
Modify Device Configurations (See Modifying Device Configurations for details)
Modify Device Security (See Modifying Device Security for details)
Entering Device Credentials

Enter the following device credentials in the Device and Credentials window (Admin > Network >
Configuration Job Settings > Config Job Policies):
Read and write community strings
Primary Username and Password
Primary Enable Password
If you have enabled the Enable Job Password option in the Config Job Policy dialog box (Admin >
Network > Configuration Job Settings > Config Job Policies) when you scheduled the Config jobs,
you are prompted for the following device credentials:
Login User name
Login Password
Enable Password
8-30
OL-25947-01
Chapter 8

The supported Device authentication prompts are:
Routers
Username:, Username:
Password:, Password:
Switches
username: , Username:
password: , "Password:
Cisco Interfaces and ModulesNetwork Analysis Modules

login:
Password: password:
Security and VPNPIX

username: , Username:
passwd: , password: , Password:
Content NetworkingContent Service Switch

Username: , username: , login: ,Username: , username: , login:
Password: , password: , passwd: ,Password: , password: , passwd:
Content NetworkingContent Engine

Username: ,login:
Password:
Storage NetworkingMDS Devices

Username:, Username:
Password:, Password:
If you enabled TACACS for a device and configured custom TACACS login and passwords prompts,
you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts
recognizable, you must edit the TacacsPrompts.ini file. See Handling Custom Telnet Prompts for more
information.
To handle custom telnet prompts in applications, you must configure the TacacsPrompts.ini file located
at:
NMSROOT/objects/cmf/data (on Solaris/Soft Appliance)
NMSROOT \objects\cmf\data (on Windows)
where NMSROOT is the location where you have installed Cisco Prime LMS.
The format of this ini file is:
[TELNET]
USERNAME_PROMPT=
PASSWORD_PROMPT=

OL-25947-01
8-31
Chapter 8
For example, if you have configured username and password prompts as MyUserName: and
MyPassword: for a few devices and SecretUserName: and Secrect Password: for a few devices, the ini
file must be configured as:
[TELNET]
USERNAME_PROMPT=MyUsername:, Secret Username:
PASSWORD_PROMPT=MyPassword:, Secret Password:
Note
You need not add the default Username prompt and Password prompt in the TacacsPrompts.ini file. Only
the custom prompts need to be added.
Modifying Device Configurations

To enable the configuration archive to gather the configurations, modify the device configurations for
the following:
Enabling rcp
Enabling scp
Enabling https
Configuring Devices to Send Syslogs
Enabling rcp
To enable the configuration archive to gather the configurations using the rcp protocol, modify your
device configurations.
Make sure the devices are rcp-enabled by entering the following commands in the device configurations:
# ip rcmd rcp-enable
# ip rcmd remote-host local_username {ip-address | host} remote_username [enable]
Where ip_address | host is the IP address/hostname of the machine where LMS is installed.
Alternatively, you can enter the hostname instead of the IP address. The default remote_username and
local_username are cwuser.
Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS
server. To do this, use the command,
no ip rcmd domain-lookup for rcp to fetch the device configuration.
8-32
OL-25947-01
Chapter 8

Enabling scp
To enable the configuration archive to gather the configurations using the scp protocol, modify your
device configurations.
To configure local User name:
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
username admin privilege 15 password 0 system

ip ssh authentication-retries 4
ip scp server enable
To configure TACACS User name:

aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
User on the TACACS Server should be configured with priv level 15:
user = admin {
default service = permit
login = cleartext "system"
service = exec {
priv-lvl = 15
}
}
Enabling https
To enable the configuration archive to gather the configurations using https protocol you must modify
your device configurations.
To modify the device configuration, follow the procedure as described in this URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_eol_notices_list.html
Configuring Devices to Send Syslogs

Configure your devices for Syslog Analysis if you want the device configurations to be gathered and
stored automatically in the configuration archive when Syslog messages are received.
After you perform these tasks and the devices become managed, the configuration files are collected and
stored in the configuration archive.

OL-25947-01
8-33
Chapter 8
Modifying Device Security

Configuration Management must be able to run certain commands on devices to archive their
configurations.
You must have the required permissions to run these Configuration Management commands:
Router Commands
Switches Commands
Content NetworkingContent Service Switch Commands
Content NetworkingContent Engine Commands
Security and VPNPIX Devices
For example, you can use the LMS server to access the devices using Telnet or SSH to archive their
configurations. Ensure that the user credentials provided by you in DCR has the required permissions to
access the devices and execute the above mentioned configuration CLI commands on the devices to fetch
the configurations.
These configuration information fetched from the devices by the LMS server is stored in the LMS
database.
Router Commands
Command
Description
terminal length 0
Sets the number of lines on the current terminal screen for the
current session
terminal width 0
Sets the number of character columns on the terminal screen for the
current line for a session
show privilege
Displays your current level of privilege
Show running
Gets running configuration.
Show startup
Gets startup configuration
Show running-brief1
Gets the running configuration in brief by excluding the encryption

keys.
1. This is applicable for the IOS release 12.3(7)T release or later.
The commands in the above tables also apply to the following device types:
Optical Networking
Broadband Cable
Voice and Telephony
Wireless
Storage Networking
8-34
OL-25947-01
Chapter 8

Switches Commands
The switches commands are:
Command
Description
set length 0
Configures the number of lines in the terminal display screen
set logging session

disable
Disables the sending of system logging messages to the current login

session.
write term
Content NetworkingContent Service Switch Commands

The Content Service Switch commands are:
Command
Description
no terminal more
Disables support for more functions with the terminal.
show running-config
Gets all components of the running configuration.
show startup-config
Gets the CSS startup configuration (startup-config).
Content NetworkingContent Engine Commands

The Content Engine commands are:
Command
Description
terminal length 0
Sets the number of lines on the current terminal screen for the current
session
show run
show config
Gets startup configuration.

The Network Analysis Modules commands are:
Command
Description
terminal length 0
Sets the number of lines on the current terminal screen for the current
session
show autostart
Displays autostart collections
show configuration

OL-25947-01
8-35
Chapter 8
Security and VPNPIX Devices

The PIX devices commands are:
Command
Description
terminal width 0
Sets the number of character columns on the terminal screen for the
current line for a session
show config
show running
show curpriv
View the current logged-in user.
no pager
Removes paging control
Moving the Configuration Archive Directory

You can move the directory where the configuration of the devices can be archived on the LMS server.
The default Configuration Archive directory is:
On LMS Solaris/Soft Appliance server,
/var/adm/CSCOpx/files/rme/dcma
On LMS Windows server,

NMSROOT\files\rme\dcma
Where NMSROOT is the Cisco Prime installed directory.
The new archive directory location should have the permission for casuser:casusers in Solaris and
casuser should have Full Control in Windows. The new archive directory location should not be the root
of any drive (F:\) and must be a subdirectory (F:\LMSarchives).
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
The following is the workflow for moving the configuration archive location:
Step 1
Stop the ConfigMgmtServer process. To do this:

a.

The Process Management dialog box appears.
Step 2
b.
Select the ConfigMgmtServer process.
c.
Click Stop.
Select Admin > Collection Settings > Config > Config Archive Settings.
The Archive Settings dialog box appears.
Step 3
Enter the new location in the Archive Location field, or click Browse to select a directory on your
system.
8-36
OL-25947-01
Chapter 8

Step 4
Click Apply.
A message appears confirming the changes.
Step 5
Restart the ConfigMgmtServer process. To do this:

a.

b.
c.
Click Start.
Enabling and Disabling the Shadow Directory

The configuration archive Shadow directory is an image of the most recent configurations gathered by
the configuration archive.
The Shadow directory contains subdirectories that represent each device class and the latest
configurations supported by the configuration archive.
Each file name is DeviceName.cfg, as defined in the Device and Credential Repository. Each time the
archive is updated, the Shadow directory is updated with the corresponding information.
The Shadow directory can be used as an alternative method to derive the latest configuration information
programmatically by using scripts or other means.
To access to the Shadow directory, you must be root or casuser on Solaris, or in the administrator group
for Windows.
You can find the Shadow directory in the following locations:
Note
On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow
On Windows, NMSROOT/files/rme/dcma/shadow. Where NMSROOT is the directory in which LMS

is installed (the default is C:\Program Files\CSCOpx).
You can enable or disable the use of Shadow directory by following this workflow:
Step 1
Stop the ConfigMgmtServer process. To do this:

a.

Step 2
b.
c.
Click Stop.
Select Admin > Collection Settings > Config > Config Archive Settings.
The Archive Settings dialog box appears.
Step 3
Select the Enable Shadow Directory check box.

OL-25947-01
8-37
Chapter 8
Step 4
Click Apply.
A message shows that the changes were made.
Step 5
Restart the ConfigMgmtServer process. To do this:

a.

b.
c.
Click Start.
Configuring Exclude Commands

You can list the commands that have to be excluded while comparing configuration. To do this select
Admin > Collection Settings > Config > Config Compare Exclude Commands Configuration.
You can enter multiple commands separated by commas.
LMS provides default exclude commands for some Device Categories.
For example, the default exclude commands for Router device category are,
end,exec-timeout,length,width,certificate,ntp clock-period
You can specify Exclude Commands at all these levels:
Device Category (For example, Routers, Wireless, etc.)
Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.)
Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)
While comparing configurations, if you have specified exclude commands in the Device Type, Device
Family and Device Category, these commands are excluded only at the Device Type level. The
commands in the Device Family and Device Category are not excluded.
Example 1:
If you have specified these commands at,
Routers (Device Category) level

Cisco 1000 Series Routers (Device Family) level

banner incoming,snmp-server location
Cisco 1003 Router (Device Type) level

ip name-server,banner motd,snmp-server manager session-timeout
While comparing configurations, only the Cisco 1003 Router (Device Type) level commands are
excluded.
8-38
OL-25947-01
Chapter 8

Example 2:
If you have specified these commands only at Device Family and Device Category,
Routers (Device Category) level

Cisco 1000 Series Routers (Device Family) level

banner incoming,snmp-server location
Cisco 1003 Router (Device Type) level

No commands specified.
While comparing configurations, only the Cisco 1000 Series Routers (Device Family) level commands
are excluded.
If the commands are specified only at the Device Category level, these commands are applicable to all
devices under that category.
To configure Exclude Commands:
Step 1
Select Admin > Collection Settings > Config > Config Compare Exclude Commands
Configuration.
The Configure Exclude Commands dialog box appears.
Step 2
Step 3
Select one of these from the Device Type Selector pane:
Device Category (For example, Routers, Wireless, etc.)
Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.)
Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)
Enter the command in the Exclude Commands pane to add new commands.
You can enter multiple commands separated by commas.
You can also edit or delete the existing commands in the Exclude Commands pane.
Step 4
Click Apply.
A message appears, The commands to be excluded are saved successfully.

OL-25947-01
8-39
Chapter 8
Understanding Configuration Retrieval and Archival
Configuring Fetch Settings

You can configure the Job Result Wait Time per device for the Sync Archive Jobs. The default value is
120 seconds. The minimum value can be set to 60 seconds.
Job Result Wait Time is the maximum wait time that Archive Management waits to get the
configurations from the device during the sync-archive job execution.
To configure the Job Result Wait Time:
Step 1
Select Admin > Collection Settings > Config > Config Job Timeout Settings.
The Fetch Settings dialog box appears.
Step 2
Provide the Job Result wait time in seconds in the Maximum time to wait for Job results per device
(seconds) field.
Step 3
Click either of these:
Click Apply, if you want to submit the Job Result Wait Time entered.
Click Cancel if you want to cancel the changes made to the Job Result Wait Time.

LMS supports different ways to trigger the retrieval of configuration files from the device for archival
purposes.
Schedule Periodic Configuration File Archival
Schedule Periodic Configuration Polling
Manual Updates (Sync Archive function)
Using Version Summary
Timestamps of Configuration Files
How Running Configuration is Archived
Change Audit Logging
Schedule Periodic Configuration File Archival

LMS will archive both the startup and running configuration files for all devices at the scheduled time
(6-hourly, 12-hourly, daily, weekly, monthly), as configured by the user.
Since this method collects the full running configuration and startup configuration files for the entire
network, we recommend that you schedule this to run at no more than once per day, especially if the
network is large and outside the LAN.
See Defining the Configuration Collection Settings for further details.
8-40
OL-25947-01
Chapter 8

Schedule Periodic Configuration Polling

LMS can be configured to periodically poll configuration MIB variables on devices that support these
MIBs according to a specified schedule, to determine if either the startup or running configuration file
has changed.
If it has, LMS will retrieve and archive the most current configuration file from the device.
Polling uses fewer resources than full scheduled collection, because configuration files are retrieved
only if the configuration MIB variable is set.
On IOS devices the variables ccmHistoryRunningLastChanged and ccmHistoryStartupLastChanged
from the CISCO-CONFIG-MAN-MIB MIB, and on CATOS the variable sysConfigChangeTime from
CISCO-STACK-MIB are used to detect the change.
Any change in the value of these variables causes the configuration file to be retrieved from the device.
SNMP change polling works only in case of IOS and CATOS devices which support these MIBs.
If these MIBs are not supported on the devices, then by default, configuration fetch will be initiated
without checking for the changes.
By default, the Periodic Collection and Polling are disabled.
See Defining the Configuration Collection Settings for scheduling the periodic polling.
Note
The Syslog application triggers configuration fetch, if configuration change messages like
SYS-6-CFG_CHG, CPU_REDUN-6-RUNNING_CONFIG_CHG etc., are received.
Manual Updates (Sync Archive function)

This feature allows the LMS user to force the configuration archive to check specified devices for
changes to the running configuration file only. Use Sync Archive if you need it to synchronize quickly
with the running configuration.
You can also poll the device and compare the time of change currently on the device with the time of
last archival of the configuration to determine whether the configuration has changed on a device.
The Startup configuration is not retrieved during manual update archive operation. However, you can
retrieve the Startup configuration by enabling the Fetch startup Config option while scheduling Sync
Archive job. To use this function select Configuration > Configuration Archive > Synchronization.
Using Version Summary

You can trigger a configuration file retrieval by clicking on the Running or Startup configuration in the
Configuration Version Summary report (select Configuration > Configuration Archive > Views >
Version Summary).
After a configuration file is fetched from the device, as described above, LMS submits the configuration
file for archival.

OL-25947-01
8-41
Chapter 8
Timestamps of Configuration Files

These are timestamps of a running configuration file, or the change time (in change audit), indicate the
time at which LMS system archived the configuration file.
This is not the time at which the configuration actually changed on the device. If changes are detected
immediately using Syslog messages, the timestamp should be very close to the actual configuration
change time on the device.
Startup configurations are handled differently by LMS. Startup configs are simply saved into the system,
as they are retrieved from the device (unlike running configurations, which are compared and saved in
versioned archives, if different).
The timestamps of Startup Configuration files are just the archival times, and do not indicate the change
time.
In the version summary reports, the Running and Startup are links, which when clicked will retrieve in
real time, the respective configuration from the device. This column does not have a timestamp
associated with it.
In the Out-Of-Sync report (select Configuration > Compliance > Out-of-Sync Summary), the Startup
configuration column indicates the last archived startup configuration along with its timestamp, and the
Running configuration column indicate the last archived running config along with its timestamp.
How Running Configuration is Archived

The workflow for archiving the Running configuration is:
1.
If LMS detects an effective change, the new configuration is queued for Archival.
2.
The archiver, calculates the exact effective changes, assigns a new version number for the newly
collected archive, and archives it in the system.
3.
The archiver, at the end, logs a change audit record that the configuration of the device has changed,
along with other Audit information.
4.
If you have enabled the Enable Shadow Directory option in the Archive Settings dialog box (select
Admin > Collection Settings > Config > Config Archive Settings) the latest running configuration
file is also stored in a raw format for manual TFTP purposes to restore the configuration on the
device, in the directory location:
On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow
On Windows, NMSROOT/files/rme/dcma/shadow. Where NMSROOT is the directory in which
LMS is installed (the default is C:\Program Files\CSCOpx)
Note
Startup configurations are not versioned and only one copy of the startup configuration of devices
(which supports startup configuration), is saved in the system. No change audit records are logged for
changes in the Startup Configuration files.
LMS first compares the collected configuration file, with the latest configuration in the archive, and
checks to see if there are effective configurations changes from what was previously archived.
8-42
OL-25947-01
Chapter 8

Change Audit Logging

Config change audit records include information about, who changed (which user) the configuration,
when the configuration change was identified by LMS, and other change information.
Any configuration change made through the LMS system (example, using Config Editor or
Netconfig), will have the user name of the user who scheduled the change job.
Any configuration change that was done outside of LMS and detected through the configuration
retrieval process, has the same user name as reported by the device through the CONFIG-MAN-MIB
variable (ccmHistoryEventTerminalUser).
Changes identified through syslog messages, contain the user name identified in the Syslog
message, if present.

The configuration archive can be updated with configuration changes in two ways:
Periodic configuration archival (with and without configuration polling). To do this select Admin >
Network > Collection Settings > Config > Config Collection Settings.
Manual configuration archival. To do this select using Configuration > Configuration Archive >
Synchronization.
You can modify how and when the configuration archive retrieves configurations by selecting one or all
of the following:
Periodic Polling
The configuration archive performs a SNMP query on the device. If there are no configuration changes
detected in the devices, no configuration is fetched.
Periodic Collection
The configuration is fetched without checking for any changes in the configuration.
By default, the Periodic Collection and Polling are disabled.
Note
The following is the workflow for defining the configuration collection setting:
Step 1
Select Admin > Config > Config Collection Settings.

The Config Collection Settings dialog box appears.
Step 2
Select one or all of the following options:

Periodic Polling
a.
Select Enable for Configuration archive to performs a SNMP query on the device to retrieve
configuration.
b.
Click Schedule.
The Config Collection Schedule dialog box appears.

OL-25947-01
8-43
Chapter 8
c.
Field
Description
Scheduling
Run Type
You can specify when you want to run the configuration polling job.
To do this, select one of these options from the drop-down menu:
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has
completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will
Date
You can select the date and time (hours and minutes) to schedule.
Job Information
Job Description
The system default job description, Default config polling job is displayed.
You cannot change this description.
E-mail
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with
the E-mail ID as the sender's address.
d.
Click OK.
Periodic Collection
a.
Select Enable for Configuration archive to perform a periodic check on the device to retrieve
configuration.
b.
Click Schedule.
The Config Collection Schedule dialog box appears.
8-44
OL-25947-01
Chapter 8

c.
Field
Description
Scheduling
Run Type
You can specify when you want to run the configuration collection job.
completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will
Date
Job Information
Job Description
The system default job description, Default config collection job is displayed.
E-mail
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box
d.
Click OK.
VLAN config Collection

a.
Check the Disable VLAN config collection check box.
b.
Click Apply.
The VLAN config collection will be disabled for both manual and system config collection jobs. By
default the Disable VLAN Config collection checkbox is unchecked.
Step 3
Either click Apply to accept the new values provided.

Or
Click Cancel if you want to discard the changes and revert to previously saved values.
If you had clicked Apply, a message appears:
New settings saved successfully.
You can check the status of your scheduled job by selecting Admin > Jobs > Browser.

OL-25947-01
8-45
Chapter 8

You can set the protocol order for Configuration Management features such as Archive Management,
Config Editor, and NetConfig jobs to download configurations and to fetch configurations. For NetShow
and VLAN Fetch, you can set the protocol order to download configurations.
This setup allows you to use your preferred protocol order for fetching and downloading the
configuration.
The available protocols are:
Telnet
TFTP (Trivial File Transport Protocol)
RCP (remote copy protocol)
SSH (Secure Shell)
SCP (Secure Copy Protocol)
HTTPS (Hyper Text Transfer Protocol Secured)
This section also explains:
Requirements to Use the Supported Protocols
Defining the Protocol Order
Requirements to Use the Supported Protocols

If the following requirements are not met, an error message appears.
To use this
Protocols
You must...
Telnet
Know Telnet passwords for login and Enable modes for device. If device is configured for TACACS authentication, enter Primary Username and Primary Password.
TFTP
Know read and write community strings for device.
RCP
Configure devices to support incoming rcp requests. To make sure the device is rcp-enabled, enter the
following commands in the device configuration:
# ip rcmd rcp-enable
# ip rcmd remote-host local_username {ip-address | host} remote_username [enable]
where ip_address | host is the IP address/hostname of the machine where LMS is installed. The default
remote_username and local_username are cwuser. For example, you can enter:
# ip rcmd remote-host cwuser 123.45.678.90 cwuser enable
Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS server.
To do this, use the command,
no ip rcmd domain-lookup for RCP to fetch the device configuration.
8-46
OL-25947-01
Chapter 8

To use this
Protocols
SSH
You must...
Know the username and password for the device. If device is configured for TACACS authentication, enter
the Primary Username and Primary Password.
Know password for Enable modes.
When you select the SSH protocol for the LMS applications (Configuration Archive, NetConfig, ConfigEditor, and NetShow) the underlying transport mechanism checks whether the device is running SSHv2.
If so, it tries to connect to the device using SSHv2.
If the device does not run SSHv2 and runs only SSHv1 then it connects to the device through SSHv1.
If the device runs both SSHv2 and SSHv1, then it connects to the device using SSHv2.
If a problem occurs while connecting to the device using SSHv2, then it does not fall back to SSHv1 for the
device that is being accessed.
Some useful URLs on configuring SSHv2 are:
Configuring Secure Shell on Routers and Switches Running Cisco IOS:

http://www.cisco.com/warp/public/707/ssh.shtml
How to Configure SSH on Catalyst Switches Running Catalyst OS:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml
Configuring the Secure Shell Daemon Protocol on CSS:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/c
onfiguration/security/guide/sshd.html
Configuration Examples and TechNotes:

http://www.cisco.com/en/US/tech/tk583/tk617/tech_configuration_examples
_list.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

OL-25947-01
8-47
Chapter 8
To use this
Protocols
You must...
SCP
Know the SSH username and password for the device.

To make sure the device is scp-enabled, enter the following commands in the device configuration.
To configure local User name:
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 password 0 system

To configure TACACS User name:

aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
User on the TACACS Server should be configured with privilege level 15:
user = admin {
default service = permit
login = cleartext "system"
service = exec {
priv-lvl = 15
}
}
HTTPS
Know the username and password for the device. Enter the Primary Username and Password in the Device
and Credential Repository.
To enable the configuration archive to gather the configurations using https protocol you must modify your
device configurations:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_installation_and_configuration_guides_list.html
This is used for VPN 3000 device.
The configuration archive uses Telnet/SSH to gather the module configurations of Catalyst 5000 family
devices and vlan.dat file in case of Catalyst IOS switches. Make sure you enter the correct Telnet and
Enable passwords.
8-48
OL-25947-01
Chapter 8

If you enabled TACACS for a device and configured custom TACACS login and passwords prompts,
you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts
recognizable, you must edit the TacacsPrompts.ini file. See the procedure given in the Handling Custom
Telnet Prompts.
For module configs, the passwords on the module must be same as the password on the supervisor.
This section also explains Supported Protocols for Configuration Management Applications.
Supported Protocols for Configuration Management Applications

For supported protocol at individual device-level, you can either see:
The LMS device packages Online help. You can launch the LMS device packages Online help using
Help > Device Packages.
or
The Supported Protocols for Configuration Management table on Cisco.com:
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html
Defining the Protocol Order

The following is the workflow for defining the protocol order for Configuration Management
applications to perform either Config fetch or Config update:
Note
Step 1
Select Admin > Collection Settings > Config > Config Transport Settings.
The Config Transport Settings dialog box appears.
Step 2
Go to the first drop-down list box, select the application for which you want to define the protocol order.
Step 3
Select a protocol from the Available Protocols pane and click Add.
If you want to remove a protocol, select the protocol and click Remove.
The list of protocols that you have selected appears in the Selected Protocol Order pane. The order of
protocols in the Selected Protocol Order pane can be changed using the Up and Down Buttons.
When a configuration fetch or update operation fails, an error message appears. This message displays
details about the supported protocol for the particular device and it modules, if there are any.
For the list of supported protocols, see Supported Device Table for Configuration Management
application on Cisco.com.
Step 4
Click Apply.
A message appears, New settings saved successfully.
Step 5
Click OK.

OL-25947-01
8-49
Chapter 8

Common Syslog Collector (CSC) is a service to receive, filter and forward syslogs to one or more Syslog
Servers, thus reducing traffic on the network as well as processing load on the server.
The Common Syslog Collector can be installed on the LMS Server, or on a remote UNIX or Windows
machine, to process Syslog messages. You can uninstall the Syslog Collector later if you no longer want
to run it on a remote UNIX or Windows server.
Common Syslog Collector is a service that runs independently, listens for syslogs and forwards them to
the registered applications after necessary filtering. This way, the parsing/filtering is taken away from
the applications and each device sends only one copy of the processed, valid syslogs to the Common
Syslog Collector. Although CSC runs independently, it can run either remotely or locally on the machine
where an application is running.
The LMS server and the Syslog Collector exchange updates such as status, and filters.
You can configure the service to read syslogs from a specified file. This can be provided in a properties
file located at:
NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/
Collector.properties
On Windows:
NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\
Collector.properties
See the Installing and Migrating to Cisco Prime LAN Management Solution 4.2, for the complete details.
In a scenario where the devices and the CSC may run in two different time zones, the syslogs will be
marked with timestamp of the CSC if they do not have a timestamp when they are received, or if the
format is not correct.
The device considers day-light-saving settings appropriately while putting the timestamps. CSC
supports all the time zones that LMS supports, and alternatively you can provide the time zone
information. See the Installing and Migrating to Cisco Prime LAN Management Solution 4.2, for the
complete details.
After the Syslog Analyzer has been registered with the Collector, it:
Receives the filters it needs from the LMS server to filter Syslog messages.
Sends status to the Syslog Analyzer process about the collected Syslog messages upon request from
the Analyzer, including the number of messages read, number of messages filtered, and number of
messages with bad syntax. It also forwards unfiltered messages to the Syslog Analyzer process.
If the Syslog Analyzer does not send any filters, then the Collector sends all the syslogs to the
Analyzer without filtering.
If you restart the LMS server, Syslog Collector will lose communication to the LMS server. Based on
the current filters, it continues to filter the syslogs and stores them in a local file:
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\server
name_port\DowntimeSyslogs.log
The Syslog Analyzer will automatically restore the connection after LMS server restart.
For the complete instructions on installing the Common Syslog Collector, see the Installing and
Migrating to Cisco Prime LAN Management Solution 4.2.
8-50
OL-25947-01
Chapter 8


Using the Syslog Collector Status dialog box you can:
Note
View the status of your Common Syslog Collector (see Viewing Common Syslog Collector Status)
Subscribe/Unsubscribe a Common Syslog Collector (see Subscribing to a Common Syslog

Collector)
Test Syslog Collector Subscription (see Testing Syslog Collector Subscription)
Understanding the Syslog Collector Properties File
View the Permission Report (Reports > System > Users > Permission) to check if you have the
required privileges to perform this task.
Viewing Common Syslog Collector Status

To view the status of the Common Syslog Collector to which the Syslog Analyzer is subscribed to,
follow this procedure:
Select Admin > Collection Settings > Syslog > Syslog Collection Settings.
The Collector Status dialog box appears, with this information:
Column
Description
Name
Hostname or the IP address of the host on which the Collector is installed.
Forwarded
Number of forwarded Syslog messages
Invalid
Number of invalid Syslog messages.
Filtered
Number of filtered messages. Filters are defined with the option Message Filters option (Admin > Network >
Notification and Action Settings > Syslog Message Filters, see Defining Syslog Message Filters.)
Dropped
Number of Syslog messages dropped.
Received
Number of Syslog messages received.
Up Time
Time duration for which the Syslog Collector has been up.
Update Time Date and time of the last update.

Time and time zone are those of the LMS Server.
Test
Collector
Subscription
Click to test a Syslog collector thats already subscribed or thats going to be subscribed.
Subscribe
Click to subscribe a Syslog collector.
Unsubscribe
Select the Syslog collector and click Unsubscribe to unsubscribe the Syslog collector.
If you want to refresh the information in this dialog box, click Update.

OL-25947-01
8-51
Chapter 8
If you have restarted the LMS daemon manager, the Syslog Collector Status processes (under Admin >
Network > Syslog Collection Settings) may take 6-10 minutes to come up, after the Syslog Analyze
processes come up. In this interval you may see the following message:
Collector Status is currently not available.
Check if the SyslogAnalyzer process is running normally.
Wait for the Syslog Collector status process to come up and try again.
To subscribe to a Common Syslog Collector using the Subscribe button, see Subscribing to a Common
Syslog Collector.
Subscribing to a Common Syslog Collector

Before you subscribe to a Common Syslog Collector, ensure these pre-requisites are met:
Check whether:
1.
The Self-signed Certificates are valid. For example, check for the expiry date of the certificates on
both the servers.
2.
The Self-signed Certificates from this server are copied to the Syslog Collector server and
vice-versa.
To do this, select Admin > Trust Management > Multi Server > Peer Server Certificate Setup.
See Setting up Peer Server Certificate for more information.
3.
The SyslogCollector process on Syslog Collector server and SyslogAnalyzer process on this server,
are restarted after Step 2.
4.
Both hosts are reachable by host name.
To subscribe to a Common Syslog Collector:

Step 1
The Collector Status dialog box appears. For the information in the columns in the dialog box, see
Viewing Common Syslog Collector Status:
Step 2
Click Subscribe.
The following message appears:
Check if:
Self-signed Certificates from this server are copied to the Syslog Collector server and
vice-versa. You can perform this operation from Admin > System Administration >
Multiserver Management > Peer Server Certificate Setup screen.
2. Syslog Collector process on SyslogCollector server and SyslogAnalyzer process on this
server is restarted after step 1.
3. Both hosts are reachable by host name.
4. Certificates are valid.
The Subscribe Collector dialog box appears.
Step 3
Click OK. Enter the address of the Common Syslog Collector to which you want to subscribe to.
Step 4
Click OK.
The Syslog Analyzer server is subscribed to the specified Common Syslog Collector.
8-52
OL-25947-01
Chapter 8

If you are already subscribed to a Syslog collector, and you want to unsubscribe, select the collector and
click the Unsubscribe button.
If you want to test the Syslog collector subscription, select the collector and click Test Collector
Subscription. For more information see Testing Syslog Collector Subscription.
Testing Syslog Collector Subscription

You can test the status of the Syslog Collector that you have already subscribed or that you are going to
subscribe using the Test Collector Subscription button.
To test a Syslog collector:
Step 1
Step 2
The Collector Status dialog box appears. For the information on the dialog box, see Viewing Common
Syslog Collector Status.
Step 3
Either:
Select a Syslog collector and click Test Collector Subscription.
Test Collector Subscription popup window appears with the Syslog collector address.
Or
Step 4
Click Test Collector Subscription.
Enter the Syslog collector in the Test Collector Subscription popup window.
Click OK.
The Test Collector Subscription Status popup window appears, displaying the following status of the
Syslog collector:
SSL certificate statusStatus of the SSL Certificates. For example, SSL certificates are valid and
are properly imported. For more information see Syslog Collector Subscription Messages.
Collector statusStatus of the Syslog collector. For example, Collector is up and reachable. For
more information see Syslog Collector Subscription Messages.

OL-25947-01
8-53
Chapter 8
Syslog Collector Subscription Messages
The following table provides the Syslog collector subscription status messages shown when you test the
subscription of a Syslog Collector:
Subscription
Status
SSL Certification
Problem/Info
Message
When there is an
issue with SSL
Certificate
SSL certificate issue occurred, check if:
1.
The Self-signed Certificates are valid. For

example, Check the certificate expiry date on the
servers.
2.
The Self-signed Certificates of this server are

copied to the Syslog Collector server and
vice-versa.
To do this, go to Admin > System Administration >
Multiserver Management > Peer Server Certificate
Setup and add the certificate. See the
Administration User Guide for LMS for more
details.
Collector
3.
The SyslogCollector process on Syslog Collector

server and the SyslogAnalyzer process in the
current working server are restarted after Step
2.
4.
Both hosts are reachable by hostname.
When the SSL

certificates are
valid
SSL certificates are valid and properly imported.
When the
hostname is not
DNS resolvable
Unknown host address. Check if the host is DNS

resolvable.
If the
SyslogCollector
process is down
SyslogCollector process is down. Check if the

SyslogCollector process is running on the port
<<port number>>.
Cannot check SSL connectivity because the Syslog

If the Syslog
Collector is down Collector is down.
If the Syslog
Collector is
reachable
Syslog Collector <<collector name> is up and

reachable.
8-54
OL-25947-01
Chapter 8

Understanding the Syslog Collector Properties File

After installing the Syslog Collector on a remote system, you need to check the Syslog Collector
Properties file to ensure that the Collector is configured properly.
The Syslog Collector Properties file is available at this location:
$NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Collector.pr
operties
On Windows:
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.
properties
The following table describes the Syslog Collector Properties file:
Timezone-Related Properties
Description
TIMEZONE
The timezone of the system where the Syslog Collector is running. Enter
the correct abbreviation for the timezone. For example, the time zone for
India is IST.
For the correct Timezone abbreviation, see the Timezone file in the
following location:
/opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/n
m/LMSng/fcss/data/TimeZone.lst
On Windows,
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco
\nm\LMSng\fcss\data\TimeZone.lst
See Timezone List Used By Syslog Collector.
COUNTRY_CODE
Country code for the Syslog Collector.

We recommend that you set the country code variable with the appropriate
country code, to make sure that the Syslog timestamp conversion works
correctly.
For example, if you are in Singapore, you must set the country code
variable as COUNTRY=SGP.

OL-25947-01
8-55
Chapter 8
Description
TIMEZONE_FILE
The path of the Timezone file. This file contains the offsets for the time
zones.
After installing the Syslog Collector, ensure that the offset specified in
this file is as expected. If it is not present or is incorrect, you can add the
Timezone offset as per the convention.
The default path is:
opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/
cisco/nm/rmeng/fcss/data/TimeZone.lst
On Windows,
\nm\rmeng\fcss\data\TimeZone.lst
General Properties
SYSLOG_FILES
Filename and location of the file from which syslog messages are read.
The default location is:
/var/log/syslog_info
On Windows:
%NMSROOT%\log\syslog.log
DEBUG_CATEGORY_NAME
Name Syslog Collector uses for printed ERROR or DEBUG messages.

The default category name is SyslogCollector.
We recommend that you do not change the default value.
DEBUG_FILE
Filename and location of the Syslog Collector log file containing debug
information:
The default location is:
/var/adm/CSCOpx/log/CollectorDebug.log
On Windows,
%NMSROOT%\log\CollectorDebug.log
DEBUG_LEVEL
Debug levels in which you run the Syslog Collector.

We recommend that you retain the default INFO, which reports
informational messages. Setting it to any other value might result in a
large number of debug messages being reported.
If you change the debug level, you must restart the Syslog Collector.
The values for the Debug levels are:
Warning
Debug
Error
Info
8-56
OL-25947-01
Chapter 8

Description
DEBUG_MAX_FILE_SIZE
Maximum size of the log file containing the debug information.

The default is set to 5 MB.
If the file size exceeds the limit that you have set, Syslog Collector writes
to another file, based on the number of backup files that you have
specified for the DEBUG_MAX_BACKUPS property.
For example, if you have specified the number of backups as 2, besides
the current log file, there will be two backup files, each 5MB in size.
When the current file exceeds the 5 MB limit, Syslog Collector overwrites
the oldest of the two backup files.
DEBUG_MAX_BACKUPS
The number of backup files that you require. The size of these will be the
value that you have specified for the DEBUG_MAX_FILE_SIZE
property.
Miscellaneous Properties
READ_INTERVAL_IN_SECS
Interval at which the Collector polls the syslog file.

The default is set to 1 second.
QUEUE_CAPACITY
Size of the internal buffer, for queuing syslog messages.

The default is set to 100000
PARSER_FILE
File that contains the list of parsers used while parsing syslog messages.
The default path of the parser file:
cisco/nm/LMSng/fcss/data/FormatParsers.lst
On Windows,
\nm\rmeng\fcss\data\FormatParsers.lst
SUBSCRIPTION_DATA_FILE
Syslog Collector data file that contains the information about the Syslog
Analyzers that are subscribed to the Collector.
The default path of the data file:
cisco/nm/rmeng/csc/data/Subscribers.dat
On Windows,
\nm\rmeng\csc\data\Subscribers.dat
FILTER_THREADS
Number of threads that operate at a time for filtering syslog messages. The
default is set to 1.
COLLECTOR_PORT
Default port of the Syslog Collector. The default is set to 4444.

The port where the collector listens for registration requests from Syslog
Analyzers.

OL-25947-01
8-57
Chapter 8
Timezone List Used By Syslog Collector

The timezone of the system where the Syslog Collector is running. In the Syslog Collector Properties
file, you must enter the correct abbreviation for the timezone. See Understanding the Syslog Collector
Properties File.
For the correct Timezone abbreviation, see the Timezone file in the following location:
$NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/TimeZone.l
st
Each entry in the TimeZone.lst file represents a timezone abbreviation, and its offset from GMT. Each
offset here is 10 multiplied by the actual offset. For example, the actual offset for IST is 5.5 hours, and
the corresponding entry here is 55.
You must use the same method while modifying it.
The following is the timezone list used by Syslog Collector:
Time Zone List Used by Syslog Collector
ACT=95
ADT=30
AET=100
AEST=100
AGT=-30
AHST=-100
ART=20
AST=-90
AT=-20
BET=-30
BST=10
BT=30
CAT=10
CCT=80
CDT=-50
CEST=20
CET=10
CNT=-35
CST=-60
CTT=80
EADT=-110
EAST=100
EAT=30
ECT=10
EDT=-40
EET=20
EST=-50
FST=-20
FWT=10
GMT=0
GST=100
HDT=90
HST=-100
IDLE=120
IDLW=-120
IET=-50
IST=55
JST=90
MDT=-60
MEST=-20
MESZ=-20
MET=10
MEWT=10
MIT=-110
MST=-70
MYT=80
NET=40
NST=120
NT=-110
NZDT=130
NZST=120
NZT=120
PDT=-70
PLT=50
PNT=-70
PRT=-40
PST=-80
SST=110
SWT=10
UTC=0
VST=70
WADT=-80
WAST=70
WAT=-10
YDT=-80
YST=-90
ZP4=40
ZP5=50
ZP6=50
8-58
OL-25947-01
CH A P T E R

Monitoring and Troubleshooting Settings in the Admin menu groups all the administrative tasks that you
need to perform to monitor and troubleshoot your network using LMS.
Loading MIB Files
Configuring RMON
Configuring Topology Settings

To display Fault Poller information in Topology Maps and N-Hop view portlet, you have to enable
polling as follows:
Step 1
Select Admin > Network > Monitor / Troubleshoot > Fault Poller settings for topology.
The Fault Monitor Poller Settings page appears.
Step 2
Select the Poll Fault Monitor Server for alerts check box.
If you try to apply the settings when Fault Monitor module is not installed on a local or remote server,
you will get an error message indicating the same.
If Fault Monitor module is enabled, the list of LMS servers detected is displayed above this check box.

OL-25947-01
9-1
Chapter 9
Loading MIB Files
You can enable this option, only if:

Fault Monitor module is installed in the local LMS Server or on a remote LMS Server in the
master slave mode.

AND
LMS has detected the Fault Monitor server.
If Fault Monitor module is installed after running Data Collection, either run Data Collection or restart
ANI Server before enabling the above setting.
Step 3
Set the time interval at which the polling should occur.

Fault Monitor updates the latest event information every 6 minutes. So the time interval can be a value
between six minutes and fifty nine minutes, fifty nine seconds.
Step 4
Click Apply. The settings are saved to the server and polling starts within six minutes of the
configuration.
In addition to this, you can restrict the type of LMS event displayed in your machine. For example you
can choose to display only critical events in Topology maps.
The event information fetched from Fault Monitorserver can be launched from Topology Maps and
N-Hop view portlet, by right clicking on the required device.
Loading MIB Files

You can load a new MIB file into LMS using the Load MIB option. The new MIB file is compiled and
stored in LMS. You can use the new MIB file to create new templates by grouping MIB variables, to do
this select Monitor > Performance Settings > Setup > Templates. For more information, see Creating
a Template in Monitoring and Troubleshooting Online Help.
You can load MIB files with the file extension .my.
To load a MIB file:
Step 1
Select Admin > Network > Monitor / Troubleshoot > Load MIB.
The Load MIB dialog box appears.
Table 9-1 describes the field in the Load MIB dialog box.
Table 9-1
Load MIB Fields
Field
Description
MIB file
Use the Browse button to load a MIB file from a directory location.
For example, RFC1213-MIB.my
You are allowed to load a MIB file only from the following directory path:
In Windows, $NMSROOT\hum\mibmanager\mibcompiler\mibs
In Solaris/Soft Appliance, $NMSROOT/hum/mibmanager/mibcompiler/mibs
$NMSROOT is the default Cisco Prime LMS installation directory.
9-2
OL-25947-01
Chapter 9

Loading MIB Files
Step 2
Click Browse to select the MIB file from a directory location.

The Server Side File Browser dialog box appears.
Step 3
Double-click the MIB file from the directory location.
Step 4
Click Apply to load the MIB file into LMS or Cancel to cancel the operation.
You will be able to load and compile a new MIB file into LMS only when its dependent MIB files are
available in the directory location.
For example,
To load and compile RFC1213-MIB, the dependent MIB files for RFC1213-MIB (RFC1155-SMI and
RFC-1212) must also be available at the same directory location. If the dependent MIB files are not
available, an appropriate error message is displayed and RFC1213-MIB does not compile.
The dependent MIB files are case sensitive, the names of these dependent MIB files should be the same
as the MIB files names present in the definition files. Load only version2 MIB.
The following is the list of basic dependent MIBs that will be required for loading other MIBs in LMS:
RMON2-MIB.my
BRIDGE-MIB.my
RFC-1215.my
INET-ADDRESS-MIB.my
P-BRIDGE-MIB.my
Q-BRIDGE-MIB.my
CISCO-NETFLOW-MIB.my
CISCO-STACK-MIB.my
TOKEN-RING-RMON-MIB.my
RFC-1212.my
RMOM-MIB.my
RFC1155-SMI.my
RFC1213-MIB.my
SNMP-FRAMEWORK-MIB.my
CISCO-SMI.my
ENTITY-MIB.my
FDDI-SMT73-MIB.my
CISCO-VTP-MIB.my
SNMPv2-TC.my
SNMPv2-SMI.my
SNMPv2-MIB.my
SNMPv2-CONF.my
IF-MIB.my
IANAifType-MIB.my
EXPRESSION-MIB
CISCO-CLASS-BASED-QOS-MIB

OL-25947-01
9-3
Chapter 9
Loading MIB Files
CISCO-VOICE-DIAL-CONTROL-MIB
CISCO-IPSEC-MIB
HOST-RESOURCES-MIB
CISCO-POP-MGMT-MIB
RMON-MIB
CISCO-PORT-QOS-MIB
DIAL-CONTROL-MIB
CISCO-DIAL-CONTROL-MIB
CISCO-VOICE-COMMON-DIAL-CONTROL-MIB
CISCO-VOICE-DNIS-MIB
PerfHist-TC-MIB
CISCO-QOS-PIB-MIB
INT-SERV-MIB
CISCO-ENERGYWISE-MIB
CISCO-FRAME-RELAY-MIB
CISCO-POWER-ETHERNET-EXT-MIB
CISCO-TC
CISCO-VTP-MIB
DS1-MIB
RFC1271-MIB
To view the list of more dependent MIBs go to:

http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2 The compiled MIB file
appears in the Show MIB drop-down list in Select MIB Variables page.
9-4
OL-25947-01
Chapter 9

Configuring RMON
Configuring RMON
You can enable RMON to measure Bandwidth Utilization for Topology.
Bandwidth Utilization is the measure of traffic flowing across a link. LMS highlights bandwidth
utilization across links, in the Topology maps. It computes the bandwidth utilization by taking the best
estimate of the mean physical layer network utilization on the links, during the sampling time interval.
In Topology Map, LMS can differentiate the links using colors, based on the bandwidth utilized by them.
You can customize the filters to display bandwidth utilization.
For more details, see Customizing Bandwidth Utilization Filters in Monitoring and Troubleshooting
Online Help.
Note
Modifying the Parameters
Enabling RMON on All Ports in Selected Devices
Disabling RMON
LMS computes bandwidth utilization only on ethernet links, and not on any other type of link.
To compute bandwidth utilization in Campus Manager , you must enable Remote Monitoring (RMON).
Enabling RMON depends on two parameters.
Parameters to Compute Bandwidth Utilization
Enabling RMON depends on the following parameters:
Bucket SizeNumber of samples (incoming and outgoing packets) that will be examined for a
given point of time.
IntervalDuration for which samples are to be collected.
The default values for Bucket Size and Interval are 10 and 300 respectively. Though you cannot edit the
values through the user interface of Campus Manager , you can reconfigure these values through
command line interface. For more details see Modifying the Parameters.
Campus Manager computes bandwidth utilization only for those devices that have the same parametric
values as configured and displayed in the RMON Settings page. This application allows you to configure
only the same parametric values on all link ports. This is to avoid conflicts in computation.
Enabling RMON on Ports
LMS allows you to enable RMON on:
All Ports in selected devices. For details, see Enabling RMON on All Ports in Selected Devices
Selected Ports in selected devices, see Enabling RMON on Selected Ports in Selected Devices
Campus Manager highlights links in the Topology Map even if the devices are managed by other
applications such as HPOV, or CiscoView.

OL-25947-01
9-5
Chapter 9
Configuring RMON
Modifying the Parameters

The default Bucket Size is 10 and the Interval is 300 seconds. Campus Manager does not compute
bandwidth utilization for the links whose ports have different Interval values.
You can configure new values for the parameters in the ANIServer.properties file. To reconfigure the
values, you must restart the ANI server so that the file takes the new value.
For computing bandwidth utilization, Campus Manager takes only the latest values in the
ANIServer.properties file. You must reconfigure the link ports according to the values set in the
properties file for Topology Map to highlight the links.
You must reconfigure the parametric values before you enable RMON on ports.
Note
You must configure the same value for Interval across the devices.
To reconfigure the values:
Step 1
Enter pdterm ANIServer at the command line to stop the ANI server.
Step 2
Go to NMSROOT/campus/etc/cwsi/ANIServer.properties.
Step 3
Modify the values of the properties, RMON.interval for Interval and RMON.bucketSize for the Bucket
Size.
The maximum value that you can enter for RMON.interval is 3600 seconds (One hour).
Step 4
Enter pdexec ANIServer at the command line to start the ANI server.
After modifying the bucket size and interval, enable RMON in devices as explained in Enabling RMON
on All Ports in Selected Devices or Enabling RMON on Selected Ports in Selected Devices.
You can use RMON.percentageTolerance property in the ANIServer.properties file to provide a value for
the Interval in a range. This is a hidden property that creates a range for the Interval value.
The property adds a value to the current interval that forms the upper limit and subtracts a value from
the current interval that forms the lower limit of the range. The default hidden value is 10 percent of the
interval.
For example, if the value provided in the ANIServer.properties file is 300, the range will be 270-330.
Thus, the samples are collected for the range of 270 to 330 seconds.
If you want to change this default value, you must:
Step 1
Stop the ANI server.
Step 2
Enter pdterm ANIServer at the command line to stop the ANI server.
Step 3
Go to NMSROOT/campus/etc/cwsi/ANIServer.properties.
Step 4
Enter RMON.percentageTolerance=value.
Step 5
Start the ANI server.
Step 6
Enter pdexec ANIServer at the command line to start the ANI server.
9-6
OL-25947-01
Chapter 9

Configuring RMON
Enabling RMON on All Ports in Selected Devices

To enable RMON on all ports in selected devices:
Step 1
Select Admin > Network > Monitor / Troubleshoot > RMON Configuration.
The Enable RMON dialog box appears. The Device Selector pane displays a list of all devices.
Step 2
Select the check box corresponding to the devices for which you want to enable RMON.
The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as
300.
For a Bucket Size of 10, and interval of 300 seconds, LMS collects 10 samples of bandwidth utilization
across links over a period of 50 minutes, with an interval of 5 minutes (300 seconds).
To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters,
repeat all the steps listed in this section, for enabling RMON with the new parameters.
Step 3
Check the Configure on all links check box to configure all the ports of the selected devices in the
Device Selector.
Step 4
Click Configure to enable RMON on all the ports in the selected devices.
The following command is configured on the selected ports:
rmon collection history
integer owner ownername buckets bucket-number interval seconds
Example:
4 owner campusmanager buckets 10 interval 300

To enable RMON on selected ports in selected devices:
Step 1
Select Admin > Network > Monitor / Troubleshoot > RMON Configuration.
The Enable RMON dialog box appears. The Device Selector pane displays the list of devices.
Step 2
Select the check box corresponding to the devices for which you want to enable RMON.
The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as
300.
For a Bucket Size of 10, and interval of 300 seconds, Campus Manager collects 10 samples of bandwidth
utilization across links over a period of 50 minutes, with an interval of 300 seconds (5 minutes).
To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters,
repeat all the steps listed in this section, for enabling RMON with the new parameters.
Step 3
Uncheck the Configure on all Links check box since it is checked by default.
Step 4
Click Select links to select the ports for which you want to enable RMON.
It displays the list of ports in the selected devices. For details on the list displayed, see Table 9-2.
The Select Links check box is enabled only when you uncheck the Configure on all links check box.

OL-25947-01
9-7
Chapter 9
Table 9-2
Select Links for RMON Configuration Column Description
Column
Description
Port
Name of the port.
Device Name
Name of the device where the port is connected.
Device Address
The IP address of the device.
isLink
True
is displayed for link ports and False for a non-link port.
Step 5
Select check boxes corresponding to the ports for which you want to enable RMON.
Step 6
Click Configure to enable RMON on the selected ports.

The following command is configured on the selected ports:
integer owner ownername buckets bucket-number interval seconds
Example:
4 owner campusmanager buckets 10 interval 300
Disabling RMON
After you have enabled RMON on a device through LMS, you can disable it using Command Line
Interface (CLI) only.
Commands to Disable RMON
For a device running Cisco IOS, enter the following command at the CLI prompt:
no rmon
For a device running Catalyst operating system, enter the following command at the CLI prompt
set snmp rmon disable

You can configure the following Topology Settings:
Restrict Topology Maps to display only authorized devices.

For details, see Viewing Restricted Topology.
Configure LMS to fetch event information from Fault Monitor, and display it in Topology Maps.
For details, see Configuring Fault Poller Settings For Topology.
9-8
OL-25947-01
Chapter 9

Viewing Restricted Topology

Topology Maps display all the devices discovered by LMS.
To view the Restricted Topology:
Step 1
Select Admin > Network > Monitor / Troubleshoot > Restricted Topology View.
The configuration screen is displayed.
Step 2
Select Display Only the Authorized devices in Topology Maps.
Step 3
Click Apply.
Topology Maps display only the devices you are authorized to view. If Topology Services is already
launched, close it and relaunch for the change to take effect.
Important Notes
If you change the management IP address of an authorized device:
It becomes an unauthorized device.
The device is not shown in Topology maps in the consecutive relaunches.
When the changed IP address is given as root in N-hop view portlet, it results in an error.

OL-25947-01
9-9
Chapter 9
9-10
OL-25947-01
CH A P T E R
10

The Notification and Action Settings groups all the administrative tasks involved in setting up
notification, syslog settings. You can also customize the names and event severity, create and activate a
notification subscriptions, and setup up automated actions for Change Audit tasks and syslogs.
Configuring Event Sets and Notification Groups for Subscriptions
Managing Fault SNMP Trap Notifications
Managing Fault E-Mail Configurations
Managing Fault Syslog Notifications
Configuring Fault SNMP Trap Receiving and Forwarding
Performance Syslog Notification Groups
Defining Automated Actions
Defining Syslog Message Filters
Inventory and Config Collection Failure Notification

OL-25947-01
10-1
Chapter 10

To use Notification Services, you must create and activate a notification subscription. The subscription
requires a Notification group component. This component specifies the notification criteria (the devices
to monitor, how severe an event must be to be reported, and so forth).
Optionally the notification group can also contain an Event set listing the events you want to monitor;
this is useful when you do not want to monitor all events that occur on a device. Notification groups can
be static or dynamic. The Fault Management module in LMS 4. 0 can be set up to have either static
notification groups or dynamic notification groups.
If you work with static groups, no further devices can be added to those groups.
If you set up dynamic groups, then any device that fits the criteria for the groups will be added to
those groups.
After you have configured your subscription, you can name it according to your needs. Regardless of
whether you configure SNMP Trap, E-Mail, or Syslog notifications, you must always create a
subscription containing a notification group. The final step in configuring your notification subscription
is specifying the notification recipients.
Note
If a subscription is monitoring all events on a device (by not using an event set), and another subscription
is monitoring only specific events on a device, you will receive duplicate notifications.
Notification Services tracks events on device types, not on device components.
For details on Notifications and Subscriptions, see the following topics:
Creating a Notification Subscription
Notification Types
Notification Replay
Subscriptions
Events
Creating a Notification Subscription
To create a notification subscription, perform the following steps:

1.
If you want to monitor a specific set of events, create an event set that contains the events you want
to monitor. Otherwise, all events will be monitored.
2.
Create a notification group that specifies the criteria the Fault Management module should use when
generating notifications:
One or more event sets (if no event set is specified, all events are monitored)
Devices, event severity and status
You can specify the notification group name, along with entering identifying information (using the
Customer ID and Customer Revision fields).
10-2
OL-25947-01
Chapter 10

3.
Create a subscription by doing the following:

a. Select the notification type (SNMP Trap, E-Mail, or Syslog).
b. Name the subscription and apply a notification group to it.
c. Specify the recipients (hostname, e-mail address).
d. Save the subscription. It will automatically start running.
4.
Customize the subject of the e-mail by doing the following:

a. Select the subject from the available list
b. Add to the selected list
c. Arrange the order of the subjects
d. Save the customization of the e-mail subject
Notification Types
The Fault Management module in LMS 4.2 provides three types of notifications:
SNMP Trap NotificationFault Management module generates traps with information about the
events that caused it. CISCO-EPM-NOTIFICATION-MIB defines the trap message format. For
more information, see Notification MIB in Monitoring and Troubleshooting Online Help. LMS can
also generate SNMP trap notifications for specified events.
Using SNMP trap notification is different from forwarding raw traps to another server before they
have been processed by LMS.
E-mail NotificationLMS generates e-mail messages containing information about the events that
caused it. CISCO-EPM-NOTIFICATION-MIB defines the message, which is included in the e-mail
in text format. You can specify that you want the e-mail to only contain an informational subject
line or can customize the e-mail subject. For information on the customizing the e-mail subject, see
Managing Fault E-Mail Subject Customization.
Syslog NotificationLMS generates Syslog messages that can be forwarded to Syslog daemons on
remote systems.
All notifications have a default maximum message size of 250 characters. You can reset this variable to
any value between 250 and 1024 characters by editing the notification properties file.
To do this:
Procedure
Step 1
Open the configuration file NMSROOT/objects/nos/config/nos.properties.
Step 2
Locate the following lines and change the value to any value up to 1024 characters:
MAX_TRAP_DES=250
MAX_EMAIL_DES=250
MAX_SYSLOG_DES=250

OL-25947-01
10-3
Chapter 10
Step 3
Stop and restart the Cisco Prime daemon manager on the LMS server.
a.
Stop the daemon manager:

On Windows:
net stop crmdmgmt
b.
Restart the daemon manager:

On Windows:
net start crmdmgmt
Notification Replay
You can configure LMS to replay notifications in the event that LMS has to be restarted. Edit the file
/opt/CSCOpx/objects/nos/config/nos.properties as follows:
To do this, set the value SEND_NOTIF_ON_START=1 to enable this feature. When the value is set to
the default value (0), the notifications will not be replayed.
Subscriptions
LMS sends notifications based on user-defined subscriptions. You can create up to 32 notification
subscriptions. A subscription for SNMP trap notification or e-mail notification includes the following
common elements, as determined by the CISCO-EPM-NOTIFICATION-MIB:
DevicesThe devices or device groups of importance to the recipients.
Event severity and statusOne or more event severity levels and status. You can also customize the
names of the events used by Notification Services, and Fault History. See Customizing LMS Events.
RecipientsOne or more hosts to receive SNMP traps or users to receive e-mail. For Syslog
notifications, the recipient would be the remote host containing a Syslog daemon configured to
listen for Syslog messages.
NameA user-defined name to identify the subscription.
Subscriptions are based on user-configured event sets and notification groups. See Configuring Event
Sets and Notification Groups for Subscriptions for more information.
Events
LMS sends notifications whenever an event occurs that matches a subscription. For each event, LMS
compares the device, severity, and state against subscriptions and sends a notification when there is a
match. Matches can be determined by user-configured event sets and notification groups.
The procedure for configuring notification groups is described in Configuring Event Sets and
Notification Groups for Subscriptions.
10-4
OL-25947-01
Chapter 10

LMS assigns one severity to each event and changes the state of an event over time, responding to user
input and changes on the device. Table 10-1 lists values for severity and explains how the state of an
event changes over time.
Note
You can change event names to names that are more meaningful to you. See Customizing LMS Events.
Table 10-1
Event Severity and Status
LMS categorizes events by severity and status

Severity
Critical
Informational
Status
ActiveThe event is live.
ACKA user has manually acknowledged the event. A user can

acknowledge only active events.
ClearedThe event is no longer active.
Events that have been cleared either expire or, if associated with a suspended
device, remain in LMS until a user resumes or deletes the device.

Notification Services allows you to customize the names and event severity in LMS.
Customizing Names: When you customize an event name, that name is reflected in all notifications,
and in Fault History. The new event name is used for all instances of an event, regardless of the
component on which the event occurs. You can easily revert to the default event names as needed.
The Notification Customization page also lists the new name and default name, so you can easily
check which names have been changed.
Customizing Event Severity: The event severity can be customized using the New Event Severity
feature. You can select Critical or Warning or Informational from the drop-down list.
To customize names and event severity:

Step 1
Select Admin > Network > Notification and Action Settings > Fault Notification Customization.
The Notification Customization page appears.
Step 2
Select the event names you want to customize by clicking the check box beside each event name.
Step 3
Enter your new names in the New Event Description fields.
Step 4
Select the event severity from the New Event Severity drop-down list.
You can select Critical or Informational.
Step 5
Enter any notes for information in the Troubleshooting Information field.
Step 6
Click Save to save your changes locally.
Step 7
Click Apply for the saved settings to take effect.

The confirmation window appears.

OL-25947-01
10-5
Chapter 10
Step 8
Click Yes.
The changes are applied to LMS.
To revert to default event names:
a.
From the Notification Customization page, select the events you want to restore to their default
names, and click Restore factory settings.
b.
Apply your changes by clicking Yes when the confirmation window appears.
Configuring Event Sets and Notification Groups for

Subscriptions
Before you can create an SNMP trap or an e-mail or Syslog notification subscription, you must create a
notification group. Creating event sets is optional.
Event sets list the events you want monitored for notifications
Notification groups contain the criteria that LMS should use when generating a notification:
One or more event sets, or all events
Devices
Event status and severity
Fields for user-specified additional information you want to include with the subscription
Creating event sets and notification groups are described in the following topics:
Configuring Event Sets
Configuring Fault Notification Groups

Event sets are groups of the events you want to monitor. You can create up to nine event sets, labeled A
through I.
After you have created an event set, you can apply as many of them as you want to a notification group,
thereby tracking the specific events in which you are interested. If you do not specify an event set, LMS
will monitor all events for notifications.
Note
10-6
OL-25947-01
Chapter 10

To configure event sets:

Step 1
Select Admin > Network > Notification and Action Settings > Event Sets:
The Event Sets page appears. The page contains the following information:
Field
Description
Select/Unselect All for Event Set Select an Event Set from the drop-down list.
Step 2
Step 3
Event Code
Notification Services code for the event. This number cannot be

changed and is used to map default names to customized names.
Description
Event description (user-defined or default).
Severity
Event severity.
A-I
Event set label. If an X appears in this column, the corresponding

event belongs to that event set.
For each event set you want to configure, select events by doing either of the following:
Select specific events by clicking the editable field under the label, and selecting X.
Select or deselect all events for an event set using the Select or the Deselect button.
Click Apply.
If you want to create a notification subscription, first create a notification group that uses your event set.
See Configuring Fault Notification Groups.
Configuring Fault Notification Groups

When you set up a subscription, LMS lets you choose from existing notification groups. You can then
configure an SNMP trap or an e-mail or Syslog notification to use a specific notification group. The
notification groups contains the following information:
One or more event sets, if desired (otherwise, the notification group will contain all events)
Devices
Event status and severity
Fields for user-specified additional information you want to include with the subscription
Whether the group is static or dynamic
You can configure a maximum of 64 notification groups.

Notification Services will not refilter the devices if there is a change in the device list you may access.
This section contains: Setting Up a Fault Notification Group as Static or Dynamic
Note
You cannot delete a notification group that is being used by a running subscription.

OL-25947-01
10-7
Chapter 10
To configure Fault Notification groups:

Step 1
Select Admin > Network > Notification and Action Settings > Fault Notification Group.
Step 2
Click Add to create a notification group.

The Notification Group Save: Add page appears. (If you want to edit or delete a notification group, click
the appropriate button and follow the instructions.)
Step 3
Specify the devices, event sets (if desired), and event severity and status. Click Next.
With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To
assist you in locating devices, use the search option in the mega menu.
Step 4
Specify the notification group name, and enter any desired identifying information in the Customer ID
and Customer Revision fields.
For e-mail and Syslog notifications, if you leave these fields blank, they are left blank in the
notification.
For SNMP trap notifications, if you leave these fields blank, they are displayed as followed in any
notifications:
Customer ID: Customer Revision: *
Step 5
Click Next.
Step 6
Create the notification group by clicking Finish.
Step 7
To create a notification subscription, follow the instructions in one of these topics:
Adding an SNMP Trap Notification Subscription
Adding a Syslog Notification Subscription
Setting Up a Fault Notification Group as Static or Dynamic

Fault Notification groups in LMS can be static or dynamic. If you set up LMS to include static groups,
mappings between the list of the devices and the notification events for those devices are generated. You
cannot add devices to or delete devices from a static group.
If you set up LMS to have dynamic groups, then any device that fits the criteria for a group will be added
to that group. You can also delete devices from a dynamic group.
When a device is added to a group, all similar devices are also added. For example, if you have ten
routers in the network and create a dynamic group that contains five of these routers, when you add an
eleventh router, that router is added to the group along with the other five routers. The group would then
contain all eleven routers.
Note
Notification groups can be static or dynamic; you cannot have a mix of group types.
10-8
OL-25947-01
Chapter 10

To set up LMS to include dynamic groups, edit the file /opt/CSCOpx/objects/nos/config/nos.properties

and set the following value:
DYNAMIC_NOTIF_GROUPS=1
For additional information, see the following topics:

The SNMP Trap Notifications page displays the following information:
SubscriptionThe name of the user-defined request for notification.
StatusThe subscription status; can be either of the following:

RunningLMS is using the subscription while monitoring events to determine when to send a
notification.
SuspendedLMS will not use the subscription unless you resume it.
Notification GroupThe name of notification group that is applied to the subscription.
You are completely in control of subscriptions. LMS does not delete subscriptions under any
circumstances.
From the SNMP Trap Notifications page, you can perform the tasks listed in Table 10-2.
Table 10-2
Task
SNMP Trap Notification Subscriptions
Sample Usage
Reference
Add
Add a subscription that will send SNMP trap notification Adding an SNMP Trap
for one device with an event of any severity (critical or Notification Subscription
informational) and any status (active, acknowledged, or
cleared).
Edit
View the notification group and hosts that comprise the

subscription.
Change the trap recipients/notification groups that

comprise the subscription.
Temporarily stop sending SNMP trap notifications to a

host.
Temporarily stop sending SNMP trap notifications about

a device group.
Start sending SNMP trap notifications to a host again.
Start sending SNMP trap notifications about a device

group using a previously suspended subscription.
Remove SNMP trap notification subscriptions that are no Deleting an SNMP Trap
Notification Subscription
longer useful.
Remove redundant SNMP trap notification

subscriptions.
Suspend
Resume
Delete
Editing an SNMP Trap

Suspending an SNMP
Trap Notification
Subscription
Resuming an SNMP Trap

OL-25947-01
10-9
Chapter 10
Adding an SNMP Trap Notification Subscription

After you add a subscription for SNMP trap notification, generated SNMP traps are forwarded to the
hosts you specify until you change, suspend, or delete the subscription.
Note
Adding a subscription is a multi-step process. Your changes are not saved until you click the Finish
button on the final page.
Before You Begin
You must create a notification group before you can create an SNMP trap notification subscription. Refer
to Configuring Fault Notification Groups.
To add an SNMP trap notification subscription:
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.
Step 2
Click Add.
Step 3
Complete the Trap Subscription Save: Add window:

a.
Enter a subscription name.
b.
Select a notification group.

If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate
the Recipients from Upgrade check box. (This choice is only available for systems that have been
upgraded from earlier versions of LMS.)
c.
Step 4
Click Next.
Enter one or more hosts as recipients for traps:

a.
For each host, enter:
An IP address or DNS name for the hostname.

Restart the NOSServer to pick up the change in the host name when host name is used for the
trap server and there is a change in that host name.
b.
Step 5
A port number on which the host can receive traps. If the port number is unspecified (empty),
the port defaults to 162. (You can verify this in Step 5.)
A comment. (This is optional).
Click Next.
Review the information that you entered and click Finish.

The SNMP Trap Notifications page is displayed, showing the new subscription.
Note
No information is saved until you complete Step 5.
10-10
OL-25947-01
Chapter 10

Editing an SNMP Trap Notification Subscription

You can edit an SNMP trap notification subscription regardless of its status (Running or Suspended).
After you edit an SNMP trap notification subscription, if the subscription status is Running, traps are
forwarded as specified until you edit, suspend, or delete the subscription. Editing a suspended
subscription automatically resumes it.
Note
Editing a subscription is a multi-step process. Your changes are not saved until you click the Finish
button on the final page.
Step 1
Step 2
Select the subscription you want to edit by clicking the radio button beside it.
Step 3
Click Edit.
Step 4
Edit the Trap Subscription Save: Edit window:

a.
Change the subscription name.
b.
Select another notification group.

If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate
the Recipients from Upgrade check box. (This choice is only available for systems that have been
upgraded from earlier versions of LMS.)
c.
Step 5
Add or delete a recipient host or change the port number for a host:
a.
Step 6
Click Next.
To add one or more recipients, for each host, enter:
A port number on which the host can receive traps. If the port number is unspecified (empty),
the port defaults to 162. (You can verify this in Step 6.)
A comment. This is optional.
b.
To delete a recipient, delete the hostname, port number, and comment, if any.
c.
Click Next.
Review the information that you entered and click the Finish.
The SNMP Trap Notifications page is displayed.
Suspending an SNMP Trap Notification Subscription

After you suspend an SNMP trap notification subscription, LMS stops using the subscription to select
and forward traps. The subscription status changes to Suspended.
To do this:

OL-25947-01
10-11
Chapter 10
Step 1
Step 2
Select the subscription you want to suspend by clicking the radio button beside it.
Step 3
Click Suspend.
Step 4
Click OK in the confirmation dialog box.

The SNMP Trap Notification Subscriptions page is displayed. The subscription status is Suspended.
Resuming an SNMP Trap Notification Subscription

You can resume an SNMP trap notification subscription only when the subscription status is Suspended.
After you resume a subscription, LMS starts using it to identify events for which to forward traps. The
subscription status changes to Running.
To do this:
Step 1
Step 2
Select the subscription you want to resume by clicking the radio button beside it.
Step 3
Click Resume.
Step 4

The SNMP Trap Notification Subscriptions page is displayed. The subscription status is Running.
Deleting an SNMP Trap Notification Subscription

You can delete an SNMP trap notification subscription regardless of the subscription status. Deleting a
subscription removes it permanently from LMS.
Note
You can also suspend a subscription. Suspending a subscription causes the subscription to not be used
until a user resumes it.
To delete an SNMP trap notification subscription:
Step 1
Step 2
Select the subscription you want to delete by clicking the radio button beside it.
Step 3
Click Delete.
Step 4

The SNMP Trap Subscriptions page appears. The subscription is no longer displayed.
10-12
OL-25947-01
Chapter 10


Managing Fault E-Mail Notification Subscriptions
Managing Fault E-Mail Subject Customization
You can use the E-Mail Configuration page to configure E-mail notification subscription and to
customize the E-mail subject.
The E-Mail Configuration page displays the following information:
Note
E-Mail Notification: Forwards events as e-mail to specified e-mail recipients. Forwarded traps are
based on Notification Groups.
E-Mail Subject Customization: Customizes the e-mail subject for forwarded events.
You may not be able to use some of these functions if you do not have the required privileges.
Managing Fault E-Mail Notification Subscriptions

The E-Mail Notification Subscription page displays the following information:

RunningLMS is using the subscription while monitoring events to determine when to send a
notification.
SuspendedLMS will not use the subscription unless you resume it.
You are completely in control of subscriptions. LMS does not delete subscriptions under any
circumstances. From the E-Mail Notifications page, you can perform the tasks listed in Table 10-3.
Table 10-3
E-Mail Notification Subscriptions
Task
Sample Usage
Add
Add a subscription that will send e-mail notification to a user for one device with
an event of any severity (critical or informational) and any status (active,
acknowledged, or cleared).
See Adding and Editing an E-Mail Notification Subscription for more information.
Edit
Suspend
View the notification group and e-mail recipients that comprise the
subscription.
Change the e-mail recipients/notification group that comprise the subscription.
Temporarily stop sending e-mail notifications to a user.
Temporarily stop sending e-mail notifications about a device group.

OL-25947-01
10-13
Chapter 10
Table 10-3
E-Mail Notification Subscriptions (continued)
Task
Resume
Delete
Sample Usage
Start sending e-mail notifications to a user again.
Start sending e-mail notifications about a device group using a previously

suspended subscription.
Remove e-mail notification subscriptions that are no longer useful.
Remove redundant e-mail notification subscriptions.

After you add or edit a subscription for e-mail notification, LMS sends e-mail to the users you specify
whenever an event occurs that matches the subscription.
Note
Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Before You Begin
You must create a notification group before you can create an E-Mail Notification subscription. Refer
To add or edit a subscription for e-mail notification:
Step 1
Select Admin > Network > Notification and Action Settings > Fault - Email notification.
The E-Mail Notification Subscriptions page appears.
Step 2
You can do one of the following:
Click Add.
Click Edit.
You can edit an e-mail notification subscription regardless of its status (Running or Suspended).
After you edit an e-mail notification subscription, if the subscription status is Running, e-mail is
forwarded as specified until you change, suspend, or delete the subscription. Editing a suspended
Click Delete.
The E-Mail Subscriptions page appears. The subscription is no longer displayed.
Select the subscription you want to suspend by clicking the radio button beside it and click Suspend.
The E-Mail Notification Subscriptions page is displayed. The subscription status is Suspended.
After you suspend an e-mail notification subscription, LMS stops using the subscription to send
e-mail notification.
Select the subscription you want to resume by clicking the radio button beside it and click Resume.
10-14
OL-25947-01
Chapter 10

The E-Mail Notification Subscriptions page is displayed. The subscription status is Running. After
you resume an e-mail notification subscription, LMS starts using the subscription to determine when
e-mail notification should be sent in response to an event.
Step 3
When you add or edit a subscription for e-mail notification, a page appears with the following fields:
Field
Description
Subscription Name
Enter a subscription names.
Notification Group

If you are upgrading LMS and want to use the
e-mail recipients from an earlier configuration,
activate the Recipients from Upgrade check box.
(This choice is only available for systems that
have been upgraded from earlier versions of
LMS.)
Step 4
Click Next.
Step 5
Enter the following e-mail information:

Field
Description
SMTP Server
The name of the default Simple Mail Transfer Protocol (SMTP) server
may already be displayed. The server is specified using Admin >
System > SMTP Default Server. You may also enter a fully qualified
DNS name or IP address for an SMTP server.
To select from any non-default SMTP servers in use by existing
subscriptions, click the SMTP Servers button.
Sender Address
Enter the e-mail address that notifications should be sent from. If the
senders e-mail service is hosted on the SMTP server specified, you need
enter only the username. You do not need to enter the domain name.
Recipient Addresses
Enter one or more e-mail addresses that notifications should be sent to,
separating multiple addresses with either a comma or a semicolon. If a
recipients e-mail service is hosted on the SMTP server specified, you
need to enter only the username. You do not need to enter the domain
name.
By default, e-mail notification supplies a fully detailed e-mail message.
To omit the message body and send only a subject line, select the
Headers Only check box.
Headers Only (check box)
Step 6
Click the Next button located at the bottom of the page.
Step 7

The E-Mail Notification Subscriptions page is displayed, showing the new subscription.
Note

OL-25947-01
10-15
Chapter 10
Managing Fault E-Mail Subject Customization

You can use the E-Mail Subject Customization page to customize the e-mail subject for forwarded
events. You need to select the subject attributes and the order in which they are to be displayed. When
you apply and save the selections, the e-mails are sent in the customized order.
The E-Mail Subject Customization page displays the following information:
Available Subjects for E-mail: The additional subjects that are fetched from the LMS database. You
can use these subjects along with the default available subjects while sending e-mail notifications.
By default, following list of e-mail subject attributes are displayed in the Available Subjects for
E-Mail box:
ifAlias
sysLocation
sysContact
When you import devices from DCR, the subject information gets updated into LMS database and
they are displayed as available subjects for e-mails.
Selected Subjects for E-mail: The selected subjects including the default ones in the selected order
displayed by the side of the available subjects.
To customize the e-mail subject:

Step 1
Select Admin > Network > Notification and Action Settings > Fault - Email subject customization.
The available and selected lists of the subject attributes for e-mail are displayed.
To customize the e-mail subject, you can add and remove subjects from the current e-mail subjects list.
By default, following list of e-mail subject attributes are displayed in the Selected Subjects for E-Mail
box.
Event ID
Device Name
Time
Severity
Event Name
Status
To add a subject:
a.
Select the subject attribute from Available Subjects for E-Mail.
b.
Click Add.
The selected subject attribute is added to the Selected Subjects for E-Mail list.
You can add a subject attribute only from the Available Subjects list to the Selected Subjects list.
You cannot add a subject attribute from the Selected subject list to the Available Subject list.
10-16
OL-25947-01
Chapter 10

To remove a subject attribute:

a.
Select the subject attribute from Selected Subjects for E-Mail.
b.
Click Remove.
The selected subject attribute is removed from the Selected list and added to the Available subjects
for E-Mail list.
You can remove a subject attribute only from the Selected Subjects list and not from the Available
Subjects list.
Step 2
Click Up or Down to rearrange the order of the selected e-mail subject attributes.
Step 3
Click Apply to save the customized e-mail subject attributes.

The Syslog Notifications page displays the following information:

RunningFault Management module is using the subscription while monitoring events to
determine when to send a notification.

SuspendedFault Management module will not use the subscription unless you resume it.
You are completely in control of subscriptions. Fault Management module does not change or delete
subscriptions under any circumstances. From the Syslog Notifications page, you can perform the tasks
listed in Table 10-4.
Table 10-4
Task
Syslog Notification Subscriptions
Sample Usage
Reference
Add
Add a subscription that will send a Syslog notification to Adding a Syslog

a remote machine for one device with an event of any
severity (critical or informational) and any status (active,
acknowledged, or cleared).
Edit
View the notification group and Syslog recipient that

Change the Syslog recipients/notification group that

Temporarily stop sending Syslog notifications to a

remote host.
Temporarily stop sending Syslog notifications about a

device group.
Suspend
Editing a Syslog
Suspending a Syslog

OL-25947-01
10-17
Chapter 10
Table 10-4
Task
Syslog Notification Subscriptions (continued)
Sample Usage
Reference
Start sending Syslog notifications to a remote host again. Resuming a Syslog

Start sending Syslog notifications about a device group
using a previously suspended subscription.
Resume
Delete
Remove Syslog notification subscriptions that are no

longer useful.
Remove redundant Syslog notification subscriptions.
Deleting a Syslog
Adding a Syslog Notification Subscription

After you add a subscription for Syslog notification, LMS sends a Syslog message to the specified
remote hosts whenever an event occurs that matches the subscription.
Note
Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Before You Begin
Step 1
You must create a notification group before you can create a Syslog Notification subscription. Refer
A remote machines Syslog daemon must be configured to listen on a specified port, and you must
enter this information in Step 3 of the following procedure. LMS uses the default port 514.
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.
Step 2
Click Add.
a.
Enter a subscription name.
b.
c.
Select a facility from the drop-down list (the default is Local Use 0). The Facility field and the event
severity are used for the PRI portion of the Syslog message, as follows:
[Facility*8][Severity]
Event severity values are as follows:
Critical = 2
Information = 6
You can enter location information (up to 29 characters). This information will be populated in the
Syslog message. This is optional.
d.
Step 3
Click Next.
Enter one or more hosts as recipients for Syslog notifications.

a.
10-18
OL-25947-01
Chapter 10

b.
A port number on which the Syslog daemon is listening. If the port number is unspecified
(empty), the port defaults to 514. (You can verify this in Step 5.)
Click Next.
Step 4
Enter the name of the subscription in the Save As field and click Next.
Step 5

The Syslog Notification Subscriptions page is displayed with the new subscription.
Note
Editing a Syslog Notification Subscription

You can edit a Syslog notification subscription regardless of its status (Running or Suspended).
After you edit a Syslog notification subscription, if the subscription status is Running, Syslog messages
are forwarded as specified until you change, suspend, or delete the subscription. Editing a suspended
Note
Step 1
Editing a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Step 2
Select the subscription you want to edit by clicking the radio button beside it.
Step 3
Click Edit.
Step 4
Edit the Syslog Subscription Save: Edit window:

a.
Change the subscription name.
b.
Select a different notification group.
c.
Select a Facility from the drop-down list (the default is Local Use 0). The Facility field and the event
severity is used for the PRI portion of the Syslog message, as follows:
[Facility*8][Severity]
Event severity values are as follows:
Critical = 2
Informational = 6
You can enter location information (up to 29 characters). This information will be populated in the
Syslog message. This is optional.
d.
Step 5
Click Next.
Add or delete a recipient host or change the port number for a host:
a.
To add one or more recipients, for each host, enter:

OL-25947-01
10-19
Chapter 10
A port number on which the Syslog daemon is listening. If the port number is unspecified
(empty), the port defaults to 514. (You can verify this in Step 7.)
b.
To delete a recipient, delete the hostname, port number, and comment, if any.
c.
Click Next.
Step 6
Click the Next button located at the bottom of the page.
Step 7

The Syslog Notification Subscriptions page is displayed.
Suspending a Syslog Notification Subscription

After you suspend a Syslog notification subscription, LMS stops using the subscription to send Syslog
notifications. The subscription status changes to Suspended.
Step 1
Step 2
Select the subscription you want to suspend by clicking the radio button beside it.
Step 3
Click Suspend.
Step 4

The Syslog Notification Subscriptions page is displayed. The subscription status is Suspended.
Resuming a Syslog Notification Subscription

After you resume a Syslog notification subscription, LMS starts using the subscription to determine
when Syslog notifications should be sent in response to an event. The subscription status changes to
Running.
To resume a syslog notification subscription:
Step 1
Step 2
Select the subscription you want to resume by clicking the radio button beside it.
Step 3
Click Resume.
Step 4

The Syslog Notification Subscriptions page is displayed. The subscription status is Running.
10-20
OL-25947-01
Chapter 10

Deleting a Syslog Notification Subscription

You can delete a Syslog notification subscription regardless of the subscription status. Deleting a
subscription removes it permanently from LMS.
Note
You can also suspend a subscription. Doing so causes the subscription to not be used until a user resumes
it.
To delete a syslog notification subscription:
Step 1
Step 2
Select the subscription you want to delete by clicking the radio button beside it.
Step 3
Click Delete.
Step 4

The Syslog Subscriptions page appears. The subscription is no longer displayed.

LMS can receive traps on any available port and forward them to a list of devices and ports. This
capability enables LMS to work with other trap processing applications.
Enabling Devices to Send Traps to LMS
Enabling Cisco IOS-Based Devices to Send Traps to LMS
Enabling Catalyst Devices to Send SNMP Traps to LMS
Updating the SNMP Trap Receiving Port
Configuring SNMP Trap Forwarding
LMS will only forward SNMP traps from devices in the LMS inventory.
It will not change the trap formatit will forward the raw trap in the format in which the trap was
received from the device. However, you must enable SNMP on your devices and you must do one of the
following:
Note
Configure SNMP to send traps directly to LMS
Integrate SNMP trap receiving with an NMS or a trap daemon
The ports and protocols used by Cisco Prime are listed in Installing and Migrating to Cisco Prime LAN
Management Solution 4.2.

OL-25947-01
10-21
Chapter 10
Enabling Devices to Send Traps to LMS

Note
If your devices send SNMP traps to a Network Management System (NMS) or a trap daemon, see
Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs.
Since LMS uses SNMP MIB variables and traps to determine device health, you must configure your
devices to provide this information. For any Cisco device that you want LMS to monitor, SNMP must
be enabled and the device must be configured to send SNMP traps to the LMS server.
Make sure your devices are enabled to send traps to LMS by using the command line or GUI interface
appropriate for your device:
10-22
OL-25947-01
Chapter 10


For devices running Cisco IOS software, enter the following commands:
(config)# snmp-server [community string] ro
(config)# snmp-server enable traps
(config)# snmp-server host [a.b.c.d] traps [community
string]
where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the
SNMP trap receiving host (the LMS server).
For more information, see the appropriate command reference guide.
To enable Cisco IOS-Based devices to send traps to LMS:
Step 1
Log into Cisco.com.
Step 2
Select Products & Services > Cisco IOS Software.
Step 3
Select the Cisco IOS software release version used by your IOS-based devices.
Step 4
Select Technical Documentation and select the appropriate command reference guide.

For devices running Catalyst software, provide the following commands:
(enable)# set snmp community read-only [community string]
(enable)# set snmp trap enable all
(enable)# set snmp trap [a.b.c.d] [community string]
where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the
SNMP trap receiving host (the LMS server).
For more information, see the appropriate command reference guide.
Step 1
Log into Cisco.com.
Step 2
Select Products & Services > Cisco Switches.
Step 3
Select the appropriate Cisco Catalyst series switch.
Step 4
Select Technical Documentation and select the appropriate command reference guide.

OL-25947-01
10-23
Chapter 10

You might need to complete one or more of the following steps to integrate SNMP trap receiving with
other trap daemons and other Network Management Systems (NMSs):
If you are integrating LMS with a remote version of HP OpenView or NetView, you must install the
appropriate adapter on the remote HP OpenView or NetView (see Installing and Migrating to Cisco
Prime LAN Management Solution 4.2. This guide also provides information on supported versions).
You do not need to install any adapters if HP OpenView or NetView is installed locally.
Add the host where LMS is running to the list of trap destinations in your network devices. See
Enabling Devices to Send Traps to LMS. Specify port 162 as the destination trap port. (If another
NMS is already listening for traps on the standard UDP trap port (162), use port 9000, which LMS
will use by default.)
If your network devices are already sending traps to another management application, configure that
application to forward traps to LMS.
Table 10-5 describes scenarios for SNMP trap receiving and lists the advantages of each.
Table 10-5
Configuration Scenarios for Trap Receiving
Scenario
Advantages
Network devices send traps to port 162 of the host where

LMS is running. LMS receives the traps and forwards
them to the NMS.
NMS receives traps on default port 162 and forwards

them to port 162 on the host where LMS is running.
No reconfiguration of the NMS is required.
No reconfiguration of network devices is required.
LMS provides a reliable trap reception and forwarding

mechanism.
NMS continues to receive traps on port 162.
Network devices continue to send traps to port 162.
No reconfiguration of the NMS is required.
No reconfiguration of network devices is required.
LMS does not receive traps dropped by the NMS.
Updating the SNMP Trap Receiving Port

By default, LMS receives SNMP traps on port 162 (or, if port 162 is occupied, port 9000). If you need
to change the port, you can do so. LMS supports SNMP V1, V2, and V3 traps for trap receiving.
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap receiving settings.
Step 2
Enter the port number in the Receiving Port text box.
Step 3
Click Apply.
For a list of ports that are already in use, see Installing and Migrating to Cisco Prime LAN Management
Solution 4.2. If you have two instances of the DfmServer process running, traps will be forwarded from
the first instance to the second instance.
10-24
OL-25947-01
Chapter 10

Configuring SNMP Trap Forwarding

Note
Your login determines whether or not you can perform this task. View the Cisco Prime Permission
Report (Reports > System > Users > Permission) to determine which tasks are permitted for each user
role.
LMS will only forward SNMP traps from devices in the LMS inventory. LMS will not change the trap
formatit will forward the raw trap in the format in which it was received from the device. All traps are
forwarded in V1 (SNMP Version) format. In LMS 4.2, trap support is provided for SNMPv3 configured
devices, unknown devices and non-Cisco devices.
Step 1
Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding.
Step 2
Step 3
A port number on which the host can receive traps.
Click Apply.

Cisco Prime LMS allows you to create SNMP Trap Receiver Groups using the Trap Receiver Groups
option.This is group of hosts that receives specified trap notifications, when any TrendWatch or
Threshold violation occurs in LMS.
The Trap destination is defined by the IP address or it can be a host name. From the Trap Receiver
Groups page, you can create a Trap Receiver Group, modify the configuration of a Trap Receiver Group,
and delete a Trap Receiver Group.
To access the Trap Receiver Group page, Admin > Network > Notification and Action Settings >
Performance - SNMP Trap notification. The Trap Receiver Groups page appears.
Table 10-6 describes the fields in the Trap Receiver Groups.
Table 10-6
Trap Receiver Groups Fields
Field
Description
Trap Group Name
Name of the Trap Receiver Group.

Click on the Name hyperlink to view the details of the Trap Receiver Group
created.
Number of Receivers
Number of Trap Receivers added to the Trap Receiver Group.
Create
Creates a Trap Receiver Group. See Creating a Trap Receiver Group.
(button)
Edit
(button)
Modifies an existing Trap Receiver group. See Editing a Trap Receiver

Group.

OL-25947-01
10-25
Chapter 10
Table 10-6
Trap Receiver Groups Fields
Field
Description
Delete
Deletes an existing Trap Receiver Group. See Deleting a Trap Receiver

Group.
(button)
Filter
Filters information based on the criteria that you select from the drop-down
(button)
list. The drop-down list contains the following criteria:

All
Group Name
See Filtering Trap Receiver Groups
You can perform the following tasks from the Trap Receiver Groups dialog box:
Creating a Trap Receiver Group
Editing a Trap Receiver Group
Deleting a Trap Receiver Group
Filtering Trap Receiver Groups
Creating a Trap Receiver Group

To create a Trap Receiver group
Step 1
Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The Trap Receiver Groups page appears.
Step 2
Click Create.
The Create Trap Receiver Group page appears, displaying the Trap Group Configuration dialog box.
Table 10-7 describes the fields in the Trap Group Configuration dialog box.
Table 10-7
Trap Group Configuration
Field
Description
Group Name
Enter the name of the Trap Receiver Group. For example, Trap Receiver
Group 1.
The name can contain a mix of alphabets, numerals, and some special
characters (such as - _ . # @ $ &).
Receiver Details
Host
Enter the host name or IP address. For example 10.77.201.52

Enter the IP address or hostname of the destination to which the trap message
should be delivered.
Port
Enter the Port Number on which Trap Receiver is listening for traps.
The default port value is 162. This field is optional.
10-26
OL-25947-01
Chapter 10

Table 10-7
Field
Description
Community
Enter the community string that appears in the trap message.

The default community string is public. This field is optional.
Create
Creates the Trap Receiver Group.
(button)
Add More
Adds more hosts to the present Group.
(button)
Cancel
Cancels the creation of Trap Receiver Group.
(Button)
Step 3
Enter a descriptive name for the Trap Group name in the GroupName field.
Step 4
Enter the IP address or hostname of the destination to which the trap should be delivered in the Host
field.
Step 5
Enter the Port Number on which Trap Receiver is listening for traps in the Port field.
Step 6
Enter the community string that appears in the trap message in Community field.
The community string will be displayed as asterisks.
Note
You can add as many as five hosts or devices to the Trap Group by default.
To add more than five hosts to the Trap Group,

Step 1
Click Add More to add another host information to the Trap Group. Go to Step 4 to continue.
Step 2
Click Create to create the Trap Group.

Or
Click Cancel to cancel the operation.
The Trap Receiver Group dialog box appears, displaying the Trap Groups.
Editing a Trap Receiver Group

You can edit a Trap Receiver Group to update or change the hosts, ports and community string of the
selected Trap Receiver Group using the Edit button in the List of Trap Receiver Groups.
You can edit only one Trap Receiver Group at a time. If you select multiple Trap Receiver Groups using
the check box, the Edit button is disabled. You cannot edit the Trap Receiver Group Name field.
To edit a Trap Receiver Group:

OL-25947-01
10-27
Chapter 10
Step 1
notification.
The Trap Receiver Groups dialog box appears.
Step 2
Select the Trap Receiver Group by checking the corresponding check box against the Trap Receiver
Group Name.
Step 3
Click Edit.
The Edit Trap Receiver Group dialog box appears, displaying the earlier settings.
Table 10-8 describes the fields in the Trap Group Configuration dialog box.
Table 10-8
Field
Description
Group Name
Name of the Trap Receiver Group.

For example, Trap Receiver
Receiver Details
Host

Enter the IP address or hostname of the destination to which the trap message
should be delivered.
Port
Enter the Port Number on which Trap Receiver is listening for traps.
For example, 162
Community
Enter the community string that appears in the trap message.

The default community string is public.
Update
Updates the Trap Receiver Group.
(button)
Add More
(button)
Cancel
Cancels the modification of the Trap Receiver Group.
(Button)
Step 4
Make the necessary changes to the Receiver Details.

To add more receivers to the present configuration,
Step 1
Click AddMore in the Trap Group Configuration dialog box.
Step 2
Make necessary changes to the Receiver Details.
Step 3
Click Update in the Trap Group Configuration dialog box to complete updating the Trap Receiver
Group.
Or
The Trap Receiver Group dialog box appears, displaying the Trap Groups.
10-28
OL-25947-01
Chapter 10

Deleting a Trap Receiver Group

You can delete one or more Trap Receiver Groups using the Delete button on the List of Trap Receiver
Groups dialog box.
You cannot delete a Trap Receiver Group that is associated with any Threshold or TrendWatch. If you
want to delete such Trap Receiver Groups, first remove the Trap Receiver Group from the associated
Threshold or TrendWatch.
Before a Trap Receiver Group is deleted, you are prompted to confirm the deletion because you cannot
restore a Trap Receiver Group that you have deleted from the database.
To delete a Trap Receiver Group:
Step 1
notification.
The List of Trap Receiver Groups dialog box appears.
Step 2
Select the Trap Group Name by checking the appropriate check box.
You can select multiple Trap Receiver Groups by checking their respective check boxes.
Step 3
Click Delete.
A message appears, prompting you to confirm the deletion,
Step 4
Click OK to delete the Trap Receiver Groups.

Or
If you choose to click OK, a message appears that the Trap Receiver Group is deleted successfully.
The Trap Receiver Groups dialog box appears.
Filtering Trap Receiver Groups

This section describes how you can use the filter option to display the Trap Receiver Group information
based on a specific criteria.
To filter a Trap Receiver Groups:
Step 1
notification.
The List of Trap Receiver Group dialog box appears.
Step 2
Select a criteria for filtering from the drop-down list.
Step 3
Enter the data to be filtered.
Step 4
Click Show.
The List of Trap Receiver Groups dialog box appears, displaying the Trap Receiver Group information
based on the filter criteria.
Table 10-9 describes the criteria to filter.

OL-25947-01
10-29
Chapter 10
Table 10-9
Trap Receiver Groups Field Description
Filter Criteria
Description
Group Name
Select Group Name and enter the data. You can use either of the following
methods to filter by entering:
Complete Group name
Any wildcard characters of the Trap Receiver Group name (such as

*trap, trap*)
10-30
OL-25947-01
Chapter 10


Cisco Prime LMS allows you to create Syslog Receiver Groups using the Syslog Receiver Groups
option. Syslog Receiver Groups is a group of hosts that receives Syslog messages when any TrendWatch
or Threshold violation occurs in LMS.
From the Syslog Receiver Groups page you can create a Syslog Receiver Group, modify the
configuration of a Syslog Receiver Group, and delete a Syslog Receiver Group.
To access the Syslog Receiver Group page, select Admin > Network > Notification and Action
Settings > Performance - Syslog notification. The List of Syslog Receiver Groups dialog appears.
Table 10-10 describes the fields in the Syslog Receiver Groups.
Table 10-10
Syslog Receiver Groups Fields
Field
Description
Syslog Group Name
Name of the Syslog Receiver Group.

For example, Syslog Group
Number of Receivers
Number of Syslog Receivers added to the Syslog Receiver Group.
Create
Creates a Syslog Receiver Group. See Creating a Syslog Receiver Group.
(button)
Edit
(button)
Delete
Modifies an existing Syslog Receiver group. See Editing a Syslog Receiver

Group.
(button)
Deletes an existing Syslog Receiver Group. See Deleting a Syslog Receiver

Group.
Filter
Filters information based on the criteria that you select from the drop-down
(button)
list. The drop-down list contains the following criteria:
All
Group Name
See Filtering Trap Receiver Groups

Update Facility
(button)
Sends the Syslog message to the receiver, based on the facility level selected
in the drop-down list. The drop-down list contains the following criteria:
local 0
local 1
local 2
local 3
local 4
local 5
local 6
local 7

OL-25947-01
10-31
Chapter 10
You can perform the following tasks from the Syslog Receiver Groups dialog box:
Creating a Syslog Receiver Group
Editing a Syslog Receiver Group
Deleting a Syslog Receiver Group
Filtering Syslog Receiver Groups
Creating a Syslog Receiver Group

To create a Syslog Receiver group:
Step 1
Select Admin > Network > Notification and Action Settings > Performance - Syslog notification.
The Syslog Receiver Groups dialog appears.
Step 2
Click Create.
The Create Syslog Receiver Group page appears, displaying the Syslog Group Configuration dialog box.
Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Table 10-11
Syslog Groups Configuration
Field
Description
Group Name
Enter the name of the Syslog Group name. For example, Syslog Group.
The name can contain a mix of alphabets, numerals, and some special
characters (such as - _ . # @ $ &).
Receiver Details
Host

Enter the IP address or hostname of the destination to which the syslog
message should be delivered. This IP address should be DNS resolvable.
Port
Enter the Port Number on which Syslog Receiver is listening for syslog
messages.
The default port value is 514. This field is optional.
Create
Creates the Syslog Receiver Group
(button)
Add More
Adds more hosts to the present Group
(button)
Cancel
Cancels the creation of Syslog Receiver Group
(Button)
Step 3
Enter a descriptive name for the Syslog Group name in the GroupName field.
Step 4
Enter the IP address or hostname of the destination to which the Syslog messages should be delivered in
the Host field.
Step 5
Enter the Port Number on which Syslog Receiver is listening for Syslog Messages in the Port field.
10-32
OL-25947-01
Chapter 10

Note
You can add as many as five hosts or devices to the Syslog Group by default.
To add more than five hosts to the Syslog Group,
Step 1
Click AddMore to add another host information to the Syslog Group. Go to Step 4 to continue.
Step 2
Click Create to create the Syslog Group.

Or
The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.
Editing a Syslog Receiver Group

You can edit a Syslog Receiver Group to update or change the hosts and ports of the selected Syslog
Receiver Group using the Edit button in the List of Syslog Receiver Groups.
You can edit only one Syslog Receiver Group at a time. If you select multiple Syslog Receiver Groups
using the check box, the Edit button is disabled. You cannot edit the Syslog Receiver Group Name field.
To edit a Syslog Receiver Group:
Step 1
The Syslog Receiver Groups dialog box appears.
Step 2
Select the Syslog Receiver Group by checking the corresponding check box against the Syslog Receiver
Group Name.
Step 3
Click Edit.
The Edit Syslog Receiver Group dialog box appears, displaying the earlier settings.
Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Table 10-12
Field
Description
Group Name
Name of the Syslog Group name.

For example, Syslog Group.
Receiver Details
Host
Enter the host name or IP address. for example 10.77.201.52

Enter the IP address or hostname of the destination to which the Syslog
message should be delivered.
Port
Enter the Port Number on which Syslog Receiver is listening for Syslog
messages.
The default port number is 512.

OL-25947-01
10-33
Chapter 10
Table 10-12
Field
Description
Update
Updates the Syslog Receiver Group.
(button)
Add More
(button)
Cancel
Cancels the modification of the Syslog Receiver Group.
(Button)
Step 4

To add more receivers to the current configuration:
Step 1
Click AddMore in the Syslog Group Configuration dialog box.
Step 2
Step 3
Click Update in the Syslog Group Configuration dialog box to complete updating the Syslog Receiver
Group.
Or
The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.
Deleting a Syslog Receiver Group

You can delete one or more Syslog Receiver Groups using the Delete button on the List of Syslog
Receiver Groups dialog box.
You cannot delete a Syslog Receiver Group which is associated with any Threshold or TrendWatch. If
you want to delete such Syslog Receiver Groups, first remove the Syslog Receiver Group from the
associated Threshold or TrendWatch.
Before a Syslog Receiver Group is deleted, you are prompted to confirm the deletion because you cannot
restore a Syslog Receiver Group that you have deleted from the database.
To delete a Syslog Receiver Group:
Step 1
Step 2
Select the Syslog Group Name by checking the appropriate check box.
You can select multiple Syslog Receiver Groups by checking their respective check boxes.
Step 3
Click Delete.
A message appears, prompting you to confirm the deletion.
Step 4
Click OK to delete the Syslog Receiver Groups.

Or
10-34
OL-25947-01
Chapter 10


If you choose to click OK, a message appears that the Syslog Receiver Group is deleted successfully.
Filtering Syslog Receiver Groups

You can use the Filter option to display the Syslog Receiver Group information based on a specific
criteria.
To filter a Syslog Receiver Groups:
Step 1
The List of Syslog Receiver Group dialog box appears.
Step 2
Select a criteria for filtering from the drop-down list.
Step 3
Enter the data to be filtered.
Step 4
Click Show.
The Syslog Receiver Groups dialog box appears, displaying the Syslog Receiver Group information
based on the filter criteria.
Table 10-13 describes the criteria to filter.
Table 10-13
Syslog Receiver Groups Field Description
Filter Criteria
Description
Group Name
Select Group Name and enter the data. You can use any of the following
methods to filter by entering:
Complete Group name
Any wildcard characters of the Syslog Receiver Group name (such as

*Syslog, Syslog*)

OL-25947-01
10-35
Chapter 10

You can create automated actions to be executed automatically whenever Syslog Analyzer receives a
specific message type.
Creating an Automated Action
Editing an Automated Action
Guidelines for Writing Automated Script
Enabling or Disabling an Automated Action
Exporting or Importing an Automated Action
Deleting an Automated Action
Automated Action: An Example
When you select Admin > Network > Notification and Action Settings > Syslog Automated Actions,
a list of automated actions appears in the dialog box on the Automated Actions page. Of these, there are
two system-defined automated actions (the rest are user-defined). The system-defined automated actions
are:
Inventory FetchTo fetch inventory from the device.
Config FetchTo fetch configuration from the device.
You can edit these system-defined automated actions, but you cannot delete them. These actions are
enabled by default. You can choose to disable them by selecting them and clicking Enable/Disable.
Config Fetch might loop if SYS-6-CFG_CHG-*SNMP* message is received from a Catalyst operating
system device. You can then edit Config Fetch automated action and you can delete
SYS-6-CFG_CHG-*SNMP* message type.
In the Automated Actions dialog box, you can choose whether to include interfaces of selected devices
or not.
The columns in the Automated Actions dialog box are:
Column
Description
Name
Name of the automated action.
Status
Status of the automated action at creation timeEnabled, or disabled
Type
Type of automated actionE-mail, script or URL.
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required
10-36
OL-25947-01
Chapter 10

Using the automated actions dialog box, you can do the following tasks:
Task
Button
Create an automated action (see Creating an Automated Action).
Create
Edit an automated action (see Editing an Automated Action).
Edit
Enable or Disable an automated action (see Enabling or Disabling an Automated Action)
Enable/Disable
Import or Export an automated action (see Exporting or Importing an Automated Action)
Import/Export
Delete an automated action (see Deleting an Automated Action).
Delete
If you are creating an automated action, see the example (Automated Action: An Example) of how to set
up an automated action that sends an e-mail when a specific Syslog message is received.
On Windows, you cannot set up an automated action to execute an.exe file that interacts with the
Windows desktop. For example, you cannot make a window pop up on the desktop.
Related Topics

To create an automated action:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, with a list of automated actions, appears in the Automated Actions page. Here, you can
choose whether to include interfaces of selected devices or not. For the description of the columns in the
Automated Actions dialog box, see Defining Automated Actions.
Step 2
Click Create.
A dialog box appears for device selection.
Step 3
Select All Managed Devices or Choose Devices.

If you select the All Managed Devices option:
You cannot select the individual devices or device categories from the device selector.
All managed devices are considered.
The syslog messages from the various device interfaces are considered for creating automated
actions.

OL-25947-01
10-37
Chapter 10
If you select Choose Devices option, you must select the required devices.
Step 4
Click Next.
A dialog box appears in the Define Message Type page.
Step 5
Enter a unique name for the automated action that you are creating.
Step 6
Select either Enabled or Disabled as the status for the action at creation time.
Step 7
Select the Syslog message types for which you want to trigger the automated action from the Define New
Message Type section of the dialog box.
Step 8
Click Next.
The Automated Action Type dialog box appears.
Step 9
Select a type of action (E-mail, URL, or Script) from the Select a type of action drop-down list box.
If you select E-mail, enter the following information in the Automated Action Type dialog box:
Field
Description
Send to
List of comma separated e-mail addresses. Mandatory field.
Subject
Subject of the e-mail.
Content
Content that you want the e-mail to contain.
If you select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action
type dialog box. In the URL, you can use the following parameters:
$D (for the device)
$M (for the complete syslog message).
When the URL is invoked, If you have specified $D or $M, then, $D is substituted with the device
hostname or IP address and $M is substituted with the syslog message.
For example, if the URL is
http://hostname/script.pl?device=$D&mesg=$M
When invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog
message.
If you select Script, enter the script to be used, in the Script to execute field of the Automated Action
type dialog box.
Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files
(*.bat) on Windows. The shell script or batch file should have only write/execute permissions for
casuser:casusers in UNIX and casuser/Administrator in Windows.
The other users should have only read permission. You must ensure that the scripts contained in the
file have permissions to execute from within the casuser account.
The script files must be available at this location:
On Windows:
NMSROOT/files/scripts/syslog
On UNIX:
/var/adm/CSCOpx/files/scripts/syslog
10-38
OL-25947-01
Chapter 10

To select the script file:

a.
Click Browse.
b.
Select the file (*.sh on Unix and *.bat on Windows).
Step 10
Click OK.
Step 11
Click Finish.
If the executable program produces any errors or writes to the console, the errors will be logged as Info
messages in the SyslogAnalyzer.log.
This file is available at:
On UNIX,
/opt/CSCOpx/log directory
On Windows,
NMSROOT\log directory (where NMSROOT is the root directory of the LMS Server).

To edit an automated action:
Step 1
A dialog box, displaying the list of automated actions, appears in the Automated Actions page.
For the description of the columns in the Automated Actions dialog box, see Defining Automated
Actions.
Step 2
Select an automated action from the drop-down list and click Edit.
The Select Devices dialog box appears.
Step 3
Select the required devices and click Next.

This dialog box allows you to:
Change the Message Filter TypeFrom Enabled to Disabled, or vice, versa.
Add a message type
Edit a message type
Delete a message type
Select a message type from system-defined message types
Step 4
Click Next.
Step 5

This dialog box allows you to change the type of action. For example, you can change from E-mail to
URL or Script.
For E-mail, enter or change the following information in the Automated Action type dialog box:

OL-25947-01
10-39
Chapter 10
Field
Description
Send to
List of comma separated e-mail addresses.
Subject
Subject of the e-mail (optional).
Content

(Admin > System > System Preferences). When the job completes, an e-mail is sent with the
E-mail ID as the sender's address
For URL, enter or change the URL to be invoked, in the Automated Action type dialog box. If you
select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action type
dialog box. In the URL, you can use the following parameters:
$D (for the device)
When the URL is invoked, If you have specified $D or $M, then, $D is substituted with the device
When invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog
message.
If you select Script, enter the script to be used, in the Script to execute field of the Automated Action
type dialog box.
Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files
(*.bat) on Windows. The shell script or batch file should have only write/execute permissions for
casuser:casusers in UNIX and casuser/Administrator in Windows.
The other users should have only read permission. You must ensure that the scripts contained in the
file have permissions to execute from within the casuser account.
On Windows:
NMSROOT/files/scripts/syslog
On UNIX:
/var/adm/CSCOpx/files/scripts/syslog
a.
Click Browse.
The External Config Selector dialog box appears.
b.
Step 6
Select the file (*.sh on Unix and *.bat on Windows).
Click Finish.
The edited automated action appears in the dialog box on the Automated Action page.
10-40
OL-25947-01
Chapter 10


To write an automated script:
Step 1
Copy the sampleEmailScript.pl from RME 3.5 or older to the new LMS 4.2 server and put this file in:
/var/adm/CSCOpx/files/scripts/syslog directory
For Windows:
NSMROOT/files/scripts/syslog
Step 2
Write a shell script for Solaris/Soft Appliance or .bat file for Windows in the same directory.
Here is an example shell script (called syslog-email.sh) for UNIX:
#!/bin/sh
/opt/CSCOpx/bin/perl /var/adm/CSCOpx/files/scripts/syslog/sampleEmailScript.pl
-text_message "MEssage:
$2 from device: $1" -email_ids nobody@nowhere.com -subject "Syslog Message: $2" -from
nobody@nowhere.com -smtp mail-server-name.nowhere.com
For Windows, replace $1 and $2 with %1 and %2 and change the directory accordingly.

To enable or disable an automated action:
Step 1
A dialog box, displaying the list of automated actions, appears in the Automated Action page. For the
description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Select the required automated action from the list in the dialog box.
Step 3
Click Enable/Disable to toggle its status.

The dialog box in the Automated Action page is refreshed and it displays the changed state for the
specified automated action.

You can export an automated action to a flat file and use this file on any Syslog Analyzer, using the
import option.
To export or import an automated action:
Step 1
A dialog box, displaying the list of automated actions, appears in the Automated Action page.

OL-25947-01
10-41
Chapter 10
Actions.
Step 2
Select an automated action. You can select more than one automated action.
If you do not select an automated action before clicking the Export/Import button, then only the Import
option will be available. The Export option will be disabled
Step 3
Click Export/Import.
The Export/Import Automated Actions dialog box appears with the Export or Import options.
Step 4
Select either Export or Import.
Step 5
Either:
Enter the location of the file to be exported or imported.
Or
Click Browse.
The Server Side File Browser appears. You can select a valid file, and click OK.
The file location appears in the Export/Import dialog box.

Step 6
Click OK.

To delete an automated action:
Step 1
A dialog box, displaying the list of automated actions, appears in the Automated Action page.
Actions.
Step 2
Select the required automated action from the list in the dialog box.
Step 3
Click Delete.
You will be asked to confirm the deletion. If you confirm the deletion, the action will be deleted.

This is an example of how to set up an automated action that sends an e-mail when a specific Syslog
message is received. This example assumes that devices have been imported and are sending Syslog
messages to the LMS Server.
Note
View the Permission Report (Reports > System > Users > Permission) to check if you have the required
10-42
OL-25947-01
Chapter 10

Step 1
A dialog box, with a list of automated actions, appears in the Automated Action page. For the description
of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Click Create.
The Devices Selection dialog box appears.
Step 3

The Define Message Type dialog box appears.
Step 4
Enter a unique name for the automated action that you are creating.
Step 5
Select either Enabled, or Disabled as the status for the action at creation time.
Step 6
Click Select.
The Select System Defined Message Types dialog box appears.
Step 7
Select the SYS folder, then select the SYS-*-5-CONFIG_I message from the Select System Defined
Message Types list, and click OK.
The dialog box on the Define Message Type page appears.
Step 8
Click Next.
Step 9
Select the type of actionE-mail, Script, or URL.

If you had selected Email in Step 9: Enter the following information:
Field
Description
Send to
List of comma-separated e-mail addresses.
Subject
Subject of the e-mail (optional).
Content

Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin >
(Admin > System > System Preferences). If a syslog is found with the matching type for managed
(normal) devices, an e-mail is sent with the E-mail ID as the sender's address. Then go to Step 10.
If you had selected Script in Step 9: Choose the appropriate bat file for Windows, or shell script for
Solaris, from the File Selector. For details about these files, see the topic Creating an Automated Action.
Then go to Step 10.
If you had selected URL in Step 9: Enter the URL to be invoked. If you select URL, enter the URL to
be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can
use the following parameters:
$D (for the device)
When the URL is invoked, if you have specified $D or $M, then, $D is substituted with the device

OL-25947-01
10-43
Chapter 10
When invoked, $D is replaced with 10.68.12.2 (where 10.68.12.2 is the IP address of the device) and
$M is replaced with the URL-encoded syslog message.
Step 10
Click Finish.
Also see Verifying the Automated Action.
Verifying the Automated Action

To verify the automated action:
Step 1
Select a managed router that is already sending Syslog messages to the LMS server and generate a
SYS-5-CONFIG_I message by changing the message-of-the-day banner as follows:
a. Connect to the managed router using Telnet and log in.
b. In enable mode enter enable, then enter a password.
c. At the config prompt enter configure terminal.
d. Change the banner by entering:
banner motd z
This is a test banner z
end
e. Exit the Telnet session.

Step 2
Make sure that the SYS-5_CONFIG_I message is sent to the LMS Server as follows:
On UNIX systems, open the syslog_info file located in the /var/log directory, or whichever file has
been configured to receive Syslog messages.
On Windows systems, open the syslog.log file located in the NMSROOT\log\ directory.
Where NMSROOT is the LMS installation directory.
Step 3
Verify that there is a message from the managed router whose banner-of-the-day was changed.
This message appears at the bottom of the log.
If the message is in the file, an e-mail is mailed to the e-mail ID specified.
If the message is not in the file, the router has not been configured properly to send Syslog messages
to the LMS Server.

Creating a Filter
Editing a Filter
Enabling or Disabling a Filter
Exporting or Importing a Filter
10-44
OL-25947-01
Chapter 10

Deleting a Filter
You can exclude messages from Syslog Analyzer by creating filters.
Note
To launch the message filters dialog box:
Step 1
Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box appears in the Message Filters page.
A list of all message filters is displayed in this dialog box, along with the names, and the status of each
filterEnabled, or Disabled.
Step 2
Specify whether the filters are for dropping the Syslog messages or for keeping them, by selecting either
Drop or Keep.
If you select Drop, the Common Syslog Collector drops the syslogs that match any of the Drop
filters from further processing.
If you select Keep, Collector allows only the syslogs that match any of the Keep filters, for further
processing.
Note
Step 3
The Drop or Keep options apply to all message filters. They do not apply to individual filters.
Specify whether interfaces of selected devices should be included.

In the dialog box that displays the message filters, you can do the following tasks:
Task
Button
Create a filter (see Creating a Filter).
Create
Edit a filter (see Editing a Filter).
Edit
Enable or disable a filter (see Enabling or Disabling a Filter).
Enable/Disable
Export or import a filter. (see Exporting or Importing a Filter).
Export/Import
Delete a filter (see Deleting a Filter).
Delete
Creating a Filter
You can create a filter for Syslog messages by:
Step 1
A dialog box with a list of filters, appears in the Message Filter page.
Step 2
Specify whether the filter should be a dropped or kept, by selecting either Drop or Keep.

OL-25947-01
10-45
Chapter 10
If you select Drop, the Common Syslog Collector drops the Syslogs that match any of the Drop
filters from further processing.
If you select Keep, Collector allows only the Syslogs that match any of the Keep filters, for further
processing.
Note
Step 3
The Drop or Keep options apply to all message filters. They do not apply to individual filters.
Click Create.
The dialog box appears for device selection.
Step 4
Select All Managed Devices or Choose Devices.

If you select the All Managed Devices option:
You cannot select the individual devices or device categories from the device selector.
All managed devices are considered.
The syslog messages from the various device interfaces are considered for creating message filters.
If you select the Choose Devices option, you must select the required devices.
Step 5
Click Next.
.A dialog box appears in the Define Message Type page.
Step 6
Enter a unique name for the filter.
Step 7
Select either the Enabled, or the Disabled status for the filter at creation time.
Step 8
Select the Syslog message types for which you want to apply the filter.
Step 9
Click Finish.
The list of filters in the message filter dialog box on the Message Filters page is refreshed.
Editing a Filter
To edit a filter:
Step 1
A dialog box, displaying the list of filters, appears in the Message Filter page.
Step 2
Select a filter by clicking on its check box, and click Edit.

The Select Devices dialog box appears.
Step 3

This dialog box allows you to:
Change the filter StatusFrom Enabled to Disabled, or vice, versa.
Add a message type
Edit a message type
Delete a message type
10-46
OL-25947-01
Chapter 10

Step 4
Select a message type from system-defined message types
Click Finish after you make all your changes.

The edited filter appears in the dialog box on the Message Filter page.
Enabling or Disabling a Filter

To enable or disable a filter:
Step 1
A dialog box, with the list of filters, appears in the Message Filter page.
Step 2
Select the required filter from the list in the dialog box.
Step 3
Click Enable/Disable to toggle its status.

The dialog box in the Message Filter page is refreshed and it displays the changed state for the specified
filter.
Exporting or Importing a Filter

You can export a filter to a flat file and use this file on any Syslog Analyzer, using the import option.
To export or import a filter:
Step 1
A dialog box, with the list of filters, appears in the Message Filter page.
Step 2
Select a filter. You can select more than one filter.
Step 3
The Export/Import dialog box appears with the Export or Import options.
Step 4
Select either Export or Import.

OL-25947-01
10-47
Chapter 10
Step 5
Either:
Enter the location of the file to be exported or imported.

Or
a.
Click Browse.
The Server Side File Browser appears.
b.
Select a valid file location, and click OK.

The file location appears in the Export/Import dialog box.
Step 6
Click OK.
Deleting a Filter
To delete a filter:
Step 1
A dialog box, displaying the list of filters, appears in the Message Filter page.
Step 2
Select the required filter from the list in the dialog box.
Step 3
Click Delete.
When you confirm the deletion, the filter is deleted.

Configuring Trap Notification Messages
Examples for Collection Failure Notification
Fields in a Trap Notification Message
You can use the Collection Failure Notification option to configure the destination Server and Port to
receive trap notification on Inventory Collection or Config Fetch failure. This failure trap is sent per
device from the LMS server whenever the collection does not happen.
Other network management stations can use this trap to know about LMS Inventory or Config collection
failure status. You can check or uncheck the options available in this page to enable or disable the
sending of trap notifications to other servers on Inventory Collection or Config Fetch failure.
10-48
OL-25947-01
Chapter 10

Table 10-14 lists the various fields and buttons available in the Notification on Failure Window:
Table 10-14
Collection Failure Notification
Field
Description
All
Check this option, if you require both the Config Fetch Failure and Inventory Collection Failure trap
notification to be sent to the listed servers.
The listed servers are those servers that you have configured to receive trap notifications. See the
description for List of Destination field for more information.
Config Collection
Check this option, if you require the Config Fetch Failure trap notification to be sent to the listed
servers.
Uncheck this option if you do not want the Config Fetch Failure trap notification to be sent to the listed
servers.
Inventory
Collection
Check this option, if you require the Inventory Collection Failure trap notification to be sent to the listed
servers.
Uncheck this option if you do not want the Inventory Collection Failure trap notification to be sent to
the listed servers.
Trap Destination Information
Server
The name or IP address of the destination server.
Port
The port number of the destination server.
List of
Destinations
The names of the destination servers along with their ports which are configured to receive the trap
notifications.
Buttons
Add
Use the Add button to add the destination server and port information. On clicking Add, the server and
port information get reflected in the List of Destinations list.
Delete
Use the Delete button to remove server and port information from the List of Destinations. To do so,
select one or more server and port entry from the list of Destinations list and click on Delete to remove
the entries from the list.
Apply
Click to accept the changes made.

OL-25947-01
10-49
Chapter 10
Configuring Trap Notification Messages

To configure the distribution of trap notification messages from LMS to the connected hosts:
Step 1
Select Admin > Network > Notification and Action Settings > Inventory and Config collection
failure notification.
The Notification on Failure dialog box appears. Refer to to further complete the selection in this dialog
box.
Step 2
Click Apply to accept the changes made.
Examples for Collection Failure Notification

Example for Config Fetch Failure
You are providing the following information in the Collection Failure Notification screen:
Destination Server: 10.77.153.47
Destination Port: 162
You are also enabling the Send Notification on Config Fetch Failure option. By enabling this option you
are allowing trap notifications to be sent to the specified destination server on Config Fetch Failure using
the specified port.
After that you add few new devices to LMS and schedule a job to fetch the configurations for all the
devices. There is a Config Fetch Failure as the scheduled job is unable to fetch the configurations for the
new devices. The server 10.77.153.47 receives trap notifications for each Config Fetch Failure per
device.
Example for Inventory Collection Failure
You are providing the following information in the Collection Failure Notification screen:
Destination Server: 10.77.153.47
Destination Port: 162
You are also enabling the Inventory Collection option. By enabling this option you are allowing trap
notifications to be sent to the specified destination server on Inventory Collection Failure using the
specified port.
After that you add few new devices to LMS and schedule a job to fetch the inventory information for all
devices. There is a Inventory Collection Failure as the scheduled job is unable to fetch the inventory
details for the new devices. The server 10.77.153.47 receives trap notifications for each Inventory
Collection Failure per device.

Table 10-15 lists the various fields that constitute a Configuration Fetch or Inventory Collection Failure
trap notification message.
10-50
OL-25947-01
Chapter 10

Table 10-15
Field
Description
Application Name LMS application that caused this change or identified the change and generated the notification.
Device Name
Network device for which the inventory or configuration collection has failed.
Collection Failure
Time
Time at which the inventory or configuration collection job failed.
Error Message
The message that describes the reason for the collection failure. Some examples of trap error messages:
Inventory Collection Failed due to SNMP TimeOut Exception.
Config Collection Failed due to authentication failure.

Syslog is a trap message that is sent from the device if any changes occur to the device. You can either
enable or disable the IPSLA Syslog. However the IPSLA Syslog can be configured only by a Network
Administrator or System Administrator.
The Device Selector will display only the Source devices that are IPSLA enabled. It does not display any
Target devices.
To enable or disable IPSLA Syslog:
Step 1
Select Admin > Network > Notification and Action Settings > IPSLA Syslog Configuration.
The IPSLA Syslog Configuration page appears.
Step 2
Click Enable
If you click Enable, LMS will run the IPSLA CLI Command on the selected device, through the config
job on the LMS server. This enables the generation of the IPSLAs specific traps through the system
logging (Syslog process). Immediate job will be created in LMS and the Job ID link appears. Clicking
the link will display the Syslog details.
Or
If you click Disable, LMS will run the IPSLA CLI Command on the selected device, through the config
job on the LMS server.
(LMS will run the IPSLA CLI Command on the selected device, through the config job on the LMS
server). Immediate job will be created in LMS and the Job ID link appears. Clicking the link will display
the Syslog details.
Note
In a Multi-server setup among different versions, IPSLA Syslog enables supported version will be
greater than LMS 4.2

OL-25947-01
10-51
Chapter 10
10-52
OL-25947-01
CH A P T E R
11
Administering Change Audit and Software

Management
Change Audit tracks and reports changes made in the network. Change Audit allows other LMS to log
change information to a central repository. Device Configuration, Inventory, and Software Management
changes can be logged and viewed using Change Audit.
LMS writes change records to Change Audit. Change Audit stores these records in the log tables
(summary and details) for later use with reports.
For example, Software Management records a change for each completed device upgrade. If a job has
ten devices, then Software Management writes ten entries to the Change Audit log, but the Change Audit
report shows only one job with ten devices. You can then access individual device information.
Each application writes its own change records to Change Audit. For example, in Inventory you can set
inventory change filters to filter out all kinds of information for different device types. Change Audit
record maintenance is controlled by the Change Audit Delete Change History option.
You can convert change records into SNMP V1 traps and forward them to a destination of your choice.
This allows system administrators to forward critical network change data to their own NMS.
You can define automated actions (e-mail and automated scripts) on creation of change audit record. The
automated action gets triggered on creation of the change audit record.
Performing Maintenance Tasks
Defining Exception Periods
Defining Change Audit Automated Actions
Software Management Administration Tasks

OL-25947-01
11-1
Chapter 11
You can use this feature to set up your editing preferences. Config Editor remembers your preferred
mode, even across different invocations of the application.
You can change the mode using the Device and Version, Pattern Search, Baseline or External
Configuration option but the changes do not affect the default settings.
To set up preferences:
Step 1
Select Configuration > Tools > Config Editor > Edit Mode Preference.
The User Preferences dialog box appears.
Step 2
Set the default edit mode:
Select Processed to display the file in the Processed mode.

The configuration file appears at the configlet level (a set of related configuration commands). The
default is Processed.
Select Raw to display the file in the Raw mode.

The entire file appears as shown in the device.
Step 3
Click Apply to apply the set preferences.

Change Audit allows you to:
Determine changes being made in the network during critical operations time
System administrators can define the start and end times during the day when network changes
should not be made. Based on this selection you can quickly see, for a given day, whether changes
were made when they should not be.
See Defining Exception Periods for defining the exception periods.
Define automated actions on creation of change audit record

Automated action gets triggered on creation of the change audit record. You can define any number
of automated actions. The supported automated actions are, E-mail, Traps, and Automated scripts
See Defining Change Audit Automated Actions for defining the Change Audit automated actions.
Monitor your software image distribution and download history for software changes made using
the Software Management application.
Software Management automatically sends network change data to the Change Audit summary and
details tables.
Track any configuration file changes

Device Configuration automatically sends data on configuration file changes to the Change Audit
log.
See Generating 24 Hours and Standard Change Audit Reports for generating the Change Audit
reports.
11-2
OL-25947-01
Chapter 11

Monitor inventory additions, deletions, or changes

Inventory tracks specific messages or monitors any and all changes in your network inventory. To
set inventory filters, use the Inventory Change Filter option.
reports.
View all the latest changes that occurred in the network over the last 24 hours
24-Hour Reports provides a quick way to access the latest changes in the Change Audit log.
reports.
Purging the Change Audit records

Frees disk space and maintains your Change Audit records at a manageable size. You can either
schedule for periodic purge or perform a forced purge of Change Audit data.
See Performing Maintenance Tasks for scheduling a periodic purge.
Generating change audit data in XML format

is a command line tool that also provides servlet access to change audit
data. This tool uses the existing Change Audit log data and generates the Change Audit log data in
XML format.
cwcli export changeaudit
Set the debug mode for Change Audit application

You can set the debug mode for Change Audit application in the Log Level Settings dialog box
(Select Admin > System > Debug Settings > Config and Image Management Debugging
settings; select Change Audit from the Application drop-down list.).
Generating 24 Hours and Standard Change Audit Reports
To generate 24 Hours and Standard Change Audit Reports:

Step 1
Select Reports > Audit.
Step 2
Select Change Audit from the first drop-down list box.
Step 3
Select Standard from the second drop-down list box.

You can either schedule for periodic purge or perform a forced purge of Change Audit data. This frees
disk space and maintains your Change Audit data at a manageable size.
You can perform these tasks:
Setting the Purge Policy
Performing a Forced Purge
Config Change Filter

OL-25947-01
11-3
Chapter 11
Setting the Purge Policy

You can specify a default policy for the periodic purging of Change Audit data.
Note
To set the Change Audit Purge Policy:
Step 1
Select Admin > Network > Purge Settings > ChangeAudit Purge Policy.
The Purge Policy dialog box appears in the Periodic Purge Settings pane.
Step 2
Field
Description
Purge change audit

records older than
Enter the number of days. Only Change Audit records older than the number of days that you
specify here, will be purged.
The default is 180 days.
Purge audit trail records

older than
Enter the number of days. Only Audit Trail records older than the number of days that you
specify here, will be purged.
The default is 180 days.
Scheduling
Run Type
You can specify when you want to run the Purge job for Change Audit and Audit Trail records.
To do this select one of the following options from the drop-down menu:
The subsequent instances of periodic jobs will run only after the earlier instance of the job is
complete.
For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance
of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1
job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m.
November 2, then the next job will start only at 10:00 a.m. on November 3.
Date
at
Enter the start time, in the hh:mm:ss format (23:00:00).
11-4
OL-25947-01
Chapter 11

Field
Description
Job Info
Job Description
The system default job description, ChangeAudit Records - default purge job is displayed.
E-mail
Enter e-mail addresses to which the job sends messages at the end of the job.
box (Admin > System > System Preferences). When the job starts or completes, an e-mail is
sent with the E-mail ID as the sender's address.
Caution
Step 3
You might delete data by changing these values. If you change the number of days to values lower than
the current values, messages over the new limits will be deleted.
Click either Save to save the Purge policy that you have specified, or click Reset to reset the changes
made to a Purge policy.
Performing a Forced Purge

You can perform a Forced Purge of Change Audit, as required.
Note
To perform a Change Audit Forced Purge:
Step 1
Select Admin > Network > Purge Settings > ChangeAudit Force Purge.
The Purge Policy dialog box appears.
Step 2
Enter the information required to perform a Forced Purge:
Field
Description
Purge change audit

records older than
Enter the number of days. Only Change Audit records older than the number of days that you specify
here, will be purged.
Purge audit trail

records older than
Enter the number of days. Only Audit Trail records older than the number of days that you specify
here, will be purged.

OL-25947-01
11-5
Chapter 11
Field
Description
Scheduling
Run Type
You can specify when you want to run the Force Purged job for Change Audit and Audit Trail records.
To do this select one of the following options from the drop-down menu:
Date
ImmediateRuns this task immediately.
OnceRuns this task once at the specified date and time.
Enter the start date in the dd-mmm-yyyy format, for example, 02-Dec-2003, or click on the Calendar
icon and select the date.
The Date field is enabled only if you have selected Once as the Run Type.
at

The At field is enabled only if you have selected Once as the Run Type
Job Info
Job Description
Enter a description for the job. This is mandatory.
E-mail
Enter e-mail addresses to which the job sends messages at the end of the job.
Step 3
Click Submit for the Forced Purge to become effective.
11-6
OL-25947-01
Chapter 11

Config Change Filter

You can use this option to enable or disable VLAN Change audit filtering. When there is a change to the
device configuration, a change record is created. By default, the VLAN change audit record is not
created for those devices that have a VLAN configuration.
To enable or disable the VLAN Change Audit Filter option:
Step 1
Select Admin > Network > Change Audit Settings > Config Change Filter.
The Config Change Filter dialog box appears.
Step 2
Step 3
Check or uncheck the Enable VLAN Change Audit Filter option.
Check Enable VLAN Change Audit Filter, if you do not want the change audit record to be created
for devices that have a VLAN configuration. By default, this option is checked.
Uncheck Enable VLAN Change Audit Filter, if you want the change audit record to be created for
devices that have VLAN configuration.
Click either Apply to apply the option or click Cancel to discard the changes.

An Exception period is a time you specify when no network changes should occur. This period does not
prevent you from making any changes in your network. The set of Exception periods is known as an
Exception profile.
You can have only one Exception period for a day.
You perform the following tasks for Exception profiles:
Tasks
Description
Creating an Exception Period
Creating an exception profile.
Enabling and Disabling an

Exception Period
Enabling and disabling a set of exception profiles.
Editing an Exception Period
Editing an exception profile.
Deleting an Exception Period
Deleting a set of exception profiles.

OL-25947-01
11-7
Chapter 11
Creating an Exception Period

To create an Exception profile:
Note
Step 1
Select Admin > Network > Change Audit Settings > Exception Periods.
The Define Exception Period dialog box appears.
Step 2
Step 3
Select:
Days of the week from the Day drop-down list box
Start and end times from the Start Time and the End Time drop-down list box.
Click Add.
The defined exception profile appears in the List of Defined Exception Periods pane.
To enable the exception period, see Enabling and Disabling an Exception Period.
Enabling and Disabling an Exception Period

To enable and disable a set of exceptions periods:
Note
Step 1
Step 2
Select one or more exception profiles in the List of Defined Exception Periods pane.
Step 3
Click Enable/Disable.
If you have selected Enabled, then the exception period report is generated for that specified time
frame.
If you have selected Disabled, then the exception period report is not generated for that whole day.
For example: If you have disabled exception period for Monday from 10:00 am to 12:30 pm, then
there will not be any exception period report generated for Monday.
11-8
OL-25947-01
Chapter 11

Editing an Exception Period

To edit an exception profile:
Note
Step 1
Step 2
Select a day from the Day drop-down list box for which you want to change the exception period.
Step 3
Change the start and end times in the Start Time and the End Time drop-down list box.
If required you can also enable or disable the status for the exception period.
Step 4
Click Add.
The edited exception profile appears in the List of Defined Exception Period dialog box. This will
overwrite the existing exception profile for that day.
Deleting an Exception Period

To delete a set of Exceptions Periods:
Note
Step 1
Step 2
Select one or more exception profiles in the List of defined Exception Periods pane.
Step 3
Click Delete.

OL-25947-01
11-9
Chapter 11

You can define automated actions on creation of change audit record. This automated action gets
triggered on creation of the change audit record. You can define any number of automated actions. The
supported automated actions are:
E-mail
Traps
Automated scripts
Understanding the Automated Action Window
Enabling and Disabling an Automated Action
Exporting and Importing an Automated Action
Understanding the Automated Action Window

This window contains the following entries:
Field
Description
Name
Name of the automated action.
Status
Status of the automated actionEnabled, or disabled.
Type
Type of automated actionEmail, Script or Trap.
You perform the following tasks from this window:

Tasks
Description
Creating an automated action.
Enabling and Disabling an

Automated Action
Enabling and disabling a set of automated actions.
Editing an automated action.
This button gets activated only after selecting an automated

action.
action.
Exporting and Importing an

Automated Action
Exporting and importing a set of automated actions.
Deleting a set of automated actions.

action.
11-10
OL-25947-01
Chapter 11


To create an automated action:
Note
Step 1
Select Admin > Network > Notification and Action Settings > ChangeAudit Automated Actions.
The Automated Action dialog box appears.
Step 2
Click Create.
The Define Automated Action dialog box appears.
Step 3
Step 4
Enter the following:

Field
Description
Name
Name for the automated action.
Status
Select either Enabled or Disabled For the automated action to trigger.
Application
Select the name of the application on which the automated action has to
be triggered.
Category
Select the types of the changes, for example, configuration, inventory, or

software on which the automated action has to be triggered.
Mode
Select the connection mode on connection modes on which the

automated action has to be triggered.
User
Select the user name on which the automated action has to be triggered.
Click Next.
Step 5
Field
Select either E-mail or Trap or Script. Based on your selection, enter the following data:
Description
If you have selected E-mail, enter:
Send To
Enter the E-mail ID for which the trigger has to be notified.

(Admin > System > System Preferences). You will receive the e-mail with the E-mail ID as the
sender's address.
Subject
Enter the subject of the e-mail.
Content
Enter the content of the e-mail.

OL-25947-01
11-11
Chapter 11
Field
Description
If you have selected Trap, perform:
Enables configuration of a single or dual destination port numbers and hostnames for the traps generated by Change Audit.
Ensure that you have copied these files:
CISCO-ENCASE-MIB.my
CISCO-ENCASE-APP-NAME-MIB.my
into the destination system to receive the traps.

These files are available in the following directories on LMS server:
On UNIX:
/opt/CSCOpx/objects/share/mibs
On Windows:
NMSROOT\objects\share\mibs. Where NMSROOT is the root directory of the LMS Server.
a.
Enter the Server and Port details in the Define Trap field.
b.
Click Add.
The server and port information appears in the List of Destinations text box.
If you want delete, the server and port information, select the server and port information from the List of Destinations
text box and click Delete.
If you have selected Script, enter...
You can run only shell scripts (*.sh) on Unix and batch files (*.bat) on Windows. The shell script or batch file should have
only write/execute permissions for casuser:casusers in Solaris/Soft Appliance and casuser/Administrator in Windows. The
other users should have only read permission. You must ensure that the scripts contained in the file has permissions to execute
from within the casuser account.
The following are the parameters for change audit automated action that will appear in the script:
Application Name
Category
User Name
Description
Connection Mode
Host Name

On UNIX:
/var/adm/CSCOpx/files/scripts/changeaudit
On Windows:
NMSROOT/files/scripts/changeaudit
a.
Click Browse.
The Server Side File Browser dialog box appears with the predefined location.
b.
Select the script file (*.sh on Unix and *.bat on Windows)
c.
Click OK.
11-12
OL-25947-01
Chapter 11

Step 6
Click Finish.
The Automated Action window appears with the defined automated action.

To edit an automated action:
Note
Step 1
Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions.
Step 2
Select an Automated Action.
Step 3
Click Edit. (See step 3 to step 5 in Creating an Automated Action.).
Step 4
Click Finish.
The Automated Action window appears with the updated data.
Enabling and Disabling an Automated Action

To enable or disable a set of automated actions:
Note
Step 1
Step 2
Select one or more Automated actions.
Step 3
Click Enable/Disable.

OL-25947-01
11-13
Chapter 11
Exporting and Importing an Automated Action

To export or import an automated action:
Note
Step 1
Step 2
If you want to export an Automated action, then select the automated actions else go to next step.
Step 3
The Export/Import dialog box appears.
Step 4
Select the task to be performedExport or Import.
Step 5
Either:
Enter the filename along with the absolute path.
Or
Click Browse,
Step 6
a.
Select a folder.
b.
Click OK.
c.
Enter the filename.
Click OK.

To delete a set of automated actions:
Note
Step 1
Step 2
Select a or a set of Automated actions.
Step 3
Click Delete.
11-14
OL-25947-01
Chapter 11


You can set your preference to download images. To do this, select Admin > Network > Software
Image Management.
The following section explains how to set the Software Management preferences:
Viewing/Editing Preferences
Viewing/Editing Preferences
Edit Preferences helps you to set or change your Software Management preferences.
The options you specify here are applicable to Software Management tasks such as image distribution,
image import, etc.
Note
Selecting and Ordering Protocol Order
To view and edit the preferences:
Step 1
Select Admin > Network > Software Image Management > View/Edit Preferences.
The View/Edit Preferences dialog box appears.
Step 2
Field
Enter the following:

Description
Usage Notes
New directory to store software

images.
If you enter a new name, all existing files are moved to this
directory. If the directory does not have enough space, the files are
not moved and an error message appears.
Repository Management
Image Location
By default the software images

are stored at this location:
/var/adm/CSCOpx/files/rme/
repository/
On Windows:
NMSROOT/files/rme/repository
If the specified directory does not exist, Software Management

creates a new directory before moving the files to the new
directory.
The new directory should be empty.
The new directory specified by you should have the permission for
casuser:casusers in Solaris/Soft Appliance and casuser should
have Full Control in Windows.
Where NMSROOT is the Cisco

Prime installed directory.

OL-25947-01
11-15
Chapter 11
Field
Description
Usage Notes
Distribution
Script Location
On UNIX, the scripts should have read, write, and execute

You can specify only shell
scripts (*.sh) on UNIX and batch permissions for the owner (casuser) and read and execute
permissions for group casusers. That is, the script should have 750
files (*.bat) on Windows.
permission.
The script files must be available
On Windows, the script should have read, write, and execute
at this location:
permissions for casuser/Administrator.
On UNIX:
The other users should have only read permission. You must
/var/adm/CSCOpx/files/scripts/
ensure that the scripts contained in the file have permissions to
swim
execute from within the casuser account.
On Windows:
This script is run before and after completing each device software
NMSROOT/files/scripts/swim
upgrade for all scheduled jobs.
a.
Click Browse.
The Server Side File
Browser dialog box appears
with the predefined location.
b.
Select the script file (*.sh on

Unix and *.bat on Windows)
c.
Click OK.
You can use Clear to clear your

selections for Script Location.
This clears all previous values.
Script Timeout
(seconds)
Number of seconds the users

script can run (default = 90).
Software Management waits for the time specified before

concluding that the script has failed.
Protocol Order
Specify an order of preferred

protocol for image
import/distribution. The
supported protocols are:
This preferred protocol order is followed only for those devices

that permit more than one protocol for image transfer.
RCP
TFTP
SCP
HTTP
See Selecting and Ordering

Protocol Order for further
details.
In devices, where multiple protocol option is not available for

image transfers, Software Management uses its own knowledge
and selects the relevant protocol to upgrade the device.
For fetching configuration from device, the protocol settings of
Configuration Management is used. Software Management uses
the same protocol for fetch and download of configurations.
You can set the Configuration Management protocol order using
Admin > Collection Settings > Config > Config Transport
Settings.
11-16
OL-25947-01
Chapter 11

Field
Description
Usage Notes
Use SSH for software

image upgrade and
software image
import through CLI
(with fallback to
TELNET).
Uses this protocol to connect to

the devices.
The device must support SSH for Software Management to use this
protocol.
By default, Telnet is used to

connect to the devices.
Software Management uses command line interface to upgrade

software images and to import software images.
If SSH fails, then Telnet is used

to connect to the devices.
When you select the SSH protocol for the Software Management,
the underlying transport mechanism checks whether the device is
running SSHv2.
If so, it tries to connect to the device using SSHv2.
If the device does not run SSHv2 and runs only SSHv1 then it
connects to the device through SSHv1.
If the device runs both SSHv2 and SSHv1, then it connects to the
device using SSHv2.
If a problem occurs while connecting to the device using SSHv2,
then it does not fall back to SSHv1 for the device that is being
accessed and Telnet is used to connect to the device.
See the Software Management Functional Supported Device tables
on Cisco.com for SSH and CLI device support information.
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/prod
ucts_device_support_tables_list.html
Recommendation Filters (See How Recommendation Filters Work for an IOS Image.)
Include Cisco.com
images for image
recommendation
During image distribution,

recommend Cisco.com images
for Cisco devices.
Include General
deployment images
Includes only GD images.
Include latest
maintenance release
(of each major
release).
Includes the latest major releases For Cisco IOS devices only.
of IOS images.
For Cisco IOS devices only.
For example, if Release 12.2(5)

was latest maintenance version
in the 12.2 major release, the
recommended image is IOS
12.2(5).
Include images higher Includes the images that are

than running image.
newer than the images running
on your device.
For example, if the device is

running Release 11.2(3), the
recommended images are
11.2(4) and later.

OL-25947-01
11-17
Chapter 11
Field
Description
Usage Notes
Include same image

feature subset as
running image.
Include only images that have

the same feature subset as the
current image.
For example, if you want IOS

images with the ENTERPRISE
IPSEC feature, the
recommended images contain
the latest version. This version
contains feature subset that fits
the Flash.
Password Policy
Enable Job Based

Password
Enter a username and password

for running a specific Software
Management job.
If you enter a username and
password, Software
Management application uses
this username and password to
connect to the device, instead of
taking these credentials from the
Device and Credential
Repository.
If you have enabled User Configurable option, you can disable

this option while scheduling the distribution jobs.
If you have disabled User Configurable option, you must enter

the username and password while scheduling the distribution
jobs.
These passwords are used only to connect to devices for which

Software Management uses CLI, Telnet, and SSH.for software
upgrades.
See the Software Management Functional Supported Device tables
on Cisco.com for CLI, Telnet and SSH device support information.
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/prod
ucts_device_support_tables_list.html
Step 3
Either:
Click Apply to save your changes.
Click Defaults to display the default configuration.
Click Cancel to discard the values entered and revert to previously saved values.
11-18
OL-25947-01
Chapter 11

Selecting and Ordering Protocol Order

In the View/Edit Preferences dialog box (Admin > Network > Software Image Management >
View/Edit Preferences) you can define the protocol order that Software Management has to use for
software image download.
Software Management tries to download the software images based on the specified protocol order.
While downloading the images, Software Management uses the first protocol in the list. If the first
protocol in the list fails, these jobs use the second protocol and so on, until Software Management finds
a transport protocol for downloading the images.
To Enable the Protocols:
Step 1
Select a protocol from the Available Protocols pane.
Step 2
Click Add or double click the mouse.
To Disable the Protocols:

Step 1
Select a protocol from the Selected Protocol Order pane.
Step 2
Click Remove or double click the mouse.
To Reorder the Protocols

Step 1
Select the protocol from the Selected Protocol Order pane.
Step 2
Click Up or Down to reorder the protocols.

OL-25947-01
11-19
Chapter 11

This section describes how the recommendation filters that you select in the View/Edit Preferences
dialog box (Admin > Network > Software Image Management > View/Edit Preferences) work for a
Cisco IOS image.
If you have selected the option, Include Cisco.com Images for image recommendation, Software
Management checks for the images that are available on Cisco.com and the Software repository.
If the same image is available in the Software repository and Cisco.com, the image is recommended from
the Software repository.
If you have not selected the option, Include Cisco.com Images for image recommendation, the Software
Management checks and recommends images only from Software repository.
Table 11-1
Option
Number
1
Recommending Images for an Cisco IOS Image
Include
General
Deployment
Images
Include
Latest
Mainten
ance
Release
(of Each
Major
Release)
Include
Images
Higher
Than
Running
Image
Include
Same
Image
Feature
Subset
as
Running
Image
Not
selected
Not
selected
Not
selected
Not
selected
Recommendation
The recommendation image list includes:
All available images.
In case of,
Multiple images with the same version as that of the running
image version are present, the image with a higher compatible

feature than the running image is recommended.
Similar images in Cisco.com and Software Management
repository, the image from the repository is recommended.
The image feature can be the same or a superset of the running

image.
If a higher version is not available, then no recommendation is made.

2
Not
selected
Not
selected
Not
selected
Selected The recommended list contains images that have the same feature set
as that of the running image.
The images with the highest version among the recommended image
list are recommended.
Not
selected
Not
selected
Selected Not
selected
The recommend list contains all types of releases (deployment status).

The images with the highest version among recommended image list
are recommended.
The feature set of the recommended image may be superior than the
running image.
Not
selected
Selected Not
selected
Not
selected
The latest maintenance version in each release is available in the

recommend image list. The latest image version is recommended.
11-20
OL-25947-01
Chapter 11

Table 11-1
Recommending Images for an Cisco IOS Image (continued)
Include
Latest
Mainten
ance
Release
(of Each
Major
Release)
Include
Images
Higher
Than
Running
Image
Include
Same
Image
Feature
Subset
as
Running
Image
Selected Not
selected
Not
selected
Not
selected
Selected Not
selected
Not
selected
Selected Same as option5. However, the recommended list contains images that
have the same feature set as that of running image.
Selected Not
selected
Selected Not
selected
Option
Number
Include
General
Deployment
Images
Recommendation
The images with deployment status identified as GD are available in
the recommended image list and other recommendation flow remains
the same as the option 1.
Same as option 5. However, the image with the highest version in the
recommended image list is recommended.
The feature set of the recommended image may be superior than the
running image.
Selected Not
selected
Selected Selected Same as option 6. However, the image with the highest version in the
recommended image list is recommended.
All recommend images will have the same feature subset as the
running image.
Selected Selected Not

selected
Not
selected
The images with the highest version among recommended image list
are recommended.
The images of GD types of releases are available in the recommended
image list.
10
Selected Selected Not

selected
Selected The images with the same feature as that of running image is available
in the recommended list and the latest maintenance version of all
release is available in the recommended list.
Only an image with higher version than running image is
recommended. The recommended images can have only GD status.
11
Selected Selected Selected Not

selected
Same as option 9. In addition to this, an image with the higher version

than running image is also recommended.

OL-25947-01
11-21
Chapter 11

Using the Inventory Change Filter dialog box, you can select the attributes that you do not wish to log
using Change Audit. The history of inventory changes are logged by and viewed through Change Audit.
The attributes that you select in the Inventory Change Filter dialog box, are monitored for Inventory
changes like other variables. However, they are not logged using Change Audit. Consequently, these
changes are not displayed in your inventory change reports.
For example, for Stack devices, if you do not want to log the operational status for changes in Change
Audit, select the Operational Status option in the Inventory Change Filter dialog box.
The Inventory Change Filter dialog box, displays each attribute group and the corresponding filters for
the attribute group, for your selection.
Note
To view all inventory change reports, select Reports > Inventory. In the Report Generator dialog
box, first select the application, Change Audit, and then select the Exception Period Report from the
respective drop-down lists.
To view inventory changes from the last 24 hours, select Reports > Inventory. In the Report
Generator dialog box, first select the application, Inventory, and then select report 24 Hour Inventory
Change report from the respective drop-down lists.
To set Inventory change filters:
Step 1
Select Admin > Network > Change Audit Settings > Inventory Change Filter.
The Inventory Change Filter dialog box appears.
Step 2
Select a group from the Select a Group drop-down list. See Table 11-2.
The dialog box refreshes to display the filters available for the attribute group that you selected.
Step 3
Select the attributes that you do not want to monitor for changes.
Step 4
Click Save.
A confirmation dialog box appears.
Step 5
Click OK to save the details.

You can use Reset All to reset your selections for all groups. This resets all previous values to blanks.
11-22
OL-25947-01
Chapter 11

Table 11-2
Inventory Change Filters
Report Inventory Group
Custom Report Group/Attribute
Description
Asset
Orderable Part Number
Orderable part number of asset.
Tag
Asset tag.
CLE Identifier
Represents CLIE (Common Language Equipment

Identifier) code for the physical entity.
Mfg Assembly Revision
Manufacturing assembly revision of asset.
Mfg Assembly Number
Manufacturing assembly number of asset.
Physical Index
Physical index of asset
Operational Status
Operational status of backplane.
Parent Relative Position
Indicates the relative position of this child component

among all its sibling components.
Manufacturer Name
Name of manufacturer.
Physical Entity Name
Name of physical entity.
Slot Configuration
Configuration of backplane slots
Model Name
Name of model.
Vendor Type
Type of vendor.
Serial Number
Serial number of backplane.
Description
Description of backplane.
Component Type
Type of component.
Index
Index of backplane.
Field Replaceable Unit
FRU of backplane. Field-replaceable unit is a

hardware component that can be removed and
replaced on site.
Alias Name
Alias name of backplane.
Bridge Type
Type of bridge.
Number of Ports
Number of ports in the bridge.
Base Bridge Address
Base address of bridge.
Back Plane
Bridge

OL-25947-01
11-23
Chapter 11
Table 11-2
Inventory Change Filters (continued)
Description
Chassis
Chassis Model Name
Name of the chassis model.
Chassis Serial Number
Chassis Vendor Type
Type of vendor.
Chassis Version
Report Published
Indicates whether Report is published or not.

Displays the value as True or False.
Description
Description of chassis.
FRU of chassis.
Component Type
Type of component.
Alias Name
Alias name of chassis.
Index
Physical index of chassis.

Free Slots
Free slots in chassis.
Slot Capacity
Slot capacity of chassis.
Power Available (Watts)
Power available at chassis level
Power Consumption (Watts)
Power consumption at chassis level
Power Consumption (%)
Percentage of power consumption at chassis level.
Power Remaining (Watts)
Power remaining at chassis level.
Operational Status
Operational status of chassis.
Manufacturer Name
Slot Configuration
Slot configuration of chassis.
Index
Physical index of component.
FRU of component.
Alias Name
Alias name of component.

Operational Status
Operational status of component.
Manufacturer Name
Name
Name of component.
Slots Configured
Slot configuration of component.
Model Name
Name of model.
Vendor Type
Vendor type of component.
Serial Number
Component serial number.
Description
Description of component.
Component Type
Type of component.
Component
11-24
OL-25947-01
Chapter 11

Table 11-2
Description
Container
Alias Name
Alias name of container.
Operational Status
Operational status of container.
Manufacturer Name
Name of manufacturer of container.
Slot Configuration
Slot configuration of container.
Container Model Name
Model name of container.
Container Vendor Type
Vendor type of container.
Parent Relative Position of container.
Container Serial Number
Serial number of container.
Physical entity name of container.
Description
Description of container.
Component Type
Type of container component.
Index
Index of container.
FRU of container.
Fan Model Name
Name of model of fan.
Fan Vendor Type
Vendor type of fan.
Parent Relative Position of fan.
Fan Serial Number
Serial number of fan.
Description
Description of fan.
Physical entity name of fan.
Component Type
Component type of fan.
Index
Index of fan.
FRU of fan.
Alias Name
Alias name of fan.
Operational Status
Operational status of fan.
Manufacturer Name
Name of manufacturer of fan.
Slot Configuration
Slot configuration of fan.
Module Index
Module index of flash.
Fan
Flash

OL-25947-01
11-25
Chapter 11
Table 11-2
Description
Flash Device
Removable
Indicates whether the flash device removable.
Jumper
Jumper of the flash device.
Controller
Flash device controller.
Chip Count
Flash device chip count.
Size (MB)
Total flash device size in MB.
Partition Count
Partition count of flash device.
Maximum Partitions
Maximum partitions in flash device.
Minimum Partition Size (MB)
Minimum partition size of flash device.
Name
Name of the flash device.
Index
Index of flash device.
Description
Description of flash device.
Index
Flash file index.
Status
Flash file status.
Checksum
Checksum of flash file.
Size (MB)
Size of flash file.
Name
Name of flash file.
Algorithm
Algorithm of the flash partition
Filename Length
Flash filename length.
Erase Needed
Whether an erase is needed.
Upgrade Method
Method of upgrade of flash partition.
Status
Status of flash partition.
Free (MB)
Free space in MB.
Size (MB)
Name
Name of flash partition.
Index
Flash partition index.
Flash File
Flash Partition
11-26
OL-25947-01
Chapter 11

Table 11-2
Description
IP Address
IP Address
IP Address of the device.
Index
IP Address index.
Address State
IP Address state.
Address Type
Type of IP Address.
Protocol of Address
Protocol of IP Address.
Max Re-assemble Size
Maximum re-assemble size.
Broadcast Address
Broadcast address.
Network Mask
Network mask of IP Address.
ROM Sys Version
ROM system software version.
ROM Version
Version of ROM.
System Boot Variable
System Boot Variable
System Image File
System image file.
Minimum Boot Flash (MB)
Minimum Boot Flash in MB.
Minimum NVRAM (MB)
Minimum NVRAM in MB.
Minimum DRAM (MB)
Minimum DRAM in MB.
Media
Media of image.
Feature
Image feature
Module
Image module.
Image
Software image present on the device.
Build Time
Build time of image.
Family
Image family.
System Description
Image system description.
Version
Version of the software image on the device.
Description
Description of image.
Processor Index
Processor index of image.
MTU
Maximum transmission unit. Maximum packet size,

in bytes, that this interface can handle.
Alias
Interface alias.
Last Changed
Time of last change.
Operational Status
Operational status of interface.
Admin Status
Administrative status of interface.
Speed (Mbps)
Speed of interface in Mbps.
Type
Type of interface.
Description
Description of interface.
Name
Name of interface
Physical Address
Physical address of interface.
Image
Interface

OL-25947-01
11-27
Chapter 11
Table 11-2
Memory
Memory Pool
Description
Index
Index of interface.
Identifier
Identifier of interface.
FlexLink Enabled
FlexLink status of the interface.
SPAN Enabled
Whether the interface is Span enabled
Processor Index
Processor index.
Total Memory (MB)
Total memory in MB.
Lowest Free Block (MB)
Lowest free block of memory in MB.
Largest Free Block (MB)
Largest free block of memory in MB.
Free (MB)
Free memory in MB
Used (MB)
Used memory in MB.
Validity
Validity of memory pool.
Alternate Pool
Alternate memory pool.
Name
Name of the memory pool.
Type
Memory pool type.
11-28
OL-25947-01
Chapter 11

Table 11-2
Description
Module
Parent Relative Position of module.
FRU of module.
Alias Name
Alias name of module.
Reset Reason
Module reset reason.
Admin Status
Administrative status of module
Additional Status
Additional status of module
Module IP Address
IP Address of module
Hardware Encryption
Hardware encryption of module
Slot Number
Slot number of module
Inline Power Capable
Inline power capability of module
Parent Type
Module parent type.
Multiservice
Is this a multiservice module
Parent Index
Parent index of module
Number of Slots
Number of slots in module
FW Version
Firmware version of module
SW Version
Software version of module
HW Version
Operational Status
Operational status of module
Manufacturer Name
Name of manufacturer of module
Physical entity name of module
Slot Configuration
Slot configuration of module
Model Name
Name of module.
Vendor Type
Vendor type of the module.
Serial Number
Serial number of module.
Description
Description of module
Component Type
Component type of module
Index
Index of module

OL-25947-01
11-29
Chapter 11
Table 11-2
Description
Port
Manufacturer Name
Port manufacturer name.
Slot Configuration
Slot configuration of port.
Port Model Name
Model name of port.
Port Vendor Type
Port vendor type.
Port Serial Number
Serial number of port.
Parent Relative Position of port.
Description
Description of port.
Component Type
Port component type.
Physical Entity Name of port.
Port Index
Port index.
FRU of port.
Alias Name
Alias name of port.
Status
Status of port
Operational Status
Operational Status of port
POE Admin Status
The POE Port Admin Status.
POE Power Allocated
The amount of power allocated from the Power

Sourcing Equipment (PSE) for the Powered device.
This is a POE device specific attribute.
POE Maximum Power
The maximum amount of power that the PSE makes

available to the Powered device connected to the Port
interface.
This is a POE device specific attribute.
Port Interface
Power Consumption (%)
Power consumption percentage of the port.
Power Consumption
Power consumption of the port.
Power Available
Power available for a powered device connected to the

port.
Power Remaining
Power remaining for a powered device connected to

the port.
Number
Port interface number.
11-30
OL-25947-01
Chapter 11

Table 11-2
Description
Power Supply
Parent Relative Position of power supply.
Physical Entity Name of power supply.
Admin Status
Administrative status of power supply.
Operational Status
Operational status of power supply.
Manufacturer Name
Manufacturer Name of power supply.
FRU of power supply.
Slot Configuration
Slot configuration of power supply.
Alias Name
Alias name of power supply.
Power Supply Model Name
Model name of power supply.
Power Supply Vendor Type
Vendor type of power supply.
Power Supply Serial Number
Serial number of power supply.
Description
Description of power supply.
Component Type
Component type of power supply.
Index
Index of power supply.

OL-25947-01
11-31
Chapter 11
Table 11-2
Description
Processor
Processor FRU.
Alias Name
Alias name of processor.
Slot Number
Slot number of processor.
Parent Type
Parent type of processor.
Parent Index
Parent index of processor.
Reboot Config Register Value
Reboot configuration register value.
Config Register Value
Configuration register value
NVRAM Used (KB)
Size of the processor NVRAM that has been utilized,

in KB.
NVRAM Size (KB)
Size of the processor NVRAM in KB.
RAM Size (MB)
Size of processor RAM in MB.
Operational Status
Operational status of processor.
Manufacturer Name
Manufacturer name of processor.
Slot Configuration
Slot configuration of processor.
Model Name
Name of the processor model.
Reset Reason
Processor reset reason.
Vendor Type
Processor vendor type.
Admin Status
Administrative status of processor.
Serial Number
Serial number of processor.
Additional Status
Additional status of processor.
Description
Description of processor.
Module IP Address
Module IP Address of processor.
Component Type
Component type of processor.
Hardware Encryption
Hardware encryption.
Index
Index of processor.
Inline Power Capable
Inline power capability of processor.
Multiservice
Multiservice.
Number of Slots
Number of slots in processor.
FW Version
Firmware version of processor.
SW Version
Software version of processor.
HW Version
Hardware version of processor.
Parent Relative Position of processor.
11-32
OL-25947-01
Chapter 11

Table 11-2
Description
Sensor
Parent Relative Position of sensor.
Name of physical entity of sensor.
Operational Status
Operational status of sensor
Manufacturer Name
Manufacturer name of sensor
FRU of sensor
Alias Name
Alias name of sensor
Slot Configuration
Slot configuration of sensor
Sensor Model Name
Model name of sensor
Sensor Vendor Type
Vendor type of sensor
Sensor Serial Number
Serial number of sensor
Description
Description of sensor
Component Type
Component type of sensor
Index
Index of sensor
Serial Number
Serial number of slot.
Description
Description of slot.
Component Type
Component type of slot.
Index
Index of slot.
Parent Relative Position of slot.
Physical Entity Name of slot.
Operational Status
Operational Status of slot.
Manufacturer Name
Name of manufacturer of slot.
FRU of slot.
Slot Configuration
Configuration of slot.
Alias Name
Alias name of slot.
Model Name
Model name of slot.
Vendor Type
Vendor type of slot.
FRU of stack.
Operational Status
Operational status of stack.
Alias Name
Alias name of stack
Manufacturer Name
Manufacturer name of stack
Slot Configuration
Slot configuration of stack
Stack Model Name
Model name of stack
Stack Vendor Type
Vendor type of stack
Stack Serial Number
Serial number of stack
Description
Description of stack
Parent Relative Position of stack
Slot
Stack

OL-25947-01
11-33
Chapter 11
Table 11-2
Sys Application
System
Description
Component Type
Stack component type.
Index
Index of stack.
Physical Entity Name of stack.
Index
Index of system application
Software Serial Number
Software serial number of system application.
Software Version
Software version of system application
Software Product Name
Name of software product.
Software Manufacturer
Software manufacturer of system application
SysUpTime
System Up Time.
Host Name
Host name of the system
Management Type
Management type of system.
Modular
Modularity of system.
OSI Layer Services
OSI layer services of system.
System Name
System name.
System Object ID
System Object ID of the device.
Last Updated At
Date and time of last system update.
Location
System location.
Contact
System contact.
Domain Name
Domain name of the system.
Description
11-34
OL-25947-01
CH A P T E R
12
Managing Jobs
In LMS, there is a Job Browser which enables you to view the status of all the LMS admin-related Jobs.
LMS applications, such as NetConfig, Config Editor, Archive Management, and Software Management
allow you to schedule jobs to perform their tasks. Job Approval allows you to require that one of a group
of users designated as job Approvers approves each job before it can run.
Using Job Browser
Configuring Default Job Policies
Configuring NetShow Job Policies
Job Approval Workflow
Using Device Selector
Using Job Browser

In LMS 4.0, there is a Job Browser which enables you to view the status of all the LMS admin-related
Jobs.
The job details that you can view here include the job ID, the job type, the job status, the job description,
the job owner, the time the job is scheduled to run at, the time of job completion, and the schedule type.
To open the job browser, select Admin > Jobs > Browser.
The Job Browser appears.

OL-25947-01
12-1
Chapter 12
Managing Jobs
Using Job Browser
Table 12-1 displays the fields in the LMS Job Browser.

Table 12-1
LMS Job Browser
Column
Description
Job ID
Unique number assigned to this task at creation time. This number

is never reused. There are two formats:
Job ID:
Identifies the task. This does not maintain a history. For
Example:1001
JobID.Instance ID:
Here, in addition to the task, the instance of the task can also be
identified. For example: 1001.1, 1001.2
Type
Type of job. The jobs include User Tracking jobs, LMS reports,
Inventory Collection, Identity provisioning, Identity monitoring and
so on.
Run Status
Job states include:
Running
Waiting for approval
Scheduled (pending)
Succeeded
Succeeded with Info
Failed
Crashed
Cancelled
Suspended
Rejected
Missed Start
Failed at Start
Select a job state from the Run Status drop-down list box to view the
details of the all jobs that match the job state.
If there are no jobs with any of these job states, the Run Status
drop-down list box will not display the respective job state.
Sched Type
Once
Immediate
Periodic (calendar/time based).
Description
Run Sched
Schedule details of the job.
12-2
OL-25947-01
Chapter 12
Managing Jobs
Using Job Browser
Table 12-1
LMS Job Browser (continued)
Column
Description
Status
Provides the status of the current jobs. The status of the current jobs
is displayed as succeeded or failed. It also displays the failure
reasons.
Owner
Scheduled At
Completed At
Filtering Jobs
You can filter the jobs by any specified criteria using the Filter by drop-down list. Select your criteria,
enter the corresponding value in the text box next to the drop-down list and click Filter. The jobs
pertaining to that category are displayed.
Column
Description
All
Displays all jobs in Job Browser.

This is the default filter type.
Job ID
Unique ID of the job. For example, 1007.0.

Job IDs have N.x format, where x stands for the number of instances
of that job.
For example, 1007.4 indicates that the Job ID is 1007 and it is the
fifth instance of that job.
You should enter a valid Job ID as filter value. You can also:
Enter multiple Job IDs separated by commas
Include the wildcard character * (asterisk) in the Job ID value
Enter a range of Job IDs
Examples of valid Job IDs are:
Type
1002
1010.5
1004,1008.8, 1004
1007*
1001-1010
1019.20-1019.100
Type of job. The jobs include User Tracking jobs, LMS reports,
Inventory Collection, Identity provisioning, Identity monitoring and
so on.
Filters and displays all jobs that match a job type value in Job
Browser.
You must select a job type from the list of available types.

OL-25947-01
12-3
Chapter 12
Managing Jobs
Using Job Browser
Column
Description
Run Status
Job states include:
Running
Waiting for approval
Scheduled (pending)
Succeeded
Succeeded with Info
Failed
Crashed
Cancelled
Suspended
Rejected
Missed Start
Failed at Start
Select a job state from the Run Status drop-down list box to view the
details of the all jobs that match the job state.
If there are no jobs with any of these job states, the Run Status
drop-down list box will not display the respective job state.
Sched Type
Description
Once
Immediate
Periodic (calendar/time based).

Filters and displays all jobs with a specified description.
You cannot leave the description field blank when you select this
filter type.
Owner

Filters and displays all jobs that are scheduled by a user.
You can select a user from the drop-down list of users as a filter
value.
Click the Refresh icon to refresh the job browser. Use the Stop and Delete buttons to stop or delete jobs:
Stop buttonStops or cancels a running job. You will be prompted to confirm the cancellation of
the job. However, the job is stopped only after the devices currently being processed are successfully
completed. This is to ensure that no device is left in an inconsistent state.
Delete buttonDeletes the selected job from the job browser. You can select more than one job to
delete. You will be asked to confirm the deletion.
Note
You cannot delete a running job.
12-4
OL-25947-01
Chapter 12
Managing Jobs

Each Configuration Management job has properties that define how the job will run. You can configure
a default policy for these properties that applies to all future jobs. You can also specify for each property
whether users can change the default when creating a job.
You have the option of entering a username and password for running a specific Archive Management,
Config Editor, NetConfig, or NetShow job.
If you enter a username and password, Archive Management, Config Editor, or NetConfig applications
use this username and password to connect to the device, instead of taking these credentials from the
Device and Credential Repository.
While the job is running, the password is retrieved from the Device and Credential Repository for each
of the selected devices.
For example, if the TACACS server is managing the devices, the passwords in the TACACS server and
the passwords in the Device and Credential Repository should be synchronized (with every password
change).
This option of entering the username and password for running a job is useful in high security
installations where device passwords are changed at frequent intervals. In such instances, the passwords
may be changed every 60-90 seconds.
To use this option of entering a username and password for running a specific job, you should enable the
job password policy for Archive Management, Config Editor, NetConfig, or NetShow jobs.
You can do this by using the Enable Job Password option in the Config Job Policies window.
If you have enabled Enable Job Password option, you can enter these credentials while scheduling a job:
Login Username
Login Password
Enable Password
This section also explains about Defining the Default Job Policies.

OL-25947-01
12-5
Chapter 12
Managing Jobs
Defining the Default Job Policies

The following is the workflow for defining the default job policies for Configuration Management
applications like NetConfig, ArchiveMgmt, ConfigEditor, Netshow:
Note
Step 1
Select Admin > Network > Configuration Job Settings > Config Job Policies.
The Config Job Policies dialog box appears.
Step 2
Step 3
Select one application from the drop-down list. You can select one of the following options:
NetConfig
ArchiveMgmt
ConfigEditor
Netshow
Based on your selection, enter the following information:
Field Name
Description
Failure Policy
Select what the job should do if it fails to run on the You can create rollback commands for a job in
device. You can stop or continue the job, and roll
the following ways:
back configuration changes to the failed device or to
Using a system-defined template.
all devices configured by the job.
Rollback commands are created
You can select one of the options:
automatically by the template.
Stop on failureStops the job on failure.
The Banner system-defined template does
Ignore failure and continueContinues the job

on failure.
Rollback device and stopRolls back the

changes on the failed device and stops the job.
This is applicable only to NetConfig application.
Rollback device and continueRolls back the

changes on the failed device and continues the
job. This is applicable only to NetConfig
application.
Rollback job on failureRolls back the changes

on all devices and stops the job. This is
applicable only to NetConfig application.
Note
Usage Notes
not support rollback. You cannot create

rollback commands using this template.
Creating a user template.

Allows you to enter rollback commands into
the template.
When you use the Adhoc and Telnet
Password templates, you cannot create
rollback commands.
This field appears only if you select either

Config Editor or NetConfig application.
12-6
OL-25947-01
Chapter 12
Managing Jobs
Field Name
Description
Usage Notes
E-mail Notification Enter e-mail addresses to which the job sends

messages at the beginning and at the end of the job.
Notification is sent when the job is started and

completed.
You can enter multiple e-mail addresses separated by Notification E-mails include a URL to enter to
display job details. If you are not logged in, do so
commas.
using log in panel.
Configure the SMTP server to send e-mails in the
View / Edit System Preferences dialog box
We recommend that you configure the E-mail ID in
the View / Edit System Preferences dialog box
When the job starts or completes, an e-mail is sent
with the E-mail ID as the sender's address.
Sync Archive
before Job
Execution
The job archives the running configuration before

making configuration changes.
Copy Running
Config to Startup
The job writes the running configuration to the

startup configuration on each device after
configuration changes are made successfully.
Note
Note
Enable Job
Password
None.
This field appears if you select either Config

Editor or NetConfig application.
Does not apply to Catalyst OS devices.
This appears if you select either Config

The Job Password Policy is enabled for all the jobs.
None.
The Archive Management, Config Editor, and

NetConfig jobs use this username and password to
connect to the device, instead of taking these
credentials from the Device and Credential
Repository.
You can use this option even if you have

configured only the Telnet password (without
configuring username) on your device.
These device credentials are entered while

scheduling a job.
You must enter a string in the Login Username

field. Do not leave the Login Username field
blank.
The Login Username string will be ignored while
connecting to the device since the device is
configured only for the Telnet password.
See Usage Scenarios When Job Password is
Configured on Devices.
Fail on Mismatch
of Config Versions
The job is considered a failure when the most recent None.

configuration version in the configuration archive is
not identical to the most recent configuration version
that was in the configuration archive when you
created the job.
Note
This appears if you select either Config

Delete Config after The configuration file is deleted after the download.
download
Note
This appears if you select Config Editor.

OL-25947-01
12-7
Chapter 12
Managing Jobs
Field Name
Description
Usage Notes
Execution Policy
Allows you to configure the job to run on multiple

devices at the same time (Parallel execution) or in
sequence (Sequential Execution).
If you select sequential execution, you can select

Device Order in the Job Schedule and Options
dialog box to set the order of the device.
1.
Select a device in the Set Device Order

dialog box.
2.
Either:
Click the Move Up or Move Down arrows to

change its place in the order. Click Done to
save the current order.
Or
Close the dialog box without making any

changes.
You cannot alter the device sequence for Archive

Management application jobs such as Sync
Archive, Check Compliance and Deploy, etc.
Sequential Execution is not supported for the
following jobs:
User Configurable
Step 4
Select this check box next to any field to make

corresponding policy user configurable.
Manual Sync Archive
Periodic Config Collection and Polling
cwcli config get
You can configure a user-configurable policy

while defining job. You cannot modify
non-user-configurable policies.
Click Apply.
A message appears, Policy values changed successfully.
Step 5
Click OK.
Usage Scenarios When Job Password is Configured on Devices
The following tables list the usage scenarios and their implications for Configuration application when
job password is configured on devices.
Table 12-2When Device Access is Only Through Job Password and No Access is Available
Through Regular Telnet/SSH and SNMP (Read or Write)
Table 12-3When Devices are Configured for Job Password and Access is Available Through SNMP
(Read or Write)
Table 12-4When Devices are not Configured for Job Password and Access is Available Through
Regular Telnet/SSH but no SNMP
Table 12-5When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled.
Access is Available Only Through SNMP (Read or Write)
12-8
OL-25947-01
Chapter 12
Managing Jobs
Table 12-2
When Device Access is Only Through Job Password and No Access is Available Through Regular
Telnet/SSH and SNMP (Read or Write)
Scenario
Archive Mgmt
cwcli config
NetConfig
Config Editor
Device is added into

LMS
Fails
Not applicable
Not applicable
Not applicable
Update archive request Fails

through user interface
Not applicable
Not applicable
Not applicable
Update archive request Not applicable

through command line
Fails
Not applicable
Not applicable
Config update when

Syslog message is
received
Fails
Not applicable
Not applicable
Not applicable
Config update through

periodic scheduled
process
Fails
Not applicable
Not applicable
Not applicable
Config update through

SNMP poller based
scheduled process
Fails
Not applicable
Not applicable
Not applicable
Config upload/restore
through cwcli config
Not applicable
Fails
Not applicable
Not applicable
NetConfig Job
Not applicable
Fails
Succeeds
Not applicable
Config Editor job
Not applicable
Not applicable
Not applicable
Succeeds
Table 12-3
When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write)
Scenario
Archive Mgmt
cwcli config
NetConfig
Config Editor
Device is added into LMS
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Update archive request through user

interface
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Update archive request through

command line
Succeeds for
SNMP supported
devices
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Config update when Syslog message is

received
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Config update through periodic

scheduled process
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable

OL-25947-01
12-9
Chapter 12
Managing Jobs
Table 12-3
When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write)
Scenario
Archive Mgmt
cwcli config
NetConfig
Config Editor
Config update through SNMP poller

based scheduled process
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Config upload/restore through cwcli
Not applicable
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
NetConfig Job
Not applicable
Fails
Succeeds
Not applicable
Config Editor job
Not applicable
Not applicable
Not applicable
Succeeds
config
Table 12-4
When Devices are not Configured for Job Password and Access is Available Through Regular Telnet/SSH
but no SNMP
Scenario
Archive Mgmt
cwcli config
NetConfig
Config Editor
Succeeds
Not applicable
Not applicable
Not applicable

interface
Succeeds
Not applicable
Not applicable
Not applicable

command line
Succeeds
Succeeds
Not applicable
Not applicable

received
Succeeds
Not applicable
Not applicable
Not applicable

scheduled process
Succeeds
Not applicable
Not applicable
Not applicable

Succeeds
Not applicable
Not applicable
Not applicable
Succeeds
Succeeds
Not applicable
Not applicable
NetConfig Job
Not applicable
Not applicable
Succeeds
Not applicable
Config Editor job
Not applicable
Not applicable
Not applicable
Succeeds
config
Table 12-5
When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is
Available Only Through SNMP (Read or Write)
Scenario
Archive Mgmt
cwcli config
NetConfig
Config Editor
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable

interface
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
12-10
OL-25947-01
Chapter 12
Managing Jobs
Table 12-5
When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is
Available Only Through SNMP (Read or Write) (continued)
Scenario
Archive Mgmt
cwcli config
NetConfig
Config Editor

command line
Succeeds for
SNMP supported
devices
Succeeds for
SNMP supported
devices
Not applicable
Not applicable

received
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable

scheduled process
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable

Succeeds for
SNMP supported
devices
Not applicable
Not applicable
Not applicable
Succeeds for
SNMP supported
devices
Succeeds for
SNMP supported
devices
Not applicable
Not applicable
config
NetConfig Job
Not applicable
Fails
Fails
Not applicable
Config Editor job
Not applicable
Not applicable
Not applicable
Fails

Each NetShow job has properties that define how the job runs. You can configure a default policy for
these properties that apply to all future jobs. For each job property you can specify whether users can
change the default property when creating a job.
NetShow supports the following Job Policies:
Defining Default Job Policies

The default job policies that NetShow support are E-Mail Notification, Enable Job Password, and
Execution Policy.

The Job Purge option provides a centralized location for you to schedule purge operations.
Defining Protocol Order

You can define the protocol order for NetShow through the Protocol Ordering option in the Config
Management feature in LMS.
This section also gives details on Masking Credentials

OL-25947-01
12-11
Chapter 12
Managing Jobs
Defining Default Job Policies

NetShow supports E-Mail Notification, Enable Job Password, and Execution Policy.
Note
To define these default Job Policies:
Step 1
Select Admin > Network > Configuration Job Settings > Config Job Policies.
The Job Policy dialog box appears.
Step 2
Select NetShow from the Application drop-down list:
Step 3
Enter the following information in the Job Policy dialog box:
Field Name
Description
E-mail Notification Enter e-mail addresses to which the job sends messages at
the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by
commas.
Configure the SMTP server to send e-mails in the View / Edit
System Preferences dialog box (Admin > System > System
Preferences).
Usage Notes
Notification is sent when job is started
and completed.
Notification e-mails include a URL to
enter to display job details. If you are not
logged in, log in using the login panel.
We recommend that you configure the E-mail ID in the View

/ Edit System Preferences dialog box (Admin > System >
System Preferences). When the job starts or completes, an
e-mail is sent with the E-mail ID as the sender's address.
You can use this option even if you have
configured only the Telnet password
NetShow jobs use this username and password to connect to
(without configuring username) on your
the device, instead of taking these credentials from the
device.
Device and Credential Repository.
You must enter a string in the Login
These device credentials are entered while scheduling a job.
Username field. Do not leave it blank.
Enable Job
Password
The Job Password Policy is enabled for all the jobs.
The Login Username string is ignored

while connecting to the device since the
device is configured only for the Telnet
password.
Execution Policy
Allows you to configure the job to run on multiple devices at None.

the same time (Parallel Execution) or in sequence
(Sequential Execution).
12-12
OL-25947-01
Chapter 12
Managing Jobs
Step 4
Click Apply.
A message appears, Policy values changed successfully.
Step 5
Click OK.

The Job Purge option provides a centralized location for you to schedule purge operations for certain
Configuration Management jobs including NetShow jobs.
Select Admin > Network > Purge Settings > Config Job Purge Settings to invoke the Job Purge
option.
The Job Purge window contains the following information:
Column
Description
Application
Lists the application for which the purge is applicable.
Status
Whether a purge job is enabled or disabled.
Policy
This value is in days. Data older than the specified value, will be purged. You can change this
value as required. This is a mandatory field. The default is 180 days.
Job ID
Unique ID assigned to the job by the system, when the purge job was created. This Job ID does
not change even if you disable or enable or change the schedule of the purge job.
For the Purge Now task, a Job ID is not assigned. Also, if a Job ID already exists for that
application, this Job ID is not updated for the Purge Now tasks. That is, the job scheduled for
purging is not affected by the Purge Now task.
Scheduled At
Date and time that the job was scheduled at. For example: Nov 17 2004 13:25:00.
Schedule Type
Specifies the type of schedule for the purge job:
DailyDaily at the specified time.
WeeklyWeekly on the day of the week and at the specified time.
Monthly Monthly on the day of the month and at the specified time. (A month comprises
30 days).

OL-25947-01
12-13
Chapter 12
Managing Jobs
To purge Configuration Management Jobs:

Step 1
Select Admin > Network > Purge Settings > Config Job Purge Settings.
The Job Purge dialog box appears. You can perform the following tasks in the Job Purge window:
Button
Description
Schedule
Schedule a job purging.
Enable
Enable a job for purging after you schedule it.
Disable
Disable the purge after enabling a job for purging.
Purge Now
Purge a job immediately.
Defining Protocol Order

You can define the protocol order for NetConfig, Archive Mgmt, Config Editor, and NetShow through
the Protocol Ordering option in the Config Management feature in LMS.
Note
To define the protocol order for NetShow:
Step 1
Select Admin > Collection Settings > Config > Config Transport Settings.
The Transport Settings dialog box appears.
Step 2
Select NetShow from the Application drop-down list:
Step 3
Select a protocol from the Available Protocols pane and click Add.
NetShow supports only Telnet and SSH.
If you want to remove a protocol or change the protocol order, you can remove the protocol using the
Remove button and then add it again.
The protocols that you have selected appear in the Selected Protocol Order pane.
Step 4
Click Apply.
Step 5
Click OK.
The protocol used for communicating with the device is based on the order in which the protocols are
listed here.
12-14
OL-25947-01
Chapter 12
Managing Jobs
Masking Credentials
You can mask the credentials shown in the output of show commands. If you want to mask the credentials
of a particular command, you must specify the command in the
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\config\netshow\NSCre
dCmds.properties file.
In this file you can specify all the commands whose output should be processed to mask the credentials.
We recommend that you enter the complete command in the file. For example, you must enter show
running-config, not show run. This file contains some default commands like show running-config.

LMS applications, such as NetConfig, Config Editor, Archive Management, and Software Management
allow you to schedule jobs to perform their tasks. Job Approval allows you to require that one of a group
of users designated as job Approvers approves each job before it can run.
See Job Approval Workflow for more information.
Job Approval sends job requests through e-mail to users on a jobs Approver list. If none of the
Approvers approve the job before its scheduled run time, or if an Approver rejects the job, the job is
moved to the rejected state and will not run.
When Job Approval is enabled, applications that use it, require you to schedule the job to run in the
future, rather than immediately. Job approval cannot be enabled for jobs that run immediately.
A user with the appropriate privileges uses a Cisco Prime application to schedule jobs.
When you use Job Approval, different people can perform different tasks:
Note
required privileges to perform job approval tasks.
Role
Responsibilities
Creates and maintains the Approver lists
Approver
Approves/rejects a job, or changes the schedule for a job.

To select the log level settings for the Job Approval application, select Admin > System > Debug
Settings > Config and Image Management Debugging settings.
Job Approval is also referred to as Maker Checker in a few places within LMS. For example, in Loglevel
Settings and Permission Report (Reports > System > Users > Permission) it is mentioned as Maker
Checker.

OL-25947-01
12-15
Chapter 12
Managing Jobs

A typical job approval workflow may look like this:
A system administrator does the following:
1.
Specifies user/Approver information (see Specifying Approver Details.)
2.
Creates one or more job Approver lists (see Creating and Editing Approver Lists).
3.
Assigns Approver lists (see Assigning Approver Lists).
4.
Sets up Job Approval (see Setting Up Job Approval).
The planner analyzes the network and prompts the network engineer to schedule a job to perform a
needed network change.
The job creator uses a Cisco Prime application to create a job.The application must have an Approver
list assigned to it before Job Approval is enabled. Also, it must be scheduled to run in the future (not
immediately).
All Approvers on the Approver list receive an automatic email notification. The job Approvers approve
or reject the job (see Approving and Rejecting Jobs) and give their comments.
The job creator and all Approvers on the Approver list receive an automatic e-mail notification.
A job that is not approved or rejected before its scheduled time is automatically moved to the Rejected
state. E-mail notification is sent to all Approvers and the user who scheduled the job. If the job is
approved, it runs as scheduled.
Specifying Approver Details

Use the option, Approver Details, to maintain information about users with Approver roles.
Note
To specify Approver details:
Step 1
Select Admin > Network > Configuration Job Settings > Approver Details.
The Approver Details dialog box appears.
Step 2
Click Synchronize with Local User Database.

All the approvers in with valid E-mail IDs, will appear in theApprovers list. The E-mails of the approvers
will be the same as that added in LMS.
(You can create a valid Cisco Prime user using the Local User Setup option under Admin > System >
User Management > Local User Setup).
If you want to change the E-mail ID of any of the Approvers, select the Approver from the Approvers
list, and change specifying the new e-mail ID in the E-mail Address field. You can add more than one
e-mail, separated by commas
12-16
OL-25947-01
Chapter 12
Managing Jobs
Step 3
Click Save to save your changes.

All approvers, have to be manually added to LMS.
To do this, enter the name of the Approver that you want to add in the New Approver field, enter a valid
e-mail ID for that user in the E-mail Address field, and click Save.
The Approver that you added, appears in the Approvers box.
Creating and Editing Approver Lists

You can use the option Create/Edit Approver Lists to create, edit, or delete Approver lists. Before you
create an Approver list, ensure that users have been added, through the Approver Details option (see
Specifying Approver Details).
Note
To create and edit Approvers lists:
Step 1
Select Admin > Network > Configuration Job Settings > Create/Edit Approver Lists.
The Create/Edit Approver List dialog box appears.
Step 2
Go to the Approver List field and enter a name for an Approver list that you are creating. It can be an
alphanumeric name.
Step 3
Click Add.
A message appears:
List
Step 4
Listname has no users. To save the list successfully, add users and click Save.
Click OK to proceed.
The newly-created list appears in the lists box.
(If previously-created lists exist, you can highlight a list to see the List Members in the Users group of
fields.)
Step 5
Add users to the newly-created list, by highlighting the list.

In the Users group of fields, the Available Users box lists users who have Approver permissions. Only
these users can be added to Approver lists to approve jobs.
To add a user to the Approver List, select the name from the Available Users list box, and click Add.
The name appears in the List Members list box.
To remove a user from the Approver list, select the name from the List Members list box, then click
Remove.
The name is removed from the List Members list box.
Step 6
Click Save.
The Approver Lists box displays the name of the new Approver list and the users on this list appear in
the box below Approver Lists.

OL-25947-01
12-17
Chapter 12
Managing Jobs
To edit an Approver List:

a.
Select the list.

The approvers of the list appear in the List Members list box.
b.
Add new approvers, or remove existing ones in using the Add and Remove buttons in the Users
group of fields.
To delete an Approver List:

a.
Select the list.
b.
Click Delete.
A message appears:
Are you sure you wish to delete? Approval will be disabled for applications to which
the Listname is assigned!
c.
Click OK to delete the list.
Assigning Approver Lists

You can assign an Approver list to each of the LMS applications, from the available Approver lists.
Note
To assign an Approver list:
Step 1
Select Admin > Network > Configuration Job Settings > Assign Approver Lists.
The Assign Approver Lists dialog box appears.
Step 2
Select the required Approver list from the drop-down list box for that application. Repeat this for each
of the applications listed here.
Step 3
Click Assign.
The selected Approver lists are assigned to the applications.
Setting Up Job Approval

The Approval Policies dialog box allows you to set up Job Approval for all applications for which you
can set up job approval. The applications are:
NetConfig
NetShow
Config Editor
Archive Management. See Using Job Approval for Archive Management for details.
Software Management. See Using Job Approval for Software Management for details
12-18
OL-25947-01
Chapter 12
Managing Jobs
Prerequisite
Make sure the approver list is assigned to the application, before you enable approval for the application.
Note
To set up Job Approval:
Step 1
Select Admin > Network > Configuration Job Settings > Approval Policies.
The Approval Policies dialog box appears. You can enable or disable Job Approval for the following
applications:
Step 2
Step 3
NetConfig
NetShow
Config Editor
Archive Management.
Software Management.
Set up Job Approval for the various applications that support job approval, by doing one of the following:
Select the Enable check box that corresponds to an application, to enable Job Approval.
Deselect the Enable check box that corresponds to an application, to disable Job Approval.
Select the All check box to enable Job Approval, for all applications to which it is applicable.
Deselect the All check box to disable Job Approval, for all applications to which it is applicable.
Click Apply to apply your changes.

After you enable Job Approval, two additional fields appear in the job schedule wizard of the
applications. These are:
Maker CommentsJob creators comments.
Maker E-mailJob creators e-mail address.
Using Job Approval for Archive Management
You can enable Job Approval for Archive Management tasks, (Admin > Network > Configuration Job
Settings > Approval Policies). This means all jobs require approval before they can run.
Only users with Approver permissions can approve Archive Management jobs. Jobs must be approved
before they can run if Job Approval is enabled on the system.
For more details on enabling job approval see Setting Up Job Approval.
The following Archive Management tasks require approval if you have enabled Job Approval:
Out-of-Sync (Configuration > Compliance > Out-of-Sync Summary)
Sync Archive jobs do not have Job Approval enabled because this job only archives the configuration
from the device and there is no change to the device configuration.

OL-25947-01
12-19
Chapter 12
Managing Jobs
If you have enabled Approval for Archive Management tasks, these options appear in the Job Schedule
and Options dialog box:
Approval CommentApproval comments for the job approver.
Maker E-MailE-mail-ID of the job creator.
Using Job Approval for Software Management
You can enable Job Approval for Software Management tasks, (Admin > Network > Configuration Job
Settings > Approval Policies) which means all jobs require approval before they can run.
Only users with Approver permissions can approve Software Management jobs. Jobs must be approved
before they can run if Job Approval is enabled on the system.
The following Software Management tasks require approval if you have enabled Job Approval:
Adding images to Software Repository (Configuration > Tools > Software Image Management >
Software Distribution) using:
Cisco.com
Device
URL
Network
Distribution software images (Configuration > Tools > Software Image Management > Software
Distribution) using any one of these methods:
Distributing by Devices [Basic]
Distributing by Devices [Advanced]
Distributing by Images
Remote Staging and Distribution
If you have enabled Approval for Software Management tasks, then in the Job Schedule and Options
dialog box, you get these two options:
Maker CommentsApproval comments for the job approver.
Maker E-MailE-mail ID of the job creator.
Approving and Rejecting Jobs

Use the Approve or Reject Jobs option to approve or reject a job for which you are an Approver. The job
will not run until you or another Approver approves it. If no Approver approves the job by its scheduled
run time, or an Approver rejects it, the job is moved to the rejected state and will not run.
For periodic jobs, only one instance of the job needs to be approved. If one instance is approved all other
instances are considered approved, and vice-versa.
When a job for which you are an Approver is created, you are notified by email.
An Approver can edit the job schedule at the time of approving the job.
12-20
OL-25947-01
Chapter 12
Managing Jobs
The e-mail displays these details:

Details
Description
Job ID
ID of the job that has been put up for approval.
Job Description
Job Schedule
Date and time for which the job has been scheduled.
Server Name
Name of the server.
Server Time-zone:
Time zone of the server.
Maker Comments
Comments for the Approver, entered by the job creator.
URLS
Two URLs to launch dialog boxes for:
Viewing job details.
Approving or rejecting jobs.
required privileges to perform this task. You need to be a user with an Approver role.
Note
You will be able to select only those jobs for which you are a part of the Approver List. The other jobs,
for which you are not a part of the Approver List, will be disabled.
To approve or reject jobs:
Step 1
Select Admin > Jobs > Approval.

The Jobs Pending Approval dialog box appears with the following information about the scheduled jobs
on the system:
Column
Description
Job ID
Unique number assigned to the job when it is created.

For periodic jobs such as Daily, Weekly, etc., the job IDs are in the number.x format. The x
represents the number of instances of the job. For example, 1001.3 indicates that this is the third
instance of the job ID 1001.
Click the Job ID hyperlink to view the details of the job.
Owner
Job owner.
Job Type
Application that registered job.
Scheduled to Run at
When job is scheduled to run.
Approver List
Name of Approver list whose members can approve job.
Description
Job description, entered by job creator.

You can filter the pending jobs by any specified criteria using the Filter By drop-down list. Select your
criteria and click Filter.

OL-25947-01
12-21
Chapter 12
Managing Jobs
Step 2
Either:
Select the job and click Approve to approve the job.

The job is approved.
Or
Select Next.
The Job Details dialog box appears (For example, if the ID of the job awaiting approval is 1025, then
the title of the dialog box appears as Job Details For Job 1025). You can view/ change the job details
before approving or rejecting it.
Fields in the Job Details box are:
Field
Description
Job
ID
ID of the job (display only).

To see the detailed description of the job, click the View Job Details hyperlink.
Schedule Options
Run Type
Select the frequency at which the job should be run:
For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the
next job will start only at 10:00 a.m. on November 3.
To change, select the required run type from the drop-down list.
12-22
OL-25947-01
Chapter 12
Managing Jobs
Field
Description
Current Schedule
Date
Scheduled date and time of the job. Click Change Schedule to change the schedule of the job.
You must click the Change Schedule button for the changed schedule to take effect. If you do not click
this button, the changed schedule will not be set.
Approver
Comments
Enter your comments. This field is mandatory only if you are rejecting a job.
Step 3
Click Approve.
The job is approved.
If you want to reject the job, enter comments in the Comments text box and then click Reject.

The Device Selector pane is used to select devices to perform LMS tasks. This pane lists all devices in
a group. The devices are listed in the appropriate groups based on Device type groups and User-defined
group rules.
The devices name that you see in this pane is the Device Name that you have entered at the time of adding
the devices in Device and Credential Repository.
You can use the following search options to search for devices:
Note
Using Simple Search
Using Advanced Search
Using the All Tab
Using the Search Results Tab
Using the Selection Tab
If you have configured Cisco Prime login mode to work under ACS mode, the devices listed for you
while performing the tasks are based on your role and associated privileges that are defined in Cisco
Secure ACS.
The Device Selector pane contains the following field/buttons:
Field/Button
Description
Search Input
Enter the search expression in this field.

You can enter single device names or multiple device names. If you are
entering multiple device names, separate them with a comma. You can
also enter the wildcard characters * amd "?".
For example: 192.168.10.1*, 192.168.20.*
Search
Use this icon to perform a simple search of devices based on the search
criteria you have specified in the Search Input text field.
For information on Search, see Using Simple Search.

OL-25947-01
12-23
Chapter 12
Managing Jobs
Field/Button
Description
Advanced Search
Use this icon to perform an advanced search of devices based on the

search criteria you have specified in the Search Input text field.
For information on Advanced Search, see Using Advanced Search.
All
Lists all User-defined and System-defined groups for all applications that
are installed on LMS Server.
For more information, see Using the All Tab.
Search Results
Displays all the search results from Search or Advanced Search.

For more information, see Using the Search Results Tab.
Selection
Lists all the devices that you have selected in the Search Results or All
tab.
Using this tab, you can deselect devices from the list.
For more information, see Using the Selection Tab.
Figure 12-1 shows the new device selector.

Figure 12-1
Device Selector
Tool-tips are provided for long device names so that you do not have to scroll to see the complete device
name.
Using Simple Search

You can search for devices by entering the devices name in the Search Input field.
The search is based on the Device Name that you view in the Device Selector pane. This Device Name
is entered when you add devices to Device and Credential Repository.
Usage Notes
The following are the usage notes for Simple Search:
12-24
OL-25947-01
Chapter 12
Managing Jobs
You can enter multiple device names separated with a comma. You can also enter wildcard character,
* or ? for selecting multiple devices.
For example:
You can enter device names in these many ways to select multiple devices:
192.168.80.140, 192.168.135.101, rtr805
192.168.80.*, 192.168.*
192.168.22.?
You cannot enter multiple wildcard characters for selecting the devices
For example, 192.*.80.*. This is not allowed.
You must enter either the complete device name or enter the partial device name appended with
wildcard character *. That is,
No devices are selected, if you enter only 192.168 in the Device Name text box.
You have to enter either 192.168* or 192.168.10.10.
The search is not case-sensitive.
The devices that are selected is a unique list. There are no duplicate entries of devices.
For example:
If you have these devices in All Devices and Normal devices nodes: 192.168.10.10, 192.168.10.20,
192.168.10.21, 192.168.10.30, and 192.168.10.31 then,
a. Select the devices 192.168.10.20, 192.168.10.21, and 192.168.10.30 in the Normal devices
node.
b. Enter the search criteria 192.168.10.2*
c. The final selected devices that is displayed is, 192.168.10.20, 192.168.10.21, and 192.168.10.30
in the Normal devices node and 192.168.10.20 and 192.168.10.21 in All Devices node.
However, the selected devices count that is displayed in the Device Selector is only three and
not five.
The All Devices node is expanded without selecting any devices, if the search criteria is not
satisfied. The objects selected text displays 0 (zero) device selected.

You can use the Advanced Search icon to specify a set of rules for advanced search. Advanced search is
based on the Grouping Services attributes of Grouping Services Server. In the Advanced Search dialog
box, you can create rules to search for devices.

OL-25947-01
12-25
Chapter 12
Managing Jobs
Figure 12-2 shows the Advanced Search dialog box.

Figure 12-2
Device Selector Advanced Search
This dialog box contains the following fields and buttons (See Table 12-6):
Table 12-6
Advanced Search Dialog Box
Field/Buttons
Description
OR, AND, EXCLUDE
Logical operators.
ORInclude objects that fulfill the requirements of either

rule.
ANDInclude only objects that fulfill the requirements of

both rules.
This field appears only after a rule expression is added in the Rule
Text box.
Object Type
Type of object (device) that is used to form a group.

All rule expressions begin with the same Object Type,
RME:INVENTORY:Device.
Variable
Device attributes, based on which you can define the group.

See Advanced Search Rule Attribute.
Operator
Operator to be used in the rule. The list of possible operators

changes based on the Variable selected.
Value
The value of the rule expression. The possible values depend upon
the variable and operator selected. Depending on the operator
selected, the value may be free-form text or a list of values.
The wildcard characters are not supported.
Add Rule Expression
Rule Text
Displays the rule.
12-26
OL-25947-01
Chapter 12
Managing Jobs
Table 12-6
Advanced Search Dialog Box (continued)
Field/Buttons
Description
Check Syntax

Search
Used to search for devices based on the defined rule.
Usage Notes
The following are the usage notes for Advanced Search:
If you have not selected any device nodes, then advanced search is applied only for All Devices
node.
You can either enter the rules directly in the Rule Text field, or select the components of the rule
from the Rule Expression fields, and form a rule.
Each rule expression contains the following:
Object TypeThe type of object (device) that is used to form a group. All rule expressions begin
with the same Object Type, RME:INVENTORY:Device.
VariableDevice attributes, based on which you can define the group. See the Advanced Search
Rule Attribute.
OperatorOperator to be used in the rule. The list of possible operators changes based on the
Variable selected.
ValueValue of the rule expression. The possible values depend upon the variable and operator
selected. Depending on the operator selected, the value may be free-form text or a list of values.
If you are entering the rule expressions manually, the rule expression must follow this syntax:
If you are entering more than one rule expression, you must enter logical operators OR, AND or
EXCLUDE after every rule expression.
You must use Check Syntax button only when you add a rule manually or when you modify a rule
expressions in the Rule Text.
The advanced search operation is not case-sensitive.
To delete the rules in the Rule Text box, select the complete rule including the logical operator and
press the Delete key on your keyboard.
If you want to perform a new search, click Clear All before selecting any new devices.

OL-25947-01
12-27
Chapter 12
Managing Jobs
Advanced Search Rule Attribute
Table 12-7 lists the available device advanced search rule attributes that you can use for defining
advanced search.
Table 12-7
Advanced Search Rule Attribute
Attribute Group
Attribute Type
Description
Asset
CLE identifier of the asset.
Asset.Part_Number
Orderable part number of the asset.
Asset.User_Defined_Identifier
User-defined identifier of the asset
Chassis.Model_Name
Name of the model.
Number of slots in that chassis.
Chassis.Port_Count
Total port count of the chassis.
Chassis.Serial_Number
Chassis.Vendor_Type
Vendor type of the chassis.
Chassis.Version
Flash.File_Name
Name of the flash file.
Flash.File_Size
Flash file size in MB.
Flash.Model_Name
Model name of the flash device.
Flash.Partition_Free
Free space in MB.
Flash.Partition_Name
Flash partition name.
Flash.Partition_Size
Flash.Size
Total flash device size in MB.
Image.ROM_Sys_Version
ROM system software version
Image.ROM_Version
Version of ROM.
Image.Sys_Description
Image system description
Image.Version
Running image version.
IP.Address
Device IP address.
IP.Address_Type
Version of IP, IPv4 or IPv6
IP.Network_Mask
Network Mask address
Memory.Free
Free memory in MB.
Memory.Name
Name of the memory.
Memory.Size
Total RAM size in MB.
Memory.Type
Memory type.
Memory.Used
Used memory in MB.
Module.HW_Version
Module.Model_Name
Name of the model.
Module.Port_Count
Total ports on that module.
Module.Serial_Number
Serial number of the module.
Module.Vendor_Type
Vendor type for the module.
Chassis
Flash
Image
IP Address
Memory
Module
12-28
OL-25947-01
Chapter 12
Managing Jobs
Table 12-7
Advanced Search Rule Attribute (continued)
Attribute Group
Attribute Type
Description
Processor
Processor.Model_Name
Name of the model.
Processor.NVRAM_Size
Size of the processor NVRAM in MB.
Processor.NVRAM_Used
Size of the processor NVRAM that has been utilized, in

MB.
Processor.Port_Count
Total port count of the processor
Processor.RAM_Size
Size of the processor RAM in MB.
Processor.Serial_Number
Serial number of the processor.
Processor.Vendor_Type
Vendor type of the processor.
State
State
Device state such as Normal, Alias, etc.
System
System.Contact
Device contact person name.
System.Description
System.DomainName
Device domain name.
System.Location
Device location information.
System.SystemOID
System Object ID of the device (sysObjectID).
Using Advanced SearchAn Example
The following example describes the procedure for selecting devices whose IP address starts with
192.168 or Network Mask is 255.255.255.0. Also, these devices are assumed to be in Normal state.
The devices in your network are:
192.168.101.200 with network mask 255.255.255.128
Use the following procedure for advanced search:

Step 1
Click the Advanced Search icon in the Device Selector pane.

The Define Advanced Search Rule dialog box appears.
Step 2
Step 3
Select,
a.
State as Variable
b.
= as Operator
c.
Normal as Value


OL-25947-01
12-29
Chapter 12
Managing Jobs
Step 4
Step 5
Select,
a.
And as Logical Operator
b.
IP.Address as Variable
c.
Contains as Operator
d.
Enter 192.168.101 for Value.

Step 6
Step 7
Select,
a.
OR as Logical Operator
b.
IP.Network_Mask as Variable
c.
Equals as Operator
d.
Enter 255.255.255.0 for Value.

Step 8
Click Search.
The Device Selection dialog box appears.
The devices that satisfied the search condition are selected. That is these two devices are selected.
Using the All Tab

The All tab lists all the devices that are available in the LMS. The list is based on the Device Name that
you entered in the Device Properties dialog box when you added devices to Device and Credential
Repository.
List of Device Folders
The following is the list of device folders under the All tab:
The All Devices folder lists all devices. That is, this includes devices in Normal, Alias, Pending, and
Pre-deployed states. This folder does not include devices in Suspended and Conflicting states.
The Normal Devices folder lists devices that has been successfully contacted by LMS or the device
has contacted LMS at least once (polling, successful job completion, Syslog receipt etc.).
The Pre-deployed folder lists Device has never ever been reachable by LMS (by protocol such as
SNMP).
The Previous selection folder lists LMS devices that were selected in previous LMS task in the same
session.
Saved device list folder lists devices that are saved explicitly by you while generating the Inventory
Reports, View Credential Verification Report and Error Report.
12-30
OL-25947-01
Chapter 12
Managing Jobs
Only one Saved device list is created within the device selector. If concurrent users have created
Saved device list, only the last created Saved device list appears in the Device Selector. The previous
Saved device list is overwritten with the latest.
Note
You can use the Previous selection and Saved device groups only when you are working on a application.
You cannot use these device groups when you are working on another Cisco Prime application. That is,
if you are working on the Campus Manager application, these groups must not be used.
The User Defined Groups folder lists devices that satisfy the group rules. The group rules are defined
by you at the time of creating the User-defined groups.
Based on the applications that are installed on your LMS Server, you will also view device folders
related to other Cisco Prime applications:
CiscoWorks_ApplicationName@CiscoWorks_ServerHostName
For example: For Cisco Prime Common Services, you will see:
CS@CiscoWorks_ServerHostName.
In a stand-alone system, server name is not appended. For example, for Common Services, you will
see CS.
Other application folders are displayed in LMS based on the settings. For more details, see Common
Services Online Help.
In Device Selector, the other Cisco Prime application device folders will list only devices.
For example: If you have devices, A, B, C and D in Cisco Prime Common Services and you have
devices A, B, and C in LMS then in the Device Selector under Common Services device folder, you
will view on device list, A, B, and C.
The device appears in a disabled (greyed out) state when:

Device type is Unknown in Device and Credential Repository. In all applications device is
shown as disabled except in Inventory job creation and reports.

Device type is known and correct in Device and Credentials (that is, the SysObjectID is correct
and is available in Device and Credentials). However, that device is not supported by
applications. (Inventory, Software Management, and Configuration Management).
There are two types of device selectors in LMS:
Single Device Selector
Multiple Device Selector
Single Device Selector
In the single device selector, you can select a device only at the leaf-level (device-level). The radio
buttons at the node-level (folder-level) are grayed out.

OL-25947-01
12-31
Chapter 12
Managing Jobs
Multiple Device Selector
In the multiple device selector, you can select devices at both the node-level and leaf-level.
The following are the usage notes for the multiple device selector:
If you select devices at the node-level, all devices listed under this node are selected.
For example, if you select the All Devices node, all devices under this node are selected.
If you expand a device node, you cannot select devices at the node-level. You need to select devices
individually at the leaf-level.
For example, if you expand the All Devices node, you cannot select devices at the All Devices
node-level (the check-box is grayed out). You need to select devices individually under the All
Devices node.
If you select devices at a node-level and expand that particular node, you can deselect the devices
only at the leaf-level and not at the node-level.
For example, if you select the Normal Devices node and expand the same, you can deselect the
devices only at the leaf-level. You cannot deselect all the devices at the Normal Devices node-level
(the check-box is grayed out), when it is expanded. However, you can use Clear All to deselect all
the devices.
You can select multiple device nodes to perform the tasks.

For example, you can select the Previous selection and the Saved device list nodes together to
perform the tasks.
Using the Search Results Tab

The Search Results Tab lists all the results of Simple search or advanced search operations. It displays
a flat list of devices and you can do a select all , clear all , or select a few devices from the list.
Using the Selection Tab

The Selection Tab serves as a repository of all the devices that you select from the Search Results tab or
the All Tab.
There are three ways to select devices in the Device Selector:
Selection Using All Tab
Selection Using Search
Selection Combining All and Search
Selection Using All Tab
You can select devices using the tree view in the All tab. This tab displays all devices that are available
in LMS.
Selection Using Search
You can search devices using Search or Advanced Search. The list of devices matching the search criteria
is shown under the Search Results tab. You can select the required devices from the Search Results tab.
The Selection tab reflects whatever you selected from Search Results.
If you click the All tab now, the devices selected from Search Results will be shown in the All Devices
group.
12-32
OL-25947-01
Chapter 12
Managing Jobs
Selection Combining All and Search
After you select devices using the All tab, you can add a few more devices using Search. You can enter
the search criteria and search using Search or Advanced Search and the Search Results tab displays the
devices matching the criteria.
You can select the required devices from the Search Results tab. The Selection tab displays the
accumulated list from both All and Search Results tabs. If you click the All tab, it displays the selected
devices from Search Results under the All Devices group also.
You can enter another search criteria and select more devices. The selected devices are accumulated in
the All tab from the Selection tab, as you select more devices.
Note
The (n) Devices Selected message at the bottom left of the Device Selector screen shows the number of
devices you have selected. It launches the Selection tab when you click on it.
Editing Device Attributes

To edit the device attributes for a single device
Step 1
Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry
settings.
or
Select Admin > Collection Settings > Config > Edit the Inventory, Config Timeout, and Retry
settings.
The Edit Devices dialog box appears.
Step 2
Select the devices for which you want to edit the device attributes. See Using Device Selector for further
information.
Step 3
Click Edit Device Attributes.

The Device Attributes dialog box appears.
Step 4
Click Inline Edit.

The Device Attributes Information dialog box appears.
Step 5
Select a device from the Devices pane.
Step 6
Edit the device attributes in the Device Information pane.

You can check the Apply to all Devices checkbox to apply the device attributes of one device to all other
devices that are listed in the Devices pane.
Step 7
Click Modify in the Device Attributes Information dialog box.
Step 8
Click Apply in the Device Attributes dialog box.
To edit the device attributes for the bulk of devices

Step 1
Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry
settings.
The Devices dialog box appears.

OL-25947-01
12-33
Chapter 12
Managing Jobs
Step 2
Select the devices for which you want to edit the device attributes. See Using Device Selector for further
information
Step 3
Click Edit Device Attributes.

The Device Attributes dialog box appears.
Step 4
Click Export.
The Export Device Attributes to File dialog box appears.
a.
Enter the folder name and the filename on the server.

or
Browse to select a folder on the server.

Select a folder and enter the filename on the server.
Click OK in the Server Side File Browser dialog box.
b.
Click OK in the Export Device Attributes to File dialog box.

The notification window displays Data exported successfully.
c.
Step 5
Click OK in the notification window.
Edit the exported file.

You can edit only the device attributes, Serial Number, SNMP Retry, SNMP Timeout, Telnet Timeout,
and Natted IP Address. You cannot edit the Device Name (device_identity) and add new device entries.
See Device Attributes Export File Format for more information.
Step 6
Click Import in the Device Attributes dialog box.

The Import Device Attributes to File dialog box appears.
We recommend that you import the same file that you have exported after editing. If any new device
entries are added, these device entries are ignored. Only device entries that match the existing device
entries are imported.
a.
Enter the folder name and the filename on the server.

or
Browse to select a folder on the server.

Select a folder and file on the server.
Click OK in the Server Side File Browser dialog box.
b.
Click OK in the Import Device Attributes to File dialog box.

The notification window displays Data imported successfully.
c.
Click OK in the notification window.
The Device Attributes window refreshes to display the updated device attributes.
While importing the edited device attributes file an error message may appear,
Attribute values for some selected devices are invalid. See Attribute Error Report for
details.
See Editing Device Attributes section to know the minimum and maximum values for the device
attributes. Also see Attribute Error Report for more information.
Step 7
Click Apply.
12-34
OL-25947-01
Chapter 12
Managing Jobs
The Devices window appears.
The device attributes are:
Device Name
Name of the device.
Serial Number
Cisco manufacturing serial number from chassis. You can enter alphanumeric characters up to 255.
The default value is Default Not Defined.
This attribute is available when you either export or edit the device attributes from the Devices
window.
SNMP Retry
Number of times that the system should try to access devices with SNMP options.
The default value is 2. The minimum value is zero.
SNMP Timeout
Duration of time that the system should wait for a device to respond before it tries to access it again.
The default value is 2 seconds. The minimum value is zero seconds. There is no maximum value
limit.
Changing the SNMP timeout value affects inventory collection.
Telnet Timeout
The default value is 36 seconds. The minimum value is zero seconds. There is no maximum value
limit.
Note
The Telnet timeout and SSh timeout are the same. Modifying the Telnet Timeout also changes the SSH
Timeout.
Natted IP Address
The server ID. This is the translated address of server as seen from the network where the device
resides. This is used when LMS tries to contact devices outside the NAT boundary, you need to
enable support for NAT. The default value is Default Not Defined.
TFTP Timeout
The default value is 5 seconds and the minimum value is 0 seconds. There is no maximum value
limit. This attribute is available only when you edit the device attributes from the Device Attributes
window.
Read DelayAmount of time the system will sleep in between each read iteration. Read Delay sets
the client to sleep for few milliseconds. During the delay time, the client accumulates the device
content in buffer and keeps it ready to be read. The default read delay is 10 milliseconds.
Transport TimeoutAmount of time the socket will be blocked for read operation. The client waits
for a response from the device after which it will get timed out. The default value is 45000
milliseconds.

OL-25947-01
12-35
Chapter 12
Managing Jobs
Login TimeoutAmount of time the system should wait for a clients input after which the client
gets disconnected from the device. The default value is 2000 milliseconds.
Tune SleepAmount of sleep time in milliseconds set before and after sending a new line to the
device. The default value is 50 milliseconds.
Delay After ConnectAmount of waiting time in milliseconds after initial socket connection. It will
wait for the set time before doing the next operation. The default value is 300 milliseconds.
Do any one of the following to edit the device attributes:
Note
Set the device attributes value for a single device using Admin > Collection Settings > Inventory
> Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes > Inline
Edit. See To edit the device attributes for a single device
Set the device attributes value for the bulk of devices using Admin > Collection Settings >
Inventory > Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes >
Export. See To edit the device attributes for the bulk of devices
View Permission Report to check if you have the required privileges to perform this task.
Attribute Error Report

The Attribute Error report is generated when the attribute values imported for some selected devices are
invalid. This error occurs when the device attributes that are imported as a CSV file contain invalid
attributes.
You can click on the Attribute Error Report link that is displayed in the error message, to open the
Attribute Error Report.
You can also view the Attribute Error Report by clicking on the Attribute Error Report button from:
Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings
> Edit Device Attributes
Note
The Attribute Error Report link is available only if importing of device attributes causes error.
Device Attributes Export File Format

The device attributes are exported in CSV 3.0 format. The exported file format is:
; This file is generated by DM Export utility
Cisco Systems NM Data import, Source=DM Export; Type=DMCSV; Version=3.0
;
;Start of section 0 - DM Export
;
;HEADER:
device_identity,serial_number,SNMPRetryCount,SNMPTimeout,TelnetTimeout,TFTPTimeout,Natt
edIPAddress,ReadDelay,TransportTimeout,LoginTimeout,TuneSleep,DelayAfter Connect
;
192.168.8.4,Default Not Defined,2,2,36,5,Default Not Defined,10,45000,2000,50,300
12-36
OL-25947-01
Chapter 12
Managing Jobs
;End of CSV file
Where,
device_identityDevice
Name of the device as entered in Device and Credential Repository.
serial_numberCisco manufacturing serial number from chassis. You can enter 0 to 255
alphanumeric characters. The default value is Default Not Defined.
SNMPRetryCountNumber of times, system should try to access devices with SNMP options. The
default value is 2. The minimum value is zero.
SNMPTimeoutDuration
of time the system should wait for a device to respond before it tries to
access it again. The default value is 2 seconds. The minimum value is zero seconds. There is no
maximum value limit.
Changing the SNMP timeout value affects inventory collection.
TelnetTimeoutDuration of time the system should wait for a device to respond before it tries to
access it again. The default value is 36 seconds. The minimum value is zero seconds. There is no
maximum value limit.
Natted IP Addressserver ID. This is the translated address of server as seen from the network
where the device resides. This is used when LMS tries to contact devices outside the NAT boundary.
The default value is not defined.
Read DelayAmount
of time the system will sleep in between each read iteration.
The default read delay is 10 milliseconds.
Transport TimeoutAmount
of time the socket will be blocked for read operation.
Login TimeoutAmount
of time in milliseconds after which it will start reading the user prompt.
Tune SleepAmount
of sleep time in milliseconds after sending tune command 3 to 4 times.
Delay After ConnectAmount
of waiting time in milliseconds after initial socket connection. It

will wait for the set time before doing the next operation.

OL-25947-01
12-37
Chapter 12
Managing Jobs
12-38
OL-25947-01
Chapter 12
Managing Jobs

OL-25947-01
12-39
Chapter 12
Managing Jobs
12-40
OL-25947-01
Chapter 12
Managing Jobs

OL-25947-01
12-41
Chapter 12
Managing Jobs
12-42
OL-25947-01
CH A P T E R
13

Software Center helps you to check for software and device support updates, download them to their
server file system along with the related dependent packages, and install the device updates.
Software Center allows you to look for software and device updates from Cisco.com, and download them
to a server location. You can install the updates from this location. In the case of device updates,
Software Center helps you to install the updates using a web based user interface, and command line
interface, wherever possible.
Most of the device family-based packages can be installed directly from the web interface while the
device support packages such as IDU have to be installed based on the installation instructions in the
respective Readme files.
You may also uninstall a device support package. Software Center does not support installation and
uninstallation of software updates.
To backup what is installed on the server, Software Center maintains a package and device map in the
installed packages directory of the respective applications. The package map is a list of all device
packages installed on the server and device map is a list of all the supported devices on the server.
Software Center also provides a Command Line Interface to download device updates and software
updates, and install or uninstall device packages.
Performing Software Updates
Performing Device Update
Point Patch Update
Using the Software Center CLI Utility

OL-25947-01
13-1
Chapter 13

You can view a list of all Cisco Prime related bundles and products currently installed on your system
using this option. For software updates the default site is Cisco.com.
The Software Updates link under Software Center takes you to the Software Updates page. The Software
Updates page has two dialog boxes:
Bundles Installed dialog box that lists the bundles installed.
Products Installed dialog box that lists the applications installed.
These dialog boxes display the bundle or product name, the version, and the date on which the software
was installed. To sort the table by version or date of installation, click on the Version / Installed Date link.
You can click the product name links to view the Applications and Packages Installed with the Product
page that gives the details of the installed applications, patches, and packages of the product. See
You can navigate further down for each product to get a detailed list of all individual OS level packages
installed on the system, along with the versions.
The Software Updates page provides two options:
Select Software Updates
Download Software Updates
Selecting Software Updates
Downloading Software Updates

You can view the information on all the applications, patches, and packages installed for a selected
product.
To do so:
Step 1
Select Admin > System > Software Center > Software Update.
The Software Updates page appears.
Step 2
Go to the Products Installed dialog box and click the link provided on a product.
A new window displays the details of:
Patches InstalledProvides details about the patches installed on the product, the patch version and
the date on which the patches were installed.
Application InstalledProvides details of the applications installed, the application version, and the
date on which the applications were installed.
Packages InstalledProvides details about the packages installed on the product, the package
version with patch level, and the date on which the packages were installed.
13-2
OL-25947-01
Chapter 13

Selecting Software Updates

You can select new software packages to update the applications or products.To select updates from
Software Center:
Step 1
Step 2
Go to the Products Installed dialog box and select the check box corresponding to the product for which
you want to select update.
You can select multiple products by selecting the corresponding check boxes.
Step 3
Click Select Updates.

The Cisco.com and Proxy Server Credentials dialog box appears.
Step 4
Enter your Cisco.com username and password to connect to Cisco.com, for software updates.
If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server
Setup, you must enter the Proxy server username and password.
Step 5
Click Next.
A list of available Software Updates for the selected product appears.
Step 6
Select the Software Update you need to download and click Next.
You can filter the required images based on Type, Package Name, Product Name, and Available Version
With Patch Level. To filter the images, choose the filter source from the drop-down list and specify the
filter pattern in the text box.
For example, if you select the Filter Source as Package Name and Pattern as cmfSw001, all packages
with name starting as cmfSw001 will be listed.
Regular expressions are not supported for the patterns. Patterns are case sensitive.
For example, if the list of available packages are CatGL3, Cat4000, Cat3560, Pix, cigesm, and
CAT2900XL, then a filter pattern Cat will list the CatGL3, Cat4000 and Cat3560 packages:
Step 7
Select a destination location or browse to the location and click Next.

The destination location should not be the location where Cisco Prime is installed or any of the OS
directories. Software Center does not support downloading device or software updates in the same
directory where you have installed Cisco Prime LMS, or any of its sub-directories.
By default, the destination location is:
/opt/psu_download (On Solaris/Soft Appliance)
System Drive:\psu_download (On Windows)
The Download Summary window appears.

Step 8
Click Finish to confirm download of the selected packages.

If you do not want to add the selected packages, click Back to reselect packages or click Cancel to exit.

OL-25947-01
13-3
Chapter 13

You can download the selected updates from Software Center.
To download updates from Software Center:
Step 1
Step 2
Go to the Products Installed table and select the check box corresponding to the product for which you
want to download the update.
You can select multiple products by selecting the corresponding check boxes.
Step 3
Click Download Updates.

The Cisco.com and Proxy Server Credentials dialog box appears.
Step 4
Enter your Cisco.com username and password. Both are mandatory.

Setup, you must enter Proxy server username and password.
Step 5
Select a destination location or browse to the location and click Next.

directory where you have installed Cisco Prime LMS, or any of its sub- directories.
Step 6
Click Finish to confirm the download operation.

To return to the Software Update page, click Cancel.

You can view a list of all Cisco Prime related devices packages on your system using this option. It
displays a count of devices supported for each product installed in the system. For device updates the
source location could be Cisco.com or the Server Side Directory.
The Device Updates link under Software Center takes you to the Device Updates page. The Device
Update page lists the product name and the device type count.
The default summary screen shows the number of devices supported for each product installed in the
system. You can view a package map and a device map for each product installed.
13-4
OL-25947-01
Chapter 13

You can also check for the device updates and delete the device packages using the Device Update page.
Viewing Package Map
Viewing Device Map
Checking for Updates
Deleting Packages
Viewing Package Map

A package map is a snap shot of the currently installed device packages for a Product. The
backup-restore framework uses Package map during data backup.
To view a package map for an installed product, click the product name link. A popup window appears
with the information on the packages installed. The package name, version, and description are
displayed.
You can filter the device packages based on Package Name and Version. To filter the packages, choose
the filter source from the drop-down list and specify the filter pattern in the text box.
For example, if you specify the Filter Source as Package Name and Pattern as Cat, all package names
starting with Cat will be listed.
A package name identifies the device package. For example, the package name AP350 represents Cisco
Aironet 350 Device Package. You have to use package name while specifying the download policy, and
while performing other Software Center operations where you have to specify the package name.
Viewing Device Map

To view a device map for an installed product, click the device type count link. A popup window appears
with the information on the devices installed. The device map lists the sysObjectID, Device Name,
Package Name, and Version.
You can filter the packages based on sysObjectID, DeviceName, Package Name, and Version. To filter
the packages, choose the filter source from the drop-down list and specify the filter pattern in the text
box.
For example, if you specify the Filter Source as sysObjectID and pattern as 1.3.6.1.4.1.9, details of all
devices with SysobjectID starting with 1.3.6.1.4.1.9 will be listed.

OL-25947-01
13-5
Chapter 13
Checking for Updates

You can check for updates using this option. To check for the updates:
Step 1
Select Admin > System > Software Center > Device Update.
The Device Updates page appears.
Step 2
Select the check box corresponding to the product for which you want to check for updates and click
Check for Updates.
The Source Location page appears. You can check for updates at Cisco.com or a server.
Step 3
To check for updates at Cisco.com, select the Cisco.com radio button.
To check for updates from a server, select the Enter Server Path radio button and enter the path or
browse to the location using the Browse tab.
Click Next.
The Cisco.com and Proxy Server Credentials dialog box appears, if you have selected to check for
updates at Cisco.com.
Step 4
Enter your Cisco.com username and password.

Setup, you must enter Proxy server username and password.
Step 5
Click Next.
The Available Packages and Installed Packages page appears. It displays:
Step 6
Package Name: Name of the package.
Type: Type of the update. For example, whether the update is a device package or IDU package.
Product Name: Product for which the update is available.
Installed Version: Current version of that product installed in the server.
Available version: Version of the product that is available (Other than the installed version).
Readme Details: Links to the Readme files associated with the update.
Posted date: Date on which the update was posted on Cisco.com.
Size: Size of the update.
Select the check box corresponding to the package that you wish to update and click Next.
The Device Update page appears. You can either install the device packages or download them.
To install device packages, select the Install Device Packages radio button.
To download device packages, select the Download Device Packages radio button.
13-6
OL-25947-01
Chapter 13

If you select Download Device Packages:

a.
Enter the folder in File Selection field or click Browse to select the destination directory.
b.
Set the frequency of downloads, select the run type from the Run Type drop-down list. The options
are:
Immediate
Once
If you choose any of the options other than Immediate, set the date and time.
Select the date from the date picker. The date picker displays the date from the client system.
Specify the time from the drop-down lists.
c.
Enter a description for the download job in the Job Description field. This is mandatory.
d.
Enter an e-mail ID in the E-mail field.

You can enter multiple e-mail addresses separated by comma.
e.
Click Next.
The Summary window displays the details.
f.
Click Finish to confirm.
If you select Install Device Packages:

a.
Click Next.
The Summary window displays the details.
b.
Click Finish to confirm.

A message that the daemons are restarted, appears.
Step 7
Click OK to continue.
Deleting Packages
You can also delete packages that are outdated or you no longer use.
To delete a package:
Step 1
Select Admin > System > Software Center > Device Update.
The Device Update page appears.
Step 2
Select the check box corresponding to the product and click Delete Packages.
The wizard displays a window that has the Package name, the Product name, and the Installed version
details.
Step 3
Select the check box corresponding to the Package you want to delete.

OL-25947-01
13-7
Chapter 13
You can filter the available device packages based on Package Name, Product Name, Installed Version.
To filter the packages, choose the filter source from the drop-down list and specify the filter pattern in
the text box.
For example, If you select the Filter Source as Package Name and Pattern as cmfSw001, all packages
with name starting as cmfSw001 will be listed.
Regular expressions are not supported for the patterns. Patterns are case sensitive.
For example, if the list of available packages are CatGL3, Cat4000, Cat3560, Pix, cigesm, and
CAT2900XL, then a filter pattern Cat will list the CatGL3, Cat4000 and Cat3560 packages:
Step 4
Click Next.
The Summary window appears with the details of the Product and the Packages selected.
Step 5
Click Finish to confirm deletion.
To make changes in the previous windows, click Back.
To cancel the operation, click Cancel.
After you have confirmed the Delete Packages operation, a message that the daemons are restarted
appears.
Step 6
Click OK to continue.

You can schedule device package downloads and specify the time, frequency of the downloads.
You can also specify download policies. Software Center supports the following download policies:
Download all latest device packages of products installed in the machine.
Download newer versions of currently installed packages.
Download the specified packages (comma separated).
You have to provide your Cisco.com credentials and the location to which the packages should be
downloaded.
To schedule device package downloads:
Step 1
Select Admin > System > Software Center > Schedule Device Downloads.
The Schedule Device Downloads dialog box appears.
Step 2

Enter the Proxy server username and password only if you have configured proxy settings under Admin
> System > Cisco.com Settings > Proxy Server Setup.
Step 3
Enter the destination location, or browse to the location using the Browse tab.
13-8
OL-25947-01
Chapter 13

Scheduled Job
Step 4
Specify the download policy you require:
Download the latest versions of all packages
Download only the latest versions of currently installed packages
Download specified packages
You must enter the device package name without any filename extension. The package name is
case-sensitive.
Note
Step 5
Select the run type from the Run Type drop-down list, to set the frequency of downloads.
Step 6
Select the date from the drop-down calendar, and specify the time using the drop-down lists.
The calendar displays the date from the client system.
Step 7
Enter a description for the download job in the Job Description field. This is mandatory.
Step 8
Enter an e-mail ID in the E-mail field.

You can enter multiple e-mail addresses separated by comma.
Step 9
Click Apply to apply the changes.

Or
Click Cancel to exit without saving changes.
You can schedule only one download at a time.
Note
You can view the scheduled job status and details from the Job Browser window (Admin > Jobs >
Browser).
Scheduled Job
The Scheduled Job Details page displays the activities that are performed using Software Center. The
Scheduled Job table records and displays the downloads to the server. You can view the log from the
server or any client workstation.
To view Scheduled Job Details:
Select Admin > System > Software Center > Scheduled Job Details.
The Scheduled Job Details page appears with the following information:
JobJob ID of the job that is scheduled by Cisco Prime user.
DateTime and the date on which the job was run.
Applicable ProductsProducts to which the download is applicable.
You can delete the information on a job from the list.

To delete a job information, select a job from the list, and click Delete. The job information is deleted
only from this page. However, this remains in the Job Browser page.

OL-25947-01
13-9
Chapter 13
Event Log
Event Log
The Event log page displays the activities that are performed using Software Center. The Event Log table
shows the list of immediate downloads, installations and un-installations of device packages carried out.
You can view the log from the server or any client workstation.
To view the Event Log:
Select Admin > System > Software Center > Event Log.
The Event Log page appears with the following information:
Product NameName of the product.
DescriptionSummary of the activity.
DateDate and time when the operations were carried out.
Event TypeShows one of the following:

Device Package Downloads
Software Download
Install Device Packages / Uninstall Device Packages
StatusStatus of the event (Completed Successfully, Failed or Executed). Click on the Status link
to get more details on the operation.
You can delete either all the event logs or specific event logs from the list.
Select the log entries and click Delete to delete the selected entries.
Point Patch Update

The Point patch update allows you to download and install the point patches released after LMS 4.2.
To download the Point patches:
Step 1
Select Admin > System > Software Center > Point Patch Update.
The Point Patch Update page appears.
Step 2

Enter the Proxy server username and password only if you have configured proxy settings under Admin
> System > Cisco.com Settings > Proxy Server Setup.
Note
Step 3
The Download option in the Point Patch Update page will be enabled only after entering the
Cisco.com username and password.
Enter the download location, or browse to the location using the Browse tab.
By default, the download location is:
Step 4
Select Download Patches radio button.

or
13-10
OL-25947-01
Chapter 13

Select View the list of available point patches to download radio button.
A point patch list containing the defect ID, point patch revision number and patch description is
displayed.
Step 5
Click Download to download all the latest point patch versions that are not installed in your system.
Related Topics
Downloading Point Patch Updates
Installing Point Patch Updates

LMS provides a command line utility that supports most of the Software Center features.
The utility is available at NMSROOT/bin/, as:
PSUCli.bat (on Windows)
PSUCli.sh (on Solaris/Soft Appliance)
The utility helps you do the following:
Download Software Updates.
Download Device Package Updates.
Download Point Patch Updates.
Install Device Packages.
Uninstall Device Packages.
Query Updates on the LMS Server.
List Dependent Device Packages.
List Device Packages Version.
To install new device packages from Cisco.com, you have to first download the packages from
Cisco.com, save them to a directory in your computer, and then install them, specifying the directory.
To get help on command usage, enter:
NMSROOT\bin\PSUCli.bat -h (On Windows)
NMSROOT/bin/PSUCli.sh -h (On Solaris/Soft Appliance)
This lists the commands, options, and valid product names.

Querying Updates on the LMS Server
Installing Device Packages
Uninstalling Device Packages
Downloading Device Updates
Listing Dependent Device Packages

OL-25947-01
13-11
Chapter 13
Listing Device Packages Version
Querying Updates on the LMS Server

To get a list of installed packages, enter:
NMSROOT\bin\PSUCli.bat -p product -query [-src dir] {-all |PackageNames} (On Windows)
NMSROOT/bin/PSUCli.sh -p product -query [-src dir] {-all |PackageNames} (On Solaris/Soft
Appliance)
You have to use either the -all option or specify the package names.
product Product for which packages are to be downloaded. This must be short names of the
products. Invoking the CLI utility with the -h option lists the valid product names.
-p
-query (-q)
-allSelects
-src
PackageNamesNames of the device packages, for example Cat5000, Cat6000, AS5850
Lists the packages (default source location is installed repository of the product).
all packages available at the source location.
dirSource location of the packages
case-sensitive.
Note
Example
NMSROOT\bin\PSUCli.bat -p rme -q -all

This lists all the installed packages for LMS in the installed repository for LMS.
To list all packages in the specified directory for LMS, enter:
NMSROOT\bin\PSUCli.bat -p rme -src dir -q
Installing Device Packages

To install device packages from the directory you specify, enter:
NMSROOT\bin\PSUCli.bat -p product -install -src dir {-all |PackageNames}[-noprompt] (On
Windows)
NMSROOT/bin/PSUCli.sh -p product -install -src dir {-all |PackageNames} [-noprompt] (On
You have use either the -all option or specify the package names.
products. Invoking the CLI utility with the -h option lists the valid product names.
-p
-install (-i)Installs
-allSelects
-src
packages (from user specified directory).
dirSource location of the packages
13-12
OL-25947-01
Chapter 13

case-sensitive.
Note
-nopromptFlag
to turn off the prompt that appears to restart the daemon services during device
packages installation
Example
NMSROOT\bin\PSUCli.bat -p rme -i -src dir Cat6000 Cat4000

This installs the specified packages (Cat6000, Cat4000) for LMS, from the specified directory.
Uninstalling Device Packages

To uninstall device packages, enter:
NMSROOT\bin\PSUCli.bat -p product -uninstall {-all |PackageNames} [-noprompt] (On
Windows)
NMSROOT/bin/PSUCli.sh -p product -uninstall {-all |PackageNames} [-noprompt](On
products. Invoking the CLI utility with -h option lists the valid product names.
-p
-uninstall (-u)
-allSelects
case-sensitive.
Note
Uninstalls packages (from user specified directory).
-nopromptFlag
to turn off the prompt that appears to restart the daemon services during device
packages installation
Example
NMSROOT\bin\PSUCli.bat -p rme -u -all

This uninstalls all packages of LMS, from the installed repository.

To download the Software Updates, enter:
NMSROOT\bin\PSUCli.bat -p product -software -dst download directory {-all |PackageNames}
(On Windows)
NMSROOT/bin/PSUCli.sh -p product -software -dst download directory {-all |PackageNames}

OL-25947-01
13-13
Chapter 13
-p productSpecify the Product for which you want to download the Software Update. Invoking
CLI with -h option lists the valid product names.
-software (-s)
-dst download directorySpecify the directory to which you want to download the Software
Update.
Download Software packages for the specified product or products.
Do not specify the same directory where you have installed Cisco Prime LMS, or any of the sub
directories in it.
-allSelects
PackageNamesNames of the software update package available on Cisco.com, for example,

cwcs3_0_4_win, cwcs3_0_6_sol_k9.
Note
all the available software updates on Cisco.com for download.
You must enter the software update package name without any extension. The package name is
case-sensitive.
You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy
settings, you will be prompted for Proxy Server User credentials.
The destination location should not be the location where Cisco Prime is installed or any one of the OS
Downloading Device Updates

To download the Device Updates, enter:
NMSROOT\bin\PSUCli.bat -p product -download -dst download directory {-all |PackageNames}
(On Windows).
NMSROOT/bin/PSUCli.sh -p product -download -dst download directory {-all |PackageNames}
(On Solaris/Soft Appliance).
-p productSpecify the Product for which you want to download the Device Update. Invoking CLI
with -h option lists the valid product names.
-download (-d)Download
-dst
Device packages for the specified product or products.
download directorySpecify the directory to which you want to download the Device Update.
Do not specify the same directory where you have installed Cisco Prime LMS, or any of the sub
directories in it.
-allSelects
PackageNamesNames of the device packages, for example Cat5000, Cat6000, AS5850.
Note
all available device packages for download from Cisco.com.
case-sensitive.
13-14
OL-25947-01
Chapter 13


To download the Point Patch Updates, enter:
NMSROOT\bin\PSUCli.bat -p product -pointpatch -dst download directory {-all
(On Windows).
|PointpatchName}
NMSROOT/bin/PSUCli.sh -p product -pointpatch -dst download directory {-all |PointpatchName}

(On Solaris/Soft Appliance).
productSpecify the Product for which you want to download the Point Patch Update. Invoking
CLI with -h option lists the valid product names.
-p
-pointpatch (-pp)Download
-dst download directorySpecify the directory to which you want to download the Point Patch
Update
Note
Point Patch for the specified products.
The directory name should not contatin spaces.
-allSelect
PointpatchNameName of the point patch updates, for example CSCto49627, CSCtw65965.
Note
all available device packages for download from Cisco.com.
You must enter the point patch update name without any filename extension and revision
number. The point patch update name is case-sensitive.
directories. Software Center does not support downloading device, point patch or software updates in
the same directory where you have installed Cisco Prime LMS, or any of its sub-directories.

To install point patch updates using CLI on Windows and Solaris/Soft Appliance:
On Windows, run:
NMSROOT\bin\perl NMSROOT\bin\PatchInstall.pl <source directory>
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/PatchInstall.pl <source directory>
Source directoryThe directory in which the point patches are available.
Note
The source directory name should not contatin spaces.

OL-25947-01
13-15
Chapter 13
The downloaded point patch revisions that are not installed in your system are installed and an
installation successful message is displayed.
Listing Dependent Device Packages

To list the dependent packages of one or more device packages, or all device packages, enter:
NMSROOT\bin\PSUCli.bat -p product -pkgDependents -src dir {-all |PackageNames} (On
Windows)
NMSROOT/bin/PSUCli.sh -p product -pkgDependents -src dir {-all |PackageNames} (On
-p
-pkgDependents (-pdep)List
the base or dependent packages for the specified packages present
in the source location.
-allSelects
Note
case-sensitive.
Example
NMSROOT\bin\PSUCli.bat -p rme -pdep Cat5000

This lists all dependent packages of LMS Cat5000 device package installed.
13-16
OL-25947-01
Chapter 13

Listing Device Packages Version

To list the versions of one or more device packages, or all device packages, enter:
NMSROOT\bin\PSUCli.bat -p product -pkgVersion -src dir {-all |PackageNames} (On
Windows)
NMSROOT/bin/PSUCli.sh -p product -pkgVersion -src dir {-all |PackageNames} (On Solaris/Soft
Appliance)
-p
-pkgVersion (-pver)List
-allSelects
Note
theversions of all or specified packages present in the source location.
case-sensitive.
Example
NMSROOT\bin\PSUCli.bat -p rme -pver Cat5000

This lists the version of the LMS Cat5000 device package installed.

OL-25947-01
13-17
Chapter 13
13-18
OL-25947-01
CH A P T E R
14

The Discrepancies Reporting module of LMS allows you to view the discrepancies and best practices
deviations in your network. This chapter contains the following:
Interpreting Discrepancies
Interpreting Best Practices Deviations

LMS provides reports on discrepancies, such as network inconsistencies and anomalies or
misconfiguration in the discovered network. This makes it easy to identify configuration errors such as
link-speed mismatches on either end of a connection. Discrepancies are computed at the end of each data
collection schedule.
LMS also reports Best Practices Deviations. These are variations from the normal or recommended
practices in a network. These do not have any serious impact on the functioning of the network.
LMS allows you to:
View Reports on Discrepancies. Select Reports > Fault and Event > Best Practices >
Discrepancies.
View Reports on Best Practices Deviations. Select Reports > Fault and Event > Best Practices >
Deviation.
Acknowledge Discrepancies.
Acknowledge Best Practices Deviations.
Resolve Discrepancies and Best Practices Deviations.
Customize Discrepancies Reporting. For details, see Customizing Discrepancies Reporting and
Syslog Generation.

OL-25947-01
14-1
Chapter 14
Fixing Discrepancies and Best Practices Deviations through LMS
The following Discrepancies can be fixed through LMS:
Link Duplex Mismatch
Link Speed Mismatch
Link Trunk/NonTrunk Mismatch
Port Fast Enabled on Trunk Port
The following Best Practices Deviations can be fixed through LMS:
BPDU Filter Disabled on Access Ports
BPDU-Guard Disabled on Access Ports
Loop Guard and Port Fast Enabled on Ports
UDLD Disabled on Link Ports
CDP Enabled on Access Ports
High Availability not Operational
This section contains information on each of the discrepancy reported in LMS. It describes the
discrepancy, the impact it has on the network, and ways to resolve it.
The user interface in LMS displays commands you can use to make configuration changes on devices to
resolve discrepancies.
Trunking Related Discrepancies
VLAN-VTP Related Discrepancies
Link Related Discrepancies
Port Related Discrepancy
Device Related Discrepancy
Spanning Tree Related Discrepancy
Trunking Related Discrepancies

The trunking related discrepancies that LMS reports are:
Trunk Negotiation Across VTP Boundary
Native VLANs Mismatch
Trunk VLANs Mismatch
Trunk VLAN Protocol Mismatch
14-2
OL-25947-01
Chapter 14

Trunk Negotiation Across VTP Boundary

LMS reports a discrepancy when the trunk mode on any end of the trunk link is set to Auto or Desirable.
Dynamic Trunking Protocol (DTP) cannot be used for trunk negotiation across VTP domain boundary.
This occurs when trunk mode on both sides has any of the following combinations:
On/Auto
On/Desirable
Desirable/Auto
Desirable/Desirable
Off/Desirable
Impact
Trunk negotiation across VTP boundary (that is, trunk link connecting two devices that are part of
different VTP domains) fails.
Fix
You cannot fix this discrepancy using LMS.

To fix the discrepancy on switches using Cisco IOS:
Step 1
Make sure that the Trunk mode is ON, on both sides of the link.
Step 2

switchport trunk encapsulation
dot1q | isl
switchport mode trunk

end
Step 3
Enter the following command to check the status:

show interfaces trunk
Or
show interface
mod interface_id trunk
To fix the discrepancy on switches using Catalyst operating system:

Step 1
Make sure that the Trunk mode is ON, on both sides of the link.
Step 2
.Enter the following command:

set trunk
Step 3
mod/port on Dot1Q | ISL
Enter the following command to check the status:

show trunk
mod/port

OL-25947-01
14-3
Chapter 14
Native VLANs Mismatch

LMS reports a discrepancy when the native VLANs of all ports in a trunk do not match.
This mismatch occurs when you have created a trunk port to connect another switch, and both ends are
in different native VLANs.
Note
This discrepancy is applicable only for trunks that use 802.1q encapsulation.
Impact
The native VLAN must match on both sides of the trunk link, otherwise the traffic flow across the link
is affected. The trunk continues to remain operational.
Fix
If you have altered the default native VLAN configuration, ensure that all trunks have the same native
VLAN. Use the set vlan command for Cisco Catalyst operating system switches or the switchport
trunk native vlan command for Cisco IOS switches to specify the native VLAN.
You cannot fix this discrepancy through LMS.
Trunk VLANs Mismatch

LMS reports a discrepancy when the list of active or allowed VLANs between the two ends of a trunk
do not match.
Impact
The trunk remains operational but the network traffic across the link is affected.
Fix
You can resolve this by modifying the list of allowed VLANs between the two ends of a trunk and
ensuring that there is no mismatch. You cannot fix this discrepancy through LMS.
Trunk VLAN Protocol Mismatch

LMS reports a discrepancy when different trunk encapsulations are set on the two ends of a trunk.
For example, when one end of a trunk is configured as ISL and the other as 802.1q, LMS reports a
discrepancy.
ISL and 802.1q are the different encapsulation types that you can configure in a trunk VLAN.
Impact
The trunk remains operational when the trunk mode is set to On or No-negotiate with mismatching
encapsulation types. However, the network traffic across the link is affected because of the mismatch.
Fix
Configure the same encapsulation type on both ends of the trunk. You cannot fix this discrepancy
through LMS.
14-4
OL-25947-01
Chapter 14

VLAN-VTP Related Discrepancies

The VLAN-VTP related discrepancies that LMS reports are:
VTP Disconnected Domain
VTP Disconnected Domain

LMS reports a discrepancy if the devices that are part of the same VTP domain have different VTP
configuration revision numbers. When a switch in the same VTP domain has a higher configuration
revision number compared to the other switches, it could overwrite your server-configured switch with
incorrect information.
Impact
The VLAN information is not dynamically shared across the VTP domain.
Fix
Ensure that you configure VTP Configuration Revision number consistently across devices of the same
VTP domain. You cannot fix this discrepancy through LMS.

LMS reports a discrepancy when there is no VTP Server configured in a VTP domain.
You can configure a switch to operate in any one of these VTP modesServer, Client, Transparent, and
Off. Primary and secondary servers are two types of servers that may exist on an instance in the VTPv3
domain.
A VTP client cannot store VLAN information. When a VTP client boots, it needs to reacquire the entire
configuration that is propagated by VTP.
The primary server can initiate or change the VTP configuration. The main purpose of a VTP secondary
server is to back up the configuration that is propagated over the network.
Impact
LMS reports a discrepancy when an existing VTP server or primary server goes down and there is no
alternative or backup server.
This can occur in a VTPv2 or VTPv3 domain that has only client mode devices. This could happen when
the existing primary server or server mode device has gone down temporarily and if the server mode
device does not come up.
If you do not configure at least one server, the devices become unreachable. LMS discovers only the
client-mode devices in the domain and ignores the rest.
Fix
Configure at least one device as server in a VTP domain. If the device you have configured as server is
temporarily down, configure another device as server. You cannot fix this discrepancy through LMS.
For more information on VTP domain, see the document Configuring VTP at the following location:
http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notices_list.html

OL-25947-01
14-5
Chapter 14
Link Related Discrepancies

The link related discrepancies that LMS reports are:
Link Speed Mismatch

LMS reports a discrepancy when there is a duplex mismatch between links.
Duplex mismatch on 10/100Mb Ethernet links occurs when one port on the link is operating at
half-duplex while the other port is operating at full-duplex.
This happens when one or both ports on a link are reset and the auto-negotiation process does not cause
both partners to have the same configuration. It also happens when you reconfigure one side of a link
and do not reconfigure the other side.
Impact
Half-duplex device waits until no other devices are transmitting on the same LAN segment. However a
full-duplex device transmits whenever it has something to send, regardless of other devices.
If this transmission occurs while the half-duplex device is transmitting, the half-duplex device will
consider this either a collision (during the slot time), or a late collision (after the slot time). Since the
full-duplex side does not expect collisions, it does not realize that it must retransmit that dropped packet.
A low percentage rate of collisions are normal with half-duplex, but not with full-duplex. If the switch
port receives many late collisions, it usually indicates a duplex mismatch problem. See Figure 14-1.
Figure 14-1
Duplex Mismatch
A (root)
Half-Duplex
Half-Duplex: Still
runs carrier sense
and collision
detection
Does not do
carrier sense
Collision
A
Full-Duplex
BPDU lost
to be retransmitted
130876
Fix
LMS provides commands to resolve link duplex mismatch. LMS displays commands to set the port
speed to Auto. Setting the port speed to Auto will automatically make the link duplex to be negotiated
between devices.
14-6
OL-25947-01
Chapter 14

Step 1
Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
duplex auto
end
where auto enables the autonegotiation capability.

Step 2
Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.

OL-25947-01
14-7
Chapter 14
To fix the discrepancy on switches using Catalyst operating system:

Step 1
command:
set port speed
mod/port auto
where:
mod/port refers to the number of the module and the port on the module
auto
specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet
ports
Step 2
Click Fix.
Link Speed Mismatch

LMS reports a discrepancy when there is a mismatch in the link speeds, that is, different link speeds on
either side of a link (for 10/100 ports or for any group of links).
The IEEE 802.3u autonegotiation protocol manages the switch settings for speed (10 Mbps or 100 Mbps)
and duplex (half or full). There are situations when this protocol can incorrectly align these settings,
reducing performance. A mismatch occurs under these circumstances:
A manually-set speed or duplex parameter is different from the manually set speed or duplex
parameter on the connected port.
A port is in Autonegotiate mode and the connected port is set to full duplex with no autonegotiation.
Impact
Link speed mismatch results in reduced performance of the link.

Fix
LMS displays commands to resolve link speed mismatch.

Step 1
command:
speed auto
end
where auto enables the autonegotiation capability.

Step 2
Click Fix.
14-8
OL-25947-01
Chapter 14

To fix the discrepancy on switches using the Catalyst operating system:

Step 1
command:
set port speed
mod/port auto
where:
mod/port refers to the number of the module and the port on the module
auto
specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet
ports
Step 2
Click Fix.

LMS reports a discrepancy when there are trunking ports and non-trunking ports on either side of a link.
This happens when one end of the trunk is set to On, and the other end is set to Off.
Impact
This results in the trunk not coming up, and there would be no traffic flow across the link.
Fix
LMS resolves the discrepancy by setting the trunk modes on the switches to Desirable mode.
Step 1
command:
set trunk
mod/port desirable
where:
Step 2
causes the port to negotiate actively with the neighboring port to become a trunk link
desirable
mod/port specifies the number of the module and the port or ports on the module
Click Fix.

OL-25947-01
14-9
Chapter 14

Step 1
command:
switchport mode dynamic desirable
end
where dynamic desirable specifies an interface that actively attempts to convert the link to a trunk link.
Step 2
Click Fix.
Port Related Discrepancy

The port related discrepancy that LMS reports is Port is in Error Disabled State. See Port is in Error
Disabled State
Port is in Error Disabled State

LMS reports a discrepancy when one or more of the switch ports in the discovered network have a status
of errDisable.
Causes of errDisable
A port enters errdisable state for any of the following reasons:
Channel misconfiguration
Duplex mismatch
BPDU port-guard
UDLD
Impact
When a port is error-disabled, it is effectively shut down and no traffic is sent or received on that port.
The port LED is set to the color orange and when you enter the show port command, the port status
shows errdisable.
Fix
To recover from errDisable:

Step 1
Identify and fix whatever caused the ports to become error-disabled (cable, NICs, EtherChannel, and so
on).
Step 2
Re-enable the port.
14-10
OL-25947-01
Chapter 14

You cannot fix this discrepancy through LMS.

For more information on the errDisable state, see the document Recovering From errDisable Port State
on the CatOS Platforms at the following location:
http://www.cisco.com/en/US/tech/tk389/tk214/technologies_tech_note09186a0080093dcb.html
Device Related Discrepancy

The device related discrepancy that LMS reports is Devices With Duplicate Sysname. See Devices With
Duplicate SysName, page 14-11
Devices With Duplicate SysName

LMS reports a discrepancy when it discovers two devices with the same SysName. LMS stores the
device details of only one of the two devices.
Impact
LMS manages only one of these devices.

Fix
Assign unique SysName for all devices in the network. You cannot fix this discrepancy through LMS.
Spanning Tree Related Discrepancy

The spanning tree related discrepancy that LMS reports is PortFast Enabled on Trunk Port. See Port Fast
Enabled on Trunk Port
Port Fast Enabled on Trunk Port

LMS reports a discrepancy when PortFast is enabled on trunk ports.
PortFast causes a spanning tree port to immediately enter the forwarding state, bypassing the listening
and learning states.
You must disable STP PortFast for switch-switch links. This is because, if you enable PortFast on a port
that is connected to another Layer 2 device, such as a switch, you might create network loops.
Impact
If you enable PortFast on ports that connect two switches, spanning tree loops can occur if Bridge
Protocol Data Units (BPDUs) are being transmitted and received on those ports.

OL-25947-01
14-11
Chapter 14
Fix
LMS provides commands for disabling PortFast on ports.

Step 1
command:
set spantree portfast mod/port disable
where disable disables the spanning tree PortFast-start feature on the port.
Step 2
Click Fix.

Step 1
command:
no spanning-tree portfast
end
This command disables PortFast on the given port.

Step 2
Click Fix.

This section contains information on each of the Best Practice Deviation reported in LMS. It gives a
description of the Best Practice Deviation, the impact (if any) it has on the network, and ways to resolve
it.
The user interface in LMS displays commands to make configuration changes on devices, to resolve
some Best Practices deviations.
Channel Ports Related Best Practices Deviations
Spanning Tree Related Best Practices Deviations
Trunk Ports Related Best Practices Deviations
VLAN Related Best Practices Deviations
Link Ports Related Best Practice Deviation
Access Ports Related Best Practice Deviation
14-12
OL-25947-01
Chapter 14

Channel Ports Related Best Practices Deviations

The channel ports related best practices deviations that LMS reports are:
Non-channel Port in Desirable Mode
Channel Port in Auto Mode
Non-channel Port in Desirable Mode

LMS reports a Best Practice Deviation when a non-channel port is in the Desirable mode.
There are four user-configurable channel modes:
On
Off
Auto
Desirable
Port Aggregation Protocol (PAgP) packets are exchanged only between ports in Auto and Desirable
modes. Ports configured in on or off mode do not exchange PAgP packets.
To form EtherChannel between, it is best to have both switches set to the Desirable mode. This gives the
most robust behavior if one side or the other encounters error situations or is reset. The default mode of
the channel is Auto.
Both Auto and Desirable modes allow ports to negotiate with connected ports to determine whether they
can form a channel. The determination is based on criteria such as port speed, trunking state, and native
VLAN.
Ports can form an EtherChannel when they are in different channel modes if the modes are compatible.
Examples of ports that can form an EtherChannel are:
A port in desirable mode can successfully form an EtherChannel with another port that is in
Desirable or Auto mode.
A port in the Auto mode can form an EtherChannel with another port in the Desirable mode.
A port in the Auto mode cannot form an EtherChannel with another port that is also in the Auto
mode, since neither port initiates negotiation.
A port in the On mode can form a channel only with a port in the On mode because ports in On mode
do not exchange PAgP packets.
A port in Off mode cannot form a channel with any port.
Impact
When a non-channel port is in the Desirable mode, the links will not be efficiently used.

OL-25947-01
14-13
Chapter 14
Fix
To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1
Go to the Best Practice Deviation report and click the hyperlink in the Summary field.
The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
set port channel mod/port mode auto
Step 2
Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
To fix the Best Practice Deviation on switches using Cisco IOS:

Step 1
Go to the Best Practice Deviation report and click the hyperlink in the Summary field.
The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
channel-group Channel group number mode auto
Step 2
Click Fix.
Channel Port in Auto Mode

LMS reports a Best Practice Deviation when a channel port is in Auto mode.
There are four user-configurable channel modes:
On
Off
Auto
Desirable
Port Aggregation Protocol (PAgP) packets are exchanged only between ports in Auto and Desirable
mode. Ports configured in On or Off mode do not exchange PAgP packets.
For switches to which you want to form an EtherChannel, it is best to have both switches set to Desirable
mode. This gives the most robust behavior if one of the sides encounters error situations or is reset. The
default mode of the channel is Auto.
Both Auto and Desirable modes allow ports to negotiate with connected ports to determine if they can
form a channel. The determination is based on criteria such as port speed, trunking state, and native
VLAN.
Ports can form an EtherChannel when they are in different channel modes if the modes are compatible.
Examples of ports that can form an EtherChannel are:
A port in Desirable mode can successfully form an EtherChannel with another port that is in
Desirable or Auto mode.
A port in Auto mode can form an EtherChannel with another port in Desirable mode.
14-14
OL-25947-01
Chapter 14

A port in Auto mode cannot form an EtherChannel with another port that is also in Auto mode, since
neither port initiates negotiation.
A port in On mode can form a channel only with another port also in On mode, because ports in this
mode do not exchange PAgP packets.
A port in Off mode cannot form a channel with any port.
Impact
Channel port set to Auto mode is considered a Best Practice Deviation because it is not the recommended
configuration. Cisco recommends that you set the channel port to Desirable mode. There is no serious
impact on the network.
Fix
To fix the Best Practise Deviation on switches using the Catalyst operating system:
Step 1
Go to the Best Practise Deviation report and click the hyperlink in the Summary field.
The Best Practise Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
set port channel
mod/port mode desirable
which sets the port to desirable mode.

Step 2
Click Fix.
A message appears indicating whether the Best Practise Deviation was successfully fixed or not.
To fix the Best Practise Deviation on switches using Cisco IOS:

Step 1
Go to the Best Practise Deviation report and click the hyperlink in the Summary field.
The Best Practise Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
channel-group Channel group number mode desirable
which sets the port to desirable mode.

Step 2
Click Fix.
A message appears indicating whether the Best Practise Deviation was successfully fixed or not.
Spanning Tree Related Best Practices Deviations

The spanning tree related best practices deviations that LMS reports are:
BackboneFast Disabled in Switch
UplinkFast not Enabled

OL-25947-01
14-15
Chapter 14

LMS reports a Best Practice Deviation when BPDU Filter is not enabled on access ports.
Impact
BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to
an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding
state immediately, instead of going through the listening, learning, and forwarding states.
By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled.
BDPUFilter can be enabled for each port or globally. When you enable BPDUFilter globally, it applies
to all PortFast-enabled ports on the switch.
When you disable PortFast on a port, the BPDU Filter that was globally enabled on the PortFast enabled
port is also disabled.
Fix
LMS provides commands for enabling BPDU Filter on access ports.

Step 1
Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
set spantree bpdu-filter
mod/port enable
where:
Step 2
mod/port specifies the number of the module and the port on the module
enable
enables BPDU packet filtering
Click Fix.

Step 1
following command:
spanning-tree bpdufilter enable
end
where enable enables BPDU Filtering on the particular interface.

Step 2
Click Fix.
14-16
OL-25947-01
Chapter 14


LMS reports a Best Practice Deviation if PortFast is enabled and BPDU-Guard is not enabled on a port.
BPDU-Guard prevents spanning-tree loops by moving a port into the errdisable state when a BPDU is
received on that port. When you enable BPDU-Guard on the switch, spanning tree shuts down the
interfaces that receive BPDUs instead of putting the interfaces into the spanning-tree blocking state.
Impact
Cisco recommends that you enable BPDUGuard to block incoming BPDUs on edge devices (end-hosts).
The Cisco BPDUGuard feature, when enabled, informs the switch to disable PortFast ports if a BPDU
is received on those ports.
BDPUGuard can be enabled on each port or globally. When you enable BPDUGuard globally, it applies
to all PortFast-enabled ports on the switch.
Fix
LMS displays commands for enabling BPDU Filter on access ports.

Step 1
following command:
set spantree bpdu-guard
mod/port enable
where:
Step 2
mod/port specifies the number of the module and the port on the module
enable
enables BPDUGuard
Click Fix.

Step 1
following command:
spanning-tree bpduguard enable
end
where enable enables BPDUGuard on the particular interface.

Step 2
Click Fix.

OL-25947-01
14-17
Chapter 14
BackboneFast Disabled in Switch

LMS reports a Best Practice Deviation when BackboneFast is enabled on one of the switches and not
enabled on all other switches in a switch cloud.
Cisco recommends that BackboneFast be enabled on all switches running STP. It can be added without
disruption to a production network.
Impact
If you do not enable BackboneFast on all devices, it might lead to undesirable effects on the spanning
tree operation.
BackboneFast provides rapid convergence from indirect link failures. By adding functionality to STP,
you can reduce convergence times from the default of 50 seconds to 30 seconds.
Figure 14-2 shows an example topology with no link failures. Switch A, the root switch, connects
directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that connects
directly to Switch B is in the blocking state.
Figure 14-2
BackboneFast Example Before Indirect Link Failure
Switch A
Switch(Root)
A
Switch B
L1
(Root)
Switch B
L1
L2
L3
Blocked port
Switch C
Switch C
11241
L3
Blocked port
11241
L2
If link L1 fails, Switch C detects this failure as an indirect failure, because it is not connected directly
to link L1.
Switch B no longer has a path to the root switch. BackboneFast allows the blocked port on Switch C to
move immediately to the listening state without waiting for the maximum aging time for the port to
expire.
BackboneFast then transitions the port on Switch C to the forwarding state, providing a path from Switch
B to Switch A.
This switchover takes approximately 30 seconds. Figure 14-3 shows how BackboneFast reconfigures the
topology to account for the failure of link L1.
14-18
OL-25947-01
Chapter 14

Figure 14-3
BackboneFast Example After Indirect Link Failure
Switch A
(Root)
Switch B
L1
Link failure
L3
BackboneFast transitions port
through listening and learning
states to forwarding state
Switch C
11244
L2
Fix
Enable BackboneFast on all switches in a switch cloud.

To enable BackboneFast Globally on a Catalyst operating system:
Step 1
Enter the command:

set spantree backbonefast enable
Step 2
Enter this command to check the status:

show spantree backbonefast
To enable BackboneFast Globally on Cisco IOS:

Step 1
Enter the command:

spanning-tree backbonefast
Step 2

show spanning-tree backbonefast
You cannot fix this Best Practice Deviation through LMS.

For more information on Spanning Tree related configuration, see the document Configuring Spanning
Tree PortFast, UplinkFast, and BackboneFast at the following location:

OL-25947-01
14-19
Chapter 14
UplinkFast not Enabled

LMS reports a Best Practice Deviation when UplinkFast is not enabled on switches.
Note
This Best Practice Deviation is not applicable if the device is not an access layer switch.
Cisco recommends that you enable UplinkFast for switches with blocked ports, typically at the access
layer. Do not use on switches without the implied topology knowledge of a backup root linktypically,
distribution and core switches in Cisco's multilayer design. It can be added without disruption to a
production network.
Impact
UplinkFast provides fast STP convergence after a direct link failure in the network access layer. It
operates without modifying STP, and its purpose is to speed up convergence time in a specific
circumstance to less than three seconds, rather than the typical 30-second delay.
Figure 14-4 shows an example topology with no link failures. Switch A, the root switch, is connected
directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that is connected
directly to Switch B is in the blocking state.
Figure 14-4
UplinkFast Example Before Direct Link Failure
Switch A
(Root)
Switch B
L1
L2
L3
Switch C
11241
Blocked port
If Switch C detects a link failure on the currently active link L2 (a direct link failure), UplinkFast
unblocks the blocked port on Switch C and transitions it to the forwarding state without going through
the listening and learning states, as shown in Figure 14-5. This switchover takes approximately 1 to 5
seconds.
14-20
OL-25947-01
Chapter 14

Figure 14-5
UplinkFast Example After Direct Link Failure
Switch A
(Root)
Switch B
L1
L2
L3
Link failure
Switch C
11242
UplinkFast transitions port

directly to forwarding state
Fix
Enable UplinkFast on all access layer switches.

To enable Uplink Fast on Catalyst operating system:
Step 1
Enter the command:

set spantree uplinkfast enable
Step 2

show spantree uplinkfast
To enable Uplink Fast on Cisco IOS:

Step 1
Enter the command:

spanning-tree uplinkfast
Step 2

show spanning-tree uplinkfast

For more information on Spanning Tree related configuration, see the document Configuring Spanning
Tree PortFast, UplinkFast, and BackboneFast at the following location:

OL-25947-01
14-21
Chapter 14

Loop Guard
Assume that a switch port is receiving BPDUs, and is in the blocking state. The port makes up a
redundant path. It is blocking because it is neither a Root Port nor a Designated Port. If, the flow of
BPDUs stops, the last known BPDU is retained until the Max Age timer expires.
When the Max Age timer expires, that BPDU is flushed, and the switch thinks there is no longer a need
to block the port. The port moves through the STP states until it begins to forward traffic. The switch
then forms a bridging loop. In its final state, the port becomes a Designated Port.
To prevent this situation, you can use the loop guard STP feature. When you enable this feature, loop
guard keeps track of the BPDU activity on nondesignated ports. While BPDUs are received, the port is
allowed to behave normally.
When BPDUs are missing, loop guard moves the port into the loop-inconsistent state. The port is
effectively blocking at this point to prevent a loop from forming and to keep it in the nondesignated role.
After BPDUs are received on the port again, loop guard allows the port to move through the normal STP
states and become active. In this way, Loop Guard automatically governs ports without the need for
manual intervention.
STP PortFast
STP configures meshed topology into a loop-free, tree-like topology. When the link on a bridge port goes
up, STP calculation occurs on that port. The result of the calculation is the transition of the port into
forwarding or blocking state. The result depends on the position of the port in the network and the STP
parameters.
This calculation and transition period usually takes about 30 to 50 seconds. At that time, no user data
passes through the port. Owing to this, some user applications can time out during the period.
To allow immediate transition of the port into forwarding state, enable the STP PortFast feature. PortFast
immediately transitions the port into STP forwarding mode upon linkup. This way the port still
participates in STP. So if the port is to be a part of the loop, the port eventually transitions into the STP
blocking mode.
Impact
Enabling both the above features in a port, gives unpredictable results. Hence LMS flags it as a Best
Practice Deviation.
Fix
If you fix the above Best Practice Deviation through LMS, it disables the Port Fast feature in the port.
To fix the Best Practice Deviation on switches using the Catalyst operating system:
Step 1
following command:
set spantree portfast disable
Step 2
Click Fix.
14-22
OL-25947-01
Chapter 14


Step 1
Select Reports > Fault and Event.
Step 2
Select Best Practices Deviation Report from the TOC.
Step 3
Click the hyperlink in the Summary field.

following command:
spanning-tree portfast disable
Step 4
Click Fix.
Trunk Ports Related Best Practices Deviations

The trunk ports related best practices deviations that LMS reports are as follows:
Non-trunk Ports in Desirable Mode
Trunk Ports in Auto Mode
Non-trunk Ports in Desirable Mode

LMS reports a Best Practice Deviation when non-trunk ports are set to Desirable mode.
Impact
Cisco recommends that you set trunk to Off on all non-trunk ports. This helps eliminate wasted
negotiation time when bringing host ports up. If a non-trunk port is set to Desirable, it attempts to
become a trunk port if the neighboring port is in Desirable or Auto mode, although that is not the
intended behavior.
Fix
To fix the Best Practice Deviation, set the trunk mode to Off on all non-trunk ports.
To fix it through LMS, on switches using the Catalyst operating system:
Step 1
Step 2
Step 3

following command:
set port host mod/port
Step 4
Click Fix.

OL-25947-01
14-23
Chapter 14
To fix it through LMS, on switches using Cisco IOS:

Step 1
Step 2
Step 3

following command:
switchport mode access
Step 4
Click Fix.
Table 14-1 lists all possible combinations of trunk mode configurations and when LMS reports a Best
Practice Deviation.
Table 14-1
Trunking Configuration 1
Modes
On
Auto
Desirable
Nonegotiate
Off
On
None.
Reports
Best
Practice
Deviation.
None.
None.
(Trunking)
(Trunking)
Reports Best Practice

Deviation.
(Trunking)
(Not Trunking)
(Trunking)
Auto
Desirable
Reports Best None.

Practice
(Not
Deviation.
Trunking)
(Trunking)
Reports Best
Practice
Deviation.
Reports Best
Practice
Deviation.
(Trunking)
(Not Trunking)
None.
None.
Reports Best
Practice
Deviation.
(Trunking)
Reports
Best
Practice
Deviation.
(Trunking)
None.
(Not Trunking)

Deviation.
(Not Trunking)
(Not Trunking)
(Trunking)
Nonegotiate
None.
(Trunking)
Reports
Best
Practice
Deviation.
Reports Best
Practice
Deviation.
None.
(Trunking)

Deviation.
(Not Trunking)
(Not Trunking)
(Not
Trunking)
Off
Reports Best None.

Practice
(Not
Deviation.
Trunking)
(Not
Trunking)
Reports Best
Practice
Deviation.
Reports Best
Practice
Deviation.
(Not Trunking)
(Not Trunking)
None.
(Not Trunking)
1. Information in brackets indicate the trunking state of the interface.
14-24
OL-25947-01
Chapter 14

Trunk Ports in Auto Mode

LMS reports a Best Practice Deviation when trunk ports are set to Auto mode.
Impact
Cisco recommends an explicit trunk configuration of Desirable at both ends. Auto mode indicates a static
property and the port will not initiate the trunking link, if the neighbor does not initiate it. See Table 14-1
for different trunk mode combinations.
Fix
To fix the Best Practice Deviation on switches using the Catalyst operating system:
Step 1
Step 2
Step 3

following command:
set trunk mod/port desirable
Step 4
Click Fix.

Step 1
Step 2
Step 3

following command:
switchport mode dynamic desirable
Step 4
Click Fix.
VLAN Related Best Practices Deviations

The VLAN related best practices deviations that LMS reports are as follows:
VLAN Index Conflict
VLAN Name Conflict

OL-25947-01
14-25
Chapter 14
VLAN Index Conflict

LMS reports a Best Practice Deviation when there is a conflict in the VLAN Index. A VLAN Index
conflict occurs in case of a VTP domain which has Server mode and Transparent or Off mode devices,
where a same VLAN index has different VLAN name in transparent and server mode devices in the
domain.
Impact
There is no serious impact on the network connectivity. It is considered as a Best Practice Deviation
because LMS cannot manage a VTP domain where the same VLAN index has different VLAN names
in transparent and server mode devices.
Fix
Assign the same name for a VLAN Index in both the transparent and server modes of the VTP domain.
VLAN Name Conflict

LMS reports a Best Practice Deviation when there is a conflict in the VLAN Name. A VLAN Name
conflict occurs in case of a VTP domain which has Server mode and Transparent or Off mode devices,
where a VLAN part of the transparent mode device in the domain has the same name as VLAN part of
the server mode device in the domain.
Impact
There is no serious impact on the network connectivity. It is considered as a Best Practice Deviation
because LMS cannot manage a VTP domain with devices where a VLAN part of the transparent mode
device in the domain has the same name as VLAN part of the server mode device in the domain.
Fix
Resolve the conflict by assigning different names for the VLAN part of the transparent mode and the
server mode devices. You cannot fix this Best Practice Deviation through LMS.
Link Ports Related Best Practice Deviation

The link port related Best Practice Deviation that LMS reports is UDLD Disabled on Link Ports. See
14-26
OL-25947-01
Chapter 14


LMS reports a Best Practice Deviation if UniDirectional Link Detection (UDLD) is disabled on link
ports.
Impact
If you disable UDLD, it could result in Spanning Tree loops.

Unidirectional links are often caused by a failure not detected on a fiber link, or by a problem with a
transceiver.
Unidirectional Links
B
Blocking
BPDU lost this way
X
B unblocks its port and can forward
traffic this way......
130877
Figure 14-6
In Figure 14-6, suppose the link between A and B is unidirectional and drops traffic from A to B while
transmitting traffic from B to A. Suppose that B should be blocking. It has previously been stated that a
port can only block if it receives BPDUs from a bridge that has a higher priority. In this case, all these
BPDUs coming from A are lost and bridge B eventually forwards traffic, creating a loop.
To detect the unidirectional links before the forwarding loop is created, Cisco designed and implemented
the UniDirectional Link Detection (UDLD) protocol. This feature is able to detect improper cabling or
unidirectional links on Layer 2 and automatically break resulting loops by disabling some ports.
For maximum protection against symptoms resulting from uni-directional links, we recommend that you
enable aggressive mode UDLD on point-to-point links between Cisco switches, where you have set the
message interval to the default 15 seconds.
Fix
LMS provides commands to enable UDLD on link ports.

Step 1
following command:
set udld enable mod/port
where enable enables the UDLD information display.

Step 2
Click Fix.

OL-25947-01
14-27
Chapter 14

Step 1
Step 2
Step 3

The Best Practice Deviation Details dialog box appears. The Recommended Fix displays the following
command:
udld port
end
This command enables UDLD in normal mode by default on all interfaces.

Step 4
Click Fix.
Access Ports Related Best Practice Deviation

The access ports related Best Practice Deviation that LMS reports is CDP Enabled on Access Ports. See

LMS reports a Best Practice Deviation when Cisco Discovery Protocol (CDP) is enabled on the access
port of a switch.
CDP is enabled by default and is essential to gain visibility of adjacent devices and for troubleshooting.
It is also used by network management applications to build Layer 2 topology maps.
Impact
In parts of the network where a high level of security is required (such as Internet-facing de-militarized
zones), you should turn off CDP.
14-28
OL-25947-01
Chapter 14

Fix
LMS provides commands to disable CDP on switches.

To fix the Best Practice Deviation on switches running Catalyst operating system:
Step 1
Step 2
Step 3

following command:
set cdp disable mod/port
Step 4
Click Fix.
To fix the Best Practice Deviation on switches running Cisco IOS:

Step 1
Step 2
Step 3

following command:
no cdp enable
Step 4
Click Fix.

The Cisco Catalyst 6000 devices related Best Practice Deviation that LMS reports is High Availability
not Operational. See High Availability not Operational
High Availability not Operational

Enabling High Availability on switches is applicable only for Cisco Catalyst 6000 devices. LMS reports
a Best Practice Deviation when there are two supervisor engines in Cisco Catalyst 6000 devices and
High Availability is not enabled.
Impact
High Availability:
Is a critical requirement for most networks. Switch downtime must be minimal to ensure maximum
productivity in a network.
Allows you to minimize the switch-over time from active supervisor engine to the standby
supervisor engine, if the active supervisor engine fails.

OL-25947-01
14-29
Chapter 14
Allows the active supervisor engine to communicate with the standby supervisor engine, keeping
feature protocol states synchronized.
Provides a versioning option that allows you to run different software images on the active and
standby supervisor engines.
You can enable High Availability using Command Line Interface (CLI).
Fix
As a general practice with redundant supervisors, we recommend that you enable High Availability
feature for normal operation.
LMS provides commands for enabling High Availability.
Step 1
following command:
set system highavailability enable
Step 2
Click Fix.
For more information on Supervisor engines and High Availability, see the document Configuring
Redundancy at the following location:

You can customize the Discrepancies Report and Best Practices Deviations Report to display only those
discrepancies and Best Practice Deviations about which you want to be notified.
To customize the reports:
Step 1
Select Admin > Network > Best Practices Deviation Settings.

The discrepancies page appears. You can view the list of Network discrepancies, and Discrepancies
configured to send Syslog messages by clicking the corresponding View Details link.
Step 2
Click Configure.
The Configuring Discrepancies dialog box appears.
To include a Discrepancy or Best Practice Deviation in the Reports, check the check box next to it.
Checking all the check boxes results in a report displaying all discrepancies and Best Practice
Deviations in the network.
To exclude a Discrepancy or Best Practice Deviation from the Reports, uncheck the corresponding
check box.
14-30
OL-25947-01
Chapter 14

Step 3
Generate Syslog messages for the selected Discrepancies and Best Practice Deviations. To do this, check
Configure Syslog and click Next.
A list of the selected Discrepancies and Best Practice Deviations appears.
Step 4
Check Send Syslogs and enter the name of the server in the Syslog Server field.
Step 5
Select the Discrepancies and Best Practice Deviations for which you want to generate Syslog messages
and click Next.
A summary of the selected Discrepancies and Best Practice Deviations appears.
Step 6
Click Finish.
You can use the filters to display discrepancy reports for specific devices, link or network types. This
makes it easy to find a particular discrepancy for a particular type.
You can use more than one filter at the same time, but results will vary.
If you select more than one filter in the same top-level category, Boolean OR is used.
For example, if you select Duplex, Speed under Link, any link or port that fulfils at least one filter
criteria will be displayed in the report.
If you select more than one filter from different top-level categories, Boolean AND is used.
For example, if you select both a Link type and a Port type filter from the discrepancy filter, any
link that fulfils both filter criteria will appear in the report.

OL-25947-01
14-31
Chapter 14
14-32
OL-25947-01
CH A P T E R
15
Report Setting
Describes how to configure some settings for generating reports and set a report publish location.
This section contains the following sections:

You can specify the intervals at which old reports and jobs are to be purged, using the Purge Policy
option. You can save the Purge Policy, so that the older jobs and archives are purged at the specified
interval.
To specify the Purge Policy:
Step 1
Select Admin > Network > Purge Settings > User Tracking Report Purge Policy.
The Report Settings dialog box appears.
Step 2
Check the relevant check box:
Purge Archives Older than
Purge Jobs Older than
You must specify in days, or weeks, or months the period for which you want to retain the report archives
or jobs.
Step 3
Click Save.

OL-25947-01
15-1
Chapter 15
Report Setting

You can specify the way in which domain names are to be displayed in User Tracking Reports, using the
Domain Name Display option.
To specify the Domain Name display:
Step 1
Select Admin > Network > Display Settings > Domain Name Display.
The Domain Name Display window appears.
Step 2
Select the format for displaying the domain names in User Tracking Reports. You can:
Show full domain name suffix
Hide full domain name suffix
Hide specified domain name suffix

If you want to hide the specified domain name suffix, enter the domain name suffix in the field.
Step 3
Click Save.

Cisco Prime LMS allows you to publish the PDF, HTML and CSV format of all the reports to a directory
location of your choice. This is done by setting a default directory path.
Note
Ensure that the casuser is assigned the required write permission to publish the PDF format of the report
to the directory path.
To set a report publish location:
Step 1
Select Reports > Report Settings > Report Publish Path.
Step 2
Select Report Location.

The Default Report Publish Location page appears, displaying Default Location Settings dialog box.
Table 15-1 describes the field in the Default Location Settings dialog box.
Table 15-1
Default Location Settings Fields
Field/Button
Description
Report Location
Directory path where the PDF format of the reports are published.
Use the Browse button to select a directory path.
The Server Side File Browser dialog box is launched. You can select the
directory path in this dialog box.
Step 3
Click Browse.
15-2
OL-25947-01
Chapter 15
Report Setting
Step 4
Select the directory path from the Server Side File Browser dialog box.
Step 5
Click OK.
The directory path is displayed in the Report Location field.
Step 6
Click Apply to save the default directory path settings or Cancel to reset the directory path.

OL-25947-01
15-3
Chapter 15
Report Setting
15-4
OL-25947-01
CH A P T E R
16
Purge Settings
Describes how to configure the purge settings of all modules in LMS.
This section contains the following sections:
Syslog Administrative Tasks
Setting the Syslog Purge Policy

You can purge Layer2 services jobs or report archives in LMS. By default, purging is disabled.
To enable the purge option for Layer2 services report jobs and archives:
Step 1
Select Admin > Network > Purge Settings > Layer2 Services Purge Settings.
The Network Reports Purge Settings dialog box appears. Under Report Settings, you can specify the
Purge Policy for archives or jobs here.
Step 2
Check the Purge Archives Older Than check box to specify the periodicity at which to purge archives.
For instance, if you select 44 days, LMS purges archives that are older than 44 days.
Step 3
Check the Purge Jobs Older Than check box to specify the periodicity at which to purge jobs.
For instance, if you select 2 weeks, LMS purges jobs that are older than 2 weeks.
Step 4
Click Save.

OL-25947-01
16-1
Chapter 16
Purge Settings

You can purge VRF Management jobs or report archives in LMS. By default, purging is disabled.
To enable the purge option for VRF Management report jobs and archives:
Step 1
Select Admin > Network > Purge Settings > VRF Lite Purge Settings.
The Purge Settings dialog box appears.
Step 2
Specify the Purge Policy for archives or jobs.
Step 3
Check the Purge Archives Older Than to specify the periodicity at which to purge archives.
For instance, if you select 44 days, VRF Management purges archives that are older than 44 days.
Step 4
Check the Purge Jobs Older Than to specify the periodicity at which to purge jobs.
For instance, if you select 2 weeks, VRF Management purges jobs that are older than two weeks.
Step 5
Click Save.

You can specify when to purge archived configurations. Purging archives frees disk space and keeps your
archive at a manageable size.
By default, the purging jobs are disabled.
You can purge configurations based on two criteria:
Number of versions to retain. Maximum number of versions of each configuration to be retained.

The oldest configuration is purged when the maximum number is reached. For example, if you set
the maximum versions to retain to 10, when the eleventh version of a configuration is archived, the
earliest (first version) is purged to retain total number of latest archived versions at 10.
Age. Configurations older than the number of days that you specify are purged.
The Labeled configuration files are not purged even if they satisfy either of the purge conditions
(Maximum versions to retain and Purge versions older than options in the Archive Purge Settings
window) unless you enable the Purge labeled files option in the Archive Purge Settings window.
The labeled files are purged only if they satisfy the conditions given in the Maximum versions to
retain and Purge versions older than options.
Archive Management will not purge the configuration files, if there are only two versions of these files
in the archive.
Archived configurations that match the purge criteria that you set are purged from the system. This purge
policy applies to Running configuration only.
Caution
Ensure that the configuration change detection schedule does not conflict with purging, since both
processes are database-intensive. Also backup your system frequently to prevent losing versions.
16-2
OL-25947-01
Chapter 16
Purge Settings
Note
The workflow to define the Configuration Archive purge policy is:
Step 1
Select Admin > Network > Purge Settings > Config Archive Purge Settings.
The Archive Purge Setup dialog box appears.
Step 2
Select Enable.
Step 3
Click Change to schedule a Purge job.

The Config Purge Job Schedule dialog box appears.
Step 4
Field

Description
Scheduling
Run Type
You can specify when you want to purge the configuration archive files.
MonthlyRuns monthly on the specified day of the month and at the specified time.
completed.
If the 10.00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, the next job
will start only at 10:00 a.m. on November 3.
Date
You can select the date and time (hours and minutes) to schedule the job.
Job Information
Job Description
The system default job description, Default archive purge job is displayed.
E-mail
(Admin > System > System Preferences)). When the job starts or completes, an e-mail is sent from
the E-mail ID.

OL-25947-01
16-3
Chapter 16
Purge Settings
Step 5
Specify when to purge configuration files from the archive by selecting one or all of the following purge
policies:
Click Maximum versions to retain and enter the number of configurations to be retained.
Click Purge versions older than and enter the number of days, weeks, or months.
Click Purge labeled files to delete the labeled configuration files.

The Purge labeled files option must be used either with the Maximum versions to retain or Purge
versions older than options. You cannot use this option without enabling either Maximum versions
to retain or Purge versions older than options.
The labeled files are purged only if they satisfy the conditions given in the Maximum versions to
retain and Purge versions older than options.
The Labeled configuration files are not deleted even if they satisfy either of the purge conditions
(Maximum versions to retain and Purge versions older than) unless you enable the Purge labeled
files option.
These purge policies are applied sequentially. That is, if you have enabled all the three purge
policies, LMS applies the Purge policies in this sequence:
a.
Maximum versions to retain
b.
Purge versions older than
c.
Purge labeled files
Archive Management does not purge the configuration files, if there are only two versions of these files
in the archive.
Step 6
Click Apply.
Step 7
Click OK.
You can check the status of your scheduled job by selecting Admin > Jobs > Browser.

You can perform the following Administrative tasks:
Note
Back up Syslog messages (see Setting the Syslog Backup Policy).
Purge Syslog messages (see Setting the Syslog Purge Policy).
Perform a Forced Purge (see Performing a Syslog Forced Purge).
16-4
OL-25947-01
Chapter 16
Purge Settings
Setting the Syslog Backup Policy

The Backup Configuration feature allows you to save the Syslog messages to a flat file. The syslog data
that is trimmed from the database will be moved to the flat file.
In Solaris/Soft Appliance, the backup file is created with -rw-r----- casuser casusers
irrespective of the permissions given to the directory for backup on purge.
In Windows, the backup file inherits the permission and ownership of the directory it is created in,
which is the directory selected as the backup location (on purge).
privileges required to perform this task.
To set up the backup policy:
Step 1
Select Admin > Network > Purge Settings > Syslog Backup Settings.
The Backup Policy dialog box appears.
By default, the backup policy is set to disabled.
Step 2
Select Enable to enable the backup process for Syslog messages, after configuring backup.
Step 3
Click Browse to select the backup file location.

In the Server Side File Browser dialog box:
a.
Specify the external directory.

The external directory must be under the syslog directory, or a sub-directory within the syslog
directory. For example, $NMSROOT/files/rme/syslog/sysbackup.
The external directory cannot be outside the syslog directory. If you attempt to navigate outside the
syslog directory, an error message appears.
b.
Select Directory Content,
c.
Click OK.
Step 4
Enter the maximum size that you want to set for the backup file. By default this is set to 100 MB.
Step 5
Enter the e-mail ID of the user who should receive a notification, if the backup fails. You can enter
multiple e-mail addresses separated with commas. This is a mandatory field.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin >
(Admin > System > System Preferences). When the job completes, an e-mail is sent from the E-mail
ID.)
If you also want a notification to be sent when the backup is a success, select Also Notify on Success.
Step 6
Either click Save to save the backup configuration details that you have specified or click Reset to clear
the values that you specified and reset to the previously saved values in the dialog box.
If you have clicked Save, the backup will continue to save the data even after the data has exceeded the
specified size of the backup file. However, the system will send an e-mail asking you to cleanup the
backup file.

OL-25947-01
16-5
Chapter 16
Purge Settings

You can specify a default policy for the periodic purging of Syslog messages.
If you access a table either through immediate reports, report jobs or by any other means, the database
locks the table and therefore the table will not be successfully purged. However, during the successive
purge operations such a table will be purged.
A purge job is enabled by default, and is scheduled to run at 1:00 AM daily.
This section contains: Performing a Syslog Forced Purge
To specify your default purge policy:
Step 1
Select Admin > Network > Purge Settings > Syslog Purge Settings.
The Purge Policy dialog box appears.
Step 2
Specify the number of days in the Purge records older than field.
Only the records older than the number of days that you specify here, will be purged. The default value
is 7 days. This is a mandatory field.
Caution
You might delete data by changing these values. If you change the number of days to values lower than
the current values, messages over the new limits will be deleted.
If the data of a particular day is being accessed either through Immediate reports, Report jobs, or by any
other means, it will not be purged. However, during the successive purge operations this data will be
purged.
Step 3
Specify the periodicity of the purge in the Run Type field. This can be monthly, daily, or weekly.
Step 4
Select the start date using the calendar icon, to populate the date field in the dd-mmm-yyyy format (For
example, 02-Dec-2004). This is a mandatory field.
Step 5
Enter the start time in the At field, in the hh:mm:ss format (23:00:00). This is a mandatory field.
The Job Description field has a default descriptionSyslog Records - default purge job.
Enter the e-mail ID of the user who should be notified when the scheduled purge is complete. You can
enter more than one e-mail ID separated by commas. This is a mandatory field. Configure the SMTP
server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System
Preferences).
(Admin > System > System Preferences). When the job completes, an e-mail is sent from E-mail ID.
Step 6
Either click Save to save the purge policy that you have specified or click Reset. to clear the values that
you specified and reset the defaults in the dialog box.
You can view the scheduled purge job in the Job Browser (Admin > Jobs > Browser).
16-6
OL-25947-01
Chapter 16
Purge Settings
Performing a Syslog Forced Purge

You can perform a forced purge of Syslog messages, as required.
If you access a table through Immediate reports, Report jobs, or by any other means, the database locks
the table and therefore the table will not be successfully purged. However, during successive purge
operations the locked table will be purged.
To perform a Forced Purge:
Step 1
Select Admin > Network > Purge Settings > Syslog Force Purge.
The Force Purge dialog box appears.
Step 2
Enter the information required to perform a Forced Purge:
Field
Description
Purge records older than
Enter the number of days. Only the records older than the number of days that you specify here,
will be purged. This is a mandatory field.
If the data of a particular day is being accessed either through Immediate reports, Report jobs, or
by any other means, it will not be purged. However, during the successive purge operations this
data will be purged.
Scheduling
Run Type
Specify whether the purge is to be Immediate or Once.
If you select Immediate, all the other options will be disabled for you.
If you select Once, you can specify the start date and time and also provide the job
description (mandatory) and the e-mail ID for the notification after the scheduled purge is
complete.
We recommend that you configure the E-mail ID in the View / Edit System Preferences
dialog box (Admin > System > System Preferences). When the job completes, an e-mail is
sent from E-mail ID.
Date
Select the start date using the calendar icon, to populate the Date field in the dd-mmm-yyyy
format, for example, 02-Dec-2004. This is a mandatory field.
The Date field is enabled only if you have selected Once as the Run Type.
at

The at field is enabled only if you have selected Once as the Run Type.

OL-25947-01
16-7
Chapter 16
Purge Settings
Field
Description
Job Info
Job Description
Enter a description for the forced purge job.

The Job Description field is enabled only if you have selected Once as the Run Type. This is a
mandatory field.
E-mail
Enter the e-mail ID of the user who should be notified when the Forced Purge is complete. You
can enter more than one e-mail ID separated by commas.
The e-mail field is enabled only if you have selected Once as the Run Type.
Configure the SMTP server to send e-mails in the View/ Edit System Preferences dialog box
We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box
(Admin > System > System Preferences). When the job completes, an e-mail is sent from
E-mail ID.
Step 3
Click Submit for the Forced Purge to become effective.

To clear the values that you specified and reset the defaults in the dialog box, click Reset.
You can view the scheduled Force Purge job in the Job Browser (Admin > Jobs > Browser).

You can periodically purge the Configuration Management jobs from Admin > Network > Purge
Settings > Config Job Purge Settings.
Scheduling a Configuration Management Purge Job
Enabling a Configuration Management Purge Job
Disabling a Configuration Management Purge Job
The Job Purge option provides a centralized location for you to schedule Purge operations for the
following Configuration Management jobs:
Credential Verification JobsPurge all Credential Verification jobs. This also includes credential
verification edit jobs.
Software Management JobsPurge all Software Management jobs such as Image Import, Image
Distribution, etc.
Netconfig JobsPurge all NetConfig jobs.
Archive Management JobsPurge Archive Management jobs such as Compliance Check, and
Deploy Compliance Results.
Archive Update JobsPurge Archive Management collection jobs, Default config collection job.
Archive Poller JobsPurge Archive Management polling jobs, Default config polling job.
Archive Purge Jobs--Purge Archive Management purge jobs, Default archive purge job.
16-8
OL-25947-01
Chapter 16
Purge Settings
Config Editor JobsPurge all Config Editor jobs.
CwConfig JobsPurge all cwcli config jobs such as Get Config, Put Config, etc.
TrustSec Jobs - Purge all TrustSec jobs.
Identity Jobs - Purge all Identity jobs.
Note
TrustSec was known as Identity in the versions of LMS earlier than 4.2. Identity jobs will be
available for purging only if they have been backed up from the versions of LMS earlier than 4.2
and restored.
Inventory Collector JobsPurge Inventory collection jobs.
Inventory Poller JobsPurge Inventory polling jobs.
Reports JobsPurge all Reports jobs
Reports Archive JobsAll reports that are archived are purged. You can view all reports that are
archived in the Archives window (Reports > Report Archives > Inventory and Syslog).
NetShow JobsPurge all NetShow jobs.
You cannot purge the jobs that are in the running state.
The Job Purge contains the following information:
Column
Description
Application
Lists the application for which the Purge is applicable.
Status
Whether a Purge job is enabled or disabled.
Policy
This value is in days. Data older than the specified value, will be purged. You can change this value
as required. This is a mandatory field. The default is 180 days.
Job ID
Unique ID assigned to the job by the system, when the Purge job was created. This job ID does not
change even when you disable or enable or change the schedule of the Purge job.
For Purge Now task, job ID is not assigned. Also, if a Job ID already exists for that application, the
job ID is not updated for Purge Now tasks. That is, the scheduled Purge job is not affected by Purge
Now task.
Scheduled At
Date and time for which the job is scheduled. For example: Nov 17 2004 13:25:00.
Schedule Type
Specifies the type of schedule for the Purge job:
MonthlyRuns monthly on the specified day of the month and at the specified time. (A month
comprises 30 days).
You can select the applications by checking the check boxes next to the application to perform the
following tasks using the Job Purge window:
Button
Description
Schedule
Schedules a Purge job.
Enable
After you schedule a job, you can enable Purge.

OL-25947-01
16-9
Chapter 16
Purge Settings
Button
Description
Disable
After you schedule a job, if you have enabled the Purge job, you can choose to disable it.
Purge Now
Perform Immediate Purge.

You can select more than one application to purge in a single step. After selecting the applications,
click on this button to purge jobs.
Scheduling a Configuration Management Purge Job

To schedule a Purge job:
Step 1
The Job Purge dialog box appears.
To create a Purge job,
Step 2
Select Schedule.
The Purge Schedule dialog box appears for the selected application.
Field
Description
Scheduling
Run Type
Select the frequency at which the job should be run:
MonthlyRuns monthly on the specified day of the month and at the specified time. (A month comprises
30 days).
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will
run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the
10.00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, then the next job will start
only at 10:00 a.m. on November 3.
Date
1.
Click on the date picker icon and select the date, month and year.
Your selection appears in the Date field in this format:
dd Mmm yyyy (example: 14 Nov 2004).
2.
Select the time (hh and mm) from the drop-down lists in the at fields.
Job Info
Days
The default setting for purging archived data is 180 days. That is, data older than 180 days will be purged.
You can change this value as required. This is a mandatory field.
You can enter only whole numbers for days. You cannot enter fractions of days.
Job
Description
Based on the option that you selected, you see a default job description.
For example, for Software Management Purge jobs the default description is:
Purge - Software Management Jobs.
For Reports Archive Purge, the default description is: Purge - Reports Archive Purge.
16-10
OL-25947-01
Chapter 16
Purge Settings
Step 3
Note
Click Done. The Purge job appears in the Job Purge dialog box.
Enabling a Configuration Management Purge Job

You can enable only a scheduled Purge job.
To schedule a Purge job, see Scheduling a Configuration Management Purge Job.
To enable a Purge job:
Step 1
Step 2
Click Enable.
There is a purge schedule and it is enabled.
Step 3
Click OK.
The Status column in the Job Purge window displays Enabled for the selected application Purge job.
Disabling a Configuration Management Purge Job

You can only disable a Purge job that is scheduled and enabled.
To schedule a Purge job, see Scheduling a Configuration Management Purge Job and to enable a Purge
job, see Enabling a Configuration Management Purge Job.
To disable a Purge job:
Step 1
Step 2
Click Disable.
There is a purge schedule and it is disabled.
Step 3
Click OK.
The Status column in the Job Purge window displays Enabled for the selected application Purge job.

OL-25947-01
16-11
Chapter 16
Purge Settings

Using this option you can purge application jobs immediately. That is, you can purge Configuration
Management jobs without scheduling and enabling the Purge job.
For the Purge Now task, the Job ID is not assigned. Also, if a Job ID already exists for that application,
the Job ID is not updated for Purge Now tasks. That is, the scheduled Purge job is not affected by Purge
Now task.
To perform an immediate purge:
Step 1
Step 2
Click Purge Now.

The Explorer User Prompt dialog box appears.
Step 3
Enter the number of days jobs that have to be purged.

The default setting for purging archived data is 180 days. That is, data older than 180 days will be
purged. You can change this value as required.
You can enter only whole numbers for days. You cannot enter fractions of days.
Step 4
Click OK.
The Purge Job Details window appears displaying the purged job details.
Note

You can configure LMS to periodically purge job data that you no longer need. This is done using Job
Purge.
Job Purge provides a centralized location for you to schedule purging for the following LMS jobs:
Quick Report JobsPurge all Quick Report jobs older than the specified number of days.
Custom Report JobsPurge all Custom Report jobs older than the specified number of days.
Threshold Report JobsPurge all Threshold Report jobs older than the specified number of days.
Poller Report JobsPurge all Poller Report jobs older than the specified number of days.
Failure Tracker JobsPurge all Failure Tracker jobs older than the specified number of days.
TrendWatch jobsPurge all TrendWatch jobs older than the specified number of days.
TrendWatch Summary jobsPurge all TrendWatch summary jobs older than the specified number
of days.
Summarizer JobsPurge all Summarizer jobs older than the specified number of days.
Data Purge jobsPurge all Data Purge jobs older than the specified number of days.
16-12
OL-25947-01
Chapter 16
Purge Settings
Job Purge jobsPurge all Job Purge jobs older than the specified number of days.
Maintenance jobsPurge all Maintenance jobs older than the specified number of days.
To schedule Job Purge:

Step 1
Select Admin > Network > Purge Settings > Performance Job Purge Settings.
Step 2
Select Job Purge.

The Job Purge Settings page appears, displaying Job Purge Schedule dialog box.
Table 16-1 describes the fields in the Job Purge Schedule dialog box.
Table 16-1
Field/Button
Job Purge Schedule Fields
Description
Scheduling
Run Type
Specify the type of schedule for job purge:
WeeklyRuns weekly on the specified day of the week and at the

specified time.
MonthlyRuns monthly on the specified day of the month and at the

specified time. (A month comprises 30 days).
For Daily jobs, the subsequent instances of jobs will run only after the earlier
instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November
1, the next instance of this job will run at 10:00 a.m. on November 2, only if
the earlier instance of the November 1 job has completed. If the 10.00 a.m.
November 1 job has not been completed before 10:00 a.m. November 2, then
the next job will start only at 10:00 a.m. on November 3.
Date
Specify the date and time for which the purge is scheduled.
Select the date by clicking the calendar icon and time from the drop-down
list.
Purge Policy
Days
The default setting for purging archived job data is 30 days. That is, job data
older than 30 days will be deleted. You can change this value as required.
This is a mandatory field.
You can enter only whole numbers for days. You cannot enter fractions of
days.
Apply
(button)
Purge Now
(button)
Job purge is scheduled at the specified Run Type and Date for the job data
older than the days specified in the Days field.
Job purge is done immediately for the job data older than the days specified
in the Days field.

OL-25947-01
16-13
Chapter 16
Purge Settings
Step 3
Scheduling
Purge Policy
See Table 16-1 for the description of fields that appear in the Job Purge Schedule dialog box.
Step 4
Click Apply to schedule job purge or Purge Now to immediately perform job purge.
If you click Apply, a message appears confirming that the purge settings are applied successfully.
If you click Purge Now, a message appears confirming that purge is done successfully and the Job
ID appears.
You can see the job details in the Job Browser at Admin > Jobs > Browser.
Note
We recommend that you wait for any activity currently running in the system to stop before purging jobs.
By default, all Job Purge jobs older than seven days are purged by Cisco Prime LMS.

You can configure LMS to periodically purge polled data that you no longer need in the database. You
can purge data records such as summarization records, Poller failure records, threshold violation records,
audit trail records.
Cisco Prime LMS polls the device and stores the polled data in the database. Over a period of time, the
polled data occupies a large amount of space in the database.
To prevent this, LMS stores only the last 24 hours data in the database. Background tasks in LMS
summarizes this polled data and categorizes the data as 5-minute summarization record, 30-minute
summarization record, 3-hour summarization record and 12-hour summarization record.
The summarization of polled data happens every one hour. The summarized data can be purged at regular
intervals using the Data Purge option.
Data Purge allows you to schedule purging for the following LMS data records:
30 Minute Summarization recordsPurge all 30-minute summarization data records older than the
specified number of days.
3 Hour Summarization recordsPurge all 3-hour summarization data records older than the
12 Hour Summarization recordsPurge all 12-hour summarization data records older than the
Poller failure recordsPurge all failure data records older than the specified number of days.
Threshold violation recordsPurge all threshold violation data records older than the specified
number of days.
Audit trail recordsPurge all audit trail data records older than the specified number of days.
TrendWatch violation recordsPurge all TrendWatch violation data records older than the specified
number of days.
Status change details recordsPurge all status change details data records older than the specified
number of days.
16-14
OL-25947-01
Chapter 16
Purge Settings
Note
It is recommended to keep the LMS view in LMS Portal closed, when the data purge job is running.
To schedule Data Purge:
Step 1
Select Admin > Network > Purge Settings > Performance data purge settings.
Step 2
Select Data Purge.

The Data Purge Settings page appears, displaying the Data Purge Schedule dialog box.
Table 16-2 describes the fields in the Data Purge Schedule dialog box.
Table 16-2
Field/Button
Data Purge Schedule Fields
Description
Purge Schedule
Run Type
Specify the type of schedule to perform Data Purge:
HourlyRuns hourly.
WeeklyRuns weekly on the specified day of the week and at the

specified time.
MonthlyRuns monthly on the specified day of the month and at the

specified time. (A month comprises 30 days).
By default, Daily is set as the default Run Type schedule for Data Purge.
For example, if you have scheduled Run Type as Daily for Data Purge job at
10:00 a.m. on November 1, the next instance of this Data Purge job will run
at 10:00 a.m. on November 2, only if the earlier instance of the November 1
job has completed.
If the 10.00 a.m. November 1 Data Purge job has not been completed before
10:00 a.m. November 2, then the next Data Purge job will start only at 10:00
a.m. on November 3.
Date
Specify the date and time for which the Data Purge job is scheduled.
Select the date by clicking the calendar icon and time from the drop-down
list.

OL-25947-01
16-15
Chapter 16
Purge Settings
Table 16-2
Data Purge Schedule Fields (continued)
Field/Button
Description
Purge Policy
Days
The following are the default settings for purging the following data:
5 Minute's Summarization records3 days
30 Minute's Summarization records15 days
3 Hour Summarization records90 days
12 Hour Summarization records365 days
Poller failure records1 day
Threshold violation records180 days
Audit trail records90 days
TrendWatch violation records180 days
Status change details records15 days
The default data purge settings provides optimal performance of Cisco Prime
LMS. You can also change the default purge settings as required. However,
the performance of Cisco Prime LMS may not be as expected.
You can enter only whole numbers for days. You cannot enter fractions of
days.
This is a mandatory field.
Apply
(button)
Purge Now
(button)
Step 3
Data purge is scheduled at the specified Run Type and Date for the data older
than the days specified in the Days field.
Data purge is done immediately for the data older than the days specified in
the Days field.
Purge Schedule
Purge Policy
See Table 16-2 for the description of fields that appear in the Data Purge Schedule dialog box.
Step 4
Click Apply to schedule the data purge or Purge Now to immediately perform the data purge.
If you click Apply, a message appears confirming that data purge settings are applied successfully.
If you click Purge Now, a message appears confirming that purge is done successfully and the Job
ID appears.
You can see the job details in the Job Browser at Admin > Jobs > Browser.
Note
By default, all Summarization jobs older than seven days are purged by Cisco Prime LMS.
16-16
OL-25947-01
Chapter 16
Purge Settings

Cisco Prime LMS allows you to view the details of the data purged using the option Purge Details.
To view Data Purge details:
Step 1
Select Admin > Network > Purge Settings > Performance Data Purge Summary.
Step 2
Select Purge Details.

The Purge Details page appears, displaying Show Purge Details dialog box.
Table 16-3 describes the fields in the Show Purge Details dialog box.
Table 16-3
Show Purge Details Fields
Field
Description
Details
Displays the purge details of the Data Purge job.

The following purge information is displayed:
Value
Next Data Purge Job scheduled at
No. of Poll Failure records purged
No. of Audit Trail records purged
No. of Threshold Violation records purged
No. of Polled records purged
Last Job Purge completed at
No. of TrendWatch violation records purged
Details the number of records purged and purge schedule.

OL-25947-01
16-17
Chapter 16
Purge Settings

The Purge Settings page allows you to set the Purge period for Historical and Audit reports. You can also
set the Purge period from the Setup Center.
To access Purge Settings page:
Select Admin > Network > Purge Settings > IPSLA data Purge Settings.
You can use the Purge Settings option to purge Historical data as well as Audit reports.
Purging Historical Data
LMS purges IPSLA-related historical data automatically everyday, based on the Purge period specified
on the Purge Settings page. It purges historical data that is older than the specified Purge period. If the
Purge period is not specified, it purges the historical data based on the default values.
The minute-based reports are purged daily by default.
To purge Historical reports:
Step 1
Select Admin > Network > Purge Settings > IPSLA data Purge Settings.
The Purge Settings page appears.
Step 2
Specify the Purge period. For more information, see Table 16-4.
Step 3
Click Apply.
A message appears that the Purge settings are updated successfully.
Step 4
Click OK.
16-18
OL-25947-01
Chapter 16
Purge Settings
Table 16-4
Purging Reports
Granularity
Purge Period
Minute
Specify the number of days for which you want to keep the
minute historical data in the database.
The default value is 1 day.
Hourly
hourly historical data in the database.
The default value is 32 days.
Daily
daily historical data in the database.
The default value is 180 days.
Weekly
Specify the number of weeks for which you want to keep the
weekly historical data in the database.
The default value is 12 weeks.
Monthly
Specify the number of months for which you want to keep the
monthly historical data in the database.
The default value is 12 months.
Audit Reports Purge Period
Allows you to purge the Audit reports.The audit reports older

than the number of days you specify will be purged. The
default purge period for Audit reports is 180 days. This frees
disk space and maintains your audit reports at a manageable
size.

OL-25947-01
16-19
Chapter 16
Purge Settings

Note
Data for Fault History remains in the LMS database for 31 days. Purging occurs every day to maintain
only 31 days of data. You can select the time of day that purging begins. By default, purging begins at
00:00.
Before You Begin
Review the information in Performing Scheduling Tasks to ensure that daily purging does not conflict
with the other scheduled jobs listed there.
Do not use the LMS Job Browser to manage Rediscovery Schedules; use the LMS Daily Purging
Schedule interface. If you suspend the Fault History:DataPurge job using the Job Manager, the job is
deleted from the LMS Daily Purging Schedule interface, which can be confusing to users.
Step 1
Select Admin > Network > Purge Settings > Fault History Purging Schedule.
Step 2
Select the Purge Time:
HourFrom 0 to 23
MinuteFrom 0 to 50 in ten-minute intervals
The default purge time is 00:00.

Step 3
Click Apply.
You can check the status of the Fault History data purge job from the Job Manager page each day after
the job runs. To do so select Admin > Jobs > Browser and find DFM:DataPurge under Job Type.
For more information, see Configuring Fault Management Rediscovery Schedules.
16-20
OL-25947-01
CH A P T E R
17
Debugging Options
Debugging Settings menu allows the administrator to set the debugging settings of various modules in
LMS.
Maintaining Log Files
Performance Debugging Settings
Configuring Logging
Setting Debugging Options for Topology and User Tracking
Setting VRF Lite Debugging Options

You can enable the debugging option for components or modules of LMS Device Discovery without
restarting the services. When you enable the debugging option for a selected component, the log levels
in the csdiscovery.properties file is changed to DEBUG and the debug messages are recorded into the
CSDiscovery.log file and ngdiscovery.log.
You can only enable or disable the debugging option. You cannot choose to set different log levels such
as INFO,WARNING, FATAL and ERROR.
The following Device Discovery components can be enabled or disabled for debugging:
Discovery Framework
Data Collector
Discovery Util
System Module
Cluster Module
ARP Module
AUS Module
Credential Module

OL-25947-01
17-1
Chapter 17
Debugging Options
Neighbor Module
Pingsweep Module
RouterPeer Module
RT Module
CSDiscoveryAdaptor
Discovery DeviceInfo
The debugging option for all the Device Discovery components is disabled by default.
To enable the debugging option for the LMS Device Discovery components:
Step 1
Select Admin > System > Debug Settings > Discovery Logging Configuration. The Discovery
Logging Configuration page appears.
Step 2
Select one or more Discovery modules or components from the Disabled Modules list box.
Step 3
Click Add to add the components to the Enabled Modules list box.
Step 4
Click Apply.
Debugging is enabled for all the components listed in the Enabled Modules list box. The changes will
come into effect after 60 seconds.
To disable the debugging option, move the selected component from the Enabled Modules list box to
Disabled Modules list box using the Remove button.

Log files can expand and fill up disk space. You must maintain the log files disk space usage by:
Deleting the unwanted log files from the Cisco Prime installation directory
Using the logrot functionality. See Configuring Log Files Rotation for more information.
Most log files are located in directories in the following locations:
Caution
On Solaris/Soft Appliancevar/adm/CSCOpx/log
On WindowsNMSROOT\log
As part of the file back-up procedure, Cisco Prime Daemon Manager is shut down and restarted. To
prevent loss of data, make sure you are not running any critical tasks.
Maintaining Log Files on Solaris/Soft Appliance
Maintaining Log Files on Windows
About Cisco Prime Common Services Log Files
Viewing and Maintaining LMS Log File Details
17-2
OL-25947-01
Chapter 17
Debugging Options
Maintaining Log Files on Solaris/Soft Appliance

To maintain log files on Solaris/Soft Appliance:
Step 1
Make sure the new location has sufficient disk space.
Step 2
Step 3
Stop all processes, and enter /etc/init.d/dmgtd stop.
Step 4
Perform log maintenance by running logrot.

See Configuring Logrot Utility and Running Logrot Script for more information.
Step 5
Verify the procedure was successful by examining the contents of the log files in this location:
/var/adm/CSCOpx/log/*.log
Only log files that reach 90% of their size limits are backed up, and the original log file is emptied.
Step 6
Restart the system, and enter /etc/init.d/dmgtd start
Step 7
Select Reports > System > Status > Log File to view your log changes.
Maintaining Log Files on Windows

To maintain log files on Windows:
Step 1
Make sure the new location has sufficient disk space.
Step 2
Go to the command line and make sure you have the correct permissions.
Step 3

net stop crmdmgtd
Step 4
Perform log maintenance by running logrot.

See Configuring Logrot Utility and Running Logrot Script for more information.
Step 5
Verify the procedure was successful by examining the contents of the log files in the following location:
NMSROOT\log\
Only log files that reach 90% of their size limits are backed up, and the original log file is emptied.
Step 6
Restart the system by entering:

net start crmdmgtd
Step 7
Select Reports > System > Status > Log File to view your log changes.

OL-25947-01
17-3
Chapter 17
Debugging Options
About Cisco Prime Common Services Log Files

The table below lists the filenames and locations of all logs produced by components of Common
Services.
The normal top-level log file directories refer to /var/adm/CSCOpx/log on Solaris/Soft Appliance and
NMSROOT\log on Windows. For example, the path to license.log is C:\Program Files\CSCOpx\log on
Windows, /var/adm/CSCOpx/log on Solaris/Soft Appliance.
Paths to log files other than those in the normal log directories are listed relative to NMSROOT on each
platform. For example, the path to stdout.log is mentioned as /MDC/tomcat/logs/ in the table.
Component
/Module
Directory Path
File
Description
AAA Serivces
/MDC/log/
core*
Logs for Authentication,

Authorization and
Accounting process
Backup and
Restore
Normal top-level log directories
dbbackup.log,
restorebackup.log,
restorebackup.log.old
Backup and restore logs
Cico Prime
LMS General
Log Files
/MDC/Apache/logs/
error.log
Log for General Cisco Prime

LMS errors
perlerr.log
Log for Perl interpreter errors
Proxy.log
Log for Proxy activity
event.log
Log for Cisco Prime LMS

events
Cisco Prime
Syslog Service
Database
Services
Normal top-level Solaris/Soft Appliance log daemons.log

directory only
Log for all Daemon

Manager-controlled
processes (On Solaris/Soft
Appliance only).
Normal top-level Windows log directory

only
syslog.log
Syslogs received from

device/machine (On
Windows only).

only
syslog_debug.log
CRMLogger debugging
information and messages
from device/machine (On
Windows only).
CmfDbMonitor.log
Log for Sybase database

operations
dbpwdChange.log
Log for Database password

changes
dbrestoreorig.log
Log to restore the database to

factory settings
dmgtDbg.log
Log for Daemon Manager

interactions with Sybase
database
/objects/db/win32/
dbcond8.log
Database condition log
17-4
OL-25947-01
Chapter 17
Debugging Options
Component
/Module
Directory Path
File
Description
dcr.log
Logs for Device and

Credentials Administration
activities
DCRDevPoll.log
Logs to detect and delete

Unreachable devices
Device and
Credentials
Administration
Import and
Export Module
dcrimpexp.log,
DCRServer.log (Windows
Only),
daemons.log (Solaris/Soft
Appliance Only)
Logs to import and export

Device and Credentials
Administration
Device Center
SnmpWalk*
Log for SNMP Walk
SnmpSet*
Log for SNMP Set
CSDiscovery.log,
ngdiscovery.log
Device discovery logs
Device Selector Normal top-level log directories
CSDeviceSelector.log
Device Selector log file
Role
Management
/MDC/log/
cam.log
Role Management log file
Disk Space
Monitoring
Services
diskWatcher.log
Logs storing the disk space

information
Event
Distribution
Services
EDS-GCF.log, EDS.log
Logs for Event Distribution

Services activities
Event Services
ESS.log, JavaDebug.log
Logs for Event Services
Grouping
Service
CMFOGSClient.log
Log for Grouping Service

client
CMFOGSServer.log
Log for Grouping Service

server
JacORB

only
NameServiceMonitor.log,
NameServer.log
Logs for
NameServiceMonitor from
JacORB package
(On Windows only)
Job Services

only
daemons.log (Solaris/Soft
Appliance Only), jrm.log
(Windows Only)
Logs for various Jobs
Licensing
LicenseServer.log
License Server activity
license.log
Product license changes
lwms.log
Lightweight Messaging
Service activity
psu.log
Log for Software Center

related activities
Device and
Credentials
Administration
Device
Discovery
Messaging
Service
Software Center Normal top-level log directories

OL-25947-01
17-5
Chapter 17
Debugging Options
Component
/Module
Directory Path
File
Description
Web Services
/MDC/Apache/logs/
access.log, error.log,
mod_jk.log
Logs for Apache activity
ssl.log
Log for Apache activity
/MDC/tomcat/logs/
jasper-YYYYMMDD.log,
servlet-YYYYMMDD.log,
stderr.log, stdout.log,
Logs for all Tomcat activities
changeport.log
Port change information
CSRegistryServer.log
Log for CSRegistryServer

process
TomcatMonitor.log
Log for TomcatMonitor

process
Logs for
Common
Services
backend
processes
Viewing and Maintaining LMS Log File Details

Each LMS module writes log files within the NMSROOT/log folder. Table 17-1 lists the name of the log
file, LMS module for which log file is written, the location in Windows where log files is stored, the
location in Solaris/Soft Appliance where log files is stored and the purpose of the log file.
Table 17-1
List of Topology and Identity Services Log File Details
Location in
Windows
Location in
Solaris/Soft
Appliance
Log File
Module
Purpose
ani.log
Data Collection
NMSROOT/log/ani. /var/adm/CSCOpx/l Debugs Data

log
og/ani.log
Collection
process.
AniServer.log
ANIServer
NMSROOT/log/AN
IServer.log
/var/adm/CSCOpx/l Debugs
og/dmgtd.log
ANIServer
process
Campus.log
LMS
Configuration
and reports
NMSROOT/log/Ca
mpus.log
og/Campus.log
Topology and
Layer 2 Services
module of LMS
CampusOGSSer Topology and

NMSROOT/log/Ca /var/adm/CSCOpx/l Debugs
ver.log
Layer 2 Services mpusOGSServer.log og/CampusOGSSer Topology and
OGSServer
ver.log
Layer 2 Services
OGSServer
process
CampusOGSCli OGS client
ent.log
NMSROOT/log/Ca /var/adm/CSCOpx/l Debugs

mpusOGSClient.log og/CampusOGSClie Topology and
nt.log
Layer 2 Services
OGSClient
17-6
OL-25947-01
Chapter 17
Debugging Options
Table 17-1
Log File
List of Topology and Identity Services Log File Details (continued)
Module
Location in
Windows
Location in
Solaris/Soft
Appliance
Purpose
campusportal.lo Portal
g
NMSROOT/log/cam /var/adm/CSCOpx/l Debugs the

pusportla.log
og/campusportal.lo Topology and
g
Layer 2 Services
portlets.
Cmapps.log
User Tracking
UI
NMSROOT/log/Cm
apps.log
macuhic.log
MACUHIC
NMSROOT/log/mac /var/adm/CSCOpx/l Debugs

uhic.log
og/macuhic.log
MACUHIC
process for
Dynamic UT
ut.log
User Tracking
NMSROOT/log/ut.l
og
utlite.log
UTLITE
NMSROOT/log/utlit /var/adm/CSCOpx/l Debugs UTLite

e.log
og/utlite.log.log
Server.
/var/adm/CSCOpx/l Debugs all the

og/Cmpapps.log
UI pages for
User Tracking
/var/adm/CSCOpx/l Debugs the User

og/ut.log
Tracking module
UTMajorAcquis User Tracking

ition.log
NMSROOT/log/
UTMajorAcquisitio
n.log
og/dmgtd.log
UTMajorAcquisi
tion process.
utm.log
UTManager
NMSROOT/log/
Utm.log
og/utm.log
UTManager
process of
Dynamic UT
Vnmclient.log
VRF Lite UI
NMSROOT/log/
Vnmclient.log
/var/adm/CSCOpx/l Debugs VRF

og/Vnmclient.log
Lite UI
Vnmcollector.lo VRF Lite

g
Collector
NMSROOT/log/Vn
mCollector.log

og/Vnmcollector.lo Lite Collector
process.
g
VNMDeviceSel VRF Lite

ector.log
Device selector
NMSROOT/log/Vn
mDeviceSelector.lo
g
/var/adm/CSCOpx/l Debugs the

og/VNMDeviceSele device selector
ctor.log
provided by VRF
Lite.
Vnmserver.log
VRF Lite Server NMSROOT/log/Vn

merver.log

og/Vnmserver.log
Lite Server
process
Vnmutils.log
VRF Lite UI and NMSROOT/log/Vn

Server
mutils.log
/var/adm/CSCOpx/
Vnmutils.log
Debugs utility
classes used by
VRF Lite client
and server.

OL-25947-01
17-7
Chapter 17
Debugging Options

Each Fault Management module writes log files to its own folder within the NMSROOT/log/dfmLogs
folder. Table 17-2 lists each Fault Management module, the name of the folder where the log files are
stored, the related log files, the maximum log size, and the number of backup logs that are saved.
Note
NMSROOT is the folder where LMS is installed on the server. If you selected the default directory during
installation, it is C:\Program Files\CSCOpx. On Solaris/Soft Appliance it is /opt/CSCOpx.
When a log file reaches its maximum size, the module backs up the file and starts writing to a new log
file. The module appends a number to the backup file, until it reaches the maximum allowed backups.
In the following example, the oldest file is TISServer.log.2, and TISServer.log is the current log file.
02:42 PM
10:22 AM
03:17 AM
4,481,607
5,120,447
5,120,105
TISServer.log
TISServer.log.1
TISServer.log.2
By default, Fault Management writes error messages only to log files. You can change the logging level
and thereby affect the amount of information stored in log files. To do so, see Fault Debugging Settings.
If there are two instances of the DfmServer running, each will have a log file, DFM.log and DFM1.log.
Table 17-2
Fault Management Log Files by Module
Function/Module
Folder in
NMSROOT\log\dfmLogs Log Files
Maximum
Size (KB)
No. of
Backup
Files
Alerts and Activities Display
AAD
AAD.log
1000
Inventory Interactor
cfi
Interactor.log/Interactor1.log
1000
Inventory Collector
cfi
InventoryCollector.log/Inventory
Collector1.log
35000
Polling and Threshold Adapter
cfi
PollingThresholdAdapter.log/Poll 10000
ingThresholdAdapter1.log
Detailed Device View
DDV
DDV.log
1000
Daily Purging Schedule
DPS
DPS.log
100
Event Processing Adapters
epa
adapterServer.log/adapterServer1. 1000
log
dfmEvents.log/dfmEvents1.log
Event Promulgation Module
EPM
EPM.log
15000
Fault History
FH
FHCollector.log
1000
FHUI.log
Logging Services
LogService
DfmLogService.log
500
Processes with multiple threads
LogService
MultiProcLogger.log
10000
License (device limit)
license
licenseCheck.log
100
Notification Services
NOS
nos.log
5000
Fault Management Object Grouping

Service Server
N/A
DFMOGSServer.log
30000
2
2
152
17-8
OL-25947-01
Chapter 17
Debugging Options
Table 17-2
Fault Management Log Files by Module (continued)
Function/Module
Folder in
NMSROOT\log\dfmLogs Log Files
Maximum
Size (KB)
No. of
Backup
Files
Polling and Threshold Manager
PTM
1000
PTMClient.log
PTMServer.log

(database)
PTM
PTMDB.log
1000

(grouping services)
PTM
PTMOGS.log
1000
Polling and Threshold Manager (Polling PTM

and Threshold Adapter)
PTMPTA.log
1000
Rediscovery Schedule
Rediscovery
Rediscovery.log
100
Device and Credentials Repository

Adapter
TIS
DCRAdapter.log
1000
Device Management
TIS
DeviceManagement.log
1000
Inventory Service
TIS
TISServer.log
1000
View Group Management
VGM
vgm.log
1000
1. The DFMOGSServer.log file is not stored in NMSROOT/log/dfmLogs with the other Fault Management log files. It is stored in NMSROOT/log on
Windows, and /var/adm/CSCOpx/log on Solaris/Soft Appliance.
2. On Windows, there is no limit setting for the log size or number of backup log files for DFMOGSServer.log.
Table 17-3
Incharge Log Files
Function/Module
Folder in NMSROOT\obj\smarts\local\logs
Log Files
Inventory
Incharge engine
DFM.log/DFM1.log

You can use this option to configure and manage log level settings in Device Performance Management
function of LMS. You can set log level modes (such as Fatal, Error, Warn, Info, Debug) either for all
Device Performance Management modules or at a module level.
Device Performance Management module log files are stored at these locations:
On Windows: $NMSROOT\log\, where $NMSROOT is the Cisco Prime LMS installation directory.
On Solaris/Soft Appliance: /var/adm/CSCOpx/log/
When a log file reaches its maximum file size of 10000 KB, the module backs up the file and starts
writing to a new log file. The maximum number of backup log files stored for each application is two.

OL-25947-01
17-9
Chapter 17
Debugging Options
This section contains IPSLA Debugging Settings

To set log levels:
Step 1
Select Admin > System > Debug Settings > Performance Debugging Settings.
Step 2
Select Log Level Settings.

The Set Application Logging Levels dialog box appears.
Step 3
Select the application module from the drop-down list.

The sub-module for the selected application module appear in the Module field.
Step 4
Select an appropriate log level from the Logging Level drop-down list. Changes to Device Performance
Management modules are logged with appropriate log level message. The logging levels are:
Fatal
Error
Warn
Info
Debug
The logging level is set as Info, by default.

Table 17-4 describes the fields in the Set Application Logging Levels dialog box and also provides
information on the files to which these logs are stored.
Table 17-4
Application Module
All
UI
Set Application Logging Levels Fields
Sub-module
Log File
Poller Management
Description
upm_ui.log
Template Management
Threshold Setup
Set logging level for the

entire system
Set logging level for Device
User Interface modules
TrendWatch Setup
Report Management
Report Job Browser
Admin Pages
Trap Group
Management
Syslog Group
Management
Live Graph
LMSLiveGraph.log
LMS Portlets
LMSPortal.log
Device Center
upm_ui.log
17-10
OL-25947-01
Chapter 17
Debugging Options
Table 17-4
Set Application Logging Levels Fields
Application Module
Sub-module
Log File
Description
UPMProcess
Polling Engine
upm_process.log

(UPMProcess) modules
Instance Querying
Threshold Monitor
Device Access Layer
Device Management
UPMProcess
UPMProcess.log
PollerUPMProcess
upm_process.log
TemplateUPMProcess
ThresholdUPMProcess
JOBS
IfAdmin Status
IfAdminStatus.log
Report Jobs
HumReportJob_<JobId>_<InstanceId>.log
Summarization Job

For example, HumReportJob_1003_479.log
Job modules
upm_summarizer.log
Purge Job
upm_purge.log
Failure Tracker Job
HumReportJob_<JobId>_<InstanceId>.log
For example, HumReportJob_1003_479.log
UPMCTMOperations
Step 5
UPM CTM Operations
upm_ctm.log
Set logging level for

UPMCTMOperations
modules
Click Apply to set the logging level or Reset to apply the default logging level.
A message appears confirming that the logging levels are successfully updated.
IPSLA Debugging Settings

You can use the Log Level Settings option to set the log levels for IPSLA Performance Management.
You can either set the log levels for all the modules at a time or individual modules in IPSLA
Performance Management. By default, the log level is INFO for all the modules after installation.
The log files are stored at the following location:
Windows: NMSROOT\log, where NMSROOT is the Cisco Prime installation directory.
Solaris/Soft Appliance: /var/adm/CSCOpx/log.
To set the log level:

Step 1
Select Admin > System > Debug Settings > IPSLA Debugging Settings.
The Log Level Settings page appears.
Step 2
Select either All or Module Level from the Application drop-down list.

OL-25947-01
17-11
Chapter 17
Debugging Options
Step 3
Select the appropriate log level from the Logging Level drop-down list.
Step 4
Click Apply to set the log levels.

A message appears that the log levels have been successfully updated.
To clear the settings, click Cancel.
Step 5
Click OK.
Table 17-5
Field
IPSLA Log Level Settings
Description
Set Application Logging Levels

Module
Select one of the following from the drop-down list.
Logging Level
All
Module Level
Select one of the following logging levels from the drop-down list.
FATAL
ERROR
WARN
INFO
DEBUG
Table 17-6 lists the IPSLA Performance Management modules and the corresponding log file details.
Table 17-6
Modules and Log File Names
Modules in IPSLA Performance Management
Log File Names
IPMCLI
ipmcli.log
IPMServer
ipmserver.log
IPMClient
ipmclient.log
IPMJob
jobid.log, jobid.subjobid.log
IPM OGS
collectorGroup.log, IPMOGSClient.log,
IPMOGSServer.log
IPM CTM Operations
ipm_ctm.log
IPMPortal
ipmportal.log
IPMPoller
ipmpoller.log
IPMBase
ipm_base.log
IPM TS
TS_IPSLA.log
17-12
OL-25947-01
Chapter 17
Debugging Options

You can use this option to set the logging levels for LMS packages. You can set the log levels for all
LMS packages, or at a package (application) level.
Log files are stored at these locations:
On Windows: NMSROOT/log, where NMSROOT is the Cisco Prime installation directory.
On Solaris/Soft Appliance: /var/adm/CSCOpx/log
To set the log levels:

Step 1
Select Admin > System > Debug Settings > Config and Image Management Debugging settings.
The Set Application Logging Levels dialog box appears.
Step 2
Select the Application from the drop-down list.
Step 3
Select the appropriate log level from the Logging Level drop-down list.
The fields in the Set Application Logging Levels dialog box are:
Application
Module
Log File Names
Description
All
Changes the logging level for the

entire system.
Changes the logging level for Archive
Management.
ArchiveMgmt
BugToolkit
ChangeAudit
CLIFramework
ConfigCLI
Archive Service
dcmaservice.log
Archive Client
dcmaclient.log
Bug Toolkit
bugtoolkit.log
Changes the logging level for Bug

Toolkit.
ChangeAudit.log
Changes the logging level for Change

Audit.
Change Audit
Change Audit User ChangeAuditUI.log

Interface
CLI Framework
Changes the logging level for Change

Audit UI.
cli.log
Changes the logging level for CLI

Framework.
Config CLI
ConfigCLI.log
Changes the logging level for Config

CLI.
Netconfig CLI
netcfgcli.log
Changes the logging level for

NetConfig CLI.
ConfigEditor
Config Editor
CfgEdit.log
Changes the logging level for Config

Editor.
ConfigJob
Config Jobs
logs under
%NMSROOT%\files\rme\jobs\Net
ConfigJob

Configuration Jobs.
ConfigJobManager
Config Job Manager
cjp.log

Configuration Job Browser.
This log file is used for config purge
jobs

OL-25947-01
17-13
Chapter 17
Debugging Options
Application
Module
Log File Names
Description
ContractConnection
Contract Connection
contractcon.log

Contract Connections
CTMJRrmServer
CTM Jrm Server
CTMJrmServer.log
Changes the logging level for CTM

JRM Server.
CRI
CRI
DeviceManagement
DeviceSelector
ICServer
Install
cri.log
criarvpurge.log
crijobpurge.log

Common reporting Infrastructure.
Device
Management User
Interface
EssentialsDM.log
Changes the logging level for Device

Management.
Check Device
Attributes User
Interface
cda.log
Changes the logging level for Check

Device Attributes User Interface
Device Credential
Verification Jobs
log files under

%NMSROOT%\files\rme\jobs\
cda\

Credential Verification jobs.
Device
Management
Operations
EssentialsDM_Server.log

Management Operations.
Device Selector
RMEDeviceSelector.log

Selector.
Inventory
Collection Service
IC_Server.log
Changes the logging level for the IC

Server.
Inventory
Collection User
Interface
ICServerUI.log

Inventory Collection User Interface.
Inventory
Collection Jobs

Creates job logs under
%NMSROOT%\files\rme\jobs\ICSe Inventory Collection jobs.
rver
Restore Config and CCRImport.log

Image Management
CCR
Config and Image

Management PSU
Adapter
Migration

Installation modules.
InventoryPoller
Inventory Poller
Creates job logs under

%NMSROOT%\files\rme\jobs\InvP Inventory Poller.
oller
InvReports
Inventory Reports
invreports.log

Inventory Reports.
MakerChecker
Maker Checker
MakerChecker.log
Changes the logging level for the Job

Approval module.
17-14
OL-25947-01
Chapter 17
Debugging Options
Application
Module
Log File Names
Description
NetConfig
Netconfig Client
netconfigclient.log

Netconfig client.
rmeextnserver.log
Tracks the backend functionalities
when VRF Lite or IPSLA
Performance Management invokes
the extension API.
NetShow
NetShow Client
NetShowClient.log

NetShow client.
Portlets
Config and Image

Management Portlets
RMEPortlets.log

Inventory, Config & Image
Management Portlets.
RMECommon
Common Config and

Image Management
Functions
rme.log

common Inventory, Config & Image
Management functions such as, Job
Management tasks, purge tasks, etc.
RMECSTMServer
Config and Image

Management CSTM
Server
rme_ctm.log
Changes the logging level for CSTM

Server.
SoftwareMgmt
SyslogAnalyzer
Software
Management User
Interface
swim_debug.log
Changes the logging level for the user

interface of Software Management
and the Software Management job
creation workflows.
Software
Management Jobs
swim_debug.log files under

%NMSROOT%\files\rme\jobs\swi
m folder

Software Management jobs.
Syslog Analyzer
SyslogAnalyzer.log
Changes the logging level for Syslog

Analyzer.
AnalyzerDebug.log
VirtualSwitch
SyslogAnalyzer.logfor
Windows
AnalyzerDebug.logfor
Solaris/Soft Appliance
Syslog Analyzer
User Interface
SyslogAnalyzerUI.log
Changes the logging level for Syslog

Analyzer User Interface.
Virtual Switch
Client
VirtualSwitchClient.log
Changes the logging level for Virtual

Switching System.

OL-25947-01
17-15
Chapter 17
Debugging Options
Application
Module
Log File Names
Description
EnergyWise
EnergyWise UI
EnergyWiseUI.log
Changes the logging level for the user

interface of EnergyWise
EnergyWise
Provisioning
EnergyWiseConfiguration.log
Log for provisioning EnergyWise

Device and EndPoints.
EnergyWise
Monitoring
EnergyWiseMonitoring.log
Log for EnergyWise Monitoring jobs.
EnergyWise Device EnergyWiseCollection.log

Endpoint, and
EnergyWiseNative.log
Domain collection
Log for EnergyWise Device

Endpoint, and Domain collection.
EnergyWise Policy
Compliance
EnergyWiseComplianceCheck.log
Log for EnergyWise Policy

Compliance check.
EnergyWise Data
Purge Settings
EnergyWise_Purge.log
Log for EnergyWise Data Purge

Settings
Applying
EnergyWise
Policies to
Endpoints
EnergyWiseNativePolicy.log
Log for applying EnergyWise to

Endpoints.
EnergyWiseNativeCompliance.log
To track the port and module group backend evaluation exceptions and changes, the following logs are
maintained:
PMCOGSServer.log
PMCOGSClient.log
Step 4
Click Reset to apply the default logging levels.
Step 5
Click Apply after you set the log levels,

A message appears, that the log levels have been successfully updated.
17-16
OL-25947-01
Chapter 17
Debugging Options
Configuring Logging
Configuring Logging
You can enable the debugging option LMS components without restarting the services. When you enable
the debugging option for the selected component, the log levels in the respective properties file is
changed to DEBUG and the debug messages are recorded in the corresponding log files
You can only enable or disable the debugging option. You cannot choose to set different log levels such
as INFO,WARNING, FATAL and ERROR.
To debug Faults, see Fault Debugging Settings
To enable the debugging option for the Common Services components:
Step 1
Select Admin > System > Debug Settings > Common Services Log Configurations.
The CS Log Configurations dialog box displays the following details:
Step 2
Item
Description
Component
List of components for which you can enable or disable the debug option
Log File(s) Location
Directory of the log files for the selected application
Description
Brief description about the selected application
Debug Mode
Option to enable or disable the debug mode
Select the component from the Component drop-down list box.

You can select to enable the debugging option for the available Common Services components. The
available components include:
CS Device Groups
CS Device Selector
CS Home
CS Portlets
This component is listed in the drop-down list box only when you have installed the LMS Portal
application in LMS Server.
Core Admin Module
DCR Bulk Import and Export
Device Center
Device and Credentials Repository
Home Page Admin
Licensing
LMS Setup Center
Getting Started
This component is listed in the drop-down list box only if LMS Setup Center is installed in LMS
Server.
Product Instance Device Mapping
SMTP
Software Center

OL-25947-01
17-17
Chapter 17
Debugging Options
Step 3
Select the Enable option to enable debugging for the selected application. By default, the Debug Mode
is set to disabled.
Note
Step 4
You can only choose the enable or disable option. You cannot change the log levels to some other
value.

The changes will come into effect after 60 seconds.
You can enable the debugging option for only one component at a time.
To disable the debug mode for all the Common Services components:
Step 1
Select Admin > System > Debug Settings > Common Services Log Configurations.
The CS Log Configurations dialog box appears.
Step 2
Click Reset All to disable the debug mode for all the Common Services components.
The log levels are restored as they are before enabling the debugging option.

Fault Management module writes application log files for all major functional modules. By default, Fault
Management writes only error and fatal messages to these log files; Fault Management saves the
previous three logs as backups. You cannot disable logging. However, you can:
Collect more data when needed by increasing the logging level
Return to the default logging level as the norm
This task can be performed by a user logged in to Fault Management in any of the following roles:
Network Operator
You can also enable debug of the Incharge engine, and execute Incharge Commands. See Enable
Incharge Debugging for more information.
To set the Fault Management debug settings:
Select Admin > System > Debug Settings > Fault Debugging Settings. The Fault Debugging Settings
page is displayed.
Note
You cannot disable logging. Fault Management will always write error and fatal messages to application
log files.
For each Fault Management functional module, the Error check box is always selected; you cannot
deselect it.
17-18
OL-25947-01
Chapter 17
Debugging Options
To set all modules to Error, the default logging level:

Step 1
Click the Default button.

A confirmation page is displayed.
Step 2
Click OK.
To change the logging level for individual modules:

Step 1
For each module that you want to change, select one (or deselect all) of the following logging levels:
WarningLog error messages and warning messages
InformationalLog error, warning, and informational messages
DebugLog error, warning, informational, and debug messages
Note
Step 2
Deselecting all check boxes for a module returns it to Error, the default logging level.
Review your changes.

To cancel your changes, click the Cancel button. Otherwise, click the Apply button.
When you click Apply it starts to reset the changed logging levels for the Fault Management functional
modules.
Enable Incharge Debugging
To do this:
Step 1
Click the Enable Incharge Debugging, and execute Incharge Commands link in the Fault Debugging
Settings page.
The Incharge Command Execution page appears.
Step 2
Select Enable Incharge Debugging check box to enable Incharge logs for the Fault Management module
in LMS.
The logs are available at:
On Windows:
NMSROOT\objects\smarts\local\logs\DFM.log
NMSROOT\objects\smarts\local\logs\DFM1.log
/opt/CSCOpx/objects/smarts/local/logs/DFM.log
/opt/CSCOpx/objects/smarts/local/logs/DFM1.log

OL-25947-01
17-19
Chapter 17
Debugging Options
Step 3
You can execute any Incharge command in the Command text box, click Run and view the results in the
Result column.
Some sample commands that you can exceute are:
sm_server
brcontrol
dmctl s <domain name> geti Routers

If you face issues while running LMS, you can enable logging to debug the same. You can set debugging
options for the following functions:
Data Collection (see Setting up Debugging Options for Data Collection)
Configuration and Reports (see Setting up Debugging Options for Network Reports)
Device Groups (see Setting Debugging Options for Device Groups)
Topology (see Setting Debugging Options for Topology)
User Tracking Server (see Debugging Options for User Tracking Server)
Dynamic User Tracking (see Debugging Dynamic Updates)
User Tracking Reports (see Debugging Options for User Tracking Reports)
Dynamic User Tracking Console (see Debugging Options for Dynamic User Tracking Console)
CiscoView (see Debugging Options for CiscoView)
Setting up Debugging Options for Data Collection

You can set the trace, and debugging, for Data Collection as follows:
Step 1
Select Admin > System > Debug Settings > Data Collection.
The Debugging Options dialog box appears.
Step 2
Modify the debugging options as specified in Table 17-7.

Table 17-7
Data Collection Debugging Options for Data Collection
Field
Description
Usage Notes
Enable Debug
Select this option to enable You can select the modules for debugging
logging for Data Collection. only if you select this option.
Modules
Specify the modules on

which you need to enable
debugging.
Click Select to view the available modules

and select the modules in which you want to
enable debug.
For details on Debug modules, see Selecting
Data Collection Debug Modules
17-20
OL-25947-01
Chapter 17
Debugging Options
Table 17-7
Data Collection Debugging Options (continued) for Data Collection
Field
Description
Usage Notes
File Name
Name of the log file in

The default log file is NMSROOT\log\ani.log
which the trace messages are
to be recorded.
Maximum File Size

(lines)
Maximum size of the log file None

in lines
Enable Device Level Debugging
Device IP(s)
IP Addresses (IPv4 or IPv6

Addresses) of devices for
which you need to log
debugging messages.
This field is enabled only when the Device

Level Debugging option is enabled.
You can enter multiple IP

addresses, separated by
commas.
Step 3
Click Apply.

OL-25947-01
17-21
Chapter 17
Debugging Options
Selecting Data Collection Debug Modules

Table 17-8 describes the debug modules available for Data Collection in LMS.
Table 17-8
Module
framework
Data Collection Debug Modules
Description
Constructs and maintains data in the memory.
Provides framework for LMS features.
Enable debugging for this module only when requested by TAC. This is because
enabling debugging for this module creates huge logs.
topo
Provides network topology computation and layouts.

Enable debugging for this module if you have problems with Topology
computation of devices.
vlad
Discovers VTP domains, VLANs, port-in-VLAN configurations
Performs VLAN configuration tasks
Determines Spanning Tree state
Enable debugging for this module if you have problems with VTP, VLAN
reports, and configuration.
ccm
Discovers Cisco CallManager (CCM).

Enable debugging for this module if you encounter issues with data collected for
CCM.
vmpsadmin
Discovers end-user hosts on the network
Records end-user host information in the ANI database
Manages requests for scheduling user and host discoveries, ping sweeps,
database queries, and updates to user and notes information
Enable debugging for this module if you have problems with User Tracking.
dcrp
Provides computation of network discrepancies.

Enable debugging for this module if you have problems in Discrepancy reports.
status
Enables status polling on previously discovered devices.

Enable debugging for this module if you have problems with device and link
status polling.
apps
Discovers application hosts such as MCS.

Enable debugging for this module if you encounter issues with data collected on
application hosts.
stp
Discovers all STP related information from the network.

Enable debugging for this module if you have problems with STP reports and
configuration.
17-22
OL-25947-01
Chapter 17
Debugging Options
Table 17-8
Module
stpeng
Data Collection Debug Modules (continued)
Description
Performs STP configuration tasks
Provides basic STP analysis for migration from one STP type to another
Enable debugging for this module if you have problems with STP reports and
configuration.
devices
Provides specific information, if any, available for device categories.

Enable debugging for this module if you have problems specific to a particular
device type.
Click OK to save the selected modules or click Cancel to exit.
Setting up Debugging Options for Network Reports

If you need information on Network Reports in LMS, you can enable debugging for the same. To do this:
Step 1
Select Admin > System > Debug Settings > Layer2 Configuration and Reports
The debugging page appears.
Step 2
Select the level of debugging. It can be any one of the following:
INFO
Only informational messages are recorded in the log file.
DEBUG
All messages related to Configuration and Reports are recorded in the log file.
FATAL
Messages related to fatal errors are recorded in the log file. This is the default option.
The Log File Name field specifies the location and name of the log file. The default log file is
NMSROOT\log\Campus.log
Step 3
Click Apply.

OL-25947-01
17-23
Chapter 17
Debugging Options
Setting Debugging Options for Device Groups

If there are errors related to System-defined or User-defined groups in LMS, you can enable debugging
for the same. Its done as follows:
Step 1
Select Admin > System Administration > Debug Settings > Device Groups.
Step 2
INFO
Only informational messages are recorded in the log file. This is the default option.
DEBUG
All client side messages are recorded in the log file.
FATAL
Messages related to fatal errors are recorded in the log file.
NMSROOT\log\CampusDeviceSelector.log
Step 3
Click Apply.
Setting Debugging Options for Topology

You can enable debugging for Topology Services client side activities. The debugging information will
be available in the Java Console.
To display Java Console:
Step 1
Select Start > Settings > Control Panel > Java.
Step 2
Select the Advanced tab.

The corresponding tree structure is displayed.
Step 3
Go to the tree and select Java Console > Show Console.
Step 4
Click Apply and then OK.

The Java console is displayed when you launch Topology Services.
Note
In case you close the Java Console, to reopen it, close the Topology window and relaunch it.
17-24
OL-25947-01
Chapter 17
Debugging Options
To enable debugging:
Step 1
Select Admin > System > Debug Settings > Topology.

Step 2
TRACE
Only informational messages are displayed in the Java Console.
DEBUG
All Topology Services client side messages are displayed in the Java Console.
ERROR
Messages related to all errors are displayed in the Java Console. This is the default option.
Step 3
Click Apply.
To change log level settings:

Step 1
Close the Topology Services window.
Step 2
Change the settings in the LMS Administration page.
Step 3
Re-launch Topology services.
Debugging Options for User Tracking Server

To debug events related to all User Tracking server side processes:
Step 1
Select Admin > System > Debug Settings > User Tracking Server.
The debugging page appears. See Table 17-9 for a description of the fields:
Table 17-9
User Tracking Server Side Debugging Options
Field
Description
Usage Notes
Enable Debug
Check this option to enable

logging for User Tracking
Server side activities.
You can select the modules for debugging

only after you select this option.
Modules
Specify the modules on

which you need to enable
debugging.
Click Select to view the available modules

and select the modules in which debug is to be
enabled. Table 17-8 lists the debug modules
available for User Tracking Server.
File Name
Name of the log file in

The default log file is NMSROOT\log\ut.log
which the trace messages are
to be recorded.

OL-25947-01
17-25
Chapter 17
Debugging Options
Table 17-9
User Tracking Server Side Debugging Options (continued)
Field
Description
Maximum File Size

(lines)
Maximum size of the file in

lines
Usage Notes
Enable Device Level Debugging
Device IP(s)
IP addresses of devices for

which you need to log
debugging messages.
This field is enabled only when the Device

Level Debugging option is enabled.
You can enter multiple IP

addresses, separated by
commas.
Step 2
Click Apply.
Selecting User Tracking Server Side Debug Modules

Table 17-8 describes the debug modules available for User Tracking Server in LMS.
Table 17-10
User Tracking Debug Modules
Module
Description
user tracking
Provides user tracking functionality. Enable debugging for this if user tracking
fails to discover end hosts as expected.
framework
Constructs and maintains data in the memory.
Provides framework for LMS features.
Enable debugging for this module only when requested by TAC. This is because
enabling debugging for this module creates huge logs.
devices
Provides specific information, if any, available for device categories.

Enable debugging for this module if you encounter issues specific to a particular
device type.
Click OK to save the selected modules or click Cancel to exit.
Debugging Dynamic Updates

You can set the debugging options required for Dynamic Updates. Enabling debugging, records all the
required information to the log files.
To enable debugging Dynamic Updates:
Step 1
Select Admin > System > Debug Settings > Dynamic User Tracking.
Step 2
Check Enable Debug to set the options.
17-26
OL-25947-01
Chapter 17
Debugging Options
Step 3
Select the Service Name from the drop down list in the Service Name field.
The framework modules appear in the Module Name column. The framework modules depend on the
service that you select.
Step 4
Select the debug level for each module.

The debug level options are INFO, DEBUG, and TRACE.
INFO logs minimum information required for debugging and is the default option. DEBUG is the next
level of debugging. TRACE provides complete debugging information and creates huge logs.
Step 5
Enter the filename for the log file in the Log Filename field.
The default log file for UT LITE is NMSROOT\log\utlite.log
The default log file for MACUHIC is NMSROOT\log\macuhic.log
The default log file for UTManager is NMSROOT\log\utm.log
The default value for Log file size is 1,000,000 lines. You can give values between 1 and 2,147,483,647.
Giving zero or negative values or alphabets results in errors.
Step 6
Click Apply to save the settings.
Dynamic User Tracking modules available for debugging are explained in Table 17-11:
Note
Enabling debugging for these modules creates huge logs, which interferes with the Trap processing
capability of LMS. We recommend that you enable debugging for this module only when requested by
TAC.
Table 17-11
Module
Dynamic User Tracking Debug Modules
Description
UT Lite
control plane
Handles configuration events related to:
Log level Settings
Log file
Port number
For example:
If you changed the log file from X to Y, but logging still happens in X , enable debugging
for this module.
listener
Listens to data sent by the UTLite script installed in the Windows or Novell server.
Checks for the integrity of the data received.
execution framework
Handles code level execution of the data received.

Enable debugging for this module to debug Java related errors.
execution
Processes and validates the data received.

UTLite receives MACAddress, IPAddress and User logged in for the end host. This
information is updated to the database only if the endhost has been discovered in last UT
Major Acquisition cycle or through Dynamic User Tracking.

OL-25947-01
17-27
Chapter 17
Debugging Options
Table 17-11
Module
Dynamic User Tracking Debug Modules (continued)
Description
MACUHIC
control plane
listener
Log level Settings
Log file
Port number
Listens to SNMP traps sent by devices.

execution framework
Handles code level execution of data received by MACUHIC.

decoder
Validates the traps sent by devices by checking whether:
execution
The trap is sent by a device managed by LMS.
The SNMP version is correct
Checks whether:
The data received is duplicate data
If the data is sent by a Link port or Access port.
Dynamic UT does not process traps sent from link ports.

Updates the database with information received and forwards it to UTManager for further
processing.
UTManager
control plane
listener
Log level Settings
Log file
Port number
Listens to data sent by UTLite and MACUHIC.

execution framework
Handles code level execution of data received by UTManager.

decoder
Validates the data received from UTLite, MACUHIC, SNMP data from DHCP Snooping
MIB and the other data sent by external systems.
execution
Processes the data received and updates the database.
es framework
Handles queries sent to External Systems.
es.snmp
Handles SNMP queries sent to External Systems.
es.subnet
Performs subnet calculation based on the information sent by External Systems.
es.db
Handles database operations.
17-28
OL-25947-01
Chapter 17
Debugging Options
Debugging Options for User Tracking Reports

You can debug events related to User Tracking client side activities as follows:
Step 1
Select Admin > System > Debug Settings > User Tracking Reports. The debugging page appears.
Step 2
INFO
Only informational messages are recorded in the log file. This is the default option.
FATAL
Messages related to fatal errors are recorded in the log file.
DEBUG
All User Tracking client side messages are recorded in the log file.
NMSROOT\log\Cmapps.log
Step 3
Click Apply.
Debugging is enabled for UT client side activities and the messages are recorded in the corresponding
log file.
Debugging Options for Dynamic User Tracking Console

This feature helps you to troubleshoot Dynamic User Tracking updates in a detailed way. Dynamic UT
consists of three major processes:
UTLite
UTManager
MACUHIC
Each process monitors different error conditions using circular buffers in the memory. For each error
condition, the buffer will have the count of error occurrences and the conditions under which the error
occurred.
You can write this information from the memory to a file if you need to, and troubleshoot based on that.
To enable Dynamic User Tracking Console:
Step 1
Select Admin > System > Debug Settings > Dynamic User Tracking Console.
Step 2
Select the Service name from one of the following:
UTLite
UTM
MACUHIC
The error conditions related to that process are listed under the Error Details section.

OL-25947-01
17-29
Chapter 17
Debugging Options
Step 3
Select the error condition for which you need details and click Generate.
A new file is generated with all the error details and stored in the LMS server. It is also listed under the
File list pane.
Step 4
Select a file and:
Click View to see the file contents.
Click Download to save the file in your local machine.
Click Delete to delete the file from the server. You can delete multiple files at the same time.
Debugging Options for CiscoView

You can set an SNMP and activity trace and/or view the trace log. This option records trace information
into the cv.log file, which is located at %NMSROOT%/MDC/tomcat, where %NMSROOT% is the
directory in which CiscoView is installed.
Step 1
Select Inventory > Tools > CiscoView.
Step 2
Select a device from the device selector, and select Administration > Debug Options And Display
Log.
The Trace Settings dialog box appears.
Step 3
Step 4
Select either or both of the following and then click Apply:
SNMP Trace Displays SNMP request and response pairs, MIB instance ID, data value, data type,
request method, and time stamp.
Activity Trace Displays server activity such as which device and dialog boxes are open.
Click View Trace to see the trace activity in a separate window.

If you face issues while running VRF Lite, you can enable logging to debug the same. You can set
debugging options for the following functions:
VRF Lite Server (see VRF Lite Server Debugging Settings)
VRF Lite Collector (see VRF Lite Collector Debugging Settings)
VRF Lite Client (see VRF Lite Client Debugging Settings)
VRF Lite Utility (see VRF Lite Utility Debugging Settings)
You can click Reset All on the Debugging Settings page to reset the debug levels of functions listed.
17-30
OL-25947-01
Chapter 17
Debugging Options
VRF Lite Server Debugging Settings

VRF Lite Server is used to serve all the requests for VRF Lite configurations tasks. The VRF Lite Server
effectively controls and handles all VRF Lite configuration tasks that include deployment of VRF Lite
configuration details to the selected devices and interfaces using LMS. The VRF Lite Server also fetches
the data from the VRF Lite database for report generation.
To apply the debugging level to the VRF Lite Server:
Step 1
Select Admin > System > Debug Settings > VRF Lite Server Debugging.
The VRF Lite Server Debugging dialog box appears. The default location of the log file for VRF Lite
Server Debugging Settings is NMSROOT\log\Vnmserver.log.
The Debug levels in the VRF Lite Server Debugging Settings dialog box is as described in Table 17-12.
Table 17-12
Field
Settings in VRF Lite Server Debugging
Description
Debug Level
Step 2
INFO
DEBUG
All messages related to VRF Lite Server are recorded in the log file.
ERROR
Error is the default logging level. Messages related to fatal errors

are recorded in the log file. This is the default option.
Reset
Click Reset to reset the debug levels applied to VRF Lite Server, to
default value.
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Server.

OL-25947-01
17-31
Chapter 17
Debugging Options
VRF Lite Collector Debugging Settings

VRF Lite Collector collects all the VRF Lite related information from the managed devices on your
network. You can get the information on readiness details of the devices on which VRF Lite can be
configured.
To apply the debugging level to the VRF Lite Collector:
Step 1
Select Admin > System > Debug Settings > VRF Lite Collector Debugging.
The VRF Lite Collector Debugging Settings dialog box appears.The default location of the log file for
VRF Lite Collector Debugging Settings is NMSROOT\log\Vnmcollector.log.
The Debug levels in the VRF Lite Collector Debugging Settings dialog box are as given in Table 17-13:
Table 17-13
Field
Settings in VRF Lite Collector Debugging
Description
Debug Level
Step 2
INFO
DEBUG
All messages related to VRF Lite Collector are recorded in the log
file.
ERROR

are recorded in the log file.
Reset
Click Reset to reset the debug levels applied to VRF Lite Collector,
to default value.
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Collector.
17-32
OL-25947-01
Chapter 17
Debugging Options
VRF Lite Client Debugging Settings

VRF LiteVRF Lite Client refers to the Graphical User Interface (GUI) pages used to perform VRF Lite
tasks. When you use the GUI pages to perform a task, the logs specific to the tasks are recorded. The
recorded logs can be debugged using VRF Lite client debugging settings.
To apply the debugging level to the VRF Lite Client:
Step 1
Select Admin > System > Debug Settings > VRF Lite Client Debugging.
The VRF Lite Client Debugging Settings dialog box appears.The default location of the log file for VRF
Lite Client Debugging Settings is NMSROOT\log\Vnmclient.log.
The Debug levels in the VRF Lite Client Debugging Settings dialog box is as described in Table 17-14:
Table 17-14
Settings in VRF Lite Client Debugging
Field
Description
Debug Level
Step 2
INFO
DEBUG
All messages related to VRF Lite Client are recorded in the log file.
ERROR

Reset
Click Reset to reset the debug levels applied to VRF Lite Client, to
default value.
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Client.
VRF Lite Utility Debugging Settings

VRF LiteVRF Lite Client refers to the utility classes used in VRF Lite like DB, JRM and so on. When
the utility classes are executed, the logs specific to the utility classes are recorded. The recorded logs can
be debugged using VRF Lite utility debugging settings.
To apply the debugging level to the VRF Lite Utility:
Step 1
Select Admin > System > Debug Settings > VRF Lite Utility Debugging.
The VRF Lite Utility Debugging Settings dialog box appears.The default location of the log file for VRF
Lite Client Debugging Settings is NMSROOT\log\Vnmutility.log.
The Debug levels in the VRF Lite Utility Debugging Settings dialog box is as described in Table 17-15:
Table 17-15
Field
Settings in VRF Lite Utility Debugging
Description
Debug Level
INFO

OL-25947-01
17-33
Chapter 17
Debugging Options
Table 17-15
Step 2
Settings in VRF Lite Utility Debugging (continued)
Field
Description
DEBUG
All messages related to VRF Lite Utility are recorded in the log file.
ERROR

Reset
Click Reset to reset the debug levels applied to VRF Lite Utility, to
default value.
Select a debug level and click Apply to apply the selected debug level to the VRF Lite Utility.
17-34
OL-25947-01
CH A P T E R
18

This section briefly describes all the LMS tasks. See the Online help for further details.
This section explains the following LMS task groups:
Note
Understanding Admin Tasks
Understanding Report Tasks
Understanding Monitor Tasks
Understanding Inventory Tasks
Understanding Work Center Tasks
You should enable the Browse Jobs task to schedule any job across LMS.

This section explains the following Admin task groups:
Understanding System Tasks
Understanding Network Tasks
Understanding Collection Tasks
Light Weight Messaging System
Jobs
Getting Started
Manage Portal

OL-25947-01
18-1
Chapter 18
Understanding System Tasks

This section explains the following System task groups:
Log Rotation
Cisco.com Settings
Licensing
Software Center
Debug Settings
System Preferences/Device Management Functions
User Management
Server Monitoring
DBReader Access
Group Management
Backup
SMTP Default Server
Log Rotation
You can configure log rotation settings and schedule log rotation jobs.
Cisco.com Settings
You can configure Cisco.com Settings like:
Proxy Server Setup

You can update the proxy server configuration.
Apply Proxy Server Settings:
You can set up the proxy server details.

Remove Proxy Server Settings:
You can remove the proxy server settings that are already set up.
Cisco.com User Account Setup

You can add and modify Cisco.com user login names and password.
Licensing
You can register your software and obtain a product license.
18-2
OL-25947-01
Chapter 18

Software Center
This section explains the following Software Center task groups:
Schedule Device Downloads

You can schedule device package downloads and specify the time, frequency of the downloads, and
specify download policies if you have permissions.
Device Update
You can view a list of all Cisco Prime related devices packages on your system, and the count of
devices supported. The source location could be Cisco.com or the Server Side Directory.
Check For Updates
You can check for new device updates.

Delete Device Packages
You can delete packages that are outdated or no longer used.
Software Update
You can perform the following tasks:
Download Updates
You can download the selected updates from Software Center.

Select Updates
You can select new software packages to update the product.

Debug Settings
This section explains the following Debug Settings tasks:
Layer2 Configuration/Reports and User Tracking Debug Options

You can configure the debug options for Layer2 Configuration and Reports and User Tracking.
Config and Image Management debugging settings

Loglevel Settings - Defaults/Apply
You can set different logging levels such as Fatal, Error, Warn, Info, or Debug for individual
Config and Image Management packages.
IPSLA Debugging Settings

You can view, set or reset the log levels for all the modules of IPSLA Performance Management.

OL-25947-01
18-3
Chapter 18
VRF Lite Debug Settings

You can set debugging options for:
VRF Lite Server
VRF Lite Collector
VRF Lite Client
VRF Lite Utility
Common Services Log Configurations

You can enable or disable the debugging option for Common Services components without
restarting the services.

You can change the logging level of all the functional modules of Fault Management.

You can configure and manage log level settings of Device Performance Management function of
LMS.
System Preferences/Device Management Functions
You can configure system-wide information on the LMS Server.

You can also enable or disable LMS functions like:
Fault Management
User Management
This section explains the following User Management tasks:
Local User Setup

Edit User
You can modify a local user in LMS Server, assign roles, and specify the authorization type.
Delete User
You can delete a local user profile from the LMS Server.
Modify My Profile
You can modify your local user profile in LMS Server.

Add User
You can add a local user in LMS Server.

Import/Export Users
You can import local users from the client or from ACS. You can import local users from ACS
only through CLI and not from the UI.
You can export the local users.
18-4
OL-25947-01
Chapter 18

Notify Users
You can broadcast messages to online users.
Local User Policy Setup

You can setup username and password policies for local authentication users in LMS.
Role Management Setup

The Role Management tasks are listed below:
Delete Role
You can delete user-defined roles.

Add Role
You can add user-defined roles.

Edit Role
You can edit user-defined roles.

Import/ Export Roles
You can import roles in the XML format from the client.You can export roles in the XML
format. The file will be saved in the client.
Copy Role
You can use this option to copy a role.

Default Role
You can set a role as a default role. When multiple roles are set as default role, the user will be
assigned with all the roles selected as default roles.
Server Monitoring
This section explains the following Server Monitoring task groups:
Process
Start Processes
You can start the Cisco Prime processes.

Stop Processes
You can stop the Cisco Prime processes.
Collect Server Information

Create Collect Server Information
You can get the required information about the server.

This includes system information, environment, configuration, logs, web server information,
device and credentials administration information, and grouping services information.
Delete Collect Server Information
You can delete the collected server information.
DiskWatcher Configuration
You can configure disk space threshold level.

OL-25947-01
18-5
Chapter 18
Selftest
You can view self test reports to test some basic functions of the server.
Create Self test
You can test the basic functions of server.

Delete Self test
You can delete the collected self test information.

DBReader Access
You can run the DBReader utility from a Cisco Prime client to access the database and troubleshoot
database issues.
Group Management
The Groups feature helps you to group devices managed by LMS. It helps to create, manage and share
groups of devices. This section explains the following Group Management task groups:
Device Groups
Delete Group
You can delete a group from the Group Selector.

When you delete a group, all the child groups under the group are also deleted. You can also
delete the stale groups (groups that are belonging to users removed from Cisco Prime).
Edit Group
You can modify some of the device groups.

Export Group
You can export a selected group or all user-defined groups from all applications, to an output
file.
Group Refresh
You can recompute the membership of a group by re-evaluating the group's rule. The
membership of Automatic groups is recomputed dynamically.
Create Group
You can create device groups.

Import Group
You can import user-defined device groups from an input XML file.
Group Details
You can view the details of a group.

You can use your current authentication database for Cisco Prime authentication and select a login
module (Kerberos, TACACS+, RADIUS, and others), and set their options.
Backup
Allows you to backup the database regularly. It also lets you schedule immediate, daily, weekly, or
monthly automatic database backups.
18-6
OL-25947-01
Chapter 18

SMTP Default Server
You can specify the default SMTP server.

This section explains the following Trust Management task groups:
Multi Server
Local Server
Multi Server
You can perform the following multi-server management tasks:
Peer Server Certificate Setup

You can add the certificate of another LMS Server into its trusted store. This allows LMS Servers
to communicate with one another using SSL.
Delete Peer Certificate
You can delete the peer certificate.

View Peer Certificate
You can view the details of an existing peer certificate.

Add Peer Certificate
You can add the certificate of a peer LMS Server into its trusted store.
System Identity Setup

You can setup a System Identity user on servers that are part of a multi-server setup. This user
enables communication among servers that are part of a domain.
Peer Server Account Setup

You can create users who can log into LMS Servers and perform certain tasks.
Peer Server Accounts Delete
You can delete a secret user set up in the LMS Servers.

Peer Server Accounts Add
You can add a secret user who can programmatically login to multiple LMS Servers and perform
certain tasks.
Peer Server Accounts Edit
You can edit a secret user setup in the LMS Servers.

You can use your browser session to transparently navigate to multiple LMS Servers without
authenticating to each server.

OL-25947-01
18-7
Chapter 18
Local Server
Certificate Setup
You can create a self-signed certificate from the user interface.
Browser-Server Security Mode Setup

You can enable browser-server security.
Understanding Network Tasks

This section explains the following Network task groups:
Best Practices Deviation Settings
Monitor/ Troubleshoot
CAAM Policy and PSIRT/EOS and EOL Settings
Discovery Settings
Purge Settings
Resource Browser
Best Practices Deviation Settings
You can customize the Discrepancies Report and Best Practices Deviations Report to display only those
discrepancies and Best Practice Deviations about which you want to be notified.
Monitor/ Troubleshoot
This section explains the following Monitor and Troubleshoot tasks:
NAM Configuration
You can view, add, edit, or delete the NAM configuration details.
Load MIB
You can load a MIB file.
RMON Configuration
You can enable RMON on all ports in selected devices.
Fault Poller settings for topology

You can configure fault poller settings for Topology.
18-8
OL-25947-01
Chapter 18

This section explains the following Notification and Action Settings tasks:
Performance - Syslog notification

You can update, create, edit, or delete a syslog receiver group.

You can view, enable or disable IPSLA syslog configuration.
Performance - SNMP Trap notification

You can create, edit, or delete a trap receiver group.
Fault Syslog Notification

You can add, edit, suspend, resume, or delete a syslog notification subscription.
Fault - SNMP trap notification

You can add, edit, suspend, resume, or delete an SNMP trap notification subscription.
ChangeAudit Automated Actions

You can define automated actions on creation of change audit record. You can create, edit, delete,
enable, disable, export, or import an automated action.
Event Sets
You can configure a set of events that you want to monitor.
Fault - SNMP trap forwarding

You can forward SNMP traps from devices in the LMS inventory
Fault - SNMP trap receiving settings

You can update SNMP trap receiving port.
Fault - Email notification

You can add, edit, suspend, or resume a subscription for e-mail notification.
You can also delete e-mail notification subscriptions that are no longer useful or are redundant.
Syslog Message Filters

You can create, edit, delete, enable, disable, export, or import syslog message filter.
Fault Notification Customization

You can customize names and event severity.
Fault - Email subject customization

You can customize the e-mail subject for forwarded events.
Inventory and Config collection failure notification

You can configure the destination server and port to receive trap notification on inventory collection
or config fetch failure.
Syslog Automated Actions

You can create, edit, delete, enable, disable, export, or import a syslog automated action.
Fault Notification Group

You can add, edit, or delete fault notification groups.

OL-25947-01
18-9
Chapter 18
CAAM Policy and PSIRT/EOS and EOL Settings
This section explains the following CAAM Policy and PSIRT/EOS and EOL Settings task:
PSIRT/EOX reports option

You can use the PSIRT/EOX Reports option to change the data source for generating a PSIRT or
End-of-Sale or End-of-Life report.
Discovery Settings
This section explains the following Discovery Settings tasks:
Settings
You can:
View Discovery Settings
You can view the summary of device discovery settings.

Configure Discovery Settings
You can configure the settings required to run a discovery job.

Discovery Status
You can view the status of device discovery.

Start Stop Discovery
You can also start or stop a device discovery.
Schedule
You can add a device discovery schedule.
Purge Settings
This section explains the following Purge Settings tasks:
Config Job purge settings

You can configure the following config job settings:
Job Purge - Schedule/Enable/Disable/Purge Now
You can schedule, enable, or disable purging of configuration management jobs.

You can also immediately purge the jobs.
Job Purge
You can purge the config jobs.
Syslog Backup Settings

You can set the syslog backup policy.
IPSLA data Purge Settings
18-10
OL-25947-01
Chapter 18

You can set the purge period for IPSLA historical data and for audit reports. You can configure the
following IPSLA data Purge settings:
Apply IPSLA Purge Settings
You can apply IPSLA purge settings.

IPSLA Purge Settings
You can view IPSLA purge settings

Default IPSLA Purge Settings
You can apply default IPSLA purge settings.
Syslog Force Purge

You can perform a forced purge of syslog messages
Performance Job Purge Settings

You can configure the following performance Job purge settings:
Do Immediate Job Purge
You can immediately purge the performance jobs.

Schedule Job Purge
You can schedule a performance job purge.
Fault History Purging Schedule

Configure the daily fault history purging schedule.
VRF Lite Purge Settings

You can purge VRF Lite jobs or report archives.
ChangeAudit Force Purge

You can perform a forced purge of change audit.
Config Archive Purge Settings

You can define the configuration archive purge policy.
ChangeAudit Purge Policy

You can set the change audit purge policy.
Performance data purge settings

You can configure the following performance data purge settings:
Do Immediate Data Purge
You can immediately purge the performance data .

Schedule Data Purge
You can schedule a performance data purge.
Syslog Purge Settings

You can specify a default policy for the periodic purging of syslog messages.
Layer2 Services and User Tracking Report Purge

You can purge Layer2 services jobs or report archives.

OL-25947-01
18-11
Chapter 18
This section explains the following Software Image Management task:
View/Edit Preferences
You can set or change software management preferences
This section explains the following Configuration Job Settings tasks:
Assign Approver Lists

You can assign an approver list to the applications
Create/Edit Approver Lists

You can create, edit, or delete approver lists
Approver Details
You can specify approver details
Approval Policies
You can set up job approval for the applications
Config Job Policies

You can define the default job policies for configuration management applications
This section explains the following Device Credential Settings tasks:
User Defined Fields

You can add, rename, or delete the user-defined fields used to store additional information about a
device.
Register/Unregister 3rd Party Application in DCR
You can register or unregister third party applications in DCR.

Add User Defined Fields in DCR
You can add a User Defined Field to to store the additional information about a device.
Rename User Defined Fields in DCR
You can rename a User Defined Field.

Delete User Defined Fields from DCR
You can delete a User Defined Field.
Mode Settings
You can change DCR mode settings to master, slave or standalone.
Verification Settings
You can select the credentials that need to be verified while adding devices.
18-12
OL-25947-01
Chapter 18

This section explains the following Network Administration tasks:
Inventory Change Filter

You can set inventory change filters.
Exception Period
You can specify the time when no network changes should occur.
Resource Browser
This section explains the following Resource Browser tasks:
Browse Resources
You can view the details of resources and manage resources.
Free Resources
You can free-up locked resources.
Understanding Collection Tasks

This section explains the following Collection task groups:
Inventory Collection Settings
Config Collection Settings
Data Collection Settings
Syslog Collection Settings
Performance Collection Settings
User Tracking Collection Settings
Fault Collection Settings
VRF Lite Collection Settings
Inventory Collection Settings
You can set the default values for inventory, config timeout, and retry settings. This section explains the
following Inventory Collection Settings tasks:
Inventory Jobs
You can view the Inventory job browser, and view, create, stop, delete, or edit an inventory collection
or polling job.
Inventory, Config Timeout and Retry Settings

You can edit the inventory, config timeout, and retry settings.

OL-25947-01
18-13
Chapter 18
This section explains the following Config Collection Settings tasks:
Config Archive settings

You can configure the Config Archive settings. You can move the configuration archive location,
archive the running configuration, or enable or disable the use of shadow directory.

You can define the configuration collection setting. You can modify how and when the configuration
archive retrieves configurations.
Secondary Credentials Settings

You can enable or disable the secondary credentials fallback.
Config Transport Settings

You can view or define the protocol order for configuration management applications
Config Job Timeout Settings

You can configure the Job Result Wait Time per device for the Sync Archive jobs.
Data Collection Settings
This section explains the following Data Collection Settings tasks:
Data Collection schedule

You can schedule the day and time of Data Collection.
Start Data Collection

You can start Data Collection.
Layer2 Administration Settings

You can configure Layer2 administration settings.
Syslog Collection Settings
This section explains the following Syslog collection tasks:
Subscribe/Unsubscribe Collector
You can subscribe or subscribe to a Common Syslog Collector.
Collector Status/Update
You can view the status of the Common Syslog Collector to which the Syslog Analyzer is subscribed
to.
18-14
OL-25947-01
Chapter 18

Performance Collection Settings
This section explains the following Performance collection tasks:
IPSLA application settings

You can configure the following IPSLA application settings:
Copy IPSLA Configuration to Running-config
You can view the configured collectors in the running configuration. You can also retain the
default settings.
Set a source interface address
You can set a source interface address for the source router. You can also retain the default
settings.
Performance Management SNMP timeouts and retry settings

You can configure the Performance Management SNMP timeout and SNMP retries. You can also
configure other Poll Settings.
User Tracking Collection Settings
This section explains the following User Tracking collection tasks:
User Tracking device trap configuration

You can configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when
a host is connected to or disconnected from that port.
User Tracking Acquisition Action

You can trigger the following acquisitions:
Device based Acquisition
Subnet based Acquisition
IP Phone Acquisition
User Tracking trap listener configuration

You can configure the trap listener to direct the traps through HP Open View (HPOV) or LMS Fault
Monitor.
User Tracking Acquisition Settings

You can configure User Tracking Acquisition settings to collect usernames during UT Major
Acquisition and update the UT table.
User Tracking Acquisition Schedule

You can modify UT acquisition schedule.
User Tracking Administration Settings

You can configure the various User Tracking administration settings.

OL-25947-01
18-15
Chapter 18
Fault Collection Settings
This section explains the following Fault collection tasks:
Fault Management Rediscovery Schedule

You can suspend, or resume the Fault Management rediscovery schedule, and add, modify, or delete
additional schedules.

You can rediscover specific devices.
Fault Management SNMP timeouts and retries

You can modify the Fault Management SNMP timeout and retries.

You can view the report of successful and failed devices for fault discovery in this portlet.
Fault Event Forensics Configuration

You can enable the Event Forensics collection feature on LMS server to start collecting the event
forensics data.
VRF Lite Collection Settings
This section explains the following VRF Lite collection tasks:
VRF Lite SNMP Timeouts and Retries

You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular
device with SNMP timeout exceptions.
VRF Lite Collector Schedule

You can schedule the VRF Lite Collector process to run after every Data Collection. You can also
add, edit and delete VRF Lite Collector Schedule jobs.
Light Weight Messaging System
The Light Weight Messaging system allows you to perform the following task:
Event Listener
You can use this tool to send and receive events.
Jobs
You can perform the following Job tasks:
Browse Jobs
You can use the job browser and view the details of individual jobs.
Note
You should enable the Browse Jobs task to schedule any job across LMS.
Delete Job
You can use the job browser to delete the jobs.
Stop Job
You can stop the jobs using the job browser.
18-16
OL-25947-01
Chapter 18

Getting Started
You can perform the Getting Started tasks.

Manage Portal
You can manage all the portlets.

This section explains the following Report task groups:
Understanding Fault and Event Report Tasks
Understanding Report Archives Tasks
Understanding Report Designer Tasks
Understanding Inventory Report Tasks
Understanding Audit Report Tasks
Understanding Technology Report Tasks
Understanding Performance Report Tasks
Understanding System Report Tasks
Understanding Switch Port Report Tasks
Schedule Reports in Layer2 Services and User Tracking
User Tracking Job Archives
Layer2 Services Job Archives
Inventory/Syslogs/Change Audit Generate Reports
Inventory/Syslogs/Change Audit View All Reports
Inventory/Syslogs/Change Audit View Own Reports

OL-25947-01
18-17
Chapter 18
Understanding Fault and Event Report Tasks

This section explains the following Fault and Event report task groups:
Threshold Violation
Best Practices
Syslogs
History
Threshold Violation
You can generate this report which displays threshold violations details for each device based on the
polled data.
Thresholds
You can create reports based on the threshold configured for the MIB variable. You can create, or
view reports for specific threshold MIB variables. These reports are called IPSLA Threshold
Violation reports.
TrendWatch Summary
You can create consolidated reports based on the TrendWatches configured for the MIB variable.
You can create, view summary reports of TrendWatch MIB variables.
Best Practices
You can generate the following Best Practices and Discrepancy reports:
Acknowledge/Unacknowledge Discrepancy
You can acknowledge a Best Practice Deviation that you no longer want to see in the Best Practices.
You can also unacknowledge the acknowledged Best Practise Deviations to reappear in the Best
Practise Deviations Report.
Discrepancies
You can fix the discrepancies detected in the network.
Fix Best Practice Deviation

You can the fix Best Practice Deviation detected in the network.
Fix Discrepancy
You can the fix discrepancies detected in the network.
Deviation
You can view best practice deviation report.
Syslogs
You can use Custom Reports along with Syslogs to generate GOLD test reports.
You can also use Custom Reports along with Syslogs to generate Embedded Event Manager reports.
18-18
OL-25947-01
Chapter 18

History
You can search fault history database for device issues.
Event History
You can view the fault history report for a given event ID.
Event Monitor/ Device Fault

You can view information on events in device for the past 31 days.
Event Monitor is a centralized place where in you can view the event details of all devices and device
groups.
Understanding Report Archives Tasks

This section explains the following Report Archives task groups:
IPSLA
Inventory and Syslog
Layer2 Services and User Tracking
IPSLA
You can manage IPSLA archived reports. You can perform the following tasks:
List Report Archives

You can list the IPSLA report archives.
Delete Report
You can delete the IPSLA report archives.
Inventory and Syslog
You can view the list of the completed report jobs that you own or all report jobs.
Layer2 Services and User Tracking
You can view and delete archived Layer2 Services and User Tracking reports.
Understanding Report Designer Tasks

You can view, modify, or create new report templates for:
User Tracking
Syslog and Inventory
User Tracking
Custom Layouts
You can view the list of Custom layouts.
Custom Reports
You can customize the layout and columns displayed in the UT reports to suit your needs.

OL-25947-01
18-19
Chapter 18
Syslog and Inventory
Custom Report Template

You can create new report templates customized according to your requirements. You can also view,
add and edit, delete existing custom templates, view your own templates or view all templates.
Understanding Inventory Report Tasks

You can generate inventory reports and this section explains the following Inventory Report task groups:
Device Attributes
User Tracking
Management Status
Device Attributes
You can view device attributes report.

User Tracking
You can create, schedule, and view various UT reports like:
End Host History

You can view the login and logout information of the endhosts
User Tracking System and Custom Reports

You can view User Tracking system and custom reports
Management Status
You can generate device credentials, device and credentials admin reports, and inventory and config
Collection Status report.
Inventory and Config Collection Status

You can generate the Inventory and Config Collection Status Report which helps you to identify
possible causes for Inventory and Configuration collection failure and take timely corrective action.
Understanding Audit Report Tasks

You can generate audit reports like:
System
Performance
Inventory and Config
System
You can generate system audit report.
18-20
OL-25947-01
Chapter 18

Performance
You can generate performance audit report.

Inventory and Config
You can generate inventory and config audit report.
Understanding Technology Report Tasks

You can generate the following technology reports:
VLAN
VRF Lite
VLAN
You can generate VLAN reports for devices, switch clouds, or VTP domains.
VRF Lite
You can generate the following VRF Lite Reports:
VRF Lite and VRF Lite Readiness report

You can generate Device Based VRF-Lite reports and VRF Based reports. You can also generate the
VRF Lite Readiness report which provides the devices details that comply with the basic hardware
and software support available, in contrast to the required support on the devices to configure VRF.
Understanding Performance Report Tasks

This section explains the following Performance Report task groups:
Create Performance Report
View Performance Report
Poller
Device
Create IPSLA Report
View IPSLA Job Details
View IPSLA Report
Custom
Create Performance Report
You can generate, or view performance reports like:
Interface Report
Displays the Interface availability information of a device during the last 24 hours. It also displays
Interface utilization and error rate information for a device interface during the last 24 hours.
IPSLA Detailed Report

You can generate various IPSLA detailed reports.

OL-25947-01
18-21
Chapter 18
IPSLA Summary Report

You can generate system reports for all collectors based on the report types and granularity after the
consolidation of the statistical data.
EnergyWise Device Power Usage

Displays the power usage data for each device that is polled for the EnergyWise Device Power Usage
template.
EnergyWise Port Power Usage

Displays the power usage data for each port that is polled for the EnergyWise Port Power Usage
template.
PoE Port Utilization Report

Displays the port level utilization for each device polled for the Power Over Ethernet (PoE) Port
Utilization template.
PSE Consumption report

Displays the power utilization and losses for each device polled for the Power Over Ethernet PSE
Consumption template.
IPSLA Audit report

Displays all IPSLA related audit changes that occurred in the network during a specified time
period.
View Performance Report
You can view performance reports like:
Interface Report
IPSLA Detailed Report
IPSLA Summary Report
EnergyWise Device Power Usage
EnergyWise Port Power Usage
PoE Port Utilization Report
PSE Consumption report
IPSLA Audit report
Poller
You can:
View Poller Report

You can view Poller Reports based on the template added in a given Poller.
Create Poller Job

You can create Poller Reports based on the template added in a given Poller.
Device
You can view device availability and performance parameters of a device.
Device Performance
You can view performance parameters of a device.
18-22
OL-25947-01
Chapter 18

Create IPSLA Report
You can create IPSLA Reports and IPSLA Threshold Violation Reports. You can also reset the values
you entered.
View IPSLA Job Details
You can view details of IPSLA jobs.

View IPSLA Report
You can view IPSLA Reports, IPSLA Report Archives and IPSLA Threshold Violation Reports.
You can list and create IPSLA Audit Report.
Custom
You can create, or view custom reports.
Understanding System Report Tasks

You can generate administration and system reports. This section explains the following System task
groups:
Data Collection Metrics and Device Support
Users
ANI Server Analysis
Status
Data Collection Metrics and Device Support
You can view the duration of each data collection, and the device count. You can also view the icon,
name, and object ID of the supported devices.
Users
You can view information about users currently logged into LMS.
Who is Logged on
You can view information on users currently logged into LMS.
Permission Report
You can view information on roles and privileges.
ANI Server Analysis
You can analyze the ANI server performance.

Status
You can view the status of the processes running on the LMS Server.
Log File
You can view information on log file size and file system utilization.
Process
You can view the status of the processes running on the LMS Server.

OL-25947-01
18-23
Chapter 18
Understanding Switch Port Report Tasks

You can generate reports based on switch port status. This section explains the following Switch Port
Report task groups:
User Tracking Switch Port Usage
Ports
User Tracking Switch Port Usage
You can view reports on:
Connected PortsThe ports that are administratively UP and are connected to a device will be listed
here.
Free PortsThe Ports that are administratively UP but are not connected to a device will be listed
here.
Free Down PortsThe ports that are administratively down will be listed here.
You can also view the following reports:
Switch Port Capacity Report

Lists switches that have crossed utilization threshold limits, along with the value of percentage port
utilization.
Recently Down Ports

Displays:
Link ports that were connected to a device in the previous Data collection, but found
unconnected in the current Data Collection.

Access ports that were connected to an endhost in the last UT Major Acquisition cycle, but
found unconnected in the current Data Collection
Reclaim Unused Down Ports Report

Displays ports that have been in Unused Down state for a specified interval of time.
Reclaim Unused Up Ports Report

Displays ports that have been in Unused Up state for a specified interval of time.
Switch Port Summary Report

Displays the number of Connected, Free, and Free down ports in each switch.
Ports
You can view status of the ports.
Port Attributes
You can view information about the status of ports in the network
Schedule Reports in Layer2 Services and User Tracking
You can schedule reports of the Network, Layer 2, and User Tracking function of LMS.
User Tracking Job Archives
You can view archived reports of UT jobs.
18-24
OL-25947-01
Chapter 18

Layer2 Services Job Archives
You can view archived reports of Layer 2 services jobs.

Inventory/Syslogs/Change Audit Generate Reports
You can generate all Inventory, Syslog, and Change Audit reports.
Inventory/Syslogs/Change Audit View All Reports
You can view all Inventory, Syslog, and Change Audit reports.
Inventory/Syslogs/Change Audit View Own Reports
You can view all Inventory, Syslog, and Change Audit reports which you have generated.

This section explains the following Configuration task groups:
Understanding Configuration Archive Tasks
Understanding Configuration Tools Tasks
Understanding ConfigCLI Tasks
Understanding Configuration Workflows Tasks
Understanding Configuration Job Browsers Tasks
Understanding Compliance Tasks
Understanding Configuration Archive Tasks

This section explains the following Configuration Archive tasks:
Label Configs
Summary
Views
Label Configs
You can select configuration files from different devices, group and label them. You can manage Label
Configs.
Summary
You can view the configuration archival status and summary.

OL-25947-01
18-25
Chapter 18
Views
You can search archives using version tree and version summary. The tasks in Views are the following:
Custom Queries
You can create a custom configuration query that searches information about the specified
configuration files.
Search Archive
You can search the archive for configuration containing text patterns for selected devices.
Version Summary
You can view all archived configurations for selected devices.
Understanding Configuration Tools Tasks

This section explains the following Configuration Tools tasks:
NetConfig/Template Center
Config Editor
Software Repository
You can view, add, delete, or update the images that are available in the Software Management
repository.
Repository Synchronization
You can update the software repository.
Software/Patch Distribution
You can distribute software images in the network. You can also distribute patches simultaneously
to applicable devices.
Jobs
You can check the status of a scheduled Software Image Management job. You can view, edit, stop,
delete, retry or undo the job.
Upgrade Analysis
You can analyze images before distribution.
18-26
OL-25947-01
Chapter 18

NetConfig/Template Center
This section explains the following NetConfig and Template Center tasks:
Assign Tasks
You can assign tasks to a valid Cisco Prime user.
User Defined Tasks

You can create and edit user-defined tasks.
Adhoc Configuration-Template Center

You can deploy and import Adhoc Configuration template.
Jobs
View
You can view all NetConfig and Template Center jobs.

Create/Configure/Deploy/Import
You can deploy and import configuration templates in LMS. You can also create NetConfig
jobs.
Config Editor
This section explains the following Config Editor tasks:
Private Configs
You can view changes made to a configuration file in the private work area.
Edit Private Configs

You can save an edited configuration file in the private work area on the server and retrieve the saved
file when required.
Edit Public Configs

You can save an edited configuration file in the public work area on the server and retrieve the saved
file when required.
Delete Private Configs

You can remove a configuration file from the private work area on the server.
Delete Public Configs

You can remove a configuration file from the public work area on the server.
Public Configs
You can view changes made to a configuration file in the public work area.
Edit Mode Preference

You can set up the default editing mode.
Config Editor
You can open, edit, or print configuration files.
Jobs
You can create, edit, delete, copy, or stop Config Editor jobs.

OL-25947-01
18-27
Chapter 18
Understanding ConfigCLI Tasks

This section explains the following ConfigCLI tasks:
Delete
You can delete configurations older than a specified date from the configuration archive.
Compare With Baseline and Deploy
You can create a job that compares the given Baseline template with the latest version of the
configuration for a device and download the configuration to the device if there is a non-compliance.
List Version
Lists the different versions of configuration files archived in the archival system.
Create Parameter file
You can create a parameter file if the Baseline template containing the parameters is specified.
Compare With Baseline
You can compare the given Baseline template with the latest version of the configuration for a device.
Deploy Baseline
You can deploy the given Baseline template to a device.

Reload
You can reboot the devices, to load the running configuration with their startup configuration.
Get Configuration
You can retrieve the running configuration from the devices and push it to the configuration archive if
the running configuration is different than the latest version in the archive.
Run2Start
You can create a job that overwrites the startup configuration of device with running configuration.
Get Change Audit Data
You can get Change Audit data.

Write2Run
You can compare the latest running configuration for the device in the configuration archive with the
configuration in the file, to generate a new configuration that is downloaded to the device, so that the
configuration specified in the file is available on the running configuration of the device.
Export Configuration
You can retrieve the configuration for a device from the archive and write it to a specific file.
Compare
You can list the difference between versions of a device configuration.
18-28
OL-25947-01
Chapter 18

write2Start
You can erase the contents of the device's startup configuration and then write the contents of the given
file as the device's new startup configuration.
Export Configuration-xml
You can retrieve the configuration for a device from the archive and write it to a XML file.
Import Configuration
You can retrieve the configuration from a file, and push it to the device, adding to the device's running
configuration.
Get Inventory Data
You can get the inventory data for the devices.

Start2Run
You can merge the running configuration of any devices with their startup configuration to give a new
running configuration.
Put Configuration
You can retrieve the configuration from the configuration archive and push it to the device.
Understanding Configuration Workflows Tasks

This section explains the following Configuration Workflows tasks:
VLAN
VRF Lite
VLAN
This section explains the following VLAN Workflows tasks:
Configure Port Assignment

You can manage ports on your network VLAN.
Create/Delete Private VLAN

You can create and delete private VLANs
Configure Promiscuous Ports

You can configure a promiscuous port
Create/ Modify Trunk

You can create a trunk for a port, or modify trunk attributes.
Configure/ Delete VLAN

You can create and delete VLANs configured on the devices in the network.
VRF Lite
This section explains the following VRF Lite Workflows tasks:
VRF Configuration
You can create, edit, extend, delete and assign Edge VLAN to VRF.

OL-25947-01
18-29
Chapter 18
Understanding Configuration Job Browsers Tasks

This section explains the following Configuration Job Browsers tasks:
Job Approval
NetConfig
Config Editor
Job Approval
You can approve or reject a job for which you are an Approver. The job will not run until you or another
Approver approves it.
NetConfig
You can manage NetConfig jobs.

Config Editor
You can manage Config Editor jobs.
Understanding Compliance Tasks

This section explains the following Configuration Compliance tasks:
Out-of-Sync Summary
Compliance Templates
Out-of-Sync Summary
You can generate Out-of-Sync report for device groups.

Compliance Templates
This section explains the following Compliance Templates tasks:
Compliance Check
You can run a compliance check.
Direct Deploy
You can deploy a baseline template using a file system or UI.
Templates
You can manage a baseline template.
18-30
OL-25947-01
Chapter 18


This section explains the following Monitor task groups:
Understanding Performance Settings Tasks
Understanding Fault Settings Tasks
Understanding Threshold Settings Tasks
Understanding Troubleshooting Tools Tasks
Understanding Monitoring Tools Tasks
Understanding Performance Settings Tasks

You can configure performance settings like:
IPSLA
Setup
IPSLA
You can manage IPSLA devices, collectors, operations and outage settings
Devices
You can add devices to manage IPSLA functionality. You can:
Enable IPSLA Responder
You can enable IPSLA responder for the selected devices.

Update IPSLA Config
You can update the IPSLA responder enable or disable status. You can also save the latest
information configured in a device to the database.
View Devices
You can view all the IPSLA devices managed by LMS.

Edit Device Attributes
You can edit the device attributes like SNMP Retry and SNMP Timeout.
Delete devices
You can delete Adhoc target devices.

Add Adhoc Target
You can add adhoc target devices to the IPSLA Performance Management function in LMS if
you want to manage devices from an external source. The Adhoc devices may be either Cisco
devices or devices with a unique IP address.
Collectors
You can create, edit, delete, monitor, start, list, view, or stop collectors.
When you have the authorization to create collectors you can import, export and reconfigure
collectors.

OL-25947-01
18-31
Chapter 18
Operations
You can analyze IP service levels for IP applications and services. You can view operation details,
list, create, edit, or delete operations.
Outage Settings
You can view, list, create, edit, or delete planned outages.
Setup
You can setup auto monitoring, poller and template management
Automonitor
You can change the polling intervals.
Pollers
You can create and manage pollers. You can:
Edit Poller
You can edit pollers.

Clear Failures
You can clear all the failures recorded in the database for a Poller.
Clear Missed Cycle
You can clear all the polling interval cycles missed for a Poller.
Activate and Deactivate Poller
You can activate an inactive Poller to poll, or stops a Poller from polling.
View Failures
You can view failures that occurred during polling.

Create Poller
You can create a Poller.

List Performance Devices
You can view performance devices.

Delete Poller
You can delete a Poller.

Debug Performance Polling Engine
You can debug performance polling engine.

List / View Pollers
You can list or view Pollers.
Templates
You can create, copy, edit, list, delete, export, or import templates to monitor performance
parameter.
Device Performance Management Summary

You can view the Device Performance Management Summary portlet details. To access any custom
role, you should select Device Performance Management Summary.
18-32
OL-25947-01
Chapter 18

Understanding Fault Settings Tasks

You can set up the following fault settings tasks:
Setup
You can setup polling parameters, group priorities, and view device fault details.
Apply Changes
You can apply polling and threshold changes.

Polling Parameters
You can configure polling parameters.

Fault Device Details
You can view component details of a device.

Priority Settings
You can set priority for polling and thresholds.
Understanding Threshold Settings Tasks

You can configure pollers, manage templates, configure trendwatch.
This section explains the following Threshold Settings tasks:
TrendWatch
Performance
Fault
TrendWatch
You can create, activate, list and view, edit, copy, deactivate, or delete trendwatch for a MIB variable.
Performance
You can create, edit, delete, access, or, list and view thresholds for a MIB variable.
Fault
You can view the thresholds that are associated with device groups, trunk port groups, access port
groups, and interface groups.

OL-25947-01
18-33
Chapter 18
Understanding Troubleshooting Tools Tasks

You can troubleshoot network devices using various tools like NetShow and VRF-Lite. This section
explains the following Troubleshooting Tools tasks:
VRF Lite
NetShow
Connectivity Tools
Troubleshooting Workflows
VRF Lite
Ping and Traceroute/Show Commands

You can troubleshoot VRFs using Ping or Traceroute, or view the result of the VRF-specific show
commands
NetShow
Job Operations
You can perform tasks such as viewing job details, creating jobs, editing jobs, copying jobs, retrying
failed jobs, stopping jobs, and deleting jobs.
Command Set Operations

You can create, edit, or delete user-defined Command Sets.
Assigning Command Sets

You can assign command sets to network operators.
Command Sets
You can view the details of an existing Command Set.
NetShow Jobs/Show Commands

You can run NetShow commands and view NetShow jobs.
Connectivity Tools
You can use the following tools:
Device Center
You can launch the troubleshooting page by clicking device IPs.
Packet Capture
You can capture live data from the Cisco Prime machine to aid in troubleshooting.
SNMP Walk
You can trace the MIB tree of a device starting from a given OID for troubleshooting, or gathering
information about a certain device.
SNMP Set
You can set an SNMP object or multiple objects on a device for controlling the device.
Troubleshooting Workflows
You can troubleshoot network problems using the troubleshooting workflows. You can diagnose network
connectivity problems, or diagnose devices.
18-34
OL-25947-01
Chapter 18

Understanding Monitoring Tools Tasks

You can use fault and event monitor tools like:
Fault Monitor
Configure Inter-VLAN Routing
View Link Bandwidth utilization
Configure EtherChannel
Device Operation Discover Devices
View Trunk Attributes
Time Domain Reflectometer Report
Device Operation Delete Link
Spanning Tree Reports
Device Operation Delete Devices
Topology Services
Spanning Tree Configuration
Device Operation Change management IP
View Data Extraction Engine
Fault Monitor
You can view all the faults in a common place. It collects information of fault in devices in real-time and
display the information by a selected group of devices. You can clear or annotate faults.
It allows you to own the fault or clear them.
Configure Inter-VLAN Routing
You can configure Inter-VLAN Routing.

View Link Bandwidth utilization
You can view bandwidth utilization across links, in the Topology maps.
Configure EtherChannel
You can configure EtherChannel.

View Devices at Fault and Event Monitor
You can view devices available at Fault and Event Monitor.

Device Operation Discover Devices
You can discover devices for device operation.

View Trunk Attributes
You can view trunk attributes.

Time Domain Reflectometer Report
You can generate the TDR report that detect faults in a cable. TDR checks and locates open circuits, short
circuits, sharp bends, crimps, kinks, impedance mismatches, and other such defects.

OL-25947-01
18-35
Chapter 18
Device Operation Delete Link
You can remove a link from the Network Topology View.

Spanning Tree Reports
You can generate Spanning Tree reports

Device Operation Delete Devices
You can delete devices.

Topology Services
You can access the LAN Edge, Layer 2, and Unconnected Devices network views of managed domains
discovered in your network, and you can filter, access, or view network information or status.
Spanning Tree Configuration
You can configure Spanning Trees on the network.

Device Operation Change management IP
You can set a preferred management address to be used by LMS for devices which can have multiple IP
addresses.
View Data Extraction Engine
You can view Data Extraction Engine.

This section explains the following Inventory task groups:
Understanding Group Management Tasks
Understanding Job Browsers Tasks
Understanding Device Administration Tasks
Understanding Inventory Tools Tasks
Understanding Group Management Tasks

You can create and manage fault groups, IPSLA collectors groups, or ports and modules groups.
Fault groups
You can view, create, edit, delete fault groups, or refresh groups.
IPSLA Collector
You can view, create, edit, delete or refresh IPSLA collector groups.
18-36
OL-25947-01
Chapter 18

Understanding Job Browsers Tasks

You can view, create, edit, stop, retry, or delete device credentials verification jobs. You can also verify
device credentials.
Understanding Device Administration Tasks

You can manage devices and auto update the server. This section explains the following Device
Administration tasks:
Add / Import / Manage Devices
Add Managed Devices
Manage Device State
Device Allocation Policy
Add / Import / Manage Devices
You can manage devices in DCR. You can:
View Credentials
You can view device information for a single device or for multiple devices.
Export Devices
You can export a list of device and their credentials.
View Reports
You can generate the following reports:
Unreachable Devices
Displays the list of devices that are unreachable.

To generate this report, select Reports > Inventory > Management Status > Unreachable
Devices.
Excluded Devices
Displays the list of devices that should not be added in DCR.

To generate this report, select Reports > Inventory > Management Status > Excluded
Devices.
Imported Device Status
Displays the information about the devices that are imported into DCR.
To generate this report, select Reports > Inventory > Management Status > Imported Device
Status.
Known Device List
Displays the complete list and information of all devices in the repository.
To generate this report, select Reports > Inventory > Management Status > Known Device
List.
Device Administration
Displays the complete device list in DCR.

To generate this report, select Reports > Audit > Device Administration.

OL-25947-01
18-37
Chapter 18
Add Devices
You can add devices, device properties or attributes, and device credentials to the DCR.
View Devices
You can view devices in DCR.
Delete Devices
You can delete devices from DCR. You can also schedule device polling job and view the
Unreachable device report.
Bulk import
You can import multiple devices into DCR. You can also view the Imported device report.
Edit Devices
You can edit device information for a single device or for multiple devices.
Add Managed Devices
You can manually add managed devices without using the Device Allocation Policy.
Manage Device State
You can view the states of the devices.

Device Allocation Policy
You can configure the device management policy for Device Management.
Understanding Inventory Tools Tasks

You can use tools like:
CiscoView
Provides real-time views of networked Cisco Systems devices
Mini-RMON
Provides web-enabled, real-time, remote monitoring (RMON) information to users to facilitate
troubleshooting and improve network availability.

This section explains the following Work Center task groups:
Understanding Smart Install Tasks
Understanding Auto Smartports Tasks
Understanding Identity Tasks
Understanding EnergyWise Tasks
18-38
OL-25947-01
Chapter 18

Understanding Smart Install Tasks

You can configure and manage images using this plug-and-play configuration and image management
feature that provides zero-touch deployment for new switches.
Jobs
You can view the status, delete, stop or manage Smart Install jobs.
Readiness Assessment
You can assess the readiness of your network for Smart Install.
Getting Started
You can provision Smart Install for Day 1 operations.
Configure
You can configure, and manage the Smart Install director.
Understanding Auto Smartports Tasks

You can configure, apply and manage Auto Smartports macros on the ASP-capable devices
Getting Started
You can provision Auto Smartports for day 1 operations.
Jobs
You can view the status, delete, stop or manage Auto Smartport reports.
Configure
You can configure, and enable Auto Smartports on selected interfaces.
You can view Auto Smartports based device details after assessing the network.
Understanding Identity Tasks

You can create authentication, access control, and user policies to secure network resources and
connectivity.
Configure
You can configure Identity on Identity-capable devices.
Jobs
You can view the status, delete, stop or manage Identity jobs.
Reports
You can generate Identity reports.
Getting Started
You can provision Identity for Day 1 operations.
You can view Identity-based device details after assess the network.

OL-25947-01
18-39
Chapter 18
Understanding EnergyWise Tasks

You can manage and automate the energy management lifecycle of network.
You can view EnergyWise-based device details after assessing the network.
Jobs
You can view the status, delete, stop or manage EnergyWise jobs.
Getting Started
You can provision EnergyWise for Day 1 operations.
Reports
You can generate EnergyWise reports like:
Power Usage
You can generate EnergyWise power usage report.

Cost Savings
You can configure EnergyWise cost savings.
EnergyWise portlets
You can view EnergyWise portlets like:
EnergyWise Savings Trend Graph
EnergyWise Total Savings Graph
EnergyWise Power Consumption Graph
Manage Domains/General Settings

You can manage the configured EnergyWise domains.
You can configure the time to perform EnergyWise device collection, EnergyWise endpoint
collection, and EnergyWise compliance check.
Configure
You can configure energy management policies on devices and configure endpoints.
Manage Policies
You can manage the EnergyWise policies.

Manage Endpoint Groups
You can create an endpoint group of IP phones.

Configure Attributes on Endpoints
You can configure EnergyWise attributes.
Settings
You can configure EnergyWise collection, cost settings, and data purge settings.
Cost Savings
You can configure EnergyWise cost savings.

Purge
You can configure EnergyWise data purge settings.
18-40
OL-25947-01
Chapter 18


OL-25947-01
18-41
Chapter 18
18-42
OL-25947-01
Chapter 18


OL-25947-01
18-43
Chapter 18
18-44
OL-25947-01
Chapter 18


OL-25947-01
18-45
Chapter 18
18-46
OL-25947-01
A P P E N D I X
CLI Tools
This section explains all the CLI utilities that are available for the administrator in LMS 4.2.
Setting Up Local Users Through CLI
Managing Processes Through CLI
Using LMS Server Hostname Change Scripts
Using DCR Features Through CLI
User Tracking Command Line Interface
Understanding UTLite
User Tracking Debugger Utility
Administration Command Line Interface

OL-25947-01
A-1
Appendix A
CLI Tools

You can set up the local users through CLI. This feature helps you in:
Adding Local Users
Importing Local Users
Adding Local Users

You can add bulk local users through CLI. This feature allows you to specify a file that has information
about the local users as an input. The input file you use should be a plain text file.
Note
You can use this CLI command for both system and user-defined roles.
Each local user information should be represented in the following format in the text file:
Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword
where,
Username Local username. The local username is case-insensitive.
Password Password for the local user account name.

You can leave this field blank in the text file and enter the password in the command line when you
run the CLI utility.
Note that you should enter the password either in the command line or in the input text file. If you
mention the password in both the places, the local user will be added with the password specified in
the command line. On adding the user by giving password in the command line prompt, default role
will be assigned to the user if the role is missing in the input file.
E-mail E-mail address of the local user.

This is mandatory if you assign the approver role to the local user. Otherwise, this is optional.
Roles Roles to be assigned to the local user. You should assign one or more of the following roles
to the user separated by comma.
Help Desk
Approver
Network Operator
Super Admin
DeviceUnameDevice login username
DevicePasswordDevice login password
DeviceEnPassword Device enable password.
The following is an example of local user information to be represented in input text file:
A-2
OL-25947-01
Appendix A
CLI Tools
admin123:admin123:admin123@cisco.com:Help Desk,System
Administrator:admin:roZes123:roZes

OL-25947-01
A-3
Appendix A
CLI Tools
To add local users through CLI, enter the following commands:
NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -add Filename Password (on Solaris/Soft

Appliance)
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -add Filename Password (on Windows)
where,
Filename Absolute path of the filename containing local users information.
Password Common password for all user accounts specified in the input text file.
This command line parameter is optional if you have specified the passwords for local users in the
input text file. Note that you should enter the password either in the command line or in the input
text file.
If you specify this parameter, the local users are added to Cisco Prime only with this password
irrespective of the password entries specified in the input text file.
For example, enter the following command to add local users mentioned in the input file localuser.txt
with the password admin:
C:\progra~1\CSCOpx\bin\perl C:\progra~1\CSCOpx\bin\AddUserCli.pl -add
C:\files\localuser.txt admin
Even if you have entered password for the local users in the localuser.txt file, the local users are added
with the password mentioned in the command line.
Importing Local Users

This feature allows you to import local user information to the local server from a remote LMS Server.
You can import local users from ACS through CLI. See, Importing Users From ACS for more
information.
You should have the privileges to import local users from remote LMS Server through CLI.
Before you import users from a remote server, you should install the peer certificate of the remote server
in the local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate
To import users from a remote server, enter the following commands:
NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -import Protocol Hostname Portnumber

Username Password (on Solaris/Soft Appliance)
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import Protocol Hostname Portnumber

Username Password (on Windows)
where,
Protocol Protocol of the remote LMS Server.

The supported values are HTTP or HTTPS.
Hostname Hostname or IP Address of the remote LMS Server.
Portnumber Port Number of the remote LMS Server.
Username Remote LMS Server Login Username.
Password Remote LMS Server Login Password.
A-4
OL-25947-01
Appendix A
CLI Tools
For example, enter the following command to import the local users from the remote LMS Server
lmsdocpc:
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin

To import users from ACS through CLI, enter the following commands:
NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -importFromAcs Filename Password (on

NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -importFromAcs Filename Password (on

Windows)
where,
Filename Ouput of executing CSUtil.exe.
Password ACS password which is the default password assigned to all users.

To migrate user details from LMS 3.2 to LMS 4.x:
Step 1
Enter the command given below:

For Solaris and Soft Appliance:
/NMSROOT/lib/jre/bin/java -cp
/NMSROOT/lib/classpath:/NMSROOT/www/classpath:/NMSROOT/MDC/tomcat/shared/lib/
castor-0.9.5-xml.jar:/NMSROOT/MDC/tomcat/shared/lib/castor-0.9.5.jar
com.cisco.nm.cmf.servlet.CWPassMigration <cwpass file location> <output file name with .xml
extension>
where, NMSROOT is the directory where you have installed Cisco Prime.
Example:
/opt/CSCOpx/lib/jre/bin/java -cp
/opt/CSCOpx/lib/classpath:/opt/CSCOpx/www/classpath:/opt/CSCOpx/MDC/tomcat/shared/lib/
castor-0.9.5-xml.jar:/opt/CSCOpx/MDC/tomcat/shared/lib/castor-0.9.5.jar
com.cisco.nm.cmf.servlet.CWPassMigration /cwpass /output.xml
For Windows:
/NMSROOT/lib/jre/bin/java -cp
/NMSROOT/lib/classpath;/NMSROOT/www/classpath;/NMSROOT/MDC/tomcat/shared/lib/
castor-0.9.5-xml.jar;/NMSROOT/MDC/tomcat/shared/lib/castor-0.9.5.jar
com.cisco.nm.cmf.servlet.CWPassMigration <cwpass file location> <output file name with .xml
extension>

OL-25947-01
A-5
Appendix A
CLI Tools
Example:
C:/Progra~1/CSCOpx/lib/jre/bin/java -cp
C:/Progra~1/CSCOpx/lib/classpath;C:/Progra~1/CSCOpx/www/classpath;C:/Progra~1/CSCOpx/MD
C/tomcat/shared/lib/castor-0.9.5-xml.jar;C:/Progra~1/CSCOpx/MDC/tomcat/shared/lib/
castor-0.9.5.jar com.cisco.nm.cmf.servlet.CWPassMigration C:/cwpass C:/output.xml
Step 2
Move the output file to the client machine to import the user details.
Step 3
Go to Admin > System > User Management > Local User Setup.
Step 4
Click Import Users.
Step 5
Click Browse and select the output file from the client machine.
Step 6
Click Submit.
Migrating User Details using Selective Backup Method
The user details can be migrated from LMS 3.2 to LMS 4.x versions by remote upgrade procedure. The
inline upgrade does not support the direct migraiton of user details from LMS 3.2 to LMS 4.2.
Step 1
Take selective backup from LMS 3.2 using the command given below:
NMSROOT\bin>perl NMSROOT\bin\backup.pl
-dest=
<Backup Directory> system
Step 2
Move the backup to LMS 4.x server where data has to be restored.
Step 3
Stop the daemons on 4.x server
Step 4
Restore backup using the command given below:

NMSROOT\bin>perl NMSROOT\bin\restorebackup.pl
-d
<Backup Directory>
Step 5
Check for any errors on Restorebackup.log
Step 6
Start the daemons and check the user details once all the processes are up.
Note
Selective backup includes system settings, user details and jobs.

You can change the Cisco Prime user password using the Cisco Prime user password recovery utility.
To change the user password on Solaris/Soft Appliance:
Step 1
Enter /etc/init.d/dmgtd stop to stop the Daemon Manager.
Step 2
Set the LD_LIBRARY_PATH manually. The path is to be set as follows:

setenv LD_LIBRARY_PATH /opt/CSCOpx/MDC/lib:/opt/CSCOpx/lib
This environment variable set is applicable to the current working shell only.
A-6
OL-25947-01
Appendix A
CLI Tools
Now, you can change the password using the Cisco Prime user password recovery utility.
Step 3
Enter NMSROOT/bin/resetpasswd username at the command prompt.

Here NMSROOT refers to the Cisco Prime Installation directory.
A message appears:
Enter new password for username:
Step 4
Enter the new password.
Step 5
Enter /etc/init.d/dmgtd start to start the Daemon Manager.

OL-25947-01
A-7
Appendix A
CLI Tools
To change the user password on Windows:

Step 1
Enter net stop crmdmgtd to stop the Daemon Manager.
Step 2
Enter NMSROOT\bin\resetpasswd username at the command prompt.

A message appears:
Enter new password for username:
Step 3
Enter the new password.
Step 4
Enter net start crmdmgtd to start the Daemon Manager.

You can also manage the Cisco Prime processes through CLI. You can perform the following activities
through CLI:
Starting a Process
Stopping a Process

The pdshow command displays the details of the specified processes or all processes in the CLI prompt.
To display the details of all processes, enter:

/opt/CSCOpx/bin/pdshow (on Solaris/Soft Appliance)
pdshow (on Windows)
To display the details of one or more specified processes, enter:

/opt/CSCOpx/bin/pdshow ProcessName1 ProcessName2 (on Solaris/Soft Appliance)
pdshow ProcessName1 ProcessName2 (on Windows)
where ProcessName1 and ProcessName2 are the name of the processes.

The command displays the process details of one or more processes. See Viewing Process Details for
description of each of these items.
Process Name
Process State
Process ID
Process Return Code
Process Signal Number
Process Start Time
Process Stop Time
A-8
OL-25947-01
Appendix A
CLI Tools
The pdshow command additionally displays the following process details.

Process Details
Description
Core
Not applicable means the program is running normally.

CORE FILE CREATED means the program is not running normally and the
operating system has created a file called core*.
The core file stores important data about processes.
core* refers to the name of the core file.
The core file name contains the executable file name of the program and the process
ID.
For example, the name of the core file created for the Perl module is:
core.perl.51234
Information
Describes what the process is doing and how it is started.

Not applicable means the program is not running normally.
During the startup of Daemon Manager, sometimes the pdshow command may display information
message requesting you to wait and enter the command again.
This happens particularly when the Daemon Manager is busy in running the tasks one by one in the
queue. You must enter the command again to view the process details.

The pdshow -brief command displays the brief status of all processes or specified processes in tabular
format in the CLI prompt.
To display the brief details of all processes, enter:

/opt/CSCOpx/bin/pdshow -brief (on Solaris/Soft Appliance)
pdshow -brief (on Windows)

/opt/CSCOpx/bin/pdshow -brief ProcessName1 ProcessName2 (on Solaris/Soft Appliance)
pdshow -brief ProcessName1 ProcessName2 (on Windows)

The command displays the following details in tabular format:
Process Name
Process State
Process ID
For example, if you enter /opt/CSCOpx/bin/pdshow -brief Tomcat Apache in the command prompt,
the following output is displayed:
ProcessStatePid
***************
Tomcat
Program Started - No mgt msgs received13824
Apache
Running normally
13847

OL-25947-01
A-9
Appendix A
CLI Tools

The pdshow -stat command displays the statistics of all processes or specified processes in tabular
format.
You can enter this command only on Solaris systems.
Note
To display the brief details of all processes, enter:

/opt/CSCOpx/bin/pdshow -stat
(on Solaris/Soft Appliance)

/opt/CSCOpx/bin/pdshow -stat
ProcessName1 ProcessName2 (on Solaris/Soft Appliance)

The command displays the following details in tabular format in the command line.
Process Details
Description
Pid
Process ID
%CPU
CPU usage of a process at a particular time expressed in terms of percentage
RSS
Resident set size displayed in terms of KB
VSZ
Virtual memory size of process displayed in terms of KB
%MEM
Ratio of resident set size and physical memory expressed in terms of

percentage
NLWP
Number of light weight processes of the specified process
Process
Name of the process
Starting a Process
You must enter the following commands to start a process through CLI:
/opt/CSCOpx/bin/pdexec
pdexec
ProcessName (on Solaris/Soft Appliance)
ProcessName (on Windows)
The dependent processes are started first before the specified process is started.
If the process is being restarted after a shutdown, any dependent processes registered with the Daemon
Manager is not automatically restarted. Dependent processes are automatically restarted only when the
Daemon Manager itself is restarted.
Stopping a Process
You must enter the following commands to stop a process through CLI:
/opt/CSCOpx/bin/pdterm
pdterm
ProcessName (on Solaris/Soft Appliance)
ProcessName (on Windows)
The dependent processes are also shut down using this CLI command.
A-10
OL-25947-01
Appendix A
CLI Tools

Cisco Prime provides an option to use security certificates issued by third party certificate authorities
(CAs). You may want to use this option in cases where your organizational policy prevents you from
using Cisco Prime self-signed certificates or requires you to use security certificates obtained from a
particular CA.
You can use these certificates to enable SSL when you need secure access between LMS Server and your
client browser. You can do the following:
Uploading Third Party Security Certificates to LMS Server
Uploading Third Party Security Certificates to LMS Server

You can upload Third Party Security Certificates using the SSL Utility Script.
Note
Cisco Prime does not support third-party certificates with Subject Alternative Names.
This utility is available at:
Note
NMSROOT\MDC\Apache (On Windows)
NMSROOT/MDC/Apache/bin (On Solaris/Soft Appliance)
The maximum supported public key value is 1024 bits.

This utility has the following options:
Number Option
1
Display LMS Server

certificate
information
What it Does...
For third party issued certificates, this option displays the details
of the server certificate, the intermediate certificates, if any, and
the Root CA certificate.
Display the input

certificate
information
Displays the Certificate details of the LMS Server.
Verifies if the certificate is valid.
This option accepts a certificate as an input and:
Verifies whether the certificate is in encoded X.509 certificate

format.
Displays the subject of the certificate and the details of the

issuing certificate.
Verifies whether the certificate is valid on the server.
Generates a list of all Root CA Certificates.

Display Root CA
certificates trusted by
LMS Server

OL-25947-01
A-11
Appendix A
CLI Tools
Number Option
What it Does... (continued)
Verifies whether the server certificate issued by third party CAs, can
be uploaded.
Verify the input

certificate or
certificate chain
When you choose this option, the utility:
Verifies if the certificate is in Base64 Encoded X.509Certificate

format.
Verifies if the certificate is valid on the server
Verifies if the server private key and input server certificate

match.
Verifies if the server certificate can be traced to the required

Root CA certificate using which it was signed.
Constructs the certificate chain, if the intermediate chains are

also given, and verifies if the chain ends with the proper Root
CA certificate.
After the verification is successfully completed, you are prompted to

upload the certificates to LMS Server.
The utility displays an error:
If the input certificates are not in required format
If the certificate date is not valid or if the certificate has already

expired.
If the server certificate could not be verified or traced to a root

CA certificate.
If any of the intermediate Certificates were not given as input.
If the server private key is missing or if the server certificate that

is being uploaded could not be verified with the server private
key.
You must contact the CA who issued the certificates to correct these
problems before you upload the certificates to Cisco Prime.
A-12
OL-25947-01
Appendix A
CLI Tools
Number Option
You must verify the certificates using option 4 before you select this
option.
Upload single server

certificate to LMS
Server
Select this option, only if there are no intermediate certificates and

there is only the server certificate signed by a prominent Root CA
certificate.
If the Root CA is not one trusted by Cisco Prime, do not select this
option.
In such cases, you must obtain a Root CA certificate used for signing
the certificate from the CA and upload both the certificates using
option 6.
When you select this option, and provide the location of the
certificate, the utility:
Verifies whether the certificate is in Base64 Encoded X.509

certificate format.

Verifies whether the certificate is valid on the server.
Verifies whether the server private key and input server

certificate match.
Verifies whether the server certificate can be traced to the

required Root CA certificate that was used for signing.
After the verification is successfully completed, the utility uploads

the certificate to LMS Server.
If the input certificates are not in required format

expired.

CA certificate.

key.
problems before you upload the certificates in Cisco Prime again.

OL-25947-01
A-13
Appendix A
CLI Tools
Number Option
You must verify the certificates using option 4 before you select this
option.
Upload a certificate
chain to LMS Server
Select this option, if you are uploading a certificate chain. If you are
also uploading the root CA certificate also, you must include it as
one of the certificates in the chain.
When you select this option and provide the location of the
certificates, the utility:
Verifies whether the certificate is in Base64 Encoded X.509

Certificate format.

Verifies whether the certificate is valid on the server
Verifies whether server private key and the server certificate

match.
Verifies whether the server certificate can be traced to the root

CA certificate that was used for signing.
Constructs the certificate chain, if intermediate chains are given

and verifies if the chain ends with the proper root CA certificate.
After the verification is successfully completed, the server

certificate is uploaded to LMS Server.
All the intermediate certificates and the Root CA certificate are
uploaded and copied to the Cisco Prime TrustStore.
If the input certificates are not in required format.

expired.

CA certificate.
If any of the intermediate certificates were not given as input.

key.
problems before you upload the certificates in Cisco Prime again.
7
Modify Certificate
This option allows you to modify the Host Name entry in the LMS
Certificate.
You can enter an alternate Hostname if you wish to change the
existing Host Name entry.
A-14
OL-25947-01
Appendix A
CLI Tools
To upload the certificates:
Step 1
Stop the Daemon Manager from the Cisco Prime CLI:

On Windows:
Step 2
Navigate to the directory where the SSL Utility script is located.

On Windows:
a.
Go to NMSROOT\MDC\Apache
b.
Enter NMSROOT\bin\perl SSLUtil.pl
a.
Go to NMSROOT/MDC/Apache/bin
b.
Enter NMSROOT/bin/perl SSLUtil.pl
Step 3
Select option 4, Verify the input Certificate or Certificate Chain.
Step 4
Enter the location of the certificates (server certificate and intermediate certificate).
The script verifies if the server certificate is valid. After the verification is complete, the utility displays
the options.
If the script reports errors during validation and verification, the SSL Utility displays instructions to
correct these errors. Follow the instructions to correct those errors and then try to upload the certificates.
Step 5
Select option 5, if you have only one certificate to upload, that is if you have a server certificate signed
by a Root CA certificate.
Or
Select option 6, if you have a certificate chain to upload, that is if you have a server certificate and
intermediate certificates.
Cisco Prime does not allow you to proceed with the upload if you have not stopped the Cisco Prime
Daemon Manager.
The utility displays a warning message if there are hostname mismatches detected in the server
certificate being uploaded, but you can continue to upload the certificate.
Step 6
Enter the following required details:
Location of the certificate
Location of intermediate certificates, if any.
SSL Utility uploads the certificates, if all the details are correct and the certificates meet Cisco Prime
requirements for security certificates.
Step 7
Restart the Daemon Manager for the new security certificate to take effect.
Enable SSL to establish a secured connection between LMS Server and your client browser, if you have
not enabled already.

OL-25947-01
A-15
Appendix A
CLI Tools
Note
Note
Cisco Prime does not support third-party certificates with Subject Alternative Names.

Enabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms
Enabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft
Appliance Platforms
Disabling Browser-Server Security From the Command Line Interface (CLI) On Windows
Platforms
Disabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft
Appliance Platforms
Enabling Browser-Server Security From the Command Line Interface (CLI) On

Windows Platforms
To enable Browser-Server Security from CLI:
Step 1
Step 2
Navigate to the directory NMSROOT\MDC\Apache.
Step 3
Enter NMSROOT\bin\perl ConfigSSL.pl -enable
Step 4
Press Enter.
Step 5
If you have the required security certificates available on the server, Cisco Prime enables SSL.
If you do not have the security certificates on the server, Cisco Prime prompts you to create your
own self-signed certificate and enter the details required to create a self-signed certificate.
Create a self-signed certificate or use certificates you obtained from a Certification Authority (CA).
The LMS Server creates the security certificate. You can use this certificate to enable SSL in the LMS
Server from your client browser.
Step 6
Step 7
Step 8
a.
b.
A-16
OL-25947-01
Appendix A
CLI Tools
changes:
If you do not make the above changes, LMS Server will automatically redirect you to HTTPS mode with
port number 443. The port numbers mentioned above are applicable for LMS Server running on
Windows.
Enabling Browser-Server Security From the Command Line Interface (CLI) On

Solaris/Soft Appliance Platforms
To enable Browser-Server Security from CLI:
Step 1
Step 2
Navigate to the directory NMSROOT\MDC\Apache\bin.
Step 3
Enter ./ConfigSSL.pl -enable
Step 4
Press Enter.
Step 5
If you have the required security certificates available on the server, Cisco Prime enables SSL.
If you do not have the security certificates on the server, Cisco Prime prompts you to create your
own self-signed certificate and enter the details required to create a self-signed certificate.
Create a self-signed certificate or use certificates you obtained from a Certification Authority (CA).
The LMS Server creates the security certificate. You can use this certificate to enable SSL in the LMS
Server from your client browser.
Step 6
Step 7
Step 8
a.
b.

changes:
If your LMS Server is integrated with any Network Management Station (NMS) in your network using
the integration utility (NMIM), you must perform the integration every time you enable or disable SSL
in the LMS Server. This is required to update the application registration in NMS.
For more information, see the Integration Utility Online Help.

OL-25947-01
A-17
Appendix A
CLI Tools
Disabling Browser-Server Security From the Command Line Interface (CLI) On

Windows Platforms
To disable Browser-Server Security from CLI:
Step 1
Step 2
Navigate to the directory NMSROOT\MDC\Apache.
Step 3
Enter NMSROOT\bin\perl ConfigSSL.pl -disable
Step 4
Press Enter.
Step 5
Step 6
Step 7
a.
b.

following changes:
The port numbers mentioned above are applicable for LMS Server running on Windows.
Disabling Browser-Server Security From the Command Line Interface (CLI) On

Solaris/Soft Appliance Platforms
To disable Browser-Server Security from CLI:
Step 1
Step 2
Navigate to the directory NMSROOT\MDC\Apache\bin.
Step 3
Enter ./ConfigSSL.pl -disable
Step 4
Press Enter.
Step 5
Step 6
Step 7
a.
b.

following changes:
A-18
OL-25947-01
Appendix A
CLI Tools
If your LMS Server is integrated with any Network Management Station (NMS) in your network using
the Integration Utility (NMIM), you must perform the integration every time you enable or disable SSL
in the LMS Server. This is required to update the application registration in NMS.
For more information, see Integration Utility Online Help.

OL-25947-01
A-19
Appendix A
CLI Tools

To back up data using CLI on Windows and Solaris/Soft Appliance:
On Windows, run:
NMSROOT\bin\perl NMSROOT\bin\backup.pl BackupDirectory [LogFile]
email=[comma_separated_email_ids] [Num_Generations]
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/backup.pl BackupDirectory [LogFile]
email=[comma_separated_email_ids] [Num_Generations]
where,
BackupDirectoryDirectory that you want to be your backup directory. This is mandatory.
LogFile Log file name that contains the details of the backup
comma_separated_email_idsEmail IDs seperated by comma
Num_GenerationsMaximum backup generations to be kept in the backup directory.
To back up only selective data using CLI on Windows and Solaris/Soft Appliance:
On Windows, run:
NMSROOT\bin\perl NMSROOT\bin\backup.pl -dest=BackupDirectory -system
[-log=LogFile] -gen=Num_Generations]
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/backup.pl -dest=BackupDirectory -system
[-log=LogFile] [-gen=Num_Generations]
where,
-dest=BackupDirectoryDirectory
-systemCommand
-log=LogFile
-gen=Num_GenerationsMaximum
where the backed up data to be stored. This is mandatory.
line option that allows you to back up only the selected system configurations
from all applications instead of backing up the complete databases. This is mandatory.
Log file name that contains the details of the backup.
backup generations to be retained in the backup directory.

When you change the hostname of the LMS Server, you need to change the hostname related entries in
the Cisco Prime directories and files, registry entries, and databases.
LMS provides a CLI utility to update the new hostname information in the LMS related directories and
files, registry entries, and databases, after you have changed your hostname.
You can use the hostnamechange.pl script to update the hostname changes in all files, database entries
and registry entries.
Caution
Make sure that you run this command after you have changed your hostname and the appropriate entries
specific to the operating system are updated.
A-20
OL-25947-01
Appendix A
CLI Tools
Prerequisites
Before running the hostname change script, you should do the following:
Step 1
Update the hostname entries specific to operating system in your machine.

On Solaris:
/etc/hosts - Modify loghost to the new hostname.
/etc/hostname.hm0 or the appropriate interface file - Modify the file to the new hostname.
/etc/nodename or the appropriate interface file - Modify nodename to the new hostname.
For Solaris/Soft Appliance, the sys-unconfig command erases the hostname and IP addresses
pertaining to the Solaris/Soft Appliance system (not the LMS or SMS software) and guides you
through the server-renaming process. You can also do this when you change the hostname in the
hosts, hostname.hme0, and nodename files in the /etc directory.
On Soft Appliance:
To change the hostname in Soft Appliance operating system:
a.
Login to vSphere client.
b.
Select the server where you want to Run hostnamechange.pl.
c.
Login to the selected server as system admin.
d.
Stop the daemons before changing the hostname in CARS CLI, by runing the command
/etc/init.d/dmgtd stop in shell mode.
e.
Enter config terminal in the console.

Config prompt appears. Enter hostname <new host name>
f.
Exit from the configure prompt.
g.
Enter write memory.
On Windows:
To change the hostname in Windows operating system:
a.
Right-click the My Computer icon from the desktop and click System Properties.
Or
Click Start > Settings > Control Panel > System.
The System Properties dialog box opens.
Step 2
b.
Click the Computer Name tab.
c.
Click Change... on the Windows 2008 machine to open the Computer Name Changes dialog box.
d.
Enter the new hostname in the Computer Name field.
e.
Click OK to go back to System Properties dialog box.
f.
Click Apply to apply the changes.
Restart the machine.

You must restart the machine when you:
Step 3
Update the operating system specific hostname entries.
Stop the Daemon Manager by entering the following commands:

OL-25947-01
A-21
Appendix A
CLI Tools
net stop crmdmgtd
(on Windows)
Step 4
Run the hostname script without command line options. See Running the Hostname Change Script for
more information.
Step 5
Start the Daemon Manager by entering the following commands:
net start crmdmgtd
(on Windows)
A-22
OL-25947-01
Appendix A
CLI Tools
Running the Hostname Change Script

You can either:
Run the hostname change script without specifying any command line options
After you have restarted your system, ensure that you stop the Daemon Manager and then enter the
following command to run the hostname change CLI utility.
NMSROOT\bin\perl NMSROOT\bin\hostnamechange.pl (on Windows)
NMSROOT/bin/perl NMSROOT/bin/hostnamechange.pl (on Solaris/Soft Appliance)
Or
Run the hostname change script with command line options

Use this option to change the hostname only if the previous attempt of running this script had failed
and the hostname changes were unsuccessful.
You need not restart your machine to run the hostnamechange.pl CLI utility with command line
options
Enter the following command to run the hostnamechange.pl CLI utility:
NMSROOT\bin\perl NMSROOT\bin\hostnamechange.pl -ohost Old_ Hostname -nhost
New_Hostname -domain Domain (on Windows)

NMSROOT/bin/perl NMSROOT/bin/hostnamechange.pl -ohost Old_Hostname -nhost
New_Hostname -domain Domain (on Solaris/Soft Appliance)

where,
Old_ Hostname Old Hostname of the LMS Server
New_Hostname New Hostname of the LMS Server
Domain Domain name of the LMS Server. Entering domain name is optional.
The hostnamechange.pl script performs the following:
1.
Updates the new hostname of LMS Server in the following files:

/opt/CSCOpx/lib/classpath/md.properties (on Solaris/Soft Appliance)
/var/sadm/pkg/CSCOmd/pkginfo (on Solaris)
NMSROOT\lib\classpath\md.properties (on Windows)
2.
Changes ASName to the new hostname of LMS Server in the following files:
/opt/CSCOpx/lib/classpath/sso.properties (on Solaris/Soft Appliance)
NMSROOT\lib\classpath\sso.properties (on Windows)
3.
Updates the hostname in the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Resource Manager\CurrentVersion\Environment
The CLI utility looks for all the instances of hostname under these registry entries, and replaces
them with the new hostname.
4.
Changes the hostname in regdaemon.xml (NMSROOT/MDC/etc/regdaemon.xml).
5.
Changes the hostname in web.xml (NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml).

OL-25947-01
A-23
Appendix A
CLI Tools
6.
Creates a file NMSROOT/conf/cmic/changehostname.info, with the information on the updated

hostname in the format:
OldhostName:NewhostName
OldhostNamePrevious hostname as registered with CCR(regdaemon.xml)
NewhostNameCurrent hostname as registered with CCR(regdaemon.xml)
The entries for hostname in regdaemon.xml and changehostname.info should be identical.
The changehostname.info file resides in the LMS Server until you restart the Daemon Manager. This
file will not be available in LMS Server after the Daemon Manager is restarted.
7.
Deletes NS_Ref file on the following directories:

NMSROOT\lib\csorb (on Windows)
/opt/CSCOpx/lib/csorb (on Solaris/Soft Appliance)
The NS_Ref file is restored in LMS Server after the Daemon Manager is restarted.
8.
Starts the LMS 4.0 database and updates the database table entries with the new hostname. After
updating the database table entries, it stops the LMS 4.0 database.
9.
Detects and displays the details of the certificate in the LMS Server.
If the certificate is a third party certificate, you should regenerate your certificate with the new
hostname.
Or
If the certificate is a self-signed certificate, the script allows you to regenerate the certificate.
You can enter y to re-generate the certificate with the new hostname or n to re-generate the
certificate later. See Creating Self Signed Certificates for details.
After you have completed running the script, ensure that you:
Start the Daemon Manager by entering the following commands:

/etc/init.d/dmgtd start (on Solaris/Soft Appliance)
net start crmdmgtd (on Windows)
Redo the integration, if you have integrated any third party network management application to
Cisco Prime, using Integration Utility.
Re-import the certificates and redo the Multi-Server setup if the machine is part of a Multi-Server
setup.
For example, if you are changing the hostname of a machine that is configured as a Slave, then it
needs to reregister with the Master. If you are changing the hostname of a machine that is configured
as a Master, then all its Slaves need to be updated with the new Master hostname.
If the hostname of the machine changes, the stability of the system is not guaranteed and it fails in some
cases.
A-24
OL-25947-01
Appendix A
CLI Tools

Using Command Line Interface, you can add, delete, and modify devices, and change the DCR modes.
You can also view the list of attributes that can be stored in DCR, and view the current DCR mode. The
dcrcli provided with LMS helps you perform these tasks using CLI.
The Device Name and the Host Name/Domain Name combination must be unique for each device in
DCR. A device will be considered duplicate if:
The Device Name of a device is the same as that of any other device
The Host Name/Domain Name combination of a device is the same as that of any other device
Auto Update Device ID is the same as that of any other device (in case of AUS managed device)
Cluster and Member Number, together is same as that of any other device (in case of Cluster
managed device)
dcrcli operates in both the Shell and Batch modes. The Shell mode is interactive whereas the Batch mode
runs the specified command and exits to the prompt after the command is run.
You can set DCRCLIFILE environment to point to the file where LMS password is present. If you set
DCRCLIFILE variable, password will not be asked when you run dcrcli in shell or batch mode.
The password file should contain an entry in the format username password. Make sure that there is only
one blank space between the username and the password in the password file. For example, if admin is
the username and the password for the Cisco Prime user, the password file must contain the following
entry:
admin admin
This section has the following:
Viewing Device Details
Changing DCR Mode Using CLI

To view the current DCR mode in Shell mode:
Step 1
Enter NMSROOT/bin/dcrcli -u username.
Step 2
Enter the password corresponding to the username.
Step 3
Enter lsmode
It lists the DCR ID, the DCR Group ID, the current DCR mode, and the associated Master and Slaves.
To view the current DCR mode in Batch mode:

Step 1
Go to NMSROOT/bin
Step 2
Enter dcrcli -u Username cmd=lsmode

OL-25947-01
A-25
Appendix A
CLI Tools
Viewing Device Details

To view device details using dcrcli in Shell mode:
Step 1
Step 2
Enter the password corresponding to the username.
Step 3
Enter details id=DeviceID

This lists all the details about the device with the ID you have specified. For example,
detail id=54341
lists the details for the device with device ID 54341.
To view device details using dcrcli in Batch mode:

Step 1
Go to NMSROOT/bin
Step 2
Enter dcrcli -u Username cmd=detail id=DeviceID
Changing DCR Mode Using CLI

To change mode to Master in Shell mode:
Step 1
Step 2
Enter the password corresponding to the username
Step 3
Enter setmaster
The DCR mode gets changed to Master.
To change mode to Master in Batch mode:

Step 1
Go to NMSROOT/bin
Step 2
Enter dcrcli -u Username cmd=setmaster
To change mode to Standalone in Shell mode:

Step 1
Step 2
Step 3
Enter setstand
The DCR mode gets changed to Standalone.
A-26
OL-25947-01
Appendix A
CLI Tools
To change mode to Standalone in Batch mode:

Step 1
Go to NMSROOT/bin
Step 2
Enter dcrcli -u Username cmd=setstand
To change mode to Slave in Shell mode:

Step 1
Step 2
Step 3
Enter setslave master=value

You have to specify the Master for this slave.
The DCR mode gets changed to Slave. For example,
setslave master=1.2.1.3 port=443
To change mode to Slave in Batch mode:

Step 1
Go to NMSROOT/bin
Step 2
Enter dcrcli -u Username cmd=setslave master=value

You can use OGSCli command line utility to:
Export Groups to an output XML file
Import Groups to Grouping Server from an input XML file
You should have Network Administrator, System Administrator, or Super Admin privileges to use
OGSCli command line utility.
OGSCli runs in only Batch mode. It runs the specified command and exits to the prompt after the
command is run.
Exporting Groups Through CLI

OL-25947-01
A-27
Appendix A
CLI Tools
Exporting Groups Through CLI

To export groups through CLI:
Step 1
Step 2
Enter either one of the following:
NMSROOT/bin/OGSCli.sh -u CiscoPrime_Username (on Solaris/Soft Appliance)
Or
NMSROOT\bin\OGSCli -u CiscoPrime_Username (on Windows)
where,
CiscoPrime_Username is the login username of a Cisco Prime user.
For example, you can enter /opt/CSCOpx/bin/OGSCli.sh -u admin on Solaris/Soft Appliance systems.
The system prompts you to enter your Cisco Prime password.
Step 3
Enter your Cisco Prime password.

The system prompts you to enter a task name, import or export. The default task is export.
Step 4
Enter export.
The system prompts you to enter an output file name.
Step 5
Enter a file name for export output file with its absolute path name.
If you do not enter file name with its absolute path name, the export file will be stored on \nmsroot\bin.
A warning message appears indicating that the selected file will be overwritten with the new information
on exported groups.
The system uses the file name that you have entered to generate the output XML file irrespective of
whether the file exists on the server.
You should have the required directory-level permissions where you want to save the output XML file.
You must either enter y to continue or n to exit.
The system prompts you to enter an export group hierarchy.
Step 6
Enter All or the export group hierarchy name.

Default value is All.
For example, you can enter the group hierarchy name as /CS@doc-pc2/User Defined Groups/Group1.
The system generates an export format XML file and stores on the specified directory on the server.
A-28
OL-25947-01
Appendix A
CLI Tools

To import groups through CLI:
Step 1
Step 2
Enter either one of the following:
NMSROOT/bin/OGSCli.sh -u CiscoPrime_Username (on Solaris/Soft Appliance)
Or
NMSROOT\bin\OGSCli -u CiscoPrime_Username (on Windows)
where,
CiscoPrime_Username is the login username of a Cisco Prime user.
For example, you can enter /opt/CSCOpx/bin/OGSCli.sh -u admin on Solaris/Soft Appliance systems.
The system prompts you to enter your Cisco Prime password.
Step 3
Enter your Cisco Prime password.

The system prompts you to enter a task name, import or export. The default task is export.
Step 4
Enter import.
The system prompts you to enter the input XML filename.
Step 5
Enter the input XML filename with its absolute path name.
The system lists the groups to be imported from the source XML file.
Step 6
Enter your choices using the item numbers displayed for the listed groups.
You can enter one or more item numbers separated by comma.
The system lists the Grouping Server locations where you can import the groups.
Step 7
Enter your choices using the item numbers displayed for the listed Grouping Servers.
You can enter one or more item numbers separated by comma. You must enter 1 to import the selected
groups to all listed servers.
A message appears indicating whether the import of groups is successful.
See Exporting Groups for the possible causes for the import groups job to fail.

OL-25947-01
A-29
Appendix A
CLI Tools

You can delete groups that belonged to users removed from Cisco Prime. To delete a stale group, you
must run the DeleteStaleGroups utility.
To run the DeleteStaleGroups utility:
On Windows:
Step 1
Enter NMSROOT\bin
Step 2
Enter DeleteStaleGroups -user username -pfile passwordfile -staleuser StaleUser
Step 1
Enter NMSROOT/bin
Step 2
Enter DeleteStaleGroups.sh -user username -pfile passwordfile -staleuser StaleUser
The explanation for these optional entries are as follows:

-user:
Current user who has the necessary privileges to delete groups.
-pfile:
Absolute Path of the text file with Cisco Prime login password of the current user, in one line.
-staleuser:
The user whose group has to be deleted.
If you run the DeleteStaleGroups utility without specifying any of these optional entries, all the stale
groups will be deleted.

You can run User Tracking commands from the command line in Solaris/Soft Appliance and
Windows 2000.
Enter ut -cli options -u username -p password.
The options can be one or more of those shown in Table A-1.
Use the -prompt command if you do not want to enter your password from the command line. Using
-prompt prevents other users from running ps and seeing your password.
The -host option is required when you run the CLI command on a remote LMS Server.
A-30
OL-25947-01
Appendix A
CLI Tools
Table A-1
User Tracking CLI Commands
Option
Arguments
Function
-prompt
No keywords or
arguments.
This command is required if you do not enter your

password from the command line.
If -prompt is specified, User Tracking prompts you to
enter your password.
-help
No keywords or
arguments.
Prints the command line usage.
-ping
{enable | disable}
Enables the Ping Sweep option so that the ANI Server

pings every IP address on known subnets before
discovery. The default is the last setting used.
User Tracking does not perform Ping Sweep on large
subnets, for example, subnets containing Class A and B
addresses.
Hence, ARP cache might not have some IP addresses
and User Tracking may not display the IP addresses.
In larger subnets, the ping process leads to numerous
ping responses that might increase the traffic on your
network and result in extensive use of network
resources.
To perform Ping Sweep on larger subnets, you can:
Configure a higher value for the ARP cache

time-out on the routers.
To configure the value, you must use the
arp time-out interface configuration
command on devices running Cisco IOS.
Use any external software, which will enable you to

ping the host IP addresses.
This ensures that when you run User Tracking
Acquisition, the ARP cache of the router contains
the IP addresses.
-performMajorAcquisition
No keywords or
arguments.
Acquires data about all users and hosts on the network

and updates the LMS database.
This option starts an acquisition but does not wait for it
to complete.

OL-25947-01
A-31
Appendix A
CLI Tools
Table A-1
User Tracking CLI Commands (continued)
Option
Arguments
Function
-query
This option takes one of Queries the Topology and Layer 2 services module
the following
database and updates the User Tracking table.
arguments:
all
Gets all User Tracking entries. Similar to All Host

Entries or a simple query in the GUI.
name
Runs the named advanced or simple query, created

earlier in the GUI.
dupMAC
Finds duplicate MAC addresses.
dupIP
Finds duplicate IP addresses.
hub
Finds ports with multiple MAC addresses (hubs).
all
Gets all IP Phone entries.
name
Runs the named advanced query, created earlier in the

GUI.
-layout
layout_name
Uses the specified main table layout while performing a

query to fetch User Tracking display entries.
-layoutPhone
layout_name
Uses the specified IP phone table layout while

performing a query to fetch IP phone display entries.
-host
ANI Server device name Specifies the host name or IP address of the LMS
or IP Address
Server.
-queryPhone
Use this argument when you need to run the CLI

command on a remote LMS Server.
-port
ANI Server web port

number
Specifies the web server port number of the ANI Server.

The default is 1741.
-export
filename
Exports data to a text file.

You must first specify the -query option to fetch the
data that you want to export.
-import
filename
Imports lost or deleted UserName and Notes fields from

the last exported file.
-importMACToAcceptableOUI
filename
Imports MACs and converts them to OUI and adds the

MACs to the Acceptable OUI List.
For example:
cd NMSROOT/bin ut -cli
-importMACToAcceptableOUI filename -u username
-p password
-stat
No keywords or
arguments.
Displays statistical information, such as time of last

acquisition, acquisition status, number of records in the
User Tracking database, and so on.
-debug
No keywords or
arguments.
Enables trace and debug messages for the

User Tracking client application.
A-32
OL-25947-01
Appendix A
CLI Tools
Table A-1
User Tracking CLI Commands (continued)
Option
Arguments
Function
-wireless
No keywords or
arguments.
Displays detailed information on Wireless clients

connected to the network.
If you enter this option along with the export option,
data can be exported to a text file.
For example:
NMSROOT/campus/bin ut -cli -wireless -export
c:/sample -u username -p password
-switchPortCapacity
For complete details on this, see Exporting Switch Port Usage Report.
-switchPortreclaimreport
For complete details on this, see Exporting Switch Port Usage Report
-switchPortSummary
For complete details on this, see Exporting Switch Port Usage Report
For details on Lookup Analyzer Script, see Using Lookup Analyzer Utility

OL-25947-01
A-33
Appendix A
CLI Tools
Exporting Switch Port Usage Report

Switch Port Capacity report lists switches whose utilization percentage falls in the specified range.
Switch Port Reclaim reports lists:
Ports that are administratively up or down

and
Ports that were previously connected to an endhost or a device but are unconnected at least for a
period of one day.
Switch port usage reports can be generated from the command prompt as given in Table A-2:
Table A-2
Switch Port Reports from the Command Prompt
Purpose
Command
Switch Port Capacity Report

To generate reports where the utilization is
less than the specified percentage (for all
devices managed by LMS)
less than the specified percentage (for
specific devices)
greater than the specified percentage (for all
devices managed by LMS)
greater than the specified percentage (for
specific devices)
NMSROOT/campus/bin ut -cli
60 -devices all
-switchPortCapacity lessthan
-export
60 -devices
10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u
username -p password
-switchPortCapacity lessthan
60 -devices all
-switchPortCapacity greaterthan
-export
-switchPortCapacity greaterthan 60 -devices
10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u
To generate reports where the utilization falls NMSROOT/campus/bin ut -cli

between the specified range (for all devices -switchPortCapacity between 10 60 -devices all
managed by LMS)
-export c:/sample -u username -p password
To generate reports where the utilization falls NMSROOT/campus/bin ut -cli
between the specified range (for specific
-switchPortCapacity between 10 60 -devices
devices)
10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u
A-34
OL-25947-01
Appendix A
CLI Tools
Table A-2
Switch Port Reports from the Command Prompt
Purpose
Command
Switch Port Reclaim Report
Generates reports for unused ports that are in up or

down state.
To generate Reclaim Unused Up Ports report NMSROOT/campus/bin ut -cli

(for all devices managed by LMS)
-switchPortReclaimReport type up days 2
-devices all -export c:/sample -u username -p
password
To generate Reclaim Unused Up Ports report NMSROOT/campus/bin ut -cli
(for specific devices)
-switchPortReclaimReport type up days 2
-devices 10.77.1.2,10.77.3.4 -export c:/sample -u
To generate Reclaim Unused Down Ports
report (for all devices managed by LMS)
2
c:/sample -u username -p
-switchPortReclaimReport type down days

-devices all -export
password
To generate Reclaim Unused Down Ports
report (for specific devices)
2
10.77.1.2,10.77.3.4 -export c:/sample -u
-switchPortReclaimReport type down days
-devices
Switch Port Summary Report
Generates reports that gives the number of Connected,

Free, and Free down ports in each switch.
To generate Switch Port Summary report for

all devices
-switchPortSummary -devices all -export

To generate Switch Port Summary report for
select devices
-switchPortSummary -devices 10.77.1.2,10.77.3.4
-export c:/sample -u username -p password
where NMSROOT is the directory where you installed Cisco Prime.
Note
The above commands can be run in a Solaris/Soft Appliance machine. To run the same commands in
Windows, replace all forward slash (/) with reverse slash (\).
The report generated by the above options is saved as a file in the CSV format, at the specified location.
You can generate various Switch Port Usage reports, select Reports > Switch Port.

Lookup Analyzer is a utility used to analyze the performance of DNS servers and provide the following
information:
DNS Server Efficiency for each DNS Server
Overall Summary of DNS Servers

OL-25947-01
A-35
Appendix A
CLI Tools
Namelookup related settings in ut.properties file
Issues found and recommendations to overcome them

The utility file is NMSROOT/campus/bin/LookupAnalyzer.sh
If dir is the directory where the file is present, run the following command to run the utility:
dir# ./LookupAnalyzer
For Windows:
The utility file is NMSROOT\campus\bin\LookupAnalyzer.bat
If dir is the directory where the file is present, run the following command to run the utility:
dir> LookupAnalyzer
Example output of the Lookup Analyzer script:
Host IP: 172.20.123.74, DNS Server: 64.104.76.247, Time taken: 35, Status: FAILURE
Host IP: 172.20.123.74, DNS Server: WINS, Time taken: 22, Status: FAILURE
Host IP: 10.77.209.254, DNS Server: 64.104.128.248, Time taken: 18, Status: FAILURE
..
..
DNS Server
: 64.104.128.248
Success Count: 12
Failure Count: 76
Failure %
: 86 %
Total Time
: 1 secs 561 ms
Min Time
: 0 ms
Max Time
: 52 ms
Avg Time
: 17 ms
Server Efficiency(successCount/totalTime): 7.0
-------------------------------DNS Server
: 64.104.76.247
Success Count: 0
Failure Count: 76
Failure %
: 100 %
Total Time
: 2 secs 729 ms
Min Time
: 0 ms
Max Time
: 61 ms
Avg Time
: 35 ms
-------------------------------DNS Server
: WINS
Success Count: 0
Failure Count: 76
Failure %
: 100 %
Total Time
: 750 ms
Min Time
: 0 ms
Max Time
: 23 ms
Avg Time
: 9 ms
-------------------------------Overall Summary
----------------Success Count: 12
Failure Count: 76
Failure %
: 86 %
----------------Current Namelookup Related Settings
--------------------------------UTMajorUseDNSSeperateThread: false
UT.nameResolution: both
A-36
OL-25947-01
Appendix A
CLI Tools
UT.nameResolution.threadCount: 1
UT.nameResolution.winsTimeout: 2000
UT.nameResolution.threadThresholdPercentage: 10
UT.nameResolution.dnsTimeout: 2000
UTMajorUseDNSCache: false
nameserver.usednsForUT: true
DB.dsn: ani
--------------------------------ISSUES/RECOMMENDATIONS
----------------------Issue #1: Failure Percent is greater than 20%
Recommendation: Check all DNS/WINS entries and ensure proper hostnames are configured
Issue #2: DNS reverse lookup is NOT done as separate process
Recommendation: Enable UTMajorUseDNSSeperateThread=true in ut.properties
Issue #3: Name Resolution DNS server order is not optimal
Recommendation: Change dns server order as 64.104.128.248=7.0, 64.104.76.247=0.0,
WINS=0.0,
Other Recommendations:
* If hostnames in your network are less likely to change often, set
UTMajorUseDNSCache=true
* If reverse lookup failure % is more, try increasing UT.nameResolution.winsTimeout,
UT.nameResolution.dnsTimeout and UT.nameResolution.threadThresholdPercentage
* Optimal timeout values are: UT.nameResolution.winsTimeout=0,
UT.nameResolution.dnsTimeout=48
The script can also be run by setting properties in the ut.properties file.
UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active
Directory, and Novell servers.
To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell
servers. You can also install UTLite in an Active Directory server.
UTLite sends traps to LMS whenever a user logs in or logs out. UTLite traps are processed by LMS at
the rate of 150 traps per second, with a default buffer size of 76800.
If you need a higher trap processing rate, say 300 traps per second, increase the buffer size to 102400.
To increase the buffer size:
Step 1
Enter pdterm UTLITE at the command line to stop the UTLite process.
Step 2
Open utliteuhic.properties located at

NMSROOT\campus\lib\classpath\com\cisco\nm\cm\ut\uhic\utlite\properties\
Step 3
Set Socket.portbuffersize=102400
Step 4
Enter pdexec UTLITE at the command line to start the UTLite process.
Caution
Increasing the buffer size beyond 102400 results in performance degradation of UTLite.

OL-25947-01
A-37
Appendix A
CLI Tools
To receive UTLITE events:

Step 1
Open utliteuhic.properties located at

NMSROOT\campus\lib\classpath\com\cisco\nm\cm\ut\uhic\utlite\properties\
Step 2
Change the property of URTlite state by changing the value from "URTlite.state=disable" to
"URTlite.state=enable".
Or
You can change the property of URTlite state by launching LMS. Select the Acquisition Settings option
from Admin > Collection Settings > User Tracking > Acquisition Settings. The Acquisition Settings
page appears. In the Acquisition Settings page, check the Get user names from hosts in NT and NDS
domains and click Apply.
Note
The servers should be DNS resolvable to get the events from the clients. Else we have to make entry in
%WINDIR%\system32\drivers\etc\hosts.
The UTLite script is supported on these platforms:
Windows NT
Windows 2000
Windows XP
Windows 2003
Windows Vista
Novell Directory Services (NDS)
Windows 7 (Client OS support)
The UTLite script is not supported on these UNIX hosts:
Solaris
HP-UX
AIX
Installing UTLite Script on Active Directory/Windows
Installing UTLite Script on NDS
Uninstalling UTLite Scripts From Windows
Uninstalling UTLite Scripts From Active Directory
Uninstalling UTLite Scripts From NDS
Installing UTLite Script on Active Directory/Windows

You must install the UTLite script on the Active Directory server and update the servers logon script
to get user logon information from Active Directory hosts.
A-38
OL-25947-01
Appendix A
CLI Tools
You must have Administrator privileges on the Active Directory server to install the UTLite logon
script. To install the script:
Step 1
Copy the required files to the Active Directory server:

a.
Log into the Active Directory server as Administrator.
b.
Obtain the UTLite files from the Server Configuration:

NMSROOT\campus\bin\UTLite33.exe
NMSROOT\campus\bin\UTLiteNT.bat
where NMSROOT is the directory in which you installed Cisco Prime.
c.
Copy the UTLiteNT.bat and UTLite33.exe files into the NETLOGON folder.
NETLOGON is located at:
%SystemRoot%\sysvol\sysvol\domain DNS name\scripts,
where %SystemRoot% is usually c:\winnt and domain DNS name is the DNS name of the domain
Note
Step 2
For Windows 2000 and NT servers, the NETLOGON folder is located at:
%SYSTEMROOT%\system32\Repl\Import\Scripts
Edit the UTLiteNT.bat file:
a.
Open the UTLiteNT.bat file.
b.
Locate the following line and replace domain and ipaddress with the domain name of the Windows
domain controller and IP address of the computer running the Campus Manager server:
start
%WINDIR%\UTLite33 -domain domain -host ipaddress -port 16236
For example:
start %WINDIR%\UTLite33 -domain cdiclab.cisco -host 192.168.152.228 -port 16236
If port 16236 is already in use, enter a different number. This port number must match the number
that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page
(Select Admin > Collection Settings > User Tracking > Acquisition Settings).
For more details, see Modifying UT Acquisition Settings.
Step 3
Edit the user profile on the Active Directory server to run the UTLiteNT.bat file when users log in to the
network by editing the profile of the user as shown in Figure A-1:

OL-25947-01
A-39
Appendix A
CLI Tools
Figure A-1
Active Directory User Profile
Here, in the User profile section of the window, the Profile path is set to be:
C:\windows\sysvol\sysvol\domain\scripts
The Logon script is set to be:
UTLiteNT.bat
Step 4
Update the domain controller logon script for each Windows domain that you add.
The first time users log into the network after you edit this script, UTLite33.exe is copied to the local
WINDIR directory on their Windows client system.
Installing UTLite Script on NDS

You must install the UTLite script on the Novell Server and update the domain controller logon script,
to get user logon information from Windows hosts. You only need to do this once for each domain.
You must have ZenWorks installed and running on the Novell Server, and you must be using NDS 5.0
or later.
To install the script:
Step 1
Copy the required files to the Novell Server.
Step 2
Log into the Novell Server as Administrator.
A-40
OL-25947-01
Appendix A
CLI Tools
Step 3
Obtain the UTLite files from the LMS Server:
NMSROOT\campus\bin\UTLite33.exe
NMSROOT\campus\bin\UTLiteNDS.bat
where NMSROOT is the directory in which you installed Cisco Prime.
Step 4
Create a folder in \\Novell Server Name\SYS\public and copy UTLiteNDS.bat and UTlite33.exe to the
folder.
Step 5
Edit the UTLiteNDS.bat file:
Step 6
Open the UTLiteNDS.bat file.
Step 7
Locate the following line and replace domain and ipaddress with the domain name of the Windows
domain controller and IP address of the computer running the LMS server:
start
%WINDIR%\UTLite33 -domain domain -host ipaddress -port 16236
If port 16236 is already in use, enter a different number. This port number must match the number
that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page
(Select Admin > Collection Settings > User Tracking > Acquisition Settings).
For more details, see Modifying UT Acquisition Settings.
Edit the logon scripts.
Step 8
Enter \\Novell_Server_Name\SYS\public\NaL.exe at the command prompt.
Step 9
Click NWAdmin32 to run the Novell Netware Administrator program.
Step 10
Right-click on the users or organizational units whose logon scripts you want to modify and select
Details.
Step 11
Click Login Script and enter:

@\\%FILE_SERVER%\sys\public\your_folder_name\UTLiteNDS.bat where your_folder_name is
the name of the folder you created in Step 1.
Uninstalling UTLite Scripts From Windows

If you choose not to have LMS server automatically collect user names, follow these instructions to
properly remove the UTLite scripts. To uninstall the script:
Step 1
Remove UTLiteNT.bat and UTLite33.exe files from each primary domain controller.
Step 2
Remove the call to run UTliteNT.bat from users' logon scripts.
Step 3
Delete UTLite33.exe from the WINDIR directory of all Windows clients.

To quickly locate the WINDIR directory, enter set windir from a command prompt window on each
client.
Uninstalling UTLite Scripts From Active Directory

If you choose not to have LMS server automatically collect user names, follow these instructions to

OL-25947-01
A-41
Appendix A
CLI Tools
Step 1
Remove UTLiteNT.bat and UTLite33.exe files from each Active Directory server.
Step 2
Remove the call to run UTliteNT.bat from users' logon scripts.
Step 3
Delete UTLite33.exe from the WINDIR directory of all Windows clients.

client.
Uninstalling UTLite Scripts From NDS

If you choose not to have LMS server automatically collect user names, you must perform these steps to
Step 1
Remove UTLiteNDS.bat and UTLite33.exe files from the Novell Server.
Step 2
Remove the line added to the login scripts for all users and organizational units.
Step 3
Delete UTLite33.exe from the WINDIR directory of all clients.

client.

The User Tracking Debugger Utility is a command line tool to help debug common problems with User
Tracking. This section contains:
Understanding Debugger Utility
Using Debugger Utility
Understanding Debugger Utility

The utility displays a report on the reasons why User Tracking failed to discover end hosts on specific
ports.
In many cases, User Tracking may not perform as expected. This may be because of problems in other
LMS applications. For instance LMS Server may have devices that are not discovered or inadequate
VLAN discovery in Topology Services.
You can run the utility to troubleshoot problems, or provide the report and log generated by the utility
when you contact TAC for help in diagnosing problems.
The debugger utility uses the data collected by LMS Server and reports the reasons for the missing ports
in User Tracking.
This tool also has an SNMP component embedded which runs an SNMP query for the table as a part of
verification for SNMP failure. For example, SNMP bugs in Catalyst operating system because of which
User Tracking may fail to discover devices.
This generates an Action Report that you can use to analyze the data.
A-42
OL-25947-01
Appendix A
CLI Tools
The Debugger Utility:

1.
Checks the switch ports in a sequential order.
2.
Reports violation of basic rules for each of the missing ports such as link ports and trunk ports.
3.
Checks for SNMP retrieval of data, if the ports pass the validity check.
4.
Generates an Action Report suggesting possible remedial actions to retrieve the valid missing ports.
Using Debugger Utility

The Debugger Utility is available at $NMSROOT/campus/bin/ (where $NMSROOT is the directory
where you have installed Cisco Prime).
To run the Debugger Utility, run the command:
utdebug -switch
switch-ip -port port1[,port2 ...] [-export filename]
where,
switch is the switch to which the end hosts are connected.
ports are the ports on the switch which have missing end hosts User Tracking.
filename specifies that the debug messages be stored in the file specified. If this option is not
used, the messages are displayed on the console.
-export
For example,
utdebug -switch 10.29.6.12 -port 5/12
utdebug -switch 10.29.100.10 -port Fa0/10
utdebug -switch 10.29.6.14 -port Gi6

You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a
host is connected to or disconnected from that port. Even if the device is managed with SNMPv3,
Network Topology, Layer-2 Services, and User Tracking, it processes only SNMPv1/SNMPv2 traps.
You can configure the ports only through Command Line Interface (CLI). If you do not have
Configuration Management functionality enabled on your LMS Server, you have to manually configure
the switches for the switches to send MAC Notifications to the LMS server. Ensure that you have
configured System Identity User under Admin > Trust Management > Multi Server > System
Identity Setup and the same username and password is configured under Admin > System > User
Management > Local User Setup.
For a list of commands to be run on each device, see the Appendix Commands to Enable MAC
Notification Traps on Devices.
For complete list of devices supported by LMS, see
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/device_suppo
rt/table/lms42sdt.html

OL-25947-01
A-43
Appendix A
CLI Tools

This section describes how to administer LMS database from the command line. This is explained in the
following topics:
Replacing Corrupted Database
Re-initializing the Database
Deleting all Active Entries from User Tracking, and Restarting Servers
Deleting all Inactive Entries from User Tracking, and Restarting Servers
Deleting all History Entries from User Tracking, and Restarting Servers
Deleting all User Tracking Entries, and Restarting Servers
Restoring the Original Data in the Server
Restoring Data from Another Server
Performance Tuning Tool
This section also explains SNMP Configuration on Devices

Replacing Corrupted Database
If you have a corrupted database, you can use the database administration tools to restore the database
from a previous backup. However, if you do not have a previous backup, you must re-initialize the
database.
When you run this command, if Data Collection is running, it is automatically stopped and then restarted
when the database initialization is complete.
Caution
Note
If you re-initialize the database, information from discovered devices will be lost. However, user and
host information is retained. Replace the database only if recommended by a Cisco technical
representative.
Your login determines whether you can use this option.

Re-initializing the Database
From the command prompt or shell window, enter:
On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl
On Windows: perl NMSROOT\campus\bin\reinitdb.pl

The following message appears:
This will erase all data from the database. Are you sure [y/n] ?
If you enter y, it erases all data (database tables Wbu*...) from the server.
A-44
OL-25947-01
Appendix A
CLI Tools
Deleting all Active Entries from User Tracking, and Restarting Servers
On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -active
On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -active
where active entries are hosts that are currently logged in

Deleting all Inactive Entries from User Tracking, and Restarting Servers
On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -inactive
On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -inactive
where inactive entries are hosts that are currently not logged in
Deleting all History Entries from User Tracking, and Restarting Servers
On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -history
On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -history
where history entries are complete entries. That is, hosts that have a login and logout in the past.
Deleting all User Tracking Entries, and Restarting Servers
On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -all
On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -all
Restoring the Original Data in the Server
Note
On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -restore
On Windows: perl NMSROOT\campus\bin\reinitdb.pl -restore
Before executing the -restore command, you should stop the daemon manager and start again
manually. For details, see Using Daemon Manager.
Restoring Data from Another Server
When you take database backup for LMS in one server and restore it in another server, the NMSROOT
logfile location may not be the same in both servers.
In that case, LMS will log messages to the log file stored in the default NMSROOT location in the
restored machine.

OL-25947-01
A-45
Appendix A
CLI Tools
Performance Tuning Tool
When you get out of memory errors in LMS, the following command can be used to tune the
performance:
NMSROOT/bin/perl NMSROOT/campus/bin/CMPTT.pl ProcessName HeapSize MaxPermSize
ProcessName should be either one of the following:

ANIServer
UTMajorAcquisition
Heap size should be multiples of 512 and should not exceed 1536 MB.
Ensure you have enough swap space in the server before tuning the heap size.
MaxPermSize will set the JVM MaxPermSize option to 64m.
SNMP Configuration on Devices

SNMP v3 Device Configuration Settings
LMS supports the following Authentication protocols for SNMP v3:
md5
SHA
LMS supports the following Privacy protocols for SNMP v3:
des
3des
aes128
aes192
aes256.
For using various LMS features in devices running SNMPv3, you must make specific configurations on
the devices. The commands that need to be configured are:
Configuring MIB Views
Configuring Access Groups
Configuring Device with Context Name
Configuring a New User
Configuring Password for a User
Relating a User to a Group
Configuring Privacy Protocol
Configuring MIB Views
For Catalyst devices, enter the following command:

set snmp view campusview 1.3.6.1 included nonvolatile
For IOS devices, enter the following command:

snmp-server view campusview
oid-tree included
A-46
OL-25947-01
Appendix A
CLI Tools
Configuring Access Groups
You must set the access rights for a group with a certain security model in different security levels.
set snmp access campusgroup security-model v3 authentication read campusview write
campusview nonvolatile

snmp-server group campusgroup v3 auth read campusview write campusview access
access-list
Configuring Device with Context Name
For Catalyst devices, enter the following commands:

campusview context vlan- prefix nonvolatile
Context exact is also supported. The following is an example:

campusview context vlan-1 exact nonvolatile

snmp-server group campusgroup v3 auth context vlan-1 read campusview write campusview
IOS image versions prior to12.4 support only exact context name.
IOS image versions 12.4 or higher, support both exact or prefix context names.
You need to configure the device with and without context name, since Data Collection manages the
device without context name and User Tracking requires context name to contact the device.
Configuring a New User

set snmp user campususer authentication md5

snmp-server user campususer campusgroup v3 auth md5 password1
Configuring Password for a User

set snmp user campususer authentication md5 password1

snmp-server user campususer campusgroup v3 auth md5 password1

OL-25947-01
A-47
Appendix A
CLI Tools
Relating a User to a Group
Using a specified security model you can relate a user to a group.

set snmpw group campusgroup user campususer security-model v3 nonvolatile

snmp-server user campususer campusgroup v3
Configuring Privacy Protocol
For Catalyst devices:

set snmp user campususer authentication md5 password1privacy des password2
For IOS devices:

snmp-server user campususer campusgroup v3 auth md5 password1 priv des password2
Configuring SNMP view to prevent %SNMP-3-AUTHFAIL Syslog due to polling of shutdown VLANs
Due to the limitation of stpxPVSTVlanEnable mib object, data collection polls shut down VLANs for
fetching STP related data which will enable the device to trigger %SNMP-3-AUTHFAIL Syslogs. In
order to avoid the polling of shut down VLAN, SNMP-VACM-MIB view has to be created in the device,
associated with SNMP credential and the property vacmContextNameEnabled has to be set to 1 in LMS.
You can enable it by creating a view and by including and excluding MIBs. To create a SNMP view:
Step 1
Create a SNMP view as follows in device x:

snmp-server view <view-name> iso included
snmp-server view <view-name> internet included
snmp-server view <view-name> internet.6.3.15 excluded
snmp-server view <view-name> w1 internet.6.3.16 excluded
snmp-server view <view-name> internet.6.3.18 excluded
snmp-server view <view-name> cTapMIB excluded
snmp-server view <view-name> internet.6.3.16.1.1 included
Step 2
Associate the view with SNMP v2 RO community string.

snmp-server community <community string> view <view-name> RO
Step 3
Shut down a vlan in device x.
Step 4
In ANIServer.properties, set vacmContextNameEnabled=1 and restart ANIServer.
Step 5
Run DC for device x.
Note
During data collection LMS is quering vacmContextName variable of SNMP-VACAM-MIB. From this
MIB variable LMS can find out which vlans are in shut down state so that LMS will try to connect to
that vlan context. This MIB will be not supported by the device by default.
A-48
OL-25947-01
Appendix A
CLI Tools
In LMS, by default the property vacmContextNameEnabled in ANIServer.properties under

NMSROOT/campus/ect/cwsi has the value 0. This value has to be changed to 1 and then restart the
daemons.
Note
The device side configuration has to be done on all the devices in the network before changing the
property in LMS. Otherwise some of the features will not work in Topology and Layer2 Services.

OL-25947-01
A-49
Appendix A
CLI Tools
A-50
OL-25947-01
A P P E N D I X

This section provides the following information for the Administration module of LMS:
Troubleshooting Guidelines
Frequently Asked Questions
This section provides guidelines on the following:

Use the information in Table B-1 to troubleshoot the User Tracking application.
Table B-1
Symptom
Probable Cause
Possible Solution
User Tracking cannot discover any There may not be information in the
LMS database.
users or hosts
or
User Tracking cannot display any
IP phones.
User Tracking cannot discover
certain users or hosts.
The device might not be part of DCR and

you must run Device Discovery and
Data Collection.
The LMS server might not have
discovered one or more devices to which
users and hosts are connected.
For more details, see
Discovering Devices in Inventory

Management with Cisco Prime LAN
1.
Check the Topology services for the

missing devices
2.
Ensure that CDP and SNMP are enabled

on the devices, rediscover these devices,
3.
Verify that they appear on the topology

view.

OL-25947-01
B-1
Appendix B
Table B-1
Troubleshooting User Tracking (continued)
Symptom
Probable Cause
User Tracking cannot discover

certain IP phones.
The LMS server might not have

discovered the specific Media
Convergence Server (MCS) that runs the
instance of Cisco CallManager to which
the IP phones are registered.
User Tracking table does not

contain device name, IP address,
and subnet information for some
hosts.
User Tracking cannot find the most

recent network information.
Network changes are not currently
reflected in ARP information (routers)
or bridge tables (switches).
User Tracking does not perform Ping
Sweep on large subnets; for example,
subnets containing Class A and B
addresses.
Possible Solution
1.
Check the Topology services for the

missing MCS that runs the instance of
Cisco CallManager to which the phones
are registered.
2.
Ensure that Cisco CallManager is shown

as a service running on the MCS and is
discovered by the LMS Server.
3.
Rediscover all IP phones.
Enable Ping Sweeps when User Tracking

performs Discovery. Ping Sweeps are enabled
by default.
To perform Ping Sweep on larger subnets, you
can either:
To configure the value, you must use the

arp time-out interface configuration
command on devices running Cisco IOS.
Hence, ARP cache might not have some

IP addresses and the User Tracking may
not display the IP addresses.
In larger subnets, the ping process leads
to numerous ping responses that might
increase the traffic on your network and
result in extensive use of network
resources.
You have:
A complete Device Discovery process

has not run since you added your
Made changes to the network.
changes.
Run User Tracking Major
User Tracking Major Acquisition is not
Acquisition.
a full network discovery. The process
The changes do not appear in discovers only the user and host data in
the User Tracking display.
your network.
Configure a higher value for the ARP

cache time-out on the routers.
Or
Use any external software, which will

enable you to ping the host IP addresses.
This will ensure that when you run User
Tracking Acquisition, the ARP cache of
the router contains the IP addresses.
1.
Run Device Discovery.
2.
Run a complete Data collection.
3.
Generate a new report after data

collection is complete to see the changes.
Changes that you make to your network

might not appear after a User Tracking
Major Acquisition.

Use these tools and suggestions to diagnose problems with the Cisco Prime LMS server:
Verifying Server Status
Troubleshooting Suggestions
B-2
OL-25947-01
Appendix B

Verifying Server Status

There are several tools that enable you to gather and analyze information about your Cisco Prime LMS
Server. See Table B-2 and Table B-4.
Table B-2
Server Status
Task
Purpose
Action
Administrative Tasks
Perform self test.
Runs self-tests and

Select Admin > System > Server Monitoring >
generates a report with the Selftest.
results.
All Users
Check process
status.
Checks whether back-end Select Admin > System > Server Monitoring >
processes are in an interim Processes.
state.
Collect server
information.
Provides system
information, environment,
configuration, logs, and
web server information.
Select Admin > System > Server Monitoring >

Collect Server Information
Or
NMSROOT\bin\perl
NMSROOT\bin\collect.info (on Windows)
NMSROOT/bin/perl
NMSROOT/bin/collect.info (on
where NMSROOT is the directory where you

installed Cisco Prime.

OL-25947-01
B-3
Appendix B
Table B-2
Server Status
Task
Purpose
Action
MDC Support
The MDC Support utility

collects:
For Windows go to,
Log files
NMSROOT\MDC\bin and run the command:

MDCSupport.exe
Configuration settings The utility creates a tar file in NMSROOT\MDC\etc

directory.
Memory information
If \etc directory is full, or if you want to preserve the
Complete system
data collected previously by not over writing the tar
related information
file, you may create another directory by running the
Process status
following command:
Host environment
MDCSupport.exe Directory
information
For Solaris/Soft Appliance,
It also collects any other
1. Set the LD_LIBRARY_PATH environment
relevant data, into a
variable to /opt/CSCOpx/MDC/lib:
deliverable tar
/opt/CSCOpx/lib:
(compressed form) file to
support the MDCs
2. Go to /opt/CSCOpx/MDC/bin and run the
installed.
command:./mdcsupport
The MDC Support utility

also queries CCR for any
other support utilities
registered, and run them.
Other MDCs need to
register their own support
utilities that will collect
their relevant data.
The utility creates a tar file in

CSCOpx/MDC/etc directory.
If \etc directory is full, or if you want to preserve the
data collected previously by not over writing the tar
file, create another directory by running the
following command:
./mdcsupport
Directory
Before you close the command window, ensure that

the MDC Support utility has completed its action.
If you close the window prematurely, the subsequent
instances of MDCSupport Utility will not function
properly.
If you happen to close the window, delete the
mdcsupporttemp directory from
NMSROOT\MDC\etc directory, for subsequent
instances to work properly.
B-4
OL-25947-01
Appendix B

Use the suggestions in Table B-3 to resolve errors or other problems with the Cisco Prime LMS Server.
Table B-3
Symptom
Probable Cause
Possible Solutions
Authorization
Incompatible browser
causing cookie failure
(unable to retrieve
cookie).
Verify that you have Accept all cookies enabled. Refer to the installation
documentation for supported Internet Explorer and Mozilla Firefox
software and setup procedures.
Daemon Manager
could not start.
The port is in
use.
The operating system has

not yet reallocated the
port.
Make sure all Cisco Prime processes are terminated (/usr/ucb/ps -auxww
| grep CSCO). Wait five to ten minutes, then try to restart the Daemon
Manager.
User has forgotten

his password.
LMS cannot recover

forgotten passwords.
A system administrator-level user must either change the password or

delete the user account and add it again.
required. Please
log in with your
username and
password.
You are logged out of Changes in the login

the Cisco Prime
module configuration file
Server.
might not be correct.
1.
Log into Cisco Prime LMS Server.
2.
Enter the following commands:

NMSROOT\bin\perl NMSROOT\bin\ResetLoginModule.pl
Authentication server
might be down and there
were no fallback logins
set.
The Log File Status Files need to be backed up
so that file size will be
window displays
files that exceed their reset to zero.
limit.
(on Windows)
NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl

3.
Restart Daemon Manager.
1.
Stop all processes.
2.
Enter the log file maintenance commands:

NMSROOT\cgi-bin\admin\ (on Windows)
NMSROOT/cgi-bin/admin/ (on Solaris/Soft Appliance)
Error message in the

logfile: Connection
Refused. Check the
Device is SSH
Device is not SSH enabled

or the server is not
authorized to initiate SSH
connection.
3.
Restart all processes.
1.
Check whether the device is up or not.
2.
Try connecting to the device with a commercial SSH client.

If you are able to connect, go to step 3.
supported or not.
If you are not able to connect, check whether the device is running
SSH enabled (K2 or K9) image.
3.
If it is not the correct image, download the appropriate image to

the device.
If you have the correct image, check whether you have created
RSA key pairs in the device. Creating RSA keys will enable SSH
in the device.
Check whether your server or network is authorized to initiate SSH

connections to device.

OL-25947-01
B-5
Appendix B
Table B-3
Troubleshooting Suggestions (continued)
Symptom
Probable Cause
Possible Solutions
While launching the The Group Administration Start the Group Administration server from the user interface or from the
server is either not running CLI.
Group
Administration page, or yet to be up.
To start the server from the user interface:
the following error
1. Select Admin > System > Server Monitoring > Processes.
message is
displayed:
The Process Management Dialog Box appears.
Error in
communicating with
Group
Administration
Server.
2.
Check the CMFOGSServer check box in the Process Management

dialog box
3.
Click Start.
To start the server from the CLI, enter:

NMSROOT/bin/pdexec CMFOGSServer
where NMSROOT is the Cisco Prime LMS Installation directory.
DCRServer is down
and services are not
starting properly.
Check wheter
ctm_config.txt file is
corrupted.
Make sure the following two files have proper content by checking the
contents with the sample ctm_config.txt:
/NMSROOT/MDC/tomcat/shared/lib/ctm_config.txt
/NMSROOT/MDC/tomcat/webapps/cwhp/WEB-INF/lib/ctm_config.t
xt
where NMSROOT is the Cisco Prime LMS Installation directory.

Sample ctm_config.txt
SERVER_PORT=40050
MAX_VM_PORTS=20
MAX_THREADS=100
CTM_SSL=1
CTM_URL=:443/cwhp/CTMServlet
MAX_VM_CLIENT_CONNECTION=25
REGISTRY_LOCATION=NMSROOT\\MDC\\tomcat\\webapps\\cwhp\\W
EB-INF\\lib
See Installing and Migrating to Cisco Prime LAN Management Solution 4.2 for troubleshooting tips on
Cisco Prime installation.

This section provides FAQs on the following:
User Tracking FAQs
VRF Lite FAQs
Cisco Prime LMS Server FAQs
Fault Management FAQs
B-6
OL-25947-01
Appendix B

Device Performance Management FAQs
IPSLA Performance Management FAQs
User Tracking FAQs

This section lists the FAQs on User Tracking:
Q.Why are outdated entries appearing in my User Tracking table?
Q.How does User Tracking acquisition process differ from that of the LMS Server?
Q.How does User Tracking user and host acquisition process work?
Q.Why is User Tracking not performing Ping Sweeps on some subnets?
Q.How long does User Tracking maintain data?
Q.Does User Tracking discover users and hosts connected to non-Cisco Discovery Protocol (CDP)
devices?
Q.Where does User Tracking log errors?
Q.Why am I getting a parse error when trying to parse some of the output files?
Q. Why are outdated entries appearing in my User Tracking table?

A. Outdated entries result when:
A user or host is assigned to new VLAN/port/VTP domain.
A power failure occurred.
A workstation has been switched off or removed from the network.
User Tracking does not automatically delete outdated end-user host entries. To delete these entries:
Manually delete selected entries.
Or
Configure delete interval for purging old records more than the given number of days.
Select Admin > Network > Purge Settings > User Tracking Purge Policy
Q. How does User Tracking acquisition process differ from that of the LMS Server?
A. User Tracking is a LMS client application. The LMS Server provides several types of global
discoveries, including:
Device and physical topology acquisition, resulting in baseline network information such as
device identity, module and port information, and physical topology. This type of acquisition is
required for logical, user, and path acquisition.
User acquisition, resulting in information about users and hosts on the network.
The LMS Server stores this information in the database. User Tracking discovers the host and user
information in the LMS server database, correlates this information, and displays it in the User
Tracking Reports.
For more information about the various acquisition processes, see Various Acquisitions in User
Tracking.

OL-25947-01
B-7
Appendix B
Q. How does User Tracking user and host acquisition process work?
A. Before collecting user and host information, LMS must complete Data Collection. After the
completion of Data Collection User Tracking performs steps described in Table B-4.
Table B-4
User Tracking User and Host Acquisition Process
Process
Description
Performs Ping Sweeps
Pings all IP addresses on all known subnets, if you have Ping Sweeps
enabled (the default).
This process updates the switch and router tables before User Tracking
reads those tables. This ensures that User Tracking displays the most
recent information about users and hosts.
Obtains MAC addresses from Reads the switch's bridge forwarding table.
switches
The bridge forwarding table provides the MAC addresses of end
stations, and maps these MAC addresses to the switch port on which
each workstation resides.
Obtains IP and MAC
addresses from routers
Reads the Address Resolution Protocol (ARP) table in routers to

obtain the IP and corresponding MAC addresses.
Obtains hostnames
Performs a Domain Name Service (DNS) lookup to obtain the

hostname for every IP address.
Obtains usernames
Attempts to locate the users currently logged in to the hosts and tries
to obtain their username or login ID.
Records discovered
information
Records the discovered information in the LMS database.
Q. Why is User Tracking not performing Ping Sweeps on some subnets?

A. The criterion for whether or not User Tracking performs Ping Sweeps on a subnet is the number of
hosts in the subnet:

You must check if you have excluded the subnets from Ping Sweep.
If a subnet has 256 or fewer hosts, User Tracking performs Ping Sweeps on that subnet. User
Tracking does not perform Ping Sweeps on the subnets, which have more than 256 hosts.
If Ping Sweeps are not performed, User Tracking still obtains information from the router and switch
mapping tables during a discovery. For more details on Ping Sweep, see Notes on Ping Sweep
Option.
Q. How long does User Tracking maintain data?
A. It depends on the delete interval you have set. For more details, see Deleting User Tracking Purge
Policy Details.
Q. Does User Tracking discover users and hosts connected to non-Cisco Discovery Protocol (CDP)
devices?
A. LMS does not manage non-CDP devices. Hence User Tracking will not discover users and hosts in
the network connected to non-CDP devices.
B-8
OL-25947-01
Appendix B

Q. Where does User Tracking log errors?

A. User Tracking major acquisition errors are logged in the User Tracking error log. Data Collection
errors are logged in the respective log file. The log files are located at
Solaris/Soft Appliance : /var/adm/CSCOpx/log
Windows: NMSROOT\log
Where NMSROOT is the directory where you have installed Cisco Prime.
Q. Why am I getting a parse error when trying to parse some of the output files?
A. A few classes in Optical switches contain special characters with ASCII code higher than 160. Most
of the XML parsers do not support these characters and hence fail to parse them.
To overcome this, you have to manually search for those elements with special characters and
append CDATA as given in the example below:
If there is an element
<checksum> o </checksum>
Change it to:
<checksum> <![CDATA[o ]]> </checksum>
VRF Lite FAQs

This section lists the FAQs on VRF Lite:
Q.What is VRF Lite ?
Q.What is Network Virtualization?
Q.What are the pre-requisites to manage a device using VRF Lite?
Q.The device must be managed by LMS to exercise all the functionality of VRF Lite. The desired
device is not listed in the device selector for the VRF Lite configuration workflows. What is the
reason for a device not listed in the device selector?
Q.What are the different categories in which the devices are managed by Virtual Network Manager?
Or what criteria are used by Virtual Network Manager to categorize the devices in the network?
Q.Sometimes, while performing VRF Lite configuration, I get the following message:
Q.What are the details of the VRF Lite log files? In which location are the VRF Lite log files
located?
Q.When is the VRF Lite Collection process triggered?
Q.After the completion of the Data collection process, the VRF Lite Collector failed to run, What is
the reason for failure?
Q.How can I configure SNMP timeout and retries details for VRF Lite?
Q.What is the reason for VLANs not getting populated in the VLAN to VRF Lite Mapping page in
the Create VRF Lite and Extend VRF Lite workflows ?
Q.How do I enable the debug messages for Virtual Network Manager?
Q.Why are some port-channels not discovered in VRF Lite?
Q.What are the processes newly introduced for VRF Lite ?
Q.What is tested number of devices support in VRF Lite?
Q.What are the property files associated with VRF Lite?

OL-25947-01
B-9
Appendix B
Q.In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow,
why are values for the IP Address and SubnetMask fields empty?
Q.What is protocol order for configuration workflows?
Q.What is protocol ordering for troubleshooting?
Q.If you configure commands to be deployed to two different devices, will the commands be
deployed parallelly or serially?
Q.Which VRF Lite configuration jobs that are failed can be retried?
Q.Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page?
Q.Why the FHRP and DHCP configurations are not shown in VRF Lite?
Q. What is VRF Lite ?

A. Virtual Routing and Forwarding Lite (VRF Lite) is the one of the simplest form of implementing
virtualization technology in an Enterprise network. A Virtual Routing and Forwarding is defined as

VPN routing/forwarding instance. A VRF Lite consists of an IP Routing table, a derived forwarding
table, a set of interfaces that use the forwarding table and set of routing protocols that determine
what goes into the forwarding table. VRF Lite is an application that allows you to pre-provision,
provision and monitor Virtual Routing and Forwarding-Lite (VRF Lite) technology on an enterprise
network.
Q. What is Network Virtualization?
A. Virtualization deals with extending a traditional IP routing to a technology that helps companies
utilize network resources more effectively and efficiently. Using virtualization, a single physical
network can be logically segmented into many logical networks. The virtualization technology
supports multiple virtual routing instances of a routing table to exist within a single routing device
and work simultaneously.
Q. What are the pre-requisites to manage a device using VRF Lite?
A. The pre-requisites to manage a device in VRF Lite are:
1.
The device must be managed by LMS.
2.
The device must either be L2/L3 or L3 device
3.
The devices failing to satisfy pre-requisite # 1 or #2, are not displayed in VRF Lite.
The device must have the necessary hardware support. For more information on hardware support,
see
http://www.cisco.com/en/US/products/sw/cscowork/ps563/products_device_support_tables_list.ht
ml.
If the device hardware is not supported then the device will be classified as Other devices
4.
If a device supports MPLS VPN MIB, it is classified as a capable device.
5.
VTP Server must be support MPLS VPN MIB. If the VTP Server does not support MPLS VPN MIB,
VRF Lite will not manage VTP Clients.
B-10
OL-25947-01
Appendix B

Q. The device must be managed by LMS to exercise all the functionality of VRF Lite. The desired
device is not listed in the device selector for the VRF Lite configuration workflows. What is the
reason for a device not listed in the device selector?
A. A device is not listed in the device selector due to the following reasons:
All VRF Lite Configuration workflows like Create, Edit, Extend, Delete VRF Lite and Edge VLAN
Configuration.
A device will not be listed in the Device Selector, if a device does not satisfy the pre-requisites as
mentioned in the Configuring Virtual Routing and Forwarding (VRF) in Configuration Management
with Cisco Prime LAN Management Solution 4.2.
If VRF Lite Configuration workflow is either Edit VRF Lite, or Delete VRF Lite or Edge VLAN
Configuration then a device will not be listed in the Device Selector, if a device is not participating
in the selected VRF Lite.
In the Readiness Report, a device listed as a supported device may be because it is not managed by
LMS. You can check if a device is managed by using the Device Management State Summary
(Inventory > Device Administration > Manage Device State).
In Extend VRF Lite workflow, the devices listed in the Device Selector are the devices that are not
participating in the selected VRF Lite.
In Edge VLAN Configuration workflow, the devices listed in the Device Selector are only L2/L3
devices that are not participating in the selected VRF Lite.
Q. What are the different categories in which the devices are managed by Virtual Network Manager?
Or what criteria are used by Virtual Network Manager to categorize the devices in the network?
A. Virtual Network Manager identifies the devices based on the minimum hardware and software
support required to configure VRF Lite on the devices.

Based on the available hardware and software support in the devices, Virtual Network Manager
classifies the devices into following categories:
VRF Lite Supported Devices Represents the devices with required hardware and software
support available to configure VRF Lite on the devices.

VRF Lite Capable Devices Represents the devices with required hardware support available.
But the device software must be upgraded to support MPLS VPN MIB. For information on the
IOS version that supports MPLS VPN MIB, refer
http://tools.cisco.com/ITDIT/MIBS/MainServlet.
VRF Lite classifies all the devices from Cat 3k and Cat 4k family of devices as VRF Lite
Capable devices as these devices do not have the required MPLS VPN MIB support.
Other Represents the devices without required hardware support to configure VRF Lite.
SysOID of the device needs to be checked.

OL-25947-01
B-11
Appendix B
Q. Sometimes, while performing VRF Lite configuration, I get the following message:
The device(s) with device name(s) are already locked as they are used by configuration workflows.
You cannot configure these devices. Wait for some time Or Ensure the devices are not used by
configuration workflows and free the devices from Admin > Network > Resource Browser.
Or
Selected Device(s) are locked as they are used by configuration workflows. You cannot configure
these devices. Wait for some time OR Ensure the devices are not used by configuration workflows
and free the devices from Admin > Network > Resource Browser.
Can I get the details of the user who has locked the devices to perform VRF Lite configuration?
A. You cannot get the details of user who has locked the devices to perform VRF Lite configurations.
Q. What are the details of the VRF Lite log files? In which location are the VRF Lite log files located?
A. The following are the details of the VRF Lite log files:
1.
Vnmserver.log This log file logs the messages pertaining to the VRF Lite Server process.
2.
Vnmcollector.log This log file logs the messages pertaining to the VRF Lite collection.
3.
Vnmclient.log This log file logs the messages related to the User Interface.
4.
Vnmutils.log This log file logs the messages pertaining to the utility classes used by VRF Lite
client and server.
The above-mentioned VRF Lite log files are located in the following location:
In Solaris/Soft Appliance : /var/adm/CSCOpx/log/
In Windows: NMSROOT\logs
Q. When is the VRF Lite Collection process triggered?
A. Manually:
You can manually schedule to run the VRF Lite Collection process by:
Providing the setting details using Admin > Collection Settings > VRF Lite > VRF Lite Collector
Schedule option.
Automatically:
If you enable the Run VRF Lite Collector After Every Data Collection in the VRF Lite Collector
Schedule page. The VRF Lite Collection process will be automatically triggered after the
completion of Data Collection.
You can reach the VRF Lite Collector Schedule page using Admin > Collection Settings > VRF
Lite > VRF Lite Collection Settings page.
Q. After the completion of the Data collection process, the VRF Lite Collector failed to run, What is
the reason for failure?

A. Check if the Run VRF Lite Collector After Every Data Collection option is enabled in the VRF
Lite Collector Schedule page. You can reach the VRF Lite Collector Schedule page from Admin >
Network > VRF Lite Collection Settings page.
Q. How can I configure SNMP timeout and retries details for VRF Lite?
A. The SNMP timeout and retries details are configured using Admin > Collection Settings > VRF
Lite > VRF Lite SNMP Timeouts and Retries. By default, all the devices have a timeout of six
seconds and retry attempt of 1 second.
B-12
OL-25947-01
Appendix B

Q. What is the reason for VLANs not getting populated in the VLAN to VRF Lite Mapping page in the
Create VRF Lite and Extend VRF Lite workflows ?

A. The VLAN to VRF Lite Mapping page lists the links connecting the source and the destination
device. The VLANs are not listed in fields displaying the links in the VLAN to VRF Lite Mapping
page because VRF Lite tries to find a free VLAN in the devices connected using a link based on the
following procedure
1.
An SVI, VRF Lite searches for free VLANs in the range 1- 1005
2.
An SI, VRF Lite searches for free VLANs in the range 1006-4005
Q. How do I enable the debug messages for Virtual Network Manager?

A. You can enable the debugging levels for a particular module using
Admin > System > Debug Settings > VRF Lite Client Debugging Options.
Admin > System > Debug Settings > VRF Lite Collector Debugging
Admin > System > Debug Settings > VRF Lite Server Debugging
Admin > System > Debug Settings > VRF Lite Utility Debugging
You can manually change the name and the size of the log file. The configuration log files are
available under NMSROOT/MDC/tomcat/webapps/vnm/WEB-INF/classes. The changes made will
be reflected after approximately 60 seconds.
Q. Why are some port-channels not discovered in VRF Lite?
A. VRF Lite does not support port-channel and GRE Tunnel. Also, Currently VRF Lite supports only
802.1Q
Q. What are the processes newly introduced for VRF Lite ?
A. To run VRF Lite , VRF Lite Server process is newly introduced in the application. The VRF Lite
Collector process is executed as a Job.

Q. What is tested number of devices support in VRF Lite?
A. In an Enterprise network, VRF Lite is tested to support the configuration of 32 VRFs with VRF Lite
configuration supported in 550 devices in your network. However, at a given time, you can select up
to 20 devices and configure VRF Lite using the Create, Edit and Extend VRF Lite workflow.
Q. What are the property files associated with VRF Lite?
A. The following property files are associated with VRF Lite:
1.
NMSROOT/vnm/conf/VNMClient.properties This property file is used to provide the settings for

Purge and Home page auto Refresh
2.
NMSROOT/vnm/conf/VNMServer.properties This property file is used to provide the SNMP and

VRF Lite Server settings.
3.
NMSROOT/vnm/conf/VRFCollectorSnmp.conf This property file stores the SNMP Timeout and

Retries that you have configured.
Q. In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow, why
are values for the IP Address and SubnetMask fields empty?

A. If the physical interface that links two devices is not configured with an IP Address, then the IP
Address and the SubnetMask fields are empty.

OL-25947-01
B-13
Appendix B
Q. What is protocol order for configuration workflows?

A. Configuration workflow uses the protocol order similar to ordering used by NetConfig in Resource
Manager Essentials.
Choose the NetConfig as Application Name from using Admin > Collection Settings > Config >
Config Transport Settings page. You can view the protocol ordering in the Transport Settings page.
Q. What is protocol ordering for troubleshooting?
A. Troubleshooting VRF Lite workflow uses the protocol ordering similar to ordering used by NetShow
in Resource Manager Essentials.

Choose the NetShow as Application Name from using Admin > Collection Settings > Config >
Config Transport Settings page. You can view the protocol ordering in the Transport Settings page.
Q. If you configure commands to be deployed to two different devices, will the commands be deployed
parallelly or serially?
A. The commands will be deployed to multiple devices parallelly, where as a series of commands
with-in a single device, will be deployed in serial manner.

Q. Which VRF Lite configuration jobs that are failed can be retried?
A. You can retry all the VRF Lite Configuration jobs which are failed. VRF Lite Configuration jobs are
the jobs pertaining to Create, Edit, Extend, Delete VRF Lite and Edge VLAN Configuration
workflow.
Q. Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page?
A. The functionality for Monitor Real Time button is provided by IPSLA Performance Management.
This button is enabled only when IPSLA Performance Management is enabled in the local server.
Q. Why the FHRP and DHCP configurations are not shown in VRF Lite?
A. VRF Lite does not fetch the details for the FHRP or DHCP configuration from the device. Also, VRF
Lite wont put the list of VLANs allowed on a trunk

The Protocols and DHCP Server details for existing or newly created SVIs are not fetched from the
selected devices.
Cisco Prime LMS Server FAQs

The following sections lists the Frequently Asked Questions (FAQs) of Cisco Prime LMS application.
General
Security
Important URLs
Software Center
Backup and Restore
Database
Apache and Tomcat
B-14
OL-25947-01
Appendix B

General
The section lists you the general FAQs on LMS:
Q.Which version of the Java Plug-in should I use for Cisco Prime to function properly?
Q.Why cannot I start my Cisco Prime application?
Q.Why am I unable to launch Cisco Prime from a Windows 2008 client machine?
Q.I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access?
Q.Do I need to change the Cisco Prime configuration after changing the IP address?
Q.How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running
it for a while?
Q.How do I change the port for osagent in Windows?
Q.How do I change port for osagent in Solaris?
Q.How do I ensure that jrm is running fine?
Q.How do I change the casuser password in Windows?
Q.How do I change the Cisco Prime user password?
Q.How do I enable debugging for Session Management Services?
Q.What does a diskWatcher process do?
Q.Cisco Prime Time is not synchronized with System time. What should I do?
Q.How do I change the configuration details of the server after installing LMS Soft Appliance?
Q.How can I increase the timeout value of Cisco Prime LMS user interface?
Q.How should I change the syslog port of Cisco Prime from 514 to another number?
Q.What should I do when Daemon Manager and multiple processes are not started on a Windows
machine?
Q.How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running
it for a while?
Q.Why do I get the Java Script Not Enabled error after logging into Cisco Prime?
Q.In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets?
Q.What are the specific ports required for Internet HTTP features?
Q.Why is the device name not available in the home page after importing?
Q.How do you ensure to register using a template and launch the links properly?
Q.I am getting timeout exception in cmdsvc (command service library) during a device
connection/socket establishment. How do I change the default timeout and delays in cmdsvc?
Q.What should I do when the TAC Service Requests feature that displays my current Cisco.com
TAC tickets does not use the proxy to connect, even after setting the proxy in proxy server setup?
Q.I am unable to access LMS running on Windows 2008 Server, when I use IE, but it works properly
in FF, what could be the reason?
Q. How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running
it for a while?
A. You can change the IP address on the server, and then access it using the new IP address.

OL-25947-01
B-15
Appendix B
To change the IP address on Windows:

Step 1
Click Start > Settings > Network and Dial-up Connections > Local Area Connection.
The Local Area Connection Status dialog box appears.
Step 2
Click Properties.
The Local Area Connection Properties dialog box appears.
Step 3
Select Internet Protocol (TCP/IP) and click Properties.

The Internet Protocol (TCP/IP) Properties dialog box appears.
Step 4
Select the radio button Use the following IP address.
Step 5
Change the IP address as required, in the IP address field.

For the subnet mask and default gateway values, enter the ipconfig command at the command prompt.
The subnet mask and default gateway values appear.
Step 6
Enter these values in the Subnet mask and Default gateway fields.
Step 7
Click OK to go back to Local Area Connection Status dialog box.
Step 8
Click OK.
Step 9
Restart the server.
To change the IP address on Solaris, use the command ifconfig at the command prompt to change the IP
address of the required interface.
For example, at the command prompt, you can enter:
ifconfig
interfacename inet ipv4address
where the variable interfacename represents the name of the interface and ipv4address represents the
new IP address.
Q. Why do I get the Java Script Not Enabled error after logging into Cisco Prime?
A. This could be because Java Script is disabled in Internet Explorer. You should enable it in IE.
To do so:
Step 1
Launch Internet Explorer and click Tools > Internet Options.
Step 2
Click the Security tab and select Trusted Sites.
Step 3
Add the Cisco Prime LMS Server to the trusted zone.
Step 4
Clear the selection in Require server verification for all sites in this zone.
Step 5
Click OK to return to the Security tab.
Step 6
Click the Custom level button from the Security level for this zone panel.
Step 7
Select the Enable option for scripting of Java applets.
Step 8
Click OK to return to the Security tab.
Step 9
Click Apply.
B-16
OL-25947-01
Appendix B

Q. In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets?
A. In Microsoft Internet Explorer 7.0 and 8.0 browsers, the Telnet protocol handler is disabled by
default. To re-enable the Telnet protocol:

Step 1
Click Start > Run. The Run dialog box opens.
Step 2
In the Open box, enter: Regedit, then click OK. The Registry Editor opens.
Step 3
Go to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl.
Step 4
Under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet

Explorer\Main\FeatureControl, create a new key named
FEATURE_DISABLE_TELNET_PROTOCOL.
Step 5
Add a DWORD value named iexplore.exe and set the value to 0 (decimal).
Step 6
Close the Registry Editor.
Step 7
Restart the browser, the Telnet protocol is enabled
Q. What are the specific ports required for Internet HTTP features?
A. Only port number 80 is required for all HTTP interactions between Cisco Prime LMS Server and
Cisco.com, including the Software Center interactions.

Q. Why is the device name not available in the home page after importing?
A. The probable causes for this problem could be:
There is a mismatch between the hostname in the template imported and the hostname specified
in the UI during importing.

The application imported from a remote server does not belong to the server from which it is
imported.
Q. How do you ensure to register using a template and launch the links properly?
A. Before you register through a template, you should ensure that:
The host is reachable.
Port information specified is correct and reflects the current port of the bundle.
The application is available and can be launched by entering the application URL in the browser.
Q. Which version of the Java Plug-in should I use for Cisco Prime to function properly?
A. Cisco Prime supports Java Plug-in 1.6.0_19 in all the supported clients and operating systems. We
recommend that you do not install any other plug-ins other than this one, for Cisco Prime to function
properly.

OL-25947-01
B-17
Appendix B
Q. Why cannot I start my Cisco Prime application?

A. If you cannot start your Cisco Prime application and see error messages, it may be because the web
server may not be running. This may occur although pdshow indicates that those processes are
running. You need to check how your machine resolves its server name and IP address.
The Cisco Prime CORBA applications require name resolution to work properly. Domain Name
Service (DNS) is mandatory for Cisco Prime CORBA applications to work properly.
Configure the name resolution mechanism and restart the Cisco Prime LMS Server to access the
application correctly.
Q. Why am I unable to launch Cisco Prime from a Windows 2008 client machine?
A. This is caused by the default security settings in the browsers. Sometimes, the META-REFRESH
tag is disabled in the browser.

To enable the META-REFRESH tag in the browser:
Step 1
Click Tools > Internet Options. The Internet Options dialog box opens.
Step 2
Click the Security tab.
Step 3
Select the Internet zone.
Step 4
Click Custom level... The Security Settings dialog box opens.
Step 5
In the Miscellaneous options, select the Enable option for Allow Meta Refresh field.
Step 6
Click OK, and then Apply to update the settings.
Step 7
Close the IE 7 or IE 8 open windows.
Step 8
Launch a new IE 7 or IE 8 window and login into LMS.
Q. I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access?
A. There are several reasons why you are locked out. It is probably caused by the changes made using
the Select Login Module option. You must replace the incorrect login module with a default
configuration, log into Cisco Prime, and return to the login module to correct one or more of the
following:
Session Time out
Change from SSL mode to non-SSL mode
Change from non-SSL mode to SSL mode
Log out from any other Cisco Prime application
Visit other sites and then return to Cisco Prime
Do not alter the existing technologies in the default configuration file.

If all of the parameters listed are correct, see Troubleshooting Suggestions.
Q. Do I need to change the Cisco Prime configuration after changing the IP address?
A. You need not change the Cisco Prime configuration whenever you change the IP address. Cisco
Prime uses hostname for most of the communication. Only devices need to point to the new IP
address. However, after changing the IP address, you must reboot the system on a Solaris server and
restart the Daemon Manager on a Windows server. This is to make the changes effective.
B-18
OL-25947-01
Appendix B

Q. How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running it
for a while?
A. To change the hostname of the Cisco Prime LMS Server, you need to update several files and
windows registry entries.

You can use the hostnamechange.pl CLI utility to update the new host name information in files and
windows registry entries.
See Using LMS Server Hostname Change Scripts for more information.
Q. How do I change the port for osagent in Windows?
A. Before you change the port for osagent in Windows:
Ensure that the daemons are not running.
Enter the following command to stop the Daemon Manager:

net stop crmdmgtd
Backup your Windows registry.
To change the port for osagent in Windows, run the following script at the command prompt:
NMSROOT\bin\perl NMSROOT\bin\ChangeOSAGENTPort.pl Port_Number
where, Port_Number refers to any unused port number between 1026 to 65535.
The script completes the following:
Updates the value of the following registry entries with the new port numbers.
HKEY_LOCAL_MACHINE > SOFTWARE > Cisco > Resource Manager > Current
Version > Daemon > RmeOrb

Version > Daemon > RmeGatekeeper

Version > Environment
Changes the value of the port number to new port number in NameServer and NameServiceMonitor
processes.
Changes the value of OSAGENT_PORT and PX_OSA_PORT port numbers in the md.properties file
with the new port numbers.
Reboot the server and start the Daemon Manager after you have completed running the script.
Q. How do I change port for osagent in Solaris?
A. Before you change the port for osagent in Solaris:
Ensure that the daemons are not running.
Enter the following command to stop the Daemon Manager:

Make sure that no CSCO processes are running.

Back up NMSROOT/objects/dmgt/dmgtd.conf file.
To change the port for osagent in Solaris, run the following script at the command prompt:
NMSROOT/bin/perl NMSROOT/bin/ChangeOSAGENTPort.pl Port_Number
where, Port_Number refers to any unused port number between 1026 to 65535.

OL-25947-01
B-19
Appendix B
The script completes the following:
Changes the value of the port number to new port number in NameServer and NameServiceMonitor
processes.
Changes the value of OSAGENT_PORT and PX_OSA_PORT port numbers in the md.properties file
with the new port numbers.
Updates the new port number in /etc/services file.
Updates the entry in /var/sadm/pkg/CSCOmd/pkginfo file.
Reboot the server and start the Daemon Manager after you have completed running the scripts.
Q. How do I ensure that jrm is running fine?
A. To check whether jrm is working on Windows, at the command prompt enter:
cwjava -cw
NMSROOT com.cisco.nm.cmf.jrm.jobcli
To check whether jrm is working on Solaris, at the command prompt enter:

cwjava -cw
NMSROOT com.cisco.nm.cmf.jrm.jobcli
If you get a message Established connection with JRM, then EDS, EDS-GCF and jrm are
running.
If you do not get the above message, contact the technical assistance center with the error
message.
If your jrm in down or inaccessible, youll get a message while accessing the UIs.
Q. How do I change the casuser password in Windows?
A. You can change the casuser password using resetCasuser.exe. It can be run only by an administrator
or casuser. To change the casuser password:

Step 1
Enter NMSROOT\setup\support resetCasuser.exe at the command prompt

You can:
Step 2
1.
Randomly generate the password
2.
Enter the password
3.
Exit.
Enter 2, and press Enter.

It prompts you to enter the password.
Step 3
Confirm the password.
Note
You must know the password policy. If the password entered does not match the password policy,
it exits.
Q. How do I change the Cisco Prime user password?

A. See Changing Cisco Prime User Password Through CLI for details.
B-20
OL-25947-01
Appendix B

Q. How do I enable debugging for Session Management Services?

A. To enable debugging for Session Management Services:
Step 1
Go to NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml.
You should edit the following section of the file:
<context-param>
<param-name>DEBUG</param-name>
<param-value>false</param-value>
<description>mice debug enabling</description>
</context-param>
Step 2
Change <param-value>false</param-value> to <param-value>true</param-value>.
Q. What does a diskWatcher process do?

A. The diskWatcher process monitors disk space availability on the Cisco Prime LMS Server.
This process calculates the disk space information of a drive (in Windows machine) or a file system
(in Solaris machine) at regular intervals and stores them in diskWatcher.log file.
See Configuring Disk Space Threshold Limit for more information.
Q. Cisco Prime Time is not synchronized with System time. What should I do?
A. You should complete the following:
a. Edit the TIMEZONE file using the vi /etc/TIMEZONE command on a Solaris machine.
b. Set the TZ=standard_timezone. For example, you can specify TZ=MET.
c. Save the TIMEZONE file.
d. Reboot the machine.
Now the system displays the modified time zone information. If you need to change the time zone
to daylight, you change only the time and date but not the TIMEZONE.
Q. How can I increase the timeout value of Cisco Prime LMS user interface?
A. You can configure the timeout value in the following file.
NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml
You should change the value of an XML tag by name session-timeout. You should specify the value
in minutes. The default timeout value is set to 2 hours.
You cannot disable this option as this may increase the load in the server.
Q. How do I change the configuration details of the server after installing LMS Soft Appliance?
A. To change the configuration details of the server after installation:
Step 1
Login with Soft Appliance console administrator user account.

This is the sysadmin username that you provided during installation.
Step 2
Enter the password.

OL-25947-01
B-21
Appendix B
Step 3
Enter the command shell.
Step 4
Enter the following command to stop the Daemons:
Step 5
Enter exit to go to the sysadmin mode.
Step 6
Enter the following command, in sysadmin view:
<HOSTNAME>/sysadmin# config terminal

Enter the configuration commands, one per line. End with CNTL/Z.
In all the examples, sysadmin represents the sysadmin username that you provided during installation.
Step 7
Change the required configuration details of the server.

You can change the hostname, Default DNS Domain, IP Address, IP Netmask, IP Default Gateway,
Primary Name Server, Primary NTP Server, Time Zone, Username or Password. See Table B-5 for more
details.
Step 8
Enter the command end. The following will be displayed:
Step 9
Enter the following command to update the changes:
<HOSTNAME>/sysadmin#
<HOSTNAME>/sysadmin# write memory
Step 10
Right-click the server and select Power > Reset to start the server.
Or
<HOSTNAME>/sysadmin# reload
Save the Current ADE-OS running configuration ?(yes/no)[yes]?yes
Note
You should reboot the server only if you change the following configuration details:
Hostname
Default DNS Domain
IP Address, IP Netmask
IP Default Gateway
Primary Name Server
Primary NTP Server
Time Zone
The Daemons Manager will start automatically.

Step 11
Enter the following command to run the hostnamechange file:

<HOSTNAME>/sysadmin# shell
Enter shell password:
[<HOSTNAME>/root-ade ~]# /opt/CSCOpx/bin/perl /opt/CSCOpx/bin/hostnamechange.pl
-ohost <OLD_HOST_NAME> -nhost <NEW_HOST_NAME>
B-22
OL-25947-01
Appendix B

Note
Step 12
You should execute this command only when you change the hostname. Each time you change the
hostnameof the server, you must perform, steps 1 to 9 to reflect the hostname changes in LMS.
Enter the following command to start the Daemons:
sysadmin#/etc/init.d/dmgtd start
Note
You must restart the Daemon Manager before and after you change the hostname.
Note
You must change the server configuration details only through Soft Appliance admin console.
Table B-5 lists the examples of how to change the Soft Appliance server configuration details.
Table B-5
Soft Appliance Server Configuration Details
Tasks
Configuration Details
Change the HostName
<OLD HOSTNAME>/sysadmin(config)# hostname <NEW HOSTNAME>

Changing the hostname may result in undesired side effects
on any installed application(s).
Are you sure you want to proceed? [y/n] y
LNX-LMS-05/admin(config)#
Change the Domain,

Gateway and Name server
LNX-LMS-05/sysadmin(config)# ip domain-name <DOMAIN NAME>

Changing the domain name may result in undesired side effects
on any installed application(s).
Are you sure you want to proceed? [y/n] y
LNX-LMS-05/sysadmin(config)# ip default-gateway
<DEFAULT_GATEWAY_ADDRESS>
LNX-LMS-05/sysadmin(config)# ip name-server
<PRIMARY_NAME_SERVER>
Change the NTP Server
LNX-LMS-05/sysadmin(config)# ntp server <PRIMARY_NTP_SERVER>
Change the IP address and

Subnet Mask
LNX-LMS-05/sysadmin(config)# interface GigabitEthernet 0

LNX-LMS-05/sysadmin(config-GigabitEthernet)#
LNX-LMS-05/sysadmin(config-GigabitEthernet)# ip address
<IP_ADDRESS> <MASK_ADDRESS>
Change the TimeZone
LNX-LMS-05/sysadmin(config)# clock timezone

<TIME_ZONE_VALUE>
See Supported Server Time Zones and Offset Settings for more details.
Change the Username/
Password
LNX-LMS-05/sysadmin(config)# username <USERNAME> password

plain <PASSWORD> role admin
LNX-LMS-05/sysadmin(config)# end
Q. How should I change the syslog port of Cisco Prime from 514 to another number?
A. You can change the syslog port by modifying the value of CrmLogPort registry key located under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmlog\Parameters.

OL-25947-01
B-23
Appendix B
After you have changed the syslog port, you need to restart the syslog service.
B-24
OL-25947-01
Appendix B

Q. What should I do when Daemon Manager and multiple processes are not started on a Windows
machine?
A. Sometimes, Windows may prevent to run some processes for security reasons.
You should do the following on a Windows 2003 Operating system:

Step 1
Right-click the My Computer icon on your desktop and click Properties to open the System Properties
dialog box.
Step 2
Click the Advanced tab.
Step 3
Click Settings from the Performance panel to open the Performance Options dialog box.
Step 4
Click the Data Execution Prevention tab.
Step 5
Check whether the java.exe and cwjava.exe are available in the list of blocked programs. If so, remove
the programs from the blocked list.
Step 6
Click OK to close the Performance Options dialog box.
Step 7
Click OK to close the System Properties dialog box.
Step 8
Reboot the server.
Q. I am getting timeout exception in cmdsvc (command service library) during a device
connection/socket establishment. How do I change the default timeout and delays in cmdsvc?
A. You can change the default timeout and delays in cmdsvc using the cmdsvc.properties file available
in the following directory: $NMSROOT/objects/cmf/data

To change the default timeout and delay values:
Step 1
Go to the directory $NMSROOT/objects/cmf/data
Step 2
Open the cmdsvc.properties file.

Various timeout and delay values are listed in the file.
Step 3
Remove the Hash symbol (#) to uncomment a particular timeout or delay value.
Step 4
Remove the existing timeout or delay value.
Step 5
Enter new timeout or delay value.
Step 6
Save the cmdsvc.properties file.
Q. What should I do when the TAC Service Requests feature that displays my current Cisco.com TAC
tickets does not use the proxy to connect, even after setting the proxy in proxy server setup?
A. Check whether the following production urls are reachable in the server, where product is installed.
SASI_SERVERhttps://wsgx.cisco.com
RSR_SERVERhttps://wsgx.cisco.com
CSC_SERVERhttps://supportforums.cisco.com
CCOLOGINURLhttps://sso.cisco.com/autho/apps/nmtgSSapp/index.html
CCOLOGOUTURLhttps://sso.cisco.com/autho/logout.html

OL-25947-01
B-25
Appendix B
CASE_QUERY_URLhttps://tools.cisco.com/ServiceRequestTool/query/QueryCaseSearchAction.
do?caseType=ciscoServiceRequest&method=doQueryByCase&SRNumber=
LOGIN_REDIRECT_URLhttps://fed.cisco.com/idp/startSSO.ping?PartnerSpId=csc.jivesoftware.
com&TargetResource=
CSC_REDIRECT_URLhttps://supportforums.cisco.com
Q. I am unable to access LMS running on Windows 2008 Server, when I use IE, but it works properly
in FF, what could be the reason?

A. You are not able to access LMS in IE because of the cache issue. Clear the browser cookies and
cache from IE.
Important URLs
Q. What are the URLs that are most commonly used in LMS?
A. The following URLs are most commonly used in LMS and should be added in the proxy server:
General
http://www.cisco.com
Device update/Software update/Point Patch update
http://tools.cisco.com/software/catalog/swcs/softwaremetadata
http://tools.cisco.com/software/catalog/swcs/image
http://www.cco.cisco.com
IOS image download
http://www.cisco.com/cgi-bin/smarts/swim/crmiosbridge.pl
http://www.cisco.com/techsupport
Smart Services
SASI_SERVERhttps://wsgx.cisco.com
RSR_SERVER https://wsgx.cisco.com
CSC_SERVERhttps://supportforums.cisco.com
CCOLOGINURLhttps://sso.cisco.com/autho/apps/nmtgSSapp/index.html
CCOLOGOUTURL https://sso.cisco.com/autho/logout.html
CASE_QUERY_URLhttps://tools.cisco.com/ServiceRequestTool/query/QueryCaseSearchAction.
do?caseType=ciscoServiceRequest
LOGIN_REDIRECT_URLhttps://fed.cisco.com/idp/startSSO.ping?PartnerSpId=csc.jivesoftware.
com
CSC_REDIRECT_URLhttps://supportforums.cisco.com
PSIRT
EoS/EoL Hardware Reporthttp://www.cisco.com/cisco/software/release.html?mdfid=282253606

&flowid=5144&softwareid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE
&rellifecycle=&reltype=latest#
EoS/EoL Software Reporthttp://www.cisco.com/cisco/software/release.html?mdfid=282253606

&flowid=5144&softwareid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&
rellifecycle=&reltype=latest#
B-26
OL-25947-01
Appendix B

Bug Toolkit
http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl
http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do??method=getAllBugs
http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do?method=getAffectedBugdata&b
ugid=
http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do?method=getBugsReport
Contract Connection
http://www.cisco.com/cgi-bin/front.x/cconx/conx_userinfo.pl
https://www.cisco.com/cgi-bin/front.x/cconx/conx_recv_data.pl
https://www.cisco.com/cgi-bin/front.x/cconx/conx_sortdetail_js.pl
Compliance and Audit Management
Download Contractshttps://apps.cisco.com/CustAdv/ServiceSales/contract/viewContractMgr.do
?method=viewContractMgr
Download Compliance Policy Updateshttp://www.cisco.com/cisco/software/release.html?mdfid

=284259296&flowid=31102&softwareid=284270571&release=1.0.0&relind=AVAILABLE&
rellifecycle=&reltype=latest
Security
The following are the FAQs on LMS Security:
Q.When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This
makes the process tedious. Is there a way to reduce the number of dialog boxes and steps?
Q.When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a
security alert related to the site's security certificate. It asks for my input to proceed further. Why?
Q.My server certificate for Cisco Prime has expired. What should I do?
Q.I have configured the Active Directory Login Module but it does not work. How can I analyze the
problem?
Q.What are the minimum and maximum length of user account names? How do I control them?
Q.What are the rules to enter a valid username and password?
Q.Where is the SSL log present?
Q.Why am I getting a 403 forbidden error while trying to access Cisco Prime pages?
Q. When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This
makes the process tedious. Is there a way to reduce the number of dialog boxes and steps?
A. Yes. You have the following options:
If you are using Self-signed certificates in Internet Explorer, install the certificate in the
browsers trusted certificate stores, if you are confident about the identity of the server.
Use a server certificate issued by a prominent third party certificate authority (CA).
Configure the hostname in your server certificate properly, and use the same hostname to invoke
Cisco Prime.
Q. When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a
security alert related to the site's security certificate. It asks for my input to proceed further. Why?

OL-25947-01
B-27
Appendix B
A. Cisco Prime does not have any control over this behavior. This is an expected browser behavior
(Microsoft Internet Explorer or Mozilla Firefox), to ensure proper security.

This appears if any of the following conditions is not satisfied:
The certificate of the server (Cisco Prime Server in this case) must be issued by trusted
Certificate Authority.
The date of the certificate must be valid. (Each certificate is assigned a validity period. It can
range from 21 days to 5 years).

The name of the certificate and name of the page (or the name typed in the address bar of the
browser) are the same.

To view the certificate information:
Click View Certificate, in the alert box for Internet Explorer.
Click Examine Certificate in the alert box for Mozilla Firefox.
The server should be invoked with the name same as the Issued to' field of the certificate.
To install the certificate in Internet Explorer:
Step 1
Click View Certificate in the alert box.

The Certificate dialog box displays the Certificate information.
Step 2
Click Install Certificate.
Q. My server certificate for Cisco Prime has expired. What should I do?
A. If you are using a self-signed certificate, you can create a new certificate using the Create Self
Signed Certificate option. For more information, see Creating Self Signed Certificates.
If you are using a third party issued certificate, you must contact the certificate authority (CA) and renew
the certificate. You can use a self-signed certificate till you get the certificate renewed by the CA.
Note
Before you perform any certificate management operationscreating or modifying certificates, back up
the certificate files, the server private key in particular, and keep them in a safe location.
Q. I have configured the Active Directory Login Module but it does not work. How can I analyze the
problem?
A. To analyze the problem, enable the Debug mode for the Active Directory Login module. To do this:
Step 1
Login as Admin.
Step 2

The Select Login Module dialog box appears.
Step 3
Select a login module from the Available Login Modules list box and Click on Edit Options.
The Login Module Options dialog box appears.
Step 4
Select the radio button True and click Finish.

This enables the Debug option. Enabling debug mode allows the login module to add the detailed
progress and failure information to log files. The log files are located at:
B-28
OL-25947-01
Appendix B

NMSROOT/MDC/Tomcat/logs/stdout.log
For all failed login attempts, the log files contain LDAP error messages, which specify the reason for the
failure.
For example, if the Usersroot configuration is incorrect, then the login module cannot match the
complete DN string with any entries in the Active Directory database.
It indicates which portion of the DN matched and which portion did not match. You can verify your
Active Directory setup and the entries for the Usersroot.
In some cases, the log file contains error messages with NameError. This indicates that either you
entered a wrong user ID or there is some spelling error in the Usersroot configuration.
Q. What are the minimum and maximum length of user account names? How do I control them?
A. The minimum length of a user account name is 5 characters. The maximum length of a user account
name is 255 characters.

You can control the length of user account names using the Local User Policy Setup page. See
Setting up Local User Policy for more information.
Q. What are the rules to enter a valid username and password?
A. The username can contain the alphabets in lower and upper cases, numerals, hyphens (-),
underscores (_), periods (.), tilde (~), commercial At character (@), number sign (#),
Apostrophe ('), solidus or leading slash (/), trailing slash (\), and space.
The username should start with alphabets, numerals and underscore characters.
The password can contain the alphabets, numerals, leading and trailing spaces, and any special
characters.
The length of username and password can span from 5 to 256 characters.

OL-25947-01
B-29
Appendix B
Q. Where is the SSL log present?

A. The SSL log is present in the NMSROOT directory, where NMSROOT is your Cisco Prime
Installation directory.
Q. Why am I getting a 403 forbidden error while trying to access Cisco Prime pages?
A. You should check whether the casuser is assigned with the required local security policies.
To check whether the casuser is assigned with the required policies:

Step 1
Click Start > Settings > Control Panel> Administrative Tools.
Step 2
Click the Local Security Policy shortcut from the Administrative Tools folder.
The Local Security Policy window opens.
Step 3
Click Local policies > User Rights Assignment in the Local Security Policy window.
Step 4
Check whether the casuser is assigned with the following privileges:
Access this computer from the network
Log on as a batch job
If the casuser is not assigned with the required privileges, you should run the resetCasuser utility again.
Enter the following commands to run the resetCasuser utility:
NMSROOT/CSCOpx/setup/support/resetCasuser (On Solaris/Soft Appliance)
NMSROOT\CSCOpx\setup\support\resetCasuser.exe (On Windows)
where NMSROOT refers to the Cisco Prime Installation directory.

The other possible solutions are:
Remove or disable the anti-virus software
Restart Daemon Manager
Uninstall or disable IIS
Log on as a batch job
Disable Cisco Security Agent
Stop the Daemon Manager and check if there are any Apache or Tomcat processes running. If so,
kill the stray processes from the Task Manager or stop them from the Services panel.
Ensure that the casuser or administrator has the read permission for the CSCOpx,
CSCOpx/MDC/tomcat/webapps/cwhp directories, and their inner directories.
Software Center
The following are the FAQs on Software Center:
Q.How do I find out which devices are supported by a particular application?
Q.What are the prerequisites for downloading Software Updates from Cisco.com?
Q.Does the Software Center list only the software updates that are not installed in this machine?
Q.What should I do if I see errors when using Software Center or having issues with LMS not
correctly working with supported devices?
B-30
OL-25947-01
Appendix B

Q. How do I find out which devices are supported by a particular application?

A. Select Admin > System > Software Center > Software Update. Under Applications Installed,
click the application name to see a list of the supported devices.

See Selecting Software Updates for more information.
Q. What are the prerequisites for downloading Software Updates from Cisco.com?
A. You should check for the following:
Valid Cisco.com credentials are configured during Server administration
Valid proxy details are configured and Cisco Prime support basic authentication of proxy server.
See Downloading Software Updates for more information.

Q. Does the Software Center list only the software updates that are not installed in this machine?
A. The Software Center module lists all software updates including those that are installed. However,
it performs the filtering for device updates.

Q. What should I do if I see errors when using Software Center or having issues with LMS not correctly
working with supported devices?

A. Under rare circumstances, internal LMS files that contain information on which device support
packages are installed and which devices are supported, become corrupted.
If such files become corrupted, you may notice one or more of the following symptoms:
"HTTP 500" error occurs while trying to view package information from Admin > System >
Software Center > Device Update. One possible exception is:

java.util.NoSuchElementException at
java.util.StringTokenizer.nextToken(StringTokenizer.java:259) at
com.cisco.nm.xms.psu.ui.gui.model.action.DevUpdate.getPackageMap(Unknown Source) at
com.cisco.nm.xms.psu.ui.gui.model.action.DevUpdate.perform(Unknown Source)
The following errors will be seen in NMSROOT\log\psu.log:
[ <date time > ] ERROR
[CreateMaps : removeDupEntries]
:String index out of
range: -1
Devices shown as supported in "Supported Devices Table for Cisco Prime LAN Management
Solution" and may have been working previously, show as not supported/unknown and displays
device icons in Device Selectors with a question mark (?) in one or more areas of LMS.
Various forms of Inventory/Configuration Collection from devices (Inventory > Dashboards
> Device Status > Collection Summary) fails for all devices of a particular model, but
succeeds for other devices with identical configuration, yet different models.
Specific models of devices are not available in Device Selectors to have reports, jobs or other
functionality run on them, however Inventory Collection and/or Config Archive has succeeded
for them. This is frequently seen with Configuration related functionality.
To resolve such issues, you can run the NMSROOT/bin/reCreatePkgMap.pl script and recreate files
which store information on which device support packages are installed and devices they support.
Run the following script:
NMSROOT/bin/perl NMSROOT/bin/reCreatePkgMap.pl (Solaris/Soft Appliance)
or
NMSROOT\bin\perl NMSROOT\bin\reCreatePkgMap.pl (Windows)

OL-25947-01
B-31
Appendix B
where NMSROOT is your Cisco Prime installation directory.

If issues persist after running this script, contact the Cisco Technical Asssistance Center for further
assistance.

The following are the FAQs on Event Distribution Services and Event System Services:
Q.How do I change the ESS port?
Q.Why do the EDS process is not starting?
Q.How should I configure EDS in a multi-homed machine?
Q. How do I change the ESS port?

A. You can change the ESS port by running the following commands:
NMSROOT/objects/ess/conf/Ports2Alternate.pl
NMSROOT/objects/ess/conf/Ports2Primary.pl
where NMSROOT is the default installation directory of Cisco Prime.

Q. Why do the EDS process is not starting?
A. You should check:
If the hostname is correct and is not changed recently.
If the osagent is in use in port 42342.
B-32
OL-25947-01
Appendix B

If the osagent is not in use, you should:

Step 1
Stop the Daemon Manager.
Step 2
Run the ChangeOSAGENTPort.pl script to change the port number. Enter the following command:
NMSROOT/bin/perl NMSROOT/bin/ChangeOSAGENTPort.pl Port_number
where,
NMSROOT Cisco Prime Installation directory
Port_number Osagent port
Step 3
Restart the Daemon Manager.
Q. How should I configure EDS in a multi-homed machine?

A. To run Cisco Prime LMS and configure EDS on a multi-homed machine, you must all the IP
Addresses in DNS.
Q. Sometimes, I am not able to access CORBA services in Cisco Prime LMS Server from other
network?
A. This could because the domain name of the Cisco Prime LMS server may not be resolved.
To access the CORBA services in a server that is not DNS resolvable, you must:
Step 1
Change the value of attribute jacorb.dns.enable in orb.properties file from on to off.
Step 2
Regenerate the self-signed certificate with IP address instead of hostname.
Step 3
Restart the Daemon Manager.
Backup and Restore

The following are the FAQs on Backup and Restore:
Q.What kind of directory structure does Cisco Prime use when backing up data?
Q.What should I do when backup fails and displays a Backup.LOCK file exists error
message?
Q.Do I need to stop the Daemon Manager before running backup.pl and restorebackup.pl scripts?
Q. What kind of directory structure does Cisco Prime use when backing up data?
A. Cisco Prime uses a standard database structure for backing up all suites and applications. See
Table B-6 for a sample directory structure on Cisco Prime LMS Server.
Table B-6
Sample Backup Directory
Directory Path
Description
Usage Notes
/tmp/1
Number of backups
1, 2, 3...
/tmp/2/cmf
Application or suite
Backs up Cisco Prime LMS Server applications.

OL-25947-01
B-33
Appendix B
Table B-6
Sample Backup Directory (continued)
Directory Path
Description
Usage Notes
/tmp/1/cmf/fileb Cisco Prime LMS Server

ackup.tar
application tar files
Application data is stored in the datafiles.txt which are

compiled into the tar file.
/tmp/1/cmf/data
base
Includes the following files for each database:
Cisco Prime LMS Server

database directory
xxx_DbVersion.txt
xxx.db (database files)
xxx.log (database log files)
xxx.txt (database backup manifest file)
where xxx is the name of the database.

Q. What should I do when backup fails and displays a Backup.LOCK file exists error message?
A. You should try removing the Backup.LOCK file from the Cisco Prime installation directory and start
backup again. You can use the CLI program to back up the data. See Backing up Data Using CLI
Q. Do I need to stop the Daemon Manager before running backup.pl and restorebackup.pl scripts?
A. Daemons should be stopped only before you run restorebackup.pl scripts. You need not stop the
Daemon Manager to run the backup.pl scripts.

See Backing up Data Using CLI and Restoring Data for more information.
Database
The following are the FAQs on Database:
Q.How can I find the version of a Sybase Database?
Q.What if the database is inaccessible?
Q. How can I find the version of a Sybase Database?

A. Run the following command:
opt/CSCOpx/objects/db/bin64/dbsrv10 v
Q. What if the database is inaccessible?

A. If the server is not able to connect to the database, the database might be corrupt or inaccessible.
This can occur if processes are not running. Try the following:
Step 1
Log in to Cisco Prime LMS server as admin.
Step 2

A list of Cisco Prime back-end processes appears.
You can check if there are any failed process appear in the list.
Step 3
Select Admin > System > Server Monitoring > Selftest.
Click Create to create a report.
Click Display to display the report.
B-34
OL-25947-01
Appendix B

Step 4
Step 5
Click Product Database Status to get detailed database status.
Step 6
Contact the Cisco TAC or your customer support to get the information you need to access the database
and find out details about the problem.
After you have the required information, perform the following tasks for detecting and fixing database
errors.
Depending upon the degree of corruption, the database engine may or may not start. For certain
corruptions, such as bad indexes, the database can function normally until the corrupt index is accessed.
Database corruptions, such as index corruptions, can be detected by the dbvalid utility, which requires
the database engine to be running.
To detect database corruption:
Step 1
Log on as root (on Solaris/Soft Appliance) or with administrator privileges (on Windows).
Step 2
Stop the Daemon manager if it is already running:
Step 3
net stop crmdmgtd
(on Windows)
Make sure no database processes are running and there is no database log file.
For example, if the database file is /opt/CSCOpx/databases/rme/rme.db, the database log file is
/opt/CSCOpx/databases/rme/rme.log. This file is not present if the database process shuts down cleanly.
Step 4
Check if the database files and the transaction log file (*.log) are owned by user casuser if you use Solaris
machines. If not, change the ownership of these files to user casuser and group casusers.
Step 5
Run the commands on the command prompt:

cd
NMSROOT/objects/db/conf
NMSROOT/bin/perl configureDb.pl action=validate dsn=cmf

The dbvalid command displays a list of tables being validated. The Validation utility scans the entire
table, and looks up each record in every index and key, defined on the table. If there are errors, the utility
displays a message such as:
Validating DBA.xxxx
run time SQL error -- Foreign key parent_is has invalid or duplicate index
entries 1 error reported
If the above command reports any error, you may try:
Restoring from a previous good backup

or
Reinitializing database
Caution
All the current data will be lost.
To do this, you have to run the following command:

NMSROOT\bin\perl NMSROOT\bin\dbRestoreOrig.pl dsn=dsn dmprefix=dmprefix

OL-25947-01
B-35
Appendix B
For LMS, dsn is cmf and dmprefix is Cmf.
Apache and Tomcat

The following are the FAQs on Apache and Tomcat:
Q.How do I avoid the SSL port conflict between HPOV and LMS servers and run them both on the
same system?
Q.Why does the Apache process not come up after installation or why does the process go down
suddenly?
Q.How do I change web server port numbers?
Q.How should I enable or disable web server SSL mode from the command line?
Q.How do I increase Tomcat heap size?
Q.How do I validate a Server certificate?
Q.How do I modify a certificate which is not self-signed?
Q.What is the maximum number of connections allowed by Cisco Prime to access the web interface?
Q.What version of Tomcat is installed on my server?
Q.Why does Apache server does not start during reboot process?
Q. How do I avoid the SSL port conflict between HPOV and LMS servers and run them both on the
same system?
A. The new installer detects IIS web server running on the machine and prompts you to enter a different
port number for Cisco Prime LMS Server to avoid the conflict.
Q. Why does the Apache process not come up after installation or why does the process go down
suddenly?
A. This could be a problem with the Apache configuration syntax or the validity of the server
certificate. You should first check the Apache configuration syntax.

To do this:
On Windows:
Go to NMSROOT\MDC\Apache\bin and run the command Apache.exe -t -d .
Note
Do not omit the .

Go to NMSROOT/MDC/Apache/bin and run the command ./web_server t
If the Apache configuration syntax is correct, a message appears:
Syntax OK
If the Apache configuration syntax is fine, check the validity of the Server Certificate using the SSL
Utility Script.
B-36
OL-25947-01
Appendix B

Q. How do I change web server port numbers?

A. To change the web server port numbers, you must run separate commands for both Windows and
Solaris.
On Solaris:
You can change the web server port numbers for the webservers. You can also change both the HTTP
and HTTPS port numbers. To change the port numbers you must login as Cisco Prime LMS Server
administrator, and run the following command at the prompt:
NMSROOT/MDC/Apache/bin/changeport
If you run this command without any command line parameter, Cisco Prime displays:
*** CiscoWorks Webserver port change utility ***
Usage: changeport <port number> [-s] [-f]
where
port numberThe new port number that should be used
-sChanges
-fForces
Note
the SSL port instead of the default HTTP port
port change even if Daemon Manager detection FAILS.
Do not use this option by default. Use it only when Cisco Prime instructs you to.
For example, you can enter:

changeport 1744Changes
the Cisco Prime web server HTTP port to use 1744.
Or,
changeport
port number -sChanges the Cisco Prime web server HTTPS port to use the specified port
number.
If you change the port after installation, Cisco Prime will not launch from Start menu
(Start > Programs > Cisco Prime).
You have to manually invoke the browser, and specify the URL, with the changed port number.
The restrictions that apply to the specified port number are:
Port numbers less than 1026 are not allowed. However, you can use 443 as the HTTPS port number.
The specified port should not be used by any other service or daemon. The utility checks for active
listening ports, and ports listed in /etc/services. If there is any conflict, it rejects the specified port.
The port number must be a numeric value in the range 1026 65535. Values outside this range, and
non-numeric values are not allowed.
If port 443 is specified for any of the web servers, that web server process is started as root. This is
because ports lower than 1026 are allowed to be used only by root in Solaris.
However, according to Apache behavior, only the main web server process run as root, and all the
child processes run as casuser:casusers. Only the child processes serve the external requests.
The main process that runs as root monitors the child processes. It does not accept any HTTP
requests. Owing to this, Apache ensures that a root process is not exposed to the external world, and
thus ensures security.
If you do not want Cisco Prime processes to run as root, do not use the port 443.
When you run the utility with the appropriate options, it displays messages on the tasks it performs.

OL-25947-01
B-37
Appendix B
This utility lists all the files that are being updated. Before updating, the utility will back up all
affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories.
It also creates a new file called index.txt. This text file contains information about the changed
port, a list of all the files that are backed up, and their actual location in the Cisco Prime directory.
If you do not want Cisco Prime processes to run as root, do not use the ports 80 and 443.
When you run the utility with the appropriate options, it displays messages on the tasks it performs.
This utility lists out all the files that are being updated. Before updating, the utility will back up all
affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories.
It also creates a new file index.txt. This text file contains information about the changed port and a
list of all files that are backed up and their actual location in the Cisco Prime directory.
A sample backup maybe similar to:

/opt
|
`--/CSCOpx
|
`--/conf
|
`--/backup
|
|--README.txt (Note the purpose of this directory as it is initially empty)
|
`--/AAAtpaG03_Ciscobak (Autogenerated unique backup directory).
|
|--index.txt (The backup file list)
|--httpd.conf (Webserver config file)
|--md.properties (CiscoWorks config elements)
|--mdc_web.xml (Common Services application config file)
|--regdaemon.key (Common Services config registry key file)
|--regdaemon.xml (Common Services config registry data file)
|--rootapps.conf (CiscoWorks daemons using privileged ports)
|--services (The system /etc/services file)
`--ssl.properties (CiscoWorks config elements for SSL mode)
Note
All of the above files and the unique directories are stored with read only permission to casuser:casusers.
To ensure the security of the backup files, only the Cisco Prime LMS Server administrator has write
permissions.
The change port utility displays messages to the console during execution. These messages contain
information about the directory where the backup files are being stored. These messages are also logged
to a file, changeport.log.
This file is saved to the directory:
/var/adm/CSCOpx/log/changeport.log
This file contains the date and time stamps to indicate when the log entries were created.
On Windows:
You can change the web server port numbers for the LMS Webserver. You can also change both the
HTTP and HTTPS port numbers.
To change the port numbers you must have administrative privileges. Run the following command at the
prompt:
NMSROOT\MDC\Apache\changeport.exe
B-38
OL-25947-01
Appendix B

If you run this utility without any command line parameter, Cisco Prime displays the following usage
text:
*** Common Services Webserver port change utility ***
Usage: changeport <port number> [-s] [-f]
where:
port numberThe new port number that should be used
-sChange
-fForce
Note
the SSL port instead of the default HTTP port
port change even if Daemon Manager detection fails.
Do not use this option by default. Use it only when Cisco Prime instructs you to.
For example, you can enter:

changeport 1744To
change the Cisco Prime web server HTTP port to use 1744.
Or,
changeport
port number -sChanges the Cisco Prime web server HTTPS port to use the specified port
number.
If you change the port after installation, Cisco Prime will not launch from Start menu (Start > Programs
> Cisco Prime). You have to manually invoke the browser and specify the URL, with the changed port
number.
The restrictions that apply to the specified port number are:
Port numbers less than 1026 are not allowed. However, you can use 443 as the HTTPS port number.
The specified port should not be used by any other service or daemon. The utility checks for active
listening ports, and if any conflict is found, the utility rejects the specified port.
There is no reliable way to determine whether any other service or application is using a specified
port. If the service or application is running and actively listening on a port, it can be easily detected.
However, if the service is currently stopped, there is no way that the utility can determine what port
it uses. This is because on Windows there is no common port registry equivalent to /etc/services as
in Solaris.
The port number must be a numeric value in the range 1026 65535. Values outside this range, and
non-numeric values are not allowed.
When you run the utility with the appropriate options, it displays messages on the actions it is
performing.Cisco Prime
It lists out all the files that are being updated. Before updating, the utility backs up all the affected files
in CSCOpx\conf\backup, and creates, appropriate, unique, sub-directories.
It also creates a new file called index.txt. This text file contains information about the changed port,
a list of all the files that are backed up, and their actual location in the Cisco Prime directory.
A sample backup may be similar to:
[drive:]
|
`--\Program Files
|
`--\CSCOpx
|
`--\conf
|

OL-25947-01
B-39
Appendix B
`--\backup
|
|--README.txt (Notes the purpose of this dir as it is initially empty)
|
`--\skc03._Ciscobak (Autogenerated unique backup directory).
|
|--index.txt
(The backup file list)
|--httpd.conf
(Webserver config file)
|--md.properties (CiscoWorks config elements)
|--mdc_web.xml
(Common Services application config file)
|--regdaemon.key (Common Services config registry key file)
|--regdaemon.xml (Common Services config registry data file)
`--ssl.properties (CiscoWorks config elements for SSL mode)
Note
All the above files and the unique directories are stored with read only permissions. Only the
administrator and casuser have write permissions, to ensure the security of the backup files.
The change port utility displays messages to the console during execution. These messages contain
information about the directory where the backup files are being stored. These messages are also logged
to a file, changeport.log.
This file is saved to the directory:
NMSROOT\log\changeport.log
This log file contains the date and time stamps to indicate when the log entries were created.
Q. How should I enable or disable web server SSL mode from the command line?
A. To enable or disable the web server SSL mode:
Step 1
Step 2
Run the ConfigSSL.pl script. Enter the commands:
Step 3
NMSROOT/bin/perl ConfigSSL.pl -enable (to enable the web server SSL mode from the
command line)
NMSROOT/bin/perl ConfigSSL.pl -disable (to disable the web server SSL mode from the
command line)
Start the Daemon Manager.
Q. How do I increase Tomcat heap size?

A. To increase Tomcat heap size:
Step 1
Run /etc/init.d/dmgtd stop
On Windows:
Run net stop crmdmgtd
Step 2
Run NMSROOT/bin/perl NMSROOT/bin/ModifyTomcatHeap.pl max heap in MB
B-40
OL-25947-01
Appendix B

Step 3
Start the Daemon Manager.
Run /etc/init.d/dmgtd stop
On Windows:
Run net start crmdmgtd
If Tomcat is already configured for higher memory than what you specify when you run the command,
the following message is displayed:
INFO: Tomcat is already configured with a higher heap value.
Q. How do I validate a Server certificate?

A. To do this:
Step 1
Navigate to the directory where the SSL Utility Script is located.

On Windows:
a.
Go to NMSROOT\MDC\Apache
b.
Enter NMSROOT\bin\perl SSLUtil.pl
a.
Go to NMSROOT/MDC/Apache/bin
b.
Enter NMSROOT/bin/perl SSLUtil.pl
After you have entered this command, the system displays a set of options.
Step 2
Select the fourth option Verify the input Certificate/Certificate Chain by entering 4.
Step 3
Enter the location of the server certificate NMSROOT/MDC/Apache/conf/ssl/server.crt

The script verifies if the server certificate is valid. If the script reports errors during validation and
verification, you have to regenerate the certificate by running SignTool.pl from the above directory.
Step 4
Note
Enter NMSROOT/bin/perl SignTool.pl [-SSL=true | -SSL=false]
NMSROOT is the directory where Cisco Prime is installed.
Q. How do I modify a certificate which is not self-signed?

A. LMS does not allow modifying certificates other than the self-signed certificates.
Q. What is the maximum number of connections allowed by Cisco Prime to access the web interface?
A. Tomcat, the servlet engine, shipped with Cisco Prime handles a maximum of 500 connections or http
requests.

OL-25947-01
B-41
Appendix B
Q. What version of Tomcat is installed on my server?

A. To find out the version of Tomcat installed on your server, you should:
Step 1
Navigate to the NMSROOT/MDC/tomcat/server/lib directory.
Step 2
Unzip the catalina.jar file available in this directory.
Step 3
Navigate to the location where you have extracted this jar file.
Step 4
Open the Serverinfo.properties file under the orgapachecatalinautil directory.

This file displays the version of Tomcat installed on the Cisco Prime LMS Server.
Q. Why does Apache server does not start during reboot process?
Anti-virus causes the processes to come up slowly after reboot. Delay the anti-virus during startup to
solve the issue. Ensure that the NMSROOT folder is excluded correctly from anti-virus and reboot the
server after shutting down the anti-virus completely.
Fault Management FAQs

The following section lists the frequently asked questions about Fault Management.
Q.How do I enable Incharge debugging, and execute Incharge commands?
Q.What is the difference between SNMP Raw Trap Forwarding and Processed SNMP Trap
alert/event Trap Forwarding? Does LMS support both of these methods?
Q.How can I receive Syslog messages from the LMS server?
Q.How can I create a link to the Java Plug-in in Netscape7.x and Mozilla 1.7.x?
Q. How do I enable Incharge debugging, and execute Incharge commands?

A. Select Admin > System > Debug Settings > Fault Debugging Settings. The Fault Debugging
Settings page appears. Click the Enable Incharge Debugging, and execute Incharge Commands
link. See, Enable Incharge Debugging for more information.
Q. What is the difference between SNMP Raw Trap Forwarding and Processed SNMP Trap alert/event
Trap Forwarding? Does LMS support both of these methods?

A. Yes, LMS supports both ways of Trap forwarding.
Raw Trap is forwarded by the Device to Fault Management and Fault Management has to process
it. To configure Raw Trap Forwarding, select Admin > Network > Notification and Action
Settings > Fault - SNMP trap forwarding.
When LMS receives certain SNMP traps, it analyzes the data found in fields such as
Enterprise/Generic trap identifier, Specific Trap identifier, and variable-bindings of each SNMP trap
message.
If needed, LMS changes the property value of the object property. These are Processed Traps. To
configure Processed event/alert trap forwarding, select Admin > Network > Notification and
Action Settings > Fault - SNMP trap forwarding. This configuration can also send trap
notifications if there is a threshold violation in the LMS managed devices.
For more information, refer to the Monitoring and Troubleshooting with Cisco Prime LAN
B-42
OL-25947-01
Appendix B

Q. How can I receive Syslog messages from the LMS server?

A. To receive Syslog messages from a LMS server:
Step 1
Enable Syslog from Admin > Network > Notification and Action Settings > Fault - Syslog
notification
Step 2
Point it to any Solaris machine and run the following:
/etc/init.d/syslog start
tail -f /var/adm/messages
Q. How can I create a link to the Java Plug-in in Netscape7.x and Mozilla 1.7.x?
A. Create a symbolic link to the Java Plug-in libjavaplugin_oji.so file in the Netscape 6.x/7.x or Mozilla
Plugins directory. To create the link, go to the command prompt and enter:
Step 1
cd /plugins
Step 2
ln -s /plugin/sparc/ns610/libjavaplugin_oji.so
Include the period at the end.

For Netscape 6.x/7.x or Mozilla browsers, restart your browser.
In Netscape, go to Help > About Plug-ins to confirm that the Java Plug-in is loaded.
Device Performance Management FAQs

Q. Can I set log levels for individual application modules? Where are these log files stored?
A. Yes. You can set log levels for all Device Performance Management modules. Log files are stored
at these locations:
On Windows: NMSROOT\log\, where NMSROOT is the Cisco Prime DPM installation directory.
On Solaris/Soft Appliance: /var/adm/CSCOpx/log/

Report specific logs are stored under DPMReportJobs under the log directory.

OL-25947-01
B-43
Appendix B
IPSLA Performance Management FAQs

This section provides the FAQs on IPSLA Performance Management:
Q.How can I enable debugging in IPSLA Performance Management?
Q.I have problems while migrating the IPSLA Performance Management data. What should I do?
Q. How can I enable debugging in IPSLA Performance Management?

A. Do the following:
Step 1
Select Admin > System > Debug Settings > IPSLA Debugging Settings.
The IPSLA Debugging Settings page appears.
Step 2
Select the module and log level from the Module and Logging Level drop-down lists.
The various log levels available are FATAL, ERROR, WARN, INFO, and DEBUG.
Step 3
Click Apply.
Q. I have problems while migrating the IPSLA Performance Management data. What should I do?
A. Check the following log files for information:
restorebackup.log
migration.log
ipmclient.log
ipmserver.log
B-44
OL-25947-01
A P P E N D I X

Cisco Prime Data Extraction Engine (DEE) is a utility to export User Tracking, Topology, and
Discrepancy application data.
This utility provides servlet and command line access to User Tracking, Topology and Discrepancy) and
allows you to extract data in Extensible Markup Language (XML) format.
This appendix contains:
The cmexport Command
cmexport Manpage

Data Extraction Engine (DEE) is a utility that provides servlet access to User Tracking, Layer 2
topology, and discrepancy data.
It also includes a command line utility that you can use to fetch user tracking data, Layer 2 topology, and
discrepancy data for devices discovered by LMS server.
This utility supports the following features:
Generating user tracking data in XML format:

Allows you to access servlet and command line utilities that can generate user tracking data for
devices discovered by LMS Server.
Generating Layer 2 topology data in XML format:

Allows you to generate the latest Layer 2 topology data including information on neighbor devices.
Elements in XML file are created at the device level.
Generating discrepancy data in XML format:

Allows you to use discrepancy APIs to retrieve latest discrepancy data from LMS server.

OL-25947-01
C-1
Appendix C
Archiving XML Data:

Data generated through CLI is archived at the following locations:
Table C-1
Data Archive Locations
For
Location
User Tracking
PX_DATADIR/cmexport/ut/timestamput.xml
Layer 2 Topology
PX_DATADIR/cmexport/L2Topology/
timestampL2Topology.xml
Discrepancy
PX_DATADIR/cmexport/Discrepancy/
timestampDiscrepancy.xml
where PX_DATADIR is either %NMSROOT%/files folder (on Windows) or /var/adm/CSCOpx/files

directory (on Solaris/Soft Appliance).
NMSROOT is the directory where you installed LMS; timestamp is the time at which the log was
written in YearMonthDateHourOfDayMinuteSecond format.
You can also specify a directory to store the output. This utility does not delete the files created in
the archive. You should delete these files when necessary. While generating data through the servlet,
the output appears at the client terminal.
Generating user tracking and configuration data in XML format using the Servlet:
Allows you to generate and download the user tracking, topology and discrepancy XML files using
the servlet.
You must upload a payload XML file, which contains the cmexport and utexport command options
and Cisco Prime user credentials.
You should write your own script to invoke the servlet with a payload of this XML file. If the
credentials are correct and options are valid, the servlet returns the exported file in XML format.

cmexport is the Cisco Prime LMS command line interface for exporting discrepancy and Layer 2
topology data details into XML format.
Running cmexport Command
cmexport Arguments and Options
Running cmexport Command

Command Line Syntax
Commands
C-2
OL-25947-01
Appendix C

Command Line Syntax
The command line syntax of the utility is in the following format:

cmexport
command arguments options
where:
is the Cisco Prime LMS command line interface for exporting User Tracking, Layer 2
topology, and discrepancy data details into XML format.
cmexport
command specifies the core operation that is to be performed.
arguments are the additional parameters required for each core command.
options are the optional parameters, which modify the behavior of the specific DEE core command.
The order of the arguments and options are not important. However, you must enter the core command
immediately after cmexport.
Commands
Table C-2 lists the command part of the cmexport syntax.

Table C-2
Command Descriptions
Core Command
Description
ut
Generates User Tracking data in XML format.
l2topology
Generates layer 2 topology data in XML format.
discrepancy
Generates discrepancy data in XML format.
You must invoke the cmexport command with one of the core commands specified in the above table. If
you do not specify any core commands, cmexport can only execute the -v or -h options:
Option -v displays the version of the cmexport utility
Option -h (or null option) lists the usage information for this utility.
cmexport Arguments and Options

Mandatory Arguments
Optional Arguments
Function-Specific Options
Displaying Help
Uses of cmexport

OL-25947-01
C-3
Appendix C
Mandatory Arguments
The arguments that must be specified with all functions are:
-u
userid: Specifies the Cisco Prime userid.
-p
password: Specifies the password for Cisco Prime userid.
If you want to avoid the -p option, which will reveal the password in clear text in CLI, you must
store your userid and password in a file and set a variable CMEXPORTFILE which points to this
file.
You must maintain this file and control access permissions to prevent unauthorized access. cmexport
looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the
full path.
If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken
from the command line instead of from CMEXPORTFILE. This is not secure and we
recommend that you do not use this option.
You must enter the password in the file in the following format:
userid password
where userid is the Cisco Prime user name given in the command line. The delimiter between the
userid and password is a single blank space.
You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the
password.
The password file can contain multiple entries with different user names. If there are duplicate
entries the password that matches the first user name is considered.
If -p password is used, the password is read from the command line instead of
CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
Note
Optional Arguments
The arguments you can specify with any function are:
-d
debuglevel
Sets the debug level based on which debug information is printed. There are two levels of
debuggingTRACE and DEBUG. If you do not specify the -d option, logging will not occur.
-l
logfile
Logs the results of the cmexport command to the specified log file name. By default the command
output is displayed in the standard output.
C-4
OL-25947-01
Appendix C

DEE supports the following function-specific option:
-f
filename
If used with:
User Tracking function

Specifies the name of the file to which the user tracking information is to be exported.
Topology function
Specifies the name of the file to which the layer 2 topology information is to be exported.
Discrepancy function
Specifies the name of the file to which the discrepancy information is to be exported.
Displaying Help
To display help for cm export Enter the following at a CLI prompt: cmexport -h.
This displays a list of options for cmexport.
On Solaris, you can also enter the following at a CLI prompt:
man cmexport
Uses of cmexport
If you enter:
cmexport ut
{u userid} p password host -f filename.xml
User Tracking XML output for host will be generated and it is stored in the file filename.xml.
If you want to export the latest topology details for all Layer 2 devices enter:
cmexport L2Topology {u
userid} p password -f filename.xml
If you want to export the latest discrepancy details, enter:

cmexport Discrepancy { u
userid} p password -f filename.xml
Notations
The notations followed in describing the command line arguments are explained below:
{argument}Argument is a mandatory parameter.
[argument]Argument is an optional parameter.
argumentArgument is a variable.
argument 1 | argument 2Either argument 1 or argument 2 may be specified but not both.
Table C-3 lists the notations part of the cmexport syntax.

OL-25947-01
C-5
Appendix C
Table C-3
Notations Descriptions
Command
Description
ut
cmexport ut {-u userid} [ -p password ] -host [

host-options ] | -phone [ phone-options ] [ options ]
l2topology
{-u userid} [-p password] [-f filename]
discrepancy
{-u userid} [-p password] [-f filename]
empty
[-v | -h]
-vDisplays
-hLists
the version of the cmexport utility.
the options available and function of each option.

This topic describes the cmexport User Tracking command, and the various options available to you. It
contains the following sections:
Name
Synopsis
Description
Mandatory Arguments
Accessing Help
Examples
Name
cmexport ut:
CiscoWorks cmexport user tracking function
Synopsis
cmexport ut: { -u
userid} [ -p password ] -host [ host-options ] | -phone [ phone-options ] [ options ]
C-6
OL-25947-01
Appendix C

Table C-4
Command Descriptions
Argument
Can be one of the Following
host-options
-query queryname
-query queryname -view viewname
-layout layoutname
-layoutlayoutname -view viewname
-query queryname -layout layoutname
-query queryname -layout layoutname -view viewname
phone-options
-queryPhone
queryname
-layoutPhone layoutname
-queryPhone
options
queryname --layoutPhone layoutname
-f filename
-d
debuglevel
-l logfile
Description
User Tracking (specified by ut) exports the user tracking data into an XML file based on a predefined
schema.
Mandatory Arguments
The options that must be specified with the cmexport ut function are:
-u
-p
password: Specifies the password for Cisco Prime userid.
If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store
your userid and password in a file and set a variable CMEXPORTFILE which points to this file.
full path.
from the command line instead of from CMEXPORTFILE. This is not secure and we recommend
that you do not use this option.
The password must be provided in the file in the following format:
userid password

OL-25947-01
C-7
Appendix C
password. The password file can contain multiple entries with different user names. The password
that matches the first user name is considered in case of duplicate entries.
Note
Specifies host data to be exported.
-host:
-phone:
Specifies phone data to be exported.
Options
The options you can specify with the ut function are:
-d
debuglevel
debuggingTRACE and DEBUG. If you do not specify the -d option, no logging will occur.
-l
logfile
Logs the results of the cmexport command to the specified logfile name. By default the command
output will be displayed in the standard output.
-f
filename
The file option specifies the filename where the XML output is to be stored. If the filename is not
specified with -f option, an XML file of the format timestamput.xml is stored in the following
directory: PX_DATADIR/cmexport/ut
-view
Specifies the format in which the user tracking XML data is to be presented. It supports two optional
arguments:
a. switch: User Tracking data is displayed based on the type of switch.
b. subnet: User Tracking data is displayed based on the subnet in which they are present.
The -view options are not case sensitive.
-query queryname
User Tracking host data is exported in XML format for the query provided in queryname. This
option must be used with the -host argument. For this option:
Create a Custom report for end hosts from the mega menu:
Reports > Report Designer > User Tracking > Custom Reports.
Use the Custom report name as a value here.
-layout layoutname
User Tracking host data is exported in XML format for the layout provided in layoutname. This
option must be used with the -host argument. For this option:
Create a Custom layout for end hosts in the following screen:
Reports > Report Designer > User Tracking > Custom Layouts.
Use the Custom layout name as a value here.
C-8
OL-25947-01
Appendix C

The Custom layouts are defined per user. An invalid layout name error message will be
displayed if layout name created by another user is entered as custom layout name.
Note
-queryPhone queryname
User Tracking phone data is exported in XML format for the query given in queryname. This option
must be used with the -phone argument. For this option:
Create a Custom report for IP phones in the following screen:
Reports > Report Designer > User Tracking > Custom Reports.
Use the Custom report name as a value here.
-layoutPhone layoutPhone
User Tracking phone data is exported in XML format for the layout given in layoutPhone. This
option must be used with the -phone argument. For this option:
Create a Custom layout for IP phones in the following screen:
Reports > Report Designer > User Tracking > Custom Layouts.
Use the Custom layout name as a value here.
Accessing Help
Enter the following in the CLI:
cmexport -h:
Displays a list of options for cmexport.
cmexport ut -h:
Displays a list of options for the cmexport ut command.
On Solaris, you can also enter the following in the CLI:

man cmexport
Examples
Considering userid: admin, password: admin, queryname: host1Query, layoutname: host1Layout,

queryphone: phone1Query, layoutphone: phone1Layout, filename: file1.xml, we can have the following:
cmexport
cmexport
cmexport
cmexport
cmexport
cmexport
cmexport
ut
ut
ut
ut
ut
ut
ut
-u
-u
-u
-u
-u
-u
-u
admin
admin
admin
admin
admin
admin
admin
-p admin -host
-p admin -phone
-p admin -host -query host1Query -layout all
-p admin -host -query host1Query -layout layoutname
-p admin -phone -queryPhone phone1Query -layoutPhone phone1Layout
-p admin -host -f file1.xml
-view switch -host

Name
Synopsis
Description
Mandatory Arguments
Accessing Help

OL-25947-01
C-9
Appendix C
Examples
Name
cmexport
L2Topology: Cisco Prime cmexport layer 2 topology function
Synopsis
cmexport l2topology
Table C-5
{-u userid} [ -p password ] [ options ]
Command Description
Argument
can be one of the following
options
-f filename
-d debuglevel
-l logfile
where cmexport l2topology -h lists the options available and function of each option.
Description
Layer 2 Topology (specified by l2topology) exports the Layer 2 topology data into an XML file based
on a predefined schema.
Mandatory Arguments
The options that you must specify with the cmexport L2Topology function are:
The options that you must specify with the cmexport L2Topology function are:
-u
userid: Specifies the Cisco Prime user ID.
-p
password
Specifies the password for Cisco Prime user ID.

full path.
userid password
C-10
OL-25947-01
Appendix C

Note
Options
The options you can specify with the layer 2 topology function are:
-d
debuglevel
-l
logfile
Logs the results of the cmexport command to the specified logfile name. By default the command
-f
filename
specified with -f option an XML file of the format timestampL2Topology.xml is stored in the
following directory: PX_DATADIR/cmexport/L2Topology
Accessing Help

cmexport -h:
cmexport l2topology -h:
Displays a list of options for the cmexport l2topology command.
On Solaris, you can also enter the following at a CLI:

man cmexport
Examples
Considering userid: admin, password: admin, filename: file1.xml, you can have the following:
cmexport L2Topology -u admin -p admin
cmexport L2Topology -u admin -p admin -f file1.xml
cmexport L2Topology -u admin -l file.log

OL-25947-01
C-11
Appendix C

Name
Synopsis
Description
Mandatory Arguments
Accessing Help
Examples
Name
cmexport Discrepancy:
Cisco Prime cmexport Discrepancy function.
Synopsis
cmexport discrepancy
{-u userid} [ -p password ] [ options ]
where
Table C-6
Command Description
Argument
Can be one of the Following
options
-f filename
-d debuglevel
-l logfile
cmexport discrepancy -help
lists the options available and the function of each option.
Description
Discrepancy (specified by Discrepancy) exports the Discrepancy data into an XML file based on a
predefined schema.
Mandatory Arguments
The options that you must specify with the cmexport Discrepancy function are:
-u
-p
password
Specifies the password for Cisco Prime userid.

full path.
If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from
the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you
do not use this option.
C-12
OL-25947-01
Appendix C


userid password
Note
Options
The options you can specify with the Discrepancy function are:
-d
debuglevel
-l
logfile
-f
filename
specified with -f option an XML file of the format timestampDiscrepancy.xml is stored in the
following directory: PX_DATADIR/cmexport/Discrepancy
Accessing Help

cmexport -h:
cmexport discrepancy -h:
Displays a list of options for the cmexport discrepancy command.

man cmexport
Examples
Considering userid: admin, password:admin, filename: file1.xml, you can have the following:
cmexport Discrepancy -u admin -p admin
cmexport Discrepancy -u admin -p admin -f file1.xml
cmexport Discrepancy -u admin -d 2

OL-25947-01
C-13
Appendix C
cmexport Manpage
cmexport Manpage
This sections contains:
Command Line Syntax
Commands
Arguments and Options
Accessing Help
Command Line Syntax

The command line syntax of the utility is in the following format:
cmexport
command arguments options
where:
is the Cisco Prime LMS command line interface for exporting User Tracking, Layer 2
topology, and discrepancy data details into XML format.
cmexport
command specifies the core operation that is to be performed.
arguments are the additional parameters required for each core command.
options are the optional parameters, which modify the behavior of the specific DEE core command.
The order of the arguments and options is not important. However, you must enter the core command
immediately after cmexport.
Commands
Table C-7
Command Description
Core Command
Description
ut
Generates User Tracking data in XML format.
l2topology
Generates Layer 2 topology data in XML format
discrepancy
Generates discrepancy data in XML format
You must invoke the cmexport command with one of the core commands specified in the above table. If
no core command is specified, cmexport can execute the -v or -h options only:
Option -v displays the version of the cmexport utility.
Option -h (or null option) lists the usage information of this utility.
C-14
OL-25947-01
Appendix C

cmexport Manpage
Arguments and Options

This sections contains:
Mandatory Arguments
Mandatory Arguments
The options that must be specified with all functions are:
-u
Optional Arguments
The options you can specify with any function are:
-p
password
Specifies the password for Cisco Prime userid.

full path.
userid password
Note
-d
debuglevel
-l
logfile

OL-25947-01
C-15
Appendix C
DEE Developers Reference
The following function-specific option is supported
-f
filename
If used with the:
User Tracking functionSpecifies the name of the file to which the user tracking information is to
be exported.
Topology functionSpecifies the name of the file to which the layer 2 topology information is to
be exported.
Discrepancy functionSpecifies the name of the file to which the discrepancy information is to be
exported.
Accessing Help
cmexport -h:
cmexport command -h:
Displays a list of options for the cmexport command.

man cmexport

The cmexport command exports data to XML format, as per the schema defined. When you need data
only for a few columns, remove the unwanted columns in the schema file. The schema files are available
in the following path in the LMS Server:
NMSROOT/campus/bin (Solaris/Soft Appliance)
NMSROOT\campus\bin (Windows)
The following are the schemas used for exporting the user tracking data in XML format:
Schema for User Tracking Data
User Tracking Schema for Switch Data
User Tracking Schema for Phone Data
User Tracking Schema for Subnet Data
Schema for Topology Data
Schema for Discrepancy Data
Using Servlet to Export Data from LMS
C-16
OL-25947-01
Appendix C

Schema for User Tracking Data

<?xml version="1.0" encoding="UTF-8" ?>

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
attributeFormDefault="unqualified">
<xs:element name="UTDetails">
<xs:complexType>
<xs:sequence>
<xs:element name="CMServer" type="xs:string" />
<xs:element name="CreatedAt" type="xs:string" />
<xs:element name="SchemaVersion" type="xs:string" />
<xs:element name="Heading" type="xs:string" />
<xs:element name="Query" type="xs:string" />
<xs:element name="Layout" type="xs:string" />
<xs:element ref="UTData" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="UTData">
<xs:complexType>
<xs:sequence>
<xs:element name="Index" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="MACAddress" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="HostName" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="IPAddress" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Subnet" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="IPv6Address" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="PrefixLength" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Prefix" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="DeviceName" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Device" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Port" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="PortName" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="PortState" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="PortDuplex" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="PortSpeed" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="VTPDomain" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="VLAN" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="VLANId" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="VLANType" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="ParentVLAN" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="SecondaryVlan" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Ring" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Bridge" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="LastSeen" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Notes" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="dot1xEnabled" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="associatedRouters" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="discrepancyEnabled" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="bestPracticesDeviationEnabled" type="xs:string" minOccurs="0" maxOccurs="1"
/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>

OL-25947-01
C-17
Appendix C
User Tracking Schema for Switch Data


<xs:complexType>
<xs:sequence>
<xs:element name="CMServer" type="xs:string"/>
<xs:element name="CreatedAt" type="xs:string"/>
<xs:element name="SchemaVersion" type="xs:string"/>
<xs:element name="Heading" type="xs:string"/>
<xs:element name="Query" type="xs:string"/>
<xs:element name="Layout" type="xs:string"/>
<xs:element ref="SwitchUTData" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="SwitchUTData">
<xs:complexType>
<xs:sequence>
<xs:element name="DeviceName" type="xs:string"/>
<xs:element name="DeviceIP" type="xs:string"/>
<xs:element name="UTData" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:complexType>
<xs:sequence>
<xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="MACAddress" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="HostName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="IPAddress" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Subnet" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="IPv6Address" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PrefixLength" type="xs:string" minOccurs="0"
maxOccurs="1"/>
<xs:element name="Prefix" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Port" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortState" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortDuplex" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortSpeed" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VTPDomain" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLANId" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLANType" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="trBRFVLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="SecondaryVlan" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Ring" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Bridge" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="LastSeen" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Notes" type="xs:string" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
C-18
OL-25947-01
Appendix C

User Tracking Schema for Phone Data

<xs:annotation>
<xs:documentation>It gives the Phone details</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element name="PhoneQuery" type="xs:string"/>
<xs:element name="PhoneLayout" type="xs:string"/>
<xs:element ref="PhoneData" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="PhoneData">
<xs:complexType>
<xs:sequence>
<xs:element name="PhoneNumber" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="CCMAddress" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Status" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PhoneType" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PhoneDescr" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="DeviceName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Device" type="xs:string" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
User Tracking Schema for Subnet Data


<xs:complexType>
<xs:sequence>
<xs:element name="Query" type="xs:string"/>
<xs:element name="Layout" type="xs:string"/>
<xs:element ref="SubnetUTData" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="SubnetUTData">

OL-25947-01
C-19
Appendix C
<xs:complexType>
<xs:sequence>
<xs:element name="SubnetId" type="xs:string"/>
<xs:element name="UTData" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:complexType>
<xs:sequence>
<xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="HostName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="IPv6Address" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PrefixLength" type="xs:string" minOccurs="0"
maxOccurs="1"/>
<xs:element name="Prefix" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="DeviceName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Device" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortState" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortDuplex" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortSpeed" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VTPDomain" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLANId" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLANType" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="trBRFVLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="SecondaryVlan" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Ring" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Bridge" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Notes" type="xs:string" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Schema for Topology Data

<xs:element name="CMData">
<xs:complexType>
<xs:sequence>
<xs:element ref="Layer2Details" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Layer2Details">
<xs:complexType>
<xs:sequence>
<xs:element ref="Device" minOccurs="0" maxOccurs="unbounded"/>
C-20
OL-25947-01
Appendix C

</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Device">
<xs:complexType>
<xs:sequence>
<xs:element name="DeviceName" type="xs:string"/>
<xs:element name="IPAddress" type="xs:string"/>
<xs:element name="DeviceState">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:pattern value="Reachable"/>
<xs:pattern value="UnReachable"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="DeviceType" type="xs:string"/>
<xs:element ref="Neighbors" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Neighbors">
<xs:complexType>
<xs:sequence>
<xs:element ref="Neighbor" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Neighbor">
<xs:complexType>
<xs:sequence>
<xs:element name="NeighborIPAddress" type="xs:string"/>
<xs:element name="NeighborDeviceType" type="xs:string"/>
<xs:element name="Link" type="xs:string"/>
<xs:element name="LocalPort" type="xs:string"/>
<xs:element name="RemotePort" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Schema for Discrepancy Data

<?xml version="1.0" encoding="UTF-8" ?>

<xs:element name="CMData">
<xs:complexType>
<xs:sequence>
<xs:element name="CMServer" type="xs:string" />
<xs:element name="CreatedAt" type="xs:string" />
<xs:element name="SchemaVersion" type="xs:string" />
<xs:element name="Heading" type="xs:string" />
<xs:element ref="Discrepancies" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Discrepancies">
<xs:complexType>
<xs:sequence>
<xs:element ref="Best-Practices-Deviation" minOccurs="0" maxOccurs="unbounded" />

OL-25947-01
C-21
Appendix C
<xs:element ref="Network-Discrepancy" minOccurs="0" maxOccurs="unbounded" />

</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Best-Practices-Deviation">
<xs:complexType>
<xs:sequence>
<xs:element name="Details" type="xs:string" />
<xs:element name="Type" type="xs:string" />
<xs:element name="Severity">
<xs:simpleType>
<xs:pattern value="High" />
<xs:pattern value="Medium" />
<xs:pattern value="Low" />
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="Description" type="xs:string" />
<xs:element name="FirstFound" type="xs:string" />
<xs:element name="Acknowledged" type="xs:string" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Network-Discrepancy">
<xs:complexType>
<xs:sequence>
<xs:element name="Details" type="xs:string" />
<xs:element name="Type" type="xs:string" />
<xs:element name="Severity">
<xs:simpleType>
<xs:pattern value="High" />
<xs:pattern value="Medium" />
<xs:pattern value="Low" />
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="Description" type="xs:string" />
<xs:element name="FirstFound" type="xs:string" />
<xs:element name="Acknowledged" type="xs:string" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Using Servlet to Export Data from LMS

The servlet allows you to access DEE features using simple scripts. You can invoke DEE functions by
running the script that connects to the LMS server and retrieves the data.
You can send the commands to export user tracking, topology, and discrepancy data (cmexport and
utexport) as HTTP or HTTPS requests to a special LMS server URL. This URL identifies a servlet that
accepts the request and authenticates the requesting user identity and credentials before authorizing the
information exchange.
To export User Tracking data, use UTExportServlet.
To export Discrepancy and Layer 2 Topology data, use CMExportServlet.
C-22
OL-25947-01
Appendix C

To invoke cmexport and utexport commands, the servlet requires a payload file that contains details
such as:
User credentials
The command you want to execute.
Optional details such as log and debug options as inputs in XML format.
The servlet then parses the payload file encoded in XML, performs the operations, and returns the results
in XML format. You must create the payload file to include the input details and submit it when you ask
for servlet access.
Typically, servlet access is used when you need to use the data export feature from a client system.
To use DEE export features, you can write a script to upload the payload file and perform the data export
functions.
See the following sample scripts:
Sample Perl Script (test.pl) to Access the Servlet
Sample Java Code to Access the Servlet
For example, if you are using the script test.pl, you can invoke the servlet in either of these modes:
HTTP Mode
HTTPS Mode
HTTP Mode
For Discrepancy and Layer 2 topology data export, enter:

perl test.pl http://campus-server:1741/campus/servlet/CMExportServlet payload.xml
For User Tracking data export, enter:

perl test.pl http://campus-server:1741/cmapps/UTExportServlet payload.xml
HTTPS Mode
For Discrepancy and Layer 2 topology data export, enter:

perl test.pl https://campus-server/campus/servlet/CMExportServlet payload.xml
For User Tracking data export, enter:

perl test.pl https://campus-server/cmapps/UTExportServlet payload.xml
Sample Perl Script (test.pl) to Access the Servlet

#!/opt/CSCOpx/bin/perl
use LWP::UserAgent;
$| = 1;
$temp = $ARGV[0] ;
$fname = $ARGV[1] ;
if ( -f $fname ) {
open (FILE,"$fname") || die "File open Failed $!";
while ( <FILE> )
{
$str .= $_ ;
}
close(FILE);
}
url_call($temp);

OL-25947-01
C-23
Appendix C
#-- Activate a CGI:

sub url_call {
my ($url) = @_;
my $ua = new LWP::UserAgent;
$ua->timeout(5000);
my $hdr = new HTTP::Headers 'Content-Type' => 'text/html';
my $req = new HTTP::Request ('GET', $url, $hdr);
$req->content($str);
my $res = $ua->request($req);
my $result;
if ($res->is_error)
{
print "ERROR : ", $res->code, " : ", $res->message, "\n";
$result = '';
}
else
{
$result = $res->content;
if($result =~ /Authorization error/)
{
print "Authorization error\n";
}
else
{
print $result ;
}
}
}
Sample Java Code to Access the Servlet

import
import
import
import
import
java.io.*;
java.net.URL;
java.net.HttpURLConnection;
java.lang.String;
java.lang.Byte;
class CMExportServletRun {
static void main (String args[])
{
try {
URL url = new URL("http://localhost:1741/campus/servlet/CMExportServlet");
String payload = "adminadminut_hostdee.log1";
HttpURLConnection con;
InputStream is;
//opens connection to servlet
con = (HttpURLConnection)url.openConnection();
con.setRequestMethod("POST");
con.setRequestProperty("Content-type", "text/xml");
con.setDoOutput(true);
con.setUseCaches(false);
OutputStream bos = new BufferedOutputStream(con.getOutputStream());
PrintWriter out = new PrintWriter(bos);
out.println(payload);
out.flush();
out.close();
C-24
OL-25947-01
Appendix C

//prints out response from CMExportServlet

byte [] strBytes=new byte[10];
int noOfBytes = 0;
is = con.getInputStream();
BufferedReader bfr = new BufferedReader(new InputStreamReader(is));
String str = null ;
while ( ( str = bfr.readLine()) != null ) {
System.out.println(str);
}
}
catch (Exception e) {
System.out.println(e.toString());
}
}
}
Payload File
The payload file is an XML file that contains inputs required for the DEE servlet to process requests for
data export. Schema for the payload XML file is given in Schema for Payload File.
Table C-8 describes the elements in the schema.
Table C-8
Elements in the Schema
Element
Description
username
Cisco Prime user name.
password
Password for Cisco Prime username.
command
Command inside this tag can be ut_host, ut_phone, l2topology or

discrepancy.
view
Use this option when you specify ut_host. This is optional.

This specifies the presentation of the User Tracking data in the
hierarchical format with either switch or subnet as the root.
queryname
User Tracking host data is exported in XML format for the query provided
in queryname.
You can use this option when you specify ut_host
layoutname
User Tracking host data is exported in XML format for the layout provided
in layoutname.
You can use this option when you specify ut_host
queryphone
User Tracking phone data is exported in XML format for the query given
in queryphone.
You can use this option when you specify ut_phone

OL-25947-01
C-25
Appendix C
Table C-8
Elements in the Schema (continued)
Element
Description
layoutphone
User Tracking phone data is exported in XML format for the layout given
in layoutPhone.
You can use this option when you specify ut_phone
debug
Optional. Debug messages can be collected only if log file is specified in

the log option. The debug level could be 1 or 2. You can set the value to:
1For basic debug information.
2For detailed debug information.
This is optional.
This section also describes:
Sample Payload File
Schema for Payload File
Sample Payload File

<payload>
<username>username</username>
<password>password</password>
<command>ut_host</command>
<debug>1</debug>
<view></view>
</payload>
Schema for Payload File
You can use the following schema for creating the payload file in XML format.
<xs:element name="payload">
<xs:complex Type>
<xs:sequence>
<xs:element name="username" type="xs:string"/>
<xs:element name="password" type="xs:string"/>
<xs:element name="command" type="xs:string"/>
<xs:element name="view" type="xs:string"/>
<xs:element name="queryname" type="xs:string"/>
<xs:element name="layoutname" type="xs:string"/>
<xs:element name="queryphone" type="xs:string"/>
<xs:element name="layoutphone" type="xs:string"/>
<xs:element name="debug" type="xs:string"/>
</xs:sequence>
</xs:complex Type>
</xs:element>
C-26
OL-25947-01
A P P E N D I X

The Cisco Prime LMS Server provides some of the security controls necessary for a web-based network
management system. It also relies heavily on the end users own security measures and controls to
provide a secure computing environment for Cisco Prime applications.
The Cisco Prime LMS Server provides and requires three levels of security to be implemented to ensure
a secure environment:
General SecurityPartially implemented by the client components of Cisco Prime and by the
system administrator.
Server SecurityPartially implemented by the server components of Cisco Prime and by the system
administrator.
Application SecurityImplemented by the client and server components of the Cisco Prime
applications.
For more information on security related features, see Setting up Security.

The following sections describe the general and server security levels.
General Security
The Cisco Prime LMS Server provides an environment that allows the deployment of web-based network
management applications.
Web access provides an easy-to-use and easy-to-access computing model that is more difficult to secure
than the standard computing model that only requires a system login to execute applications.
The Cisco Prime LMS Server also provides security mechanisms (authentication and authorization) used
to prevent unauthenticated access to the Cisco Prime LMS Server and unauthorized access to Cisco
Prime applications and data.
However, Cisco Prime applications can change the behavior and security of your network devices.
Therefore, it is critical to limit access to applications and servers as follows:
Limit access to personnel who need access to applications or the data that the applications provide.
Limit Cisco Prime LMS Server logins to just the systems administrator.
Limit connectivity access to the Cisco Prime LMS Server by putting it behind a firewall.

OL-25947-01
D-1
Appendix D
Server Security
Server Security
The Cisco Prime LMS Server uses the basic security mechanisms of the operating system to protect the
code and data files that reside on the server. The following Cisco Prime LMS Server security control
elements apply:
ServerImposed Security
System Administrator-Imposed Security
ServerImposed Security
The Cisco Prime LMS Server has many dimensions, such as:
Files, File Ownership, and Permissions
Runtimer
Remote Connectivity
Access Control
Files, File Ownership, and Permissions

The following describes the file ownership and permissions.
UNIX SystemsCisco Prime must be installed by a user with root privilege. It should be installed
as the user, casuser with a casusers group. If the system administrator needs to work on causer files,
a user with a name chosen by the system administrator, must be created and added to the causers
group.
All files and directories are owned by casuser with group equal to casusers. Temporary files are
created as the user casuser with permissions set to read-write for the user casuser and read for
members of group casusers.
The only exception to this rule is the log files created by the Cisco Prime web server and
diskWatcher. The Cisco Prime web server and diskWatcher must be started as root. Therefore, their
log files are owned by the user root with group=casusers.
Windows SystemsCisco Prime must be installed by the administrator and must be installed as the
user casuser.
If it is a new installation, the system displays a message prompting you to either create or to
cancel the process. You can enter the password or it can be automatically generated.
If it is not a new installation, the system displays a message prompting you to either continue
resetting the password or to retain the old password.

The Cisco Prime LMS Server uses the password but the casuser user is not intended as a general user
of the Windows system. No user is required to log on the Windows system as casuser.
All files and directories are owned by the user casuser. Read and write access are restricted to the
user casuser and the administrator. Temporary files are created as the user casuser with permissions
set to read-write for the user casuser.
The Cisco Prime LMS Server relies on the security mechanisms of the NTFS filesystem to provide
access control on Windows systems. If Cisco Prime is installed on a FAT filesystem, most security
assumptions made about controlled access to files and network management data are not valid.
D-2
OL-25947-01
Appendix D

Server Security
Runtimer
This describes the runtime activities.
UNIX SystemsTypically Cisco Prime back-end processes are run with permissions set to the user
ID of the binary file.
For example, if user Joe owns an executable file, it will be run by the Cisco Prime daemon
manager under the user ID of Joe).
The exception are files owned by the root user ID. To prevent a potentially harmful program from
being run by the daemon manager with root permissions, the daemon manager will run only a
limited set of Cisco Prime programs that need root privilege.
This list is not documented to preclude any user from trying to impersonate these programs.
All back-end processes are run with a umask value of 027. This means that all files created by these
programs are created with permissions equal to rwxr-x, with an owner and group of the user ID
and group of the program that created it. Typically this will be casuser and group=casusers.
Cisco Prime foreground processes (typically cgi-bin programs or servlets) are executed under the
control of the web servers child processes or the servlet engine, which all run as the user casuser.
Cisco Prime uses standard UNIX tftp and rcp services. Cisco Prime also requires that user casuser
have access to the directories that these services read and write to.
The Cisco Prime LMS Server must allow the user casuser to run cron and at jobs to enable the
Resource Manager Essentials Software Management application to run image download jobs.
WindowsCisco Prime back-end processes are run with permissions set to the user casuser. Some
of the special Cisco Prime LMS Server processes are run as a service under the localsystem user ID.
These processes include:
Daemon manager
Web server
Servlet engine
Rcp/rsh service
TFTP service
Corba service
Database engine
Cisco Prime foreground processes (typically cgi-bin programs or servlets) are run under the control
of the web server and the servlet engine that run as the user localsystem.
The local system user has special permissions on the local system but does not have network
permissions.
Cisco Prime provides several services for RCP, TFTP communication with devices. These services
are targeted for use by Cisco Prime applications, but can be used for purposes other than network
management.
The Cisco Prime Server uses the at command to run software update jobs for the Resource Manager
Essentials Software Image Manager application. Jobs run by the at command, run with system level
privileges.

OL-25947-01
D-3
Appendix D
Server Security
Remote Connectivity
The remote connectivity details for Windows and Solaris are:
UNIX SystemsThe Cisco Prime daemon manager only responds to requests to start, stop, register,
or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server.
Windows SystemsThe Cisco Prime daemon manager only responds to requests to start, stop,
register, or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server.

The access details for UNIX and Windows are:
UNIX SystemsSystems used by the Cisco Prime LMS Server as remote sources of device
information for importing into the LMS Inventory Manager application must allow the user casuser
to perform remote shell operations on the user who owns the device information.
Windows SystemsSystems used by the Cisco Prime Server as remote sources of device
information for importing into the LMS Inventory Manager application must allow the user casuser
to perform remote shell operations on the user who owns the device information.
Access Control
The access control details are:
UNIX SystemsThe UNIX user casuser is a user ID that is not typically enabled for login.
Using this user ID as the user ID under which to install the Cisco Prime Server software simplifies
the installation process and ensures limited access to the Cisco Prime Server. This is because casuser
is not a valid login ID as there is no password assigned to it.
However, the casuser user on UNIX systems can perform system and possibly network-wide
operations that could be harmful to the system or the network.
Windows SystemsThe user casuser, created as part of the install process, has no special
permissions or considerations on a system so it is a safe user ID under which to run the Cisco
Prime Server and application code. The localsystem user can perform harmful system operations.
Therefore, consider that by using the localsystem user ID to run some of the backend processes, the
localsystem user ID cannot perform network operations.
Note
The system administrator should review and adopt the security recommendations in System
Administrator-Imposed Security.
D-4
OL-25947-01
Appendix D

Server Security
System Administrator-Imposed Security

To maximize Cisco Prime LMS Server security, follow these security guidelines:
Do not allow users other than the systems administrator to have a login on Cisco Prime LMS Server.
Do not allow the Cisco Prime LMS Server file systems to be mounted remotely with NFS or any
other file-sharing protocol.
Limit remote access (for example, FTP, RCP, RSH) to Cisco Prime LMS Server to those users who
are permitted to log into Cisco Prime LMS Server.
Place your network management servers behind firewalls to prevent access to the systems from
outside of your organization.
Change the database password after installation and periodically based on your companys security
policies.
Back up the security certificates in a safe location, if you are using SSL in Cisco Prime LMS Server.
Connection Security
The Cisco Prime LMS Server uses Secure Socket Layer (SSL) encryption to provide secure connection
between the client browser and management server, and Secure Shell (SSH) to provide secure access
between the management server and devices.
Security Certificates
Security certificates are similar to digital ID cards. They prove the identity of the server to clients.
Certificates are issued by Certificate Authorities (CAs) such as VeriSign or Thawte.
A certificate vouches for the identity and key ownership of an individual, a computer system (or a
specific server running on that system), or an organization. It is a general term for a signed document.
Typically, certificates contain the following information:
Note
Subject public key value.
Subject identifier information (such as the name and e-mail address).
Validity period (the length of time that the certificate is considered valid).
Issuer identifier information.
The digital signature of the issuer. This attests to the validity of the binding between the subject
public key and the subject identifier information.

A certificate is valid only for the period of time specified within it. Every certificate contains Valid From
and Valid To dates, which are the boundaries of the validity period.
For example, a user's certificate verifies that the user owns a particular public key. The server certificate
for the server named myserver.cisco.com verifies that a specific public key belongs to this server.
Certificates can be issued for a variety of functions such as web user authentication, web server
authentication, secure e-mail (S/MIME), IP Security, Transaction Layer Security (TLS), and code
signing.

OL-25947-01
D-5
Appendix D
Server Security
Cisco Prime LMS Server supports security certificates for authenticating secure access between client
browser and management server.
Cisco Prime supports Self signed certificates and provides an option to create self-signed certificates.
For more information, see Creating Self Signed Certificates.
Terms and Definitions

The following explains the terms and corresponding definitions in Cisco Prime:
Secure Socket Layer (SSL)
Public Key, Private Key
Secure Shell (SSH)
PKCS#8
Base64- Encoded X.509 Certificate Format
Certificate Authority
Cisco Prime TrustStore or KeyStore
Secure Socket Layer (SSL)

Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data
through privacy, authentication, and data integrity. It relies upon certificates, public keys, and private
keys.
Public Key, Private Key

Public and private keys are the ciphers used to encrypt and decrypt information. While the public key is
shared quite freely, the private key is never given out. Each public-private key pair works together. Data
encrypted with the public key can only be decrypted with the private key.
Secure Shell (SSH)

Secure Shell (SSH) is an application and a protocol that provide a secure replacement to the Berkeley
r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the application
can be used similarly to the Berkeley rexec and rsh tools.
Two versions of SSH are currently available: SSH Version 1 and SSH Version 2.
PKCS#8
Public-Key Cryptography Standards (PKCS) are a set of standards for public-key cryptography,
developed by RSA Laboratories in cooperation with an informal consortium, originally including Apple,
Microsoft, DEC, Lotus, Sun and MIT.
The PKCS have been cited by the OIW (OSI Implementers' Workshop) as a method for implementation
of OSI standards.
The PKCS are designed for binary and ASCII data; PKCS are also compatible with the ITU-T X.509
standard. The published standards are PKCS #1, #3, #5, #7, #8, #9, #10, #11, #12, and #15; PKCS #13
and #14 are currently being developed.
PKCS #8 describes a format for private key information. This information includes a private key for
some public-key algorithm, and optionally a set of attributes.
D-6
OL-25947-01
Appendix D

Server Security
Base64- Encoded X.509 Certificate Format

X.509 certificate format is an emerging certificate standard. It is part of the OSI group of standards.
X.509 certificates are very clearly defined using a notation called ASN.1 (Abstract Syntax Notation 1)
which specifies the precise kinds of binary data that make up the certificate.
ASN.1 can be encoded in many ways, but the emerging standard is an encoding called DER
(Distinguished Encoding Rules), which results in a compact binary certificate.
For e-mail exchange purposes the binary certificate is often Base64 encoded, resulting in an ASCII text
document that looks like the following:
-----BEGIN CERTIFICATE----MIIC4jCCAkugAwIBAgIEA0E1UDANBgkqhkiG9w0BAQBhMC
VVMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTYNQ2lz
Y28gU3lzdGVtczENMAsGA1UECxMERU1CVTEqMCgG0ZXN0
MiBDZXJ0aWZpY2F0ZSBNYW5hZ2VyMB4XDTAyMDas3DA4
NTgwOVowgYIxCzAJBgNVBAYTAklOMQswCQYDVQQIQ2hl
bm5haTEMMAoGA1UEChMDSENMMQ0wCwYDVQQLEtzZGlu
YWthci1wYzEhMB8GCSqGSIb3DQEJARYSc2RpbmFrYXfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDV1o9PyO7txr5vme
FU/f9tp5To/HaLIWHVx9zpihPnVuKaepp8kcEXO8Sed8crXeU8BP
9qHoIswGn1oJEGFXm9gs5uupJyAgeDd6O9eCuQbiSKgE1sFGFSL
xNGQJZbCrQIDAQABo2UwYzARBglghkgBhvhCAQEEB/BAQD
-----END CERTIFICATE-----
Cisco Prime requires the Certificates to be uploaded in this format.
Note
Other certificate formats such as PKCS#7 also have similar formats. Hence it is important that you
confirm with the CA the format of the certificate, and request specifically for Base64 Encoded
X.509Certificates formats.
Certificate Authority
A certificate authority (CA) is an authority in a network that issues and manages security credentials and
public keys for message encryption.
As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify
information provided by the requestor of a digital certificate. If the RA verifies the requestor's
information, the CA then issues a certificate.
Cisco Prime TrustStore or KeyStore

Cisco Prime TrustStore or KeyStore is the location where Cisco Prime maintains the list of Certificates
that it trusts.
The KeyStore location is:
NMSROOT\MDC\Apache\conf\ssl (on Windows)
NMSROOT/MDC/Apache/conf/ssl (on Solaris/Soft Appliance)

OL-25947-01
D-7
Appendix D
Server Security
D-8
OL-25947-01
A P P E N D I X
Commands to Enable MAC Notification Traps on

Devices
This appendix provides information on the list of commands that needs to run on each device to enable
MAC Notification traps.
This appendix contains the following:

Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps sent by
devices to Network Topology, Layer 2 Services and User Tracking . These traps are sent as and when
there are changes to the network.
You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification traps when a
host is connected to or disconnected from that port.
If you do not have Configuration Management enabled on your LMS server, you have to manually
configure the switches, for the switches to send MAC Notifications to the LMS server.
To manually configure the switches:
Step 1
Choose Admin > Trust Management > Multi Server > System Identity Setup.
Step 2
Renter the password for the System Indentity user.
Ensure that the System Indentity User user name and password are are valid, also under Admin >
System > User Management > Local User Setup.
See the section Understanding Dynamic Updates in User Tracking and Dynamic Updates for more
information.

OL-25947-01
E-1
Appendix E

The list of commands that needs to be run on the devices are stored on the built-in XML file namely,
MACCommands.XML in a hierarchical manner.
The list of commands available are:
Global commands
Device Family-specific commands
Device Type-specific commands
Device Operating System version-specific commands
While configuring, Network Topology, Layer 2 Services and User Tracking selects the commands for
each device based on the fallback rule in the following order:
1.
Device Operating System version-specific commands
2.
Device Type-specific commands
3.
Device Family-specific commands
4.
Global commands
If a device OID matches an OS version, the Device OS version-specific commands should be selected to
configure the device. Otherwise, the Device Type-specific commands should be selected.
If a device OID could not find a specific match on both Device OS version-specific commands and
Device Type-specific commands, the Device-Family specific commands should be selected.
The Global commands are selected for configuring the device when there is no match of Device OS
version-specific, Device Type-specific, or Device Family-specific commands available for the device.
The device is considered as an unknown device type when there is no match of any of the command sets
available. In other words, for an unknown device type, command set will not be generated.

A device OID finds a match from the OS versions first, in the XML file.
A range of OS versions for which the command set remains the same, are indicated in the osversion tag
in the XML file.
The range of OS versions are represented using brackets [ ] and parantheses ( ). Brackets [ ] indicate an
inclusive list of OS versions. Parantheses ( ) indicate an exclusive list of OS versions.
The following are the examples for OS version ranges:
[12.2(40),12.2(43)) denotes all OS versions between 12.2(40) and 12.2(43) including 12.2(40) and
excluding 12.2(43).
[,12.2(40)] denotes all OS versions prior to 12.2(40) and including version 12.2(40).
[12.1(19)EA1,12.2(46)SE) denotes all OS versions 12.1(19)EA1 and later, and prior to 12.2(46)SE.
E-2
OL-25947-01
Appendix E


Table E-1 explains the list of commands that needs to be run on the devices.
Table E-1
List of Commands to Enable SNMP Traps in Devices
Device Family
Device Type
SysOID
Global Command Set
default
mac address-table
notification:mac
address-table notification
interval 15:snmp-server
enable traps
MAC-Notification:snmp-ser
ver host HOST version
TRAPVERSION
COMMUNITY udp-port
PORT mac-notification
Interface
Command Set
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
OS Version
-

OL-25947-01
E-3
Appendix E
Table E-1
List of Commands to Enable SNMP Traps in Devices (continued)
Device Family
Device Type
Interface
Command Set
SysOID
Global Command Set
mac address-table
notification change:mac
change interval
15:snmp-server enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
C3750-STACK 1.3.6.1.4.1.9.1.516
mac-address-table
notification:mac-address-tabl
e notification interval
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
mac address-table
change interval
TRAPVERSION
COMMUNITY udp-port
PORT mac-notificatio
snmp trap
mac-notification
change
added:snmp trap
mac-notification
change removed
12.2(52)SE
C3750-STACK -
OS Version
E-4
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
SysOID
C3750-STACK NME16ES1GP 1.3.6.1.4.1.9.1.663

(continued)
NME16ES1GP 1.3.6.1.4.1.9.1.702
Global Command Set
Interface
Command Set
OS Version
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)

OL-25947-01
E-5
Appendix E
Table E-1
Device Family
Device Type
C3750-STACK NMEX23ES1
GP
(continued)
NMEXD24ES
1SP
Interface
Command Set
SysOID
Global Command Set
1.3.6.1.4.1.9.1.664
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
1.3.6.1.4.1.9.1.665
OS Version
E-6
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
C3750-STACK NMEXD48ES
2SP
(continued)
C3550-24ME
Interface
Command Set
SysOID
Global Command Set
1.3.6.1.4.1.9.1.666
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
1.3.6.1.4.1.9.1.574
OS Version

OL-25947-01
E-7
Appendix E
Table E-1
Device Family
Device Type
C3750-STACK C3550-24ME
Global Command Set
1.3.6.1.4.1.9.1.589
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
(continued)
C3550-24ME
Interface
Command Set
SysOID
1.3.6.1.4.1.9.1.590
OS Version
E-8
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
Global Command Set
1.3.6.1.4.1.9.1.591
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
(continued)
C3550-24ME
Interface
Command Set
SysOID
1.3.6.1.4.1.9.1.592
OS Version

OL-25947-01
E-9
Appendix E
Table E-1
Device Family
Device Type
Global Command Set
1.3.6.1.4.1.9.1.688
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
(continued)
C3750-24P
Interface
Command Set
SysOID
1.3.6.1.4.1.9.1.536
OS Version
E-10
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
C3750-STACK C3750
Global Command Set
1.3.6.1.4.1.9.1.530
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
(continued)
C3750
Interface
Command Set
SysOID
1.3.6.1.4.1.9.1.511
OS Version

OL-25947-01
E-11
Appendix E
Table E-1
Device Family
Device Type
C3750-STACK C3750
Global Command Set
1.3.6.1.4.1.9.1.512
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
(continued)
C3750
Interface
Command Set
SysOID
1.3.6.1.4.1.9.1.513
OS Version
E-12
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
C3750-STACK C3750
Global Command Set
1.3.6.1.4.1.9.1.514
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
(continued)
C3750
Interface
Command Set
SysOID
1.3.6.1.4.1.9.1.535
OS Version

OL-25947-01
E-13
Appendix E
Table E-1
Device Family
Device Type
C3750-STACK C3750
Global Command Set
1.3.6.1.4.1.9.1.602
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
(continued)
C3750
Interface
Command Set
SysOID
1.3.6.1.4.1.9.1.603
OS Version
E-14
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
C3750-STACK C3750P
Global Command Set
1.3.6.1.4.1.9.1.604
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
(continued)
C3750
Interface
Command Set
SysOID
1.3.6.1.4.1.9.1.624
OS Version

OL-25947-01
E-15
Appendix E
Table E-1
Device Family
Device Type
C3750-STACK C3750
Global Command Set
1.3.6.1.4.1.9.1.656
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[12.1(19)EA1,12
.2(46)SE)
(continued)
C3550
Interface
Command Set
SysOID
OS Version
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
C3550-24
1.3.6.1.4.1.9.1.366
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C3550-48
1.3.6.1.4.1.9.1.367
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
E-16
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
SysOID
Global Command Set
C3550
C3550-12T
1.3.6.1.4.1.9.1.368
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C3550-12G
1.3.6.1.4.1.9.1.431
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C3550-24FX
1.3.6.1.4.1.9.1.453
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C3550-24DC
1.3.6.1.4.1.9.1.452
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C3550-24PWR 1.3.6.1.4.1.9.1.485
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
(continued)
Interface
Command Set
OS Version

OL-25947-01
E-17
Appendix E
Table E-1
Device Family
Device Type
SysOID
Global Command Set
C3550
C3560-24PS
1.3.6.1.4.1.9.1.563
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C3560-48PS
1.3.6.1.4.1.9.1.564
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C3560G-24PS
1.3.6.1.4.1.9.1.614
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C3560G-24TS
1.3.6.1.4.1.9.1.615
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C3560G-48PS
1.3.6.1.4.1.9.1.616
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
(continued)
Interface
Command Set
OS Version
E-18
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
SysOID
Global Command Set
C3550
C3560G-48TS
1.3.6.1.4.1.9.1.617
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C3560E
1.3.6.1.4.1.9.1.930
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
C3560E
1.3.6.1.4.1.9.1.956
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
C3560E
1.3.6.1.4.1.9.1.1015 mac address-table

notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
(continued)
Interface
Command Set
OS Version

OL-25947-01
E-19
Appendix E
Table E-1
Device Family
Device Type
SysOID
Global Command Set
C3550
3000
1.3.6.1.4.1.9.1.909
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
3000
1.3.6.1.4.1.9.1.910
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
3000
1.3.6.1.4.1.9.1.911
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
3000
1.3.6.1.4.1.9.1.912
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
(continued)
Interface
Command Set
OS Version
E-20
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
SysOID
Global Command Set
C3550
3000
1.3.6.1.4.1.9.1.918
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
3000
1.3.6.1.4.1.9.1.919
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
3000
1.3.6.1.4.1.9.1.920
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
3000
1.3.6.1.4.1.9.1.921
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
(continued)
Interface
Command Set
OS Version

OL-25947-01
E-21
Appendix E
Table E-1
Device Family
Device Type
SysOID
Global Command Set
C3550
3000
1.3.6.1.4.1.9.1.922
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
3000
1.3.6.1.4.1.9.1.947
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
3000
1.3.6.1.4.1.9.1.948
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
3000
1.3.6.1.4.1.9.1.949
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
(continued)
Interface
Command Set
OS Version
E-22
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
SysOID
Global Command Set
C3550
3000
1.3.6.1.4.1.9.1.999
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
3000

notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
3000

notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
3000

notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
(continued)
Interface
Command Set
OS Version

OL-25947-01
E-23
Appendix E
Table E-1
Device Family
Device Type
SysOID
Global Command Set
C3550
C3000IE
1.3.6.1.4.1.9.1.958
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
C3000IE
1.3.6.1.4.1.9.1.959
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
C3508GXL
1.3.6.1.4.1.9.1.246
C3512XL
1.3.6.1.4.1.9.1.247
C3524XL
1.3.6.1.4.1.9.1.248
C3548XL
1.3.6.1.4.1.9.1.278
C3524PWRXL 1.3.6.1.4.1.9.1.287
(continued)
-
C3500XL
Interface
Command Set
OS Version
E-24
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
SysOID
Global Command Set
C2970
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
C2970G-24T
1.3.6.1.4.1.9.1.527
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
C2970G-24TS
1.3.6.1.4.1.9.1.561
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
371098-001
1.3.6.1.4.1.11.2.3.7. mac-address-table
11.33.3.1.1
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
ME-3400G-12
CS-D
1.3.6.1.4.1.9.1.781
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
mac-address-table
TRAPVERSION
COMMUNITY udp-port
Interface
Command Set
OS Version

OL-25947-01
E-25
Appendix E
Table E-1
Device Family
Device Type
SysOID
Global Command Set
C2970
ME-3400G-12
CS-A
1.3.6.1.4.1.9.1.780
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
C2960-24TC-S 1.3.6.1.4.1.9.1.928
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
ME-3400G-2C 1.3.6.1.4.1.9.1.825
S-A
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(19)EA1)
C2960G-48TC
-L
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
12.2(35)SE5
mac address-table
notification change interval
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
change
added:snmp trap
mac-notification
change removed
12.2(44)SE6
(continued)
ME-3400
1.3.6.1.4.1.9.1.697
1.3.6.1.4.1.9.1.873
Interface
Command Set
OS Version
E-26
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
SysOID
C2970
ME-3400
(continued)
C2900XL
C2900XL
(continued)
Interface
Command Set
OS Version
1.3.6.1.4.1.9.1.1007 -
ME-3400
1.3.6.1.4.1.9.1.1008 -
ME-3400
1.3.6.1.4.1.9.1.1009 -
C2960
1.3.6.1.4.1.9.1.929
C2960
1.3.6.1.4.1.9.1.927
C2960
1.3.6.1.4.1.9.1.1005 -
C2960
1.3.6.1.4.1.9.1.1006 -
C2960
1.3.6.1.4.1.9.1.950
C2960
1.3.6.1.4.1.9.1.951
C2960
1.3.6.1.4.1.9.1.952
C2975
1.3.6.1.4.1.9.1.1067 -
C2975
1.3.6.1.4.1.9.1.1068 -
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
C2908XL
1.3.6.1.4.1.9.1.170
C2924XL
1.3.6.1.4.1.9.1.183
C2924CXL
1.3.6.1.4.1.9.1.184
C2924XLV
1.3.6.1.4.1.9.1.217
C2924CXLV
1.3.6.1.4.1.9.1.218
C2912XL
1.3.6.1.4.1.9.1.219
C2924MXL
1.3.6.1.4.1.9.1.220
C2912MFXL
1.3.6.1.4.1.9.1.221
C2924XL-LRE 1.3.6.1.4.1.9.1.369
C2912XL-LRE 1.3.6.1.4.1.9.1.370
Global Command Set

OL-25947-01
E-27
Appendix E
Table E-1
Device Family
Device Type
SysOID
Global Command Set
C2950
mac address-table
notification:mac
enable traps
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
C2950-12
1.3.6.1.4.1.9.1.323
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C2950-24
1.3.6.1.4.1.9.1.324
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
Interface
Command Set
OS Version
E-28
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
SysOID
Global Command Set
C2950
(continued)
C2950C-24
1.3.6.1.4.1.9.1.325
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C2950T-24
1.3.6.1.4.1.9.1.359
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C2950G-24
1.3.6.1.4.1.9.1.428
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C2950G-12
1.3.6.1.4.1.9.1.427
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C2950G-48
1.3.6.1.4.1.9.1.429
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
Interface
Command Set
OS Version

OL-25947-01
E-29
Appendix E
Table E-1
Device Family
Device Type
C2950
(continued)
C2950G-24DC 1.3.6.1.4.1.9.1.472
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C2950-24SX
1.3.6.1.4.1.9.1.480
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C2955C-12
1.3.6.1.4.1.9.1.489
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C2955S-12
1.3.6.1.4.1.9.1.508
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C2955T-12
1.3.6.1.4.1.9.1.488
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
SysOID
Global Command Set
Interface
Command Set
OS Version
E-30
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
SysOID
Global Command Set
C2950
(continued)
C2950ST-8LR
E
1.3.6.1.4.1.9.1.483
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C2950ST-24L
RE
1.3.6.1.4.1.9.1.482
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C2940-8TT
1.3.6.1.4.1.9.1.540
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C2940-8TF
1.3.6.1.4.1.9.1.542
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C2950-48SX
1.3.6.1.4.1.9.1.560
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
Interface
Command Set
OS Version

OL-25947-01
E-31
Appendix E
Table E-1
Device Family
Device Type
SysOID
Global Command Set
C2950
(continued)
CIGESM-18T
T
1.3.6.1.4.1.9.1.592
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
[,12.1(11)EA1)
C6000
set cam notification

enable:set snmp trap enable
macnotification:set snmp trap
HOST COMMUNITY
version TRAPVERSION port
PORT
set cam
notification
added enable
INTERFACE:set
cam notification
removed enable
INTERFACE
C6006
1.3.6.1.4.1.9.5.38
C6009
1.3.6.1.4.1.9.5.39
C6509
1.3.6.1.4.1.9.5.44
C6506
1.3.6.1.4.1.9.5.45
C6509SP
1.3.6.1.4.1.9.5.47
C6513
1.3.6.1.4.1.9.5.50
C6503
1.3.6.1.4.1.9.5.56
mac-address-table
notification
change:mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
change
added:snmp trap
mac-notification
change removed
C6000-IOS
Interface
Command Set
OS Version
E-32
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
C6000-IOS
(continued)
C4000
Global Command Set
Interface
Command Set
OS Version
catalyst6000IO 1.3.6.1.4.1.9.1.657
S
catalyst6006IO 1.3.6.1.4.1.9.1.280
S
catalyst6009IO 1.3.6.1.4.1.9.1.281
S
Cisco
C6506-IOS
1.3.6.1.4.1.9.1.282
catalyst6509IO 1.3.6.1.4.1.9.1.283
S
catalyst6509sp
IOS
1.3.6.1.4.1.9.1.310
catalyst6513IO 1.3.6.1.4.1.9.1.400
S
ciscoWSC6503 1.3.6.1.4.1.9.1.449
ciscoWSC6509 1.3.6.1.4.1.9.1.534
neba
catalyst6509V
E
1.3.6.1.4.1.9.1.832
Cisco
C6503-IOS
1.3.6.1.4.1.9.1.449
set cam notification

enable:set snmp trap enable
macnotification:set snmp trap
HOST COMMUNITY port
PORT
set cam
notification
added enable
INTERFACE:set
cam notification
removed enable
INTERFACE
C4003
1.3.6.1.4.1.9.5.40
C4912G
1.3.6.1.4.1.9.5.41
C2948G
1.3.6.1.4.1.9.5.42
C4006
1.3.6.1.4.1.9.5.46
C2980G
1.3.6.1.4.1.9.5.49
C2980G-A
1.3.6.1.4.1.9.5.51
C4503
1.3.6.1.4.1.9.5.58
C4506
1.3.6.1.4.1.9.5.59
C2948G-GE-T
X
1.3.6.1.4.1.9.5.62
SysOID

OL-25947-01
E-33
Appendix E
Table E-1
Device Family
Device Type
SysOID
Global Command Set
C4000-IOS
mac-address-table
notification
change:mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
change
added:snmp trap
mac-notification
change removed
cisco4000
1.3.6.1.4.1.9.1.448
cisco4900M
1.3.6.1.4.1.9.1.917
cisco4948
1.3.6.1.4.1.9.1.626
cisco4948-10G 1.3.6.1.4.1.9.1.659
E
cisco4948-10G 1.3.6.1.4.1.9.1.875
E
cisco4948-10G 1.3.6.1.4.1.9.1.877
E
cisco4948-10G 1.3.6.1.4.1.9.1.874
E
cisco4948-10G 1.3.6.1.4.1.9.1.876
E
C4506-IOS
mac address-table
change interval
mac-notification:snmp-serve
r host HOST version 1
COMMUNITY udp-port
1431 mac-notification
snmp trap
mac-notification
change
added:snmp trap
mac-notification
change removed
12.2(53)SG
mac-address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
change
added:snmp trap
mac-notification
change removed
1.3.6.1.4.1.9.1.502
C4900ME
-
C4900ME
1.3.6.1.4.1.9.1.788
Interface
Command Set
OS Version
E-34
OL-25947-01
Appendix E

Table E-1
Device Family
Device Type
SysOID
Global Command Set
C2400ME
mac address-table
TRAPVERSION
COMMUNITY udp-port
snmp trap
mac-notification
added:snmp trap
mac-notification
removed
C2400ME
1.3.6.1.4.1.9.1.735
C2350
1.3.6.1.4.1.9.1.1104 -
Interface
Command Set
OS Version

OL-25947-01
E-35
Appendix E
E-36
OL-25947-01
A P P E N D I X

This appendix provides the recommended best practices for increasing the disk space and system
performance. It contains the following topics:
Note
Backing Up Data
To avoid restarting daemons, you must ensure that device packages, point patches and software updates
are updated (up-to-date) before network is down during planned network downtime.

Before installing LMS software, you must check if your system meets the recommended prerequisites.
There are various factors that you must consider before installing LMS on Soft Appliance, Windows and
Solaris systems. For more details, refer to Prerequisites in the Installing and Migrating to Cisco Prime
LAN Management Solution 4.2 guide.
Refer the following links to check if your system meets the recommended prerequisites:
System and Browser Requirements for Server and Client
Terminal Server Support for Windows Server
Solaris Patches
LMS 4.2 Port Usage
Required Device Credentials for LMS Functionalities

This section contains the list of best practices that are recommended when you want to reclaim disk
space using purging method.
When data in your system increases and disk space decreases, purging helps you reclaim disk space. You
can reclaim disk space using the following methods:

OL-25947-01
F-1
Appendix F
Purging Databases
Purging Jobs
Purging Archives
Purging Databases
To reclaim disk space by purging your systems database:
Set the Syslog Purge Settings in such a way that syslog records do not pile up in the database. The
following steps should be performed to set the Syslog Purge Settings:
Enable the Syslog Backup Settings by navigating to Admin > Network > Purge Settings >
Syslog Backup Settings.

Set the purge policy date and schedule a job on daily/weekly basis by navigating to Admin >
Network > Purge Settings > Syslog Purge Settings.

Perform a force purge job by navigating to Admin > Network > Purge Settings > Syslog Force
Purge.
Run the DBSpaceReclaimer tool after performing force purge job to reclaim disk space to a greater
extent. The following steps should be performed:
Open RMEDebugToolsReadme.txt from
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\debugtools, where NMSROOT is the

Cisco Prime installation directory.
Refer Syslog DBSpaceReclaimer Tool section in the RMEDebugToolsReadme.txt file and
execute the perl script DBSpaceReclaimer.pl. For more details, refer Syslog Administrative
Tasks.
In Device Performance Management, if the size of the database remains the same after purging, the
following steps should be performed to reclaim disk space:
For Windows:
Stop the daemon using the net stop crmdmgtd command.
Enter dbunload -c "uid=DBA;pwd=<<password>>;dbf=<<upm_database_location>> " -ar
For example: dbunload -c

"uid=DBA;pwd=admin;dbf=C:\Progra~2\CSCOpx\databases\upm\upm.db" -ar
Start the daemon using the net start crmdmgtd command.
For Solaris:
Stop the daemon using the /etc/init.d/dmgtd stop command.
If you get an error message regarding library path, enter source
/opt/CSCOpx/etc/install.cshrc
To get the library path LD_LIBRARY_PATH, navigate to
/opt/CSCOpx/lib/classpath/md.properties.
To set the library path, enter setenv LD_LIBRARY_PATH <<PATH>>
To reload the database, enter dbunload -c
"uid=DBA;pwd=<<password>>;dbf=<<upm_database_location>>" -ar

"uid=DBA;pwd=welcome;dbf=/opt/CSCOpx/databases/upm/upm.db" -ar
F-2
OL-25947-01
Appendix F

Note
Ensure that the file /opt/CSCOpx/databases/upm/upm.db has permission as: -rw------- 1 casuser
casusers upm.db. You can change the permissions using the following commands:
chmod 600 upm.db
chown casuser:casusers upm.db
Start the daemon using the /etc/init.d/dmgtd start command.
For Linux:
Stop the daemon using the /etc/init.d/dmgtd stop command.
If you get an error message regarding library path, enter source
/opt/CSCOpx/etc/install.cshrc
from the csh shell.
To get the library path LD_LIBRARY_PATH, navigate to
/opt/CSCOpx/lib/classpath/md.properties.
To set the library path, enter setenv LD_LIBRARY_PATH <PATH>
To reload the database, enter dbunload -c
"uid=DBA;pwd=<<password>>;dbf=<<upm_database_location>>" -ar

"uid=DBA;pwd=welcome;dbf=/opt/CSCOpx/databases/upm/upm.db" -ar
Note
Ensure that the file /opt/CSCOpx/databases/upm/upm.db has permission as: -rw------- 1 casuser
casusers upm.db. You can change the permissions using the following commands:
chmod 600 upm.db
chown casuser:casusers upm.db
Start the daemon using the /etc/init.d/dmgtd start command.
Purging Jobs
You can configure LMS to periodically purge job data that you no longer need. This is done using Job
Purge. For more details, refer Performance Purge Jobs.
Refer the following links to configure the purge settings for all modules in LMS:

OL-25947-01
F-3
Appendix F
Note
You can view the status of all the LMS admin-related Jobs in Job Browser. For more details, refer Using
Job Browser.
Purging Archives
Purging archives frees disk space and maintains your archive at a manageable size. For more details,
refer Purging Configurations from the Configuration Archive.
Note
Log files can expand and fill up disk space. Log files disk space usage can be maintained by deleting the
unwanted log files from the Cisco Prime installation directory. For more details, refer Maintaining Log
Files. Log Files can also be maintained by using the logrot functionality. For more details, refer
Configuring Log Files Rotation. Log files rotation can be also be scheduled. For more details, refer
Scheduling Log Files Rotation.

System performance can be improved by setting the Performance Tuning Tool (PTT) and also by
managing core devices in critical device poller.
Improving System Performance Using PTT
PTT is a Command Line Interface (CLI) utility that enables you to apply and list various profiles
available in LMS server. Profiles consist of configuration files, which are in the form of XML files whose
values are based on the recommendations for various applications. There are two profiles shipped with
LMS. You can use any of the profiles that matches the system. Parameters are tuned and available in each
profile. You can apply the required profile to the system and improve performance. This is a major
advantage of using PTT. For more details, refer to Performance Tuning Tool in the Configuration
Management with Cisco Prime LAN Management Solution 4.2 guide. For Layer2 and topology related
PTT, refer to Performance Tuning Tool in Appendix A.
Improving System Performance Using Critical Device Poller
Data collection consumes significant system resources. The critical device poller allows you to view the
device and link status without running Data Collection. You can simply poll the network and view the
device and link status in Topology maps. Only core devices should be managed in critical device poller.
For more details, refer Data Collection Critical Device Poller.
Suggestions for Better System Performance
Consider the following points for better system performance:
Configure devices to send only the syslogs that you are working with. This practice will help you
avoid server issues that occur due to huge amount of syslogs.
Avoid running numerous scheduled jobs of the same type.
F-4
OL-25947-01
Appendix F

When restarting the scanner, delay the anti-virus scan to avoid issues that could occur in upcoming
processes. You can restart the scanner only after all processes are up again.
Do not delete or move any files available in LMS-installed location, without confirming with the
TAC engineer about the impact the action might cause.
Related or critical jobs from the same application should not be triggered in a way that it conflicts
with each other. For example: Inventory collection and Configuration collection should not be
scheduled to run at the same time because doing so will create system issues. Similarly, Data
Collection and User Tracking must not be scheduled to run simultaneously. You should identify
priority of jobs based on use cases and schedule appropriate timings for those critical jobs to run.
Unrelated jobs or non-critical jobs can run at a parallel or later time.
Consider the following points when you configure systems to manage a large number of devices:
Note
Device Discovery Set up the discovery schedule to a less frequent one and choose the time most
appropriate to you. You must select the discovery parameters most suitable to your environment so
that it could speed up the discovery process, and discover and populate correct values.
Data Collection Settings The data collection is configured to run every four hours starting at
midnight. Run discovery manually once to determine an appropriate polling cycle. The subsequent
polls will be shorter in duration, but you should still give it a 20 percent buffer. For example, if it
took four hours to poll the whole network the first time, you could set the frequency to five hours to
make sure that there is no overlapping between the two consecutive data collection processes.
User-Tracking Discovery You must configure the time so that two consecutive schedules do not
overlap. You could also filter subnets for which you do not want to perform end-host discovery or
subnets where no end hosts are present. Configure subnets that you want excluded from doing a ping
sweep before the discovery process.
Fault Management Polling Parameters and Threshold Default Cisco Prime fault management
polling and threshold parameters are configured for Cisco Prime fault management system-defined
groups; however, it is recommended that you look at these configurations based on critical and
noncritical devices in your network.
Cisco Prime Inventory, Configuration, and Image Management In Cisco Prime LMS, you can
create user-defined jobs for inventory polling and collection, and configuration collection and
polling on a set of devices selected as part of the job creation process. You should consider this
option when servers manage a large number of devices.
Periodic Polling Versus Periodic Collection Polling uses fewer resources than full scheduled
collection because configuration files are retrieved only if the configuration MIB variable is set, so
it is recommended that you enable the Period Polling option and disable the Periodic Collection
option.
All collection must be scheduled in a way that it does not conflict with each other.
Recommendations on when to schedule various jobs
Consider the following points when scheduling jobs:
Inventory/Config jobs can be scheduled to run on daily basis.
Inventory/Config collection jobs can be scheduled to run on weekly basis.
All Purge jobs (not specific to inventory and Config) can be scheduled to run on weekly basis.
CDA Job can be scheduled to run on weekly basis.

OL-25947-01
F-5
Appendix F
Backing Up Data
Note
The UI performance of the application client can be improved by using device groups when executing
application tasks, especially when a single server is managing a large number of devices.
Backing Up Data
Regular backup of data should be practiced on a daily/weekly basis to avoid data loss. To schedule
system backups at regular intervals, select Admin > System > Backup. For more details, refer Backing
Up Data.
Consider the following points when backing up data:
Note
While scheduling or triggering a backup, if the backup time conflicts with any JRM job time (Jobs
that is scheduled between backup time +/- one hr), then an error pops up displaying a list of job IDs.
Similarly, when scheduling or triggering a JRM job, if the JRM job schedule time conflicts with any
backup time (Backup time that is scheduled between JRM job time +/- one hr), then an error pops
up displaying a list of backup time that runs around the same schedule as the JRM job.
If you want to backup Config on a daily basis, the shadow directory option can be used.
DiskWatcher is a back-end process that monitors disk space availability on LMS Server. This process
calculates the disk space information of a drive (on Windows) or a file system (on Solaris/Soft
Appliance) where Cisco Prime applications, are installed, and stores them in diskWatcher.log file. For
more details, refer Configuring Disk Space Threshold Limit.

You can set the protocol order for Configuration Management features such as Archive Management,
Config Editor, and NetConfig jobs to download configurations and to fetch configurations.
The configuration archive uses Telnet/SSH to collect the configurations from the devices. Make sure you
enter the correct Telnet and Enable passwords.
If the device prompts for login credentials, you may experience problem in Telnet connection because
LMS may fail to recognize the login credential prompt. To make your prompts recognizable, you must
edit the TacacsPrompts.ini file. See the procedure given in the Handling Custom Telnet Prompts.
F-6
OL-25947-01
INDEX
A
access
connection security, understanding
control, security and
D-5
4-26
default credential set policies
4-27
default credential set policies, creating
4-28
default credential set policies, deleting
4-33
D-4
default credential set policies, Display name

policy type example 4-31
5-52
default credential set policies, examples
access ports
customizable groups
default credential set, editing
system defined groups
default credential set policies, host name policy

type example 4-32
5-51
ACS
roles on NDG basis, assigning
4-30
default credential set policies, IP range policy type

example 4-30
2-13
admin
default credential set policies, ordering
application settings
purge settings
8-28
default credential sets
16-18
setting log level
mode, changing
3-1
3-2
database password, changing

processes, back-end processes
user-defined fields, adding

3-22
3-3
Display Settings and DCR

A-5
3-5
processes, viewing
3-4
4-1
best practices in discovery scheduling

data collection, scheduling
3-20
3-5
debugging options
6-3
6-3
17-20
user and host acquisition, using
DCR
default credentials
4-21
ANI data collection, using
processes, viewing specific state processes

restoring data
4-22
administering Campus Manager
3-5
processes, stopping
4-21
user-defined fields, renaming
processes, managing through CLI

processes, starting
4-20
user-defined fields, deleting
3-6
4-16
4-15
unreachable devices deletion
Daemon Manager, using
processes, managing
4-18
Master-Slave configuration, prerequisites
administering
Common Services
4-24
device polling settings
17-11
4-33
delete interval, modifying

4-22
default credentials,using
7-22
end host user information, importing

4-22
purge policy, specifying
default credentials,using in multi-server

setup 4-23
default credential set,configuring
default credential set,deleting
4-24
4-27
schedule, modifying
7-24
15-1
7-19
subnet discovery, configuring
7-21
Administering Virtual Network Manager

Setting VNM Debugging Options
17-30

OL-25947-01
IN-1
Index
VNM Client Debugging Settings
17-33
content engine commands
VNM Server Debugging Settings
17-31
content service switch commands
VNM Utility Debugging Settings
17-33
IOS commands
VRF Collector Debugging Settings
setting up
17-32
Using VNM Administration
Scheduling VRF Collector
8-19
using
log level
8-28
purge
8-29
11-11
deleting
11-14
11-13
enabling, disabling
17-11
exporting, importing
8-29
Alerts and Activities display

17-8, 17-9
creating
10-37
deleting
10-42
editing
ANI data collection administration, using
debugging options
6-3
example of
6-3
verifying
10-41
10-42
17-20
SNMP settings, modifying
11-14
10-39
enabling, disabling
best practices in discovery scheduling

data collection, scheduling
11-13
in Syslog Analysis
16-18
log file
11-10
creating
editing
managed source interface
8-37
8-30
in Change Audit
8-18
copying IP SLA configuration
8-36
automated actions, defining
admin setting
application
8-30
shadow directory, enabling and disabling
Administering VRF
Using VRF Administration
8-35
8-34
directory, moving
Modifying VNM SNMP Timeouts and

Retries 8-20
8-35
10-41
10-44
6-1
applications
Job Approval
12-15
licensing
backing up data
licensing information, viewing

licensing procedure
application settings
using CLI
B-28
A-17
backing up selective data

8-29
8-29
using CLI
A-17
backup policy, setting
Archive Management (part of Configuration Management)

archive purging
B-28, B-29
sample CMF backup directory
3-29

running-config
directory structure of
3-29
8-28
3-19
back-up data
3-29
obtaining a license
updating licenses
3-29
16-5
browser-server security. See SSL
16-2
configurations, modifying
credentials, entering
security, modifying
8-32
8-30
8-34
Catalyst commands
C
cautions regarding
8-35
IN-2
OL-25947-01
Index
admin password, guest password
2-6
backups, and the CiscoWorks Daemon Manager

changing Change Audit purge settings
data restoration from a backup
11-5
restarting Daemon Manager on Solaris
16-6
3-2
restarting Daemon Manager on Windows
3-2
certificates
D-6
D-7
public key, private key

SSL
D-6
B-3
CiscoWorks Server back-end process

CiscoWorks Server Processes
deleting
11-14
1-12
11-7
deleting
11-9
5-79
5-78
5-68
16-2
collection settings, defining

job policies, configuring
8-43
12-5
defining default policies
12-6
scenarios, job password configured

11-8
purge policy, setting
11-5
requirements for use
8-46
subnet discovery for User Tracking
10-5
2-38
connection security, understanding

security certificates
CiscoWorks
terms and definitions
3-16
CiscoWorks Server, troubleshooting

collecting information on
8-49
configuring
11-4
Cisco.com connection, managing
B-3
12-8
transport protocols, configuring

order, defining
11-3
forced purges, performing
processes and DFM
5-73
5-79
archive purging
enabling and disabling
changing event names
setting properties
5-81
Configuration Management, using
11-14
11-9
maintenance tasks
11-10
collector group rules
11-13
exception periods
defining
5-82
viewing summary
11-8
5-80
viewing group details
11-13
creating
5-77
refreshing membership
11-10
viewing
enabling, disabling
B-18
5-75
operation based
Automated Action window details

11-11
D-7
CM view
membership details
D-5
creating
3-6, A-5
CiscoWorks Trust Store or KeyStore, definition
defining rules
automated actions, defining
3-6
collector group
D-6
Change Audit, using
editing
B-3
assigning membership
understanding
editing
process status, checking
user log-in information
D-6
D-6
B-4
cmf as part of database path, explanation of
D-7
CiscoWorks TrustStore or KeyStore
SSH
MDC support
cmexport command (see under Data Extraction

Engine) C-2
CA (certificate authority)
PKCS#8
B-18
self-test, performing
3-21
resetting purge policy in Syslog Analyzer
terms and definitions in
17-2
locked out of
7-21
D-5
D-5
D-6
D-7
D-7

OL-25947-01
IN-3
Index
PKCS#8
Solaris
D-6
3-22
Windows
D-6
3-23
SSH
D-6
Data Extraction Engine (see DEE)
SSL
D-6
DCR
administering
connectivity
tasks
C-1
default credentials
B-3
checking process status
device polling settings
B-3
collecting server information

MDC support
copying IP SLA
4-18
Master-Slave configuration, prerequisites
B-3
mode, changing
B-4
performing a self-test
4-22
4-15
unreachable devices deletion
B-3
user-defined fields, adding
8-29
creating
4-20
4-21
user-defined fields, deleting
user-defined collector groups

CS portlets
changes, effect on DFM
job information status

log space usage
1-10
customizable groups
5-52
access port
5-52
editing
5-54
interface
log file
trunk port
8-25
8-26
17-9
DCR (Device and Credential Repository) CLI interface,

using A-22
DCR mode, changing
5-52
restrictions
4-21
Fault Management discovery and
1-12
5-52
device
4-22
user-defined fields, renaming
5-73
4-16
importing using
A-24
listing attributes
A-22
A-23
listing default credential sets
5-53
viewing current DCR mode
5-52
viewing device details
(see also groups)
A-22
A-22
A-23
DDV
log file
17-8
debugging options, setting
3-2
restarting on Solaris
3-2
restarting on Windows
DEE (Data Extraction Engine)

about
3-2
mandatory arguments
optional arguments
16-20
running
database
inaccessible, troubleshooting
B-29
path includes "cmf," explanation

purging
B-18
database password, changing
3-22
3-24
C-5
C-4
C-4
C-2
cmexport Discrepancy comand
C-12
cmexport L2topology command
C-9
cmexport manpage
16-20
available formats
C-2
function-specific options
17-8
managing
C-1
cmexport command
Daily Purging Schedule

log file
17-20
C-14
cmexport ut command
C-6
developers reference
C-16
IN-4
OL-25947-01
Index
Discrepancy data schema
Device Selector
C-21
Device Selector settings
exporting data from Campus Manager,

servlet C-22
Topology data schema
filtering usage example

C-17
searching devices
User Tracking phone data schema
C-19
User Tracking subnet data schema
C-19
User Tracking switch data schema
C-18
overview
Default
displaying available devices
C-20
User Tracking data schema
C-1
Simple Search
selecting devices
4-8
4-7
4-6
12-23
changing event names
device groups
5-28
device groups, managing

customizable
4-22
DCR synchronization and

device states
5-68
group membership
log file
8-25
17-9
rediscovery
6-4
8-25
adding critical devices
6-4
devices
8-25
discovery, scheduling
4-1
discrepancy reporting
14-1
8-25
physical discrepancies
devices, discovery
4-1
adding
4-2
editing
14-2
disk space, threshold configuring
scheduling
deleting
8-26
8-25
events that trigger
5-67
5-61
Device Poller
duplexity, interface
3-42
5-63
4-3
4-2
viewing status
4-3, 4-4
editing
devices, managing
device group details
attributes, editing
Device Selector
12-33
local user profile
12-23
device states
8-25
forwarding traps to DFM

importing
5-27
2-13
e-mail
displaying available devices
12-30
configurations (Notification Services)

10-22
E-Mail Subject Customization
A-24
17-8, 17-9
8-25
See also Software Center
SMTP server
10-13
10-13
10-16
notifications (Notification Services)
using CLI
rediscovering
17-8
discovery
5-54
5-52
deleting groups
10-5
DFM Object Grouping Services Server, log file
user-defined fields from DCR
log files
12-29
DFM
deleting
states
12-30
4-7
Advanced Search
device selector
4-23
rules
4-10
10-3
3-31
ESS (Event Service Software)

changing the port for
in Solaris
B-27

OL-25947-01
IN-5
Index
events
changing names
10-5
log files
details
5-65
editing
5-54, 5-55
managing, overview
Event Processing Adapters

Event Promulgation Module
membership
17-8
rules
17-8
Event Sets (see Notification Services)
5-61
DFM
automated actions in Syslog Analysis
5-65
system defined
B-23
exporting
message filters, in Syslog Analyzer
5-64, 5-66, 5-67
summaries
expired server certificate, how to handle
5-53
5-51
user defined
11-14
editing
10-47
5-54
Groups, administering
creating
5-5
deleting
groups
Fault History
log file
5-28
details
17-8
file ownership, and permissions
modifying
D-2
viewing
filters
Inventory change report filters, setting
message filters in Syslog Analyzer, defining

creating
10-45
deleting
10-48
editing
editing
11-22
10-44
5-26
5-27
exporting
5-29
sample export file

exporting from UI
enabling, disabling
10-47
10-47
forced purges
11-5
in Syslog Analyzer
importing
5-25
5-31
importing from UI
5-31
multi-server setup
5-3
refreshing
5-7
5-28
rules, defining
5-4
group membership, assigning
properties, specifying
16-7
5-29
5-30
Group Administration
10-46
in Change Audit
5-27
5-9
composite group rule example
group administration
composite rule
5-72
group administration process
5-71
creating
5-54, 5-58
customizable
editing
5-52
restrictions
deleting
5-53
5-68
5-13
5-11
range operator
5-11
simple group rule example

simple rule
5-54
5-10
example for IP range

examples
groups
5-11
5-9
single server scenario

single server setup
syntax checking
5-12
5-3
5-3
5-10, 5-11
IN-6
OL-25947-01
Index
system- and user-defined attributes

system defined attributes
IP Address range operator, See range operator
5-13
5-13
J
H
Java Plug-in, version to use
HP OpenView
Job Approval, using
10-24
HPOV as primary listener
B-17
12-15
approver details, specifying
7-30
12-16
approver lists
assigning
12-18
creating, editing
12-17
jobs, approving and rejecting
images
IOS images, and recommendation filters
importing automated actions in Syslog Analysis
12-16
Job Browser (see under Inventory)

Job Browser, using
A-24
jrm, checking
interfaces
customizable groups
12-18
task workflow
11-14
importing devices and credentials

using CLI
setting up
11-20
12-20
8-2
12-1
B-20
5-52
5-51
Inventory
change report filters, setting
Known device state
11-22
8-25
inventory
effect of DCR changes
8-25
log files
Inventory Collector
17-8
Learning device state
Inventory Interactor
17-8
licensing CiscoWorks applications
Inventory Service
17-9
license information, viewing
Inventory, using
licensing procedure
collection or polling schedule, changing

Inventory Job Browser
8-12
8-2
8-7
8-6
polling jobs, creating and editing
overview
local user policy setup
3-29
3-29
3-29
3-29
2-4
locked out of CiscoWorks Server, troubleshooting

8-7
inventory collection
log file
obtaining a license
updating licenses
collection jobs, creating and editing

job details, viewing
8-25
log files, maintaining

on UNIX
17-9
17-3
on Windows
8-25
17-3
logrot utility, configuring
(see also discovery)
logrot utility, running
IOS
B-18
3-40
3-41
login module
images, and recommendation filters
11-20
CiscoWorks Local, changing to
2-27

OL-25947-01
IN-7
Index
local NT system, changing to
Local UNIX system, changing to

MS Active Directory, changing to
Netscape Directory, changing to
Radius, changing to
defining protocol order
2-27
purging jobs
2-28
NetView
logrot utility
10-24
10-24
Notification Groups (see Notification Services)
configuring
running
12-15
NMS, integrating with DFM
17-11
Notification Services
3-40
configuring notifications, overview
3-41
logs
E-Mail Configurations
configuring
E-Mail Notifications
17-18
DFM log files
log file (for Logging Services)

Lookup Analyzer, using
3-31, 10-3
E-Mail Subject Customization
17-9
event names, customizing
17-8
Event Sets
A-32
log file
subscriptions
8-29
Common Services resources

message filters, in Syslog Analysis
10-2
10-3, 10-17
12-15
10-44
creating
10-45
online users, messaging
deleting
10-48
osagent, changing the port for

Solaris
10-46
messaging online users
Windows
10-47
3-34
B-19
B-19
overview
10-47
authentication using login modules
3-34
MS Active Directory, changing login module to

multi-server mode, and security
10-3, 10-9
3-35
Masking credentials of show commands
enabling, disabling
10-5
5-54, 10-7
Syslog Notifications
managing
10-16
17-8
SNMP Trap Notifications
10-13
10-6
Notification Groups
10-6
10-13
17-8, 17-9
incharge log files
editing
12-14
17-17
credentials, masking
2-33
12-12
12-13
setting log levels
2-32
2-32
TACACS+, changing to
log level setting
defining default job policies
2-28
2-28
overviews
Common Syslog Collector
2-16
2-24
Syslog Analyzer
8-50
8-50
overviews of
DEE (Data Extraction Engine)
Netscape Directory, changing login module to
C-1
2-32
NetShow
Administering NetShow settings
IN-8
OL-25947-01
Index
CiscoWorks
3-16
log file for multiple thread

peer server certificates
setting up
processes, managing
2-19
8-25
PSUCLI
physical discrepancy reports
14-2
ping sweep options, modifying

PKCS#8, definition
7-20
D-6
device packages, uninstalling
13-13
device updates, downloading
13-14
software updates, downloading
17-9
software updates, querying

17-9
public key, definition
17-9
purge settings
polling and thresholds
13-16
13-17
13-13
13-12
D-6
16-18
historical data
log files
16-18
purging messages
adapter
17-8
database
cautions regarding changing purge values
17-9
in Change Audit
grouping services
manager
17-9
17-9
Administration
in Change Audit
5-41
Examples
5-42
Properties
5-37
5-39
in Change Audit
11-4
in Syslog Analyzer

Editing Groups
16-7
purge policies, setting
Defining Rule Expression

Attributes
11-5
in Syslog Analyzer
5-37
Deleting Groups
16-6
forced purges
5-35
Creating Groups
11-5
in Syslog Analyzer
port and module groups
16-6
5-38
5-49
Questioned device state
8-25
5-48
5-47

ports
5-47
R
Radius, changing login module to
5-51, 5-52
occupied by CiscoWorks
trunk ports
13-12
device packages, listing device packages
17-8
grouping services
access ports
13-11
device packages, listing dependents
log files
manager
10-21
device packages, installing
polling
database
A-5
protocols, used by CiscoWorks
Pending device state
adapter
17-8
range operator
10-21
private key, definition
D-6
5-11
rediscovery
5-51, 5-52
preferences for system, modifying
2-32
DCR synchronization and

3-35
events that trigger

log file
8-26
8-25
17-9
processes
OL-25947-01
IN-9
Index
runtime security, understanding
8-25
D-3
(see also discovery)

Rediscovery Schedule page
8-22
(see also rediscovery)

refreshing group membership
5-81
remote connectivity, security and
Secure Shell (SSH), definition

D-4
security
reports
access control, and
discrepancy reporting
14-1
physical discrepancies
understanding
14-2
understanding
14-1
general
server
switch port usage reports, exporting

resources, managing in Common Services
solaris
A-31
3-35
3-20
D-5
D-1
D-1
D-2
security, setting up
2-1
AAA mode, setting up
2-24
Cisco.com login, setting up
3-21
windows
D-4
certificates, understanding
user tracking
restoring data
D-6
2-39
login module
3-22
multi-server mode
RME portlets
2-16

RME Job Approval
1-13
setting up
1-14
2-19
proxy server, setting up
1-15
2-39
security levels, understanding
RSAC (Remote Syslog Analyzer Collector)
SSL
properties file
2-7
2-2
enabling from the CiscoWorks Server
COLLECTOR_PORT
COUNTRY_CODE
8-57
enabling from the CLI
8-55
8-56
8-56
DEBUG_LEVEL
A-13, A-15
SSO (Single Sign-On) mode
DEBUG_CATEGORY_NAME
DEBUG_FILES
8-56
changing
2-22
enabling
2-20
user management
DEBUG_MAX_BACKUPS
8-57
local user profile, modifying
DEBUG_MAX_FILE_SIZE
8-57
peer server, setting up
FILTER_THREADS
PARSER_FILE
8-57
8-57
SUBSCRIPTION_DATA_FILES
SYSLOG_FILES
8-57
8-57
8-56
8-55
TIMEZONE_FILE
rules, group
Self Signed certificates
2-9
A-2
2-14
self-test information, collecting
3-33
server, configuring
AAA mode, setting up
2-24
authentication using login modules

8-56
5-61
running-config
2-13
2-17
users, setting up through CLI
READ_INTERVAL_IN_SECS
TIMEZONE
users, adding
8-57
QUEUE_CAPACITY
2-3
8-29
2-24
applications, licensing
licensing information, viewing
licensing procedure
3-29
3-29
IN-10
OL-25947-01
Index
obtaining a license
updating licenses
certificate setup
server security, understanding
3-29
administrator-imposed
3-29
connection
2-14
Cisco.com login, setting up
Common Services, administering

backing up data
server-imposed
processes, managing
runtime
3-31
log files, maintaining
17-11
Setting system preferences

job purge
17-4
16-8
log level settings
17-3
17-13
RME device attributes
17-3
logging, configuring
8-9
RME secondary credentials
17-17
login module
8-11
setting up, local user

setting up
2-19
proxy server, setting up
modify profile
2-13
security levels
2-7
user accounts
2-39
2-6
security. See security, setting up
setting up, local user policy
Self-signed certificates
setting up, local users
2-6
SMTP server, default
3-31
2-14

changing
2-22
enabling
2-20
MAC notification listener
SNMP traps on ports, enabling
7-29
7-27
SNMP traps
2-9
integrating SNMP trap receiving with other

NMS 10-24
adding through CLI

import remote users
2-8, A-3
local user policy setup
SNMP Trap Notifications
2-4
local user profile, modifying
trap forwarding port
2-13
Software Center
A-2
10-24
13-1
activity logs, viewing
2-13
server certificate for CiscoWorks, expiration, how to

handle B-23
server information, collecting (Common Services)
10-3, 10-9
10-25
trap receiving port
2-17
setting up through CLI

users, local, setting up
7-29
SNMP trap listener, configuring
3-35
user management
peer server, adding
2-4
SNMP
system preferences, modifying

adding
D-4
D-3
setting log level
3-42
D-2
D-4
remote connectivity
disk space, threshold configuring
on Windows
D-4
other systems
A-5
3-35
server information, collecting
on UNIX
D-6
files, file ownership, permissions
3-3
resources, managing
D-5
D-2
access control
3-2
processes, managing through CLI
List of log files
D-5
terms and definitions
3-1
3-19
D-5
security certificates
2-39
D-2
3-31
event log
13-10
scheduled job
13-9
device downloads, scheduling
13-8

OL-25947-01
IN-11
Index
device updates, checking

device updates, performing
packages, deleting
enabling, disabling
13-6
example
13-4
software updates, downloading

software updates, performing
backup policy, setting
13-4
software updates, selecting
13-11
Software Management, using

11-15
protocol order, selecting
11-15
forced purges
16-7
11-20
creating
10-45
deleting
10-48
SSL, enabling on the server
10-3, 10-17
critical message window
2-2
from the CiscoWorks Server
1-8
system administration
2-3
databases, purging
A-13, A-15
SSL, definition
10-47
System Admin dashboard portlets
B-19
from the CLI
10-47
8-50
Syslog Notifications
B-27
16-20
devices from traps to DFM
D-6
logging, configuring
17-18
3-31
changing
2-22
SMTP default server
enabling
2-20
SNMP trap forwarding port
starting CiscoWorks applications, troubleshooting

states, devices
B-18
SNMP trap receiving port
10-22
10-25
10-24
8-25
subscriptions (see Notification Services)
DFM
Syslog Analyzer
(see also groups)
purge policy
5-51
System Preferences
caution regarding changing values

setting
8-51
10-46
overview
8-51
10-44
enabling, disabling
11-19
Solaris, changing ports in

for osagent
8-52
editing
11-15
recommendation filters, and IOS images

for ESS
procedure
message filters
preferences, viewing and editing
16-5
collector status, viewing
13-2
13-3
preferences, viewing and editing
10-41
Common Syslog Collector, subscribing to
13-2
list of applications installed, viewing
administration tasks
10-42
13-7
Software Center CLI utility
10-41
16-6
16-6
status, viewing
8-51
collector status, viewing

procedure
8-51
8-52
Syslog Analyzer and Collector, using

automated actions
Loading MIB Files

Poll Settings
8-27
Purging Data
16-14
Purging Jobs
16-12
Setting Log Levels
9-2
17-9
Setting Report Publish Path

Syslog Receiver Group
15-2
10-31
creating
10-37
Creating Syslog Reveiver Group
10-32
deleting
10-42
Deleting Syslog Reveiver Group
10-34
editing
10-39
Editing Syslog Reveiver Group
10-33
IN-12
OL-25947-01
Index
Filtering Syslog Reveiver Group

Trap Receiver Group
server status, verifying
10-35
database
10-25
Creating Trap Receiver Group
10-26
inaccessability
Deleting Trap Reveiver Group
10-29
path includes "cmf"
Editing Trap Receiver Group

Viewing Audit Trail Log Report
B-29
Solaris
10-29
B-27
FAQs list
10-25, 10-31
Apache and Tomcat
16-17
Backup-restore
Database
T
TACACS+, changing login module to
B-29
terms and definitions in security certificates
PKCS#8
jrm
B-20
Solaris
B-19
Windows
D-6
B-19
SSH
D-6
suggestions
SSL
D-6
User Tracking
B-5
outdated entries in User Tracking table
thresholds
log files
adapter
B-17
osagent port change
D-7
D-6
B-25
Java Plug-in, which version to use
D-6
D-7
B-27
Software Center
2-33
B-31
B-28
EDS and ESS
B-18
ESS port change
10-27
Filtering Trap Reveiver Group

Viewing Purge Details
B-3
manager
customizable groups
17-9
grouping services
B-38
trunk ports
17-8
database
B-7
5-52
end host discovery on trunk ports
17-9
17-9
7-23
5-51
topology groups
system-defined groups
creating, based on subnet
5-33
transport protocols, configuring

order, defining
UNIX systems
changing login module to local UNIX system
8-49
requirements for use
log files, maintaining on
8-46
traps
Unknown device state
forwarding from devices to DFM
10-22
17-3
8-25
user accounts
setting up
SNMP (see SNMP traps)
Cisco.com
troubleshooting
back-up data, directory structure of
CiscoWorks applications, starting
B-28, B-29
B-18
local
2-39
2-13
user and host acquisition administration

delete interval, modifying
CiscoWorks Server
locked out of, diagnosing
2-27
B-18
7-22
end host user information, importing
7-24

OL-25947-01
IN-13
Index
ping sweep options, modifying

purge policy, specifying
schedule, modifying
viewing
7-20
application license information
15-1
collector group
7-19
subnet discovery, configuring

user-defined collector groups
group details
5-73
user defined groups

editing
5-79
5-26
membership details
5-80
views
5-54
log file
User Tracking
acquisition schedule, modifying
acquisition settings, modifying
command-line interface
DHCP snooping
17-9
view groups
7-19
5-54
VNM Administration, using
7-8
SNMP settings, modifying
A-27
8-20
7-25
Dynamic updates
7-24
Dynamic User Tracking
7-24
FAQs
warnings regarding
error logging
B-9
length of time data is maintained

non-CDP devices
MACUHIC
configuration change detection schedule, and

purging 16-2
B-8
Windows 2003 or Windows NT systems
B-8
log files, maintaining on
7-26
Major Acquisition
7-3
Minor Acquisition
7-3
changing the port

using
for osagent
7-14
properties that support duplicate MAC address

understanding
17-3
Windows systems
properties from the backend, configuring
using
5-79
collector group details
7-21
3-29
7-12
jrm, running
B-19
B-20
A-39
A-39
A-40
7-2
UT data, accessing
7-2
UT in DHCP environment
various acquisitions
7-11
7-3
User Tracking Utility

installing
UTLite script, installing
A-37
UTLite script, uninstalling

UTLite, understanding
A-39
A-34
V
verifying CiscoWorks Server status
B-3
IN-14
OL-25947-01

LMS Admin Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

LMS Admin Guide

Uploaded by

Copyright:

Available Formats

Administration of Cisco Prime LAN

Management Solution 4.2

Text Part Number: OL-25947-01

OpenSSL/Open SSL Project i-xxvii

Understanding the System Dashboard 1-8

Managing Security in Single-Server Mode 2-1

Importing Local Users Using CLI 2-8

Setting up the Authentication Mode 2-24

Managing Cisco.com Connection 2-39

Administering LMS Server

Managing Processes 3-3

Administration of Cisco Prime LAN Management Solution 4.2

Restoring Data 3-20

Compliane and Audit Manager (CAAM) Server License

Modifying System Preferences

Configuring Log Files Rotation

Configuring Disk Space Threshold Limit

Effects of Third Party Backup Utility and Virus Scanner

Cisco Prime Integration Application Settings

Collecting Self Test Information

Administering Discovery Settings and Device and Credential Repository

Configuring Device Selector 4-5

Renaming User Defined Fields 4-21

Groups - Components and Basic Concepts

Groups in Single-Server and Multi-Server Setup

Device Group Administration 5-4

Port and Module Group Administration 5-35

Entering the Port and Module Group Properties Details 5-37

Managing Fault Groups 5-53

Working with User-Defined Collector Groups 5-73

Administration of Cisco Prime LAN Management Solution 4.2

Administering Data Collection

Modifying Data Collection SNMP Timeouts and Retries

Data Collection Critical Device Poller

Compliance and Audit Settings 6-5

User Tracking and Dynamic Updates

Understanding User Tracking 7-1

Using User Tracking Administration 7-4

Administration of Cisco Prime LAN Management Solution 4.2

Using User Tracking Utility 7-34

Administering Collection Settings

Using the Inventory Job Browser 8-2

Modifying Fault Management SNMP Timeout and Retries

Configuring Fault Management Rediscovery Schedules 8-22

Fault Monitoring Device Administration

Device Management Functions

Performance Management SNMP Timeouts and Retry Settings

Setting Up Archive Management 8-30

Configuring Transport Protocols 8-46

Viewing Status and Subscribing to a Common Syslog Collector

Administration of Cisco Prime LAN Management Solution 4.2

Viewing Common Syslog Collector Status 8-51

Monitoring and Troubleshooting Settings

Configuring Fault Poller Settings For Topology

Configuring RMON 9-5

Configuring Topology Settings 9-8

Notification and Action Settings

Understanding Notifications and Subscriptions

Configuring Event Sets and Notification Groups for Subscriptions 10-6

Managing Fault Syslog Notifications 10-17

Administration of Cisco Prime LAN Management Solution 4.2

Resuming a Syslog Notification Subscription 10-20

Performance Syslog Notification Groups 10-31

Administration of Cisco Prime LAN Management Solution 4.2