You are on page 1of 842

Administration of Cisco Prime LAN

Management Solution 4.2

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: OL-25947-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public
domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display
output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in
illustrative content is unintentional and coincidental.
Administration of Cisco Prime LAN Management Solution 4.2
Copyright 2012 Cisco Systems, Inc. All rights reserved.

CONTENTS
Preface

xxiii

Notices

xxvii

OpenSSL/Open SSL Project i-xxvii


License Issues i-xxvii

CHAPTER

Overview of Administration
How the guide is organized?
Administration Tasks

1-1
1-1

1-3

Understanding the System Dashboard 1-8


Cisco Prime Product Updates 1-8
Critical Message Window 1-8
Device Credentials and AAA Information
Log Space Usage 1-10
Process Status 1-11
System Backup Status 1-11
User Login Information 1-12
Job Information Status 1-12
Audit Trail Information 1-13
Job Approval 1-14
Syslog Collectors Information 1-15
Supported Device Finder Portlet 1-15
VRF Collector Summary 1-18
Collection Summary Portlet 1-19

CHAPTER

Setting up Security

1-9

2-1

Managing Security in Single-Server Mode 2-1


Setting up Browser-Server Security 2-2
Enabling Browser-Server Security From the LMS Server 2-3
Disabling Browser-Server Security From the LMS Server 2-3
Setting up Local User Policy 2-4
Setting up Local Users 2-6
About User Accounts 2-6
Understanding Security Levels 2-7
Importing and Exporting Local Users 2-7
Administration of Cisco Prime LAN Management Solution 4.2
OL-25947-01

iii

Contents

Importing Local Users Using CLI 2-8


Importing Users From ACS 2-9
Adding and Modifying a Local User 2-9
Adding Local Users Using CLI 2-11
Assigning Roles on NDG Basis 2-13
Modifying Your Profile 2-13
Creating Self Signed Certificates 2-14
Creating a Self Signed Certificate From the User Interface
Working With Third Party Security Certificates 2-16
Managing Security in Multi-Server Mode 2-16
Setting up Peer Server Account 2-17
Setting up System Identity Account 2-18
Setting up Peer Server Certificate 2-19
Enabling Single Sign-On 2-20
Single Sign-On Setup 2-20
Navigating Through the Single Sign-On Domain
Changing the Single Sign-On Mode 2-22

2-21

Setting up the Authentication Mode 2-24


Authentication Using Login Modules - Overview 2-24
Cisco Secure ACS Support for LMS Applications 2-26
Setting the Login Module to Pluggable Authentication Modules
Managing Roles

CHAPTER

2-26

2-36

Managing Cisco.com Connection 2-39


Setting up Cisco.com User Account
Setting Up the Proxy Server 2-40
Support Settings

2-15

2-39

2-40

Administering LMS Server


Using Daemon Manager

3-1
3-2

Managing Processes 3-3


LMS Back-end Processes 3-6
Server Back-end Processes 3-6
Inventory, Config and Image Management Processes 3-11
Network Topology, Layer 2 Services and User Tracking Processes 3-14
IPSLA Performance Management Processes and Dependency Processes 3-15
Device Performance Management Module Processes 3-15
Fault Management Processes 3-16
Backing Up Data 3-19
Scheduling a Backup

3-19

Administration of Cisco Prime LAN Management Solution 4.2

iv

OL-25947-01

Contents

Restoring Data 3-20


Changing the Database Password 3-22
Effects of Backup-Restore on DCR 3-24
Master-Slave Configuration Prerequisites and Restore Operations
Effects of Backup-Restore on Groups 3-27
Backup for Cisco Prime Infrastructure
Licensing Cisco Prime LMS

3-28

3-29

Compliane and Audit Manager (CAAM) Server License


Configuring a Default SMTP Server
Collecting Server Information

Managing Resources

3-31

3-33

3-34

3-35

Modifying System Preferences

3-36

Configuring Log Files Rotation

3-38

Configuring Disk Space Threshold Limit

3-43

Effects of Third Party Backup Utility and Virus Scanner


Configuring TFTP

3-44

3-44

Cisco Prime Integration Application Settings

CHAPTER

3-30

3-31

Collecting Self Test Information


Messaging Online Users

3-26

3-45

Administering Discovery Settings and Device and Credential Repository


Scheduling Device Discovery

4-1

4-1

Configuring Device Selector 4-5


Selecting Devices for Device Management Tasks 4-6
Searching Devices 4-7
Performing Simple Search 4-7
Performing Advanced Search 4-8
Device Selector Settings 4-10
Understanding Device Groups 4-10
Customizing Device Grouping 4-12
Customizing Display Order of Device Groups 4-14
Administering Device and Credential Repository 4-15
Changing DCR Mode 4-15
Configuring Device Polling 4-18
Configuring Device Polling Settings 4-18
Deleting Unreachable Devices from DCR 4-20
Configuring User Defined Fields 4-20
Adding User Defined Fields 4-21
Administration of Cisco Prime LAN Management Solution 4.2
OL-25947-01

Contents

Renaming User Defined Fields 4-21


Deleting User Defined Fields 4-22
Configuring Default Credentials 4-22
Using Default Credentials 4-22
Important Notes on Default Credentials 4-23
Default Credentials Behavior in Multi-Server Setup
Configuring Default Credential Sets 4-24
Configuring Default Credential Set Policy 4-27

CHAPTER

Managing Groups

4-23

5-1

Groups - Components and Basic Concepts

5-2

Groups in Single-Server and Multi-Server Setup


Groups in Single Server Scenario 5-3
Groups in Multi-Server Scenario 5-3

5-3

Device Group Administration 5-4


Creating Groups 5-5
Specifying Group Properties 5-7
Defining Group Rules 5-9
System Defined Attributes 5-13
Assigning Group Membership 5-25
Viewing Group Details 5-26
Modifying Group Details 5-27
Refreshing Groups 5-28
Deleting Groups 5-28
Exporting Groups 5-29
Sample Export Groups Output File 5-29
Exporting Groups From User Interface 5-30
Importing Groups 5-31
Important Notes on Importing Groups 5-31
Importing Groups From User Interface 5-31
Overview of Subnet Based Groups 5-32
Accessing Subnet Based Groups 5-32
Understanding Subnet Based Groups 5-33
Creating Groups Based on Subnet 5-33
DCR Mode Changes and Group Behavior 5-33
Unregistering a Slave 5-34
Behavior of IP Address Range Based Device Groups in Multi-Server Setup

5-35

Port and Module Group Administration 5-35


Creating Port and Module Groups 5-37
Administration of Cisco Prime LAN Management Solution 4.2

vi

OL-25947-01

Contents

Entering the Port and Module Group Properties Details 5-37


Selecting Group Source 5-38
Defining Rule Expression for Port or Module Groups 5-39
Understanding the Summary 5-46
Viewing Port and Module Group Details 5-47
Editing Port and Module Groups 5-48
Deleting Port and Module Groups 5-49
Working with Fault System-defined Groups
LMS System-defined Groups 5-50
Fault System Defined Groups 5-51
Working with Customizable Groups

5-50

5-52

Managing Fault Groups 5-53


Editing and Creating Fault Groups 5-54
Editing a Fault Group 5-55
Creating a Fault Group 5-58
Understanding Rules 5-61
Finalizing Fault Group Membership 5-64
Viewing the Fault Group Summary 5-65
Viewing Fault Group Details 5-65
Viewing Fault Membership Details 5-66
Refreshing Fault Membership 5-67
Deleting Fault Groups 5-68
Understanding Collector Group Rules 5-68
IPSLA Collector Group Administration Process 5-71
Understanding IPSLA Collector Group Administration

5-72

Working with User-Defined Collector Groups 5-73


Creating and Modifying User-Defined Collector Groups 5-73
Setting Collector Group Properties 5-73
Defining Collector Group Rules 5-75
Assigning Collector Group Membership 5-77
Viewing the Collector Group Summary 5-78
Deleting User-Defined Collector Groups 5-79
Viewing User-Defined Collector Groups 5-79
Viewing Collector Group Details 5-79
Viewing Membership Details 5-80
Refreshing User-Defined Collector Group Membership 5-81
Operation-Based Collector Groups (System-Defined)

5-82

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

vii

Contents

CHAPTER

Administering Data Collection

6-1

Modifying Data Collection SNMP Timeouts and Retries


Scheduling Data Collection

6-1

6-3

Data Collection Critical Device Poller

6-4

Compliance and Audit Settings 6-5


Compliance Data Collection 6-5
Compliance Data Collection Jobs 6-7
Import Contracts 6-7
Import Policy Updates 6-8

CHAPTER

User Tracking and Dynamic Updates

7-1

Understanding User Tracking 7-1


Using User Tracking 7-2
Accessing UT Data 7-2
Various Acquisitions in User Tracking

7-3

Using User Tracking Administration 7-4


Viewing User Tracking Acquisition Information 7-6
Configuring User Tracking Acquisition Actions 7-7
Using User and Host Acquisition 7-8
Modifying UT Acquisition Settings 7-8
Configuring Rogue MAC List 7-16
Modifying UT Acquisition Schedule 7-19
Modifying Ping Sweep Options 7-20
Configuring UT Subnet Acquisition 7-21
Deleting User Tracking Purge Policy Details 7-22
Configuring UT Acquisition in Trunk for End Host Discovery
Importing Information on End Host Users 7-24
Understanding Dynamic Updates 7-24
MAC User-Host Information Collector (MACUHIC) Process
User Tracking Manager (UTManager) Process 7-26
UTLite 7-26
Viewing Dynamic Updates Process Status 7-27
Enabling SNMP Traps on Switch Ports 7-27
SNMP MAC Notification Listener 7-29
Configuring SNMP Trap Listener 7-29
HPOV as Primary Listener 7-30
LMS Fault Monitor Module as Primary Listener 7-32
Configuring Dynamic User Tracking 7-33

7-23

7-26

Administration of Cisco Prime LAN Management Solution 4.2

viii

OL-25947-01

Contents

Using User Tracking Utility 7-34


Understanding UTU 7-34
Hardware and Software Requirements for UTU 7-35
Downloading UTU 7-35
Installing UTU 7-36
Installing UTU in Silent Mode 7-36
Installing UTU in Normal Mode 7-37
Accessing UTU 7-38
Configuring UTU 7-39
Searching for Users, Hosts or IP Phones Using UTU 7-40
Uninstalling UTU 7-45
Upgrading to UTU 2.0 7-45
Re-installing UTU 2.0 7-46

CHAPTER

Administering Collection Settings

8-1

Using the Inventory Job Browser 8-2


Viewing Job Details 8-6
Creating and Editing an Inventory Collection or Polling Job 8-7
Stopping, Cancelling or Deleting an Inventory Collection or Polling Job
Timeout and Retry Settings
Secondary Credentials

8-9

8-9

8-11

Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX
System 8-12
Changing the Schedule for System Inventory Collection or Polling Settings 8-12
Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings 8-13
PSIRT or End-of-Sale or End-of-Life Data Administration 8-14
Changing the Data Source for PSIRT/EOS/EOL Reports 8-14
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com 8-16
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location
Administering VRF Lite 8-18
Using VRF Lite Collector Settings 8-18
Scheduling VRF Lite Collector 8-19
Modifying VRF Lite SNMP Timeouts and Retries

8-16

8-20

Modifying Fault Management SNMP Timeout and Retries

8-21

Configuring Fault Management Rediscovery Schedules 8-22


Suspending and Resuming a Rediscovery Schedule 8-22
Adding and Modifying a Rediscovery Schedule 8-23
Configuring Event Forensics

8-24

Fault Monitoring Device Administration

8-25
Administration of Cisco Prime LAN Management Solution 4.2

OL-25947-01

ix

Contents

Device Management Functions

8-26

Performance Management SNMP Timeouts and Retry Settings


IPSLA Application Settings 8-28
Copying IPSLA Configuration to Running-Config
Managed Source Interface Setting 8-29

8-27

8-29

Setting Up Archive Management 8-30


Preparing to Use the Archive Management 8-30
Entering Device Credentials 8-30
Modifying Device Configurations 8-32
Enabling rcp 8-32
Enabling scp 8-33
Enabling https 8-33
Configuring Devices to Send Syslogs 8-33
Modifying Device Security 8-34
Router Commands 8-34
Switches Commands 8-35
Content NetworkingContent Service Switch Commands 8-35
Content NetworkingContent Engine Commands 8-35
Cisco Interfaces and ModulesNetwork Analysis Modules 8-35
Security and VPNPIX Devices 8-36
Moving the Configuration Archive Directory 8-36
Enabling and Disabling the Shadow Directory 8-37
Configuring Exclude Commands 8-38
Configuring Fetch Settings 8-40
Understanding Configuration Retrieval and Archival 8-40
Schedule Periodic Configuration File Archival 8-40
Schedule Periodic Configuration Polling 8-41
Manual Updates (Sync Archive function) 8-41
Using Version Summary 8-41
Timestamps of Configuration Files 8-42
How Running Configuration is Archived 8-42
Change Audit Logging 8-43
Defining the Configuration Collection Settings

8-43

Configuring Transport Protocols 8-46


Requirements to Use the Supported Protocols 8-46
Supported Protocols for Configuration Management Applications
Defining the Protocol Order 8-49
Overview: Common Syslog Collector

8-49

8-50

Viewing Status and Subscribing to a Common Syslog Collector

8-51

Administration of Cisco Prime LAN Management Solution 4.2

OL-25947-01

Contents

Viewing Common Syslog Collector Status 8-51


Subscribing to a Common Syslog Collector 8-52
Testing Syslog Collector Subscription 8-53
Understanding the Syslog Collector Properties File 8-55
Timezone List Used By Syslog Collector 8-58

CHAPTER

Monitoring and Troubleshooting Settings

9-1

Configuring Fault Poller Settings For Topology


Loading MIB Files

9-1

9-2

Configuring RMON 9-5


Modifying the Parameters 9-6
Enabling RMON on All Ports in Selected Devices 9-7
Enabling RMON on Selected Ports in Selected Devices
Disabling RMON 9-8

9-7

Configuring Topology Settings 9-8


Viewing Restricted Topology 9-9

CHAPTER

10

Notification and Action Settings

10-1

Understanding Notifications and Subscriptions


Customizing LMS Events

10-2

10-5

Configuring Event Sets and Notification Groups for Subscriptions 10-6


Configuring Event Sets 10-6
Configuring Fault Notification Groups 10-7
Setting Up a Fault Notification Group as Static or Dynamic 10-8
Managing Fault SNMP Trap Notifications 10-9
Adding an SNMP Trap Notification Subscription 10-10
Editing an SNMP Trap Notification Subscription 10-11
Suspending an SNMP Trap Notification Subscription 10-11
Resuming an SNMP Trap Notification Subscription 10-12
Deleting an SNMP Trap Notification Subscription 10-12
Managing Fault E-Mail Configurations 10-13
Managing Fault E-Mail Notification Subscriptions 10-13
Adding and Editing an E-Mail Notification Subscription
Managing Fault E-Mail Subject Customization 10-16

10-14

Managing Fault Syslog Notifications 10-17


Adding a Syslog Notification Subscription 10-18
Editing a Syslog Notification Subscription 10-19
Suspending a Syslog Notification Subscription 10-20

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

xi

Contents

Resuming a Syslog Notification Subscription 10-20


Deleting a Syslog Notification Subscription 10-21
Configuring Fault SNMP Trap Receiving and Forwarding 10-21
Enabling Devices to Send Traps to LMS 10-22
Enabling Cisco IOS-Based Devices to Send Traps to LMS 10-23
Enabling Catalyst Devices to Send SNMP Traps to LMS 10-23
Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs
Updating the SNMP Trap Receiving Port 10-24
Configuring SNMP Trap Forwarding 10-25
Performance SNMP Trap Notification Groups
Creating a Trap Receiver Group 10-26
Editing a Trap Receiver Group 10-27
Deleting a Trap Receiver Group 10-29
Filtering Trap Receiver Groups 10-29

10-24

10-25

Performance Syslog Notification Groups 10-31


Creating a Syslog Receiver Group 10-32
Editing a Syslog Receiver Group 10-33
Deleting a Syslog Receiver Group 10-34
Filtering Syslog Receiver Groups 10-35
Defining Automated Actions 10-36
Creating an Automated Action 10-37
Editing an Automated Action 10-39
Guidelines for Writing Automated Script 10-41
Enabling or Disabling an Automated Action 10-41
Exporting or Importing an Automated Action 10-41
Deleting an Automated Action 10-42
Automated Action: An Example 10-42
Verifying the Automated Action 10-44
Defining Syslog Message Filters 10-44
Creating a Filter 10-45
Editing a Filter 10-46
Enabling or Disabling a Filter 10-47
Exporting or Importing a Filter 10-47
Deleting a Filter 10-48
Inventory and Config Collection Failure Notification 10-48
Configuring Trap Notification Messages 10-50
Examples for Collection Failure Notification 10-50
Fields in a Trap Notification Message 10-50
IPSLA Syslog Configuration

10-51

Administration of Cisco Prime LAN Management Solution 4.2

xii

OL-25947-01

Contents

CHAPTER

11

Administering Change Audit and Software Management


Setting Up Preferences

11-1

11-2

Performing Change Audit Tasks

11-2

Performing Maintenance Tasks 11-3


Setting the Purge Policy 11-4
Performing a Forced Purge 11-5
Config Change Filter 11-7
Defining Exception Periods 11-7
Creating an Exception Period 11-8
Enabling and Disabling an Exception Period
Editing an Exception Period 11-9
Deleting an Exception Period 11-9

11-8

Defining Change Audit Automated Actions 11-10


Understanding the Automated Action Window 11-10
Creating an Automated Action 11-11
Editing an Automated Action 11-13
Enabling and Disabling an Automated Action 11-13
Exporting and Importing an Automated Action 11-14
Deleting an Automated Action 11-14
Software Management Administration Tasks 11-15
Viewing/Editing Preferences 11-15
Selecting and Ordering Protocol Order 11-19
How Recommendation Filters Work for an IOS Image
Setting Change Report Filters

CHAPTER

12

Managing Jobs

11-20

11-22

12-1

Using Job Browser

12-1

Configuring Default Job Policies 12-5


Defining the Default Job Policies 12-6
Configuring NetShow Job Policies 12-11
Defining Default Job Policies 12-12
Purging Configuration Management Jobs
Defining Protocol Order 12-14
Masking Credentials 12-15

12-13

Enabling Approval and Approving Jobs Using Job Approval

12-15

Job Approval Workflow 12-16


Specifying Approver Details 12-16
Creating and Editing Approver Lists 12-17
Administration of Cisco Prime LAN Management Solution 4.2
OL-25947-01

xiii

Contents

Assigning Approver Lists 12-18


Setting Up Job Approval 12-18
Approving and Rejecting Jobs 12-20
Using Device Selector 12-23
Using Simple Search 12-24
Using Advanced Search 12-25
Using the All Tab 12-30
Using the Search Results Tab 12-32
Using the Selection Tab 12-32
Editing Device Attributes 12-33
Attribute Error Report 12-36
Device Attributes Export File Format 12-36

CHAPTER

13

Working With Software Center

13-1

Performing Software Updates 13-2


Viewing the List of Installed Applications and Packages
Selecting Software Updates 13-3
Downloading Software Updates 13-4

13-2

Performing Device Update 13-4


Viewing Package Map 13-5
Viewing Device Map 13-5
Checking for Updates 13-6
Deleting Packages 13-7
Scheduling Device Package Downloads
Scheduled Job
Event Log

13-8

13-9

13-10

Point Patch Update

13-10

Using the Software Center CLI Utility 13-11


Querying Updates on the LMS Server 13-12
Installing Device Packages 13-12
Uninstalling Device Packages 13-13
Downloading Software Updates 13-13
Downloading Device Updates 13-14
Downloading Point Patch Updates 13-15
Installing Point Patch Updates 13-15
Listing Dependent Device Packages 13-16
Listing Device Packages Version 13-17

Administration of Cisco Prime LAN Management Solution 4.2

xiv

OL-25947-01

Contents

CHAPTER

14

Discrepancies and Best Practices Deviations

14-1

Understanding Discrepancies and Best Practices Deviations

14-1

Interpreting Discrepancies 14-2


Trunking Related Discrepancies 14-2
Trunk Negotiation Across VTP Boundary 14-3
Native VLANs Mismatch 14-4
Trunk VLANs Mismatch 14-4
Trunk VLAN Protocol Mismatch 14-4
VLAN-VTP Related Discrepancies 14-5
VTP Disconnected Domain 14-5
No VTP Server in Domain with at least One VTP Client
Link Related Discrepancies 14-6
Link Duplex Mismatch 14-6
Link Speed Mismatch 14-8
Link Trunk/NonTrunk Mismatch 14-9
Port Related Discrepancy 14-10
Port is in Error Disabled State 14-10
Device Related Discrepancy 14-11
Devices With Duplicate SysName 14-11
Spanning Tree Related Discrepancy 14-11
Port Fast Enabled on Trunk Port 14-11

14-5

Interpreting Best Practices Deviations 14-12


Channel Ports Related Best Practices Deviations 14-13
Non-channel Port in Desirable Mode 14-13
Channel Port in Auto Mode 14-14
Spanning Tree Related Best Practices Deviations 14-15
BPDU Filter Disabled on Access Ports 14-16
BPDU-Guard Disabled on Access Ports 14-17
BackboneFast Disabled in Switch 14-18
UplinkFast not Enabled 14-20
Loop Guard and Port Fast Enabled on Ports 14-22
Trunk Ports Related Best Practices Deviations 14-23
Non-trunk Ports in Desirable Mode 14-23
Trunk Ports in Auto Mode 14-25
VLAN Related Best Practices Deviations 14-25
VLAN Index Conflict 14-26
VLAN Name Conflict 14-26
Link Ports Related Best Practice Deviation 14-26
UDLD Disabled on Link Ports 14-27

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

xv

Contents

Access Ports Related Best Practice Deviation 14-28


CDP Enabled on Access Ports 14-28
Cisco Catalyst 6000 Devices Related Best Practice Deviation
High Availability not Operational 14-29
Customizing Discrepancies Reporting and Syslog Generation

CHAPTER

15

Report Setting

Specifying Domain Name Display


Set Report Publish Location
16

Purge Settings

14-30

15-1

Specifying User Tracking Report Purge Policy

CHAPTER

14-29

15-1

15-2

15-2

16-1

Purging Reports Jobs and Archived Reports

16-1

Purging VRF Management Reports Jobs and Archived Reports


Purging Configurations from the Configuration Archive
Syslog Administrative Tasks 16-4
Setting the Syslog Backup Policy
Setting the Syslog Purge Policy 16-6
Performing a Syslog Forced Purge

16-2

16-2

16-5

16-7

Purging Configuration Management Jobs 16-8


Scheduling a Configuration Management Purge Job 16-10
Enabling a Configuration Management Purge Job 16-11
Disabling a Configuration Management Purge Job 16-11
Performing an Immediate Purge for Configuration Management Jobs
Performance Purge Jobs

16-12

Performance Purge Data

16-14

View Performance Purge Details


IPSLA Data Purging Settings

16-17

16-18

Configuring the Daily Fault History Purging Schedule

CHAPTER

17

Debugging Options

16-12

16-20

17-1

Configuring Discovery Logging

17-1

Maintaining Log Files 17-2


Maintaining Log Files on Solaris/Soft Appliance 17-3
Maintaining Log Files on Windows 17-3
About Cisco Prime Common Services Log Files 17-4
Viewing and Maintaining LMS Log File Details 17-6

Administration of Cisco Prime LAN Management Solution 4.2

xvi

OL-25947-01

Contents

Fault Management Log Files

17-8

Performance Debugging Settings 17-9


IPSLA Debugging Settings 17-11
Config and Image Management Debugging Settings
Configuring Logging

17-13

17-17

Fault Debugging Settings

17-18

Setting Debugging Options for Topology and User Tracking 17-20


Setting up Debugging Options for Data Collection 17-20
Setting up Debugging Options for Network Reports 17-23
Setting Debugging Options for Device Groups 17-24
Setting Debugging Options for Topology 17-24
Debugging Options for User Tracking Server 17-25
Debugging Dynamic Updates 17-26
Debugging Options for User Tracking Reports 17-29
Debugging Options for Dynamic User Tracking Console 17-29
Debugging Options for CiscoView 17-30
Setting VRF Lite Debugging Options 17-30
VRF Lite Server Debugging Settings 17-31
VRF Lite Collector Debugging Settings 17-32
VRF Lite Client Debugging Settings 17-33
VRF Lite Utility Debugging Settings 17-33

CHAPTER

18

Understanding LMS Tasks

18-1

Understanding Admin Tasks 18-1


Understanding System Tasks 18-2
Understanding Trust Management Tasks
Understanding Network Tasks 18-8
Understanding Collection Tasks 18-13

18-7

Understanding Report Tasks 18-17


Understanding Fault and Event Report Tasks 18-18
Understanding Report Archives Tasks 18-19
Understanding Report Designer Tasks 18-19
Understanding Inventory Report Tasks 18-20
Understanding Audit Report Tasks 18-20
Understanding Technology Report Tasks 18-21
Understanding Performance Report Tasks 18-21
Understanding System Report Tasks 18-23
Understanding Switch Port Report Tasks 18-24
Understanding Configuration Tasks

18-25
Administration of Cisco Prime LAN Management Solution 4.2

OL-25947-01

xvii

Contents

Understanding Configuration Archive Tasks 18-25


Understanding Configuration Tools Tasks 18-26
Understanding ConfigCLI Tasks 18-28
Understanding Configuration Workflows Tasks 18-29
Understanding Configuration Job Browsers Tasks 18-30
Understanding Compliance Tasks 18-30
Understanding Monitor Tasks 18-31
Understanding Performance Settings Tasks 18-31
Understanding Fault Settings Tasks 18-33
Understanding Threshold Settings Tasks 18-33
Understanding Troubleshooting Tools Tasks 18-34
Understanding Monitoring Tools Tasks 18-35
Understanding Inventory Tasks 18-36
Understanding Group Management Tasks 18-36
Understanding Job Browsers Tasks 18-37
Understanding Device Administration Tasks 18-37
Understanding Inventory Tools Tasks 18-38
Understanding Work Center Tasks 18-38
Understanding Smart Install Tasks 18-39
Understanding Auto Smartports Tasks 18-39
Understanding Identity Tasks 18-39
Understanding EnergyWise Tasks 18-40

APPENDIX

CLI Tools

A-1

Setting Up Local Users Through CLI A-2


Adding Local Users A-2
Importing Local Users A-4
Importing Users From ACS A-5
Migrating User Details from LMS 3.2 to LMS 4.x versions
Changing Cisco Prime User Password Through CLI

A-5

A-6

Managing Processes Through CLI A-8


Viewing Process Details Through CLI A-8
Viewing Brief Details of Processes A-9
Viewing Processes Statistics A-10
Starting a Process A-10
Stopping a Process A-10
Working With Third Party Security Certificates A-11
Uploading Third Party Security Certificates to LMS Server A-11
Using the SSL Utility Script to Upload Third Party Security Certificates

A-15

Administration of Cisco Prime LAN Management Solution 4.2

xviii

OL-25947-01

Contents

Setting up Browser-Server Security A-16


Enabling Browser-Server Security From the Command Line Interface (CLI) On Windows
Platforms A-16
Enabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance
Platforms A-17
Disabling Browser-Server Security From the Command Line Interface (CLI) On Windows
Platforms A-18
Disabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft Appliance
Platforms A-18
Backing up Data Using CLI

A-20

Using LMS Server Hostname Change Scripts A-20


Running the Hostname Change Script A-23
Using DCR Features Through CLI A-25
Viewing the Current DCR Mode Using CLI
Viewing Device Details A-26
Changing DCR Mode Using CLI A-26

A-25

Using Group Administration Features Through CLI


Exporting Groups Through CLI A-28
Importing Groups Through CLI A-29
Deleting Stale Groups Using CLI

A-27

A-30

User Tracking Command Line Interface A-30


Exporting Switch Port Usage Report A-34
Using Lookup Analyzer Utility

A-35

Understanding UTLite A-37


Installing UTLite Script on Active Directory/Windows A-38
Installing UTLite Script on NDS A-40
Uninstalling UTLite Scripts From Windows A-41
Uninstalling UTLite Scripts From Active Directory A-41
Uninstalling UTLite Scripts From NDS A-42
User Tracking Debugger Utility A-42
Understanding Debugger Utility A-42
Using Debugger Utility A-43
Configuring Switches to Send MAC Notifications to LMS Server

A-43

Administration Command Line Interface A-44


SNMP Configuration on Devices A-46

APPENDIX

Troubleshooting and FAQs

B-1

Troubleshooting Guidelines B-1


Troubleshooting User Tracking

B-1

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

xix

Contents

Troubleshooting the Cisco Prime LMS Server


Verifying Server Status B-3
Troubleshooting Suggestions B-5

B-2

Frequently Asked Questions B-6


User Tracking FAQs B-7
VRF Lite FAQs B-9
Cisco Prime LMS Server FAQs B-14
General B-15
Important URLs B-26
Security B-27
Software Center B-30
Event Distribution Services and Event System Services
Backup and Restore B-33
Database B-34
Apache and Tomcat B-36
Fault Management FAQs B-42
Device Performance Management FAQs B-43
IPSLA Performance Management FAQs B-44

APPENDIX

Data Extraction Engine

B-32

C-1

Overview of Data Extraction Engine

C-1

The cmexport Command C-2


Running cmexport Command C-2
cmexport Arguments and Options C-3
Mandatory Arguments C-4
Optional Arguments C-4
Function-Specific Options C-5
Displaying Help C-5
Uses of cmexport C-5
cmexport User Tracking

C-6

cmexport Topology Command

C-9

cmexport Discrepancy Command

C-12

cmexport Manpage C-14


Command Line Syntax C-14
Commands C-14
Arguments and Options C-15
Mandatory Arguments C-15
Function-Specific Options C-16
Accessing Help C-16
Administration of Cisco Prime LAN Management Solution 4.2

xx

OL-25947-01

Contents

DEE Developers Reference C-16


Schema for User Tracking Data C-17
User Tracking Schema for Switch Data C-18
User Tracking Schema for Phone Data C-19
User Tracking Schema for Subnet Data C-19
Schema for Topology Data C-20
Schema for Discrepancy Data C-21
Using Servlet to Export Data from LMS C-22

APPENDIX

Understanding Cisco Prime Security


General Security

D-1

D-1

Server Security D-2


ServerImposed Security D-2
Files, File Ownership, and Permissions D-2
Runtimer D-3
Remote Connectivity D-4
Access to Systems Other Than the Cisco Prime LMS Server
Access Control D-4
System Administrator-Imposed Security D-5
Connection Security D-5
Security Certificates D-5
Terms and Definitions D-6

APPENDIX

Commands to Enable MAC Notification Traps on Devices


Overview of Dynamic Updates

E-1

E-1

Configuring Switches With MAC Notification Commands


Device Operating System Version-Specific Commands

E-2
E-2

List of Commands to Enable MAC Notification Traps on Devices

APPENDIX

Recommended Best Practices

E-3

F-1

Basic Server and Client Requirements

F-1

Best Practices to Reclaim Disk Space Using Purging Method


Purging Databases F-2
Purging Jobs F-3
Purging Archives F-4
Best Practices for Improving System Performance
Backing Up Data

D-4

F-1

F-4

F-6

Handling Custom Telnet Prompts

F-6

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

xxi

Contents

INDEX

Administration of Cisco Prime LAN Management Solution 4.2

xxii

OL-25947-01

Preface
Administration in Cisco Prime LAN Management Solution (LMS) 4.2 groups all the activities and tasks
that a user with Network or System Administrator privileges needs to perform.
This preface details the related documents that support the Admin feature, and demonstrates the styles
and conventions used in this guide. This preface contains:

Audience

Document Conventions

Product Documentation

Audience
This guide is for users who are skilled in network administration and management, and for network
operators who use this guide to make configuration changes of devices using LMS. The network
administrator or operator should be familiar with the following:

Basic Network Administration and Management

Basic Solaris System Administration

Basic Windows System Administration

Basic Soft Appliance System Administration

Basic LMS Administration

Document Conventions
Table 1 describes the conventions followed in the user guide.
Table 1

Conventions Used

Item

Convention

Commands and keywords

boldface font

Variables for which you supply values

italic font

Displayed session and system information

screen

Information you enter

boldface screen

font
font

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

xxiii

Preface

Table 1

Note

Conventions Used (continued)

Item

Convention

Variables you enter

italic screen

Menu items and button names

boldface font

Selecting a menu item in paragraphs

Option > Network Preferences

Selecting a menu item in tables

Option > Network Preferences

font

Means reader take note. Notes contain helpful suggestions or references to material not covered in the
publication.

Product Documentation
Note

We sometimes update the printed and electronic documentation after original publication. Therefore,
you should also review the documentation on Cisco.com for any updates.
Table 2 describes the product documentation that is available.
Table 2

Product Documentation

Document Title
Administration of Cisco Prime LAN Management
Solution 4.2 (this document)

Context-sensitive online help


Getting Started with Cisco Prime LAN
Management Solution 4.2

Configuration Management with Cisco Prime


LAN Management Solution 4.2

Available Formats

On Cisco.com at
http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/
user/guide/admin/admin.html

PDF version part of Cisco Prime LMS 4.2


Product DVD.

Select an option from the navigation tree, then


click Help.

On Cisco.com at
http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/
user/guide/getting_started/
lms42_getstart_guide.html

PDF version part of Cisco Prime LMS 4.2


Product DVD.

On Cisco.com at
http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/
user/guide/configuration/config.html

PDF version part of Cisco Prime LMS 4.2


Product DVD.

Administration of Cisco Prime LAN Management Solution 4.2

xxiv

OL-25947-01

Preface

Table 2

Product Documentation (continued)

Document Title

Available Formats

Monitoring and Troubleshooting with Cisco


Prime LAN Management Solution 4.2

Inventory Management with Cisco PrimeLAN


Management Solution 4.2

Technology Work Centers in Cisco Prime LAN


Management Solution 4.2

Reports Management with Cisco PrimeLAN


Management Solution 4.2

Installing and Migrating to Cisco Prime LAN


Management Solution 4.2

Navigation Guide for Cisco Prime LAN


Management Solution 4.2

Open Database Schema Support in Cisco Prime


LAN Management Solution 4.2

On Cisco.com at
http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/us
er/guide/lms_monitor/lms_mnt.html

PDF version part of Cisco Prime LMS 4.2


Product DVD.

On Cisco.com at
http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/us
er/guide/inventory/inventory.html

PDF version part of Cisco Prime LMS 4.2


Product DVD.

On Cisco.com at
http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/us
er/guide/workcenters/wcug.html

PDF version part of Cisco Prime LMS 4.2


Product DVD.

On Cisco.com at
http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/us
er/guide/reports/lms42_reports_guide.html

PDF version part of Cisco Prime LMS 4.2


Product DVD.

On Cisco.com at
http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/in
stall/guide/install.html

PDF version part of Cisco Prime LMS 4.2


Product DVD.

On Cisco.com at
http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/N
avigation/guide/lms42_nav_guide.html

PDF version part of Cisco Prime LMS 4.2


Product DVD.

On Cisco.com at
http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/da
tabase_schema4.2/guide/dbviews.html

PDF version part of Cisco Prime LMS 4.2


Product DVD.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

xxv

Preface

Table 2

Product Documentation (continued)

Document Title
Release Notes for Cisco Prime LAN Management
Solution 4.2

Supported Devices Table for Cisco Prime LAN


Management Solution 4.2

Documentation Roadmap for Cisco Prime LAN


Management Solution 4.2

Available Formats

On Cisco.com at
http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/re
lease/notes/lms42rel.html

PDF version part of Cisco Prime LMS 4.2


Product DVD.

On Cisco.com at
http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/de
vice_support/table/lms42sdt.html

PDF version part of Cisco Prime LMS 4.2


Product DVD.

Printed document part of Software kit

Obtaining Documentation and Submitting a Service Request


For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly Whats New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the Whats New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.

Administration of Cisco Prime LAN Management Solution 4.2

xxvi

OL-25947-01

Notices
The following notices pertain to this software license.

OpenSSL/Open SSL Project


This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the
original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses
are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact
openssl-core@openssl.org.
OpenSSL License:

Copyright 1998-2007 The OpenSSL Project. All rights reserved.


Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1.

Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.

2.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and
the following disclaimer in the documentation and/or other materials provided with the distribution.

3.

All advertising materials mentioning features or use of this software must display the following
acknowledgment: This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit (http://www.openssl.org/).

4.

The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote
products derived from this software without prior written permission. For written permission, please
contact openssl-core@openssl.org.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

xxvii

Notices

5.

Products derived from this software may not be called OpenSSL nor may OpenSSL appear in
their names without prior written permission of the OpenSSL Project.

6.

Redistributions of any form whatsoever must retain the following acknowledgment:


This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS' AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product
includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License:

Copyright 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.


This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are
adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,
lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is
covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Youngs, and as such any Copyright notices in the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts of
the library used. This can be in the form of a textual message at program startup or in documentation
(online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1.

Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.

2.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.

3.

All advertising materials mentioning features or use of this software must display the following
acknowledgement:
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
The word cryptographic can be left out if the routines from the library being used are not
cryptography-related.

4.

If you include any Windows specific code (or a derivative thereof) from the apps directory
(application code) you must include an acknowledgement: This product includes software written
by Tim Hudson (tjh@cryptsoft.com).

Administration of Cisco Prime LAN Management Solution 4.2

xxviii

OL-25947-01

Notices

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED


WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be
changed. i.e. this code cannot simply be copied and put under another distribution license [including the
GNU Public License].

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

xxix

Notices

Administration of Cisco Prime LAN Management Solution 4.2

xxx

OL-25947-01

CH A P T E R

Overview of Administration
This guide is intended for Local Area Network (LAN) administrators and management professionals
who perform LAN configurations and monitor LAN performance.
The Admin menu groups all the activities and tasks that a user with Network or System Administrator
privileges can perform.
This section explains:

How the guide is organized?

Administration Tasks

Understanding the System Dashboard

How the guide is organized?


The Administration user guide is organized as follows:
Table 1-1

Administration User Guide

Chapter

Description

Chapter 1, Overview of Administration

Provides information on the organization of Administration with Cisco Prime


LMS user guide, and describes the System Dashboard portlets in LMS.

Chapter 2, Setting up Security

Describes the security mechanisms that help to prevent unauthenticated access


to LMS server, Cisco Prime applications, and data. LMS provides features for
managing security while operating in single-server and multi-server modes.

Chapter 3, Administering LMS Server

Describes how to use administrative features to ensure that the server is performing properly.
You can manage processes, set up backup parameters, update licensing information, collect server information, manage jobs and resources, and configure system-wide information on the Cisco Prime LMS Server.

Chapter 4, Administering Discovery


Describes how to configure discovery settings, and perform administrative tasks
Settings and Device and Credential Repos- in DCR.
itory

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

1-1

Chapter 1

Overview of Administration

How the guide is organized?

Table 1-1

Administration User Guide (continued)

Chapter

Description

Chapter 5, Managing Groups

Describes how to use the Grouping feature in LMS.


LMS 4.2 has a more robust device grouping which can support 600 device
groups. The other grouping services that are available in LMS are:

Fault Group

IPSLA Collector Group

Port and Module Group

Chapter 6, Administering Data Collection

Describes how to use Data Collection.

Chapter 7, User Tracking and Dynamic


Updates

Describes how to use User Tracking and Dynamic Updates.


User Tracking allows you to track end stations.
Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps.which

Chapter 8, Administering Collection


Settings

Describes how to configure the various collection settings in LMS.

Chapter 9, Monitoring and Troubleshoot- Describes how to configure all the administrative tasks that you need to perform
ing Settings
to monitor and troubleshoot your network using LMS.
Chapter 10, Notification and Action
Settings

Describes how to configure the the administrative tasks involved in setting up notification, syslog settings.
You can also customize the names and event severity, create and activate a notification subscriptions, and setup up automated actions for Change Audit tasks
and syslogs.

Chapter 11, Administering Change Audit Describes how to perform Change Audit tasks and set your preference to
and Software Management
download images.
Chapter 12, Managing Jobs

Describes how to manage jobs in LMS, and set up job approval for certain
modules in LMS.

Chapter 13, Working With Software


Center

Describes how to use the Software Center to check for software and device
support updates, download them to their server file system along with the related
dependent packages, and install the device updates.

Chapter 14, Discrepancies and


Best Practices Deviations

Describes how to use the Discrepancies Reporting module of LMS to view the
discrepancies and best practices deviations in your network.

Chapter 15, Report Setting

Describes how to configure some settings for generating reports and set a report
publish location.

Chapter 16, Purge Settings

Describes how to configure the purge settings of all modules in LMS.

Chapter 17, Debugging Options

Describes how to configure the debugging settings of all modules in LMS.


You can also view the details of all the log files.

Chapter 18, Understanding LMS Tasks

Describes all LMS tasks.

Appendix A, CLI Tools

Describes all the CLI utilities that are available for the administrator in LMS 4.2.

Appendix B, Troubleshooting and FAQs Provides troubleshooting and FAQs.


Appendix C, Data Extraction Engine

Describes how to export User Tracking, Topology, and Discrepancy application


data using Data Extraction Engine

Administration of Cisco Prime LAN Management Solution 4.2

1-2

OL-25947-01

Chapter 1

Overview of Administration
Administration Tasks

Table 1-1

Administration User Guide (continued)

Chapter

Description

Appendix D, Understanding Cisco Prime Describes the various levels of security implemented in Cisco Prime LMS.
Security
Appendix E, Commands to Enable MAC Provides information on the list of commands that needs to run on each device
Notification Traps on Devices
to enable MAC Notification traps

Administration Tasks
The System Administration tasks are grouped into:

Authentication Mode Setup

Backup

Cisco.com Settings

Debug Settings

Group Management

License Management

Log Rotation

Server Monitoring

SMTP Default Server

Device Management Functions

Software Center

System Preferences

User Management

The Network Administration tasks are grouped into:

Change Audit Settings

Discovery Settings

PSIRT, EOS and EOL Settings

Configuration Job Settings

Device Credential Settings

Best Practises Deviation Settings

Display Settings

Monitor and Troubleshoot

Notification and Action Settings

Purge Settings

Resource Browser

Software Image Management

The Collection Settings are grouped into:

Config

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

1-3

Chapter 1

Overview of Administration

Administration Tasks

Data Collection

Fault

Inventory

Performance

Syslog

User Tracking

VRF Lite

Apart from the system administration and network administration tasks, you can also perform:

Trust Management
Local Server
Multi Server

Job Management
Job Browser
Job Approval

The two dashboards in the Admin menu are:

System Dashboard. For more information, see Understanding the System Dashboard

Device Status Dashboard.


This section is explained in the Inventory Online Help.

IPv6 Support in LMS

LMS provides IPv6 Support for the following features:

Administration of Cisco Prime LAN Management Solution 4.2

1-4

OL-25947-01

Chapter 1

Overview of Administration
Administration Tasks

Application

IPv6 Supported Features

Common Services

The following features in Common Services support IPv6:

Device Discovery
Common Services Device Discovery allows you to discover devices
from IPv6 networks, using CDP and Ping Sweep on IP Range Device
Discovery modules.

DCR and Grouping Services


DCR supports IPv6 and stores the expanded format of IPv6 Addresses
that are discovered by the CDP and Ping Sweep on IP Range modules.

Device Polling
The device polling feature allows you to poll device using IPv6 address.

Device Selector
The device selector feature allows you to search a device using IPv6
address either in a compressed format or in a expanded format.

Configuring Default Credentials


You can define a default credential policy type based on the standard
IPv6 Address format (6 octets separated by periods).

You can now create group rules based on IPv6 management addresses.
LMS supports IPv6 Addressing scheme in the following Device Discovery
pages:

Seed Device Setting Page

SNMP Settings Page

Filter Settings Page

In the Device Troubleshooting home page, the existing IP Address field


supports IPv6 Addresses.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

1-5

Chapter 1

Overview of Administration

Administration Tasks

Application

IPv6 Supported Features

Inventory, Config and


Image Management

The following features/technologies in Inventory, Config and Image


Management support IPv6:

CiscoView

Assigning an IPv6 Address to a Layer 3 device or VLAN

Retrieving software files from a device

Distributing different versions of software to a device

Scheduling retrieval of software from a device

Retrieving configuration files from a device

Distributing a new configuration to a device

Distributing a historical configuration file to a device

Scheduling distribution of configuration files to a device

Provisioning Auto Smart Ports on ASP-capable devices

Medianet

Provisioning Identity on Identity-capable devices

Configuring Syslogs

IPv6 sorting in Work Center Grids.

CiscoView allows you to enter an IPv6 Address of a device to display the


device view for configuring and remote monitoring.

Administration of Cisco Prime LAN Management Solution 4.2

1-6

OL-25947-01

Chapter 1

Overview of Administration
Administration Tasks

Application

IPv6 Supported Features

Network Topology,
Layer 2 Services and
User Tracking

The following features in Network Topology, Layer 2 Services and User


Tracking support IPv6:

Data Collection
The following tasks related to Data Collection are supported in the IPv6
environment:
SNMP Timeout and Retry configuration for IPv6 devices
Viewing Data Collection Metrics and reports for IPv4/IPv6 devices
Creating group rules based on IPv6 Subnet and IPv6 Subnet Masks
Device-based debugging for IPv6 devices

Topology
The following tasks related to Topology are supported in the IPv6
environment:
Setting an IPv6 Address as the preferred Management Address

from Topology view


Cross-launching Inventory, Config and Image Management and

CiscoView from Topology Services - Device Dashboard and Add to


Critical Poller
Selecting IPv6 devices for Device Type Topology Filter

Network Topology, Layer 2 Services and User Tracking Reports


IP Address fields in all these reports except User Tracking reports can
now display IPv6 Addresses.
You can sort the reports based on IP Addresses (IPv4 and IPv6).

VLAN Configuration
The following VLAN related configurations are supported in the IPv6
environment:
Configure VLAN
Delete VLAN
Create Private VLAN
Delete Private VLAN
Configure Port Assignment
Configure Promiscuous Ports
Create Trunk
Modify Trunk Attributes

Monitoring and
Troubleshooting

Note

LMS supports IPv6 Addressing scheme in Device Performance


Management.

In LMS, IPv6 support is provided for Dual stack devices.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

1-7

Chapter 1

Overview of Administration

Understanding the System Dashboard

Understanding the System Dashboard


The System Dashboard has the following portlets:

Note

The data in these portlets does not appear based on any role-based authorization, both device-level or
user-level authorization.

Cisco Prime Product Updates

Critical Message Window

Device Credentials and AAA Information

Log Space Usage

Process Status

System Backup Status

User Login Information

Job Information Status

Audit Trail Information

Job Approval

Syslog Collectors Information

Supported Device Finder Portlet

VRF Collector Summary

Collection Summary Portlet

Cisco Prime Product Updates


You can view the recent updates and announcements of Cisco Prime products using Cisco Prime Product
Updates.

Critical Message Window


In the Critical Message Window portlet, you can view the alerts for Cisco Prime Drive Utilization and
for processes that are down. For details, see Utilizing Space in the Cisco Prime Drive.
For instance, if the usage of the drive exceeds the specified limit, the alerts appear. You can click the
help link to view the details, and can reduce drive utilization.
You must configure the refresh time in the portlets.
You can also get information about:

Authentication mode fallback


Authentication mode from which the user fallbacks to the Local Authentication module. This
message appears when the user is in fallback mode.

License expiration

Administration of Cisco Prime LAN Management Solution 4.2

1-8

OL-25947-01

Chapter 1

Overview of Administration
Understanding the System Dashboard

Single Sign On (SSO) master unreachability, which is applicable only for a slave server.

Utilizing Space in the Cisco Prime Drive


You can use the space in Cisco Prime LMS drive in the following ways:

Delete the unwanted log files from the NMSROOT directory.

Use the log rotate functionality, to rotate the logs to other drives.

Remove unwanted files from the NMSROOT drive.

Note

The Authentication modes appear in the Critical Message Window portlet (in red) if you do not
have full privileges in the Device Credential and AAA Information portlet.

Table 1-2 lists the Critical Message Window portlet details.


Table 1-2

Critical Message Window Portlet

Details

Description

Cisco Prime Drive Utilization

Displays the utilization of the drive for Windows, Solaris


and Soft Appliance.
For Windows:
Drive is where the product is installed.
For example, 'C' drive in case of "C/Program
Files/CSCOpx"
For Solaris/Soft Appliance:
The portlet displays the File System utilization of the
following:
/opt - Product Installed location
/var - Log file details location.

Processes xyz are down.

Displays the processes that are down.

For example:ESS, EssMonitor, Proxy


and so on.

All the processes that are down are displayed in red in the
portlet.
However, when Fault processes such as DFMCTMStartup
and Data Purge are down, they are not displayed in the
Critical Message Window portlet.

Device Credentials and AAA Information


The Device Credentials and AAA Information portlet allows you to view the information about the
device credentials, admin settings, security settings, and device polling status.
The security settings enable you to view the security settings in LMS such as the Authentication mode,
and Single sign-on configuration.
Table 1-3 lists the Device Credentials and AAA Information portlet details.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

1-9

Chapter 1

Overview of Administration

Understanding the System Dashboard

Table 1-3

Device Credentials and AAA Information Portlet

Field

Description

Authentication Mode

Mode selected to authenticate the LMS server when logging into the LMS
application. For example, TACACS+, MS Active Directory.

If the status is displayed in green, authentication is successful in the local or


external server.

The status is in red when you log into the Cisco Prime application in fallback
mode.

Authorization Mode

Mode used to authorize the user after authentication. From LMS 4.0, only the
Local Authentication mode is used to authenticate users, and authorize them to
access Cisco Prime LMS. ACS mode is not available.

Single Sign On (SSO) Mode

SSO mode such as Stand alone and Master/Slave.

No. of Devices

Number of devices. Click on the number to view the DCR Device Management
page details.

DCR Mode

DCR mode such as Standalone, Master, Slave.


For more information about DCR mode, see DCR Architecture in Inventory
Management Online Help.
For more information on changing the DCR mode, see Changing DCR Mode.

Device Polling Status

Device Polling Status

Status of the device polling.


The status can be either enabled or disabled.
If the status is enabled, then it displays the scheduled jobs along with the Job ID.
For example Job ID: 1034.

Device Polling Frequency

Polling frequency of the devices.


This frequency can be:

Total Unreachable Devices

Every 6 hours

Every 12 hours

Daily

Weekly

Monthly

Total number of devices that are not reachable.


Click the unreachable device link to view the report.

Next Polling Schedule

Time at which the next polling is scheduled.

Log Space Usage


In Log Space Usage portlet, you can manage the reports on log file size.
The Log Space Usage portlet also displays details of all log files, including the Tomcat and Apache log
files. You must configure the refresh time in the portlets.
Table 1-4 lists the Log Space Usage portlet details.

Administration of Cisco Prime LAN Management Solution 4.2

1-10

OL-25947-01

Chapter 1

Overview of Administration
Understanding the System Dashboard

Table 1-4

Log Space Usage Portlet

Field

Description

Log File

Name of the log file such as syslog.log, EDS.log upm_base.log, and


so on.
The asterisk (*) displayed along with some log file name denotes
that there are multiple files available.

Directory

Displays the location of the logfile.


For instance, var/adm/CSCOpx/log.

File Size

Current size of the log file in kilo bytes.


You can click the portlet name in the title bar of the portlet to navigate to Log File status report page
(Reports > System > Status > Log File).
For more information on the list of log files, see Maintaining Log Files.

Process Status
In Process Status portlet, you can manage all the activities or jobs.
Table 1-5 lists the Process Status portlet details.
Table 1-5

Process Status Portlet

Field

Description

State

Status of the process, such as Failed to start, Running normally and


Shutdown.

No. of Process

Number of processes in each state.


You can click the portlet name in the title bar of the portlet to navigate to the Process Status report page
(Reports > System > Status > Process).
You can click the link displayed in the portlet to start or stop the process.

System Backup Status


In the System Backup Status portlet, you can view the details such as the current backup schedule, last
backup status, last backup location and the time when the last backup was completed.
You should back up the database regularly so that you have a safe copy of the database. You cannot back
up the database while restoring it. Whenever you perform a backup, all the databases of the installed
applications are backed up.
LMS provides a single backup and restore facility to back up and restore all applications installed on the
LMS server. You cannot backup or restore individual portal databases without the LMS backup utility.
See, Backing up Data Using CLI for more information on the backup utility.
To schedule system backups at regular intervals, select Admin > System > Backup.
Table 1-6 lists the System Backup Job Details portlet fields.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

1-11

Chapter 1

Overview of Administration

Understanding the System Dashboard

Table 1-6

System Backup Job Details Portlet

Field

Description

Backup Schedule

Date and time at which the backup was scheduled.


You can click the link corresponding to the Backup Schedule to
view/schedule the respective Backup Job details.

Last Backup Completed at

Date and time when the last backup was completed.

Last Backup Status

Status of the last backup.

Last Backup Location

Location of the last backup.

You can click on the portlet name in the title bar of the portlet to navigate to the Backup Job page.

User Login Information


In the User Login Information portlet, you can view the information on users currently logged into LMS
server.
You must configure the refresh time in the portlets.
Table 1-7 lists the User Login Information portlet details.
.

Table 1-7

User Login Information Portlet

Field

Description

No. of Logged-in Users

Number of users who have logged in.


You can click the number of logged-in users to view the Who is Logged on
Report page (also available from Reports > System > Users > Who is Logged
On).

Users

Log-in details of all users and the number of sessions opened by each user.

Note

You can send broadcast messages to logged-in users by clicking the Send Message to all users
link displayed in the User Login Information and the users will receive the message within 60
seconds by default.

You can click the portlet name in the title bar of the portlet to navigate to the Who is Logged on Report
page.
For more information on setting up local users, see Setting up Local Users.

Job Information Status


In the Job Information Status portlet, you can view the status of up to 20 jobs of the installed
applications. You can click the portlet name in the title bar of the portlet to navigate to the Job Browser
page.
You must configure the refresh time in the portlets.

Administration of Cisco Prime LAN Management Solution 4.2

1-12

OL-25947-01

Chapter 1

Overview of Administration
Understanding the System Dashboard

Table 1-8 lists the Job Information Status portlet details.


Table 1-8

Job Information Status Portlet

Field

Description

Job ID

Unique ID assigned to the job by the system, when the job is created. The Job IDs are
displayed in ID.No.of.Instances format in periodic jobs.
For example, the Job ID 1002.11 indicates that this is the eleventh instance of the job
whose ID is 1002.
When you click the Job ID, the job details, if available, are displayed.

Job Type

Type of the job.


For example, Inventory Collection, SyslogDefaultPurge, and Net Config Job.

Status

Status of the scheduled jobs that are completed.


The Job states include Succeeded, Failed, Crashed, Cancelled, and Rejected.
The status of the succeeded jobs are displayed in green and the Failed, Crashed,
Cancelled, and Rejected jobs are displayed in red.

Job Description

Description of the job provided by the job creator.


It can contain alphanumeric characters.

Owner

Name of the user who created the job.

Scheduled At

Date and time at which the job is scheduled to run.

Audit Trail Information


In the Audit Trail Information portlet, you can view the details of the changes made to the LMS
application by the user.
You must configure the refresh time in the portlets.
Table 1-9 lists the Audit Trail Information portlet details.
Table 1-9

Audit Trail Information Portlet

Field

Description

User Name

Name of the person who performed the change. This is the name entered
when the person logged in.
It can be the name under which the LMS application is running, or the name
under which the Telnet connection is established.

Application Name

Name of the LMS component involved in the network change. For example,
Change Audit, Device Management, ICServer, NetConfig, and NetShow.

Creation Time

Date and the time at which the changes were performed on the LMS server.

Description

Brief summary of the change that occurred on the LMS server.


You can click the portlet name in the title bar to navigate directly to the Report Generator page.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

1-13

Chapter 1

Overview of Administration

Understanding the System Dashboard

Job Approval
In Job Approval portlet, you can view the list of all jobs.
To configure Job Approval portlet, see Configuring the Job Approval portlet.
Table 1-10 lists the Job Approval portlet details.
Table 1-10

Job Approval Portlet

Field

Description

Job ID

ID of the job that has been given for approval.


The unique number assigned to the job. For periodic jobs such as Daily, Weekly, and so
on, the job IDs are in the number x format. The x represents the number of instances of
the job.
For example, 1001.3, indicates that this is the third instance of the job ID 1001.
Click the Job ID hyperlink to view the job details.

Job Description

Description of the job.

Job Schedule

Date and time for which the job is scheduled.


The Job Approval portlet allows you to approve or reject a job for which you are an approver. A job will
run only if it is approved. If the job is not approved by its scheduled runtime, or if an approver rejects it,
the job is moved to its rejected state and will not run.
For periodic jobs, only one instance of the job needs to be approved. If one instance is approved, all other
instances are also considered as approved.
You are notified by e-mail, when a job approved by you is created.
This portlet enforces the approval process by sending job requests through e-mail to people on the
approved list.
You can click the portlet name in the title bar to navigate directly to the Jobs Pending Approval details
page in LMS.
In the Job Approval portlet, you can view the list of Job details.
You can configure the Job Approval portlet to set the number of records to be displayed in the portlet,
and refresh time both manually and automatically.
Configuring the Job Approval portlet

To configure the Job Approval portlet:


Step 1

Click the Configuration icon. You can:

Step 2

Select the minute and hour from the Refresh Every drop-down list to change the refresh time. The items
in the portlet get refreshed at the changed Refresh frequency.

Step 3

Select the number of records to be displayed in the portlet from the Show Last Records drop-down list.

Step 4

Click Save to view the portlet with the configured settings.

Administration of Cisco Prime LAN Management Solution 4.2

1-14

OL-25947-01

Chapter 1

Overview of Administration
Understanding the System Dashboard

Syslog Collectors Information


Syslog Collectors Information portlet displays the list of remote Syslog collectors subscribed to the LMS
servers. It contains the syslog collector information such as the name of the remote syslog, analyzer
name, status and the number of packets received.
Syslog Collector is a service to receive, filter and forward syslogs to one or more Syslog servers. In this
way the collectors reduces traffic on the network as well as the processing load on the server.
By default you can only view the remote Syslog analyzer name, status and the number of packets
received. However, you can configure the portlet for you to view the other details in the portlet such as
the number of packets that are filtered, invalid, dropped, or forwarded.
Table 1-11 lists the Syslog Collectors Information portlet details.
Table 1-11

Syslog Collectors Information Portlet

Field

Description

Name

Host name or the IP address on which the collector is installed.

Status

Status of the Remote Syslog Collector. For example, whether it is


connected.

Received

Number of packets received.


To configure Syslog Collectors Information:
Step 1

Move the mouse over the title bar of the Syslog Collector

Step 2

Click the configuration icon. You can:

Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The
items in the portlet get refreshed at the changed Refresh frequency.

Select the check box against the type of syslog message (Filtered, Invalid, Dropped, Forwarded) to
view the respective columns in the Syslog Collector portlet.
FilteredNumber of filtered messages. Filters are defined with the option Message Filters

option. See Defining Syslog Message Filters for more information.


InvalidNumber of invalid Syslog messages.
DroppedNumber of Syslog messages dropped.
ForwardedNumber of forwarded Syslog messages.
Step 3

Click Save to view the portlet with the configured settings.

Supported Device Finder Portlet


The Supported Device Finder portlet enables you to view the details of the devices that are supported in
various LMS applications.
By default the Supported Device Finder portlet is added to the System View.
This portlet enables you to:

Locate the supported devices in the LMS applications

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

1-15

Chapter 1

Overview of Administration

Understanding the System Dashboard

Get the latest updates on devices that are supported and those that will be supported in the upcoming
releases.

Raise a request through mail to support a new device that is not supported.

You can search the support of devices added to the DCR using the following search options:

IP Address

Host Name

Device Name

Model Name

SysObjectID

To search using Supported Device Finder portlet:


Step 1

There are three scenarios when the device is not supported:

If the device is not supported in the current installation the following message appears:
The device is not supported, click here for more information.

If the requested device is supported in later releases, and not available with your present installation,
the following message appears:
Not supported in Installed version <<version number>>. Support available in version
<< version number>>

Note

If the device is not currently supported with your existing package, you can install the latest IDU
from Cisco.com to get the device support.
If the requested device is not supported in any releases, the following message appears:
The device is not supported, click here for more information.

Step 2

Click the click here link and a popup box appears:


The popup box has the following information:

Step 3

OK button to raise a request for the unsupported device.

Disclaimer: Please note that all efforts will be made to provide support to this request, however we
are unable to commit to a time-line at this moment.

Links to the latest device updates

Link to the Supported Devices Table

Click OK button to raise a request for the SysObject ID or Model Name. For example, sysobjectId or
Model name.
The SysobjectID or the Model Name appears based on the entries made in the portlet.
The default mail client is launched.
The To field and Subject field has the following address and entries:

To field: lms-dev-supreq@external.cisco.com

Subject field: Request for new Device Support. For example, <<Model name /SysObjectId>>

The body lists the application names.


Step 4

Enter Yes against the respective application names for which device support is required.

Administration of Cisco Prime LAN Management Solution 4.2

1-16

OL-25947-01

Chapter 1

Overview of Administration
Understanding the System Dashboard

Step 5

Click Send to send a request.

IP Address

You can use the IP Address option to search the devices that are supported in the LMS application.
To search using the IP Address:
Step 1

Select the IP Address from the drop-down list.

Step 2

Enter an IP Address in the IP Address field and click Submit.


All applications are displayed, regardless of whether they are installed or not. The supported servers are
also displayed.

If the requested device is supported in the later releases and you have not installed it, the following
support details are displayed:
Supported in LMS 3.2. Click here to download

If the requested devices is in the roadmap of next recent releases, the following supported details
message is displayed.
Support expected by Sept 08.

If the requested device is not supported in any release, the following supported details are displayed.
Click here to send a request to support team.

Host Name

You can use the Host Name option to search the devices that are supported in the LMS applications.
To search using the Host Name:
Step 1

Select the Host Name from the drop-down list.

Step 2

Enter a Host Name in the Host Name field and click Submit.

Note

The valid Host Name characters are A-Z, a-z, 0-9, _.

All LMS functions are displayed. The supported servers are also displayed.
The LMS applications are:

Inventory, Config and Image Management

Network Topology, Layer 2 Services and User Tracking

Fault Management

IPSLA Performance Management

Device Performance Management

For more information on the server supported details, see Step 2 of IP Address.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

1-17

Chapter 1

Overview of Administration

Understanding the System Dashboard

Device Name

You can use the Device Name option to search the devices that are supported in the LMS applications.
To search using the Device Name:
Step 1

Select the Device Name from the drop-down list.

Note
Step 2

The valid Device Name characters are A-Z, a-z, 0-9, _.

Enter a Device Name in the Device Name field and click Submit.
All LMS functions are displayed. The supported servers are also displayed.
For more information on the server supported details, see Step 2 of IP Address.

SysObjectID

You can use the SysObjectID option to search the devices that are supported in the LMS application.
To search using the SysObjectID:
Step 1

Select the SysObjectID from the drop-down list.

Step 2

Enter a SysObjectID in the SysObjectID field and click Submit.


All LMS functions are displayed, regardless of whether they are installed or not. The supported servers
are also displayed.
For more information on the server supported details, see Step 2 of IP Address.

Model Name

You can use the Model Name option to search the devices that are supported in the LMS application.
To search using the Model Name:
Step 1

Select the Model Name from the drop-down list.

Step 2

Enter a Model Name in the Model Name field and click Submit.
All LMS functions are displayed. The supported servers are also displayed.
For more information on the server supported details, see Step 2 of IP Address.

Note

You can also use a wildcard search, (*), to search for the model name.

VRF Collector Summary


In the VRF Collector Summary portlet, you can view details of the VRF collection, number of VRFs
discovered, number of VRF-supported and VRF-capable devices.

Administration of Cisco Prime LAN Management Solution 4.2

1-18

OL-25947-01

Chapter 1

Overview of Administration
Understanding the System Dashboard

Table 1-12 lists the VRF process summary portlet details.


Table 1-12

VRF Process Summary Portlet

Field

Description

VRF Collector Status

Status of the VRF Collector. The two states are:

RunningIndicates that the VRF collector is running.

IdleIndicates that the VRF collector is not running.

VRF Collector Last Completion Time

Indicates the time when the VRF collection is completed.

Total VRFs Discovered

Total number of VRFs discovered. Click the number to launch the Virtual Network
Manager Report.

VRF Supported Devices [H/W and S/W


Supported]

Number of VRF-supported devices. These devices have both VRF-supported


hardware and software. Click the number to launch the VRF Readiness report.

VRF Capable Devices [H/W Supported, Number of VRF-capable devices. These devices have VRF-supported hardware but
S/W Update Required]
these devices do not have the supported IOS image for VRF. Click the number to
launch the VRF Readiness report.

Collection Summary Portlet


In the Collection Summary portlet, you can view details of the different collectors in LMS.
Table 1-13 lists the Collection Summary portlet details.
Table 1-13

Collection Summary Portlet

Field

Description

Collector Name

Name of the Collector. The various collectors in LMS are:

Succeeded

Inventory Collection

Config Archive

EnergyWise Collection

Device Discovery

Fault Discovery

Topology Data Collection

UT Major Acquisition

VRF Collection

Indicates if the respective collection has completed successfully.


Note

In Inventory Collection, Succedded will give the count of devices that


were successfully inventory collected at least once. In Config Archive,
partial success state devices will not be shown in Succeeded or Failed
columns.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

1-19

Chapter 1

Overview of Administration

Understanding the System Dashboard

Table 1-13

Collection Summary Portlet (continued)

Field

Description

Failed

Indicates if the respective collection has failed.


In Inventory Collection, Failed will give the count of devices that are
recently failed. A device which was previously successfully inventory
collected and recently failed will have entry in both the columns. We
should not compare this with DCR device count.

Note

Last Completion Time

Indicates the time when the collection is completed.

Current Status

Status of the Collector. The two states are:

Schedule

RunningIndicates that the collector is running.

IdleIndicates that the collector is not running.

Click the Schedule link next to the respective collector to launch the corresponding
page. You can now schedule the collector.
To configure this portlet:
Step 1

Move the mouse over the title bar of the Collection Summary Portlet.

Step 2

Click the configuration icon.

Step 3

Select the Auto Refresh check box.

Step 4

Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The items
in the portlet get refreshed at the changed Refresh frequency.

Step 5

Click Save to view the portlet with the configured settings.

Note

The data in the above portlets is not populated based on device-level or user-level authorization.
Role-based access control is not applicable to the portlets.

Note

From LMS 4.2.2, the Collection Summary Portlet page will display the total number of managed devices
in LMS server. The customer can view the detailed list of the devices managed by the LMS server by
clicking the Managed Device count link on the Collection Summary Portlet page.

Administration of Cisco Prime LAN Management Solution 4.2

1-20

OL-25947-01

CH A P T E R

Setting up Security
LMS 4.2 provides security mechanisms that help to prevent unauthenticated access to LMS server, LMS
applications, and data. LMS provides features for managing security while operating in single-server and
multi-server modes.
You can specify the user authentication mode using the Authentication Mode Setup.
This chapter explains the following:

Managing Security in Single-Server Mode

Managing Security in Multi-Server Mode

Setting up the Authentication Mode

Managing Roles

Managing Cisco.com Connection

Support Settings

Managing Security in Single-Server Mode


You can configure the following in Single-Server mode:

Browser-Server Security Mode Setup: LMS 4.2 Server uses Secure Socket Layer encryption to
provide secure access between the client browser and management server and also among the
management server and the devices. You can enable or disable SSL depending on your need to use
secure access between the client browser and management server.

Local User Policy Setup: Set up username and password policies for local users using this option.

Local User Setup: Edit user settings, add users and assign roles, modify your profile and delete a
user, or view a users settings using this option.

Self Signed Certificate Setup: Create self-signed certificates that can enable SSL connections
between the client browser and the management server.

You can set up browser-server security, add and modify users, and create self signed certificate using the
features that come under Single-Server Management in the Security Settings user interface.
The Single-Server Management page displays the mode of server security and the information on self
signed certificate.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-1

Chapter 2

Setting up Security

Managing Security in Single-Server Mode

To open the Single-Server Management page:


Step 1

Select Admin > Trust Management > Local Server


The Browser-Server Security Mode Setup page appears.

Step 2

Click Single-Server Management in TOC.


The Single-Server Management page displays the mode of server security and the information on self
signed certificate.

This section contains the following:

Setting up Browser-Server Security

Setting up Local User Policy

Setting up Local Users

Creating Self Signed Certificates

Setting up Browser-Server Security


LMS provides secure access between the client browser and management server. It does this using SSL
(Secure Socket Layer).
SSL encrypts the transmission channel between the client, and server. LMS provides secure access
between the client browser, and management server.
SSL is an application-level protocol that enables secure transactions of data through privacy,
authentication, and data integrity. It relies upon certificates, public keys, and private keys.
You can enable SSL if you want to open the LMS application in secure mode. If you want to open the
LMS application in non-secure mode (http), you can disable SSL. The login pages always open in SSL
mode, irrespective of the Browser-Server security mode.
LMS Server uses certificates for authenticating secure access between the client browser and the
management server. To enable SSL from the client browser, you must have the necessary security
certificates on your computer. See Creating Self Signed Certificates for more information.
You can enable or disable the Browser Server Security using LMS Server GUI or Command Line
Interface CLI.
This section has the following:

Enabling Browser-Server Security From the LMS Server

Disabling Browser-Server Security From the LMS Server

Administration of Cisco Prime LAN Management Solution 4.2

2-2

OL-25947-01

Chapter 2

Setting up Security
Managing Security in Single-Server Mode

Enabling Browser-Server Security From the LMS Server


To enable Browser-Server Security:
Step 1

Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup.
The Browser-Server Security Mode Setup dialog box appears.

Step 2

Select the Enable option to enable SSL.

Step 3

Click Apply.

Step 4

Log out from your Cisco Prime session and close all browser sessions.

Step 5

Restart the Daemon Manager from the LMS Server CLI:


On Windows:
a.

Enter net stop crmdmgtd

b.

Enter net start crmdmgtd

On Solaris/Soft Appliance:

Step 6

a.

Enter /etc/init.d/dmgtd stop

b.

Enter /etc/init.d/dmgtd start

Restart the browser and the Cisco Prime session.


When you restart the Cisco Prime session after enabling SSL, you must enter the URL with the following
changes:

The URL should begin with https instead of http to indicate secure connection. Cisco Prime will
automatically redirect you to HTTPS mode if SSL is enabled.

Change the port number suffix from 1741 to 443.

If you do not make the above changes, LMS Server will automatically redirect you to https mode with
port number 443. The port numbers mentioned above are applicable for LMS Server running on
Windows.
On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a
different port during LMS Server installation.

Disabling Browser-Server Security From the LMS Server


To disable Browser-Server Security:
Step 1

Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup.
The Browser-Server Security Mode Setup dialog box appears.

Step 2

Select the Disable option to disable SSL.

Step 3

Click Apply.

Step 4

Log out from your Cisco Prime session, and close all browser sessions.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-3

Chapter 2

Setting up Security

Managing Security in Single-Server Mode

Step 5

Restart the Daemon Manager from the LMS Server CLI:


On Windows:
a.

Enter net stop crmdmgtd

b.

Enter net start crmdmgtd

On Solaris/Soft Appliance:

Step 6

a.

Enter /etc/init.d/dmgtd stop

b.

Enter /etc/init.d/dmgtd start

Restart the browser, and the Cisco Prime session.


When you restart the Cisco Prime session after disabling SSL, you must enter the URL with the
following changes:

The URL should begin with http instead of https to indicate that connection is not secure.

Change the port number suffix from 443 to 1741.

The port numbers mentioned above are applicable for LMS Server running on Windows.
On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a
different port during LMS Server installation.

Setting up Local User Policy


You can setup username and password policies for Local Authentication users in LMS.
With the new local user policy, you can:

Start the local username with a number

Include special characters in local username

Specify the length of local username

Specify the length of local user password

Include at least characters from lowercase, uppercase, digits and special characters in password.

The password should not be:

Same as the username, or the username in reverse

Have the same character repeated three times, in sequence

A variant of the word Cisco

You can apply only one local user policy at a time.


You cannot define policies for each local user. The local user policy you set up applies to all users
including the administrative users.
The local usernames that begin with numbers and contain special characters are not subject to the
security limitations of authentication and authorization in LMS Servers integrated with pluggable
authentication modules such as Active Directory.

Administration of Cisco Prime LAN Management Solution 4.2

2-4

OL-25947-01

Chapter 2

Setting up Security
Managing Security in Single-Server Mode

To set up local user policies:


Step 1

Select Admin > System > User Management > Local User Policy Setup.
The Local User Policy Setup page appears.

Step 2

Select Allow Special Characters in username to allow special characters in the username.
You can include the following special characters in the username:
Special Character

Description

Tilde

Commercial At character

Number sign

Underscore

'

Apostrophe

Hyphen

Solidus or Leading slash

Trailing slash

Period

space

Non-breaking space

Note

Step 3

You can add the special characters including hyphen and period in local username only when
you have selected this check box. You cannot start a local username with special characters
except _ (Underscore).

Select Allow Username to start with numbers to allow the first character of a local username to be a
numeral.
You can enter any number between 0 to 9 in the username as the first character if you have enabled this
option.

Step 4

Enter the minimum and maximum length of username of local users.


The default minimum length is 5 characters and the default maximum length is 256 characters.
You can enter any number between 1 and 256 in the minimum and maximum fields.
Ensure that you do not enter a number in minimum username length field that is greater than the number
in maximum username length field.

Step 5

Enter the minimum and maximum length of password of local users.


The default minimum length is 5 characters and the default maximum length is 256 characters.
You can enter any number between 1 and 256 in the minimum and maximum fields.
Ensure that you do not enter a number in minimum password length field that is greater than the number
in maximum password length field.

Step 6

Click Apply to save the changes.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-5

Chapter 2

Setting up Security

Managing Security in Single-Server Mode

Setting up Local Users


Local User Setup feature helps you to:

Import users

Export users

Modify your profile

Add a local user

Edit user profiles

Delete local users

You can also set up local users and reset Cisco Prime password through CLI.
This section explains:

About User Accounts

Understanding Security Levels

Importing and Exporting Local Users

Importing Local Users Using CLI

Importing Users From ACS

Adding and Modifying a Local User

Adding Local Users Using CLI

Assigning Roles on NDG Basis

Modifying Your Profile

About User Accounts


Several Cisco Prime network management and application management operations are potentially
disruptive to the network, or to the applications themselves, and must be protected.
To prevent such operations from being used accidentally or maliciously, Cisco Prime uses a multi-level
security system that allows access only to certain features, to users who can authenticate themselves at
the appropriate level.
LMS provides two predefined login IDs for which the password is specified during installation:

guestAfter authentication and authorization, user will have the default role. After a fresh
installation, the default role is Help Desk. You can change the default roles, see Managing Roles for
more information.

adminThis login provides the user access to all Cisco Prime tasks.

However, as an administrator, you can create additional unique login IDs for users in your company.

Note

The LMS Server Administrator can set the passwords for admin and guest users during installation.
Contact the LMS Server Administrator if you do not know the password for admin.

Administration of Cisco Prime LAN Management Solution 4.2

2-6

OL-25947-01

Chapter 2

Setting up Security
Managing Security in Single-Server Mode

Understanding Security Levels


System administrators determine user security levels when users are granted access to Cisco Prime.
When users are granted logins to the Cisco Prime application, they are assigned one or more roles.
A role is a collection of privileges that dictate the type of system access you have. A privilege is a task
or operation defined within the application. The set of privileges assigned to you, defines your role and
dictates how much and what type of system access you have.
The user role or combination of roles, dictates the tasks that are presented to the users. For information
on tasks that can be performed with each role, see Permissions Report (Reports > System > Users >
Permission). See also About Cisco Prime Pluggable Authentication. Other roles are displayed,
depending on your applications.

Importing and Exporting Local Users


You can import local users from the client. If you want to import local users to the local server from a
remote LMS Server, you must first import the file from the remote server to the client and then use the
import function from the LMS UI.

Note

When you import local users, if there are no roles associated with the users, the default role will be
associated with them.
You can also export the local users to an output file.
You can import local users from the client through CLI. See, Importing Local Users Using CLI for more
information.
You can import local users from ACS through CLI. See, Importing Users From ACS for more
information.
Before you import users from the client, you must install the peer certificate of the remote server in the
local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate for more
information.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-7

Chapter 2

Setting up Security

Managing Security in Single-Server Mode

To import users from a remote server:


Step 1

Select Admin > System > User Management > Local User Setup.
The Local User Setup page appears.

Step 2

You can do one of the following:

Import:
Click Import Users. You can import only files in the XML format.
Click Browse and select a file from the client.
Click Submit. To return to the Local User Setup page, click Cancel.

Export:
Select the users for whom you want to export information. If you want to select all the users,

you can check the check box next to the User field.
Click Export. The files exported are in XML format.

A message appears prompting you to open or save the LMSuserExport.xml file. This file is
saved in the client. Click Cancel to return to the Local User Setup page.

Importing Local Users Using CLI


This feature allows you to import information about local users to the local server, from a remote LMS
Server.
You should have the privileges to import local users from the remote LMS Server through CLI.
Before you import users from a remote server, you should install the peer certificate of the remote server
in the local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate
for more information.
To import users from a remote server, enter the following commands:

NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -import Protocol Hostname Portnumber


Username Password (on Solaris/Soft Appliance)

NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import Protocol Hostname Portnumber


Username Password (on Windows)

where,

Protocol Protocol of the remote LMS Server.


The supported values are HTTP or HTTPS.

Hostname Hostname or IP address of the remote LMS Server.

Portnumber Port Number of the remote LMS Server.

Username Remote LMS Server login Username.

Password Remote LMS Server login Password.

For example, enter the following command to import the local users from the remote LMS Server
lmsdocpc:
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin

Administration of Cisco Prime LAN Management Solution 4.2

2-8

OL-25947-01

Chapter 2

Setting up Security
Managing Security in Single-Server Mode

Importing Users From ACS


To import users from ACS through CLI, enter the following commands:

NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -importFromAcs Filename Password (on


Solaris/Soft Appliance)

NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -importFromAcs Filename Password (on


Windows)

where,

Filename Output of executing CSUtil.exe.

Password Default password assigned to all the importing users.

To execute CSUtil.exe follow the steps below:


Step 1

Go to Start > Run in the ACS server.

Step 2

Enter services.msc in the Run command and click OK


It will list all the services registered.

Step 3

Select CSAuth and right click to get the Stop option.

Step 4

Click Stop to stop the CSAuth service

Step 5

Execute the command <ACS install directory>/bin/CSUtil.exe -q -d <output file> from CLI.
The output file which we got by running the CSUtil.exe should be given as the input while importing
users.

Log Files

The information on the users added or imported into the LMS Server is stored in the following files,
when you use the import local user CLI commands:

/var/adm/CSCOpx/log/AddUser.log (on Solaris/Soft Appliance)

NMSROOT\log\AddUser.log (on Windows)

The AddUser.log file registers the information on the number of users added or imported into LMS
Server, number of duplicate users, error messages, and other information that you can use for
troubleshooting.

Adding and Modifying a Local User


You can add more users into Cisco Prime as required.
You can add only one user at a time through the user interface. See Adding Local Users Using CLI for
adding bulk users. You can delete Stale Users From Cisco Prime LMS Portal. See Deleting Stale Users
From LMS Portal for more details.
To add or edit a user:
Step 1

Select Admin > System > User Management > Local User Setup.
The Local User Setup page appears.

Step 2

Click Add or Edit.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-9

Chapter 2

Setting up Security

Managing Security in Single-Server Mode

The User Information dialog box appears with the following fields:
Field

Description

Username

Enter the username. The value is case-insensitive.


You can control the length of the username, start the username with a
number, or include special characters in the local username.
To do this, you must set up the username and password policy in the Local
User Policy Setup page. See Setting up Local User Policy for information.

Password

Enter the password.


You can control the length of the password when you set up policies for local
users. See Setting up Local User Policy for information.

Verify Password

Re-enter the password.

E-mail

Enter the e-mail ID. This is mandatory if you assign the approver role to the
local user. Otherwise, this is optional.

Authorization Type

Select the radio button corresponding to the authorization type. You can
choose from:

Full AuthorizationSelect this radio button to enable full authorization


to the user.

Enable Task AuthorizationSelect this radio button to enable a role, and


the privileges and tasks associated with the roles, to the user.
After you select this option, you have to select the desired role from the
list of Roles. This is applicable for all devices.

Enable Device AuthorizationSelect this radio button to enable


authorization to device groups.
After you select this option, you have to:
Select the device group from the Device Group.
Select the role you want to associate with the device group. The user

group can perform the tasks that are assigned to the chosen roles on
the chosen device groups.
Roles

Select the check box corresponding to the role to specify the roles to be
assigned to the user from the Roles pane. The user group can perform the
tasks that are assigned to the chosen role on all devices and device groups.
The following roles are available:

Help Desk

Approver

Network Operator

Network Administrator

System Administrator

Super Admin

Network Level Login


Credentials

Enter the network device login credentials for LMS to communicate with the
network devices.

Username

Enter the username.

Administration of Cisco Prime LAN Management Solution 4.2

2-10

OL-25947-01

Chapter 2

Setting up Security
Managing Security in Single-Server Mode

Step 3

Field

Description

Password

Enter the password.

Verify Password

Re-enter the password.

Enable Password

Enter the enable password.

Verify Password

Re-enter the enable password.

Click OK. To return to the Local User Setup page, click Cancel.

Adding Local Users Using CLI


You can add bulk local users through CLI. This feature allows you to specify a file that has the
information about the local users as an input. The input file you use should be a plain text file.

Note

You can use this CLI command for both system and user-defined roles.
Each local user information should be represented in the following format in the text file:
Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword
where,

Username Local username. The local username is case-insensitive.

Password Password for the local user account name.


You can leave this field blank in the text file and enter the password in the command line when you
run the CLI utility.
Note that you should enter the password either in the command line or in the input text file. If you
mention the password in both the places, the local user will be added with the password specified in
the command line. On adding the user by giving password in the command line prompt, default role
will be assigned to the user if the role is missing in the input file.

E-mail E-mail address of the local user.


This is mandatory if you assign the approver role to the local user. Otherwise, this is optional.

Roles Roles to be assigned to the local user. You should assign one or more of the following roles
to the user separated by comma.
Help Desk
Approver
System Administrator
Network Administrator
Network Operator
Super Admin

DeviceUnameDevice login username

DevicePasswordDevice login password

DeviceEnPassword Device enable password.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-11

Chapter 2

Setting up Security

Managing Security in Single-Server Mode

The following is an example of local user information to be represented in the input text file:
admin123:admin123:admin123@cisco.com:Help Desk,System
Administrator:admin:roZes123:roZes

To add local users through CLI, enter the following commands:

NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -add Filename Password (on Solaris/Soft


Appliance)

NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -add Filename Password (on Windows)

where,

Filename Absolute path of the filename containing local users information.

Password Common password for all user accounts specified in the input text file.
This command line parameter is optional if you have specified the passwords for local users in the
input text file. Note that you should enter the password either in the command line or in the input
text file.
If you specify this parameter, the local users are added to Cisco Prime only with this password
irrespective of the password entries specified in the input text file.

For example, enter the following command to add local users mentioned in the input file localuser.txt
with the password admin:
C:\progra~1\CSCOpx\bin\perl C:\progra~1\CSCOpx\bin\AddUserCli.pl -add
C:\files\localuser.txt admin

Log Files

The user information added or imported into the LMS Server is stored in the following files, when you
use the import local user CLI command:

/var/adm/CSCOpx/log/AddUser.log (on Solaris/Soft Appliance)

NMSROOT\log\AddUser.log (on Windows)

The AddUser.log file registers the information on the number of users added or imported into LMS
Server, number of duplicate users, error messages and other information that you can use for
troubleshooting.
Deleting Stale Users From LMS Portal

This section describes how to delete stale users from LMS Portal.
When you delete the user names from Cisco Prime Common Services application, they are deleted only
from the Common Services database and not from LMS Portal database.
The usernames remain in LMS Portal as stale users.

Administration of Cisco Prime LAN Management Solution 4.2

2-12

OL-25947-01

Chapter 2

Setting up Security
Managing Security in Single-Server Mode

To delete stale users from LMS Portal:


Step 1

Go to the following link:


http://server-name:portno/cwportal/c/portal/StaleUserDeletion.

Step 2

In the URL, enter a server name and launch the URL in the browser window.
The Portal Stale User Deletion page is displayed.

Step 3

Click the Delete Stale Users button.


The stale users are deleted from the Portal database.

Assigning Roles on NDG Basis


You can choose to assign any number of role and device group combinations for a selected user or user
group to operate on Network Device Groups.
You should note the following to assign roles on a NDG basis:

If you have assigned a Network Device Group to your AAA client (LMS Server and network
devices), you must assign that device group to a role.
You cannot have role and device group combinations assigned to a user without assigning the
Network Device Group to your AAA client.

You can assign only one role to a user, to operate on an NDG.

If a user requires privileges other than those associated with the current role, to operate on an NDG,
a custom role should be created. All necessary privileges to enable the user to operate on the NDG
should be given to this role.
For example, if a user needs to have Approver and Network Operator privileges to operate on
NDG1, you can create a new custom role with Network Operator and Approver privileges, and
assign the role to the user to operate on NDG1.

You cannot assign roles to the DEFAULT device group. When the DEFAULT (unassigned device
group) is selected, you can perform only the Help Desk role, irrespective of the roles chosen.
To assign the proper role, the network access server (NAS) should be added to device groups other
than DEFAULT.

Modifying Your Profile


To edit your profile:
Step 1

Select Admin > System > User Management > Local User Setup.
The Local User Setup page appears.

Step 2

Click Modify My Profile to modify the credentials of the logged in user and the network device login
credentials.

Step 3

Enter the user login details like username, password, and e-mail address.
The E-mail field is mandatory if you assign the approver role to the local user, otherwise, this is optional.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-13

Chapter 2

Setting up Security

Managing Security in Single-Server Mode

Step 4

Enter the network device login credentials for LMS to communicate with the network devices.
Enter the values for username, password, and enable password.

Step 5

Click OK. To return to the Local User Setup page without saving the modifications, click Cancel.

Creating Self Signed Certificates


Cisco Prime allows you to create security certificates that enable SSL communication between your
client browser and management server.
Self signed certificates are valid for five years from the date of creation. When the certificate expires,
the browser prompts you to install the certificate again from the server where you have installed Cisco
Prime.

Note

If you regenerate the certificate, when you are in multi-server mode, existing peer relations might break.
The peers need to re-import the certificate in this scenario.
This section explains the following:

Creating a Self Signed Certificate From the User Interface

Working With Third Party Security Certificates

Administration of Cisco Prime LAN Management Solution 4.2

2-14

OL-25947-01

Chapter 2

Setting up Security
Managing Security in Single-Server Mode

Creating a Self Signed Certificate From the User Interface


To create a certificate from the user interface:
Step 1

Select Admin > Trust Management > Local Server > Certificate Setup.
The Certificate Setup page appears.

Step 2

Enter the values required for the fields described in the following table:
Field

Usage Notes

Country Name

Two character country code.

State or Province

Two character state or province code or the complete name of the


state or province.

City

Two character city or town code or the complete name of the city or
town.

Organization Name

Complete name of your organization or an abbreviation.

Organization Unit Name

Complete name of your department or an abbreviation.

Server Name

DNS name, IP Address, or hostname of the computer.


Enter the server name with a proper and resolvable domain name.
This is displayed on your certificate (whether self-signed or third
party issued). Local host or 127.0.0.1 should not be given.

Email Address
Step 3

E-mail address to which the mail has to be sent.

Click Apply to create the certificate.


The process generates the following files:

server.keyPrivate key of the server.

server.crtSelf- signed certificate of the server.

server.pk8Private key of the server in PKCS#8 format.

server.csrCertificate Signing Request (CSR) file.

You can use the CSR file to request a security certificate, if you want to use a third party security
certificate.
If the certificate is not a Self signed certificate, you cannot modify it.
To return to the Cisco Prime home page, click Cancel.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-15

Chapter 2

Setting up Security

Managing Security in Multi-Server Mode

Working With Third Party Security Certificates


Cisco Prime provides an option to use security certificates issued by third party certificate authorities
(CAs). You may want to use this option in cases where your organizational policy prevents you from
using Cisco Prime self-signed certificates or requires you to use security certificates obtained from a
particular CA.
You can use these certificates to enable SSL when you need secure access between LMS Server and your
client browser.
You can upload Third Party Security Certificates using the SSL Utility Script. See Working With Third
Party Security Certificates.

Managing Security in Multi-Server Mode


Communication among peer servers that are part of a multi-server domain has to be secure. In
multi-server mode the server is configured as DCR Master/Slave or Single Sign-On Master/Slave. In a
multi-server scenario, secure communication between peer LMS Servers is enabled using certificates
and shared secrets.
You must copy certificates between the LMS Servers. You should also generate a shared secret on one
server, and configure it on the other servers that need to communicate with the server. The shared secret
is tied to a particular Cisco Prime user (for authorization).
You can configure the following in Multi-Server mode:

Peer Server Account Setup: Helps you create users who can log into LMS Servers and perform
certain tasks. These users should be set up to enable communication among multiple LMS Servers.

System Identity Setup: Enables communication among multiple LMS Servers based on a trust model
addressed by Certificates and shared secrets. System Identity setup should be used to create a trust
user on slave or regular servers for communication to happen in multi-server scenarios.

Peer Server Certificate Setup: Adds the certificate of another LMS Server into its trusted store. This
allows LMS Servers to communicate with one another using SSL.

Single Sign-On Setup: Enables you to use your browser session to transparently navigate to multiple
LMS Servers without authenticating to each server.

The Current Multi-Server Settings page displays the mode of server security and the information on self
signed certificate.
To open the Current Multi-Server Settings page:
Step 1

Select Admin > Trust Management > Multi Server.

Step 2

Click Current Multi-Server Setting in TOC.


The Current Multi-Server Settings page displays the Single Sign-On details.

Administration of Cisco Prime LAN Management Solution 4.2

2-16

OL-25947-01

Chapter 2

Setting up Security
Managing Security in Multi-Server Mode

This section has the following information that helps you to understand better, the features that enable
secure communication between peer servers in a multi-server domain:
This section contains:

Setting up Peer Server Account

Setting up System Identity Account

Setting up Peer Server Certificate

Enabling Single Sign-On

Setting up Peer Server Account


Peer Server Account Setup helps you create users who can login to LMS Servers and perform certain
tasks. These users should be set up to enable communication among multiple LMS Servers. Users
created using Peer Server Account Setup can authenticate processes running on remote LMS Servers.
You can add a Peer Server user, edit user information and role, and delete a user.
To add a Peer Server user:
Step 1

Select Admin > Trust Management > Multi Server > Peer Server Account Setup.
The Peer Server Account Setup page appears.

Step 2

Click Add.
The Peer Server Account Setup page appears.

Step 3

Enter the username in the Username field.

Step 4

Enter the password in the Password field.

Step 5

Re-enter the password in the Verify field.

Step 6

Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.

To edit Peer Server user information:


Step 1

Select Admin > Trust Management > Multi Server > Peer Server Account Setup.

Step 2

Click Edit.
The Peer Server Account Setup page appears.

Step 3

Enter the password in the Password field.

Step 4

Re-enter the password in the Verify field.

Step 5

Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-17

Chapter 2

Setting up Security

Managing Security in Multi-Server Mode

To delete a Peer Server user:


Step 1

Select Admin > Trust Management > Multi Server > Peer Server Account Setup.
The Peer Server Account Setup page appears.

Step 2

Select the check box corresponding to the user you want to delete.

Step 3

Click Delete.
The confirmation dialog box appears.

Step 4

Click OK to confirm. To return to the Peer Server Account Setup page without saving the changes, click
Cancel.

Setting up System Identity Account


Communication between multiple LMS Servers is enabled based on a trust model addressed by
certificates and shared secrets. System Identity setup helps you to create a trust user on servers that are
part of a multi-server setup. This user enables communication among servers that are part of a domain.
There can be only one System Identity User for each machine.
The System Identity User you configure must be a Peer Server User. The System Identity User you create
must be a local user with all privileges.
You can either configure the System Identity User with the predefined Super Admin role or with a
custom role created with all privileges. If you change the System Identity User later, you must ensure
that you add the local user with all privileges in Cisco Prime.
Cisco Prime installation program allows you to have the admin user configured as the default System
Identity User.
For the admin user to work as a System Identity User, the same password should be configured on all
machines that are part of the domain, while installing Cisco Prime on the machines part of that domain.
If this is done, the user admin serves the purpose of System Identity user. See Installing and Migrating
to Cisco Prime LAN Management Solution 4.2 for details.
If you create a System Identity User, the default System Identity User, admin, is replaced by the newly
created user.
While you create the System Identity User, LMS checks whether:

The user is a Local User with all privileges. If the user is not present, or if the user does not have all
privileges, an error message appears.

The System Identity User is also a Peer Server User. If not, the user will be made a Peer Server User.

For peer to peer communication to work in a multi-server domain, you have to configure the same
System Identity User on all the machines that are part of the domain.
For example, if S1, S2, S3, S4 are part of a domain, and you configure a new System Identity User, say
Joe, on S1, you have to configure the same user, Joe, with the same password you specified on S1, on
all the other servers, S2, S3, and S4, to enable communication between them.
See Master-Slave Configuration Prerequisites and Enabling Single Sign-On to know more on the usage
of this features.

Administration of Cisco Prime LAN Management Solution 4.2

2-18

OL-25947-01

Chapter 2

Setting up Security
Managing Security in Multi-Server Mode

To add a System Identity user:


Step 1

Select Admin > Trust Management > Multi Server > System Identity Setup

Step 2

Enter the username in the Username field.

Step 3

Enter the password in the Password field.

Step 4

Re-enter the password in the Verify field.

Step 5

Click Apply.
Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and
authenticity between Master and Slave.
The System Identity User password you specify in Master and Slave should be the same.
We recommend that you have the same user name and password across Master and Slave.

Setting up Peer Server Certificate


You can add the certificate of another LMS Server into its trusted store. This will allow one LMS Server
to communicate with another using SSL. If a LMS Server needs to communicate with another LMS
Server, it must possess the certificate of the other server. You can add certificates of any number of peer
LMS Servers to the trusted store of each server.
You must add peer server certificates if LMS Servers are configured with Self-Signed Certificates. If the
certificates have been signed by popular CAs such as Verisign, and GlobalSign. this is not compulsory.
However we recommend that you add peer server certificates to avoid any possible problems with SSL
communication.
You can setup peer server certificates from the client browser and from a browser session on the server
where LMS Server is installed.
Ensure that there are no mismatches in the date and time settings between the servers. In case you find
any date or time mismatch, you need to correct it before proceeding.
If you change the date or time of the peer server, you must regenerate the self signed certificate of the
peer server.
To add peer LMS Server certificates:
Step 1

Select Admin > Trust Management > Multi Server > Peer Server Certificate Setup.
The Peer Server Certificate page appears with a list of certificates imported from other servers.

Step 2

Click Add.

Step 3

Enter the IP address/hostname of peer LMS Server in the corresponding fields.


If you specify a server name, it must be entered in DNS. Otherwise specify the IP Address.

Step 4

Enter the value of the SSL (HTTPS) Port of the peer LMS Server. The default SSL(HTTPS) Port of the
peer LMS Server is 443.

Step 5

Click OK. To return to the Peer Server Certificate page, click Cancel.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-19

Chapter 2

Setting up Security

Managing Security in Multi-Server Mode

To delete peer certificates:


Step 1

Select the check box corresponding to the certificate you want to delete.

Step 2

Click Delete.
The confirmation dialog box appears.

Step 3

Click OK to confirm. To return to the Peer Server Certificate page, click Cancel.

You can also view the details of the client certificates. For this, select the check box corresponding to
the certificate and click View.

Enabling Single Sign-On


With Single Sign-On (SSO), you can use your browser session to transparently navigate to multiple LMS
Servers without authenticating to each of them. Communication among multiple LMS Servers is enabled
based on a trust model addressed by Certificates and shared secrets.
This section explains:

Single Sign-On Setup

Navigating Through the Single Sign-On Domain

Changing the Single Sign-On Mode

Single Sign-On Setup


The following tasks need to be done initially:

One of the LMS Servers should be set up as the Authentication Server (AS).

Trust should be built between the LMS Servers, using self signed certificates. A trusted certificate
is created by adding it in the trust key store of the server. Cisco Prime TrustStore or KeyStore is
maintained by the certificate management framework in LMS.

Each LMS Server should setup a shared secret with the authentication server. The System Identity
user password acts as a secret key for Single Sign-On.

The Single Sign-On Authentication Server is called the Master, and the Single Sign-On Regular Server
(RS) is called the Slave.
You must perform the following tasks if the server is configured either as Master or as Slave:

Configure the System Identity User and password in both Master and Slave. The System Identity
User name and password you specify in Master and Slave should be the same.

Configure the Master Self Signed Certificate in Slave.

Single Sign-On uses System Identity user password as the secret key to provide confidentiality and
authenticity between Master and Slave. We recommend that you have the same user name and password
for both Master and Slave.
The Common Name (CN) in the certificate should match with that of the Master server name. Otherwise
it would not be considered as a valid certificate.

Administration of Cisco Prime LAN Management Solution 4.2

2-20

OL-25947-01

Chapter 2

Setting up Security
Managing Security in Multi-Server Mode

Single Sign-On is used only for authentication and not for authorization. In Single Sign-On,
authentication always takes place from the Single Sign-On Master server (Authentication Server-AS).
Hence, you need to provide the username and password as configured in Single Sign-On AS.
Authorization happens at the respective servers.
If Regular Server (RS) is configured for any Pluggable Authentication Module (PAM), say Active
Directory (AD), and AS is configured for Local Authentication, then authentication happens as per the
credentials in Local Authentication (AS) and vice versa.
For example, if server A is configured as Single Sign-On Master (AS) and the AAA mode setup is Active
Directory (AD) and Server B is configured as Single Sign-On Slave (RS) and the AAA mode setup is
Local Authentication:
When you login to server B (http://B:1741), your authentication request is forwarded to server A (AS)
and you get authenticated according to the username and password configured in AD. However,
authorization happens only in server B.
The privileges for the logged in user in any server within the Single Sign-On domain will depend upon
the user roles configured in that server. If the user is present only in the Single Sign-On Authentication
Server and not in the Regular Server, then that user gets authenticated according to the credentials in the
authentication server, but has only HelpDesk privileges in the Regular Server.
We recommend that you:

Add the user across all servers within the Single Sign-On domain.

Assign appropriate roles to the user, in each of the LMS Servers.

See Setting up System Identity Account for more information on how to set up System Identity User.
Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and
authenticity between Master and Slave.
The System Identity User password you specify in Master and Slave should be the same.
We recommend that you have the same user name and password across Master and Slave.
To configure the Master Self Signed Certificate in the Slave, select Admin > Trust Management >
Multi Server > Peer Server Certificate Setup.
The Common Name (CN) in the certificate should match with the Master server name. Otherwise, it
would not be considered as a valid certificate.

Navigating Through the Single Sign-On Domain


The Authentication Server and all Regular Servers that are configured on this Authentication Server
forms an Single Sign-On domain. If you login to any of the servers that are part of the same Single
Sign-On domain, you can launch any other server that is part of the domain.
You can navigate through the Single Sign-On domain in two ways:

Registering Server Links

Launching a New Browser Instance

Registering Server Links

You can register the links of the servers part of the Single Sign-On domain, in any of the servers, using
the Link registration feature.
The registered links will appear either under Third Party or Custom tools, depending on what you specify
during registration. If you click on the registered link, it launches the page corresponding to the
registered link.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-21

Chapter 2

Setting up Security

Managing Security in Multi-Server Mode

You must specify the URL, with the context while registering the server link.
For example, let ABC and XYZ be part of the same Single Sign-On domain. You can register the link for
ABC on XYZ. While registering server ABC in XYZ, you have to specify the URL as:
http://ABC:1741/cwhp/cwhp.applications.do

If ABC is running in HTTPS mode, you have to specify the URL as:
https://ABC:443/cwhp/cwhp.applications.do

In the above example, clicking on the registered link will launch the Cisco Prime home page of server
ABC.
Launching a New Browser Instance

After logging into any of the servers that are part of the Single Sign-On domain, you can open a new
browser instance from that server, and provide the URL of any other server of the Single Sign-On
domain, to which you need to navigate.

Note

We recommend that you do not use the IP address of the servers that are part of Single Sign-On or
localhost, while specifying the URL.
For example, suppose ABC and XYZ are part of an Single Sign-On domain.

Step 1

Login to ABC.

Step 2

Launch a new browser instance (File > New > Window, in Internet Explorer) from the same browser
window.

Step 3

Enter the URL, with the context (http://XYZ:1741/cwhp/cwhp.applications.do) of XYZ in the new
browser instance.
This launches the Cisco Prime home page of XYZ, directly.

Changing the Single Sign-On Mode


The LMS server can be configured for Single Sign-On. It can also be configured to be in Standalone
mode (Normal mode, without Single Sign-On).
When the server is configured for Single Sign-On, it can either be in:

Master modeThe Single Sign-On Authentication Server does the authentication and sends the
result to the Regular Server.
Change the Single Sign-On mode to Master, if login is required for all Single Sign-On regular
servers. Login requests for all the Single Sign-On regular servers will be served from the Master.

Slave modeSingle Sign-On Regular server for which authentication is done at the Master.
While logging into regular server, if the authentication server is not reachable, the following
message appears:
SSO unreachable

Administration of Cisco Prime LAN Management Solution 4.2

2-22

OL-25947-01

Chapter 2

Setting up Security
Managing Security in Multi-Server Mode

Only one server is configured to be in the Master mode. All other servers are configured as Slaves. If
the server is configured as an Single Sign-On Regular server (Slave), you should provide the following
details:

Master server name


The Master server name must be DNS resolvable. If you change the name of the Single Sign-On
Master server, in the /etc/hosts file, you must restart the Daemon Manager for the name resolution
to reflect in the Slave.
If you have configured more than one Single Sign-On Slave servers for a Single Sign-On Master
server, you must ensure that you enter either the fully qualified domain name or hostname of the
Master consistently in all the Slave servers.
Authentication will not occur if you enter a domain name of the Master in a Single Sign-On Slave
and hostname of the Master in another Single Sign-On Slave of the same Master server.

Login Port of the Master (443)

To change the Single Sign-On mode to Standalone:


Step 1

Select Admin > Trust Management > Multi Server > Single Sign-On Setup.
The Single Sign-On Setup page shows the current Single Sign-On mode.

Step 2

Select Standalone (Normal) radio button.

Step 3

Click Apply. To return to the Cisco Prime home page, click Cancel.

To change the Single Sign-On mode to Master:


Step 1

Select Admin > Trust Management > Multi Server > Single Sign-On Setup.
The Single Sign-On Setup page shows the current Single Sign On mode.

Step 2

Select the Master (SSO Authentication Server) radio button.

Step 3

Click Apply. To return to the Cisco Prime home page, click Cancel.

To change the SSO mode to Slave:


Step 1

Select Admin > Trust Management > Multi Server > Single Sign-On Setup.
The Single Sign-On Setup page shows the current Single Sign-On mode.

Step 2

Select the Slave (SSO Regular Server) radio button.

Step 3

Enter the Master server name and port number.


If you select the Slave mode, ensure that you specify the Master server name and port. The default port
is 443. The server configured as Master (or Authentication Server) should be DNS resolvable.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-23

Chapter 2

Setting up Security

Setting up the Authentication Mode

Step 4

Click Apply.
It checks if:

The System Identity user password of the Slave matches that of the Master.

The Self Signed Certificate of the Master is added as the peer certificate in the Slave. The Common
Name (CN) in the certificate matches with the Master server name.

The Master is up and running on the specified port.

In case any of these checks fail, you are prompted to perform these steps before proceeding.
To return to the Cisco Prime home page, click Cancel.

Setting up the Authentication Mode


Depending on your LMS Server platform (UNIX or Windows), different login modules that provide
Authentication, Authorization, and Accounting services are available. This feature allows you to select
login modules and set their options.
The LMS Server provides mechanisms used to authenticate users for Cisco Prime applications.
However, many network managers already have a means of authenticating users. To use your current
authentication database for Cisco Prime authentication, you can select a login module (TACACS+,
RADIUS, and others).
This section contains the following topics:

Authentication Using Login Modules - Overview

Cisco Secure ACS Support for LMS Applications

Setting the Login Module to Pluggable Authentication Modules

After you select and configure a login module, all authentication transactions are performed by that
module.
To assign a user to a different role, such as the System Admin role, you must configure the user locally.
Such users must have the same user ID locally, as they have in the alternative authentication source.
Users log in with the user ID and password associated with the current login module.

Authentication Using Login Modules - Overview


Cisco Prime login modules allow administrators to add new users using a source of authentication other
than the native LMS Server mechanism (that is, the Local Authentication login module).
This section contains:

About Cisco Prime Pluggable Authentication

Understanding Fallback Options

Debugging

Administration of Cisco Prime LAN Management Solution 4.2

2-24

OL-25947-01

Chapter 2

Setting up Security
Setting up the Authentication Mode

About Cisco Prime Pluggable Authentication

By default, Cisco Prime LMS uses LMS Server authentication (Local Authentication) to authenticate
users, and authorize them to access Cisco Prime LMS.
After authentication, your authorization is based on the privileges that have been assigned to you.
A privilege is a task or an operation defined within the application. The set of privileges assigned to you,
defines your role. It dictates how much, and what type of system access you have.
The LMS Server authorization scheme has the following default or predefined roles. You can also create
user defined roles and assign the user with a set of privileges, that would suit your needs. See Managing
Roles for more information. The predefined roles are listed here in order from the least privileged to
most privileged:

Help Desk Can access network status information only. Can access persisted data on the system
and cannot perform any action on a device, or schedule a job that will reach the network.

Approver Can approve all LMS tasks.

Network Operator Can perform all Help Desk tasks. Can perform tasks related to network data
collection. Cannot perform any task that requires write access on the network.

Network Administrator Can perform all Network Operators tasks. Can perform tasks that result
in a network configuration change.

System Administrator Can perform all Cisco Prime system administration tasks.

Super Admin Can perform all Cisco Prime operations including administration and approval
tasks. By default, this role has full privileges.

The LMS Server determines user roles. Therefore, all users must be in the local database of user IDs and
passwords. Users who are authenticated by an alternative service and who are not in the local database
are assigned to the same role as the guest user (by default, the Help Desk role).
The LMS Server determines user roles. Therefore, all users must be in the local database of user IDs and
passwords. Users who are authenticated by an alternative service and who are not in the local database
are assigned to the same role as the guest user (by default, the Help Desk role).
Understanding Fallback Options

Fallback options allow you to access the software if the login module fails, or you accidentally lock
yourself or others. There are three login module fallback options. These are available on all platforms.
The following table gives you the details:
Option

Description

Allow all Local Authentication users to fallback to All users can access Cisco Prime using the Local
the Local Authentication login.
login if the current login module fails and only if
PAM is unreachable.
Warning

Selecting this option allows local


authentication for users when the
external authentication server is
unreachable.

Only allow the following user to fallback to the


Local Authentication login if preceding login
fails: username.

Specified users can access Cisco Prime using the


Local login if the current login module fails. Use
commas between user names.

Allow no fallbacks to the Local Authentication


login.

No access is allowed if the current login module


fails.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-25

Chapter 2

Setting up Security

Setting up the Authentication Mode

Debugging

Cisco Prime allows you to enable debugging on the current login module so that you have additional
information in the log files that you can use for troubleshooting. Turn debugging on only when requested
to do so by your customer service representative.
Enabling debugging does not alter the behavior of the modules.
Debugging information is not exposed in the user interface, but is stored in the stdout.log file in the
following locations:

NMSROOT/MDC/tomcat/logs/stdout.log (on Solaris/Soft Appliance)

NMSROOT\MDC\tomcat\logs\stdout.log (on Windows)

where NMSROOT is the Cisco Prime installation directory.

Cisco Secure ACS Support for LMS Applications


Cisco Prime LMS supports TACACS+ mode of authentication. To use this mode, you must have a Cisco
Secure ACS (Access Control Server), installed on your network. LMS 4.2 supports the following
versions of Cisco Secure ACS:

Note

Cisco Secure ACS 4.2 for Windows Server

Cisco Secure ACS 5.x for Windows Server

Cisco Secure Appliance 4.2

Cisco Secure Appliance 5.x

Cisco Secure ACS also supports RADIUS mode of authentication.

Setting the Login Module to Pluggable Authentication Modules


The Login Module defines how authorization and authentication are performed and how the login
modules are changed.
This section explains the following:

Changing Login Module to Local Authentication

Changing Login Module to Local Unix System

Changing Login Module to Local NT System

Changing Login Module to MS Active Directory

Changing Login Module to RADIUS

Changing Login Module to TACACS+

To set the login module:


Step 1

Select Admin > System > Authentication Mode Setup.


The Authentication Mode Setup page appears.

Step 2

The Authentication Mode Setup page displays the current login module, and the available login modules.
The available login modules are:

Administration of Cisco Prime LAN Management Solution 4.2

2-26

OL-25947-01

Chapter 2

Setting up Security
Setting up the Authentication Mode

Local Authentication

Local Unix System

Local NT System

MS Active Directory

RADIUS

TACACS+

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-27

Chapter 2

Setting up Security

Setting up the Authentication Mode

The login username is case sensitive when you use the following login modules:

Local Unix System

RADIUS (only on Solaris)

TACACS+ (only on Solaris)

Step 3

Select a login module.

Step 4

Click Change.
The Login Module Options popup window appears.

Step 5

Enter the corresponding login module information.


See the respective login module section for login module options.

Step 6

Click OK. To return to the Authentication Mode Setup page, click Cancel.

Changing Login Module to Local Authentication

To change the login module to Local Authentication:


Step 1

Select Admin > System > Authentication Mode Setup.


The Authentication Mode Setup page appears.

Step 2

Select the Local Authentication radio button.

Step 3

Click Change.
The Login Module Options popup window appears.

Step 4

Set the Debug option to False.


Set it to True for debugging purposes, when requested by your customer service representative.

Step 5

Click OK. To return to the Authentication Mode Setup page, click Cancel.

Changing Login Module to Local Unix System

This option is available only on Unix systems.


To change the login module to Local Unix System:
Step 1

Select Admin > System > Authentication Mode Setup.


The Authentication Mode Setup page appears.

Step 2

Select the Local Unix System radio button.

Step 3

Click Change.
The Login Module Options popup window appears with the following details:
Field

Description

Selected Login Module

Local UNIX System.

Description

Cisco Prime native Solaris module.

Administration of Cisco Prime LAN Management Solution 4.2

2-28

OL-25947-01

Chapter 2

Setting up Security
Setting up the Authentication Mode

Field

Description

Debug

Set to False, by default.


Set to True for debugging purposes, when requested by your customer
service representative.

Login fallback options

Step 4

Set the option for fallback to the Local Authentication module if the
alternative service fails.

Click OK. To return to the Authentication Mode Setup page, click Cancel.

Changing Login Module to Local NT System

This option is available only on Windows


To change the login module to Local NT System:
Step 1

Select Admin > System > Authentication Mode Setup.


The Authentication Mode Setup page appears.

Step 2

Select Local NT System radio button.

Step 3

Click Change.
The Login Module Options popup window appears with the following details:
Field

Description

Selected Login Module

Local NT System.

Description

Cisco Prime native NT login module.

Debug

Set to False, by default.


Set to True for debugging purposes, when requested by your customer
service representative.

Step 4

Domain

Set to localhost.

Login fallback options

Set the option for fallback to the Local Authentication module if the
alternative service fails.

Click OK. To return to the Authentication Mode Setup page, click Cancel.

Changing Login Module to MS Active Directory

The MS Active Directory login module implements Lightweight Directory Access Protocol (LDAP).
Before a user logs in, the user account should be set up in the LDAP server.
When you change the login module to MS Active Directory, you should configure any one of the
following options to integrate LMS Server with Active Directory server for authentication services:

Distinguished Name (DN)


A distinguished name is made up of three parts, Relative Distinguished Name Prefix (RDN-Prefix),
User login, and Usersroot.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-29

Chapter 2

Setting up Security

Setting up the Authentication Mode

You have to configure RDN-Prefix and Usersroot in Cisco Prime. The login name is appended to
RDN-Prefix when the user logs into Cisco Prime.
For example, a distinguished name could be represented as:
cn=User_Name ou=org1 dc=embu dc=cisco. The RDN Prefix is cn=, User login is User_Name, and
Usersroot is ou=org1 dc=embu, dc=cisco.
A Distinguished Name is composed of cn (any numbers), ou (any numbers) and dc (any numbers).
You can specify more than one usersroot value. Each usersroot value should be separated by a
semicolon.

User Principal Name (UPN)


User principal name is composed of two parts, User login and User Principal Name Suffix
(UPN-Suffix).
The User Principal Name suffix configured in Cisco Prime is appended to the login name when the
user logs into Cisco Prime.
The second part of the UPN, the UPN suffix, identifies the domain in which the user account is
located. This UPN suffix can be the DNS name of any domain, or it can be an alternative name
created by an administrator and used just for log in purposes.
For example, a User Principal Name could be represented as user1@mydept.mycompany.com,
where user1 is the login name and @mydept.mycompany.com represents the UPN-Suffix.

Domain name
You should configure the Active Directory domain name in Cisco Prime that contains a set of users
which needs to be integrated, for a domain based authentication.
For example, if you want the users of MyDomain domain in MS Active Directory server to be
authenticated in LMS Server, you should specify MyDomain in this field.
Each domain also has a pre-Windows 2000 domain name for use by computers running operating
systems released earlier than Windows 2000 operating systems. Similarly each user account has a
pre-Windows 2000 user login name.
The user account in the DomainName\UserName format used to log into the operating systems
released earlier than Windows 2000 operating systems is called Security Account Manager (SAM)
account. You can also configure SAM account in the LDAP server and enter the same name in Cisco
Prime when you change the login module to Microsoft Active Directory.

When the Distinguished Name based authentication to Active Directory server fails, Cisco Prime
attempts to authenticate the Active Directory server using the User Principal Name string.
When both the Distinguished Name based authentication and the User Principal Name based
authentication fails, LMS Server tries to authenticate using the Domain name.
To change login module to MS Active Directory:
Step 1

Select Admin > System > Authentication Mode Setup.


The Authentication Mode Setup page appears.

Step 2

Select MS Active Directory radio button.

Step 3

Click Change.

Administration of Cisco Prime LAN Management Solution 4.2

2-30

OL-25947-01

Chapter 2

Setting up Security
Setting up the Authentication Mode

The Login Module Options popup window appears with the following details:
Field

Description

Selected Login Module

Name of the login module (MS Active Directory) you have selected in the
Authentication Mode setup page.

Description

Brief description about the login module you have selected.


For the MS Active Directory login module, the description displayed is
Cisco Prime MS Active Directory module.

Server

Name of the LDAP server.

Usersroot

Default set to ldap://ldap.company.com.


User objects in MS Active Directory.
Default set to cn=users, dc=servername, dc=company, dc=com.
For example, if users in the Active Directory have
ou=myDept, dc=myCompany, dc=com in their Distinguished Name (DN)
strings, you should specify the same in this field to integrate the LMS
Server with the MS Active Directory server.
You can also enter multiple usersroot values separated by semicolon.
For example, you can enter ou=myDept, dc=myCompany, dc=com;
ou=Dept1, ou=Dept2, dc=myCompany, dc=com.
When you integrate your LMS Server with MS Active server, you should
configure this field for a Distinguished Name based authentication.
If you are using Windows 2008 Active Directory, you have to provide the
complete Usersroot information (including cn=Username). This is because
Windows 2008 Active Directory implementation has disabled anonymous
search requests.
Otherwise, if your Active Directory Server allows anonymous binds, you
need to specify only dc=servername, dc=company, dc=com.

RDN-Prefix

String prefixed with login username to form a Relative Distinguished Name


(RDN).
Default is set to cn=.
For example when you have configured this field as cn= and log into the
server as MyUser, the RDN formed is cn=MyUser.
When you integrate your LMS Server with MS Active server, you must
configure this field for a Distinguished Name based authentication.

UPN-Suffix

String suffixed with login username, usually the domain in which the user
account is located to form a User Principal name.
You should configure this field for a UPN based authentication.
For example, if the UPN of Active Directory users who need to be
integrated with Cisco Prime are user1@mydept.mycompany.com,
user2@mydept.mycompany.com, and user3@mydept.mycompany.com, you
should mention @mydept.mycompany.com in this field.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-31

Chapter 2

Setting up Security

Setting up the Authentication Mode

Field

Description

AD-Domain

Active Directory domain.


You should configure this field for a domain based authentication. Users of
the specified domain in MS Active Directory server are authenticated when
you integrate the LMS Server with MS Active Directory server.

Debug

Set to False, by default.


Set to True for debugging purposes, when requested by your customer
service representative.

Login fallback options

Set the option for fallback to the Local Authentication module if the
alternative service fails.
You can set any of the following options:

Allow all Local Authentication users to fallback to the Local


Authentication login.

Allow only the specified users to fallback to the Local Authentication


login.
When you select this option, you should enter one or more Local
Authentication usernames separated by commas.
This is the default login fallback option.

Note

Step 4

Do not allow any fallback to the Local Authentication login.

Important configuration guidelines are listed below:

You must enter a value for at least one of the fields: Usersroot, UPN-Suffix, and AD-Domain. You
cannot leave all the three fields blank.

To allow only particular group of users to log into LMS, do not configure UPN-Suffix, and
AD-Domain.

Click OK. To return to the Authentication Mode Setup page, click Cancel.

After the integration of LMS Server with MS Active Directory server, you can log into LMS Server with
an Active Directory username and the corresponding password.
MS Active Directory server provides authentication services to LMS Server by the default simple
authentication mechanism.
To provide a secure authentication mechanism with DIGEST-MD5 to LMS Server, you should:
Step 1

Edit the Account Options of a user in the MS Active Directory Server and enable the Store password
using reversible encryption option.

Step 2

Reset the password of the user to authenticate properly.

Step 3

Configure the cam.properties file in LMS Server located at NMSRoot/lib/classpath, where NMSRoot is
your Cisco Prime Installation directory.
You must change the following line in the cam.properties file from:

Administration of Cisco Prime LAN Management Solution 4.2

2-32

OL-25947-01

Chapter 2

Setting up Security
Setting up the Authentication Mode

#LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5

to
LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5

If you want the secure authentication mechanism to fallback to simple authentication mechanism, you
must configure the LDAP_FALLBACK_AUTHENTICATION_NEED property.
You must change the following line in the cam.properties file from:
#LDAP_FALLBACK_AUTHENTICATION_NEED=True

to
LDAP_FALLBACK_AUTHENTICATION_NEED=True

Step 4

Save the changes to the cam.properties file.

Note

You need not restart the Daemon Manager.

Digest-MD5 authentication supports only User Principal Name and Security Account Manager user
accounts. You cannot log into LMS Server with the User login name.
Active Directory users who are logged into Cisco Prime, have the privileges of a Help Desk role. To
assign other privileges to Active Directory users, you must set up a user in Cisco Prime with the same
name.
For example, to assign the System Administrator privileges to a MS Active Directory users User1 and
User2 in Cisco Prime, you must set up User1 and User2 in Cisco Prime and assign System Administrator
role to them. When the users log into Cisco Prime, they also have the System Administrator privileges.
Changing Login Module to RADIUS

To change login module to RADIUS:


Step 1

Select Admin > System > Authentication Mode Setup.


The Authentication Mode Setup page appears.

Step 2

Select the RADIUS radio button.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-33

Chapter 2

Setting up Security

Setting up the Authentication Mode

Step 3

Click Change.
The Login Module Options popup window appears with the following details:
Field

Description

Selected Login Module

RADIUS.

Description

Cisco Prime RADIUS module.

Server

Set to module type servername, radius.company.com.

Port

Set to 1645. Attempt to override it only if your authentication


server was configured with a non-default port.

Key

Enter the secret key.

Debug

Set to False, by default.


Set to True for debugging purposes, when requested by your
customer service representative.

Login fallback options

Step 4

Set the option for fallback to the Local Authentication module if


the alternative service fails.

Click OK. To return to the Authentication Mode Setup page, click Cancel.

Changing Login Module to TACACS+

To change login module to TACACS+:


Step 1

Select Admin > System > Authentication Mode Setup.


The Authentication Mode Setup page appears.

Step 2

Select TACACS+ radio button.

Step 3

Click Change.
The Login Module Options popup window appears with the following details:
Field

Description

Selected Login Module

TACACS+.

Description

Cisco Prime TACACS+ login module.

Server

Set to module type tacacs.company.com

Port

Set to 49. The listed port number is the default for this
protocol.
Attempt to override it only if your authentication server was
configured with a non-default port.

Secondary Server

Set to module type tacacs.company.com. This is the secondary


fallback server.

Secondary Port

Set to 49. The listed port number is the default for this
protocol.
Attempt to override it only if your authentication server was
configured with a non-default port.

Administration of Cisco Prime LAN Management Solution 4.2

2-34

OL-25947-01

Chapter 2

Setting up Security
Setting up the Authentication Mode

Field

Description

Tertiary Server

Set to module type tacacs.company.com. This is the tertiary


fallback server.

Tertiary Port

Set to 49. The listed port number is the default for this
protocol.
Attempt to override it only if your authentication server was
configured with a non-default port.

Key

Enter the secret key.

Debug

Set to False, by default.


Set to True for debugging purposes, when requested by your
customer service representative.

Login fallback options

The values True or False should not be entered in the Server, Secondary Server and Tertiary
Server fields, the corresponding Port fields or the Key field.

Note

Step 4

Set the option for fallback to the Local Authentication module


if the alternative service fails.

Click OK. To return to the Authentication Mode Setup page, click Cancel.

After you change the login module, you do not have to restart Cisco Prime. The user who logs in after
the change, automatically uses the new module. Changes to the login module are logged in the following
files:

NMSROOT/MDC/Tomcat/logs/stdout.log (On Solaris/Soft Appliance)

NMSROOT\MDC\Tomcat\logs\stdout.log (On Windows)

where NMSROOT is your Cisco Prime Installation directory.

Resetting Login Module


To reset the login module of LMS Server to Local Authentication:
Step 1

Stop the Daemon Manager using:

net stop crmdmgtd

(On Windows)

or

Step 2

/etc/init.d/dmgtd stop

(On Solaris/Soft Appliance)

Run the following script:

NMSROOT\bin\perl NMSROOT\bin\ResetLoginModule.pl (On Windows)


or

NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl (On Solaris/Soft Appliance)

where NMSROOT is your Cisco Prime Installation directory.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-35

Chapter 2

Setting up Security

Managing Roles

Step 3

Start the Daemon Manager using:

net start crmdmgtd

(On Windows)

or

/etc/init.d/dmgtd start

(On Solaris/Soft Appliance)

This resets the login module to Local Authentication mode.


Step 4

Enter a username in the User ID field.

Step 5

Enter the corresponding password in the Password field.

Step 6

Click Login or press Enter.


You are now logged into LMS Server.

Managing Roles
After authentication, your authorization is based on the privileges that have been assigned to you. A
privilege is a task or an operation defined within the application. The set of privileges assigned to you,
defines your role.
The LMS authorization scheme provides you with the following system-defined roles.

Help Desk Can access network status information only. Can access persisted data on the system
and cannot perform any action on a device or schedule a job which will reach the network.

Approver Can approve all tasks.

Network Operator Can perform all Help Desk tasks. Can perform tasks related to network data
collection. Cannot perform any task that requires write access on the network.

Network Administrator Can perform all Network Operators tasks. Can perform tasks that result
in a network configuration change.

System Administrator Can perform all Cisco Prime system administration tasks.

Super Admin Can perform all Cisco Prime operations including the administration and approval
tasks. This role has full privileges.

You can select a role and set it as the default role. After installing LMS 4.2, Help Desk will be the default
role.
If you do not want to use the system-defined roles, you can create custom roles and associate tasks to
them. You can also remove all the custom roles and retain only the predefined roles using a CLI tool,
see, Removing Custom Roles Using CLI.
To manage roles:
Step 1

Select Admin > System > User Management > Role Management Setup. The Role Management
Setup Page appears with the available roles, their descriptions, and the default role.

Note

You cannot edit, delete, or export system-defined roles.

Administration of Cisco Prime LAN Management Solution 4.2

2-36

OL-25947-01

Chapter 2

Setting up Security
Managing Roles

Step 2

You can do the following:

Button

Description

Add

Click Add to add user-defined roles. The Role Management Page appears.
To add a role:
1.

Enter the role name and description.

2.

Select the tasks that have to be assigned to the new role.


The task can be identified using the search option. The search uses the task name and the task
description to perform a complete search. The search results and All tab contents are
synchronized. Any selections made on search results will reflected in all tab. For more details
see Searching LMS Tasks.

3.

Click OK to add the new role or click Cancel to return to the Role Management Setup Page.

For more information on the various tasks in LMS 4.2, see Understanding LMS Tasks.
Edit

Delete

Select a user-defined role and click Edit to edit the role. The Role Management Page appears. To edit
a role:
1.

Modify the role description if required.

2.

Select or deselect the check box corresponding to the required tasks.

3.

Click OK to save the changes, or click Cancel to return to the Role Management Setup Page.

To delete a role:
1.

Select one or more user-defined roles and click Delete to delete the roles.

2.

Click OK to confirm or Cancel to return to the Role Management Setup Page.

If the deleted role is assigned to any user, then it will remove the association of this role with the user.
Copy

You can use this option to modify a system-defined role.


To copy a role:

Export

1.

Select a role from the roles and click Copy. The Role Management Page appears.

2.

Enter the role name and description.

3.

Select or deselect the check box corresponding to the tasks.

4.

Click OK to add the new role, or click Cancel to return to the Role Management Setup Page.

You can export roles only in the XML format. The file will be saved in the client.
To export roles:
Select the user-defined roles that you want to export and click Export. A message appears prompting
you to open or save the LMSRoleExport.xml file.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-37

Chapter 2

Setting up Security

Managing Roles

Button

Description

Import

You can import roles only in the XML format.


To import roles:
1.

Click Import.

2.

Click Browse and select a file from the client.

3.

Specify if you want to to overwrite, merge or backup the existing roles when you import
roles:

4.

Click Submit to import the roles or Cancel to return to the Role Management Setup Page.

You can choose to:

Set as Default

OverwriteRoles with the same names will be overwritten.

MergeRoles with the same names will be updated with details of the existing role and details
of the imported role.

BackupRoles with the same names will be overwritten. The existing role will be renamed as
CopyOf<Role name>.

Default role will be assigned to users who:

Do not have any role assigned to them.

Have logged in using an external authentication server, like PAM, and are not available in the
local database.

When multiple roles are set as default role, the user will be assigned with all the roles selected as
default roles.
If there is no default role configured, then authorization will fail for users who:

Do not have any role assigned to them.

Have logged in using an external authentication server, like PAM, and are not available in the
local database.

To set a default role:

Clear Default

1.

Select a role from the roles listed in the Role Management Setup Page.

2.

Click Set as Default. The selected roles will be the default roles.

Click Clear Default to clear the default role. After you clear the default role, authorization will fail
for any user assigned without this role.

Note

After adding roles you must assign one or more roles to your users, select Admin > System > User
Management > Local User Setup.

Searching LMS Tasks

To search the LMS tasks,


Step 1

Specify the exact task name or the first few characters of the task name in the search text box and click
the search icon. The task name is case-insensitive.

Administration of Cisco Prime LAN Management Solution 4.2

2-38

OL-25947-01

Chapter 2

Setting up Security
Managing Cisco.com Connection

For example enter admin or *admin or admin* or *change* in the search text box.

admin will search for the task and task description that contains the exact term admin.

*admin will search for the task and task description that ends with the term admin either in task
name or description.

admin* will search for the task and task description that begins with the term admin either in task
name or description.

*change* will search for the task and task description that contains the term change.

If there are no search results generated, then a pop-up window appears.

Note
Step 2

You are not allowed to use any other wildcard character apart from *.
Click the Search Results tab to see the corresponding search result.
In the All tab, the task tree will be in a collapsed state, whereas in the Search Results tab, the task tree
will be in the expanded state.
You will note that when you select or unselect a particular set of tasks in the Search Results tab, the
same set of tasks will be automatically selected or unselected in the All tab.

Removing Custom Roles Using CLI

You can use a CLI tool to remove all the user-defined roles and retain only the system-defined roles.
To do this:
On Windows, run:
NMSRoot\bin\ResetToFactoryRole.pl
On Solaris/Soft Appliance, run:
NMSRoot/bin/ResetToFactoryRole.pl

Managing Cisco.com Connection


Certain Software Center features require Cisco.com access. This means that Cisco Prime must be
configured with a Cisco.com account, which is to be used when downloading new and updated packages.
This section explains:

Setting up Cisco.com User Account

Setting Up the Proxy Server

To view the Cisco.com Connection Details, select Admin > System > Cisco.com Settings >
Connection Management. The Cisco.com Connection Management page displays the current Proxy
Server settings.

Setting up Cisco.com User Account


This feature lets you add and modify Cisco.com user login names and password.
To set up Cisco.com login account:

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

2-39

Chapter 2

Setting up Security

Support Settings

Step 1

Select Admin > System > Cisco.com Settings.

Step 2

Click User Account Setup in the TOC list.


The User Account Setup page appears.

Step 3

Enter your Cisco.com Username, and Cisco.com Password.

Step 4

Re-enter the password in the Verify Password field.

Step 5

Click Apply.

Setting Up the Proxy Server


You can update the proxy server configuration using the Proxy Server set up option.
To update your proxy server configuration:
Step 1

Select Admin > System > Cisco.com Settings.

Step 2

Click Proxy Server Setup in the TOC list.


The Proxy Server Setup page appears.

Step 3

Enter the Proxy Server host name or IP address, and the port number.
Optionally, you can enter the Username and Password for accessing the proxy server.
If you have entered your password, re-enter the same password in the Verify Password field.

Step 4

Click Apply.

Support Settings
From LMS 4.2.2, Cisco Prime LAN Management Solution will support the Support Settings feature to
allow user to set the following two types of interactions:

Enabling interactions directly from the LMS server

Enabling interactions only through client system

For more information on creating a new service request and updating an existing service request, see
Creating/Updating Support Case section in Getting Started with Cisco Prime LAN Management
Solution 4.2.

Administration of Cisco Prime LAN Management Solution 4.2

2-40

OL-25947-01

CH A P T E R

Administering LMS Server


LMS includes several administrative features to ensure that the server is performing properly. You can
manage processes, set up backup parameters, update licensing information, collect server information,
manage jobs and resources, and configure system-wide information on the LMS Server.

Using Daemon Manager

Managing Processes

Backing Up Data

Backup for Cisco Prime Infrastructure

Licensing Cisco Prime LMS

Compliane and Audit Manager (CAAM) Server License

This chapter has the following information:

Using Daemon Manager

Managing Processes

Backing Up Data

Licensing Cisco Prime LMS

Configuring a Default SMTP Server

Collecting Server Information

Collecting Self Test Information

Messaging Online Users

Managing Resources

Collecting Server Information

Collecting Self Test Information

Messaging Online Users

Managing Resources

Modifying System Preferences

Configuring Log Files Rotation

Modifying System Preferences

Configuring Disk Space Threshold Limit

Effects of Third Party Backup Utility and Virus Scanner

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-1

Chapter 3

Administering LMS Server

Using Daemon Manager

Configuring TFTP

Cisco Prime Integration Application Settings

Using Daemon Manager


The Daemon Manager provides the following services:

Maintains the startup dependencies among processes.

Starts and stops processes based on their dependency relationships.

Restarts processes if an abnormal termination is detected.

Monitors the status of processes.

The Daemon Manager is useful to applications that have long-running processes that must be monitored
and restarted, if necessary. It is also used to start processes in a dependency sequence, and to start
transient jobs.
Do not start the Daemon Manager immediately after you stop it. The ports used by the Daemon Manager
will be in use for some time after the Daemon Manager is stopped. Wait for at least a minute before you
start the Daemon Manager.
If the System resources are less than the resources required to install the application, the Daemon
Manager restart displays warning messages that are logged into dmgtd.log.
You cannot start the Daemon Manager if there are non-SSL compliant applications installed on the server
when SSL is enabled in LMS.
Restarting Daemon Manager on Solaris/Soft Appliance

To restart Daemon Manager on Solaris/Soft Appliance:


Step 1

Log in as root.

Step 2

Enter /etc/init.d/dmgtd stop to stop the Daemon Manager.

Step 3

Enter /etc/init.d/dmgtd start to start the Daemon Manager.

Restarting Daemon Manager on Windows

To restart Daemon Manager on Windows:


Step 1

Go to the command prompt.

Step 2

Enter net stop crmdmgtd to stop the Daemon Manager.

Step 3

Enter net start crmdmgtd to start the Daemon Manager.

Do not start the Daemon Manager immediately after you stop it. The ports used by Daemon Manager
will be in use for some more time even after the Daemon Manager is stopped. Wait for at least one minute
before you start the Daemon Manager.
If the System resources are less than the required resources to install the application, Daemon Manager
restart displays warning messages that are logged into syslog.log.

Administration of Cisco Prime LAN Management Solution 4.2

3-2

OL-25947-01

Chapter 3

Administering LMS Server


Managing Processes

Managing Processes
Cisco Prime applications use back-end processes to manage application-specific activities or jobs. The
process management tools enable you to manage these backend processes to optimize or troubleshoot
the LMS Server.
You can do the following activities:

View the details of all processes

Filter and show only processes of a specific state

Start the processes

Stop the processes

All mandatory processes are started when you start the system.
See LMS Back-end Processes for a list of Cisco Prime back-end processes used by LMS.
You can manage the Cisco Prime processes through CLI. See Managing Processes Through CLI for
more information.

Note

Your role and privileges determine whether you can use this option.
This section contains the following:

Process States

Viewing Process Details

Viewing Processes of a Specific State

Starting a Process

Stopping a Process

Process States

The state of the Cisco Prime backend processes fall under either one of the following categories:
State

Description

Running normally

Processes are started and are running normally.


Sometimes, you find the state of a few processes as follows:
Program started - No mgt msgs received

This indicates that the processes are started automatically at boot and are
running normally.
Never started

Processes that cannot start automatically and are to be started by operator


or administrator.

Failed to run

Processes that failed to start because of an error in the system.

Administratively
shutdown

Processes that are stopped by the system or by the administrator.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-3

Chapter 3

Administering LMS Server

Managing Processes

State

Description

Transient Terminated

Terminated transient processes.


Processes that are created or started by Daemon Manager whenever
required are called transient processes.

Waiting to Initialize

Processes that are yet to run normally and are in initialization phase.

Viewing Process Details

To view Process details:


Step 1

Select Admin > System > Server Monitoring > Processes.


The Process Management page appears with all Cisco Prime processes listed.
You can see the following information of a Cisco Prime process in the Process Management window:
Column

Description

ProcessName

Name of the process. Describes how the process is registered. See LMS
Back-end Processes for more information on process description. For
information on suite-specific processes, see the relevant Online help.
You cannot view the details of Apache and Tomcat processes or restart them from
the user interface. But you can view the details of these processes in Process
Status report (Reports > System > Status > Process).

Step 2

ProcessState

Process status and a summary of the log file entries for the process. If the process
fails, this column is highlighted in red.

ProcessId

Unique number by which the operating system identifies each running program.

ProcessRC

Return code. 0 represents normal program operation. Any other number


represents an error. See the error log for details.

ProcessSigNo

Signal number. 0 represents normal program operation. Any other number is the
last signal delivered to the program before it terminated.

ProcessStartTime

Time and date on which the process was started.

ProcessStopTime

Time and date on which the process was stopped.

Click the ProcessName link of a process to view its details.


The Process Details popup window appears with the following information:
Column

Description

Process

Name of the process.

Path

File Location.

Flags

Flags used to register the process with the Daemon Manager.

Startup

Method used to start the process (manual or automatic).

Dependencies

Other processes that are running, and that are required for this process to
run.

Administration of Cisco Prime LAN Management Solution 4.2

3-4

OL-25947-01

Chapter 3

Administering LMS Server


Managing Processes

Step 3

Click OK.

You can click the Refresh icon on the top-right corner of the page to initiate a page refresh and view the
updated information of the processes.
Viewing Processes of a Specific State

To view processes of a specific state:


Step 1

Select Admin > System > Server Monitoring > Processes.


The Process Management page appears.

Step 2

Select a process state from the Show Only process state.


You can select any one of the following process states:

Never started

Waiting to initialize

Running normally

Failed to run

Transient terminated

Administrator has shut down this server

Program started No mgt msgs received

See Process States for description of each of these process states.


The details of processes of the selected state appears.

Starting a Process

To start a process:
Step 1

Select Admin > System > Server Monitoring > Processes.


The Process Management page appears.

Step 2

Select the check box corresponding to the process.

Step 3

Click Start.

Stopping a Process

To stop a process:
Step 1

Select Admin > System > Server Monitoring > Processes.


The Process Management page appears.

Step 2

Select the check box corresponding to the process.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-5

Chapter 3

Administering LMS Server

Managing Processes

Step 3

Click Stop.

LMS Back-end Processes


The back-end processes in the LMS Server are required to manage application specific activities and
jobs.
Table 3-1 lists the back-end processes in LMS Server, their description and dependent processes.
In LMS 4.2, Compliance and Audit Manager (CAAM) Server is added as a new back-end process.
Log files for most of the processes are located in the following locations:

On Solaris/Soft Appliancevar/adm/CSCOpx/log

On WindowsNMSROOT\log, where NMSROOT is your Cisco Prime default installation directory.

You can also manage the Cisco Prime processes through CLI. You can perform the following activities
through CLI:

Viewing Process Details Through CLI

Viewing Brief Details of Processes

Viewing Processes Statistics

Starting a Process

Stopping a Process

This section contains:

Server Back-end Processes

Inventory, Config and Image Management Processes

Network Topology, Layer 2 Services and User Tracking Processes

IPSLA Performance Management Processes and Dependency Processes

Device Performance Management Module Processes

Fault Management Processes

Server Back-end Processes


Table 3-1 lists the LMS 4.2 Server Back-end processes and their dependency processes.

Administration of Cisco Prime LAN Management Solution 4.2

3-6

OL-25947-01

Chapter 3

Administering LMS Server


Managing Processes

Table 3-1

Cisco Prime LMS 4.2 Server Back-end Processes and their Descriptions

Process Name

Description

Apache

Apache web server used on both UNIX


and Windows systems. This hosts the
base Cisco Prime home page and all
major applications.

Normal Process
State

Dependent Process

Program started - TomcatMonitor


No mgt msgs
received

Log Files
NMSRoot\MDC\
Apache\logs
(On Windows)
/opt/CSCOpx/MDC/
Apache/logs
(On Solaris/Soft Appliance)

You cannot view the details of this


process or restart this process from the
user interface (from Process Management page).
CmfDbEngine

Sybase database instance used by the


base Cisco Prime framework.

Program started - None


No mgt msgs
received

CmfDbMonitor

Monitors the CmfDbEngine process and Running


periodically checks for connectivity and normally
SQL errors.

CmfDbEngine

NMSRoot/MDC/log/
daemons.log
(On Solaris/Soft
Appliance only)
NMSRoot\log\
CmfDbMonitor.log
(On Windows)
/var/adm/CSCOpx/log
/CmfDbMonitor.log
(On Solaris/Soft Appliance)

CMFOGSServer

Device grouping service in CS that


provides grouping capability based on
device attributes stored in DCRServer.

Program started - CmfDbMonitor,


No mgt msgs
EssMonitor,
received
DCRServer

NMSRoot\log\
CMFOGSServer.log
(On Windows)
/var/adm/CSCOpx/log
/CMFOGSServer.log
(On Solaris/Soft Appliance)

CSDiscovery

Transient process created by Daemon


Manager. This process initiates Device
Discovery.

Transient Terminated

NMSRoot\log\
CSDiscovery.log
(On Windows)
/var/adm/CSCOpx/log
/CSDiscovery.log
(On Solaris/Soft Appliance)

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-7

Chapter 3

Administering LMS Server

Managing Processes

Table 3-1

Cisco Prime LMS 4.2 Server Back-end Processes and their Descriptions

Process Name

Description

Normal Process
State

CSRegistryServer Registry Server for other CS processes


Running
such as DCRServer and CMFOGSServer normally
and provides the backbone for inter-process communication for DCRServer and
CMFOGSServer.

Dependent Process

Log Files
NMSRoot\log\
CSRegistryServer.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
(On Solaris/Soft Appliance)

Sometimes, the Tomcat process may start


this process. In such cases, the process
status is displayed as follows:
Administrator has shut down this
server

You can ignore this error message.


DCRServer

DCRDevicePoll

Device List and Credential Repository


Server that provides the repository for
shared device list and credentials to be
used across applications.

Running
normally

Transient process created by Daemon


Manager. This process initiates Device
Polling.

Transient Terminated

TomcatMonitor,
CmfDbMonitor,
EssMonitor

NMSRoot\log\
DCRServer.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
(On Solaris/Soft Appliance)

NMSRoot\log\
DCRDevicePoll.log
(On Windows)
/var/adm/CSCOpx/log
/DCRDevicePoll.log
(On Solaris/Soft Appliance)

diskWatcher

Monitors disk space availability on the


LMS Server.

Running
normally

See Configuring Disk Space Threshold


Limit for more information.

EDS

Legacy Event Distribution engine. This Running


is currently used by some applications to normally
send and receive event messages.

NMSRoot\log\
diskWatcher.log
(On Windows)
/var/adm/CSCOpx/log
/diskWatcher.log
(On Solaris/Soft Appliance)

NameServiceMonitor

NMSRoot\log\
EDS.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
(On Solaris/Soft Appliance)

Administration of Cisco Prime LAN Management Solution 4.2

3-8

OL-25947-01

Chapter 3

Administering LMS Server


Managing Processes

Table 3-1

Cisco Prime LMS 4.2 Server Back-end Processes and their Descriptions

Process Name

Description

EDS-GCF

EDS - Generic Consumer Framework


process. It is an extension to EDS that
allows Generic Event Consumers to
provide a pluggable event interface.

ESS

EssMonitor

Normal Process
State

Dependent Process

Running
normally

EDS, CmfDbMonitor

Log Files
NMSRoot\log\
EDS-GCF.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
(On Solaris/Soft Appliance)

Event Services Software. The new


Program started -
engine that handles distribution of events No mgt msgs
between processes. This is slated to
received
eventually replace EDS.

NMSRoot\log\ESS.log
(On Windows)

Monitors ESS process to check if events Running


normally
related functionality works properly.
This process shuts down automatically
when the ESS process fails or does not
function properly.

NMSRoot\log\
EssMonitor.log
(On Windows)

ESS

/var/adm/CSCOpx/log
/daemons.log
(On Solaris/Soft Appliance)

/var/adm/CSCOpx/log
/daemons.log
(On Solaris/Soft Appliance)

EventFramework

Event management bus, LMS uses this to Program started - EssMonitor


No mgt msgs
facilitate event transmissions between
received
daemons.

No log files

FDRewinder

Enables the rotation of log files function- Never started


ality using logrot.

/var/adm/CSCOpx/log
/daemons.log
(On Solaris/Soft Appliance)

(Solaris/Soft
Appliance Only)
jrm

LicenseServer

Job and Resource Manager. This allows


scheduling of jobs to be run at specific
times. It also allows locking and
unlocking of resources.

Program started - CmfDbMonitor,


No mgt msgs
NameServicereceived
Monitor, EDS, EssMonitor

Provides Licensing functionality for


Program started -
evaluation and file based licensing mech- No mgt msgs
anisms.
received

NMSRoot\log\
jrm.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
(On Solaris/Soft Appliance)
NMSRoot\log\
LicenseServer.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
(On Solaris/Soft Appliance)

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-9

Chapter 3

Administering LMS Server

Managing Processes

Table 3-1

Cisco Prime LMS 4.2 Server Back-end Processes and their Descriptions

Normal Process
State

Process Name

Description

NameServiceMonitor

Running
Name Service agent that monitors
Normally
objects and messages and acts as a
gateway between the JacORB clients and
the Name Server.

Dependent Process
NameServer

Log Files
NMSRoot\log\
NameServiceMonitor.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
(On Solaris/Soft Appliance)

NameServer

Object Request Broker for the JacORB


framework used in Cisco Prime.

Program started -
No mgt msgs
received

NMSRoot\log\
NameServer.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
(On Solaris/Soft Appliance)

Tomcat

Java servlet engine used on Windows,


Solaris and Soft Appliance systems
hosting applications based on the Cisco
Prime desktop.

Program started -
No mgt msgs
received

/opt/CSCOpx/MDC/
tomcat/logs/stdout.log(On
Solaris/Soft Appliance)

You cannot view the details of this


process or restart this process from the
user interface (from Process Management page).
TomcatMonitor

Monitors the health of the Tomcat


process and shuts down automatically
when Tomcat fails or does not function
properly.

NMSRoot\MDC\
tomcat\logs\stdout.log
(On Windows)

Running
normally

Tomcat

NMSRoot\log\
TomcatMonitor.log
(On Windows)
/var/adm/CSCOpx/log
/daemons.log
(On Solaris/Soft Appliance)

Administration of Cisco Prime LAN Management Solution 4.2

3-10

OL-25947-01

Chapter 3

Administering LMS Server


Managing Processes

Inventory, Config and Image Management Processes


Table 3-2 lists Inventory, Config and Image Management processes, and their dependency processes.
Table 3-2

Inventory, Config and Image Management Processes and Dependency Processes

Process Name

Dependency
(Sequential)

Log Information

Description

RMEDbEngine

None

NA

System service: the database engine for


Inventory, Config and Image Management
applications.

ConfigMgmtServer

EssentialsDM

dcmaservice.log

Configuration Management service performs


the following tasks,

ConfigUtilityService EssentialsDM

cfgutilservice.log

Collects the configuration for the LMS


managed devices on request from jobs or
user Interface.

Archives new version if there is a


difference between the fetched
configuration and the latest configuration
in archive.

Parses the configuration based on configlet


rules and generates differences between the
configurations.

Logs change record for every new version


of archived running configuration.

Detects config changes on the device and


triggers configuration collection

Caches the device and NetConfig template


mapping information.

Populates the database with NetShow


system-defined command sets and
NetShow commands by retaining them
from device packages.

ConfigUtilityService parses the archived


configurations of the devices for assessing the
technology readiness of the devices. It does
config and CLI parsing.
ConfigUtilService also performs OGS grouping
attributes updates at the end of Inventory
collection.

SyslogCollector

ESS

SyslogCollector.log

Filters and sends the syslog objects to various


SyslogAnalyzer services subscribed to it.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-11

Chapter 3

Administering LMS Server

Managing Processes

Table 3-2

Inventory, Config and Image Management Processes and Dependency Processes (continued)

Process Name

Dependency
(Sequential)

EssentialsDM

ESS
DCRServer
LMSDbEngine

Log Information

Description

EssentialsDM_Server.log It publishes a dummy Common Services


Transport Mechanism (CSTM) service name to
synchronize publishing of service names with
CSTM.
All other LMS services that publish service
names with CSTM are made dependant on this
service either directly or indirectly.
After adding devices to LMS, this service
triggers for Inventory and Configuration
collection.
System service that monitors the accessibility
of the LMS database engine that helps to ensure
that the system is not started until the database
engine is ready.

EnergyWise

EssentialsDM ICServer

EnergyWise.log

EnergyWise process provides services for:

EnergyWiseUI.log

EnergyWise endpoint and device collection

EnergyWiseConfiguratio
n.log

EnergyWise monitoring

EnergyWise compliance check

Auto-push of EnergyWise policies on the


devices.

EnergyWiseMonitoring.l
og
EnergyWiseCollection.lo
g
EnergyWiseNative.log
EnergyWiseComplianceC
heck.log
EnergyWiseNativeCompl
iance.log
EnergyWise_Purge.log
EnergyWiseNativePolicy.
log
CTMJrmServer

EssentialsDM

CTMJrmServer.log

This service is a proxy to the JRM service. This


is used by LMS to connect to the JRM service.
It hides all the direct interaction with JRM.

ChangeAudit.log

Change Audit program that provides back-end


database services for applications that want to
log network changes and for Change Audit
reports and Automated actions

jrm
Tomcat
ChangeAudit

EssentialsDM
CTMJrmServer
jrm

Administration of Cisco Prime LAN Management Solution 4.2

3-12

OL-25947-01

Chapter 3

Administering LMS Server


Managing Processes

Table 3-2

Inventory, Config and Image Management Processes and Dependency Processes (continued)

Process Name

Dependency
(Sequential)

Log Information

Description

ICServer

ESS

IC_Server.log

This is a service that collects and stores


Inventory information from the device using
SNMP.

CTMJrmServer

It also detects changes that occurred between


the last time Inventory was collected for a
device, and the current Inventory collection.
SyslogAnalyzer

ESS
EssentialsDM
CTMJrmServer

SyslogAnalyzer.log for
Windows
AnalyzerDebug.log for
Solaris/Soft Appliance

jrm

It takes the filter definition from the user and


sends it to the various Syslog Collectors it is
subscribed to.
Receives the syslogs from the Syslog collector
and inserts them into the database and also takes
automated actions from the user.

PMCOGSServer

LMSOGSServer

PMCOGSServer.log

Port and Module group administration service.


This is used for managing Port and Module
groups.

ANIDbEngine

None

None

System service: Database engine for Topology


and Identity Services.

ANIServer

EDS

ani.log

System service: Collects device information for


Topology and Identity Services.

macuhic.log

System service: Receives and processes SNMP


traps for Dynamic UT

utlite.log

System service: Receives and processes the


UTLITE data

UTMajorAcquisition ANIServer

ut.log

UTMajor Acquisition is a transient process.


System service: Collects end hosts information.

UTManager

utm.log

System service: Queries external system for


Dynamic UT

ANIDbEngine
MACUHIC

EssMonitor
ANIDbEngine

UTLITE

EssMonitor
ANIDbEngine

EssMonitor
ANIDbEngine
DCRServer

VNMServer

ANIDbEngine

Vnmserver.log

System service: Handles VRF Lite Services like


configuration, VRF Lite collector job
scheduling

WlseUHIC

ANIDbEngine

wlseuhic.log

System service: Collects information from


Wlse Device

Compliance and
Audit Manager
(CAAM) Server

Essentials DM

caam_server.log

The Compliance and Audit Manager server


collects information from the Inventory and
Configuration management servers and stores
the details in a database.

cammserverui.log
caamservercollection.log

If you stop or restart any of these processes you must stop and restart their dependency processes. See
Table 3-2 for the list of dependent processes.
You can stop and restart the process using Admin > System > Server Monitoring > Processes.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-13

Chapter 3

Administering LMS Server

Managing Processes

Network Topology, Layer 2 Services and User Tracking Processes


Table 3-3 lists Inventory, Config and Image Management processes, and their dependency processes.
Table 3-3

Network Topology, Layer 2 Services and User Tracking Processes and Dependency Processes

Process Name

Dependency
(Sequential)

Log Information

Description

ANIDbEngine

None

None

System service: Database engine for


Topology and Identity Services.

ANIServer

EDS

ani.log

System service: Collects device information


for Topology and Identity Services.

macuhic.log

System service: Receives and processes


SNMP traps for Dynamic UT

utlite.log

System service: Receives and processes the


UTLITE data

ANIDbEngine
MACUHIC

EssMonitor
ANIDbEngine

UTLITE

EssMonitor
ANIDbEngine

UTMajorAcquisition

ANIServer

ut.log

UTMajor Acquisition is a transient process.


System service: Collects end hosts
information.

UTManager

EssMonitor

utm.log

System service: Queries external system for


Dynamic UT

ANIDbEngine
DCRServer
VNMServer

ANIDbEngine

Vnmserver.log

System service: Handles VRF Lite Services


like configuration, VRF Lite collector job
scheduling

WlseUHIC

ANIDbEngine

wlseuhic.log

System service: Collects information from


Wlse Device

Administration of Cisco Prime LAN Management Solution 4.2

3-14

OL-25947-01

Chapter 3

Administering LMS Server


Managing Processes

IPSLA Performance Management Processes and Dependency Processes


Table 3-4 lists the LMS 4.2 Performance Management processes and their dependency processes.
Table 3-4

LMS 4.2 IPSLA Performance Management Process and the Dependency Processes

Dependency (Sequential)

Process Name

Description

IPMProcess

Provides core function of managing


IPSLA Performance Management
Devices, Collectors and Operations in
LMS.

DCRServer,
IpmDbEngine

Log Files

Program
Started

ipmserver.log,dmgtd.log

Program
Started

IPMOGSServer.log,

Program
Started

dmgtd.log

jrm

IPMOGSServer IPSLA Performance Management


group administration service. This is
used for managing IPSLA Performance
Management collector groups. It is also
used for IPSLA Performance Management Collector selector.

CmfDbMonitor,

IpmDbEngine

NA

IPSLA Performance Management


Database Engine service.

Default State

EssMonitor,

IPMOGSClient.log

DCRServer,
IpmDbEngine

It is used for managing and storing


IPSLA Performance Management
related information on the database

Device Performance Management Module Processes


Table 3-5 gives a description of key processes in Device Performance Management module.
Table 3-5

Key Processes in LMS 4.2 Device Performance Management Module

Dependent
Process

Process Name

Description

UPMDbEngine

None
This is the Device
Performance Management
database engine process. If
this process is down, you will
not be able to access Device
Performance Management
module of LMS, and polling,
threshold monitoring, and
trendwatch monitoring will
fail.

Default
State

Log Files

Started

None

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-15

Chapter 3

Administering LMS Server

Managing Processes

Table 3-5

Process Name

Key Processes in LMS 4.2 Device Performance Management Module

Description

UPMDbMonitor Responsible for monitoring


the UPMDbEngine process.
UPMProcess

Dependent
Process

Default
State

Log Files

UPMDbEngine

Started

UPMDbMonitor.log

DCRServer,
Started
Responsible for the Polling
UPMDbMonitor
engine, Threshold
monitoring and Poller
Management features of
LMS. If this process is down,
poller management,
threshold management,
trendwatch management will
fail.

upm_process.log

Fault Management Processes


Table 3-6 provides a complete list of Fault Management-related Cisco Prime processes. Logs for most
of these processes are provided in Table 17-2.
Table 3-6

Fault Management Related Processes

Name

Description

Dependency

Default State Log Files

AdapterServer/
AdapterServer 1

Event adapter takes events from backend


servers.

None

Program
Started

DataPurge

Data PurgeStarts as scheduled in the GUI and jrm


purges the Fault History database.

adapterServer.log,
adapterServer1.log
, daemons.log

Administrato DPS.log,
daemons.log
r has shut
down this
server

Administration of Cisco Prime LAN Management Solution 4.2

3-16

OL-25947-01

Chapter 3

Administering LMS Server


Managing Processes

Table 3-6

Fault Management Related Processes (continued)

Name

Description

Dependency

DfmBroker

Fault Management Broker maintains a registry None


about Fault Management domain managers, that
register the following information with the
broker when its initialization is complete:

Default State Log Files


Program
Started

brstart.log

None

Program
Started

DfmLogService.lo
g, daemons.log

DFMMultiProcLog Handles processes with multiple threads.


ger

None

Program
Started

MultiProcLogger.l
og, daemons.log

DFMOGSServer

Fault Grouping Service Server evaluates group


membership.

CmfDbEngine,
Program
ESS, DCRServer, Started
TISServer

DFMOGSServer.l
og

DfmServer/DfmSe
rver 1

Infrastructure device domain manager, a


program that provides backend services for
Fault Management. Services include SNMP
data retrieval and event analysis. The
DfmServer log is
NMSROOT/objects/smarts/logs/DFM.log.

DfmBroker

Running
Normally

DFM.log,
DFM1.log

Application name of the domain manager

Hostname on which the domain manager is


running

TCP port at which the HTTP server is


listening

When a client needs to connect to the domain


manager, it first connects to the broker to
determine the hostname and TCP port the HTTP
service of that server is listening.
It then disconnects from the broker and
establishes a connection to the domain manager.
The DfmBroker log file is located at
NMSROOT/objects/smarts/local/logs/brstart.log
.
DFMLogServer

Controls Fault Management logs.

If there are two instances of the DfmServer


running, each will have a log file, DFM.log and
DFM1.log.
DFMCTMStartup

Handles interprocess communication.

None

Administrato DFMCTMStartup.
log, daemons.log
r has shut
down this
server

EPMDbEngine

Event Promulgation Module (EPM) database


engineRepository for the EPM module.

None

Program
Started

EPM.log

EPMServer

Sends events to notification services.

EPMDbEngine

Running
Normally

EPM.log

FHDbEngine

Fault History database engineRepository for


alerts and events.

None

Program
Started

daemons.log

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-17

Chapter 3

Administering LMS Server

Managing Processes

Table 3-6

Fault Management Related Processes (continued)

Name

Description

Dependency

Default State Log Files

FHPurgeTask

Fault History purge task.

None

Transient
terminated

FHCollector.log,
FHUI.log

FHServer

Fault History server, a program that runs


backend services for Fault History.

EPMServer,
EPMDbEngine,
FHDBEngine

Running
Normally

FHServer.log

Interactor

Provides inventory and device information to


the Detailed Device View (DDV); updates the
DDV with events.

InventoryCollect
or

Program
Started

Interactor.log

Interactor 1

Provides inventory and device information to


the Detailed Device View (DDV); updates the
DDV with events.

Inventory
Collector 1

Program
Started

Interactor1.log

InventoryCollector
/
InventoryCollector
1

Synchronizes voice device inventory with


infrastructure device inventory. Handles all
inventory events, such as adding and deleting
devices.

ESS, TISServer,
DFMOGSServer

Running
Normally/Pr
ogram
Started

InventoryCollector
.log,
InventoryCollector
1.log

INVDbEngine

Inventory database engineRepository for


devices.

None

Program
Started

daemons.log

NOSServer

Notification Server monitors alerts and sends


notifications based on subscriptions.

EPMDbEngine,
EPMServer,
INVDbEngine,
DFMOGSServer

Running
Normally

nos.log

PTMServer

Polling and thresholds server.

DFMOGSServer

Running
Normally

PTMServer.log

PMServer

PMServer is used for the Partition Manager


funtionality for the Fault Management module
of LMS. When you add a device to the Fault
Management module, it is always added to the
default partition 0.

INVDbEngine

Running
Normally

PMServer.log (For
Windows)

EssMonitor

daemons.log (For
Solaris/Soft
Appliance)

All the debug logs related to PMServer can be


found at NMSROOT/log/dfmLogs/PM
TISServer

Inventory server.

EssMonitor,
INVDbEngine

Program
Started

TISServer.log

Administration of Cisco Prime LAN Management Solution 4.2

3-18

OL-25947-01

Chapter 3

Administering LMS Server


Backing Up Data

Backing Up Data
You should back up the database regularly so that you have a safe copy of the database. You can schedule
immediate, daily, weekly, or monthly automatic database backups. You should have necessary privileges
to use this option.
You cannot back up the database while restoring the database. LMS uses multiple databases to store
client application data. These databases are backed up whenever you perform a backup.
Backup requires enough storage space on the target location for the backup to start.
If your current license count is lower than your earlier license count, and you restore the data now,
devices that exceed the current licence count will be moved to Suspended state.

Caution

You should never backup data to the Cisco Prime Installation directory NMSROOT/backup. Sometimes,
storing the backup data in this location may corrupt the Cisco Prime installation.
This section explains:

Scheduling a Backup

Restoring Data

Changing the Database Password

Effects of Backup-Restore on DCR

Master-Slave Configuration Prerequisites and Restore Operations

Effects of Backup-Restore on Groups

Scheduling a Backup
You can schedule a backup using the LMS UI or use the backup utility through CLI. See, Backing up
Data Using CLI for more information.
To schedule a backup:
Step 1

Select Admin > System > Backup.


The Backup Job page appears.

Step 2

Enter the appropriate information in the following fields:


Field
Backup Directory

Generations
Time

Description
Location of the backup directory. We recommend that your target location be on
a different partition than the Cisco Prime installation location.
The backup directory should not contain any special character.
Maximum number of backups to be stored in the backup directory.
From the lists, select the time period between which you want the backup to
occur. Use a 24-hour format.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-19

Chapter 3

Administering LMS Server

Backing Up Data

Field
E-mail

Description
Enter a valid e-mail ID in this field.
You can enter multiple e-mail IDs separated by commas.
The system uses the e-mail ID or e-mail IDs to notify you the following:

New backup schedules.

Status of immediate or scheduled backup jobs upon their completion.

Cancelled backup schedules.

Warning

Frequency

There may be a problem in sending e-mails when you have enabled


virus scanner in the Cisco Prime LMS Server.

Select the backup schedule:

Immediately - The database is backed up immediately.

Daily - The database is backed up every day at the time specified.

Weekly - The database is backed up once a week on the day and time
specified. Select a day from the Day of week list.

Monthly - The database is backed up once a month on the day and time
specified. Select a day from the Day of month list.

You cannot schedule more than one backup at a time. The new schedule
overwrites the previous schedule, if any.
Step 3

Click Apply.
The Schedule Backup message verifies your schedule and provides the location of backup log files.
Examine the log file at the following location to verify backup status:
On Solaris/Soft Appliance:
/var/adm/CSCOpx/log/dbbackup.log
On Windows:
NMSROOT\log\dbbackup.log
You can remove the scheduled backup at any time. Click Remove to delete the scheduled backup job.
The Remove button appears only if you have scheduled any backup.

Restoring Data
The new restore framework supports restore across versions. This enables you to restore data from
versions 3.1, 3.2. The restore framework checks the version of the archive.

If the archive is of the current version, then the restore from current version is run.

If the backup archive is of an older version, the backup data is converted to LMS format, if needed,
and applied to the machine.

You can restore your database by running a script from the command line. You have to shut down and
restart Cisco Prime while restoring data.

Administration of Cisco Prime LAN Management Solution 4.2

3-20

OL-25947-01

Chapter 3

Administering LMS Server


Backing Up Data

In all backup-restore scenarios, a back up is taken from a machine A, and the backed up data, say Ab, is
restored on the same machine A, or on a different machine B.
Ensure that you do not run any critical tasks during data restoration. Otherwise, you may lose the data
of such tasks.
For details on effect of restore operation on DCR modes, and Groups, see Effects of Backup-Restore on
DCR and Effects of Backup-Restore on Groups.

Caution

Restoring the database from a backup permanently replaces your database with the backed up version.
The list of applications in a backup archive should match the list of applications installed on the LMS
Server where you want to restore the data. You should not continue the restore when there is a mismatch,
as it may cause problems in the functionality of Cisco Prime applications.
This section explains the following:

Restoring Data On Solaris/Soft Appliance

Restoring Data On Windows

Restoring Data On Solaris/Soft Appliance

To restore the data on Solaris/Soft Appliance:


Step 1

Log in as the superuser, and enter the root password.

Step 2

Stop all processes by entering:


/etc/init.d/dmgtd stop

Step 3

Restore the database by entering:


/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/restorebackup.pl [-t temporary directory] [-gen
generationNumber] [-d backup directory] [-h]

[-t temporary directory]The restore framework uses a temporary directory to extract the content
of backup archive.
By default the temporary directory is created under NMSROOT as NMSROOT/ tempBackupData.
You can customize this, by using this t option, where you can specify your own temp directory.
This is to avoid overloading NMSROOT

[-gen generationNumber]Optional. By default, it is the latest generation. If generations 1 through


5 exist, then 5 will be the latest.

[-d backup directory]Required. Which backup directory to use.

[-h]Provides help. When used with -d <backup directory> syntax, shows correct syntax along
with available suites and generations.

To restore the most recent version, enter:


/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/restorebackup.pl -d backup directory
For example, -d /var/backup
Step 4

Examine the log file in the following location to verify that the database was restored by entering:
/var/adm/CSCOpx/log/restorebackup.log

Step 5

Restart the system:


/etc/init.d/dmgtd start

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-21

Chapter 3

Administering LMS Server

Backing Up Data

Restoring Data On Windows

To restore the data on Windows, make sure you have the correct permissions, and do the following:
Step 1

Stop all processes by entering the following at the command line:


net stop crmdmgtd

Step 2

Restore the database by entering:


NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl [-t temporary directory] [-gen
generationNumber] [-d backup directory] [-h]
where NMSROOT is the Cisco Prime installation directory. See the previous section for command option
descriptions.
To restore the most recent version, enter the following command:
NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl -d backup directory

Step 3

Examine the log file in the following location to verify that the database was restored by entering:
NMSROOT\log\restorebackup.log

Step 4

Restart the system by entering:


net start crmdmgtd

Note

For more details on restoring data see Migrating Data to Cisco Prime LAN Management Solution 4.2 in
Installing and Migrating to Cisco Prime LAN Management Solution 4.2

Changing the Database Password


You must enter the database password while installing Cisco Prime. If you do not enter the password,
Cisco Prime generates the password at random. However, we recommend that you change the password
periodically to ensure system security.

Caution

You need to shut down Cisco Prime, change the password and then restart Cisco Prime, for the changes
to take effect. Make sure you are not running any critical tasks. Otherwise, you might lose data.
This section explains the following:

Changing Password on Solaris/Soft Appliance

Changing Password on Windows

Formats Available for Changing the Database Password

Changing Password on Solaris/Soft Appliance

To change the password on Solaris/Soft Appliance:


Step 1

Log in as the superuser, and enter the root password.

Administration of Cisco Prime LAN Management Solution 4.2

3-22

OL-25947-01

Chapter 3

Administering LMS Server


Backing Up Data

Step 2

Stop all processes by entering:


/etc/init.d/dmgtd stop

Step 3

Change to the installation directory by entering:


cd

NMSROOT/bin

NMSROOT is your default Cisco Prime installation directory.


Step 4

Enter the following command to list the different formats available for changing the database password:
NMSROOT/bin/perl dbpasswd.pl

Step 5

When prompted, enter the new password and verify it by re-entering it.
The password can contain a maximum of 30 characters.

Step 6

Start all processes by entering:


/etc/init.d/dmgtd start

Changing Password on Windows

To change the password on Windows:


Step 1

At the command line, make sure you have the correct permissions.

Step 2

Stop all processes by entering:


net stop crmdmgtd

Step 3

Change to the Installation Directory by entering:


cd

NMSROOT\bin

NMSROOT is your default Cisco Prime installation directory.


Step 4

Enter the following command to list the different formats available for changing the database password:
NMSROOT\bin\perl dbpasswd.pl

Step 5

When prompted, enter the new password and verify it by re-entering it.
The password can contain a maximum of 30 characters.

Step 6

Start all processes by entering:


net start crmdmgtd

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-23

Chapter 3

Administering LMS Server

Backing Up Data

Formats Available for Changing the Database Password

The different formats available and the commands for changing the database passwords on Windows,
Solaris and Soft Appliance platforms are tabulated below:
Format

Command

Format 1 detects the available datasource names


and databases and prompts you to enter and
confirm the passwords for each of them.

On Solaris/Soft Appliance:

It also allows you to encrypt the password.

NMSROOT/bin/perl dbpasswd.pl all


On Windows:
NMSROOT\bin\perl dbpasswd.pl all

Format 2 allows you to list all the databases and


datasource names (DSNs) available in the server.

On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl listdsn
On Windows:
NMSROOT\bin\perl dbpasswd.pl listdsn

Format3 allows you to change the database


password.

On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl dsn=odbc_datasource
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=odbc_datasource

Format 4 allows you to change the database


password for a specific DSN.
It also allows you to enter a new password in the
command line using the npwd option.

On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password

Format 5 allows you to encrypt the existing


database password.

On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name encyption=yes
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name encyption=yes

Format 6 allows you to change the database


password for a specific DSN.

On Solaris/Soft Appliance:

Format 6.0 also:

encryption=yes

Allows you to enter a new password in the


command line using the npwd option.

NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password


On Windows:

NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password


Allows you to encrypt the password using the encryption=yes
encryption option.

Effects of Backup-Restore on DCR


Data changes are a normal part of any restore from a backup. However, because Device and Credential
Repository (DCR) is a distributed system with varying modes, it is also possible for any restored DCR to:

Change modes.

Administration of Cisco Prime LAN Management Solution 4.2

3-24

OL-25947-01

Chapter 3

Administering LMS Server


Backing Up Data

For example, a Standalone DCR can be set after a backup to act as a Slave. When the restore is
performed, it will be reset to the Standalone mode. It depends on the DCR mode of the machine from
which the backup was taken (source machine), and the machine on which the data was restored
(target machine).

Change Master/Slave relationships.


For example, a DCR Slave may be using Master A at the time a backup is taken. Later, the domain
may be changed to use Master B, and the Slave reset to use Master B. When the restore is performed,
the Slave will attempt to use Master A.

For detailed information on DCR, see Managing Device and Credentials in Inventory Management
Guide.
The following scenarios helps you understand the implications of Restore operations on DCR.

Restoring Data From a DCR Standalone

Restoring Data From S1 on S1

Restoring Data From S1 to M1

Restoring Data From S1 on M2

Restoring Data From M1 on M1

Restoring Data From M1 to M2

Restoring Data From a DCR Standalone

If you restore the data backed up from a machine in the Standalone mode, on any machine whose
working mode is either Standalone, Master, or Slave, the end mode will be Standalone.
Let X be a machine in Standalone mode.
If you restore the data backed up from X, say Xb, on another Standalone machine Y, or a Slave S, or a
Master M, the end mode of Y, S, and M will be Standalone. Also, any slave of M will switch to
Standalone mode.
Further scenarios can be better explained based on the following DCR set up.
Let us assume there are two DCR domains.

For Domain 1, you have M1 as Master, and S1, and S2 as Slaves.

For Domain 2, you have M2 as Master, and S3, and S4 as Slaves.

Restoring Data From S1 on S1

Suppose you take a backup from S1. After sometime, you restore the backed up data, say S1b, on S1. S1
will look for its Master M1, and the Master-Slave relation between S1 and M1 will be intact, since M1
is available.
However, note that the restore on S1 will practically be of no effect since S1 and M1 will synchronize
after the restore on S1. The changes that have taken place after the backup was taken from S1 will be
reflected in S1, even if S1b is restored on S1.
In the above example, if the restore on S1 is performed when Master M1 is down, or has crashed, the
end mode of S1 will be Standalone. This is because S1 will try to contact M1, and will fail because M1
is down.
Restoring Data From S1 to M1

Suppose you take a backup from S1 and restore the backed up data, say S1b, on M1. M1 will switch to
Standalone mode because, after backup, it will not be able to find a Master. S1 will also switch to
Standalone mode.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-25

Chapter 3

Administering LMS Server

Backing Up Data

At the time of backup, if there were 1000 devices in M1, the Slave S1 would also have 1000 devices.
Assume more devices are added to M1 after the Backup. S1 will have the up-to-date device list. However,
after restore on M1, M1 will have only 1000 devices. In other words, the data on S1 will be more recent
than the data on M1.
Restoring Data From S1 on M2

Suppose you take a backup from S1 and restore the backed up data, say S1b, on M2, which is the Master
in the DCR Domain 2 in our example.
After the restore, the end mode of M2 will be Slave. That is, M2 will become a Slave of M1. Also, S3,
and S4, which were Slaves of M2, will switch to the Standalone mode.
Restoring Data From M1 on M1

Suppose you take a back up from M1. After the backup you would be performing several operations that
would bring about changes in the Master and the corresponding Slaves; M1, S1, and S2 in our example.
Now, if you restore the backed up data M1b, on M1 itself. The Master M1 will have data that is older
than the data in the Slaves, S1, and S2. In other words, the Slaves will have more recent data than that
on the Master.
To avoid this, you must perform the Restore operation in the following sequence:
Step 1

Back up data from the slaves, S1 and S2.

Step 2

Back up data from the Master, M1.


This is to ensure that the data backed up from M1 is more recent than the data backed up from S1 and S2.

Step 3

Stop Daemon Manager on all three machines.

Step 4

Restore data on the Master, M1.

Step 5

Restart Daemon Manager on M1.

Step 6

Restore data on S1, and S2 after the Master is up and stable,

Step 7

Restart Daemon Manager on S1, and S2.

This ensures that Master has more recent data than the Slaves.

Note

To avoid disturbances to the Master- Slave relationship, and to maintain consistency, it is better to take
a back up of all machines at the same time.
Restoring Data From M1 to M2

Suppose you take a backup from M1, and restore the backed up data, say M1b, on M2.
S3, and S4 which were Slaves of M2, will switch to Standalone mode.

Master-Slave Configuration Prerequisites and Restore Operations


DCR Master-Slave setup requires you to perform certain tasks prior to Master-Slave configuration, to
enable proper, and secure communication between them. This involves copying certificates, and setting
up a valid system identity user. For details, see Master-Slave Configuration Prerequisites.

Administration of Cisco Prime LAN Management Solution 4.2

3-26

OL-25947-01

Chapter 3

Administering LMS Server


Backing Up Data

Restore operations can affect Master-Slave relationships because they may modify these pre-configured
parameters.
For example, let M1 be the Master, and S1 its Slave. Let X be a standalone server.
Suppose you take a backup from S1, and restore the backed up data, say S1b on X.
Now, X has to be in Slave mode.
Since, M1 and S1 already shared a Master-Slave relationship, M1 will have the peer certificate of S1,
and S1 will have the certificate of M1.
After the restore operation, X will get the certificate of M1. However, if peer certificate of X is not
present on M1, X will not be able to have M1 as its Master.
So you have to ensure that the certificates of the peer machines are in place, before you do a Restore.
Other Master-Slave configuration prerequisites such as System Identity user configuration and Peer
Server Account user configuration might get affected by Restore operations.
For example: In M1 you have Joe as a Peer Server User and in S1 you add Joe as a System Identity user.
You take a backup from S1.
After you take the backup, say you change the Peer Server User and System Identity User to Bob.
Now if you restore the backed up data, say S1b the system Identity User would not be Bob anymore. This
will upset the Master-Slave relationship.
During restore you are prompted to confirm whether you need to overwrite the SSL certificate.
SSL certificates are tied to individual machines. So if you take a backup on one machine and restore it
on another, you should be careful not to overwrite the SSL certificate.
However, if you backup data from a machine and restore it to the same machine, you may overwrite the
SSL certificate.

Effects of Backup-Restore on Groups


Backup-Restore operations have an implication on the way Groups will be displayed in the LMS. The
changes in Groups behavior is discussed in relation with the Device and Credential Repository (DCR)
mode changes explained in Effects of Backup-Restore on DCR.
If you perform a backup on machine A and restore the backed up data, say Ab, on the same machine, the
system-defined groups, and the user-defined groups created after the data backup will be removed.
The following scenarios helps you understand the implications of Restore operations on Groups.

Restoring Data From a DCR Standalone

Restoring Data From S1 on S1

Restoring Data From S1 on M1

Restoring Data From S1 on M2

Restoring Data From M1 on M2

Restoring Data From a DCR Standalone

The following scenarios have to be considered:

Restore data from a Standalone machine A to another Standalone machine B:


The provider group name will change accordingly. That is, the provider group CS @A will become
CS@B.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-27

Chapter 3

Administering LMS Server

Backup for Cisco Prime Infrastructure

Restore data from a Standalone machine A to a Master M:


The Master will switch to Standalone mode. The provider group name will be updated accordingly.
The Slave groups will be removed from the Master.
Only the groups pertaining to LMS and the applications installed in the Standalone machine will be
visible. All dependent Slaves of M will become Standalone.

Restore data from a Standalone machine A to a Slave S:


The Slave will switch to Standalone mode. The provider group name is updated accordingly. The
groups pertaining to other Slaves in the domain, and the Master of S, will be removed from S. The
groups UI will be enabled.

The subsequent sections are based on the scenarios discussed in the Effects of Backup-Restore on DCR.
Restoring Data From S1 on S1

No impact on CS groups.
There may be applications installed on S1. Say you create 10 groups in the Applications before you
backup data from S1. After backup, assume you create 10 more groups in the Applications. After restore,
the 10 groups you created after backup will not be present. This loss of newly added groups also
propagates to other Slaves in the domain.
Restoring Data From S1 on M1

After restore, both S1 and M1 will switch to Standalone mode. Both will have only those groups
pertaining to LMS installed on the individual machines. Groups UI is enabled on S1. Also, the other
Slaves of M1 will switch to Standalone mode.
Restoring Data From S1 on M2

After restore, M2 will become a Slave of M1. The Groups UI in M2 will be disabled. M2 will pickup all
the groups from M1. Groups in M2 will be propagated to other slaves in the domain. All the slaves of
M2 (before restore) will now switch to Standalone mode.
Restoring Data From M1 on M2

Slaves of M2, that is S3 and S4, will switch to Standalone mode. Groups pertaining to S3 and S4 will be
deleted from M2.
In all the cases the System-defined Groups, and the User-defined Groups, are carried over and updated
in the target machine.

Backup for Cisco Prime Infrastructure


From LMS 4.2.2, Cisco Prime LAN Management Solutions will support data migration to Cisco Prime
Infrastructure (PI) and the device data from LMS 4.2.x versions can be exported to PI 1.2.
The following two procedures will be used to export data from LMS to PI:

Exporting Device Credentials Repository (DCR) data from LMSUser can export the Device List
and Credentials to a CSV file that would be shown as a link. The data backup status and backup
location will be displayed at the bottom of the Export Data to Prime Infrastructure page.

Administration of Cisco Prime LAN Management Solution 4.2

3-28

OL-25947-01

Chapter 3

Administering LMS Server


Licensing Cisco Prime LMS

Exporting complete data of LMSThis option enables you to store data in an external server or
LMS server. The default backup location will be populated in the Backup location field at the bottom
of the Export Data to Prime Infrastructure page. If the user chooses storing data in external server,
the external server credentials namely Server IP or Host name, username, password and backup
location will be required.

Licensing Cisco Prime LMS


You must register your software and obtain a product license before you start using an application. You
can obtain a product license and license your application, view details of your current software license,
or update to a new license from the Licensing page.
LMS will authenticate and perform the license check.
If your current license count is lower than your earlier license count, and you restore the data now,
devices that exceed the current licence count will be moved to Suspended state.
This section explains:

Obtaining a License for Cisco Prime LMS

Licensing the Application

Viewing License Information

Updating Licenses

Ordering LMS licenses

Obtaining a License for Cisco Prime LMS

To obtain a product license for your Cisco Prime applications, register your software at one of the
following websites. You will need to provide the Product Authorization Key (PAK), which is printed on
a label affixed to the Bundle sub-box.
If you are a registered user of Cisco.com, use this website:
http://www.cisco.com/go/license
If you are not a registered user of Cisco.com, use this website:
http://www.cisco.com/go/license/public
The product license will be sent to the e-mail address you provide during registration. Retain this license
with your Cisco Prime software records.
Licensing the Application

After you obtain the product license, perform these steps to license your software:
Step 1

Copy the new license file to the LMS Server, with read permission for casuser/casusers.

Step 2

Select Admin > System > License Management.


The License Information page appears. The License Information page displays the name, version, size,
status and expiration date of the license.

Step 3

Click Update.

Step 4

Enter the path to the new license file in the License field, or click Browse to locate the new file.

Step 5

Click OK.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-29

Chapter 3

Administering LMS Server

Compliane and Audit Manager (CAAM) Server License

The system verifies whether the license file is valid, and updates the license. The updated licensing
information appears in the License Information page. Otherwise an error message is displayed.
To return to the License Information page, click Cancel.

Note

You must have Compliance and Audit Manager (CAAM) server license for accesing the CAAM features
in LMS 4.2. For more details, refer Compliane and Audit Manager (CAAM) Server License.
Viewing License Information

To view details of your current software license, select Admin > System > License Management to
open the License Information page.
The license name, license version, size (device limit for the licensed application), status of the license,
and the expiration date of the license appear under License Information.
The license version shows the major version of the application.
Updating Licenses

You can view details of your current software license, or update to a new license from the License page.
To update to a new license from the Licensing page:
Step 1

Select Admin > System > License Management.


The License Information page displays the license name, license version, status of the license, and the
expiration date of the license.

Step 2

Click Update.

Step 3

Enter the path to the new license file in the License field, or click Browse to locate the new file.

Step 4

Click OK.
The system verifies whether the license file is valid, and updates the license. The updated licensing
information appears in the License Information page. Otherwise, an error message is displayed.
To return to the License Information page, click Cancel.

Ordering LMS licenses

For availability, ordering, upgrade, and licensing options refer to www.cisco.com/go/lms

Compliane and Audit Manager (CAAM) Server License


You must have CAAM server license for accessing the following CAAM features in LMS:

Compliance data collection

Compliance profile execution

Compliance Policy and groups

HIPAA Compliance Reports

SOX(COBIT) Compliance Reports

Administration of Cisco Prime LAN Management Solution 4.2

3-30

OL-25947-01

Chapter 3

Administering LMS Server


Configuring a Default SMTP Server

ISO/IEC 27002 Compliance Reports

NSA Compliance Reports

PCI DSS Compliance Reports

Department of Homeland Security (DHS) Checklist Reports

Defense Information Systems Agency (DISA) Checklists

Center for Internet Security (CIS) Benchmarkss

The following Compliance and Audit Reports are supported only by LMS license and do not require
CAAM server license.

Service Reports

Lifecycle Management Reports

Vendor Advisory Reports

Configuring a Default SMTP Server


This SMTP server is used by default when you add or edit subscriptions for e-mail notifications or send
e-mail notifications from the Alerts and Activities display. LMS also provides a facility for specifying a
default SMTP server. Specifying a default server here will override the setting used by LMS.
Step 1

Select Admin > System > SMTP Default Server.

Step 2

Enter a fully qualified SMTP server name.

Step 3

Click Apply.

Collecting Server Information


This feature helps you to get the required information about the server. The information about the server
includes system information, environment, configuration, logs, web server information, device and
credentials administration information, and grouping services information.
You can use the collected server information for troubleshooting.
For example, when you have chosen to collect the grouping services information about the server, the
following details will be collected and stored:

Status of LMS grouping server. The status values are Running, and Not Running.

List of groups created in the LMS grouping server.

Content of the registry and properties files associated with LMS.

Status of the grouping server installed on same Cisco Prime


Server. The status values are Running, and Not Running.

List of groups created in the LMS grouping server.

Content of the properties files associated with other applications.

Error encountered if the grouping servers are not running or if they are not reachable.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-31

Chapter 3

Administering LMS Server

Collecting Server Information

You can look into this collected information to find out the errors with grouping servers and debug them.
You can also collect server information using CLI. See Collecting Server Information Using CLI
To collect the server information:
Step 1

Select Admin > System > Server Monitoring > Collect Server Information.
The Collect Server Information page appears.

Step 2

Click Create to collect the current server information.


The Collect Server Information popup dialog box appears with a list of options. The available options
are:

Step 3

System Information Displays the server type, operating system version, installation date of
operating system, and other system information.

Event Logs Displays the logs of events in the LMS Server.

Cisco Prime Registry Displays the registry entries of Cisco Prime components installed in the
server.

Tomcat Log Files Displays the log files corresponding to the application server.

Grouping Service Displays the information of grouping servers and the groups created in the
grouping server.

Application Registry Details Displays the information of applications registered with Cisco
Prime home page.

Device Credentials Admin Information Displays the details of DCR mode, status of DCR Master,
number of devices in DCR and the contents of DCR configuration files.

ODBC Configuration Displays the information about the configuration of database connection
in the LMS Server.

Product Log Files Displays the contents of log files of all Cisco Prime components.

Environment Variables Displays the list of environmental variables set up in the LMS Server.

Process Status Displays the name of processes, current state of the process, process ID, start and
finish time of the process, and other information.

Network Configuration Displays information about the various configurations in a network.

Memory and Harddrive Status Displays details of free space and total space of memory and hard
disk drives in the LMS Server.

JRE Registry Displays information about the Java Runtime Environment registry files.

Select the check boxes corresponding to the options you need.


You can use the All check box to select or deselect all the available options.
By default all the check boxes are selected.

Step 4

Click OK.
The server information for the selected components is collected.
Collecting server information may take longer if more components are selected.
To return to the Collect Server Information page, click Cancel.
You can click Refresh in the Collect Server Information page to see the latest status.

Administration of Cisco Prime LAN Management Solution 4.2

3-32

OL-25947-01

Chapter 3

Administering LMS Server


Collecting Self Test Information

To view the collected information:


Step 1

Select Admin > System > Server Monitoring > Collect Server Information.
The Collect Server Information page appears.

Step 2

Click Server Information at the date time link to view the collected server information.
The popup window displays the server information collected.

Step 3

View server information by clicking the corresponding link in the Table of Contents.

To delete the collected server information:


Step 1

Select Admin > System > Server Monitoring > Collect Server Information
The Collect Server Information page appears.

Step 2

Select the corresponding check box of the server information you want to delete.

Step 3

Click Delete.

Collecting Server Information Using CLI

You can also collect server information using CLI.


Enter the following command:

NMSROOT\bin\perl NMSROOT\bin\collect.info (on Windows)

or

NMSROOT/bin/perl NMSROOT/bin/collect.info (on Solaris/Soft Appliance)

where NMSROOT is the directory where you installed Cisco Prime.

Collecting Self Test Information


You can view self test reports using this option. Self test feature helps to test certain basic functions of
the server.
Execute the following steps to receive the system generated self test report to your Email ID.
Step 1

Go to Admin > System > Server Monitoring > Selftest.

Step 2

Select the E-mail text box and enter your Email ID.

Step 3

Click Save.
The system generated self test report will be sent to the specified Email ID.

Execute the following steps to create a self test report.


Step 1

Select Admin > System > Server Monitoring > Selftest.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-33

Chapter 3

Administering LMS Server

Messaging Online Users

Step 2

Click Create to perform a selftest and to view the report.

Step 3

Click the Selftest Information at date time link.


A popup window displays the selftest information report.
To delete a Selftest Information report, select the checkbox and click Delete.

In LMS 4.2, the selftest report provides the following Hardware Parameters details:

Memory availability

Swap

CPU

DSN

Backup status

Number of MIB objects being polled

Maximum number of MIB objects that can be managed

Syslog database size

If the syslog database size exceeds 10 GB you need to purge the syslog records to reclaim space. Do the
following to purge syslog records and reclaim the database space:

Note

If you want to backup the syslogs, refer Setting the Syslog Backup Policy.

Step 1

Perform a forced purge of Syslog messages, refer Performing a Syslog Forced Purge.

Step 2

Open RMEDebugToolsReadme.txt from


NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\debugtools.
where NMSROOT is the Cisco Prime installation directory.

Step 3

Refer Syslog DBSpaceReclaimer Tool section in the RMEDebugToolsReadme.txt file and execute the
perl script DBSpaceReclaimer.pl.

Note

The perl script will reclaim the space occupied by SyslogFirst.db, SyslogSecond.db and
SyslogThird.db files present in the server. The amount of space reclaimed will depend on the
purge criteria that you specify. The most effective way to reclaim the space is to purge the
records older than 1 day.

Messaging Online Users


You can use the Notify User feature in LMS to broadcast messages to online users.
You can post messages to users with active Cisco Prime browsers. By default, the messages will be
received within 60 seconds. You can also change this polling interval.
To send a broadcast message:

Administration of Cisco Prime LAN Management Solution 4.2

3-34

OL-25947-01

Chapter 3

Administering LMS Server


Managing Resources

Step 1

Select Admin > System > User Management > Notify Users.
The Notify Users page lists all the users currently logged in.

Step 2

Enter the message in the Message field and click Send.


The Status field displays the status of the message.

Note

If you are using Microsoft Internet Explorer, make sure your browser is set to check for updates on every
visit to the page.

Managing Resources
LMS provides a Resource Browser for managing resources. You can free locked resources, when
necessary, if you have appropriate privileges. All users (including those with Help Desk role alone) can
access the Resource browser page. The Refresh icon in the Resource browser is available for all users.

Note

The System Identity user must configure all the Resource management related tasks. The Browse
Resources and Free Resources tasks should be enabled.
To view Resource details:

Step 1

Select Admin > Network > Resource Browser.


The Resource Browser page displays the following details:
Item

Description

Resource

Name of the resource currently locked.

Job ID / Owner

Number assigned to this task at creation time. Identifies all related locked
resources, and user who locked the resource.

Time Locked

Time this lock was established.

Expire Time

Lock expiration time.

To free locked resources:


Step 1

Select Admin > Network > Resource Browser.


The Resource Browser page appears.

Step 2

Check the check box corresponding to the Job ID.

Step 3

Click Free Resources.


All users (except those with Help Desk and Approver role) can perform the Free Resource operation in
the Resource browser.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-35

Chapter 3

Administering LMS Server

Modifying System Preferences

To view updated resources, click Refresh.

Modifying System Preferences


You can configure system-wide information on the LMS Server using the System Preferences option. It
is a way to centrally locate information that is used by Cisco Prime applications.
Field

Description

SMTP Server

System-wide name of the SMTP server used by Cisco Prime applications to


deliver reports. The default server name is localhost.

Administrator
E-mail ID

Cisco Prime Administrator e-mail ID.


This e-mail address is used as the From Address in all mails sent from LMS
Server.
There is no default e-mail ID.

Enable E-mail
Attachment

Allows you to enable e-mail attachments in the mails sent from LMS Server.
This option helps you to attach PDF or CSV reports with the e-mail after the
scheduled jobs have completed.
This option is disabled by default.

Maximum
Attachment Size

Maximum size of the e-mail attachments that are allowed to be sent from LMS
Server.
You can specify the attachment size in KB or MB.

RCP User

Name used by network device when it connects to LMS Server to run rcp.
User account must exist on UNIX systems, and should also be configured on
devices as local user in the ip rcmd configuration command. The default RCP
username is cwuser.

SCP User

Name used by network device when it connects to LMS Server to run SCP.
The username you have entered here is used for authorization while transferring
software images using SCP protocol.
You must specify a user name that has SSH authorization on a Solaris system.
SCP uses this authorization for transferring the software images.
This field is available only if Cisco Prime LMS applications are installed on the
LMS Server.

SCP Password

Enter the password for SCP User in this field.


The password you have entered here is used for authentication while
transferring software images using SCP protocol.
You must specify a user name that has SSH authentication on a Solaris system.
SCP uses this authentication for transferring the software images.
This field is available only if Cisco Prime LMS applications are installed on the
LMS Server.

Administration of Cisco Prime LAN Management Solution 4.2

3-36

OL-25947-01

Chapter 3

Administering LMS Server


Modifying System Preferences

RCP User

Name used by network device when it connects to LMS Server to run rcp.
User account must exist on UNIX systems, and should also be configured on
devices as local user in the ip rcmd configuration command. The default RCP
username is cwuser.

SCP User

Name used by network device when it connects to LMS Server to run SCP.
The username you have entered here is used for authorization while transferring
software images using SCP protocol.
You must specify a user name that has SSH authorization on a Solaris system.
SCP uses this authorization for transferring the software images.
This field is available only if Cisco Prime LMS applications are installed on the
LMS Server.

SCP Password

Enter the password for SCP User in this field.


The password you have entered here is used for authentication while
transferring software images using SCP protocol.
You must specify a user name that has SSH authentication on a Solaris system.
SCP uses this authentication for transferring the software images.
This field is available only if Cisco Prime LMS applications are installed on the
LMS Server.

To edit system preferences:


Step 1

Select Admin > System > System Preferences.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-37

Chapter 3

Administering LMS Server

Configuring Log Files Rotation

The System Preferences page appears.


Step 2

Caution

Enter the following information:

SMTP Server

Administrator E-mail ID

Maximum Attachment Size

RCP User

Set this information carefully. If you introduce errors, users may not be able to log in.

Step 3

Check the Enable crmlogger DNS Resolution check box to enable the Domain Name Service Resolution
for the crmlog service, on a Windows system.

Step 4

Enter the following fields, which are available only if Cisco Prime LMS applications are installed on the
LMS Server:

Step 5

SCP User

SCP Password

SCP Verify Password

Click Apply after making the changes. To cancel the changes, click Cancel.

Configuring Log Files Rotation


Log files can expand and fill up disk space. Log files rotation helps you manage the log files more
efficiently. See Maintaining Log Files for an overview of maintaining the log files in LMS Server.
Logrot is a log rotation program that enables you to control the size growth of the log files. It helps you
to:

Rotate log files while Cisco Prime is running.

Optionally archive and compress rotated logs.

Rotate log files only when they have reached a particular size.

Logrot helps you easily add new files. You can configure Logrot either from the UI or from the CLI.
The following log files are maintained by the log rotation program:

Daemon Manager

Web server log files

This section explains:

Configuring Log Files Rotation Settings From the User Interface

Configuring Log Files For Rotation From the User Interface

Scheduling Log Files Rotation

Configuring Logrot Utility

Running Logrot Script

Viewing the Scheduled Logrot Job

Administration of Cisco Prime LAN Management Solution 4.2

3-38

OL-25947-01

Chapter 3

Administering LMS Server


Configuring Log Files Rotation

Configuring Log Files Rotation Settings From the User Interface

To configure log files rotation from the user interface:


Step 1

Select Admin > System > Log Rotation.


The Log Rotation page appears.

Step 2

Set your backup directory in the Backup Directory field.


This backup directory stores the rotated log files.
You can also use the Browse button to select a directory from the file browser. The default directory is:

NMSROOT\log on Windows systems

/var/adm/CSCOpx/log on Solaris/Soft Appliance systems

If you do not set a backup directory, each log file will be rotated in its current directory.
Step 3

Select Restart Daemon Manager check box to stop and start the Daemon Manager before the log
rotation starts. This is optional.

Configuring Log Files For Rotation From the User Interface

To add the log files for rotation:


Step 1

Select Admin > System > Log Rotation.


The Log Rotation page appears.

Step 2

Click Add to add the log files you wish to rotate.


The Configure Logrot page appears.

Step 3

Enter the name of the log file in the Select Log File field.
You can enter only one log file at a time.
You should specify log file using its fully-qualified path. If the log files do not exist in the path you have
specified, this will not be considered for rotation.
You can also click Browse to select a log file name from the file system.

Step 4

Enter the maximum file size in the Maximum Logrot Size field.
The log file will not be rotated until this size is reached.
You can enter the file size in KB or MB. The default file size is 1024 KB. The maximum file size for log
rotation is 4096 MB.

Step 5

Select a file compression type from Compression Format.


The supported formats are:

Step 6

ZUNIX compression (on Solaris/Soft Appliance only)

gzGNU gzip

bz2bzip2 (on Solaris/Soft Appliance only)

Specify the number of backups in the No of Backups field.


If you do not want to keep any archives, enter 0 (the default) for this option.

Step 7

Click Apply to save the changes.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-39

Chapter 3

Administering LMS Server

Configuring Log Files Rotation

To return to the Log Rotation page, click Cancel.

To edit the log files that you have configured for rotation:
Step 1

Select Admin > System > Log Rotation.


The Log Rotation page appears.

Step 2

Select a record from the list of log files displayed.

Step 3

Click Edit.
The Edit Logrot page appears.

Step 4

Edit the name of the log file. The rotated log files will be stored with the new name you have edited.

Step 5

Edit the log file size, compression type or number of archive revisions.

Step 6

Click Apply to save the changes.


To return to the Log Rotation page, click Cancel.

Scheduling Log Files Rotation

To schedule log files rotation:


Step 1

Select Admin > System > Log Rotation.


The Log Rotation page appears.

Step 2

Click Schedule.
The Schedule Logrot appears.

Step 3

Select a value in the Hour and Min drop-down lists to specify the time at which the log rotation should
start.
You should specify the time in 24-hour format.

Step 4

Select a periodic or immediate backup schedule in the Frequency field.


The available schedule frequencies are:

Step 5

ImmediateLog rotation job runs immediately.

DailyLog rotation job runs every day at the time specified.

WeeklyLog rotation job runs once a week on the day and time specified. Select a day from the
Day of Week list.

MonthlyLog rotation job runs once a month on the day and time specified. Select a day from the
Day of Month list.

Click Apply to save the changes.


You can remove a schedule at any time. Click Remove to delete the scheduled job. The Remove button
is enabled only if you have scheduled a log rotation. To return to the Log Rotation page, click Cancel.

Configuring Logrot Utility

Logrot should be installed on the same machine where you have installed LMS.

Administration of Cisco Prime LAN Management Solution 4.2

3-40

OL-25947-01

Chapter 3

Administering LMS Server


Configuring Log Files Rotation

To configure the Logrot script:


Step 1

Enter:

NMSROOT\bin\perl.exe NMSROOT\bin\logrot.pl -c (on Windows)

Run /opt/CSCOpx/bin/logrot.pl -c (on Solaris/Soft Appliance)

The Logrot configuration menu appears. You have the following options:

Step 2

Edit variables.

Edit log files.

Quit and save changes.

Quit without saving change.

Select Edit variables to set your Backup Directory.


If you do not set a backup directory, each log will be rotated in its current directory.

Step 3

Select Edit log files to add log files you wish Logrot to rotate.
You can specify log files using fully-qualified or relative paths. If a relative path is specified, and the log
file does not exist in that path, the default log file path for your operating system will be added during
rotation (for example, /var/adm/CSCOpx/log on Solaris/Soft Appliance).

Step 4

Specify the number of archive revisions. If you do not want to keep any archives, enter 0 (the default)
for this option.

Step 5

Specify the maximum file size. The log will not be rotated until this size is reached. The unit is in
kilobytes (KB). The default is 1024 KB or 1 MB.

Step 6

Specify the file compression type to be used. It can be:

ZUNIX compression (on Solaris/Soft Appliance only)

gzGNU gzip

bz2bzip2 (on Solaris/Soft Appliance only)

When deleting logfiles, you can choose to delete an individual file, a list of files, or all files matching a
certain pattern.
For example, 1-3 means delete files numbered 1 through 3. a list of comma-separated file numbers, for
example, 1,21, means delete files numbered 1 and 21. A pattern string *.log means delete all files that
match the pattern *.log.
You can also specify the special pattern, *, which means delete all logfiles in the configuration.

Running Logrot Script

To run the Logrot Script enter:

On Windows:
Enter NMSROOT\bin\perl NMSROOT\bin\logrot.pl

On Solaris/Soft Appliance:
Run /opt/CSCOpx/bin/logrot.pl

You can schedule log rotation so that the utility works on a specified time and day.
The following command line flags are accepted:

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-41

Chapter 3

Administering LMS Server

Configuring Log Files Rotation

Caution

-v

option to get verbose messages.

-s

option shuts down dmgtd before rotating logs.

The Restart Delay variable controls the waiting duration (in seconds) before proceeding, after dmgtd is
shutdown. This option is only used if the -s argument is given to logrot. The default delay is 60 seconds.

-c

option reruns the configuration tool.

-h

option displays the help.

The following wrapLogrot permissions should be checked for proper working of LogRotation.
For Solaris:
bash-3.00# ls -l /opt/CSCOpx/bin/wrapLogrot
-r-sr-x--- 1 root

casusers

6852 Oct 1 19:08

/opt/CSCOpx/bin/wrapLogrot
For Virtual Appliance:
[root@HOSTNAME bin]# ls -l wrapLogrot
-r-sr-s--- 1 root casusers 7430 Sep 26 16:00 wrapLogrot
Viewing the Scheduled Logrot Job

You can view the scheduled jobs log file to troubleshoot the logrot utility.
To look at the scheduled logrot job:

On Windows, use the command: crontab.cmd

On Solaris, use the command:


crontab -l <UserName>

Example:
To view the job scheduled to run as root user, use the command:
crontab -l root

To view the job scheduled to run as casuser, use the command:


crontab -l casuser

On Soft Appliance, use the command:


crontab -lu <UserName>

Example:
To view the job scheduled to run as root user, use the command:
crontab -lu root

To view the job scheduled to run as casuser, use the command:


crontab -lu casuser

Administration of Cisco Prime LAN Management Solution 4.2

3-42

OL-25947-01

Chapter 3

Administering LMS Server


Configuring Disk Space Threshold Limit

Configuring Disk Space Threshold Limit


DiskWatcher is a back-end process that monitors disk space availability on LMS Server. This process
calculates the disk space information of a drive (on Windows) or a file system (on Solaris/Soft
Appliance) where Cisco Prime applications, are installed, and stores them in diskWatcher.log file.
Disk space information is calculated for the following directories on LMS Server:

Cisco Prime Installation directory (on both platforms)

/var directory (on Solaris/Soft Appliance platform only)

/tmp directory (on Solaris/Soft Appliance platform only)

The process calculates the disk space availability of the LMS Server directories at a regular interval of
approximately one hour.
In Solaris machines, the disk spaces of /opt file system is calculated in the first 30 minutes of every one
hour time. The disk spaces of /var file system and /tmp file system are calculated in the next 15 minutes
and in the last 15 minutes of an approximate one hour time interval.
This process also alerts you when the disk space is less than the threshold level you have configured in
the User Interface. Alerts are sent as urgent messages to logged in users. You can also receive the alert
messages through e-mail if you have configured your e-mail ID along with threshold level.
This process records the alert information in the system log files. The alert information is recorded in
diskWatcher.log and syslog.log files in Windows machines. They are stored in diskWatcher.log and
daemons.log files in Solaris machines.
To configure the disk space threshold limit:
Step 1

Select Admin > System > Server Monitoring > DiskWatcher Configuration.
The DiskWatcher Configuration page appears.

Step 2

Enter a threshold value in the Threshold for Cisco Prime Installation Directory field to monitor the disk
space in the Cisco Prime Installation directory. This is mandatory.
You should enter the threshold value in units of MB or GB.

Step 3

Enter a threshold value in the Threshold for /var and /tmp Directories field to monitor the disk space in
Solaris file systems. This is mandatory.
You should enter the threshold value in units of MB or GB.

Note
Step 4

This field is available only on Solaris systems.

Enter a valid e-mail in the E-mail ID field.


You can enter multiple e-mail addresses separated by commas.
The system uses the e-mail addresses to notify about the disk space availability when the disk space is
less than the threshold limit you have configured.
There may be a problem in sending e-mails if you have enabled virus scanner in the LMS Server.

Step 5

Click Apply to save the changes or click Cancel to reset the values.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-43

Chapter 3

Administering LMS Server

Effects of Third Party Backup Utility and Virus Scanner

Effects of Third Party Backup Utility and Virus Scanner


Sometimes, the LMS database fails to run and throws the following Sybase Assertion error message:
*** ERROR *** Assertion failed: 100909 (9.0.0.1383).
100909 is the Assertion ID.

The following are the scenarios where Assertion Error might appear:

If you use any third-party backup software to back up a live, running database, the Assertion Error
might be thrown.
This is because some of the database pages that have been modified will be in the database server
cache, so the database file will be in an inconsistent state.

If you use any anti-virus software.


The reason is, Adaptive Server Anywhere performs many reads and writes other than the normal I/O
operations, which contribute to the good performance of Adaptive Server Anywhere. However,
anti-virus software might detect this as a potential problem and quarantine the file.
This becomes hazardous if the .log or temporary files are quarantined, and it may cause corruption
by interfering with the normal functions of the database. Poor performance can also occur if the
anti-virus software is checking all I/O operations performed by the database server.

We recommend that you do not use third-party backup software for backing up a running database.
We also recommend that you configure your anti-virus software so that it must not scan the
NMSROOT/databases directory.
NMSROOT is the directory where you have installed Cisco Prime.

Configuring TFTP
This applies only to Solaris.
The TFTP (Trivial File Transfer Protocol) daemon shipped by Cisco Prime LMS supports TCP
(Transmission Control Protocol) Wrappers.
If the TCP Wrapper support is not configured properly in the server where Cisco Prime is installed, the
jobs requiring TFTP may fail.
To ensure that TFTP works properly, check the following configuration files:

Note

If /etc/hosts.allow file is present, ensure that the command in.tftpd is given as in.tftpd:ALL If the
command is not there in the file at all, add it as in.tftpd:ALL
If /etc/hosts.deny file is present, ensure that the command in.tftpd is not there in the file
If both the files are not present (/etc/hosts.allow and /etc/hosts.deny), you do not need to make any
changes

The TCP Wrapper software extends the abilities of inetd to provide support for every server daemon
under its control. It provides logging support, returns messages to connections, and permits a daemon to
accept only internal connections.

Administration of Cisco Prime LAN Management Solution 4.2

3-44

OL-25947-01

Chapter 3

Administering LMS Server


Cisco Prime Integration Application Settings

Displaying LMS Server Name With Browser Title

Displaying LMS Server name with browser title helps you to identify the server from which the
application window is launched especially in a multi-server setup and Single Sign-On based setup.
You can enable or disable the option of displaying the LMS Server name along with the browser title.
When you choose to display the server name in the browser title, the browser window displays the title
in the following format:
Hostname - ApplicationWindowTitle
where,
Hostname is the name of the LMS Server
ApplicationWindowTitle is the title of application window launched from LMS Server.

Note

By default, the option of displaying the LMS Server name with the application window title in the
browser is enabled.
For example, if the name of your LMS Server is lmsdocultra, then the title of the Cisco Prime home
page is displayed as lmsdocultra - CiscoPrime.
If you launch LMS from the Cisco Prime LMS, the title of the LMS window is displayed as lmsdocultra
- LMS Home.
You can also enable or disable the display of server name with the browser title by changing the
configurations in a properties file.
Configure the uii-windows.properties file located at NMSROOT/lib/classpath to:

Enable or disable the option of displaying server name with browser title.

Change the format of display from Hostname - ApplicationWindowTitle to


ApplicationWindowTitle - Hostname and vice versa.

Replace hyphen (-) with any other delimiter except empty spaces.

Trim the spaces between the Hostname, delimiter and Application window title.

Cisco Prime Integration Application Settings


The Cisco Network Analysis Module Traffic Analyzer (NAM) offers flow-based traffic analysis of
applications, hosts, and conversations, performance-based measurements on application, server, and
network latency, quality of experience metrics for network-based services such as voice over IP (VoIP)
and video. Only NAM 4.1 is supported in LMS 4.2. The Cisco Prime Integration Application Settings
page allows you to configure NAM.
To add, edit, or delete the NAM configuration details:
Step 1

Select Admin > Cisco Prime Integration > Application Settings. The Application Settings page
appears.

Step 2

You can do the following:

Add
Click Add. The Server Configuration page appears.
Select NAM from the drop-down list.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

3-45

Chapter 3

Administering LMS Server

Cisco Prime Integration Application Settings

Enter the IP Address in the NAM IP field.


Enter the user name and password in the corresponding fields.
Enter the SNMP read community.
Select either HTTP or HTTPS as the protocol.
Enter the port number.
Click Add to add the new NAM configuration details or Cancel to return to the NAM

Configuration page.

Edit
Select a configuration detail that has to be edited.
Click Edit. The Edit NAM Configuration page appears.
Enter the IP Address in the NAM IP field.
Enter the user name and password in the corresponding fields.
Enter the SNMP read community.
Select either HTTP or HTTPS as the protocol.
Enter the port number.
Click Edit to save the changes or Cancel to return to the NAM Configuration page.

Delete
Select a configuration detail that has to be deleted.
Click Delete. A confirmation dialog box appears.
Click OK to confirm or Cancel to return to the NAM Configuration page.

Filter
In the Filter By field, select the filter criteria e.g. ApplicationName from the drop-down list.
In the Matches text box, enter the matching details e.g. NAM.
Click Go, to execute the selected filter condition.
Click Clear Filter, to clear the filter condition.

Administration of Cisco Prime LAN Management Solution 4.2

3-46

OL-25947-01

CH A P T E R

Administering Discovery Settings and Device


and Credential Repository
You can configure discovery settings, and perform some administrative tasks in DCR.
This chapter contains:

Scheduling Device Discovery

Configuring Device Selector

Administering Device and Credential Repository

For details on configuring discovery logging, see Configuring Discovery Logging.

Scheduling Device Discovery


You can schedule one or more Device Discovery jobs. The optimum Device Discovery schedule depends
on the size of network and changes in the network.
Before you schedule a Device Discovery job, read the following:

Only one Device Discovery job can run at a time.

Ensure jobs, other than Device Discovery, are not scheduled parallely along with the Device
Discovery jobs. If any other jobs are scheduled parallely, Device Discovery job will take more than
5 min to complete.

When you schedule Device Discovery jobs, ensure that the schedule time does not overlap each
other. Otherwise, one of the Device Discovery jobs may fail.

You should configure the Device Discovery settings before you schedule a Device Discovery job.
Otherwise, the system displays an error message when you try add a schedule. However, you can
edit the Device Discovery settings for the scheduled job later.

From the Discovery Schedule page, you can:

Add a Device Discovery schedule. See Adding Device Discovery Schedule for details.

Modify a Device Discovery schedule. See Editing Device Discovery Schedule for details.

Delete a Device Discovery schedule. See Deleting Device Discovery Schedule for details.

Navigate to LMS Job Browser page. See Viewing the Status of Device Discovery Schedules for
details.

Start device discovery. See Starting Device Discovery for details.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-1

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Scheduling Device Discovery

Maintain multiple Device Discovery Settings for multiple schedules. See Maintaining Multiple
Discovery Settings for Multiple Scheduled Jobs for details.

View the Discovery Settings configured for the selected Device Discovery Schedule. See Viewing
Discovery Settings for Selected Discovery Schedule for details.

Edit the Discovery Settings for the selected Device Discovery Schedule. See Viewing Discovery
Settings for Selected Discovery Schedule for details.

Adding Device Discovery Schedule

To add a Device Discovery schedule:


Step 1

Select Admin > Network > Discovery Settings > Schedule.


The Discovery Schedule page appears.

Step 2

Click Add.
The Add Discovery Schedule popup window appears.
The Device Discovery schedules are dependent of Device Discovery Settings. You cannot click the Add
button if you have not configured Device Discovery Settings.
The Add button is disabled on a fresh installation of LMS in LMS Server.

Step 3

Select a value in the Hour and Min drop-down lists to specify the time when the Device Discovery should
start.
You should specify the time in 24-hour format.

Step 4

Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern
field.

Step 5

Enter a description in the Job Description field. This is optional.


You cannot edit the description entered in this field later.

Note
Step 6

The job description should not contain special characters like , and #.

Click Schedule.
The Device Discovery schedule is created and assigned with a job ID. Email notification is sent to the
email address you have configured in the Discovery Settings wizard.

Editing Device Discovery Schedule

To edit a Device Discovery schedule:


Step 1

Select Admin > Network > Discovery Settings > Schedule.


The Discovery Schedule page appears.

Step 2

Select a Device Discovery schedule from the list.

Step 3

Click Edit.
The Edit Discovery Schedule popup window appears.

Step 4

Edit the values in the Hour and Min drop-down list, if required.

Administration of Cisco Prime LAN Management Solution 4.2

4-2

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Scheduling Device Discovery

Step 5

Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern
field.

Step 6

Click Schedule to save the changes.

Deleting Device Discovery Schedule

To delete a Device Discovery schedule:


Step 1

Select Admin > Network > Discovery Settings > Schedule.


The Discovery Schedule page appears.

Step 2

Select a Device Discovery schedule from the list.

Step 3

Click Delete.
The Delete Confirmation dialog box appears.

Step 4

Click OK.
The selected Device Discovery schedule is deleted from the list of schedules.

Caution

Before you remove a Device Discovery schedule, ensure it is completed. Otherwise, if the
Device Discovery job is running, deleting the schedule will stop the job first and then will
remove it.

Starting Device Discovery

To start immediate discovery for scheduled job:


Step 1

Select Admin > Network > Discovery Settings > Schedule.


The Discovery Schedule page appears.

Step 2

Select a job from the list.

Step 3

Click Start Discovery. A popup window appears with the information on the immediate jobID.
The Start Discovery button will be disabled before setting any jobs or if a discovery is already running.

Step 4

Click OK. The Device Discovery summary screen appears.


You can view the status of the job in Job Browser page (Admin > Jobs > Browser).

Viewing the Status of Device Discovery Schedules

You can navigate to LMS Job Browser page from the Discovery Schedule page to view the latest status
of Device Discovery jobs.
To do so:
Step 1

Select Admin > Network > Discovery Settings > Schedule.


The Discovery Schedule page appears.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-3

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Scheduling Device Discovery

Step 2

Click the link provided at the bottom of the page.


The Job Browser page displays the Device Discovery jobs.

Maintaining Multiple Discovery Settings for Multiple Scheduled Jobs

Before creating a scheduled job, you must configure the Device Discovery settings. You can edit the
settings for scheduled jobs later and maintain different settings for different jobs.
To view the existing Device Discovery settings for a selected job, see Viewing Discovery Settings for
Selected Discovery Schedule.
To edit the Device Discovery settings for a selected job, see Editing Discovery Settings for Selected
Discovery Schedule.
Viewing Discovery Settings for Selected Discovery Schedule

You can view the Discovery settings used to create the selected Discovery Schedule job.
To do so:
Step 1

Select Admin > Network > Discovery Settings > Schedule.


The Discovery Schedule page appears.

Step 2

Select a Discovery schedule from the list.

Step 3

Click View Settings.


The View Discovery Settings dialog box appears.

Step 4

Click OK to return to the Discovery Schedule page after you have view the schedule.

Editing Discovery Settings for Selected Discovery Schedule

You can edit the Discovery Settings used to create the selected Discovery Schedule job.
To do so:
Step 1

Select Admin > Network > Discovery Settings > Schedule.


The Discovery Schedule page appears.

Step 2

Select a Discovery schedule from the list.

Step 3

Click Edit Settings.


The Module Settings page of Discovery Settings wizard appears.

Step 4

Edit the required module settings and click Next. The Seed Devices Settings page appears.

Step 5

Edit the required seed devices settings and click Next. If you do not want to proceed further, click
Finish. The SNMP Settings page appears.

Step 6

Edit the SNMP settings and click Next. If you do not want to proceed further, click Finish.
The Filter Settings page appears.

Step 7

Edit the Filter settings and click Next. If you do not want to proceed further, click Finish.
The Global Settings page appears.

Step 8

Edit the Global settings and click Next. If you do not want to proceed further, click Finish.

Administration of Cisco Prime LAN Management Solution 4.2

4-4

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Configuring Device Selector

The Discovery Settings Summary page appears.


Step 9

Click Finish to return to Discovery Schedule page.

Configuring Device Selector


The improved Device Selector allows you to search the devices in DCR. It helps to locate the devices
and perform the various device management tasks quickly. With this improved Device Selector, you need
not remember the device type or application group hierarchy to locate the devices.
The devices are categorized under Device Type based groups, User Defined groups, Subnet Based
groups, or under All Groups.
You can define the settings of the Device Selector pane to customize the display of devices and the order
of display. You can customize the top level groups, sub-groups and the list of devices displayed under
each group using the Group Customization option.
The Group Ordering option allows you to specify the order of display in which the groups are seen in
the Device Selector pane. See Device Selector Settings for more information.
The Device Selector Settings are specific to each user. You can search for devices using a Simple search
or an Advanced search. See Searching Devices for more information.
Tool tips are also provided for devices that contain long names so that you do not have to scroll
horizontally to see the complete device name.
The Device Selector is used to select devices to perform various device management tasks. The device
selector lists all devices in a group. The Device Name of the devices added in DCR is displayed in the
Device Selector pane.
The Device Selector contains the following components:
Component Name

Description

Search Input

Enter your search expression in this text field.


You can enter a single device name or multiple device names in this field.
You can enter the following as search inputs for searching multiple devices:

Comma separated list of full device names

Device names with wildcard characters, (?) and (*), to search for
multiple devices matching the text string entered in this input field.
The wildcard character ? matches a single character in a device name
and the wildcard character * matches multiple characters in a device
name.

Combination of comma separated list of device names, and device


names with wildcard characters.

See Performing Simple Search for more information.


Search

Use this icon to perform a Simple search of devices, after you have entered
your search input. See Performing Simple Search for more information.

Advanced Search

Use this icon to perform an Advanced search of devices. See Performing


Advanced Search for more information.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-5

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Configuring Device Selector

Component Name

Description

All

This tab lists all the top-level device groups and the device names under
each group in a hierarchical format (tree view).
The top-level device groups include:

All Devices

Device Type Groups

Subnet Groups

User Defined Groups

See Understanding Device Groups for more information on types of device


groups.
Search Results

This tab displays all the Simple or Advanced search results and you can
select all devices, clear all devices, or select a few devices from the list.
The Simple search results are based on the device name of the devices
added to DCR. The Advanced search results are based on the grouping
attributes of the grouping services server.

Selection

This tab lists all the devices that you have selected in the All or Search
Results tab or through a combination of both. You can also use this tab to
deselect the devices you have already selected.
You can perform more than one search and can accumulate your selection
of devices.

The Device Selector displays the number of devices selected by you at the bottom. When you click the
link provided, it launches the Selection Tab.
Tool tips are also provided for devices that contain long names so that you do not have to scroll
horizontally to see the complete device name.
This section contains the following information:

Selecting Devices for Device Management Tasks

Searching Devices

Device Selector Settings

Selecting Devices for Device Management Tasks


You can select devices to perform various device management tasks such as editing device credentials
and viewing device credentials, using any of these methods:

Selecting Devices From All Tab

Selecting Devices From Search Results

Combination of Selection From All Tab and Search Results

Selecting Devices From All Tab

The All tab lists the top-level device groups and the device names under each group in a hierarchical
format (tree view).

Administration of Cisco Prime LAN Management Solution 4.2

4-6

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Configuring Device Selector

You can select the devices from the tree view. The Selection tab shows the flat list of selected devices
from the All tab.
You should expand the nodes of the top-level device groups and sub groups to see the list of devices
within a group and select the devices you want. We recommend that you do not expand all and leave all
the multiple group nodes open. This may affect the performance of the device selector.
Selecting Devices From Search Results

You can perform a Simple Search or an Advanced Search, and the search results are displayed under the
Search Results tab. You can select the devices you want from the Search Results tab. The Selection tab
and the All tab, display the devices you have selected from the Search Results tab.

Note

You can perform more than one search and can accumulate your selection of devices.
Combination of Selection From All Tab and Search Results

You can select the devices from the All tab and add more devices to the Selection list from the Simple
or Advanced search results in the Search Results tab.
The Selection tab displays the accumulated list from both All and Search Results tabs.
You can enter another search criteria and select more devices. The selected devices are accumulated in
the Selection tab.

Searching Devices
With the improved Device Selector, you can search for the devices by performing a Simple search or an
Advanced search. In both cases, you do not need to remember the name of the devices and the groups in
which the devices are grouped.

Note

The search string is not case sensitive in LMS.


This section contains the following:

Performing Simple Search

Performing Advanced Search

Performing Simple Search


You can enter your search criteria in the Search Input field and search for the devices using the Search
icon. The search results are based on the device name of the devices added in DCR.
Note the following points when you perform a Simple search.

You can enter a comma separated list of device names to search for multiple devices.

You can use the wildcard characters, * and ?, to search for multiple devices that match the text string
entered in this input field. Multiple wildcard characters are allowed in a search string.

You can use the combination of comma separated list of device names and wildcard characters in
the device names to search for multiple devices.

If you are not using the wildcard characters, make sure that you enter the full device name.

For example, when you enter device2?, *.cisco1,*device10* as search input, the system displays:

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-7

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Configuring Device Selector

Device names starting with device2 and with only one character after device2

Device names ending with .cisco1

Device names containing the text string device10

Performing Advanced Search


Use the Advanced Search icon to open the Advanced Search popup window and specify a set of rules for
performing an Advanced search. The advanced search is based on the grouping attributes of the
application's grouping server.
You can create a rule in the Advanced Search dialog box by either:

Using Expressions

or

Using Rule Text Fields

You can verify if the rule you have entered is correct using the Check Syntax button, and reset the rule
you have created using the Clear button.

Using Expressions
You can use expressions to form a rule in the Advanced Search Dialog box. Each rule expression
contains:

Device Type Object type used for forming a group. All expressions start with the string Device

Variables Device attributes used to form a device group. The list of variables for advanced search
are Category, DeviceIdentity, DisplayName, DomainName, HostName, ManagementIpAddress,
MDFId, Model, Series, SystemObjectID, and the user-defined data, if any.
The list of device attributes are different across Cisco Prime modules. The Advanced Search window
in the Device Selector of Cisco Prime applications displays the respective device attributes as
variables.

Operators Various operators to be used with the rule. The list of operators includes equals,
contains, startswith, and endswith. The list of operators changes dynamically with the value of the
variable selected.
For the ManagementIpAddress variable, you can select the range operator other than the standard
list of operators. The range operator enables you to search for devices of the specified range of IP
Addresses. SeeUsing IP Address Range to Form a Search Rule for more information.

Value Value of the variable. The value field changes dynamically with the value of the variable
and operator selected, and this may be a text field or a list box.

After you define the rule settings, click Add Expression to add the rule expression.
You can also enter multiple rule expressions using the logical operators. The logical operators include
OR, EXCLUDE and AND.
Using IP Address Range to Form a Search Rule

The range operator enables you to search the devices of the specified range of IP Addresses. You can
select the range operator only for the ManagementIpAddress and IP.Address variables.
You should enter the range of IP Addresses in the Value field, to create a search rule based on IP Address
ranges.
When you enter the IP Address range in the text field, you should:

Administration of Cisco Prime LAN Management Solution 4.2

4-8

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Configuring Device Selector

Specify the range with permissible values for one or more octets in the IP Address.
The minimum limit in the range is 0 and the maximum limit is 255.

Use the hyphen character (-) as a separator between the numbers within a range.

Specify the range of IP Addresses within the [ and ] characters to create a group rule.

For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field.
You should not:

Enter numbers lesser than 0 and greater than 255 in the IP Address range.

Enter any characters other than the range separator (-).

Enter the value of highest limit in the range as less than the value of smallest limit number. For
example, you should not enter 10.10.10.[8-4].

Example for forming a Search Rule Using Expressions

For example, if you want to search all the devices in the network whose device name contains
TestDevice or their IP Addresses within the range 10.10.210.207 to 10.10.212.247, you must perform
the following:
Step 1

Click the Advanced Search icon in the Device Selector pane.


The Define Advanced Search Rule dialog box appears.

Step 2

Step 3

Create a search rule expression. To do so:


a.

Select Variable as DisplayName

b.

Select Operator as equals

c.

Enter the Value as TestDevice

Click Add Rule Expression.


The rule is added into the Rule Text.

Step 4

Step 5

Create another rule expression. To do this:


a.

Select OR as the logical operator

b.

Select Variable as ManagementIPAddress/IP.Address

c.

Select Operator as range

d.

Enter the Value as 10.10.[210-212].[207-247]

Click Add Rule Expression.


The rule is appended into the Rule Text.

Step 6

Click Search to display the devices that satisfies the specified rule in the Device Selection dialog box.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-9

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Configuring Device Selector

Using Rule Text Fields


You can use Rule Text Fields to directly enter a rule without building any expressions. Ensure the rule
you create follows the syntax Object type.Variable Operator Value.
You can also enter multiple rule expressions using the logical operators.
For example, if you want to search all the devices in the network whose device name contains
or their SysObjectIDs start with 1.3.12.1.4, you must construct a rule as follows:

TestDevice

Device.DisplayName contains "TestDevice" OR Device.SystemObjectID startswith


1.3.12.1.4"

Note

We recommend that you use expressions to construct a complex rule instead of creating them using the
Rule Text field. Use the Rule Text field to make any minor edits to the constructed rule.

Additional Notes
Read the following notes before you perform an advanced search:

You cannot use wildcard characters in the Value field. Instead you can use the operator as startswith
or contains.

You can use Check Syntax button, when you add or modify a rule manually.

You must delete the complete rule expression including the logical operator, when you delete a
portion of your rule.

The search string is case-insensitive.

Device Selector Settings


The devices are categorized under Device Type groups, User Defined groups, Subnet groups,
Application specific groups or under All groups.
You can define the settings of the Device Selector pane to customize the display of devices and the order
of display. These configurations are specific to each user and you can save them.
The devices are displayed in the appropriate category based on your roles and privileges. All the devices
will be listed to the administrator role.
This section has the following information:

Understanding Device Groups

Customizing Device Grouping

Customizing Display Order of Device Groups

Understanding Device Groups


The Device Selector pane displays the following top-level device groups:

All Devices

Device Type Groups

Subnet Groups

User Defined Groups

Administration of Cisco Prime LAN Management Solution 4.2

4-10

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Configuring Device Selector

All Devices
The All Devices Group displays all the devices in the application in the alphabetical order of their device
names. The device names are defined when you have added the devices in DCR.

Device Type Groups


The Device Type Groups displays all devices in groups and subgroups based on their Device Category,
Series and Model. By default, the device grouping is based on their Device Categories such as Routers,
Switches and Hubs.
The Device Category Groups folder can contain devices in subgroups based on their Device Series. For
example, the Device Category Group Router can contain devices (Routers) in subgroups Cisco 7000
Router Series and Cisco 12000 Router Series.
The Device Series subgroup can contain subgroups of devices based on their Model. For example, the
subgroup Cisco 12000 Router Series can contain the devices Cisco 12012 Router and Cisco 12816
Router.
See Customization of Device Type Groups for information on customizing the display of devices under
Device Type Groups.

Subnet Groups
You can see Subnet Groups, only when Topology and Identity Services functionality is enabled. You can
check the functionality settings at Admin > System Administration > Collection Settings >
Functionality Settings.
In a Multi Server setup, when two or more servers are installed with the Topology and Identity Services,
then the Subnet Groups from all the servers will be aggregated and displayed under the Subnet Groups
folder in the Device Selector pane.
See Customization of Subnet Groups for information on customizing the display of devices under this
group.

User Defined Groups


The User Defined Groups are created by users to administer the applications. The User Defined Groups
are created in Groups Administration window based on defined group rules.
All User Defined Groups (shared groups) from all application group hierarchies are collated and shown
as subgroups under this group. In a Multi Server Setup, the top level User Defined Groups will be named
as User Defined Groups@Server Name.
When there two or more User Defined Groups with the same name, the Device Selector displays all of
them. You have to use the Tooltip to find the source server where the User Defined Group is created.

Tip

We recommend you to provide unique and meaningful names to User Defined Groups when you create
them to avoid the display of multiple User Defined Groups with the same name.
See Customization of User Defined Groups for information on customizing the display of devices under
this group.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-11

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Configuring Device Selector

Customizing Device Grouping


You can customize the device grouping and display the customized device groups in the Device Selector
pane. See Understanding Device Groups for more information on Device Groups.
You can use the Group Customization option to customize the display of device groups.
This section contains:

Customization of Device Type Groups

Customization of Subnet Groups

Customization of User Defined Groups

Customization of Device Type Groups


You can display or hide the Device Type Groups folder in the Device Selector pane using the Group
Customization option. You can customize the Device Type Based Groups folder to display:

All devices in groups, based on their Device Category only

All devices in groups and subgroups, based on their Device Category and Series

All devices in groups and subgroups, based on their Device Category, Series and Model

By default, the Device Type Group folder displays the devices in sub groups based on their category only.
To display the devices in groups based on their Device Category:
Step 1

Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.

Step 2

Check the Show Category Groups check box from the Device Type Based Groups panel.

Step 3

Click Apply to save your changes or click Restore Defaults to restore the default values.

To display the devices in groups and subgroups based on their Device Category and Series:
Step 1

Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.

Step 2

Check the Show Series Groups check box from the Device Types Based Groups panel.
When you check the Show Series Groups check box, the Show Category Groups check box will also be
checked automatically and will be disabled.

Step 3

Click Apply to save your changes or click Restore Defaults to restore the default values.

Administration of Cisco Prime LAN Management Solution 4.2

4-12

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Configuring Device Selector

To display the devices in groups and subgroups based on their Device Category, Series and Model:
Step 1

Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.

Step 2

Check the Show Model Groups check box from the Device Type Based Groups panel.
When you check the Show Model Groups check box, the Show Category Groups and Show Series
Groups check boxes will also be checked automatically and will be disabled to you.

Step 3

Click Apply to save your changes or click Restore Defaults to restore the default values.

To hide the display of Device Type Based Folders from the Device Selector Pane:
Step 1

Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.

Step 2

Go to the Device Type Based Groups Panel and uncheck all the check boxes.

Step 3

Click Apply to save your changes.

Customization of Subnet Groups


The Subnet Groups contains device groups from the Topology and Identity Services. By default, the
Subnet Based Groups folder is not displayed in the Device Selector pane.
You can customize the Device Selector pane to display the Subnet Based Groups folder using the Group
Customization option.
To display the devices under Subnet Based groups in the Device Selector Pane:
Step 1

Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.

Step 2

Check the Show Subnet Groups at the First Level check box from the Subnet Based Groups Panel.

Step 3

Click Apply to save your changes or click Restore Defaults to restore the default values.

Customization of User Defined Groups


You can customize the User Defined Groups folder in the Device Selector pane to contain the following:

Only User Defined Groups created by you in the local server

Only User Defined Groups created by you in all Peer Servers in a Multi Server setup

All User Defined Groups created by any user in the local server

All User Defined Groups created by any user in all Peer Servers in a Multi Server setup

By default, you can view all the User Defined Groups (irrespective of any user) created in the local server
in the Device Selector pane.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-13

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Configuring Device Selector

To display only the User Defined Groups created by you:


Step 1

Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.

Step 2

Select My User Defined Groups from the Show drop down list box in the User Defined Groups panel.

Step 3

Select either:

Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups
created by you in the local server.

Or

All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined
Groups created by you in all the servers in a Multi-server setup.

In a Standalone Server Setup, the From drop down list box contains only Local LMS Server list item.
Step 4

Click Apply to save your preferences or click Restore Defaults to restore the default values.

To display all the User Defined Groups created by all users:


Step 1

Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.

Step 2

Select All User Defined Groups from the Show drop down list box in the in the User Defined Groups
panel.

Step 3

Select either:

Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups
in the local server.

Or

All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined
Groups in all the servers in a Multi-server setup.

In a Standalone Server Setup, the From drop down list box contains only Local LMS Server list item.
Step 4

Click Apply to save your preferences or click Restore Defaults to restore the default values.

Customizing Display Order of Device Groups


You can specify the order in which device groups appear in the Tree view on the Device Selector pane
using the Group Ordering option.
The Group Ordering setup is specific to each user and the changes will be reflected in the Device
Selector panes of all applications.
The default order of the groups displayed in the Device Selector pane is:
1.

All Devices

2.

Device Type Groups

3.

User Defined Groups

Administration of Cisco Prime LAN Management Solution 4.2

4-14

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Administering Device and Credential Repository

4.

Subnet Groups

5.

Application Specific Groups

You can change the order and save the configurations.


To change the order of the device groups:
Step 1

Select Admin > Network > Display Settings > Group Ordering.
The Group Ordering page appears.

Step 2

Select a group from the list displayed.

Step 3

Click Up to move the device group up in the displayed order or click Down to move down.

Step 4

Click Apply to save the changes to your system or click Restore Defaults to restore the default settings.

Administering Device and Credential Repository


The DCR Administration feature allows you to do the following tasks:

Changing DCR Mode

Configuring Device Polling

Configuring User Defined Fields

Configuring Default Credentials

To perform these tasks, select Admin > Network > Device Credential Settings. The Admin page
appears with the current DCR Administration settings.
You can change the Mode Settings or modify User Defined fields.

Changing DCR Mode


To change Mode Settings:
Step 1

Select Admin > Network > Device Credential Settings > Mode Settings. The Mode Settings page
appears.

Step 2

Click Change Mode to change the current mode.


The DCR Mode dialog box appears. You can select the required mode from this dialog box.

This section contains information on:

Master-Slave Configuration Prerequisites

Changing the Mode to Standalone

Changing the Mode to Master

Changing the Mode to Slave

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-15

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Administering Device and Credential Repository

Master-Slave Configuration Prerequisites

Before you set up the Master and Slave, you have to perform certain tasks to ensure that secure
communication takes place between the Master and Slave.

Tip

We recommend you to configure the Master and all its Slaves in the management domain with the same
version of LMS software. See Using DCR Features in a Master-Slave Setup section in the Inventory
Management Guide.
If machine M is to be the Master and S is to be the Slave:

Step 1

Add a Peer Server User and password in M


See Setting up Peer Server Account for details.

Step 2

Add a System Identity user and password in S. This should be same as the Peer Server User set up in M.
See Setting up System Identity Account for details.

Step 3

Copy the Self-Signed Certificate of S to M. Also, copy the Self-Signed Certificate of M to S.


See Creating Self Signed Certificates for details on creating Self-Signed Certificate and Setting up Peer
Server Certificate for details on copying Peer Certificate.

Step 4

Configure S as Slave and M as Master.

Changing the Mode to Standalone


Step 1

Select the Standalone radio button.

Step 2

Click Apply to change mode.


The default DCR mode is Standalone.

Changing the Mode to Master

Before you change the mode to Master, ensure that Master-Slave Configuration Prerequisites are in
place.
Step 1

Select the Master radio button.

Step 2

Click Apply to change mode.

Changing the Mode to Slave

Before you change the mode to Slave, ensure that Master-Slave Configuration Prerequisites are in place.
You need to perform the following tasks:
Step 1

Select the Slave radio button.

Step 2

Enter the hostname of the Master in the Master field.


This hostname should exactly match the Hostname field in the Self Signed Certificate of the Master.

Administration of Cisco Prime LAN Management Solution 4.2

4-16

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Administering Device and Credential Repository

Step 3

Specify the SSL port of the master. Default is 443.

Step 4

Select Inform Current slave(s) of new Master Hostname only if you want to change the mode from
Master to Slave.
If you select this check box, all the slaves of the Master (whose mode you currently changed to Slave)
will be informed of the new master hostname. That is, they will become the slaves of the new Master.

Step 5

Select the Add new devices to Master check box to add the devices in Slave to the new Master.
If the devices are already available in the new Master, they will be discarded.

Step 6

Click Apply.
A warning message appears when the Master server has the earlier version of LMS.

Step 7

Click OK to change the mode to Slave.


To cancel the change of mode, click Cancel.

Note

You must restart the daemon manager after the mode change to Slave is complete.

Changing the Hostname of a Master

Changing the hostname of a Master is equivalent to pointing Slaves to a new Master.


When you point a Slave/Standalone to a new Master, DCR checks whether the new Master has the same
Domain ID as the current machine.
If Domain ID is the same, DCR displays an error message that Master cannot be configured since the
new Master has the same Domain ID.
In this case, you need to convert the Slave to Standalone, and then register the machine with the new
Master. When you re-register, the applications on Slave will clean up the device list.
When you change the host name of the current Master, you must change the Slave mode to Standalone,
and then re-register the machine as a Slave by providing the new Master hostname. However, when the
machine is re-configured as Slave, the applications will clean up the device list.
For example, if you have a Master M and Slave S, and if you change the hostname of M, you should
change the mode of S to standalone. Then, you have to configure S as the Slave of M. But when you
re-configure S as Slave, the applications on S will clean up their device lists.
Therefore, you have to be aware that while changing the hostname of a Master, application data is
cleaned up on all Slaves.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-17

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Administering Device and Credential Repository

Configuring Device Polling


In the earlier releases, there was no mechanism to detect the devices that were not reachable for a certain
time period and easily identify the devices to be deleted.
The Device Polling configuration feature overcomes this and helps you to:

Activate Device Polling to check whether the devices can be reached

Configure Device Polling policy

Schedule Device Polling

Display a list of devices that are not reachable for a certain period of time

Delete the selected unreachable devices from DCR

You should have the required privileges to configure Device Polling policy.
You should be a Network Administrator, or a System Administrator to perform this task in Local
Authentication mode.
You should have the following privileges to delete the devices:

Privileges to perform the Delete Devices task

Device level authorization

This section explains:

Configuring Device Polling Settings

Deleting Unreachable Devices from DCR

Configuring Device Polling Settings


You can configure a Device Polling policy and schedule a Device Polling job to check whether the
devices can be reached.
Read the following notes before you configure Device Polling settings:

You can use any one or more of the following protocols to poll devices:
ICMP (Ping)
SNMPv3
SNMPv2c/SNMPv1

When you select all protocols, the devices in the network are polled using ICMP (Ping) first
followed by SNMPv3, and later by SNMPv2c/SNMPv1.

When you select SNMPv2c/SNMPv1 protocol, SNMPv2c is used first to poll the devices. SNMPv1
is used to poll the devices only if the SNMPv2c protocol has failed to query the device.

If you use more than one protocol for polling and if a device is reachable using the first protocol,
the other protocols will not be used.

You can configure only one job at a time to detect unreachable devices. You can modify the schedule
later at any point of time.

You cannot schedule an immediate Device Polling job.

In a Master-Slave setup, you can configure Device Polling settings and run the Device Polling job
only from Master server.

Administration of Cisco Prime LAN Management Solution 4.2

4-18

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Administering Device and Credential Repository

To configure a Device Polling policy:


Step 1

Select Admin > Network > Timeout and Retry Settings > Device Poll Settings.
The Device Poll Settings page appears.

Step 2

Select the Activate Device Polling to Check Reachability check box to enable Device Polling.
Device Polling is not enabled by default. You must select this check box to activate Device Polling.

Step 3

Configure a Polling Policy. To do so:


a.

Enable one or all of the check boxes in the Poll Policy panel to select the protocols to be used for
polling:
ICMP (Ping)
SNMPv3
SNMPv2c/SNMPv1

You must select at least one protocol to activate Device Polling.


b.

Enter the timeout value for the selected protocols in the appropriate Timeout fields.
The timeout denotes the time period after which the ICMP or SNMP query of devices times out.
You must enter the timeout value in milliseconds. The minimum timeout value is 1000 milliseconds
and the maximum value is 20000 milliseconds.
Default value is 1000 milliseconds.
You cannot leave this field blank.

c.

Enter the value of retries for the selected protocols in the appropriate Retries fields.
The retry denotes the number of attempts made to query the device.
You can specify any value between 0 to 8 as number of retries. The default number of retry is 1 for
both ICMP and SNMP protocols.
You cannot leave this field blank.

d.

Enter the number of instances in Notify when devices not reachable for, to receive notifications
when the devices are not reachable for a specific time period.
This is mandatory.
For example, if you enter the number of instances as 2 and the Device Polling job frequency as Daily,
you will receive notifications of devices that are not reachable for two days or more than 2 days.
If you enter the number of instances as 3 and the Device Polling job frequency as 6 hours, you will
receive notifications of devices not reachable for last 18 hours or more than 18 hours.
See Step 4 for details on the job frequencies available.

Step 4

Schedule the Device Polling task. To do this:


a.

Select a job frequency from the Run Type drop-down list.


You can schedule only periodic Device Polling. The scheduling can be 6 -Hourly, 12 -Hourly, Daily,
Weekly, or Monthly.

b.

Enter a date in the Date field or select a date from the date picker to start the scheduled job.
The current date on the client system is displayed in the Date field by default.

You can edit the schedule at a later point of time. See Step 5 for details.
If you do not want to edit the schedule, go to Step 7.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-19

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Administering Device and Credential Repository

Step 5

Select the Change Schedule check box if you want to edit the schedule information (Run Type and
Starting Date).
This field does not appear after a fresh or upgrade installation of LMS or if a Device Polling job has not
been scheduled earlier.
If you opt to change the schedule, the existing job schedule is deleted from Job and Resource Manager
(JRM) and a job is scheduled. The device reachability status is also reset.
A warning message appears if you select this check box.

Step 6

Click OK.

Step 7

Enter the Job information. To do this:


a.

Select the Report Attachment field if you want to receive the report through e-mail.

b.

Select the Attachment Option as either PDF or CSV.

c.

Enter a brief description about the Device Polling job in the Job Description field.

d.

Enter your e-mail ID in the E-mail field to receive notifications about the status of the Device
Polling job.
You can enter multiple e-mail addresses separated by commas.
Entering an e-mail ID is mandatory when you have selected the Report Attachment field.

Step 8

Click Apply for the Device Polling settings to take effect.


The Device Polling schedule is created and assigned with a job ID.
Notification is sent to the e-mail address you have configured in the Device Polling Settings page.

Deleting Unreachable Devices from DCR


The possible reasons for device unreachability are:

Connectivity protocols such as SNMP or ICMP may be disabled on the device.

Incorrect credentials may be configured for the device.

Invalid timeout and retries may have been configured on the device.

To delete unreachable devices from DCR, select Reports > Inventory > Management Status >
Unreachable Devices.

Configuring User Defined Fields


The User Defined Fields (UDFs) are used to store the additional information about a device. DCR
supports a maximum of ten UDFs.
By default, the user interface provides four UDFs:

user_defined_field_0

user_defined_field_1

user_defined_field_2

user_defined_field_3

Administration of Cisco Prime LAN Management Solution 4.2

4-20

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Administering Device and Credential Repository

You can add six more UDFs through the user interface. You can rename or delete all the UDFs including
the four default UDFs provided by the user interface.
This section explains the following:

Adding User Defined Fields

Renaming User Defined Fields

Deleting User Defined Fields

Adding User Defined Fields


To add a User Defined Field (UDF):
Step 1

Select Admin > Network Administration > Device Credential Repository Settings > User Defined
Fields.
The User Defined Fields page appears with the current settings.

Step 2

Click Add to add a UDF.

Step 3

Enter the field label and description in the corresponding fields.

Step 4

Click Apply to apply the changes. To return to the User Defined Fields page, click Cancel.

Renaming User Defined Fields


To rename a UDF:
Step 1

Select Admin > Network > Device Credential Settings > User Defined Fields.
The User Defined Fields dialog box appears.

Step 2

Select the radio button corresponding to the UDF you want to rename.

Step 3

Click Rename.
The User Defined Field dialog box opens in a new window.

Step 4

Enter the UDF label and description in the corresponding fields.

Step 5

Click Apply. To return to the User Defined Fields page, click Cancel.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-21

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Administering Device and Credential Repository

Deleting User Defined Fields


By default, you can define four attribute fields for a device. These fields are used to store additional
user-defined data for the device. You can add up to ten UDFs.
To delete a UDF:
Step 1

Select Admin > Network > Device Credential Settings > User Defined Fields.
The User Defined Fields dialog box appears.

Step 2

Select a UDF and click Delete.


A confirmation message window appears.

Step 3

Click OK. To return to the User Defined Fields page, click Cancel.

Configuring Default Credentials


Devices added or imported into DCR do not contain all credentials required by the network management
applications to manage them. Sometimes this could lead to failure of application jobs.
The default credentials feature helps you to add or import devices into DCR with the default credentials
and prevents the management applications from failing when the network management applications
manage the devices added or imported in DCR.
Default credentials are stored in DCR and are not associated with any device.
You can configure multiple default credential sets. You can set these default credential sets for a range
of devices to be added or imported to DCR based on certain policies.
You should be a Network Administrator, a System Administrator, or a Super Admin to configure default
credential sets and default credential set policies.
This section explains:

Using Default Credentials

Important Notes on Default Credentials

Default Credentials Behavior in Multi-Server Setup

Configuring Default Credential Sets

Configuring Default Credential Set Policy

Using Default Credentials


You can choose to use the default credentials when you:

Manually add devices in DCR


When you manually add devices with a similar credential set in DCR, you have to enter the
credentials repetitively for every device addition. Instead, you use the default credentials defined in
default credential sets or default credential set policies to populate DCR.

Add devices into DCR through Discovery


Discovery populates only the SNMP read community string in DCR during device addition and
leaves the other credentials as blank.

Administration of Cisco Prime LAN Management Solution 4.2

4-22

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Administering Device and Credential Repository

When other applications manage the newly added device, the management operations fail if they
cannot retrieve the required credentials from DCR. To prevent the management operations failing,
you can use the default credentials while adding devices through Discovery.

Import devices into DCR


Importing devices from a file, NMS or any other third party applications into DCR populates the
SNMP read-only community string and the SNMP read/write community string.
When other applications manage the newly imported devices, the management operations fail if they
could not retrieve the required credentials from DCR. To prevent the management operations from
failing, you can use the default credentials while importing devices from NMS or any other third
party application.

Important Notes on Default Credentials


You should read the following notes about the default credentials before you configure them and choose
to use them in various flows:

The default credentials you use while adding or importing devices into DCR will not be verified.

You can configure multiple default credential sets and add or import a set of devices in DCR with
default credentials from a default credential set. Later, you can edit the value of the credentials in a
default credential set and add another set of values with the edited default credentials.

The devices that are already added or imported into DCR will not be affected if you edit the values
of the default credentials or remove the default credentials from DCR.

Devices added with default credentials in DCR populates all the credentials you have configured for
the default credential set irrespective of the device management type.
For example, if you have configured the default credential set with Standard credentials, SNMP
credentials, and Auto Update Server Managed Device credentials and if you add a device of
Standard management type in DCR, the Auto Update Server Managed Device credentials are also
populated for that device.

We recommend you to configure a default credential set with the values common for most of the
devices that are to be added or imported into DCR.

Default Credentials Behavior in Multi-Server Setup


You can configure the default credential sets and policies only in the DCR Master and Standalone modes.
This option is not available in the DCR Slave Server.
However, you can use the default credentials in the Cisco Prime applications in DCR Slave Server while
adding the devices to DCR. If you opt to use the default credentials, the DCR Slave Server uses the
credentials stored at the DCR Master Server.
If you configure a LMS Server from DCR Standalone to DCR Slave mode, the default credentials entered
in the server will not be used after the mode is changed to Slave. However, when you change the DCR
mode back to the Standalone mode from the Slave mode, the default credential sets and policies are
restored as configured earlier.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-23

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Administering Device and Credential Repository

Configuring Default Credential Sets


You can configure a maximum of 50 default credential sets.
Each default credential set comprises the following credentials:

Primary Credentials (Username, Password, Enable Password)

Secondary Credentials (Username, Password, Enable Password)

SNMPv2c/SNMPv1Credentials (Read-Only Community String, Read-Write Community String)

SNMPv3 Credentials (Mode, Username, Authentication Password, Authentication Algorithm,


Privacy Password, Privacy Algorithm)

HTTP credentials (Primary HTTP Username and Password, Secondary HTTP Username and
Password, HTTP port, HTTPS port, Current Mode)

Auto Update Server Managed Device Credentials (Username and Password)

Rx Boot Mode Credentials (Username, Password)

This section explains:

Configuring a Default Credential Set

Editing a Default Credential Set

Deleting a Default Credential Set

Configuring a Default Credential Set


To configure a default credential set:
Step 1

Select Admin > Network > Device Credential Settings > Default Credential Sets.
The Default Credentials Sets page appears.
The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone
LMS Servers. You cannot see this list item in DCR Slave Server.

Step 2

Click Next or select Credential Sets name from the Default Credentials list panel and enter the
respective credential information.

Step 3

Enter a name of the credential set in the Credential Set Name field. This is mandatory.
The Credential Set Name can contain lower case alphabets, upper case alphabets, and numerals (0 to 9).
You can include the following special characters in the Credential Set Name:
Special Character

Description

Underscore

Hyphen

Period

Administration of Cisco Prime LAN Management Solution 4.2

4-24

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Administering Device and Credential Repository

Step 4

Enter a description of the credential set in the Set Description field.

Step 5

Click Next or select a credential type from the Default Credentials list panel and enter the respective
credential information. You can select any of the credential types from the panel.

Step 6

Standard Credentials

SNMP Credentials

HTTP Credentials

Auto Update Server Managed Device Credentials

Rx-Boot Mode Credential

Enter the following credentials as required:

Standard Credentials
Primary Credentials (Username, Password, Enable Password)
Secondary Credentials (Username, Password, Enable Password)

SNMP Credentials
SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community

String)
SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy

Password, Privacy Algorithm)


You must select the SNMPv3 check box to add SNMPv3 default credentials. By default, these
fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode is
AuthPriv.

HTTP Credentials
Primary Credentials (Username, Password)
Secondary Credentials (Username, Password)
Other Information (HTTP Port, HTTPS Port, Current Mode)

Auto Update Server Managed Device Credentials (Username, Password)

Rx-Boot Mode Credentials (Username, Password)

Note

Re-enter the value of passwords in the respective Verify fields.

You must enter a value for at least one credential before applying the default credentials.
Step 7

Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also
click Back to navigate to the previous page and click Remove to delete the Default Credential Set and
the credentials configured in this Credential Set, but it will not affect the devices that are already added
or imported with default credentials.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-25

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Administering Device and Credential Repository

Editing a Default Credential Set


To edit a default credential set:
Step 1

Select Admin > Network > Device Credential Settings > Default Credential Sets.
The Default Credentials Sets page appears.
The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone
LMS Servers. You cannot see this list item in DCR Slave Server.

Step 2

Click Next or select Credential Set Name from the Default Credentials list panel.

Step 3

Select a default credential set name from the Credential Set drop-down list box.

Step 4

Edit the description of the credential set in the Set Description field.
You cannot edit the name of the credential set.

Step 5

Click Next or select a credential type from the Default Credentials list panel.

Step 6

Edit the following credentials as required:

Standard Credentials
Primary Credentials (Username, Password, Enable Password)
Secondary Credentials (Username, Password, Enable Password)

SNMP Credentials
SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community

String)
SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy

Password, Privacy Algorithm)


You must select the SNMPv3 check box to add or edit SNMPv3 default credentials. By default,
these fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode
is AuthPriv.

HTTP Credentials
Primary Credentials (Username, Password)
Secondary Credentials (Username, Password)
Other Information (HTTP Port, HTTPS Port, Current Mode)

Auto Update Server Managed Device Credentials (Username, Password)

Rx-Boot Mode Credentials (Username, Password)

Note
Step 7

Re-enter the value of passwords in the respective Verify fields.

Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also
click Back to navigate to the previous page and click Remove to delete the Default Credential Set and
the credentials configured in this Credential Set, but it will not affect the devices that are already added
or imported with default credentials.

Administration of Cisco Prime LAN Management Solution 4.2

4-26

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Administering Device and Credential Repository

Deleting a Default Credential Set


To delete a default credential set:
Step 1

Select Admin > Network > Device Credential Settings > Default Credential Sets.
The Default Credentials Sets page appears.
The Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone LMS
Servers. You cannot see this list item in DCR Slave Server.

Step 2

Select a credential set from Credential Set drop-down list box.

Step 3

Click Remove to delete a default credential set.


The selected default credential set is deleted from the LMS Server.
The default credential set policies that you have configured with this default credential set will also be
deleted.

Configuring Default Credential Set Policy


You can configure default credential set policies and apply the default credentials for a range of devices
to be added or imported to DCR.
We recommend that you create up to 50 default credential set policies.
You can create default credential set policies based on following policy types:

IP Address

Hostname

Device Name

This section explains:

Before Configuring a Credential Set Policy

Creating a Default Credential Set Policy

Patterns in IP Address Default Credential Set Policy Rules

Regular Expressions in Default Credential Set Policy Rules

Examples For Default Credential Set Policies

Deleting Default Credential Set Policies

Defining the Order of Default Credential Set Policies

Before Configuring a Credential Set Policy


Read the following notes before configuring a default credential set policy:

You can include patterns when creating rules for IP Address based default credential set policies.
See Patterns in IP Address Default Credential Set Policy Rules for more information.

Regular expressions are supported for policies based on Hostname and Device Names. IP Address
based policy types do not support regular expressions.
See Regular Expressions in Default Credential Set Policy Rules for more information.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-27

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Administering Device and Credential Repository

The expressions in default credential set policy rules are case insensitive.

You can include the following characters in Device Name and Hostname:
Lower case alphabets
Upper case alphabets
Numerals ( 0 to 9)
Special characters such as hyphen (-), underscore (_), period (.) and colon (:)

When you define more than one policy for a default credential set, all these policy rules work
together. The policies will be applied in the same order in which they appear on the Credentials Sets
Policy Configuration page.
See Defining the Order of Default Credential Set Policies for more information.

Creating a Default Credential Set Policy


To create a default credential set policy:
Step 1

Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Default Credentials Sets Policy Configuration page appears.
The Default Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master
and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.

Step 2

Click Add to add a default credential set policy.


The Add Credentials Policy Configuration dialog box appears.

Step 3

Construct a policy rule. To do so:


a.

Select a parameter from the Select a Policy Type drop-down dialog box.
The listed parameters are IP Range, Hostname and Device Name.
Based on the parameter that you have selected, the value field name changes dynamically.

b.

Enter a value for the rule parameter.


If you have selected IP Range as the rule parameter, enter a value in the IP Range field.
If you have selected Hostname as the rule parameter, enter a value in the Hostname field.
If you have selected Device Name as the rule parameter, enter a value in the Device Name field.
See Patterns in IP Address Default Credential Set Policy Rules and Regular Expressions in Default
Credential Set Policy Rules for more information.
The expressions in credential set policy rules are case insensitive.

c.

Select a credential set name from the Credentials Set drop-down list box to associate the rule
expression with the default credential set.
Select No Default if you do not want to enter a credential set name.

Step 4

Click OK to go back to Credentials Sets Policy Configuration page.


The policy that you have configured is listed in the Credentials Sets Policy Configuration page.

You can edit a default credential set policy later. To do so, you must select a default credential set policy
in the Credentials Sets Policy Configuration page and click Edit.

Administration of Cisco Prime LAN Management Solution 4.2

4-28

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Administering Device and Credential Repository

Patterns in IP Address Default Credential Set Policy Rules


When you define a default credential policy type based on IP Address, you should follow these
guidelines:

Use the standard IPv4 Address format (4 octets separated by periods) or the IPV6 Address format.

Any octet can have one of the following:


Any Octet can have..

Example

Numbers between:

10.77.240.225 (IPv4 Address)

001:DB8:0:2AA:FF:C0A8:0:640A
(IPv6 Address)

Asterisk (*) as wildcard denoting all numbers from


0 to 255 in an IPv4 Address and 0 to FFFF in an
IPv6 Address.

10.*.*.240 (IPv4 Address)

001:*:0:2AA:FF:*:*:* (IPv6 Address)

Range of numbers in the


[StartingNumber-EndingNumber] format, where:

10.77.[220-240].[210-220] (IPv4
Address)

001:DB8:0:[EE-FF]:FF:C0A8:0:[100-AA
F] (IPv6 Address)

0 to 255 for an IPv4 Address

0 to FFFF for an IPv6 Address

StartingNumber and EndingNumber should

be numbers between 0 to 255 in an IPv4


Address and 0 to FFFF in an IPv6 Address
StartingNumber should not be greater than

or equal to EndingNumber

The following are examples of invalid IP


Address ranges:

10.77.[250-200].221

10.77.200-250.221

001:DB8:0:[EEEE-FF]:FF:C0A8:0:[D-5]

001:DB8:0:AA-BB:FF:C0A8:0:[D-5]

The octets in an IP Address policy type can also contain the combination of wildcard characters and
range of numbers. Some examples of IP Address filter combinations include:
10.77.[210-230].*
10.77.*.[110-210]
001:DB8:*:*:FF:[C0A-DD8]:0:[5-D]
[10-20]:[10-20]:[A-F]:2:4:*:*:*

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-29

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Administering Device and Credential Repository

Regular Expressions in Default Credential Set Policy Rules


Hostname and Device Name policy types supports regular expressions.
You can use the following characters in regular expressions:
Character Description

Purpose

Period

Matches any character

Opening parenthesis

Marks the beginning of a group of matched characters

Closing parenthesis

Marks the end of a group of matched characters

Asterisk

Matches zero or more occurrences of regular expression specified


earlier

Plus character

Matches zero or more occurrences of regular expression specified


earlier

Trailing slash

Identifies a special character within a regular expression

Examples For Default Credential Set Policies


Example 1 - IP Range Policy Type

Consider that all devices whose IP Addresses are within the range 10.77.[210-230].*, should be added
or imported to DCR with the default credentials defined in a default credential set IPSet.
You should create a default credential set policy based on the IP Range policy type. To do so:
Step 1

Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.

Step 2

Click Add to add a default credential set policy.


The Add Credentials Policy Configuration dialog box appears.

Step 3

Step 4

Construct the policy:


a.

Select the policy type as IP Range from the Select a Policy Type drop-down list box.

b.

Enter the IP Range value as 10.77.[210-230].*

c.

Select the Default Credential Name as IPSet

Click OK to go back to Default Credential Sets Policy Configuration page.


The policy that you have configured will be listed in a table format.

Example 2 - IP Range Policy Type

Consider that all devices whose IP Addresses are within the range
100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15], should be added or imported to DCR with the default
credentials defined in a default credential set IPv6Set.
You should create a default credential set policy based on the IP Range policy type. To do so:
Step 1

Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.

Administration of Cisco Prime LAN Management Solution 4.2

4-30

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Administering Device and Credential Repository

The Credentials Sets Policy Configuration page appears.


Step 2

Click Add to add a default credential set policy.


The Add Credentials Policy Configuration dialog box appears.

Step 3

Step 4

Construct the policy:


a.

Select the policy type as IP Range from the Select a Policy Type drop-down list box.

b.

Enter the IP Range value as 100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15]

c.

Select the Default Credential Name as IPv6Set

Click OK to go back to Default Credential Sets Policy Configuration page.


The policy that you have configured will be listed in a table format.

Example 3 - Device Name Policy Type

Consider that all devices whose Device Names end with or contain device, should be added or imported
to DCR with the default credentials defined in a default credential set SetName2.
You should create a default credential set policy based on the Device Name policy type. To do so:
Step 1

Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.

Step 2

Click Add to add a default credential set policy.


The Add Credentials Policy Configuration dialog box appears.

Step 3

Step 4

Construct the policy:


a.

Select the policy type as Device Name from the Select a Policy Type drop-down list box.

b.

Enter the value as (.)*device

c.

Select the Default Credential Name as SetName2

Click OK to go back to Default Credential Sets Policy Configuration page.


The policy that you have configured will be listed in a table format.

Example 4 - Device Name Policy Type

Consider that all devices whose Device Names contain 1.3.6.1.4.1.9.1.n, should be added or
imported to DCR with the default credentials defined in a default credential set SOIDset.
You should create a default credential set policy based on the Device Name policy type. To do so:
Step 1

Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.

Step 2

Click Add to add a default credential set policy.


The Add Credentials Policy Configuration dialog box appears.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-31

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Administering Device and Credential Repository

Step 3

Step 4

Construct the policy:


a.

Select the policy type as Device Name from the Select a Policy Type drop-down list box.

b.

Enter the value as (.)*\.1\.3\.6\.1\.4\.1\.9\.1\.(.)

c.

Select the Default Credential Name as SOIDset

Click OK to go back to Default Credential Sets Policy Configuration page.


The policy that you have configured will be listed in a table format.

Example 5- Host Name Policy Type

Consider that all devices whose Hostnames start with Che, should be added or imported to DCR with
the default credentials defined in a default credential set SetName1.
You should create a default credential set policy based on the Hostname policy type. To do so:
Step 1

Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.

Step 2

Click Add to add a default credential set policy.


The Add Credentials Policy Configuration dialog box appears.

Step 3

Step 4

Construct the policy:


a.

Select the policy type as Host Name from the Select a Policy Type drop-down list box.

b.

Enter the value as Che(.)*

c.

Select the Default Credential Name as SetName1

Click OK to go back to Default Credential Sets Policy Configuration page.


The policy that you have configured will be listed in a table format.

Example 6- Host Name Policy Type

Consider that all devices whose Hostnames contain lab2, should be added or imported to DCR with the
default credentials defined in a default credential set SetName3.
You should create a default credential set policy based on the Hostname policy type. To do so:
Step 1

Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.

Step 2

Click Add to add a default credential set policy.


The Add Credentials Policy Configuration dialog box appears.

Step 3

Construct the policy:


a.

Select the policy type as Host Name from the Select a Policy Type drop-down list box.

b.

Enter the value as (.)*lab2(.)*.

c.

Select the Default Credential Name as SetName3

Administration of Cisco Prime LAN Management Solution 4.2

4-32

OL-25947-01

Chapter 4

Administering Discovery Settings and Device and Credential Repository


Administering Device and Credential Repository

Step 4

Click OK to go back to Default Credential Sets Policy Configuration page.


The policy that you have configured will be listed in a table format.

Deleting Default Credential Set Policies


To delete default credential set policies:
Step 1

Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
The Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master and DCR
Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.

Step 2

Select a default credential set policy to delete.


You can also select multiple default credential set policies to delete.

Step 3

Click Delete to remove the default credential set policies.

Defining the Order of Default Credential Set Policies


You can specify the order in which the default credential set policies should be applied for devices that
are added or imported into DCR.
The default credential set policies are applied in the order they appear on the Credentials Sets Policy
Configuration page. The default credential set policies appearing at the top of the list are applied first.
You can create more than one default credential set policy for a default credential set.
When you define more than one policy for a default credential set, all these policy rules work together.
For example, consider 10.77.240.[50-52] as a first IP Address policy associated with a default credential
set name Test1 and 10.77.240.* as the second IP Address policy associated with a default credential set
name Test2.
The default credentials defined in Test1 will be applied for all devices in the IP range 10.77.240.[50-52]
added or imported into DCR. The default credentials defined in Test2 will be applied for all devices in
the IP range 10.77.240.* except the devices with IP Addresses 10.77.240.50, 10.77.240.51 and
10.77.240.52.
For example, consider 10.77.*.* as a first IP Address policy for a default credential set name Test1 and
10.77.210.* as the second IP Address policy for a default credential set name Test2.
The default credentials defined in Test1 will be applied for all devices in the IP range 10.77.*.* added
or imported into DCR. The policy rule 10.77.210.* will never be applied as 10.77.210.* is a subset of
10.77.*.*.
To specify the order of default device credentials policies:
Step 1

Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears with a list of default credential set policies.

Step 2

Select a default credential set policy.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

4-33

Chapter 4

Administering Discovery Settings and Device and Credential Repository

Administering Device and Credential Repository

Step 3

Either:

Click the Up Arrow icon to move the selected default credential set policy up in the displayed order.

Or

Step 4

Click the Down Arrow icon to move the selected default credential set policy down in the displayed
order.

Click Apply Settings to save the changes.

Administration of Cisco Prime LAN Management Solution 4.2

4-34

OL-25947-01

CH A P T E R

Managing Groups
LMS 4.2 combines the device grouping with a new attribute list.
The other grouping services that are available in LMS are:

Fault Group - supports 50 groups

IPSLA Collector Group - supports 100 groups

Port and Module Group - supports 100 groups

The numbers of groups that LMS supports will vary according to the SKU that you use. For more details,
see Application Scaling Numbers section in the Installing and Migrating to Cisco Prime LAN
Management Solution 4.2 guide.
This chapter explains the following:

Groups - Components and Basic Concepts

Groups in Single-Server and Multi-Server Setup

Device Group Administration

DCR Mode Changes and Group Behavior

Port and Module Group Administration

Working with Fault System-defined Groups

Working with Customizable Groups

Managing Fault Groups

Viewing Fault Group Details

Viewing Fault Membership Details

Refreshing Fault Membership

Deleting Fault Groups

Understanding Collector Group Rules

IPSLA Collector Group Administration Process

Understanding IPSLA Collector Group Administration

Working with User-Defined Collector Groups

Operation-Based Collector Groups (System-Defined)

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-1

Chapter 5

Managing Groups

Groups - Components and Basic Concepts

Groups - Components and Basic Concepts


This section explains the components of a group and the basic concepts of a group.
Components

The following are the components of a group:

Group Server:
Manages groups of devices. It helps you to create, edit, delete, and refresh groups to be shared by
the application. It interfaces with an application service adapter (ASA) to evaluate group rules and
retrieve devices of a particular group.

Application Service Adapters (ASAs):


Application-specific information repository that serves as source of the devices and attributes that
are grouped by the Groups Server.
Till LMS 3.2, ASA was an interface between applications and Groups Server.
In LMS 4.2, there is only a single ASA.

Group Admin:
Allows you to interact with the Groups Server to create and manipulate groups using Group Admin.

Basic Concepts

The following are the basic concepts of a group:

Group Class:
Representation of a set of devices belonging to DCR. In this context a device in Device and
Credential Repository (DCR) is a single instance of a class. Each instance (device) will have a set
of attributes and a unique device ID.

Group Object:
Device in a group class. Each device in the group will have a set of attributes stored in DCR.
Associated with every device is a unique and immutable device ID.

Group:
Named aggregate entity comprising a set of devices belonging to a single class or a set of classes,
with a common superclass. Groups can be shared between users or applications, subject to
access-control restrictions. The membership of a group is determined by a rule.

Group Rule:
Consists of one or more rule expressions combined by operators, which can be AND, OR or
EXCLUDE. A rule always evaluates to objects of a particular class defined in an application schema.

Administration of Cisco Prime LAN Management Solution 4.2

5-2

OL-25947-01

Chapter 5

Managing Groups
Groups in Single-Server and Multi-Server Setup

Groups in Single-Server and Multi-Server Setup


This section has the following subsections:

Groups in Single Server Scenario

Groups in Multi-Server Scenario

Groups in Single Server Scenario


The devices you see in the Group Administration UI in depends on whether the devices are being
managed by LMS or not, and not on any application like CS, RME, CM.
In LMS 3.2, if there are Common Services, LMS, and RME installed on a server, you can see the
following groups in the Groups UIs of the applications.

CS@hostname

RME@hostname

Campus@hostname

In LMS 4.2, there are no separate applications and there are four types of groups:

Device Groups
The device group name is LMS@hostname, instead of CS@hostname, RME@hostname, and
Campus@hostname. LMS supports 200 device groups.

Fault Groups
These groups are created by the Fault Management module in LMS, and consist of interface, trunk
port, and access port groups. Each group has a set of properties (such as a name, description, and
permission.), and are defined by the rules associated with the group.

IPSLA Collector Groups


You can group IPSLA collectors based on a set of criteria such as operation name, operation type,
source address, target address.

Port and Module Groups


You can group ports and modules for easy port and module selection in various configuration
workflows.

Groups in Multi-Server Scenario


Groups you create in LMS groups UI in the Master get synchronized with the Slave.
If you create a subgroup under LMS@Master hostname in one server, it appears under LMS@Slave
hostname in the peer server.
However, in the Master server, if you create a subgroup under LMS@Master hostname, it will always
appear under LMS@\Slave hostname\, in the Slave. That is, the subgroup created in the Master appears
under the shared group of the application in the Slave.
When the user-defined group under master and the user-defined group under slave has the same group
name, then when doing master slave setup, the master group will be retained in slave. The slaves group
will get deleted.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-3

Chapter 5

Managing Groups

Device Group Administration

Once the master slave setup is done, when we add a group in master it will be synced with slave only
after OGS process is restarted. The direct sync up will be done only during the setup. After setup, both
the OGS will act as a individual servers.

Note

You can create groups in LMS even if the server on which it is installed is in Slave mode.
If you have created a subgroup under LMS@Master hostname , in S, you can see this subgroup under
LMS@Slave hostname.
In a cluster, if you have M as the Master, and S1 and S2 as Ms slaves, and you want to evaluate S1s
groups from S2, you need to import the certificate of S1 to S2 and vice versa.

Device Group Administration


The Group Administration UI helps you to create, edit, view, delete, export, import, and refresh groups.
The UI displays a Group Selector that contains the following predefined higher-level groups:

System-defined Groups

User-defined Groups

The System-defined Groups shows subgroups only after Device and Credential Repository is populated.
The predefined sub-groups under System-defined Groups are:

Cisco Interfaces and Modules

Network Management

Non Cisco Devices

Routers

Switches and Hubs

Subnet Based Groups


Contains sub folders representing subnets (one folder per subnet) discovered in the network. Each
folder contains the devices corresponding to those subnets.

Note

Subnets groups will appear only after a successful Data Collection.

Voice and Telephony

Unknown Device Type

Universal Gateways and Access Servers

Wireless

You can create subgroups only under User-defined Groups. You cannot create them under
System-defined Groups. However, you can view the details of a subgroup under System-defined Groups
and refresh the group.

Note

Group Administration UI will be enabled only on servers in which DCR is in Master or Standalone
mode. The groups created in DCR Master will be copied to Group Administration instances on servers
where DCR is in Slave mode.

Administration of Cisco Prime LAN Management Solution 4.2

5-4

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

The following sections provide information on how to perform group administrative tasks in LMS 4.2:

Migrating Device Groups from Previous Releases of LMS

Creating Groups

Viewing Group Details

Modifying Group Details

Refreshing Groups

Deleting Groups

Exporting Groups

Importing Groups

Overview of Subnet Based Groups

Migrating Device Groups from Previous Releases of LMS

The following table explains migration of device groups from previous releases of LMS, in the table. In
this example, Group A is an application group created separately in CS, RME, and CM, in earlier
versions of LMS:

LMS Version

Common Services
UDG/SDG

RME UDG/SDG

Campus Manager UDG/SDG

3.2.1

Group A

Group A

Group A

4.2

After migration to
After migration to LMS
LMS 4.2, Group A is 4.2, Group A is not
available
Available

After migration to LMS 4.2,


Group A is not available

3.2.1

Group A

Group A

4.2

After migration to LMS After migration to LMS 4.2,


4.2, Group A will not be Group A will not be available
available

3.2.1

4.2

You must create new


subnet-based groups
after a successful
Data Collection

Subnet-based groups
After migration to LMS 4.2, CM
Subnet-based groups will not be
available.

Creating Groups
This section contains:

Specifying Group Properties

Defining Group Rules

System Defined Attributes

Assigning Group Membership

You can create device groups using this feature.


To create a new device group:

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-5

Chapter 5

Managing Groups

Device Group Administration

Step 1

Either:

Select Admin > System > Group Management > Device.


The Group Administration page appears.

Or

Select Inventory > Group Management > Device.


The Group Administration page appears.

The Group Administration in the Group Administration page provides you with Group Selector.
Step 2

Select the group from the groups listed in Group Selector to create a new subgroup.
The Group Info fields on the right, display details of the selected group.
The group you select here is the Parent group for the new group that you are about to create. You can
change the Parent group later, if required. You cannot create groups under System-defined Groups but
you can view details and refresh the group.
Users in admin role have read-write access to User-Defined groups based on the visibility scope (Public
or Private). If you have the required permissions, you can create subgroups under groups.

Step 3

Click Create to create a new group.


The Group Administration Creation wizard is launched and guides you through the process of creating
a new group.
Perform the following tasks using the Groups Create wizard.
a.

Specify group properties. See Specifying Group Properties for information.

b.

Define group rules. See Defining Group Rules for information.

c.

Assign group membership. See Assigning Group Membership for information.

The first page in the wizard is the Properties:Create window. While creating a new group you must complete
all of the above three tasks in this sequence to create a group.
If you exit the wizard at any stage by clicking Cancel, the details you have specified will be lost and the
group will not be created.

The recommended limit for creating User-Defined group is 200, but you are allowed to create upto 600
User-Defined groups in LMS.
Example

To create a group of all Energywise capable devices:


Step 1

Either:

Select Admin > System > Group Management > Device.


The Group Administration page appears.

Or

Select Inventory > Group Management > Device.


The Group Administration page appears.

The Group Administration in the Group Administration page provides you with Group Selector.
Step 2

Select User Defined Groups from the groups listed in Group Selector to create a new subgroup.

Administration of Cisco Prime LAN Management Solution 4.2

5-6

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

Step 3

Click Create to create a new group.


The Properties page appears.

Step 4

Enter the name Energywise_capable devices in the Group Name field in the Properties:Create dialog
box.

See Specifying Group Properties for more details.

Note
Step 5

Click Next.
The Rule Dialog box appears.

Step 6

Step 7

Create an expression in the Rules:Create dialog box by entering:


a.

Select Variable as EnergyWise.EnergyWisestate

b.

Select Operator as =

c.

Enter the Value as EnergyWise_capable

Click Add Rule Expression.


The rule is added into the Rule Text.
You can also check the syntax of the group rule entered.

Note
Step 8

See Defining Group Rules for more details.

Click Next.
The Group Membership Assigning page appears.

Step 9

Select one or more devices in Available Objects From Parent Group column.
To select multiple devices, hold the Ctrl or Shift keys down and click on the devices.

Step 10

Click Add.
The selected devices are removed from the Available Objects From Parent Group and added to the Object
Matching Membership Criteria column.

Note
Step 11

See Assigning Group Membership for more details.

Click Next.
The Summary page appears.

Step 12

Click Finish.

Specifying Group Properties


While specifying group properties, you can enter the properties such as name and description, and
modify the parent group, if required, and update membership, and specify the visibility scope.
To complete the tasks in this phase:
Step 1

Either:

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-7

Chapter 5

Managing Groups

Device Group Administration

Select Admin > System > Group Management > Device. Click
The Group Administration page appears.

Or

Select Inventory > Group Management > Device.


The Group Administration page appears.

Step 2

Click the Create button in the Group Administration.


The Properties page appears.

Step 3

Enter a name for the group in the Group Name field in the Properties:Create dialog box.
The group name should be unique within the Parent group. However, it need not be so across groups.
The same group name cannot be used in the same group hierarchy.
For example, if you have a group /LMS@Servername/User Defined Groups/MyView, you cannot create
another group with the same name MyView under /LMS@Servername/User Defined Groups.

Step 4

Click Select Group, if you want to copy the attributes of an existing group.
The Replicate Attributes dialog box appears.

Step 5

Select the group you need from the Replicate Attributes list and click OK. To return to the Properties
page, click Cancel.

Step 6

Click Change Parent, to change the Parent group.


The Group Selector page appears.

Step 7

Select the group you need from the Select Parent list.

Step 8

Click OK.
The Group Administration wizard changes the Parent group to the one you selected. To return to the
Properties page, click Cancel.

Step 9

Enter a description for the group.


Typically, you can enter a detailed description of the group that identifies its characteristics in this field.

Step 10

Select the Membership Update mode for the group.


The modes of membership updates available are:

Automatic:
The membership of the group is updated when you add a new device to the group, and each time the
group is invoked.

Only Upon User Request:


The membership of the group is recomputed only when an explicit request is made, using the
Refresh option.

If you select Automatic, the group will be a Dynamic group. If you select Only Upon User Request,
the group will be a Static group.
Step 11

Select either Public or Private to specify the visibility scope.

Private
The group created can be viewed only by user who creates the group.

Public
The group created can be viewed by all users.

Administration of Cisco Prime LAN Management Solution 4.2

5-8

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

Step 12

Click Next to get to the Rule:Create dialog box. See Defining Group Rules to define simple and
composite group rules.

Defining Group Rules


In the Rules:Create dialog box, you can define the rules for the group. The rules you define in this phase
determine the contents of the group. The rules you specify here determine the devices to be included in
the group.
In the Rules:Create dialog box, you can either enter the rules directly in the Rule Text field, or select the
components of the rule from the Rule Expression fields, and form a rule.
The rule expression has the following components:
Object.Variable operator value

If you have created the group by copying the attributes of another group, the rules specified for that group
appear in the Rule Text field. You can retain these and add more rules, or delete these rules and create a
new set of rules.
The Rules:Create dialog box allows you to check the syntax in the Rules Text field. You can use this
facility to validate the rules you have created. If you leave the rule blank, it creates a Container group.
Click View Parent Rules to display the rules defined for its ancestor groups.
This section explains:

Defining a Group Rule

Defining Composite Group Rules

Using IP Address Range Operator

Examples

System Defined Attributes

Before you launch the Rule:Create dialog box, ensure that you have completed all the tasks in
Properties:Create dialog box. See Specifying Group Properties for more information.

Defining a Group Rule


To create a group rule:
Step 1

Complete all the tasks in the Properties page. See Specifying Group Properties for more information.

Step 2

Delete the rules displayed in the Rule Text field, if any.

Step 3

Select appropriate parameters for the following:

Object Type Denotes the object type used for forming a group. All expressions start with the
string Device.

Variables Denotes the device attributes, which are used to form a device group.
See System Defined Attributes for details on the variables.

Operators Denotes the various operators to be used with the rule. The list of operators includes
equals, contains, startswith and endswith. The list of operators changes dynamically with the value
of the variable selected.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-9

Chapter 5

Managing Groups

Device Group Administration

For the ManagementIpAddress variable, you can select a range operator other than the standard list
of operators. See Using IP Address Range Operator for more information.

Step 4

Value Denotes the value of the variable. The value field changes dynamically based on the value
of the variable and operator selected, and the field type can be a text field or a list box.

Click Add Rule Expression.


The Group Administration wizard creates the rule based on the parameters you specified and adds the
rule to the Rules Text field.
For example, the rule type:
Device.DisplayName equals "joe"

will select the device with the DisplayName joe.


The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type
field in Rules Expression.
You can form composite rules using the OR, AND, or EXCLUDE options in the Boolean operator field.
See Defining Composite Group Rules for more information.
You can validate rules that are entered directly into the Rules Text field, or rules formed using the Add
Rules Expression option in the dialog box.

Step 5

To check whether the syntax is valid, click Check Syntax.

To view the rules defined for the parent groups, click View Parent Rules.

Click Next.
The wizard takes you to the Membership:Create dialog box, where you can further refine the group
definition by adding or deleting specific devices from the group. See Assigning Group Membership for
more information.
If you have entered an invalid IP Address range or invalid values in the Value field, an error message will
be displayed. You should correct the values and then navigate to the Membership:Create dialog box.

Defining Composite Group Rules


A Composite rule contains more than one rule expression separated by a Boolean operator.
The Boolean Operators OR, AND, or EXCLUDE appear in the Rules:Create dialog box only when you
have entered at least one rule expression.
When the composite rule has more than two simple rule expressions, you can adjust priorities among the
expressions using opening and closing parenthesis.
To create a composite rule:
Step 1

Delete the rules displayed in the Rule Text field and click any other field.

Step 2

Form a simple rule. See Defining a Group Rule for details.

Step 3

Click Add Rule Expression.


The Group Administration wizard creates the rule based on the parameters you specified and adds the
rule to the Rules Text field.
The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type
field in Rules Expression.

Step 4

Select a Boolean Operator from the drop-down list.

Administration of Cisco Prime LAN Management Solution 4.2

5-10

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

Step 5

Select the appropriate parameters for Object Type, Variables, and Operators.

Step 6

Enter a value in the Value field.

Step 7

Click Add Rule Expression.


You can validate rules that are entered directly into the Rules Text field or rules formed using the Add
Rules Expression option in the dialog box.

Step 8

To check whether the syntax is valid, click Check Syntax.

To view the rules defined for the parent groups, click View Parent Rules.

Click Next.
The wizard takes you to the Membership:Create dialog box, where you can further refine the group
definition by adding or deleting specific devices from the group. See Assigning Group Membership for
more information.

Using IP Address Range Operator


The range operator enables you to group the devices of the specified range of IP Addresses. You can
select the range operator only for the ManagementIpAddress and IP.Address variables.
You should enter the range of IP Addresses in the Value field, to create a group rule based on IP Address
ranges.
When you enter the IP Address range in the text field, you should:

Specify the range with permissible values for one or more octets in the IP Address.
The minimum limit in the range is 0 and the maximum limit is 255.

Use the hyphen character (-) as a separator between the numbers that indicate a range.

Specify the range of IP Addresses within the [and] characters to create a group rule.

For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field.
You should not:

Enter numbers less than 0 and greater than 255 in the IP Address range.

Enter any characters other than the range separator (-).

Enter the value of the highest limit in the range as less than the value of smallest limit number. For
example, you should not enter 10.10.10.[8-4].

See Behavior of IP Address Range Based Device Groups in Multi-Server Setup for more information on
the IP Address Range based device groups in a multi-server setup.

Examples
This section contains:

Example to Create a Simple Group Rule

Example to Create a Composite Group Rule

Example to Create a Group Rule Using Range Operator

Example to Create a Simple Group Rule

To create a group of all devices ending with the hostname Test, you should:

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-11

Chapter 5

Managing Groups

Device Group Administration

Step 1

Step 2

Create an expression in the Rules:Create dialog box by entering:


a.

Select Variable as HostName

b.

Select Operator as endswith

c.

Enter the Value as Test

Click Add Rule Expression.


The rule is added into the Rule Text.
You can also check the syntax of the group rule entered.

Example to Create a Composite Group Rule

If you want to group all the devices in the network that match the following criteria:

Device Name of the device should contain TestDevice

Category of the device should be equal to Routers or IP Address of the device should starts with
10.77

To create this composite rule:


Step 1

Step 2

Create an expression in the Rules:Create dialog box by entering:


a.

Select Variable as DisplayName

b.

Select Operator as contains

c.

Enter the Value as TestDevice

Click Add Rule Expression.


The rule is added into the Rule Text.

Step 3

Step 4

Create another rule expression by entering:


a.

Select AND as the Boolean operator

b.

Select Variable as Category

c.

Select Operator as equals

d.

Enter the Value as Routers

Click Add Rule Expression.


The rule is appended into the Rule Text.

Step 5

Step 6

Create another rule expression by entering:


a.

Select OR as the Boolean operator

b.

Select Variable as ManagementIPAddress/IP.Address

c.

Select Operator as startswith

d.

Enter the Value as 10.77

Click Add Rule Expression.


The following composite rule is formed in the Rule Text Area:
Device.DisplayName contains TestDevice AND
Device.Category equals Routers OR
Device.ManagementIpAddress startswith 10.77

Administration of Cisco Prime LAN Management Solution 4.2

5-12

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

Step 7

Edit the rule expression in the text area to adjust the priorities among the group expressions.
You should place two rule expressions together within an opening and a closing parentheses. Ensure that
you leave a space between the parenthesis and the group expressions.
The edited composite rule is:
Device.DisplayName contains "TestDevice" AND
( Device.Category equals "Routers" OR
Device.ManagementIpAddress startswith "10.77" )

You can also check the syntax of the group rule entered.
Step 8

Click Next to proceed further.

Example to Create a Group Rule Using Range Operator

To group all devices whose IP Addresses are within the range 10.10.0.207 to 10.10.212.247, you
should:
Step 1

Step 2

Create an expression in the Rules:Create dialog box by entering:


a.

Select Variable as ManagementIPAddress/IP.Address

b.

Select Operator as range

c.

Enter the Value as 10.10.[0-212].[207-247]

Click Add Rule Expression.


The rule is added into the Rule Text.
You can also check the syntax of the group rule entered

System Defined Attributes


The following table provides details on some of the System Defined attributes that are available in LMS.
These are predefined attributes, available by default.

Note

In LMS 4.2, the attributes State (Device.State) and System.SystemOID (Device.System.SystemOID) are
not available. If you backup and restore any group created in older versions of LMS using these
attributes, the groups will not be restored.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-13

Chapter 5

Managing Groups

Device Group Administration

Table 5-1

Group Attributes in LMS

Attribute

Description

Example

Asset.CLE_Identifier

CLE identifier of the asset.

To create a group of all devices having asset


CLE identifier CLE12:

Asset.Part_Number

Asset.User_Defined_Identifier

Category

Orderable part number of the asset.

User-defined identifier of the asset

Select the variable


Asset.CLE_Identifier

Select the operator equals.

Enter the value CLE12.

To create a group of all devices having asset


part number PN123:

Select the variable


Asset.Part_Number

Select the operator equals.

Enter the value PN123.

To create a group of all devices having user


defined asset identifier UD34:

Select the variable


Asset.User_Defined_Identifier.

Select the operator equals.

Enter the value UD34.

Category into which the device falls. The To create a group of all routers in the
first level entries in the Device Type tree network.
in DCR Device Management UI.
Select the variable Category.

Chassis.Model_Name

Chassis.Number_Of_Slots

Name of the model.

Number of slots in that chassis.

Select the operator contains.

Enter the value router.

To create a group of all devices containig


chassis model name WS-C6506:

Select the variable


Chassis.Model_Name

Select the operator contains.

Enter the value WS-C6506.

To create a group of all devices containig 10


chassis slots.

Select the variable


Chassis.Number_Of_Slots

Select the operator =.

Enter the value 10.

Administration of Cisco Prime LAN Management Solution 4.2

5-14

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

Table 5-1

Group Attributes in LMS

Attribute

Description

Example

Chassis.Port_Count

Total port count of the chassis.

To create a group of all devices having


chassis port count more than 5.

Chassis.Serial_Number

Chassis.Vendor_Type

Chassis.Version

DeviceName

DomainName

Serial number of the chassis.

Vendor type of the chassis.

Select the variable


Chassis.Port_Count.

Select the operator >.

Enter the value 5.

To create a group of all devices containing


chassis serial number SSI1.

Select the variable


Chassis.Serial_Number.

Select the operator contains.

Enter the value SSI1.

To create a group of all devices containing


chassis vendor type cevChassisN5k.

Version number of the chassis.

Device name, as you want it to be


represented in reports or graphical
displays. This can be derived from Host
Name, Management IP Address or
Device Identity.
Domain name of the device.

Select the variable


Chassis.Vendor_Type.

Select the operator contains.

Enter the value cevChassisN5k.

To create a group of all devices containing


chassis version 0.102.

Select the variable Chassis.Version.

Select the operator contains.

Enter the value 0.102.

To create a group of all devices having


Device Name starting with 10.77.132.

Select the variable DeviceName.

Select the operator startswith

Enter the value 10.77.132.

To create a group of all Cisco.com devices.

Select the variable DomainName.

Select the operator contains.

Enter the value Cisco.com.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-15

Chapter 5

Managing Groups

Device Group Administration

Table 5-1

Group Attributes in LMS

Attribute

Description

Example

EnergyWise.Domain_Name

Name of the EnergyWise domain.

To create a group of all devices having


EnergyWise Interfaces Information.

EnergyWise.EnergyWiseState

Select the variable


EnergyWise.Domain_Name.

Select the operator contains.

Enter the value Interfaces


Information.

To create a group of all EnergyWise-capable


EnergyWise status of the device, for
devices.
example, EnergyWise-capable devices,
EnergyWise-enabled devices,
Select the variable
EnergyWise-hardware-incapable devices
EnergyWise.EnergyWiseState.
and EnergyWise-software-incapable
Select the operator =.
devices.

EnergyWise.Importance

EnergyWise Importance of the device.


This value prioritizes the devices in a
domain based on their power usage.

EnergyWise.Keyword

EnergyWise.Role

Flash.File_Name

Enter the value EnergyWise-capable


devices.

To create a group of all devices having


EnergyWise importance 2.

Select the variable


EnergyWise.Importance.

Select the operator =.

Enter the value 2.

A word that will help you identify a


To create a group of all devices having
specific device or group of devices in the EnergyWise keyword switch.
EnergyWise domain.
Select the variable
EnergyWise.Keyword.

Role or function of the device in the


EnergyWise domain.

Location of Flash file.

Select the operator contains.

Enter the value switch.

To create a group of all devices having


EnergyWise role router.

Select the variable EnergyWise.Role.

Select the operator contains.

Enter the value router.

To create a group of all devices having Flash


file name /20-oct.cfg.

Select the variable Flash.File_Name.

Select the operator equals.

Enter the value /20-oct.cfg.

Administration of Cisco Prime LAN Management Solution 4.2

5-16

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

Table 5-1

Group Attributes in LMS

Attribute

Description

Example

Flash.File_Size

Flash file size in MB.

To create a group of all devices having Flash


file size greater than 20 KB.

Flash.Model_Name

Flash.Partition_Free

Flash.Partition_Name

Flash.Partition_Size

Flash.Size

Model name of the Flash device.

Free space in MB.

Select the variable Flash.File_Size.

Select the operator >.

Enter the value 20.

To create a group of all devices having Flash


model name starting with c3725-i.

Select the variable


Flash.Model_Name.

Select the operator startswith.

Enter the value c3725-i.

To create a group of all devices having Flash


free space greater than 50 MB.

Flash partition name.

Select the variable


Flash.Partition_Free.

Select the operator >.

Enter the value 50.

To create a group of all devices having Flash


partition name flash:1.

Flash partition size in MB.

Select the variable


Flash.Partition_Name.

Select the operator contains.

Enter the value flash:1.

To create a group of all devices having Flash


partition size less than or equal to 20 MB.

Total Flash device size in MB.

Select the variable


Flash.Partition_Size.

Select the operator <=.

Enter the value 20.

To create a group of all devices having Flash


size greater than or equal to 50 MB.

Select the variable Flash.Size.

Select the operator >=.

Enter the value 50.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-17

Chapter 5

Managing Groups

Device Group Administration

Table 5-1

Group Attributes in LMS

Attribute

Description

Example

HostName

Device Host name.

To create a group of all devices ending with


the hostname 3750:

Image.ROM_Sys_Version

Image.ROM_Version

Image.Sys_Description

Image.Version

ImageVersion

IP.Address

System ROM software version

Version of ROM.

Image system description

Running device image version.

Software version running on the device.

Device IP address.

Select the variable HostName

Select the operator endswith.

Enter the value 3750.

To create a group of all devices having


system ROM software version 12.4(25):

Select the variable


Image.ROM_Sys_Version.

Select the operator equals.

Enter the value 12.4(25).

To create a group of all devices having ROM


image version 12.2(8r)T2:

Select the variable


Image.ROM_Version.

Select the operator equals.

Enter the value 12.2(8r)T2.

To create a group of all devices having ROM


image version 12.2(8r)T2:

Select the variable Image.Sys_Version.

Select the operator equals.

Enter the value 12.2(8r)T2.

To create a group of all running devices


having image version 12.4(25):

Select the variable Image.Version.

Select the operator equals.

Enter the value 12.4(25).

To create a group of all devices having


image version 12.2(52)SE:

Select the variable ImageVersion.

Select the operator equals.

Enter the value 2.2(52)SE.

To group all devices whose IP Addresses are


within the range 10.10.0.0 to 10.10.50.255

Select the variable IP.Address.

Select the operator range.

Enter the value 10.10.[0-50].[0-255].

Administration of Cisco Prime LAN Management Solution 4.2

5-18

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

Table 5-1

Group Attributes in LMS

Attribute

Description

Example

IP.Address_Type

Version of IP, IPv4 or IPv6

To group all IPv6 devices:

IP.Network_Mask

IPv4.Subnet

IPv4.SubnetMask

IPv6.Subnet

IPv6.SubnetMask

ManagementIpAddress

Network mask address

Select the variable IP.Address_Type.

Select the operator =.

Select IPv6.

To group all devices having network mask


address starting with 255.255.255:

IPv4 subnet of a device.

Select the variable IP.Network_Mask.

Select the operator startswith.

Enter the value 255.255.255.

To create a group of all devices having


subnet 32:

IPv4 subnet mask of a device.

IPv6 subnet of a device.

Select the variable IPv4.Subnet.

Select the operator contains.

Enter the value 32.

To create a group of all devices having


subnetmask starts with 255.

Select the variable IPv4.SubnetMask.

Select the operator startswith.

Enter the value 255.

To create a group of all devices having


subnet 32

IPv6 subnet mask of a device.

IP Address used to access the device.


Both IPv4 and IPv6 address types are
supported.

Select the variable IPv6.Subnet.

Select the operator contains.

Enter the value 32.

To create a group of all devices having


subnetmask starts with 255.

Select the variable IPv6.SubnetMask.

Select the operator startswith.

Enter the value 255.

To group all devices having Management IP


address starting with 10.77.215:

Select the variable


ManagementIpAddress.

Select the operator startswith.

Enter the value 10.77.215

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-19

Chapter 5

Managing Groups

Device Group Administration

Table 5-1

Group Attributes in LMS

Attribute

Description

Example

MDFId

To create a group of all devices having MDF


Normative name for the device type as
described in Cisco Meta Data Framework ID 323.
(MDF) database. Each device type has a
Select the variable MDFID.
unique normative name defined in MDF.
Select the operator equals.

Memory.Free

Memory.Name

Memory.Size

Memory.Type

Memory.Used

Model

Free memory in MB.

Name of the memory.

Total RAM size in MB.

Memory type.

Used memory in MB.

Model of the device. The third level


entries in the Device Type tree in DCR
Device Management UI.
For example, the model Cisco 3101
Router falls under the Cisco 3100
Series Routers, which comes under the
category Routers.

Enter the value 323.

To create a group of all devices having free


Memory greater than 83 MB.

Select the variable Memory.Free.

Select the operator >.

Enter the value 83.

To create a group of all devices having


Memory name starting with workspace:

Select the variable Memory.Name.

Select the operator startswith.

Enter the value workspace.

To create a group of all devices having


Memory size greater than 512 MB.

Select the variable Memory.Size

Select the operator >.

Enter the value 512.

To create a group of all devices having


processorMemory.

Select the variable Memory.Type

Select the operator equals.

Enter the value processorMemory.

To create a group of all devices having


Memory used size less than 30 MB.

Select the variable Memory.Used

Select the operator <.

Enter the value 30.

To create a group of all Cisco 3101 Routers.

Select the variable Model

Select the operator contains.

Enter the value Cisco 3101 Routers.

Administration of Cisco Prime LAN Management Solution 4.2

5-20

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

Table 5-1

Group Attributes in LMS

Attribute

Description

Example

Module.HW_Version

Module hardware version.

To create a group of all devices having


Module hardware version 3.x

Module.Model_Name

Module.Port_Count

Module.Serail_Number

Module.Vendor_Type

Processor.Model_Name

Name of the model.

Select the variable


Module.HW_Version.

Select the operator startswith.

Enter the value 3.

To create a group of all devices having


model name starting with NM-16.

Total ports on that module.

Select the variable


Module.Model_Name.

Select the operator startswith.

Enter the value NM-16.

To create a group of all devices having 16


port modules.

Serial number of the module.

Vendor type of the module.

Name of the model.

Select the variable


Module.Model_Count.

Select the operator =.

Enter the value 16.

To create a group of all devices having


module serial number starting with FOC08.

Select the variable


Module.Serail_Number.

Select the operator startswith.

Enter the value FOC08.

To create a group of all devices having


module vendor type starting with cevPwr.

Select the variable


Module.Vendor_Type.

Select the operator startswith.

Enter the value cevPwr.

To create a group of all devices having


pentium processor.

Select the variable


Processor.Model_Name.

Select the operator contains.

Enter the value pentium.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-21

Chapter 5

Managing Groups

Device Group Administration

Table 5-1

Group Attributes in LMS

Attribute

Description

Example

Processor.NVRAM_Size

Size of the processor NVRAM in MB.

To create a group of all devices having


NVRAM greater than 512 KB.

Processor.NVRAM_Used

Processor.Port_Count

Processor.RAM_Size

Processor.Serial_Number

Processor.Vendor_Type

Size of the processor NVRAM that has


been utilized, in MB.

Total port count of the processor

Size of the processor RAM in MB.

Serial number of the processor.

Vendor type of the processor.

Select the variable


Processor.NVRAM_Size.

Select the operator >.

Enter the value 512.

To create a group of all devices with


NVRAM used size greater than 23 KB.

Select the variable


Processor.NVRAM_Used.

Select the operator >.

Enter the value 23.

To create a group of all devices having 24


ports processor.

Select the variable


Processor.Port_Count.

Select the operator =.

Enter the value 24.

To create a group of all devices having


processor RAM of 0f 128 MB.

Select the variable


Processor.RAM_Size.

Select the operator =.

Enter the value 128.

To create a group of all devices containing


processor serial number JAE081.

Select the variable


Processor.Serial_Number.

Select the operator contains.

Enter the value JAE081.

To create a group of all devices containing


processor vendor type cevCpu37252fe.

Select the variable


Processor.Vendor_Type.

Select the operator contains.

Enter the value cevCpu37252fe.

Administration of Cisco Prime LAN Management Solution 4.2

5-22

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

Table 5-1

Group Attributes in LMS

Attribute

Description

Example

Series

Series to which the device belongs. The


second level entries in the Device Type
tree in DCR Device Management UI.

To create a group of Cisco 3100 Series


Routers.

System.ASP_Capability

System.Contact

System.Description

System.DomainName

System.Identity_Capability

Groups devices according to their Auto


Smartport capability

Device contact person name.

Description of the system.

Select the variable Series.

Select the operator equals.

Enter the value Cisco 3100 Series


Routers.

To create a group of all ASP_Enabled


devices.

Select the variable


System.ASP_Capability.

Select the operator =.

Select the value ASP_Enabled.

To create an User Defined group whose


member devices have a common system
contact person, J Smith

Select the variable System.Contact.

Select the operator equals.

Enter the value J Smith.

To create a group of all devices having Cisco


IOS software.

Device domain name.

Select the variable


System.Description.

Select the operator contains.

Enter the value Cisco IOS software.

To create a group of all Cisco.com devices.

Groups devices according to their


Identity capability

Select the variable


System.DomainName.

Select the operator contains.

Enter the value Cisco.com.

To create a group of all Identity_Enabled


devices.

Select the variable System.Identity_


Capability.

Select the operator =.

Select the value Identity_Enabled.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-23

Chapter 5

Managing Groups

Device Group Administration

Table 5-1

Group Attributes in LMS

Attribute

Description

Example

System.Location

Device location information.

To create a System Defined Group whose


member devices are located in Bldg 1
Devices

System.Name

Name of the device as configured by the


Administrator.

System.OSTYPE

Type of the operating system.

System.Smart_Install_Directors

SystemObjectID

Groups devices according to their Smart


Install capability

SysObjectID of the device as configured


by the Administrator. It may be
UNKNOWN in the case the facility that
populates the repository does not know
the value.

Select the variable System.Location.

Select the operator equals.

Enter the value Bldg 1 Devices.

To create a group of all devices whose


system name has NDX

Select the variable System.Name.

Select the operator contains.

Enter the value NDX.

To create a group of all devices having


UNIX OS.

Select the variable System.OSTYPE.

Select the operator contains.

Enter the value UNIX.

To create a group of all Smart Install


software incapable devices.

Select the variable


System.Smart_Install_Directors.

Select the operator =.

Enter the value Smart


Install_SW_Incapable.

To group all devices whose systemObjectID


starts with 1.3.6.1.4.1.9

Select the variable SystemObjectID.

Select the operator startswith.

Enter the value 1.3.6.1.4.1.9.

The User-Defined Fields (UDFs) available in the variable drop-down list is taken from DCR. You can
create UDFs at Admin > Network > Device Credential Settings > User Defined Fields. For details,
see Adding User Defined Fields.
If you create a UDF that is similar to one of the predefined System Defined attributes, an _UDF suffix is
appended to the User-Defined Field you add, to distinguish these two attributes.
For example if you create a UDF called DisplayName (which is one of the predefined attributes present
in the Variable drop-down list), this will be displayed as DisplayName_UDF.

Note

You should not create a UDFs in the format System Defined Field_UDF, where System Defined Field
stands for any attribute listed in the above table.

Administration of Cisco Prime LAN Management Solution 4.2

5-24

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

By default, four UDFs are available. You can create an additional six UDFs in DCR. The maximum
number of UDFs that can be added in the Variable drop-down list is 10.

Assigning Group Membership


You can include more devices or exclude devices using this option. To decide the devices that will be
available to the group you have created, the wizard uses the details of the parent members and rules you
have already specified.
These devices appear in Available Objects From Parent Group column based on the properties and rules
you have already specified in the Properties:Create and Rule:Create dialog boxes. See Specifying Group
Properties and Defining Group Rules for more information.

Note

You can add devices from the list of available objects in the parent group even if they do not match
membership criteria.
To add devices to the group you have created:

Step 1

Select one or more devices in Available Objects From Parent Group column.
To select multiple devices, hold the Ctrl or Shift keys down and click on the devices.

Step 2

Click Add.
The selected devices are removed from the Available Objects From Parent Group and added to the Object
Matching Membership Criteria column.

To remove devices from the group:


Step 1

Select one or more devices in Object Matching Membership Criteria column.


To select multiple devices, hold the Ctrl or Shift keys down and click on the devices.

Step 2

Click Remove.
The selected devices are removed from the Object Matching Membership Criteria column and added to
Available Objects From Parent Group.

Step 3

Click Next.
The Summary:Create window appears. It displays the group name, the parent group, description, the
membership update type, group rules, and the visibility scope of the group you created.
If you want to change the parameters, click Back to go back to the previous windows and make changes.

Step 4

Click Finish to create the group based on the parameters specified.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-25

Chapter 5

Managing Groups

Device Group Administration

Viewing Group Details


You can view the details of a group using this feature.
To view the details of a group:
Step 1

Either:

Select Admin > System > Group Management > Device.


The Group Administration page appears.

Or

Select Inventory > Group Management > Device.


The Group Administration page appears.

Step 2

Select a group from the Group Selector pane.


The Group Info pane on the right side displays the high-level properties of the selected group.

Step 3

Click Details.
The Group Administration wizard displays the details of the group in Properties:Details window.

Click View Parent Rules to display the rules set for the parent group.
The rules set for the parent group are displayed in the Show Parent Rules window.

Click Membership Details to display a list of devices and their corresponding object types.
The membership details are displayed in Membership:Details window.
In the Membership:Details window, you can:
Click on the column headers to sort the entries in the table.
Select the number of rows to be displayed in the table in the Rows per page option.

Step 4

Click Property Details to return to the Property:Details window.

Click Cancel to return to the Group Administration and Configuration page.

Administration of Cisco Prime LAN Management Solution 4.2

5-26

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

Modifying Group Details


You can modify some of the details for a group using this feature.
To modify the details of a group:
Step 1

Either:

Select Admin > System > Group Management > Device.


The Group Administration page appears.

Or

Select Inventory > Group Management > Device.


The Group Administration page appears.

Step 2

Select a group from the Group Selector pane.


The Group Info fields on the right side displays details of the selected group.

Step 3

Click Edit.
The Group Administration wizard guides you through the process of editing a group. It displays the
details of the group in Properties:Edit window.

Step 4

Change the Group Name, Description, Membership Update, and Visibility Scope in the Properties:Edit
dialog box.
You cannot change the Parent group or copy attributes from a different group in Edit mode.

Step 5

Click Next.
The wizard takes you to the Rules:Edit window.

Step 6

Change the rules as required. For details on creating the rules, see Defining a Group Rule.

Step 7

Click Next.
The wizard takes you to the Membership:Edit window.

Step 8

Add or remove devices from the list of objects in Objects Matching Membership Criteria as required.
For details on creating the rules, see System Defined Attributes.

Step 9

Click Next.
The wizard takes you to the Summary window.
If you want to change the parameters specified, click Back to go back to the previous windows and make
changes to the properties or rules.

Step 10

Click Finish to modify the group.

Step 11

Click OK.
The Group Administration wizard copies the attributes of the selected group and displays it in the
corresponding fields in Properties:Create window.
Note that the Parent group you have selected for the group does not change even if you are copying
attributes from a group that belongs to a different Parent group.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-27

Chapter 5

Managing Groups

Device Group Administration

Refreshing Groups
You can recompute the membership of a group by re-evaluating the group rule. The membership of
Automatic groups is recomputed dynamically.
The membership of Only-upon-user-request groups is recomputed only when explicitly refreshed with
this option.

Note

Only users with read-write access can refresh the Only-upon-user-request groups.
To refresh a group:

Step 1

Either:

Select Admin > System > Group Management > Device.


The Group Administration page appears.

Or

Select Inventory > Group Management > Device.


The Group Administration page appears.

Step 2

Select a group from the Group Selector pane.


The Group Info fields on the right pane displays details of the selected group.

Step 3

Click Refresh.
The Group Administration popup window prompts you for confirmation.

Step 4

Click Yes.
The selected group is recomputed and the window, refreshed.

Whenever you delete devices from a group, refresh the group so that group membership is recomputed.

Deleting Groups
You can delete a group from the Group Selector. When you delete a group, all the child groups under the
group are also deleted. You can also delete the stale groups (groups that belong to users removed from
Cisco Prime).
To delete a group:
Step 1

Either:

Select Admin > System > Group Management > Device.


The Group Administration page appears.

Or

Select Inventory > Group Management > Device.


The Group Administration page appears.

Step 2

Select the group from the Group Selector.

Administration of Cisco Prime LAN Management Solution 4.2

5-28

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

The Group Info fields on the right pane displays details of the selected group.
Step 3

Click Delete.
The Group Administration prompts you for confirmation.

Step 4

Click Yes.
The selected group is deleted.

See Deleting Stale Groups Using CLI for more information on how to delete stale groups using CLI.

Exporting Groups
This feature helps you to export a User-defined group hierarchy into a file.
You can export a selected User-defined group hierarchy or all User-defined groups in a LMS Server to
an output file.
Private User-defined groups created by other users will not be exported. However, the
privateUser-defined groups created by you will be exported.
You must have Network Administrator, System Administrator or Super Admin privileges to export
groups.
In a Multi-server setup, you can export the User-defined groups installed in all LMS Servers of the same
DCR domain. You can do this from a DCR Master Server and a Slave server.
Grouping Services supports exporting User-defined groups to an XML format only. CSV file formats are
not supported.
See Sample Export Groups Output File for sample XML file generated by the Grouping Services export
utility.

Note

We recommend that you use the file generated by the Grouping Services export utility for import
operations and do not edit the XML file.
You can:

Exports Groups from the User Interface. See Exporting Groups From User Interfacefor details.
or

Export Groups through the CLI. See Exporting Groups Through CLI for details.

This section explains:

Sample Export Groups Output File

Exporting Groups From User Interface

Sample Export Groups Output File


<?xml version="1.0" encoding="UTF-8"?>
<!--This content is generated by OGS Import Export operations-->
<ogs-groups>
<server name="LMS@server-name">
<ogs-group-definition>
<name>/CS@server-name/User Defined Groups/CSDyna</name>

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-29

Chapter 5

Managing Groups

Device Group Administration

<description> </description>
<rule/>
<evaluation-type>2</evaluation-type>
<scope>PUBLIC</scope>
<tags>
<tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/>
<tag tag-name="USER_DEFINED" tag-value="TRUE"/>
<tag tag-name="__GROUP_ID" tag-value="CS$216"/>
<tag tag-name="__GROUP_OWNER" tag-value="admin"/>
</tags>
</ogs-group-definition>
<ogs-group-definition>
<name>/CS@server-name/User Defined Groups/CSStat</name>
<description/>
<rule>:CMF:DCR:Device.DisplayName contains "77"</rule>
<evaluation-type>1</evaluation-type>
<scope>PUBLIC</scope>
<tags>
<tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/>
<tag tag-name="USER_DEFINED" tag-value="TRUE"/>
<tag tag-name="__GROUP_OWNER" tag-value="admin"/>
<tag tag-name="__GROUP_ID" tag-value="CS$221"/>
</tags>
</ogs-group-definition>
</server>
</ogs-groups>

Exporting Groups From User Interface


To export device groups from the user interface:
Step 1

Select Admin > System > Group Management > Device.


The Group Administration page appears.

Step 2

Select a User-defined Group hierarchy from the Group Selector.

Step 3

Click Export.
The Export Groups dialog box appears.

Step 4

Select either one of the following options:

Export the selected User-defined Group hierarchy Exports the selected User-defined Group and
its child groups.

Or

Export All Applications User-defined Groups Exports all User-defined Groups from all
applications installed on all LMS Server in the same DCR domain.

The browser-specific File Download window appears prompting you to open or save the output XML
OGSExport.xml file.
Step 5

Click either of the following buttons:

Open to open the XML file

Or

Save to store the file on the client system with the same or a different filename.

Administration of Cisco Prime LAN Management Solution 4.2

5-30

OL-25947-01

Chapter 5

Managing Groups
Device Group Administration

Importing Groups
This feature helps you to import User-defined group hierarchies from an input XML file to the LMS
Server.

Note

You cannot import User-defined groups from older versions of LMS to LMS 4.0 and later versions.
You can import User-defined groups from an input file to the LMS Server.
The private User-defined groups in the input XML file will be imported as your private User-defined
groups in LMS Server. They will not be visible to other users.
You must have Network Administrator, System Administrator or Super Admin privileges to import
groups.
In a Multi-server setup, you can import User-defined groups from a DCR Master Server and a Slave
server.

Note

We recommend that you use the file generated by the Grouping Services export utility for import
operations and do not edit the XML file.
You can:

Importing Groups From User Interface


Or

Importing Groups Through CLI

This section explains:

Important Notes on Importing Groups

Importing Groups From User Interface

Important Notes on Importing Groups


Read the following notes before importing User-defined groups:

You must have the required file permissions to select a source XML file for import groups operation.

After importing groups, the group selector may take some time to refresh and display the latest
groups information.
You must launch the Groups Administration page again to view the newly imported groups.
To launch the Groups Administration page, select Admin > System > Group Management >
Device.

Importing groups from an input XML file fails if:


The groups to be imported to the selected Grouping Server locations already exist.
The User-Defined Fields (UDF) that are configured for the import group rules are not available

in the Grouping Servers to which the groups are to be imported.

Importing Groups From User Interface


To import device groups from the user interface:

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-31

Chapter 5

Managing Groups

Device Group Administration

Step 1

Either:

Select Admin > System > Group Management > Device.


The Group Administration page appears.

Or

Select Inventory > Group Management > Device.


The Group Administration page appears.

Step 2

Click Import.
The Import Groups - File Selection dialog box appears.

Step 3

Enter an input XML file name in the File Name field or click Browse to select a file from the client
system.
The Import Groups dialog box appears with a list of import groups specified in the input XML file.

Step 4

Select the list of groups to be imported from the Import Groups From field.

Step 5

Select a server location to which the groups are to be imported in the Import Groups to Servers field.
You can select multiple Grouping Server locations or All to select all the Grouping Server locations.
This field is disabled on LMS Servers operating in the DCR Standalone mode.

Step 6

Click OK.
A message appears indicating if the groups were imported or not.
See Important Notes on Importing Groupsfor the possible causes of the import job failure.

See Using Group Administration Features Through CLI for more information on using group
administration feature using CLI.

Overview of Subnet Based Groups


Subnet based groups are automatically created when devices are managed. These are a part of System
defined groups. You cannot create, edit or delete them.
Subnet based groups help you work on smaller subsets of devices that are logically grouped. They are
automatically deleted when all the devices in a subnet are deleted.
This topic covers:

Accessing Subnet Based Groups

Understanding Subnet Based Groups

Creating Groups Based on Subnet

Accessing Subnet Based Groups


To access Subnet based groups:

Select Admin > System > Group Management > Device.


The Group Administration page appears.

Or

Administration of Cisco Prime LAN Management Solution 4.2

5-32

OL-25947-01

Chapter 5

Managing Groups
DCR Mode Changes and Group Behavior

Select Inventory > Group Management > Device.


The Group Administration page appears.

This displays the Group Management page. The Group Selector field displays two groups,
System-defined Groups and User Defined Groups. The Subnet Based Groups are created under System
Defined Groups.

Understanding Subnet Based Groups


The Subnet based groups use the following name format:
Subnet -- Subnet Mask.

The rule expression for Subnet Based Groups has the following components:
Class.attribute operator "value"

For example,
Device.IP.Subnet equals "172.20.104.192" AND Device.IP.SubnetMask equals "255.255.255.240"

The rule above will select all devices of subnet 172.20.104.192 and subnet mask 255.255.255.240.

Creating Groups Based on Subnet


When you need to create subnet based groups, you can do it under User defined groups.
For example, the following rules might be used to create two groups based on the IP address subnet:
Device.IP.Subnet equals "172.29.252.32"
Device.IP.Subnet equals "172.29.252.64"

The examples provided here are simple. However, the Grouping Service allows complex rules to be
arbitrarily formed by combining rule expressions with AND, OR or the EXCLUDE operators. This gives
the administrator the power and flexibility to create view partitions tailored to the needs of their site.

DCR Mode Changes and Group Behavior


The DCR modes have a bearing on how groups are displayed in the Groups UI. Also the DCR mode
decides whether you can perform any operation on the groups.
In Standalone mode, you can create system-defined and user-defined groups.
In Slave mode, LMS allows you to preserve the user-defined groups, and create new system-defined
device groups.
The port and module groups, Fault groups and Collector groups are not affected by the change in the
DCR mode.
All DCR devices in the Slave are removed, and synchronized with the Master server. Therefore, in a
cluster that has several Slaves and a Master, if you need to create LMS group, you need to go to the LMS
Groups UI in the Master and create the group. The group you create there, will be synchronized with the
Slaves.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-33

Chapter 5

Managing Groups

DCR Mode Changes and Group Behavior

The following table gives details of DCR mode changes and implications on Groups.
Mode Changed to:
The Initial
Mode

Standalone

Slave

Master

Standalone

Not applicable.

Slave will get Masters groups, both


system-defined and user-defined groups.

No change in the Group


hierarchy.

You can also create new user-defined


groups in the Slave. These groups will not
be shared with the Master or other slaves in
the domain.
Device Allocation Policy gets disabled
(Inventory > Device Administration >
Device Allocation Policy).
Slave

Device Allocation Policy gets Not applicable.


enabled. The groups pertaining
to Master and Slaves will be
removed.
The existing Device Allocation
Policy is retained.

Device Allocation Policy gets


enabled. Groups pertaining to the
previous Master and the
associated Slaves will be
removed.
Local groups will behave in the
same manner.
The existing Device Allocation
Policy is retained.

Master

All dependent Slaves will


switch to Standalone mode.
All groups pertaining to other
machines will be removed.
Device Allocation Policy will
be enabled on all machines in
the cluster.

If you select Inform current Slaves of new Not applicable.


Master Hostname when you change the
mode to Slave, all the Slaves in the domain,
switch to the new Master.
In this case, the groups in the Master will be
seen in the new Slave. Device Allocation
Policy gets disabled.
If this check box is not selected, the new
Slave will pickup the groups of the new
Master. Other Slaves in the domain will
move to Standalone mode.

Unregistering a Slave
The Unregister Slave utility helps you unregister a Slave that is no longer a part of the domain.
The utility is useful in the following scenarios:

Change in Slave mode because of Backup and Restore. That is, if data is restored from Standalone
or Master belonging to a different domain.

When you uninstall Cisco Prime from the Slave.

Change in Slave mode, when master is not reachable. If the Master is down when the Slave mode
changes, the Master will not be aware of the Slave mode change, when it comes up.

The Master will not receive any data from the Slave, but the Slave information will still be in its registry.
A redundant group (such as LMS@Slave) will still appear in the Master Groups UI.

Administration of Cisco Prime LAN Management Solution 4.2

5-34

OL-25947-01

Chapter 5

Managing Groups
Port and Module Group Administration

In the case of DCR, any device operation on Master will update the Slave list. However, this does not
happen in the case of Groups.
You can run the UnregisterSlave utility to remove any unwanted slave information:
From the CLI, run:
NMSROOT/bin/perl NMSROOT/bin/UnregisterSlave.pl slave host name
You have to enter the hostname of the machine you want to unregister.
For information on effects of backup-restore on data, DCR modes, and Groups, see Effects of
Backup-Restore on DCR and Effects of Backup-Restore on Groups.

Behavior of IP Address Range Based Device Groups in Multi-Server Setup


The range operator allows you to group devices within a specified range of IP addresses.
In a Master-Slave setup:

When the Master server is using an earlier version of LMS, you cannot create device groups based
on IP Address range.

When the Slave server is using an earlier version of LMS, the IP Address Range based device groups
information in the Master is synchronized with the Slave.
Even if you change the mode of Slave server to Standalone, the IP address range based device groups
will remain as they were in the Groups Server.
However, you cannot retrieve the device group information from the Standalone LMS Server to view
it in the user interface. To retrieve and view the device group information, you should either:
Upgrade the LMS in Standalone LMS Server to LMS 4.2.

Or
Change the mode of the LMS Server that has the earlier version of LMS 4.2 from Standalone to

Slave for a DCR Master with the latest version of the software.

Port and Module Group Administration


LMS allows you to create groups based on ports and modules for a selected set of devices or device
groups using Port and Module Group Administration.
Notes for Port and Module Configuration
1.

Port and Module configuration depends on the data collected by LMS Inventory. For the Port and
Module configuration to work properly, the inventory collection for the devices must be successful.

2.

You must trigger a fresh inventory collection to update all the port and module attributes.

3.

If the data collection is not successful, then data will not be available for some attributes.

4.

The following are the recommended number of ports in LMS:


1.

The maximum number of ports supported in LMS is 500,000 ports.

2.

The maximum number of ports supported in a port group is 100,000 ports.

3.

The maximum number of ports supported in an LMS job is 250,000 ports.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-35

Chapter 5

Managing Groups

Port and Module Group Administration

4.

In some devices, duplicate entries are returned for the ifName MIB. In such cases, only one entry
for the ifName will be considered and the duplicate entries will be dropped.

5.

The port information is fetched from the ifXtension MIB. If the ifXtension MIB is not supported in
the device, then port configuration for the device will not work.
For example, if a device supports only SNMPv1, then ifXtension MIB will not be supported in the
device. In this case, the port configuration for the device will not work.

The LMS Port and Module Group Browser window contains these fields. (See Table 5-2)
Table 5-2

Fields on Port and Module Group Browser

Field/Button

Description

Group Name

Name of the group created.


By default, the following System-defined groups are displayed:

1 Gbps Ethernet PortsContains all 1 Gbps Ethernet ports in the network.

10 Gbps Ethernet PortsContains all 10 Gbps Ethernet ports in the network.

10 Mbps Ethernet PortsContains all 10 Mbps Ethernet ports in the network.

100 Mbps Ethernet PortsContains all 100 Mbps Ethernet ports in the network.

Access PortsContains all the Access mode ports.

DMP PortsContains all ports connected to DMP.

End HostsContains all ports connected to End Hosts.

IP PhonesContains all ports connected to IP Phones.

IPVSC PortsContains all ports connected to IPVSC.

Link PortsContains all ports connected to other devices.

Description

Description of the group created.

Group Type

Type of the group created. For example, Port or Module.

Created By

User who created the group.

Last Modification
Time.

Time at which the group settings were last modified.

Rows per page

This page displays the number of rows you have set for display in the Rows per page field.
You can increase the rows to 500 for each page by selecting the Rows per Page drop-down list. You
can navigate through the pages of the report using the navigation icons at the bottom right of this table.

Create

Starts the Group Creation Wizard for creating a group, as described in the Creating Port and Module
Groups.

Edit

Starts the Group Edit Wizard for editing an existing group, as described in the Editing Port and Module
Groups.

View

Allows you to view the group details, as described in the Viewing Port and Module Group Details.

Delete

Deletes the group, as described in the Deleting Port and Module Groups.
You can perform the following tasks from the LMS Port and Module Group Browser window:

Creating Port and Module Groups

Editing Port and Module Groups

Administration of Cisco Prime LAN Management Solution 4.2

5-36

OL-25947-01

Chapter 5

Managing Groups
Port and Module Group Administration

Viewing Port and Module Group Details

Deleting Port and Module Groups

Creating Port and Module Groups


Creating a Port and Module Group involves the following steps:
1.

Entering the Port and Module Group Properties Details

2.

Selecting Group Source

3.

Defining Rule Expression for Port or Module Groups

4.

Understanding the Summary

You must complete all tasks in this sequence to create a group. If you exit the wizard at any stage using
Cancel, the details you have specified will be lost and the group will not be created.

Note

Port and Module configuration depends on the data collected by the LMS Inventory. For the Port and
Module configuration to work properly, the inventory collection for the devices must be successful.

Entering the Port and Module Group Properties Details


In this step, you will enter the name and description for the group.
The Port and Module Group Properties dialog box contains the following fields. (See Table 5-3)
Table 5-3

Fields on the Port and Module Group Properties dialog box

Field

Description

Group Name

Name of the group you are creating.

Description

Text description of the group.

To enter the values in Port and Module Group Properties dialog box:
Step 1

Either:

Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).

Or

Select Inventory > Group Management > Port and Module.


The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).

Step 2

Click Create.
The Group Properties page appears.

Step 3

Enter a unique name for the group in the Group Name field.

Step 4

Enter a description for the group in the Description field (optional).

Step 5

Click Next.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-37

Chapter 5

Managing Groups

Port and Module Group Administration

The Select Group Source page appears, displaying the Device Selection dialog box.

Selecting Group Source


In this step, you need to select the Group source. This can be either devices or groups (System-defined
or User-defined).
The Select Group Source page displays the Device Selection and Group Selection dialog box. The
Device Selection and Group Selection dialog box contains the following fields. (See Table 5-4)
You must select either devices or device groups from Device Selector or Group Selector, respectively.
Table 5-4

Fields on the Device Selection dialog box

Fields

Description

Device Selector

Displays all LMS devices in the group.

Search Input

Enter the search expression in this field.


You can enter single device names or multiple device names. If you are entering
multiple device names, separate them with a comma. You can also enter the
wildcard characters * and "?".
For example: 192.168.10.1*, 192.168.20.*

Search

Use this icon to perform a simple search of devices based on the search criteria
you have specified in the Search Input text field.
For information on Search, see Performing Simple Search.

Advanced Search

Use this icon to perform an advanced search of devices based on the search
criteria you have specified in the Search Input text field.
For information on Advanced Search, see Performing Advanced Search.

All

Lists all User-defined and System-defined groups for all applications that are
installed on LMS Server.
For more information, see Selecting Devices From All Tab.

Search Results

Displays all the search results from Search or Advanced Search.


For more information, see Selecting Devices From Search Results.

Selection

Lists all the devices that you have selected in the Search Results or All tab.
Using this tab, you can deselect devices from the list.

Group Selector

Displays all groups in LMS.

To select the group source:


Step 1

Either:

Select Device Selector.

Select the devices.

or

Select Group Selector.

Administration of Cisco Prime LAN Management Solution 4.2

5-38

OL-25947-01

Chapter 5

Managing Groups
Port and Module Group Administration

Step 2

Select the groups.

Click Next.
The Rule Express page appears.

Defining Rule Expression for Port or Module Groups


In this step, you will define the rules for creating port or module groups. The rules you define in this
phase, determine the contents of the group. The rules you specify here, determine the ports and modules
to be included in the group.
You can either enter the rules directly in the Rule Text field, or select the components of the rule from
the Rule Expression fields, and form a rule.
The Rules Expression page contains the following fields:
Field/Buttons

Description

Object Type

Select the following object types to form a group:

Variable

Module

Port

Object type attributes, based on which you can define the group.
See Rule Attributes for Port and Module Creation.

Operator

Operator to be used in the rule. The list of possible operators change, based on the variable
selected.
When using the equals operator the rule is case-sensitive.

Value

Value of the rule expression. The possible values depend upon the variable and operator that you
select. Depending on the operator selected, the value may be free-form text or a list of values.
Wildcard characters are not supported.

Add Rule Expression

Adds the rule expression to the group rules.

(Button)
Rule Text

Displays the rule.

Check Syntax

Verifies that the rule syntax is correct.

(Button)

Use this button to verify the syntax of the rule that you have created before proceeding to the
next step.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-39

Chapter 5

Managing Groups

Port and Module Group Administration

Field/Buttons

Description

Include

Include List popup opens and lists all the modules or ports from the selected devices that do not
match the rule. You can choose to include those modules or ports for group creation.

(Button)

The Include List popup will also list the modules or ports that match the rule but will not be
enabled for selection.
Click Include to launch the Include List window. See Table 5-5 for descriptions of the fields in
the Include List window.
You can also include modules or ports for the selected devices, without specifying a rule, by
clicking Include.
Exclude

Exclude List popup opens and lists all the modules or ports from the selected devices that match
the rule. You can choose to exclude those modules or ports for group creation.

(Button)

The Exclude List popup will also list the modules or ports that do not match the rule but will not
be enabled for selection.
Click Exclude to launch the Exclude List window. See Table 5-5 for descriptions of the fields
in the Exclude List window.
To define the group rule:
Step 1

Go to the Rules Expression page.

Step 2

Set the parameters for Object Type, Variable and Operator.

Step 3

Enter the desired value for the Variable you have selected.

Step 4

Click Add Rule Expression.


The LMS Port and Module Group Administration creates the rule based on the parameters you have
specified and adds it to the rules already present in the Rules Text field. You can use the same procedure
to add more rules.
You can manually add or change any text in the Rule Text box.

Step 5

Step 6

Click Include or Exclude.

IncludeA popup window appears, allowing you to include ports or modules for the group. See
Table 5-5 for the descriptions of the fields in the Include List window.

ExcludeA popup window appears, allowing you to exclude ports or modules for the group. See
Table 5-5 for the descriptions of the fields in the Exclude List window.

Click Check Syntax to validate the rules expression syntax.

If the syntax is correct, an information box appears with a message, The rule syntax is valid.
If the syntax is incorrect, an error box appears with a message, You have entered an invalid
rule. Enter a valid rule. See the Help for examples of valid rules.

For examples on defining valid rules, see Examples for Port and Module Groups.
Step 7

Click Next.
The Summary page appears, displaying the group properties. See Understanding the Summary.

Administration of Cisco Prime LAN Management Solution 4.2

5-40

OL-25947-01

Chapter 5

Managing Groups
Port and Module Group Administration

Note

You can also include modules or ports for the selected devices, without specifying a rule, by clicking
Include.
If you include the ports or modules for the selected devices, and also exclude the same ports or modules,
the exclude option will have a higher priority.
Rule Attributes for Port and Module Creation

The following table lists the available attributes that you can use to define rules to create port and module
groups.
Object Type Attribute

Description

Module

AdminStatus

Administrative status of the module. For example,


Enabled/Commissioned.

FW_Version

Firmware version of the module. For example, 12.1(27b)E1

ModuleName

Name of the module. For example, Linecard

OperStatus

Operational status of the module. For example, Dormant

SlotNumber

Slot number of the module. For example, 6

SW_Version

Software version of the module. For example, 12.1(27b)E1

VendorType

Vendor type of the module. For example, cevAS53004ct1

AdminStatus

Administrative status of the port. For example, Disabled/Decommissioned

CM.AccessStatus

Whether the port is an Access port or not.

CM.Channel

Whether the port is a channel port.

CM.Duplex

The duplex mode of the port. The values could be unknown-duplex,


full-duplex, half-duplex, default, disagree, auto-duplex.

CM.JumboFrameEnabled

Whether the port is JumboFrame enabled or disabled.

CM.L2L3

Whether the port is in switched or routed mode.

CM.LinkStatus

Link status of the port. Whether the link is up or down.

CM.Neighbor

Whether the port is connected to a device, IP Phone, or End Host.

CM.TrunkStatus

Whether the port is a Trunk port. If trunk is configured in the port, then it
is a trunk port.

CM.VLAN_ID

The index of the VLAN configured on the port.

CM.VLAN_NAME

Name of the VLAN configured on the port.

CM.VTP_DOMAIN

Name of the VTP Domain that the port is associated with.

EnergyWise_Importance

EnergyWise Importance of the device.

Port

This value prioritizes the devices in a domain based on their power usage.
EnergyWise_Role

Role or function of the device in the EnergyWise domain.

EnergyWise_Keyword

A word that will help you identify a specific device or group of devices in
the EnergyWise domain.

FlexLink

Whether the FlexLink status of the port is enabled or disabled.

IFIndex

IFIndex of the port. For example, 10

IsEnergyWisePort

Specifies if the port is EnergyWise-enabled.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-41

Chapter 5

Managing Groups

Port and Module Group Administration

Object Type Attribute

Description

Port
(contd.)

Specifies the security mode, based on the level of security you wish to
implement in your network. The three types of security modes are:

Identity_Security_Mode

Monitor Mode

Low Impact Mode

High Security Mode

MACsecStatus

You can enable or disable MACsec on the interface. MACsec provides


secure, encrypted communication on wired LANs.

OperStatus

Operational Status of the port. For example, Stopped/Suspended

PortDescription

Description of the port. For example, FastEthernet0/1

PortName

Name of the port. For example, Fa0/1

SpanEnabled

Whether the port is Span enabled.

Speed

Speed of the port. For example, 10000000 (for 10 Mbps)

Type

Enter the value for the port type.


For example, if you want to define a rule for the port type ethernetCsmacd,
you need to enter 6 as the value.
For information on the port type values, see
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=ift
ype&translate=Translate&submitValue=SUBMIT&submitClicked=true

Note

For the port attributes that start with name CM. , the data collection for the attributes must be successful.
Examples for Port and Module Groups

This section shows examples of a valid rule.


The following are some examples for grouping tasks:

Rule to select all the Ports whose Port Description contains the string: Ethernet

Rule to select all the Ports that are connected to another device

Rule to select all the Modules whose Slot number is 1

Rule with OR Operator

Rule with AND Operator

Rule to select all the Ports whose Port Description contains the string: Ethernet

This rule filters all ports whose Port description consists of the string Ethernet.
To provide rule expression for this scenario:
From the Create Rules dialog box:
Step 1

Select Port from the Object Type drop down listbox

Step 2

Select PortDescription from the Variable drop down listbox

Step 3

Select contains from the Operator drop down listbox

Administration of Cisco Prime LAN Management Solution 4.2

5-42

OL-25947-01

Chapter 5

Managing Groups
Port and Module Group Administration

Step 4

Enter Ethernet in the Value textbox

Step 5

Click Add Rule Expression


The following rule gets added to the Rule Text:
Port.PortDescription contains "Ethernet"

Rule to select all the Ports that are connected to another device

This rule filters all Ports that are connected to another device.
To provide rule expression for this scenario:
From the Create Rules dialog box:
Step 1

Select Port from the Object Type drop down listbox

Step 2

Select CM.LinkStatus from the Variable drop down listbox

Step 3

Select = from the Operator drop down listbox

Step 4

Select Configured in the Value drop down list box.

Step 5

Click Add Rule Expression


The following rule gets added to the Rule Text:
Port.CM.LinkStatus = "Configured"

Rule to select all the Modules whose Slot number is 1

This rule filters all the modules that are placed in slot number 1.
To provide rule expression for this scenario:
From the Create Rules dialog box:
Step 1

Select Module from the Object Type drop down listbox

Step 2

Select SlotNumber from the Variable drop down listbox

Step 3

Select = from the Operator drop down listbox

Step 4

Enter 1 in the Value textbox

Step 5

Click Add Rule Expression


The following rule gets added to the Rule Text:
Module.SlotNumber = "1"

Rule with OR Operator

Rule to list all ports whose Port description contains the string as either Ethernet or FastEthernet.
To provide rule expression for this scenario:
Step 1

From the Create Rules dialog box:


a.

Select Port from the Object Type drop down listbox

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-43

Chapter 5

Managing Groups

Port and Module Group Administration

b.

Select PortDescription from the Variable drop down listbox

c.

Select StartsWith from the Operator drop down listbox

d.

Enter Ethernet from the Value drop down listbox

e.

Click Add Rule Expression


The following rule gets added to the Rule Text:
Port.PortDescription StartsWith "Ethernet"

Step 2

Select the OR option from the logical operator list box.

Step 3

From the Create Rules dialog box:


a.

Select Port from the Object Type drop down listbox

b.

Select PortDescription from the Variable drop down listbox

c.

Select StartsWith from the Operator drop down listbox

d.

Enter FastEthernet in the Value textbox

e.

Click Add Rule Expression


The following rule gets appended to the Rule Text:
Port.PortDescription StartsWith "Ethernet" OR
Port.PortDescription StartsWith "FastEthernet"

The OR logical operator evaluates if either or both of the conditions are satisfied. The ports are selected
based on either or both of the matching criteria.

Rule with AND Operator

Rule to select all the FastEthernet Ports whose Operational status is up.
To provide rule expression for this scenario:
Step 1

From the Create Rules dialog box:


a.

Select Ports from the Object Type drop down listbox

b.

Select OperStatus from the Variable drop down listbox

c.

Select = from the Operator drop down listbox

d.

Select OK from the Value drop down listbox

e.

Click Add Rule Expression


The following rule gets added to the Rule Text:
Port.OperStatus = "OK"

Step 2

Select the AND option from the logical operator list box.

Step 3

From the Create Rules dialog box:


a.

Select Ports from the Object Type drop down listbox

b.

Select PortDescription from the Variable drop down listbox

c.

Select StartsWith from the Operator drop down listbox

d.

Enter FastEthernet in the Value textbox

e.

Click Add Rule Expression

Administration of Cisco Prime LAN Management Solution 4.2

5-44

OL-25947-01

Chapter 5

Managing Groups
Port and Module Group Administration

The following rule gets appended to the Rule Text:


Port.OperStatus = "OK" AND
Port.PortDescription StartsWith "FastEthernet"

The AND logical operator evaluates if both the parameters are satisfied. Only devices that satisfy both
the criteria are selected.

Include and Exclude

Table 5-5 describes the Include and Excludes window fields in the Rule Expression page of Port and
Module Group Administration.
Table 5-5

Include and Exclude Window Fields Description

Window

Fields/Buttons

Description

Include List

Device Selector

Devices selected for group creation.

Port Name/Module Name Name of the port or module in the device.


For some of the devices, if ports or module names
are not available in the device, the message Not
Available will be shown.
Description/Vendor Type Description of the port or module.
For some of the devices, if ports description or
module vendor type is not available in the device,
the message Not Available will be shown.
Slot Number

Slot number of the module.


This field is available only for modules.

Include

The selected ports or modules are included for


group creation.

(Button)
Filter by Port/Module
Name

Enter the filter expression and click Filter to filter


the port or modules in the device.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-45

Chapter 5

Managing Groups

Port and Module Group Administration

Table 5-5

Include and Exclude Window Fields Description

Window

Fields/Buttons

Description

Exclude List

Device Selector

Devices selected for group creation.

Port Name/Module Name Name of the port or module in the device.


For some of the devices, if ports or module names
are not available in the device, the message Not
Available will be shown.
Description/Vendor Type Description of the port or module.
For some of the devices, if ports description or
module vendor type is not available in the device,
the message Not Available will be shown.
Slot Number

Slot number of the module.


This field is available only for modules.

Exclude

The selected ports or modules are excluded from


group creation.

(Button)
Filter by Port/Module
Name

Enter the filter expression and click Filter to filter


the port or modules in the device.

Understanding the Summary


The final step in creating the port or module group is a summary page that displays the new group
definition.
The Summary page contains the following information. (See Table 5-6):
Table 5-6

Fields on the Summary page.

Field

Description

Group Name

Name of the group you are creating.

Description

Text description of the group.

Rule

Rules used to filter the group.

Devices/Groups in Rule

List of devices or groups to which the rule will be applied.

After reviewing the group summary, either:


Step 1

Click Finish to complete the procedure for Creating Groups.


A confirmation box appears.

Step 2

Click OK.
You can view the newly created group in the Port and Module Group Browser page.
Or
Click Back to change the group properties.

Administration of Cisco Prime LAN Management Solution 4.2

5-46

OL-25947-01

Chapter 5

Managing Groups
Port and Module Group Administration

Viewing Port and Module Group Details


To view the existing port or module group details:
Step 1

Either:

Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).

Or

Select Inventory > Group Management > Port and Module.


The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).

Step 2

Select the group name and click View.


The View Group Details page appears, displaying Group: Details dialog box with the following details:

Field/Button

Description

Group Name

Name of the group you are viewing.

Parent Group

Parent group of the group you are viewing.

Type

Type of the objects that belong to the group.

Description

Text description of the group.

Rule

Rules used to create the group.

Created By

User who created the group. This also displays the time at which the
group was created.

Last Modified By

User who last modified the group. This also displays the time at which
the group was last modified.

Devices/Groups

Devices or Device Groups that are part of the port or module group.

Membership Details

Used to view the list of devices that belong to the group. See Viewing
Membership Details.

(Button)
Cancel
(Button)

Closes the page and takes you back to the Port and Module Group
Browser page.

Viewing Membership Details

You can view a list of the objects that belong to a group by accessing the Group: Details dialog box.
Step 1

Either:

Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).

Or

Select Inventory > Group Management > Port and Module.


The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-47

Chapter 5

Managing Groups

Port and Module Group Administration

Step 2

Select the group name for which you want to view the membership details and click View.
The Group: Details dialog box appears.

Step 3

Click Membership Details.


The View Group Members dialog box appears with the following information:

Field/Button

Description

Device Selector

Devices selected for group creation.

Port Name/Module Name

Name of the port or module in the device that are part of the group.

Description

Description of the ports or modules in the device that are part of the
group.

Filter by Port/Module Name

Enter the filter expression and click Filter to filter the port or modules
in the device that are part of the group.

Close

To close the View Group Members dialog box.

(Button)

Editing Port and Module Groups


You can edit all attributes that are defined while creating a group, except Group Name.
To edit a port and module group:
Step 1

Either:

Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).

Or

Select Inventory > Group Management > Port and Module.


The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).

Step 2

Select the group by checking the check box.

Step 3

Click Edit.
The Group Properties page appears, displaying Port and Module Group Properties dialog box. See
Entering the Port and Module Group Properties Details.
You cannot:

Modify the Group Name field.

Click Finish to complete the edit flow.

Administration of Cisco Prime LAN Management Solution 4.2

5-48

OL-25947-01

Chapter 5

Managing Groups
Port and Module Group Administration

Step 4

Click Next.
The Select Group Source page appears, displaying either Device Selector or Group Selector dialog box.

Device Selection
If you have selected devices using Device Selector in the Create flow.
If you have created the group by including the ports or modules without specifying the rule in

the Create flow. In this case, only the devices for which you selected ports or modules are
displayed.
Or

Group SelectionIf you have selected device groups using Group Selector in the Create flow.

You can modify the devices or groups that you have selected, based on your requirement.
Step 5

Click Next.
The Rules Expression page appears, displaying the rule previously set. See Defining Rule Expression
for Port or Module Groups.
You can modify and define new rules.
If you include the ports or modules for the selected devices, and also exclude the same ports or modules,
the exclude option will have the higher priority.

Step 6

Click Next.
The Summary page appears, displaying the group details. Understanding the Summary.

Step 7

Either:
Click Finish to complete the editing procedure for the group.
Or
Click Back to change the group properties.

Note

You can click Finish at any point in the workflow.

Deleting Port and Module Groups


To remove an existing port or module group:
Step 1

Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups.

Step 2

Select the group to remove from the Port and Module Group Browser dialog box.

Step 3

Click Delete.
A confirmation dialog box shows that the group will be deleted.

Step 4

Click OK.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-49

Chapter 5

Managing Groups

Working with Fault System-defined Groups

Working with Fault System-defined Groups


The group selector displays some groups such as Access Port Groups, Trunk Port Groups, and Interface
Port Groups. See Fault System Defined Groups for more information.
You can control the polling and thresholds settings for these groups using Monitor > Threshold
Settings > Fault. See Monitoring and Troubleshooting Online Help for more information.
These system defined groups can be used when searching for devices using the Advanced Search option
in the device selector.
This section contains:

LMS System-defined Groups

Fault System Defined Groups

LMS System-defined Groups


The LMS system defined groups are visible to all Cisco Prime users, and are the factory default groups
administered by LMS. Device Groups appear in the group selector when they have device members, that
is, devices in the DCR that belong to that group.
The following are the LMS system defined groups:

Broadband Cable

Content Networking

DSL and LRE

Interfaces and Modules

Network Management

Non Cisco Devices

Optical

Routers

Security and VPN

Server Fabric Switches

Storage Networking

Switches and Hubs

Server Fabric Switches

Universal Gateways and Access Servers

Unknown Device Types

Voice and Telephony

Wireless

Administration of Cisco Prime LAN Management Solution 4.2

5-50

OL-25947-01

Chapter 5

Managing Groups
Working with Fault System-defined Groups

Fault System Defined Groups


The fault system defined groups are visible to all Cisco Prime users, and are the factory default groups
that are administered by the Fault Management module in LMS 4.0.
The following are the Fault Management system defined groups:

System defined access port groups:


1 GB Ethernet
10 GB Ethernet
10MB-100MB Ethernet
ATM
Others

System defined interface groups:


1 GB Ethernet
10 GB Ethernet
10MB-100MB Ethernet
ATM
Backup
Dial-on-Demand
FDDI
ISDN B channel
ISDN D channel
ISDN physical interface
Others
Serial
Token Ring

System defined trunk port groups:


1 GB Ethernet
10 GB Ethernet
10MB-100MB Ethernet
ATM
Others

A 10 GB Ethernet interface device, during an upgrade, behaves in the following ways:

If the 10MB - 100MB group has been set to high priority when compared to 1 GB Ethernet group,
then the 10GB device falls under the 10MB - 100MB group. In order to make it fall under 10 GB
Ethernet Group, you must set the priority of the group to high.

If the 10MB - 100MB group has been set to low priority when compared to 1 GB Ethernet group,
then the 10GB device falls under 10 GB group.

For more information, see Setting Priorities in Monitoring and Troubleshooting Online Help.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-51

Chapter 5

Managing Groups

Working with Customizable Groups

Working with Customizable Groups


Customizable groups are the only user-defined groups for which you can set polling and threshold
parameters. They are provided so you can create groups that fit your needs. Fault Management in
LMS 4.0 provides 28 customizable groups, which are divided into four categories:

Access Port Groups

Trunk Port Groups

Interface Groups

Device Groups

Table 5-7 lists the seven customizable groups that appear in each of the four categories.
Table 5-7

Polling and Thresholds: Customizable Groups

Customizable
Groups

Intended Use

Consider reserving customizable groups A, B, and C to troubleshoot

Add one device to any of these groups when you need to test. For example, to test a
changed threshold or interval value for a polling setting.

C
1
2

Consider using customizable groups 1, 2, 3, and 4 when you want to override polling
settings and thresholds for more than one device.

3
4
You configure a customizable group to have the highest priority. To do so, see Setting Priorities section
in Monitoring and Troubleshooting Online Help. You must add devices to the customizable groups
before you can set polling parameters or threshold values for them. To do so, see Working with
Customizable Groups.
Since you cannot change the rules for system defined groups, Fault Management provides groups that
you can customize so that they contain devices, ports, or interfaces.
Port and interface containment is only seen and used by Polling and Thresholds (Monitor > Threshold
Settings > Fault).
After you edit or create a group, you can determine whether other Cisco Prime users can view the group.
Table 5-8

Fault Management Customizable Groups

Use this group to


monitor...

Settings you can


configure for this group:

Customizable Access Port


Groups

Access ports

Thresholds

Customizable Groups

Devices

Polling and thresholds

Customizable Interface Groups

Interfaces

Thresholds

Customizable Trunk Ports


Groups

Trunk ports

Thresholds

Group Name

Administration of Cisco Prime LAN Management Solution 4.2

5-52

OL-25947-01

Chapter 5

Managing Groups
Managing Fault Groups

For each of the parent groups listed in Table 5-8, Fault Management provides seven configurable
subgroups. Table 5-9 describes the restrictions placed on the subgroups.
Table 5-9

Fault Management Customizable GroupsRestrictions

Group Name
Customizable Group A

Restrictions

Use to troubleshoot a single device (but can


contain more than one device)

Cannot be deleted

Cannot have subgroups

Cannot have name changed

Customizable Group 1

Can contain multiple devices

Customizable Group 2

Cannot be deleted

Customizable Group 3

Cannot have subgroups

Customizable Group 4

Cannot have name changed

Customizable Group B
Customizable Group C

Managing Fault Groups


The Fault Group Administration and Configuration page is where all group management activities take
place.
To open the Group Administration and Configuration page:
Either:
Select Admin > System > Group Management > Fault.
Or
Select Inventory > Group Management > Fault.

Note

If you are connecting to the LMS server for the first time, a Security Alert window is displayed
when you select an option. Do not proceed without viewing and installing the self-signed
security certificate.

See Editing and Creating Fault Groups for information on how to use Group Administration to create
and edit groups. In addition to creating and editing groups, Group Management provides the following
functions:

Refreshing Fault Membership

Deleting Fault Groups

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-53

Chapter 5

Managing Groups

Managing Fault Groups

Table 5-10 describes the fields in the Group Administration and Configuration page.
Table 5-10

Fields on Group Administration and Configuration Page

Field/Button

Description

Group Selector

Hierarchical display of all available groups.

Group Info

When you select an item from the Group Selector, the Group Info pane displays the
following information:

Group NameName of the group you selected.

TypeType of objects in the selected group.

DescriptionText description of the group.

Created ByPerson who created the group.

Last Modified ByLast person to modify the group settings.

Create

Starts the Group Creation Wizard for creating a group, as described in Editing a
Fault Group.

Edit

Starts the Group Edit Wizard for editing user defined groups, as described in Editing
a Fault Group. Not supported for view groups created from the Alerts and Activities
Defaults page.

Details

Opens the Properties: Details page, as described in Viewing Fault Group Details.

Refresh

Refreshes a group memberships, as described in Refreshing Fault Membership. Not


supported for port and interface groups.

Delete

Deletes a group, as described in Deleting Fault Groups.

Editing and Creating Fault Groups


The processes for editing and creating groups are similar. Keep these points in mind:

You can edit user defined customizable subgroups. For example, the subgroup Customizable
Group 1 under Customizable Access Port Groups. These subgroups are listed in Working with
Customizable Groups.

You can create or edit user defined miscellaneous groups. These groups can be used with views in
the Alerts and Activities display, or with notification groups in Notification Services.
You cannot edit or view groups created from the Alerts and Activities Defaults page.

This section contains information on:

Editing a Fault Group

Creating a Fault Group

Understanding Rules

Finalizing Fault Group Membership

Viewing the Fault Group Summary

Administration of Cisco Prime LAN Management Solution 4.2

5-54

OL-25947-01

Chapter 5

Managing Groups
Managing Fault Groups

LMS uses the Group Creation Wizard to guide you through the steps required to create or edit a group.
The wizard consist of four steps:
1.

Setting properties (for details, see Editing a Fault Group)

2.

Creating rules (for details, see Understanding Rules).

3.

Modifying group membership (for details, see Finalizing Fault Group Membership).

4.

Viewing the summary (for details, see Viewing the Fault Group Summary).

Editing a Fault Group


You can edit the properties of user defined customizable port, interface, and device groups. You can also
edit miscellaneous user defined groups you created using Group administration.
Procedure
Step 1

Either:

Select Admin > System > Group Management > Fault.


The Fault Group Administration and Configuration page appears.

Or

Select Inventory > Group Management > Fault.


The Fault Group Administration and Configuration page appears.

Step 2

In the Group Selector, select the group you want to edit, click Edit.
The Properties: Edit page appears.
You can modify the following in the Properties: Edit page:

Group Name
Will be automatically populated when editing customizable subgroups; for example, Customizable
Group 1 under Customizable Access Port Groups.

Description

Membership update type (not supported for port and interface groups)
The parent group is displayed, but it cannot be modified.

Step 3

Visibility Scope

Click Next.
The Rules: Edit page appears. For more information on creating rules, see Understanding Rules.
To return to any of the previous pages in the wizard, click Back.

Note

If you edit a device-type group, you can launch the Preview.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-55

Chapter 5

Managing Groups

Managing Fault Groups

This section contains:

Adding and Deleting Rules from the Rules:Edit Page

Adding and Removing Objects from the Rules: Edit Page

Adding and Deleting Rules from the Rules:Edit Page


You can add new rules or delete existing rules in the Rules: Edit page.
To add a new rule:
Step 1

From the first list, select a logical operator (applicable when there are multiple rule expressions).
The list of logical operators is enabled after at least one rule expression is entered.+

Step 2

From the Object Type list, select an object type.

Step 3

From the Variable list, select a variable.

Step 4

From the Operator list, select an operator.

Step 5

In the Value field, enter a value.

Step 6

Click Add Rule Expression.


The rule expression appears in the Rule Text box.
You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\),
an error is displayed.
To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single
backslash. You should always check the syntax after changing a rule expression.
If you have added complex rules (containing both AND and OR conditions), you must manually enter
parentheses, as in the following example:
(AccessPort.Mode equals OR
AccessPort.Mode contains BACKUP OR
AccessPort.Mode contains NORMAL) AND
AccessPort.DuplexMode contains HALFDUPLEX OR
AccessPort.DuplexMode contains FULLDUPLEX)

Step 7

Verify whether the syntax of the rule is correct by clicking Check Syntax.
A dialog box appears, stating that the syntax is valid.

Step 8

Click OK.
If you want to view the rules for the parent group, select View Parent Rules.
All rules assigned to a parent group also apply to any of its subgroups.

Step 9

Click Next.
The Membership: Edit page appears.

Administration of Cisco Prime LAN Management Solution 4.2

5-56

OL-25947-01

Chapter 5

Managing Groups
Managing Fault Groups

To delete a rule:
Step 1

In the Rule Text box, select the entire rule text and press the Delete key.
After deleting the rule, you must click the page so that the page can refresh, removing the list of logical
operators.

Step 2

Click Next.
The Membership: Edit page appears.

Adding and Removing Objects from the Rules: Edit Page


You can add or remove specific objects from the group membership. This feature is not supported for
port and interface groups.
The group's rule captures the list of objects that are added to or deleted from the group. The rule will
contain an Includelist and an Excludelist section to reflect this.
Although it is acceptable for a rule to have more than one Includelist or Excludelist, the recommended
practice is to consolidate them, forming one Includelist and one Excludelist. Check for duplicates across
both lists and ensure that no device is both included and excluded.
You can add and remove objects from the Parent Group
To add an object:
Step 1

In the Available Objects from Parent Group column, select the device you want to add.

Step 2

Click Add.

Step 3

Click Next.
The groups information appears in the Summary: Create page.

Step 4

Click Finish.
A dialog box appears, stating that changes to the group have been saved.

Step 5

Click OK.

To remove an object:
Step 1

In the Objects Matching Membership Criteria column, select the device you want to remove.

Step 2

Click Remove.

Step 3

Click Next.
The groups information appears in the Summary: Create page.

Step 4

Click Finish.
A dialog box appears, stating that changes to the group have been saved.

Step 5

Click OK.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-57

Chapter 5

Managing Groups

Managing Fault Groups

Creating a Fault Group


Creating fault groups is supported only for user defined miscellaneous groups. Once created, you can
edit these groups.

Note

When you create a fault group, at least one device must be in the managed state.
Procedure

Step 1

Either:

Select Admin > System > Group Management > Fault.


The Fault Group Administration and Configuration page appears.

Or

Select Inventory > Group Management > Fault.


The Fault Group Administration and Configuration page appears.

Step 2

In the Group Selector, select User Defined Groups.

Step 3

Click Create.
The Properties: Create page appears.

Step 4

Enter a group name for the new group.


If you do not want to copy the attributes of an existing group to your new group, proceed to Step 6. If
you want to copy the attributes of an existing group to the new group, do the following:
a.

Click Select Group.


The Replicate Attributes page appears.

b.

Select the group from which you want to copy the attributes.

c.

Click OK.
All attributes except the group name are copied to the new group.

If you want to change the parent group (the location where the group will reside in the Group Selector),
do the following:
a.

Click Change Parent.


The Select Parent page appears.

b.
Step 5

Select the parent group.

Click OK.
Enter a description. This is optional.

Step 6

Choose how you want the group membership updated.


This choice is not displayed for port and interface groups):

If you want the membership for this group updated automatically, select Automatic.

If you want the membership for this group updated only when the Refresh button is clicked, select
Only Upon User Request.

Administration of Cisco Prime LAN Management Solution 4.2

5-58

OL-25947-01

Chapter 5

Managing Groups
Managing Fault Groups

Step 7

Step 8

Select a Visibility Scope:

Available to Created User Only

Available to All Cisco Prime Users

Click Next.
The Rules: Create page appears. (For more information on creating rules, see Understanding Rules.)

Step 9

Do one of the following:

To create rules to apply to the group, go to Step 10.

Click Next and select the objects on the Membership: Create page (not supported for port and
interface groups). Then go to Step 10.
If you need to return to any of the previous pages in the wizard, click Back.

Step 10

Create all rules that you want to apply to the group:


a.

Select a logical operator (applicable when there are multiple rule expressions).
The list of logical operators is enabled after at least one rule expression is entered.

b.

Select an object type.

c.

Select a variable.

d.

Select an operator.

e.

Enter a value.

f.

Click Add Rule Expression.


The rule expression appears in the Rule Text box.

You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\),
an error is displayed.
To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single
backslash. You should always check the syntax after changing a rule expression.
If you have added complex rules (containing both AND and OR conditions), you must manually enter
parentheses, as in the following example:
(AccessPort.Mode equals OR
AccessPort.Mode contains BACKUP OR
AccessPort.Mode contains NORMAL) AND
AccessPort.DuplexMode contains HALFDUPLEX OR
AccessPort.DuplexMode contains FULLDUPLEX)

g.

Verify that the rule syntax is correct by clicking Check Syntax.


A dialog box appears, stating the syntax is valid.

h.

Click OK.
If you want to view the rules for the parent group, select View Parent Rules.
All rules assigned to a parent group also apply to any of its subgroups.

i.

Click Next.

The Membership: Create page appears.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-59

Chapter 5

Managing Groups

Managing Fault Groups

Adding and Removing Objects from the Rules: Create Page


You can add or remove specific objects from the group membership. This feature is not supported for
port and interface groups.
The group's rule captures the list of objects that are added to or deleted from the group. The rule will
contain an Includelist and an Excludelist section to reflect this.
Although it is acceptable for a rule to have more than one Includelist or Excludelist, the recommended
practice is to consolidate them, forming one Includelist and one Excludelist. Check for duplicates across
both lists and ensure that no device is both included and excluded.
You can add and remove objects from the Parent Group
To add an object:
Step 1

In the Available Objects from Parent Group column, select the device you want to add.

Step 2

Click Add.

Step 3

Click Next.
The groups information appears in the Summary: Create page.

Step 4

Click Finish.
A dialog box appears, stating that changes to the group have been saved.

Step 5

Click OK.

To remove an object:
Step 1

In the Objects Matching Membership Criteria column, select the device you want to remove.

Step 2

Click Remove.

Step 3

Click Next.
The groups information appears in the Summary: Create page.

Step 4

Click Finish.
A dialog box appears, stating that changes to the group have been saved.

Step 5

Click OK.

Administration of Cisco Prime LAN Management Solution 4.2

5-60

OL-25947-01

Chapter 5

Managing Groups
Managing Fault Groups

Understanding Rules
Every group is defined by a set of rules. A rule set contains a Boolean combination of individual rule
expressions.
Rules are created to filter in the objects that you want to belong to the group, and to filter out those that
you do not want in the group. When determining the objects that belong to a group, Group Management
compares object information to the rule. If an object information satisfies all of the rule requirements, it
is placed in the group.
One or more rule expressions can be applied to form a rule. Each rule expression contains the following:
Object Type.Variable Operator Value
For example:
Routers.Location equals "San Jose"

Complex rules that contain both OR and AND conditions require you to edit the rule manually. For
example, all parentheses in the following rule must be added in the Rule Text field:
(AccessPort.Mode equals OR
AccessPort.Mode contains BACKUP OR
AccessPort.Mode contains NORMAL) AND
(AccessPort.DuplexMode contains HALFDUPLEX OR
AccessPort.DuplexMode contains FULLDUPLEX)

Rules are defined through the Group Creation Wizard on the Rules: Create and Rules: Edit pages. You
can define the following:

Logical Operators

Object Type

Variable

Operator

Value

Logical Operators

The logical operator field appears when you are defining multiple rules. The logical operators can be:

ORInclude devices that fulfill the requirements of either rule.


For interface, access port, and trunk port groups, this operator can only be used between the
variables of the same type, as in the following valid rule:
AccessPort.DuplexMode equals HALFDUPLEX OR
AccessPort.DuplexMode equals FULLDUPLEX

If you used an AND operator in the previous port rule, it would be invalid.

ANDInclude only objects that fulfill the requirements of both rules.


For interface, access port, and trunk port groups, this operator can only be used between the
variables of different types, as in the following example:
AccessPort.Mode equals AND
AccessPort.DuplexMode equals FULLDUPLEX

If you used an OR operator in the previous rule, it would be invalid.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-61

Chapter 5

Managing Groups

Managing Fault Groups

For device groups, this operator can only be used between variables of the same type, as in the
following example:
Routers.Model equals "12816" AND
Routers.Model equals 12810

The following would be an invalid rule for a device group:


Routers.Model equals "12816" AND
SwitchesAndHubs.Type equals "6509"

In the previous example, you would have to use the OR operator.

EXCLUDEDo not include these devices.

Object Type

The Object Type field lists the available objects that you can use to form a group.
Depending upon the type of group you are creating, the Object Type field may contain the following
choices:
AccessPort
TrunkPort
Interface
Cable
ContentNetworking
Device
DSLAndLRE
Group
InterfacesAndModules
NetworkManagement
Optical
Routers
SecurityAndVPN
ServerFabricSwitches
StorageNetworking
SwitchesAndHubs
UniversalGatewaysAndAccessServers
Unknown
VoiceAndTelephony
Wireless

Variable

The Variable field lists the possible attributes for the selected object type to be used for the rule. The list
of possible variables changes based on the object type that is selected. Some variables for port and
interface groups are described in Table 5-11.
Operator

The Operator field defines the operator to be used in the rule. The list of possible operators changes
based on the object type and the variable selected.
When using the equals operator, the rule is case-sensitive.
Value

The Value field describes the value of the rule expression. The possible values depend upon the object
type, variable, and operator selected. Depending on the operator selected, the value may be free-form
text or a list of values.

Administration of Cisco Prime LAN Management Solution 4.2

5-62

OL-25947-01

Chapter 5

Managing Groups
Managing Fault Groups

Most of the values that can be entered in the Value field of the Rules: Edit page are self-evident, but some
of the objects in the Variables field have special meanings or restrictions on how to enter the related
attribute in the Value field.
Table 5-11 describes the objects that appear in the Variable field of the Rules: Edit page that might need
further explanation.
Table 5-11

Explanations for the Values of Special Variables

Variable

Explanation

Description

Interface or port description.

DuplexMode

Duplex mode (FULLDUPLEX, HALFDUPLEX, or UNSPECIFIED).

InterfaceCode

Interface types, protocols, or encapsulations.

MaxSpeed

Maximum speed, in bits per second.

MaxTransferSpeed

Speed of the largest datagram that can be sent or received, specified in


octets.
For interfaces that use transmitting network datagrams, this is the speed of
the largest network datagram that can be sent.

Note

Mib2ifType

Type of interface, distinguished according to the physical or link protocols


immediately below the network layer in the protocol stack, represented as
a digit.

Mode

Intended purpose (for example, for interfaces, backup, dial-on-demand, and


so forth).

Name

Name of object.

SystemModel

Name of the system.

SystemName

Name of system containing this element.

SystemObjectID

System Object Identifier associated with vendor of system.

SystemVendor

Name of system supplier.

Type

Type of element (for example, interface), distinguished according to the


physical or link protocols immediately below the network layer in the
protocol stack.

After you have defined the rule, you should verify the syntax. You can do this on the Rules: Edit page.
Table 5-12 describes the remaining fields on the Rules: Edit page of the Group Creation Wizard.
Table 5-12

Fields on the Rules: Edit Page

Field/Button

Description

Add Rule Expression

Used to add the rule expression to the group rules.

Rule Text

Displays the rule. For complex rules (which contain both OR and AND
conditions), you must manually add parentheses in this field. (In Editing a
Fault Group, see Step 10 and Step 6.)

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-63

Chapter 5

Managing Groups

Managing Fault Groups

Table 5-12

Fields on the Rules: Edit Page (continued)

Field/Button

Description

Check Syntax

Verifies that the rule syntax is correct.

View Parent Rules

Used to view the parent group rules.


All parent group rules apply to the subgroups.

Examples of Rules
You want to create a group that contains all interfaces using full duplex mode in the Dallas location.
Form the following rule:
Interface.Duplex.Mode contains "FULLDUPLEX" AND Location contains Dallas

Interface

VariableDuplex.Mode

OperatorContains

ValueFULLDUPLEX

Logical OperatorAnd

VariableLocation

Operatorcontains

ValueDallas

You want to create a group that contains all of the security and VPN devices in the San Jose location.
Form the following rule:
SecurityAndVPN.Location contains "SanJose"

Object TypeSecurityAndVPN

VariableLocation

OperatorContains

ValueSan Jose

To understand the group rules, see the rules used for system defined groups. These rules appear in the
Properties: Details page. For a description of the Properties: Details page, see Viewing Fault Group
Details.

Finalizing Fault Group Membership


After the group rules have been defined, they are evaluated, and you can view the group members (except
for port and interface groups, which are only used for polling and threshold purposes). In addition, the
group membership can be modified by adding or removing specific objects.
The group rule will be automatically modified to reflect the objects that were added or removed from the
group. You add or remove specific objects from a group membership in the Membership: Edit page of
the Create Group Wizard.

Administration of Cisco Prime LAN Management Solution 4.2

5-64

OL-25947-01

Chapter 5

Managing Groups
Managing Fault Groups

Viewing the Fault Group Summary


The final step in the Create Group Wizard is viewing a summary page that displays the new group
definition. Table 5-13 describes the fields on the Group Summary page of the Group Creation Wizard.
Table 5-13

Fields on the Group Summary Page

Heading/Button

Description

Group Name

Name of the group you are creating.

Parent Group

Parent group of the group you are creating.

Description

Text description of the group.

Membership Update Automatic (updated whenever the group is accessed) or upon user request
(updated only when you click the Refresh button).
Rules

Rules used to filter group membership.

Visibility Scope

Setting that determines whether all Cisco Prime users or only the created user
can view the group.

Polling Overriding
Group preview

Click to display the Preview page. This page displays the priorities of the
Polling Overriding Groups.

Threshold
Overriding Group
preview

Click to display the Preview page. This page displays the priorities of the
Threshold Overriding Groups.

Viewing Fault Group Details


Information about a group is displayed on the Properties: Details page.
To view the Fault group details:
Step 1

Either:

Select Admin > System > Group Management > Fault.


The Fault Group Administration and Configuration page appears.

Or

Select Inventory > Group Management > Fault.


The Fault Group Administration and Configuration page appears.

Step 2

In the Group Selector, select the group for which you want to view details.

Step 3

Click Details.
The Properties: Details page appears.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-65

Chapter 5

Managing Groups

Managing Fault Groups

Table 5-14 describes the fields on the Properties: Details page.


Table 5-14

Fields on the Properties: Details Page

Heading/Button

Description

Group Name

Name of the group you are viewing.

Parent Group

Parent group of the group you are viewing.

Type

Type of the objects that belong to the group.

Description

Text description of the group.

Membership Update

Automatic (updated whenever the group is accessed) or upon user request


(updated only when you click the Refresh button)

Created By

Person who created the group.

Last Modified By

Last person to modify the group.

Rules

Rules used to filter group membership.

View Parent Rules

Used to view the parent group rules. All parent group rules apply to the
subgroups.

Membership Details

Used to view the list of devices that belong to the group. Does not apply to
port and interface groups.

Cancel

Closes the page and takes you back to the Group Administration and
Configuration page.

Viewing Fault Membership Details


You can view a list of the objects that belong to a group by accessing the Properties: Details page.
Membership is not displayed for port and interface groups, which are used only for polling and threshold
purposes.
Procedure
Step 1

Either:

Select Admin > System > Group Management > Fault.


The Fault Group Administration and Configuration page appears.

Or

Select Inventory > Group Management > Fault.


The Fault Group Administration and Configuration page appears.

Step 2

In the Group Selector, select the group for which you want to view details.

Step 3

Click Details.
The Properties: Details page appears.

Step 4

Click Membership Details.


The Membership: Details page appears.

Administration of Cisco Prime LAN Management Solution 4.2

5-66

OL-25947-01

Chapter 5

Managing Groups
Managing Fault Groups

Table 5-15 describes the fields on the Membership: Details page.


Table 5-15

Fields on the Membership: Details Page

Heading/Button

Description

Name

Name of the device for which you want to view membership details.

Object Type

Type of object for which you want to view details.

Property Details

Takes you back to the Properties: Details page.

Cancel

Closes the page and takes you back to the Group Administration and
Configuration page.

Refreshing Fault Membership


Refreshing a group membership forces the group to recompute its membership by reevaluating its rules
and obtaining membership information from the data collectors. Port and interface group membership
lists are not supported, because these groups are only used for polling and threshold purposes.
Procedure
Step 1

Either:

Select Admin > System > Group Management > Fault.


The Fault Group Administration and Configuration page appears.

Or

Select Inventory > Group Management > Fault.


The Fault Group Administration and Configuration page appears.

Step 2

In the Group Selector, select the group you want to refresh.

Step 3

Click Refresh.

Step 4

In the confirmation dialog box, click Yes.

Step 5

In the next dialog box, click OK.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-67

Chapter 5

Managing Groups

Understanding Collector Group Rules

Deleting Fault Groups


You can only delete user defined groups that are not one of the seven customizable groups.
Procedure
Step 1

Either:

Select Admin > System > Group Management > Fault.


The Fault Group Administration and Configuration page appears.

Or

Select Inventory > Group Management > Fault.


The Fault Group Administration and Configuration page appears.

Step 2

In the Group Selector, select the group you want to delete.

Step 3

Click Delete.

Step 4

In the confirmation dialog box, click Yes.

Step 5

In the next dialog box, click OK.

Edit, Refresh, and Delete cause internal processes to start. For this reason, LMS could experience a
period of high CPU utilization after these processes are triggered.

Understanding Collector Group Rules


Every group is defined by a set of rules. A rule set contains a Boolean combination of individual rule
expressions.
You can access the IPSLA Collector groups using either:

Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.

Or

Select Inventory > Group Management > IPSLA Collector.


The IPSLA Collector Group page appears.

Rules are created to filter in the devices that you want to include in the group, and to filter out those that
you do not want in the group.
While determining the devices that belong to a group, Group Management compares device information
to the rule. If the information on a device satisfies all the requirements of the rule, it is placed in the
group.
The devices are filtered based on the data present in the IPSLA Performance database.
One or more rule expressions can be applied to form a rule.
Each rule expression contains the following:
object type.variable operator value

Administration of Cisco Prime LAN Management Solution 4.2

5-68

OL-25947-01

Chapter 5

Managing Groups
Understanding Collector Group Rules

This section contains:

IPSLA Collector Group Administration Process

Understanding IPSLA Collector Group Administration

Table 5-16 lists the various operators that can be used to create rules to group Collectors.
Table 5-16

Understanding Collector Group Rules

Field/Button

Description

OR, AND, EXCLUDE,


INCLUDE

Logical operators.

ORInclude objects that fulfill the requirements of either rule.

ANDInclude only objects that fulfill the requirements of both rules.

EXCLUDEDo not include these objects.

INCLUDE Include these objects

The Rule Text field appears only after a rule expression is added.
Object Type

Type of object (collector) that is used to form a group.

Variable

Collector components, based on which you can define the group.


For more information, see Collector Components.

Operator

Operator to be used in the rule. The list of possible operators changes based on the Variable
selected.
When using the equals operator the rule is case-sensitive.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-69

Chapter 5

Managing Groups

Understanding Collector Group Rules

Table 5-16

Understanding Collector Group Rules

Field/Button

Description

Value

Value of the rule expression. The possible values depend upon the variable and operator
selected. Depending on the operator selected, the value may be free-from text or a list of
values.
Wildcard characters are not supported.
The following are the values for the corresponding operations:

1 = echo

2 = pathEcho

5 = udpEcho

6 = tcpConnect

7 = http

8 = dns

9 = jitter

10 = dlsw

11 = dhcp

12 = ftp

14 = RTP

16 = icmpjitter

18 = VoipCallSetupPostDialDelay

19 = VoipGKRegDelay

1019-Ethernetping

1020-Ethernetjitter

1119-EthernetPingAutoIPSLA

1120-EthernetJitterAutoIPSLA

Add Rule Expression

Used to add the rule expression to the group rules.

Rule Text

Displays the rule.

Check Syntax

Verifies if the rule syntax is correct.


Use this button if you have entered the rules manually.

View Parent Rules

Used to view the parent group rules.


All parent group rules apply to the subgroups.

Administration of Cisco Prime LAN Management Solution 4.2

5-70

OL-25947-01

Chapter 5

Managing Groups
Understanding Collector Group Rules

Collector Components

Table 5-17 lists the available group attributes that you can use for defining the User-Defined groups.
Table 5-17

Collector Components

Component Type

Description

Source Address

Device IP address.

Target Address

Device IP address.

Operation Type

All IPSLA operations available for LMS

Operation Name

Name of a user-defined operation.

VRF

Name of the VRF (Virtual Routing and Forwarding).

IPSLA Collector Group Administration Process


The IPSLA Collector Group Administration depends on the IPMOGSServer processes. If these
processes are not running, then an error message appears:
Error in communicating with Group Administration Server.
It may be down or not yet up. Please make sure that the Group Administration Server is
up and running, then refresh the page.

You can resolve this error by starting the IPMOGSServer process.


You can start this process using Admin > System > Server Monitoring > Processes.
The Process Management page appears with all Cisco Prime processes listed. In the Process
Management page, select the IPMOGSServer and click Start.
If the IPMOGS Server is down, do the following:

You can start the IPMOGS Server either from the CLI, or from the LMS UI.
To start IPMOGS Server from the CLI:
Enter NMSROOT/bin/pdexec IPM OGSServer
where NMSROOT is the Cisco Prime installation directory.
To start IPMOGS server from the LMS UI:
Step 1

Select Admin > System > Server Monitoring > Processes.


The Process Management page appears with all Cisco Prime processes listed.

Step 2

Select IPM OGSServer in the Process Management dialog box.

Step 3

Click Start.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-71

Chapter 5

Managing Groups

Understanding Collector Group Rules

If the CMFOGS Server is down, do the following:

You can start the CMFOGS Server either from the CLI, or from the LMS UI.
To start CMF OGS Server from the CLI:
Enter NMSROOT/bin/pdexec CMFOGSServer
where NMSROOT is the Cisco Prime installation directory.
To start CMFOGS server from the LMS UI:
Step 1

Select Admin > System > Server Monitoring > Processes.

Step 2

Select CMFOGSServer in the Process Management dialog box.

Step 3

Click Start.

Understanding IPSLA Collector Group Administration


This section explains the various tasks that you can perform on the IPSLA Collector Group
Administration.
Table 5-18 lists the Fields and buttons available in the Group Administration page.
Table 5-18

IPSLA Collector Group Administration Page

Field/Buttons

Description

Group Selector

Hierarchical display of all available groups.

Group Info

Displays the following collector group information:

Group NameThe name of the group you selected.

TypeThe type of objects in the selected group.

DescriptionA text description of the group.

Created ByThe person who created the group. You can also view the time at which the
group was created.

Last Modified ByThe last person to modify the group settings. You can also view the time
at which the group was modified.

Create

Starts the Group Creation Wizard for creating a group, as described in the Creating and
Modifying User-Defined Collector Groups.

Edit

Starts the Group Edit Wizard for editing an existing group, as described in the Creating and
Modifying User-Defined Collector Groups.

Details

Opens the Properties: Details page, as described in the Viewing Collector Group Details and
Viewing Membership Details.

Refresh

Refreshes a group membership, as described in the Refreshing User-Defined Collector Group


Membership.

Delete

Deletes a group, as described in the Deleting User-Defined Collector Groups.

Administration of Cisco Prime LAN Management Solution 4.2

5-72

OL-25947-01

Chapter 5

Managing Groups
Working with User-Defined Collector Groups

Working with User-Defined Collector Groups


These are collector groups created by the user based on a set of criteria such as operation name, operation
type, source address, and target address.
For example, if you want to create a location-based collector groups, you must select the devices used
by that location and define the collector groups based on the criteria mentioned above.
You can perform the following tasks on user-defined collector groups:

Creating and Modifying User-Defined Collector Groups

Deleting User-Defined Collector Groups

Viewing User-Defined Collector Groups

Refreshing User-Defined Collector Group Membership

Creating and Modifying User-Defined Collector Groups


LMS provides a single wizard-based approach that leads you through the procedure to create multiple
user-defined collector groups. This wizard process involves the following four steps:
1.

Setting Collector Group Properties

2.

Defining Collector Group Rules

3.

Assigning Collector Group Membership

4.

Viewing the Collector Group Summary

You must complete all the four tasks in this sequence to create collector groups. If you exit the wizard
at any stage using Cancel, the details you have specified will be lost and the collector groups will not be
created.

Setting Collector Group Properties


In this step, you can enter the group properties such as name and description, copy the attributes from
another group, change the parent group, and modify the parent group and membership update details, if
required.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-73

Chapter 5

Managing Groups

Working with User-Defined Collector Groups

To set or edit the collector group properties:


Step 1

Either:

Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.

Or

Select Inventory > Group Management > IPSLA Collector.


The IPSLA Collector Group page appears.

Step 2

Select the required group from the Group Selector pane.


For example:

Step 3

If you want to create or edit a group, select the User Defined Group folder from the Group Selector
pane.

If you want to create or edit a subgroup, select the required collector group under the User Defined
Groups folder.

You can either:

Click Create to create a group or subgroup.


Or

Click Edit to edit a group or subgroup.

The Properties page appears.


Step 4

Specify the collector group name and description in the Group Name and Description fields.
The Group Name must be unique within the parent group. However, you can specify the same name in
some other groups.
For example, if you already have a group named MyGroup in a group named Views under
User-Defined Groups, you cannot use the same name for another subgroup in the group Views.
However, you can use the name 'MyGroup' for the subgroup of another group in User-Defined Groups.
After entering the group name and description, you can either copy the attributes of an existing group to
the new group or proceed to Step 5.
To copy the attributes of an existing group to the new group, do the following:
a.

Click Select Group.


The Replicate Attributes window appears.

b.

Select the required collector group from the User Defined Groups folder.

c.

Click OK.
All attributes except the group name are copied to the new group.
The parent group you have selected for the group does not change even if you are copying attributes
from a group that belongs to a different parent group.

Administration of Cisco Prime LAN Management Solution 4.2

5-74

OL-25947-01

Chapter 5

Managing Groups
Working with User-Defined Collector Groups

To change the parent group, do the following:


a.

Click Change Parent.


The Select Parent window appears.

b.

Select the required group.

c.

Click OK.
The Properties page appears with the new parent group.

Step 5

Select the Membership Update and Visibility Scope for the group.
For more information, see Table 5-19.

Step 6

Click Next.
The Rules page appears.

Table 5-19

Setting Collector Group Properties

Field

Description

Group Name

Name of the group you are creating.

Copy Attributes from


Group

Copy the attributes of an existing group to your new group using Select Group.

Parent Group

Parent group of the group you are creating. You can change the parent group using Change
Parent.

Description

Text description of the group.

Membership Update

Group Membership is updated.

Visibility Scope

Automatic: Updates whenever the group is accessed.

Only Upon User Request: Click Refresh.

Private Groups: Visible only to users who created the group.

Public: Visible to all users.

Defining Collector Group Rules


In this step, you can define the rules for the collector groups. This rule determines the contents and the
collectors to be included in the collector group.
This rule allows you to add collectors and VRFname based on the variables such as operation name,
operation type, source address, and target address. You can use one or a combination of variables while
defining the rule. The collectors that satisfy the rule will be added to the collector group.
If you have created the collector group copying the attributes of another group, the rules specified for
that group appears in the Rule Text field. You can retain these and add more rules, or delete these rules
and create a new set of rules.

Note

All rules assigned to a parent group also apply to any of its subgroups.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-75

Chapter 5

Managing Groups

Working with User-Defined Collector Groups

In the Rules page, you can either enter the rules directly in the Rule Text field or select the components
of the rule from the Rule Expression fields and define a rule.
Table 5-20 lists the various Fields and Buttons available in the Rules page.
Table 5-20

Defining Collector Group Rules

Field/Buttons

Description

OR, AND, EXCLUDE

Logical operators.

ORInclude objects that fulfill the requirements of either rule.

ANDInclude only objects that fulfill the requirements of both rules.

EXCLUDEDo not include these objects.

The Rule Text field appears only after a rule expression is added.
Object Type

Type of object (Collector) that is used to form a group. All IPSLA Collector group rule
expressions begin with the same Object Type, IPM:Collector Management: Collector.

Variable

Collector attributes, based on which you can define the group.


For more information, see Collector Components.

Operator

Operator to be used in the rule. The list of possible operators change based on the Variable
selected.
When using the Equals operator, the rule is case sensitive.

Value

Value of the rule expression. The possible values depend upon the variable and operator selected.
Depending on the operator selected, the value may be free-form text or a list of values.
Wildcard characters are not supported.

Add Rule Expression

Used to add the rule expression to the group rules.

Rule Text

Displays the rule.

Check Syntax

Verifies that the rule syntax is correct.


Use this button if you have entered the rules manually.

View Parent Rules

Used to view the parent group rules.


All parent group rules apply to the subgroups.
For group rule restrictions and examples, see Understanding Collector Group Rules.

Administration of Cisco Prime LAN Management Solution 4.2

5-76

OL-25947-01

Chapter 5

Managing Groups
Working with User-Defined Collector Groups

To define the collector group rules:


Step 1

Either:

Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.

Or

Select Inventory > Group Management > IPSLA Collector.


The IPSLA Collector Group Administration page appears.

Step 2

Select the Object Type from the drop-down list.

Step 3

Select the required variables from the Variable drop-down list. You can select one or a combination of
variables.
The variables available are Operation Name, Operation Type, Source Address, VRF name, and Target
Address.
For more information, see Table 5-20.

Step 4

Select the Boolean operator from the Operator drop-down list.


The Boolean operators change based on the variable you have selected.
For more information, see Table 5-20.

Step 5

Specify the Value for the variable you have selected.

Step 6

Click Add Rule Expression.


The IPSLA Collector Group Administration creates the rule based on the parameters you specified and
adds it to the rules already present in the Rules Text field. You can use the same procedure to add more
rules.
If you want to delete a rule expression, you have to select the complete expression including the logical
operator and press the Delete key on your keyboard.

Step 7

Click Check Syntax to validate the rules expression syntax.


If the Syntax is correct, a confirmation message appears, The rule syntax is valid. If the Syntax is
incorrect, an error message appears with syntax error messages along with the line and column number.

Step 8

Click View Parent Rules to view the parent and group rules.

Step 9

Click Next.
The Membership page appears.

Assigning Collector Group Membership


The Membership page allows you to create a highly customized user-defined collector group. This page
lists the collectors in two panes, namely Objects From Parent Group and Objects Matching Membership.

Objects From Parent GroupLists the collectors in the parent group.

Objects Matching MembershipLists the collectors that satisfy the rule defined by you. You can
add or delete collectors from this pane. You can also add collectors from the parent group to create
the collector group.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-77

Chapter 5

Managing Groups

Working with User-Defined Collector Groups

To assign collector group membership:


Step 1

Select the required collectors from the Objects From Parent Group pane.

Step 2

Click Add.
The selected collectors are added to the Objects Matching Membership pane.

Step 3

Click Next.
The Summary page appears with the User-Defined Group properties.

To remove collectors from the group:


Step 1

Select the required collectors from Objects Matching Membership pane.

Step 2

Click Remove.
The selected collectors are removed from the Objects Matching Membership pane and added to the
Objects From Parent Group pane.

Step 3

Click Next.
The Summary page appears with the summary of the user-defined collector group.

Viewing the Collector Group Summary


The final step is the Summary page that displays the new group definition as in Table 5-21.
Table 5-21

Understanding Collector Group Summary

Field

Description

Group Name

Name of the group you are creating.

Description

Text description of the group.

Parent Group

Parent group of the group you are creating. You can change the parent group using Change
Parent.
You can select only IPSLA Collector User-Defined groups.
You cannot edit this field in the Edit flow.

Membership Update

Updates group membership.


Membership updates can be automatic (updated every time the group is accessed) or upon user
request only (updated only when you click Refresh).

Rules

Rules used to filter group membership.

Visibility Scope

Describes if the group is public (all users) or private (only for the group owner).

Administration of Cisco Prime LAN Management Solution 4.2

5-78

OL-25947-01

Chapter 5

Managing Groups
Working with User-Defined Collector Groups

To view the collector group summary:


Step 1

Click Finish to complete the procedure for creating collector groups.


A confirmation message appears.

Step 2

Click OK.
You can view the newly created user-defined collector group in the Group Selector pane.
Or
Click Back to modify the group properties.

Deleting User-Defined Collector Groups


In the The IPSLA Collector Group Administration page, you can use the Delete option to delete the
user-defined collector groups. During the deletion process, only the collector group is deleted , and the
associated collectors are not deleted. You cannot delete the system-defined collector groups.
To delete user-defined collector groups:
Step 1

Select the group for which you want to view details from the Group Selector pane.

Step 2

Click Delete.
A confirmation message appears.

Viewing User-Defined Collector Groups


This section explains how to view the group and membership details and refresh the same.

Viewing Collector Group Details

Viewing Membership Details

Refreshing User-Defined Collector Group Membership

Viewing Collector Group Details


The Property Details page displays the group details.
To view the collector group details:
Step 1

Either:

Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.

Or

Select Inventory > Group Management > IPSLA Collector.


The IPSLA Collector Group Administration page appears.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-79

Chapter 5

Managing Groups

Working with User-Defined Collector Groups

Step 2

Select the group for which you want to view details from the Group Selector pane.

Step 3

Click Details.
The Property Details page appears. For more information, see Table 5-22.

Table 5-22

Viewing Collector Group Details

Field/Button

Description

Group Name

Name of the group you are viewing.

Parent Group

Parent group of the group you are viewing.

Type

Type of the objects that belong to the group.

Description

Text description of the group.

Membership Update

How group membership is updated.

Created By

Person who created the group. This also displays the time at which it was created.

Last Modified By

Last person to modify the group. This also displays the time at which it was modified.

Rules

Rules used to filter group membership.

Visibility Scope

Indicates whether the group is Public (visible to all users) or Private (visible only for the group
owner).

View Parent Rules

Allows you to view the parent group rules.


All parent group rules apply to the subgroups.

Membership Details

Allows you to view the membership details.

Cancel

Takes you back to the Group Administration page.

Viewing Membership Details


The Property Details page allows you to view a list of the objects that belong to a group.
To view the membership details:
Step 1

Either:

Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.

Or

Select Inventory > Group Management > IPSLA Collector.


The IPSLA Collector Group Administration page appears.

Step 2

Select the group for which you want to view details from the Group Selector pane.

Step 3

Click Details.
The Property Details page appears.

Administration of Cisco Prime LAN Management Solution 4.2

5-80

OL-25947-01

Chapter 5

Managing Groups
Working with User-Defined Collector Groups

Step 4

Click Membership Details.


The Membership Details page appears. For more information, see Table 5-23.
Table 5-23

Viewing Membership Details

Field/Button

Description

Name

Name of the device.

Object Type

Type of object.

Property Details

Takes you back to the Property Details page.

Cancel

Takes you back to the Group Administration page.

Refreshing User-Defined Collector Group Membership


Refreshing a group membership forces the group to recompute its membership by reevaluating its rules
and obtaining membership information from the data available.
To refresh the membership of the group:
Step 1

Either:

Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.

Or

Select Inventory > Group Management > IPSLA Collector.


The IPSLA Collector Group Administration page appears.

Step 2

Select the group for which you want to view details from the Group Selector pane.

Step 3

Click Refresh to refresh the membership of the selected group.


The Refresh Group Confirmation dialog box appears.

Step 4

Click OK.
A message appears that the selected group membership has been refreshed.
Or
Click Cancel to return to the Group Administration page.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

5-81

Chapter 5

Managing Groups

Operation-Based Collector Groups (System-Defined)

Operation-Based Collector Groups (System-Defined)


The operation-based collector groups are predefined groups available with IPSLA module in LMS by
default. They are also referred as system-defined collector groups.
The various operation-based collector groups available are Echo, Path Echo, UDP Echo, ICMP Jitter,
UDP Jitter, Call Setup Post Dial Delay, Gatekeeper Registration Delay, RTP, DNS, DHCP, HTTP, FTP,
DLSW, TCP Connect, Ethernet Jitter, Ethernet Ping, Ethernet Jitter Auto IP SLA and Ethernet Ping Auto
IP SLA.
You can perform the following tasks on operation-based collector groups:

Viewing Operation-Based Collector Details

Refreshing Operation-Based Collector Groups

To view the details of an operation-based collector group:


Step 1

Either:

Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.

Or

Select Inventory > Group Management > IPSLA Collector.


The IPSLA Collector Group Administration page appears.

Step 2

Select the default operation name from the Group Selector pane for which you want to view the collector
group details.

Step 3

Click Details.
The system-defined collector group details appear.

Step 4

Click Membership Details to know the membership details of this system-defined collector group.
The Membership Details page appears.

To refresh the membership of an operation-based group:


Step 1

Select the group for which you want to view details from the Group Selector pane.

Step 2

Click Refresh to refresh the membership of the selected group.


The Refresh Group Confirmation dialog box appears.

Step 3

Click OK.
A message appears that the selected group membership has been refreshed.
Or
Click Cancel to return to the Group Administration page.

Administration of Cisco Prime LAN Management Solution 4.2

5-82

OL-25947-01

CH A P T E R

Administering Data Collection


Data Collection runs automatically when you add, or delete devices in the Unified Device Manager
(UDM).
This section explains:

Modifying Data Collection SNMP Timeouts and Retries.

Scheduling Data Collection.

Data Collection Critical Device Poller.

Compliance and Audit Settings

Modifying Data Collection SNMP Timeouts and Retries


You can modify the SNMP timeouts and retries when Data Collection fails for a particular device with
SNMP timeout exceptions.
The SNMP fallback methodology applicable for Data Collection, UT Acquisition, and Dynamic UT is
as follows:

If you have configured a device with SNMP v2 or v1 settings in DCR, then the device is initially
queried with SNMP v2. If the query fails, LMS will query the device with SNMP v1.

If you have configured a device with SNMPv3 settings in DCR, then the device is queried with
SNMP v3. However, if the query fails, the same device will not be queried with SNMP v2 or v1.

To modify SNMP timeouts and retries:


Step 1

Select Admin > Network > Timeout and Retry Settings > Data Collection SNMP Timeouts and
Retries.
The SNMP Timeouts and Retries dialog box appears.

Step 2

Modify the SNMP settings as given in Table 6-1.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

6-1

Chapter 6

Administering Data Collection

Modifying Data Collection SNMP Timeouts and Retries

Table 6-1

Modify Data Collection SNMP Timeouts and Retries

Field

Description

Target

Denotes the Target device.


You should enter IPv4 or IPv6 address of the target device in this field.
You can also use wildcard characters or range of numbers to specify the
target device.
For example, you can enter 10.[77-78].*.* or ABCD:EF12:*:*:*:*:[3A-BB]
as the target device

Timeouts

Time period after which the query times out.


This also indicates the time interval between the request and the first initial
response from the device.
The SNMP response may be slow for remote devices. If your network has
remote devices connected over a slow link, configure a higher value for
time-out.
If timeout is increased, discovery time could also increase. Enter the value in
seconds.
For every retry, the timeout value is doubled.
For example, If the timeout is 10 seconds and retries 4:
LMS waits for 10 seconds for response for the first try, 20 seconds for the
second retry, 40 seconds for the third retry and 80 seconds for the fourth
retry.
150 seconds (10+20+40+80) is the total time lapse after which LMS stops
querying the device.

Retries

Number of attempts made to query the device. The allowed range is 0-8.

Step 3

Click Add to add SNMP settings.

Step 4

Select a row and either:

Click Edit to edit the timeouts and retries values.

Or

Click Delete to delete the timeouts and retries values.

Click OK to save the changes or click Cancel to exit.


Step 5

Click Apply.

Administration of Cisco Prime LAN Management Solution 4.2

6-2

OL-25947-01

Chapter 6

Administering Data Collection


Scheduling Data Collection

Scheduling Data Collection


Data Collection runs automatically when you add, or delete devices in the Unified Device Manager
(UDM).
You can also schedule the day and time of data collection using this feature.
You can start data collection immediately for all or failed devices and schedule data collection for all
devices. All devices is a default option. You can select the Failed devices option to run data collection
for failed devices.
To schedule data collection:
Step 1

Select Admin > Collection Settings > Data Collection > Data Collection Schedule.
The Data Collection Schedule dialog box appears.

Step 2

Modify the data collection settings as described in Table 6-2.


Table 6-2

Data Collection Schedule Settings

Field

Description

Usage Notes

Days on which and the time at


which data collection is
scheduled.

The optimum data collection schedule depends


on the size of the network and the frequency of
network changes.

Schedule

Days, Hour, Min

The default data collection schedule is every 4


hours, on the 4-hour mark, daily: 04.00, 08.00,
12.00, 16.00, 20.00, 24.00 Note that time is in
the 24-hour format.

Step 3

Select a schedule and click Edit to edit the schedule.

Select a schedule and click Delete to delete the schedule.

Click Add to add a new schedule.

Click OK to save the changes or click Cancel to exit.

Best Practices

Be cautious while scheduling Data Collection:

Data Collection consumes significant resources on the network management system.

Use the Polling option to see the device and link status without running data collection. For more
details on polling see, Data Collection Critical Device Poller

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

6-3

Chapter 6

Administering Data Collection

Data Collection Critical Device Poller

Data Collection Critical Device Poller


LMS polls the entire network for device and link status periodically.This feature allows you to:

Configure the time interval at which the network is polled.

Poll only a critical set of devices.


Use this option to see the device and link status without running Data Collection.
Since Data Collection consumes significant system resources, you can simply poll the network and
view the device and link status in Topology maps.

Adding Critical Devices to the Device Poller

To add a device to the Critical Devices list from Topology Map:


Step 1

Launch a Topology map.

Step 2

Right click a device and select Add device to Critical Poller.

To add a device to the Critical Devices list from N-Hop View Portlet:
Step 1

Launch N-Hop View Portlet.

Step 2

Go to the configuration screen and select Poll devices.

Caution

If the critical set of devices is more than 30, the amount of traffic generated as part of the polling cycle
will use a large amount of bandwidth.
To configure Device Poller:

Step 1

Select Admin > Collection Settings > Data Collection > Data Collection Critical Devices Poller.
The Device Poller screen appears.

Step 2

Configure the device poller options as specified in Table 6-3.


Table 6-3

Field

Device Poller Options

Description

Usage Notes

Polling Details

All Devices

Specifies that all devices in the network will By default the whole network is polled every 2
be polled at the specified interval.
hours.

Critical Devices

Specifies that only critical devices in the


network will be polled at the specified
interval.

You can configure this option when you need to


poll a few devices in the network more frequently.
By default, the critical devices are polled every
five minutes.

Administration of Cisco Prime LAN Management Solution 4.2

6-4

OL-25947-01

Chapter 6

Administering Data Collection


Compliance and Audit Settings

Table 6-3

Device Poller Options

Field

Description

Usage Notes

Time Interval

Time interval at which the specified devices Configure this option to change the interval from
the default value.
are polled.
The time interval is added to the completion
time of Data Collection.
For example, you have configured the
following:

Data Collection is scheduled to run at


07:00 hours

Time interval is set to 4 hours.

If Data Collection completes at 08:00 hours,


the next polling will happen at 12:00 hours
(8 + 4).
Show Devices

For Critical Devices:


Displays the list of critical devices in the
network.

The following information about the Critical


Devices is displayed:

IP Address

DeviceName

You can choose any device and click Delete to


remove it from the Critical Device poller list.
For All Devices:
Launches the Data Collection report.

Step 3

The following information about the devices in the


network is displayed:

IP Address

DeviceName

DeviceType

Neighbors

Click Apply to save the configuration.

Compliance and Audit Settings


The following topics are discussed in this section:

Compliance Data Collection

Import Contracts

Import Policy Updates

Compliance Data Collection


The Compliance Data Collection allows you to schedule the Compliance Data Collection System Job.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

6-5

Chapter 6

Administering Data Collection

Compliance and Audit Settings

The Compliance Data Collection job runs daily by default. The user can schedule a Compliance Data
Collection Job.
To schedule a Compliance Data Collection System Job do the following:
Step 1

Select Admin > Compliance and Audit Settings > Compliance Data Collection > Compliance Data
Collection System Job Schedule.
The Compliance Data Collection System Job Schedule page appears.

Step 2

Enter the information required to scheule a Compliance Data Collection System Job

Field

Description

Job Type

Command Output Collection Job .

Scheduling

Run Type

Specifies the type of schedule for the job:

DailyRuns daily at the specified time.

WeeklyRuns weekly on the day of the week and at the specified time.

MonthlyRuns monthly on the day of the month and at the specified time.

For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the
job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of
this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job
has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November
2, then the next job will start only at 10:00 a.m. on November 3.
Date

1.

Enter the start date in the dd mmm yyyy format, for example, 06 Oct 2011, or click on the
calendar icon and select the date.

2.

Enter the start time by selecting the hours and minutes from the drop-down list.

Job Info

Job Description

The default job description is, System-defined job for Compliance data Collection.

E-mail

Enter e-mail addresses to which the job sends messages when the job has run.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog
box (Admin > System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the senders address,
Step 3

Click Apply.
The scheduled job appears in the Compliance Data Collection Jobs.

Administration of Cisco Prime LAN Management Solution 4.2

6-6

OL-25947-01

Chapter 6

Administering Data Collection


Compliance and Audit Settings

Compliance Data Collection Jobs


The Compliance Data Collection Jobs enables you to view the status of all the Compliance Data
collection jobs.
Table 6-4

List of Compliance Data Collection Jobs

Column

Description

Job ID

Unique number assigned to this task at scheduling time. This


number is never reused. There are two formats:

Job ID:
Identifies the task. This does not maintain a history. For
Example:1002

JobID.Instance ID:
Here, in addition to the task, the instance of the task can also be
identified. For example: 1002.1, 1002.2

Status

Provides the status of the current jobs. The status of the current jobs
is displayed as succeeded or failed. It also displays the failure
reasons.

Description

Description of the job.

Owner

Username of the job creator.

Job Type

Type of job e.g. system compliance.

Scheduled At

Date and time at which the job was scheduled.

Completed At

Date and time at which the job was completed.

Schedule Type

Frequency of the job. This can be:

Daily

Weekly

Montly.

Work Order

Displays information about the Job Description, Owner, Schedule


Type, Schedule Time, E-mail Notification, E-mail IDs and Devices
List.

Device Details

Displays the Device IP, Job Status and Message Summary.

Job Summary

Displays the Job Status, Job Message, Start Time, End Time and
Device Updates.

Import Contracts
The Import Contracts enables you to import customer contracts into the Compliance and Audit Manager
Database.
The contract summary report can be generated only after importing contracts into the Compliance and
Audit Manager Database.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

6-7

Chapter 6

Administering Data Collection

Compliance and Audit Settings

The following steps should be performed for importing contracts into the Compliance and Audit
Manager Database:
Step 1

Go to
http://apps.cisco.com/CustAdv/ServiceSales/contract/viewContractMgr.do?method=viewContractMgr.

Note
Step 2

Open the link in Internet Explorer and use your Cisco.com credentials.

A contract Manager screen listing the contracts associated with your Cisco.com ID appears.

Note

If you do not see the contracts then there are no contracts associated with your Cisco.com ID.
Open a case with Cisco to get access to your contracts.

Step 3

Select Download Contract or Selected Data option from the Action drop-down menu.

Step 4

Select the contracts from the Contract Table.

Step 5

Click Go.
A Download Contract or Selected Data window appears

Step 6

In the Download Contract or Selected Data window, perform the following:


a.

Select Products + Configurations.

b.

Click Save Now radio button, to save a Zip file containing a CSV file in your local system.

c.

Click Send by Email to radio buttion, to receive a zip file containing a CSV file by Email.

Step 7

Go to Import Contracts page and Click Browse to select the downloaded contract file from your local
system.

Step 8

Click Import Contracts File to import the contracts file into the Compliance Engine.

Import Policy Updates


The Import Policy Updates allows a user to manually download policy updates patch file from
cisco.com.
The following steps should be performed for manually downloading the policy updates patch file from
Cisco.com and importing the downloaded policy patch file into the Compliance and Audit Manager
Engine:
Step 1

Go to Admin > Compliance and Audit Settings > Import Policy Updates

Step 2

In Cisco.com, navigate to Home > Products > Cloud and Systems Management > Routing and
Switching Management > Cisco Prime LAN Management Solution > Cisco Prime LAN
Management Solution 4.2 > Compliance Policy Updates.

Step 3

You will be prompted to enter your Cisco.com credentials.

Step 4

Login using your Cisco.com credentials to open the LMS Compliance Policy Updates page in the
browser.

Administration of Cisco Prime LAN Management Solution 4.2

6-8

OL-25947-01

Chapter 6

Administering Data Collection


Compliance and Audit Settings

Step 5

Download the CompliancePolicyUpdates.vX-y.jar patch file, where X is the major version and y is the
minor version.

Step 6

Save the CompliancePolicyUpdates.vX-y.jar patch file in your local system.

Step 7

Go to Import policy updates page and click Browse to select the downloaded
CompliancePolicyUpdates.vX-y.jar file from your local system

Step 8

Click Import Policy Updates to import the CompliancePolicyUpdates.vX-y.jar patch file into the
Compliance Engine.
A message appears indicating the successful importing of policy into the Compliance Engine.

Note

Ensure that the CAAM Server process is re-started to effect the changes.
Restarting CAAM server from User Interface

Perform the following to restart CAAM server from user interface:


Step 1

Go to Admin > System > Server Monitoring > Processes.


The Process Management page appears.

Step 2

Select CAAM Server from the Process Management Grid and click stop.

Step 3

After the CAAM server stops, click start to restart the CAAM server.

Restarting CAAM server from CLI

Perform the following to restart the CAAM Server from CLI:


Step 1

Enter NMSRoot/bin/pdterm CAAMServer to stop the CAAM server.

Step 2

Enter NMSRoot/bin/pdexec CAAMServer to start the CAAM server.


where NMSROOT is the root directory of the LMS Server.

Note

The policy updates patch file can be automatically downloaded and posted into the CAAM server by
scheduling a system defined job under Admin > Network > Compliance Policy/PSIRT/EOS/EOL
Settings.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

6-9

Chapter 6

Administering Data Collection

Compliance and Audit Settings

Administration of Cisco Prime LAN Management Solution 4.2

6-10

OL-25947-01

CH A P T E R

User Tracking and Dynamic Updates


User Tracking application of LMS allows you to track end stations. This chapter contains the following
sections:

Understanding User Tracking

Using User Tracking Administration

Understanding Dynamic Updates

Using User Tracking Utility

Understanding User Tracking


User Tracking helps you to locate and track the end hosts in your network. In this way, you get the
information required to troubleshoot and analyze connectivity issues. The application identifies all end
users connected to the discovered Cisco access layer switches on the network, including printers,
servers, IP phones PCs and wireless hosts.
User Tracking collects the details of the end users and the layer 2 connections, and updates User
Tracking table in the LMS database. This is done through automated polling of the network, by User
Tracking (UT) Major Acquisition process.
In addition to polling the network, the Dynamic UT process receives details from the end users and
updates the database dynamically. User Tracking also computes subnet related data and updates the
database with complete host information. Thus you get latest information about the changes in the
connections on your network.
You can also configure User Tracking to collect usernames of the end hosts connected in the network.
The user names are collected from the UTLite process installed in UNIX hosts, Primary Domain
Controller (PDC), or Novell Directory Services (NDS). This makes it easier for you to locate and track
specific users in your network.
You can sort and query the User Tracking table that contains details such as VLANs, switches and switch
ports to which the end users are connected. Predefined reports such as the reports on duplicate IP
addresses or MAC addresses, multiple MAC addresses enable you to accurately locate the end users.
Switch Port reports give you information on:

Recently down ports

Ports that are in unused condition for the specified interval

Connected ports and Free ports

Percentage utilization of ports for each device

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-1

Chapter 7

User Tracking and Dynamic Updates

Understanding User Tracking

These reports give a clear picture of the switch port utilization in the network and help you in doing
capacity planning for the network. To generate Switch Port reports Select Reports > Switch Port from
the megamenu.
This topic covers:

Using User Tracking

Accessing UT Data

Various Acquisitions in User Tracking

Using User Tracking


You can use User Tracking to:

Display information about the connectivity between the devices, users, and hosts in your network.
For example, you might want to identify all users connected to a particular subnet, or all hosts on a
particular switch.

Display information about the IP phones registered with discovered Media Convergence Servers.

Use simple queries to limit the amount of information User Tracking displays.

Configure or limit the User Tracking acquisition by subnets.

Create and save simple and advanced queries.

Modify, add, and delete username and notes.


You can configure User Tracking Acquisition settings to collect usernames during UT Major
Acquisition and update the UT table. The user names are collected from the UTLite process.

Customize User Tracking table layouts.


For example, you can design a layout that displays only the MAC addresses of hosts on your
network.

View User Tracking reports that identify Switch Port usage, duplicate IP addresses, duplicate MAC
addresses, duplicate MAC and VLAN names, and ports with multiple MAC addresses.
You can also view History Reports for Switch port utilization, and the connection and disconnection
of endhosts and users from your network.
You can set the schedule for generating the reports, and also generate the reports for a subset of
devices.

Launch Device Center, host center, phone center.

Accessing UT Data
The following are the ways to access User Tracking data:
Quick Reports

You can generate End hosts or IP Phones report based on the given filter criteria
For example, you can generate reports on end hosts that belong to a specific VLAN.
To generate these reports, Select Reports > Inventory > User Tracking > Quick Report.

Administration of Cisco Prime LAN Management Solution 4.2

7-2

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Understanding User Tracking

Scheduled Reports

You can schedule reports that run at the specified date and time. You can generate immediate reports or
schedule them to run once or at repetitive intervals.
Custom Reports

You can customize the layout and columns displayed in the reports to suit your needs. To generate these
reports select Reports > Report Designer > User Tracking > Custom Reports.
Command Line Interface

You can generate various User Tracking reports from the Command Line Interface also.
For more details, see User Tracking Command Line Interface.
Data Extraction Engine

Data Extraction Engine is a LMS UTility that allows you to generate User Tracking data in XML format.
For more details, see Overview of Data Extraction Engine.
User Tracking Utility

Cisco Prime User Tracking Utility 2.0 is a Windows desktop utility that provides quick access to useful
information about users or hosts discovered by LMS User Tracking application.
You can use UTU search band to search for the users or hosts in your network. You can search using user
name, host name or IP address, or MAC address.

Various Acquisitions in User Tracking


This section explains the various acquisitions that can be done using LMS, to get information about the
end users.
User Tracking Major Acquisition

Discovers all the end hosts that are connected to the devices managed by LMS.
For details on the various options that can be set before starting an acquisition, see Modifying UT
Acquisition Settings.
User Tracking Acquisition can also be initiated from the CLI prompt. To do so, enter the following
command:
NMSROOT/campus/bin/ut cli

performMajorAcquisition u

userid -p password

where NMSROOT is the directory where you have installed Cisco Prime. For more details, see User
Tracking Command Line Interface.
User Tracking Minor Acquisition

Minor acquisition occurs on a device if any of the following changes take place:

A new endhost or IP phone is added to the network.

Port state changes (when the port comes up or goes down).

A new VLAN is added to the network.

There is a change in the existing VLAN.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-3

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Administration

Minor acquisition updates the LMS database with just the changes that have happened in the network. It
is triggered at regular intervals. The default for these intervals is 60 minutes. You can configure the
interval at which the acquisition takes place.
For details on modifying the acquisition interval, see Modifying UT Acquisition Schedule
User Tracking IP Phone Acquisition

Discovers all phones registered in Cisco Call Managers (CCM), that are managed by LMS.
Subnet based User Tracking Major Acquisition

User tracking subnet based acquisition would run only on those subnets that are configured in LMS.
LMS discovers end hosts on all the VLANs available in the configured subnets.
Do subnet based acquisition, when you need details about the end hosts connected to a particular subnet
or a select set of subnets. The acquisition completes faster, since it is not run on all devices managed by
LMS.
For details on running subnet based acquisition, see Configuring UT Subnet Acquisition
Single device on-demand User Tracking Acquisition

This discovers the end hosts on all the VLANs available in the selected device. Hence this acquisition is
useful for collecting information only on end hosts connected to the specified device.
For details on initiating this type of acquisition, see Configuring User Tracking Acquisition Actions

Using User Tracking Administration


You can perform the following administrative tasks using User Tracking Administration:

Modify Acquisition settings.


Before you start collecting information about the hosts in your network, you can set various options
that control the way in which Acquisition happens.
For example, you can set LMS to perform DNS lookup, while resolving the IP address of a host.
For complete details, see Modifying UT Acquisition Settings

Schedule Acquisition.
You can set the day and time of the week when you want to run Major Acquisition. The time interval
at which Minor Acquisition happens in the network can also be set.
For more details, see Modifying UT Acquisition Schedule

Configure Ping Sweep options for Acquisition.


You can configure LMS to perform Ping Sweep on selected subnets, during Acquisition.
For more details, see Modifying Ping Sweep Options

Configure Subnet Acquisition.


You can trigger acquisition on a single subnet or a select set of subnets. Subnet based acquisition
collects details about the end hosts that are connected to a particular subnet or a select set of subnets.
This Acquisition completes faster, since it is not run on all devices managed by LMS.
For more details, see Configuring UT Subnet Acquisition

Administration of Cisco Prime LAN Management Solution 4.2

7-4

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Administration

Configure end host and IP phone data delete interval.


You can modify the time interval for deleting entries from the End Host Table, IP Phone Table, or
the History Table from the database.
For more details, see Deleting User Tracking Purge Policy Details

Configure UT Acquisition to discover end hosts connected to non-link trunk ports.


Normally UT Acquisition only discovers end hosts that are connected to access ports. If you enable
this feature, UT Acquisition also discovers end hosts that are connected to non-link trunk ports.
For more details, see Configuring UT Acquisition in Trunk for End Host Discovery

Specify Purge Policy.


You can specify the intervals at which you want old reports and jobs to be purged. You can save the
Purge Policy, so that the older jobs and archives are purged at the specified interval.
For more details, see Specifying User Tracking Report Purge Policy

Specify Domain Name display.


You can specify the way in which domain names are to be displayed in User Tracking Reports.
For more details, see Specifying Domain Name Display.

Import information on end hosts.


You can import user names and notes of end hosts that are already discovered by User Tracking,
from a file.
For more details, see Importing Information on End Host Users

Enable Dynamic User Tracking.


Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps. LMS
tracks changes about the end hosts and users on the network to provide real-time updates, based on
these traps.
For more details, see Understanding Dynamic Updates

Enable Debugging options.


When you face issues in running User Tracking, logging can be enabled for debugging purposes.
For more details, see Debugging Options for User Tracking Server and Debugging Options for User
Tracking Reports

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-5

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Administration

Viewing User Tracking Acquisition Information


You can view acquisition information.
To view acquisition information:
Step 1

Either:

Select Admin > Collection Settings > User Tracking > Acquisitions Info.
Or

Select Inventory > User Tracking Settings > Acquisition Summary.

The acquisition information appears with the following information:


Field

Description

Acquisition status

Status of the User Tracking Major Acquisition process. It can be


either Idle or Running.

Last acquisition type

Type of User Tracking acquisition that you had performed last time.
Types of acquisition are:

MajorUser Tracking Major Acquisition

DevicesUser Tracking Acquisition for a device

SubnetsUser Tracking Acquisition for subnets

IP PhonesUser Tracking Acquisition for IP phones

Acquisition start time

Date and time at which User Tracking started the Acquisition


process. This is displayed in the format dd mon yyyy hh:mm:ss.

Acquisition end time

Date and time at which User Tracking stopped the Acquisition


process. This is displayed in the format dd mon yyyy, hh:mm:ss
time zone.

Number of acquisitions

Number of major and minor acquisitions performed.

Number of host entries

Number of hosts found after User Tracking acquisition.

Number of duplicate MAC

Number of MAC addresses that have duplicate entries in the list of


hosts found.

Number of duplicate IP

Number of IP addresses that have duplicate entries in the list of end


hosts found.

Number of CCM hosts

Number of Cisco CallManagers in the list of devices found after


Data Collection.

Number of IP phone entries

Number of IP phones available in the LMS managed network.

Last Campus data collection


completed at

Date and time of the previous LMS Data Collection process. This
is displayed in the following format: dd mon yyyy hh:mm:ss time
zone.

Data collection status

Status of the LMS Data Collection process. It can be either Idle or


Running.

Administration of Cisco Prime LAN Management Solution 4.2

7-6

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Administration

Configuring User Tracking Acquisition Actions


You can trigger the following acquisitions from this page:

Device based Acquisition

Subnet based Acquisition

IP Phone Acquisition

To configure the required acquisition:


Step 1

Either:

Select Admin > Collection Settings > User Tracking > Acquisition Action.
Or

Select Inventory > User Tracking Settings > Acquisition Actions.

The Acquisition Actions dialog box appears.


Step 2
Table 7-1

Configure Acquisition Actions as specified in Table 7-1.

Acquisition Actions

Field

Description

Select a type

You can select the type of acquisition. Type When you select a type of acquisition the appropriate
of acquisition can be:
fields are displayed.

Scope Selection

Device

Subnet

IP Phones

Usage Notes

Select the All hosts and users check box to


acquire information about all hosts and
users in your network.

If you do not select the All hosts and users check box, the
device selection field is enabled and you can enter the
name or IP address of the device for which you require
data.

Device Name or IP Enter the name or IP address of the device


Address
about which data is to be acquired.

Click Select to select the device from the list of available


devices.

Device Selection

Subnets

Type Selection

You can choose to get data about a particular If you choose to acquire data about a particular subnet, the
subnet or about all the configured subnets. subnet selection fields are enabled.

Subnet Selection

Subnet ID

Select the IDs of the subnets on which you


need to get data.

This field is enabled only if you select the Subnet option


in the Type Selection area.
Click Select to select the subnet ID from the list of
available subnets.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-7

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Administration

Table 7-1

Acquisition Actions (continued)

Field

Description

Usage Notes

Subnet Mask

Enter the subnet mask.

If you select the subnet ID, the subnet mask is


automatically entered.

Acquire Only
VLAN Specific to
Subnet

Select this check box to get data only about


the VLANs specific to the subnet.

If you select this check box, only the work stations


associated with the VLANs that are mapped to the
selected subnets will be acquired.

If you do not select this check box, work stations


associated with all the available VLANs in the
selected subnets will be acquired.

You do not have to specify any details for the IP Phones option.
Step 3

Click Start Acquisition.

Using User and Host Acquisition


You can modify the Acquisition settings and Acquisition schedule using the User and Host Acquisition
option.
This section contains:

Modifying UT Acquisition Settings

Configuring Rogue MAC List

Modifying UT Acquisition Schedule

Modifying Ping Sweep Options

Configuring UT Subnet Acquisition

Deleting User Tracking Purge Policy Details

Configuring UT Acquisition in Trunk for End Host Discovery

Specifying User Tracking Report Purge Policy

Importing Information on End Host Users

Modifying UT Acquisition Settings


You can modify User Tracking Acquisition settings.
This section contains:

Modifying Acquisition Settings from UI

UT Behaviour in DHCP Environment for Missing IP address

Configuring Properties That Support Duplicate MAC Addresses

Configuring User Tracking Properties from the Backend

Administration of Cisco Prime LAN Management Solution 4.2

7-8

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Administration

Modifying Acquisition Settings from UI

To modify acquisition settings:


Step 1

Select Admin > Collection Settings > User Tracking > Acquisition Settings.
The Acquisition Settings dialog box appears.

Step 2
Table 7-2

Modify the acquisition settings as specified in Table 7-2.

Acquisition Settings Field Description

Field

Description

Usage Notes

Enable User Tracking for


DHCP Environment

Enables User Tracking for DHCP


Environment.

If you enable this property, it allows you to control


inclusion and exclusion of Duplicate MAC addresses in the
Acquisition.
To understand the behavior of User Tracking in case of
missing IP address, see UT Behaviour in DHCP
Environment for Missing IP address.
For details on properties that support Duplicate MAC
addresses, see Configuring Properties That Support
Duplicate MAC Addresses.

Enable User Tracking on


Access Points

Enables User Tracking on Access


Points

This is enabled by default and allows UT Major Acquisition


process to collect Access point information. However,
WlseUHIC cannot collect Wlse related end host
information.
If disabled, it precludes Access point acquisition. However,
WlseUHIC collects Wlse related end host information.

Get user names from


UNIX hosts

Select this option to allow


Acquisition to collect the active
usernames of UNIX hosts.

Collects information only for users, who are logged into the
console port of the UNIX hosts.

UNIX user names are updated at


the end of major acquisitions.
Get user names from hosts Allows LMS to collect active user This option helps you to:
in NT and NDS
names on the Windows or Novell
Collect information only for users who are currently
Directory Service (NDS) servers.
logged into the network.

Collect information from NDS hosts. You must use


NDS 5.0 or later.

For this option you need to install the UTLite script.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-9

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Administration

Table 7-2

Acquisition Settings Field Description (continued)

Field

Description

Usage Notes

Use DNS to resolve host


names

Resolves host names using DNS.

User Tracking performs DNS Lookup for a host to resolve


its IP address.
When you choose this option the Advanced button is
enabled. Click on this to launch the Advanced UT
Acquisition Settings window.
The following options are available:

DNS threads
Number of parallel threads allowed for name
resolution. The default value is 1. Maximum number of
threads allowed is 12.

DNS Timeout
Time duration for which UT waits for a response from
the DNS server, for name resolution. The value should
be entered in milli seconds. The default value is 2000
milliseconds (2 seconds).

Enter values and click OK to save changes.


User Port Number

Specify the UDP port number from You must use the default port number unless it is already in
where logon and logoff messages use. This port number must match the port indicated in the
login script.
are received from hosts in
Windows and NDS.

Rogue MAC Detection

Enable notification when Rogue


LMS sends e-mails to the specified addresses, when
MACs are detected in the network. unauthorized end hosts are detected in the network.

E-Mail

Specify the E-mail IDs to be


notified when Rogue MACs are
detected in the network.

Define Rogue MACs

Specify the list of Rogue MACs in For details, see Configuring Rogue MAC List.
the screen that is launched.

New MAC Detection

Enable notification when new


LMS sends e-mails to the specified addresses, when new
MACs are detected in the network. end hosts are detected in the network.

E-Mail

Specify the E-mail IDs to be


notified when new end hosts are
detected in the network.

You can enter multiple E-mail IDs separated by commas.


This field is enabled only when you check the Rogue MAC
Detection field.

You can enter multiple E-mail IDs separated by commas.


This field is enabled only when you check the New MAC
Detection field.

Step 3

Click Apply to save the modifications in the settings.

Step 4

Click Start Acquisition to start User Tracking Acquisition with the modified settings.

Administration of Cisco Prime LAN Management Solution 4.2

7-10

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Administration

UT Behaviour in DHCP Environment for Missing IP address

Selecting the Enable User Tracking for DHCP Environment property allows you to control inclusion
and exclusion of Duplicate MAC addresses in UT Acquisition.
LMS will not get the IP address of end hosts, if the Router is not reachable or if it is excluded from DCR. In
such cases, behaviour of User Tracking after enabling Enable User Tracking for DHCP Environment
property, is explained in Table 7-3.
The conventions used in Table 7-3 are:

Note

Table 7-3

MACx MAC address of the endhost

IPx IP address of the endhost

Device x Device to which the end host is connected.

Time in xx:xx format Time entries in the Last seen column

NA Not Available.

The explanation given for scenarios 1 and 2 holds good, irrespective of the value set for Enable User
Tracking for DHCP Environment property.

UT Behaviour in DHCP Environment for Missing IP address

Scenario

Explanation

What gets Updated in Database

For an endhost, if the IP address is


not available in the first UT
acquisition, but is available in the
next, the IP address field in the
database is updated with the value
that is currently discovered.

MAC1

IP1

Device 1

6:40

For an endhost, if the IP address is MAC1


available in the first UT acquisition,
but is not available in the next, the
older value for IP address is
retained in the database.

IP1

Device 1

6:50

MAC1
For an endhost with Single MAC
address but multiple IP addresses, if MAC1
UT does not get the IP address in
the current acquisition, it retains the MAC1
older values in the database.

IP1

Device 1

7:00

IP2

Device 1

7:00

IP3

Device 1

7:00

Scenario1: Missing IP Address


MAC1

NA

Device 1

6:35

MAC1

IP1

Device 1

6:40

Scenario 2: Missing IP Address


MAC1

IP1

Device 1

6:45

MAC1

NA

Device 1

6:50

Scenario 3: Single MAC, Multiple IP


Addresses
MAC1

IP1

Device 1

6:55

MAC1

IP2

Device 1

6:55

MAC1

IP3

Device 1

6:55

MAC1

NA

Device 1

7:00

Scenario 4: Dynamic change in IP


Address

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-11

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Administration

Table 7-3

UT Behaviour in DHCP Environment for Missing IP address

Scenario

Explanation

What gets Updated in Database

MAC1

IP1

Device 1

4:00

MAC1

IP1

Device 1

4:00

MAC1

IP2

Device 1

5:00

IP2

Device 1

5:00

MAC1

IP3

Device 1

6:00

IP3

Device 1

7:00

MAC1

NA

Device 1

7:00

MAC1
For an endhost with different IP
addresses at different points of
MAC1
time, if UT does not get the IP
address in the current acquisition, it
retains the value that was last
discovered.

When an end host moves between MAC1


devices, if UT does not find the IP
address in the current acquisition, it
retains the IP address value that was
last discovered for that device.

IP1

Device 1

6:00

Scenario 5: Endhost moving between


devices
MAC1

IP1

Device 1

4:00

MAC1

IP1

Device 2

5:00

MAC 1

NA

Device 1

6:00

Configuring Properties That Support Duplicate MAC Addresses

The following properties can be configured in the ut.properties file stored in


NMSROOT/campus/etc/cwsi/
where NMSROOT is the root directory where you installed Cisco Prime.
Table 7-4 lists the properties that support Duplicate MAC Addresses
Table 7-4

Properties Supporting Duplicate MAC Addresses

Property

Description

UT.DuplicateMac.Include_SwitchPorts

List of switchports connected to endhosts, for which


duplicate MAC entries need to be included in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.

UT.DuplicateMac.Exclude_SwitchPorts

List of switchports connected to endhosts, for which


duplicate MAC entries need to be excluded in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.

UT.DuplicateMac.Include_Switches

List of switches connected to end hosts, for which


duplicate MAC entries need to be included in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.

UT.DuplicateMac.Exclude_Switches

List of switches connected to end hosts, for which


duplicate MAC entries need to be excluded in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.

UT.DuplicateMac.Include_Vlans

List of VLANs associated with endhosts, for which


duplicate MAC entries need to be included in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.

Administration of Cisco Prime LAN Management Solution 4.2

7-12

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Administration

Table 7-4

Properties Supporting Duplicate MAC Addresses

Property

Description

UT.DuplicateMac.Exclude_Vlans

List of VLANs associated with endhosts, for which


duplicate MAC entries need to be excluded in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.

UT.DuplicateMac.Include_Subnets

List of subnets associated with endhosts, for which


duplicate MAC entries need to be included in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.

UT.DuplicateMac.Exclude_Subnets

List of subnets associated with endhosts, for which


duplicate MAC entries need to be excluded in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.

For the above list of properties:

Values should be separated by commas.

IP addresses of the devices should be given.

Port numbers should be given along with the device IP address as deviceip:port.

The Exclude list takes precedence over the Include list.

The usage scenario for the above lists is as follows:

If you use the Include list OR the Exclude list alone, the duplicate MAC addresses will be included
or excluded as specified.
For example, if you set the Include list as,
UT.DuplicateMac.Include_Switches=X,Y
Duplicate MAC addresses will be allowed only for endhosts connected to Switches X and Y.
Duplicate addresses will not be allowed for any other endhost.

If you set both Include and Exclude list as,


UT.DuplicateMac.Include_Switches=X,Y
UT.DuplicateMac.Exclude_Switches=A,B
Duplicate MAC addresses will not be allowed for endhosts connected only to Switches A and B.
Duplicate addresses will be allowed for all other end hosts, even for those connected to switches not
specified in the Include list. Thus when an Exclude list is set, the Include list is ignored.

The above examples hold good for the Include/Exclude lists of Switchports, Subnets and VLANs.

The order of priority for the property list is as follows:


a. SwitchPorts
b. Switches
c. VLANs
d. Subnets

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-13

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Administration

The SwitchPorts list has the highest priority, followed by Switches, VLANs and Subnets list.
For example, if you set
UT.DuplicateMac.Include_SwitchPorts=10.77.211.33:3/2
UT.DuplicateMac.Exclude_Switches=10.77.211.33
Although the switch 10.77.211.33 is in the Exclude list, a switchport belonging to that switch is also
present in the Include list. So Duplicate MAC addresses will be allowed for that port on the switch.
Thus the SwitchPorts list has higher priority over the Switches list.
Configuring User Tracking Properties from the Backend

This section explains the new user configurable properties that have been added to UT.
You can configure properties that control DNS name resolution and history reports, by editing them in
the file ut.properties, stored in
NMSROOT/campus/etc/cwsi/
where NMSROOT is the root directory where you installed Cisco Prime.

Administration of Cisco Prime LAN Management Solution 4.2

7-14

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Administration

Table 7-5 lists the new properties added to UT:


Table 7-5

Configuring User Tracking Properties

Property

Default Value

Description

HistoryHostPurgeTime

10 days

Purges history entries that are older than the specified time.
The value should be provided in minutes.
For example,
If you want to purge entries older than 10 days, set
HistoryHostPurgeTime=14400

UT.nameResolution

both

Name resolution for end hosts using Java APIs JNDI and
InetAddres.This property can have the following values:

wins (Use only InetAddress)

dns (Use only JNDI)

wins,dns (First InetAddress then JNDI)

both (JNDI first and InetAddress next)

UT.nameResolution.dnsTimeout

2000

Time duration for which UT waits for response from the DNS
server, for name resolution. The value should be entered in
milliseconds.

UT.nameResolution.winsTimeout

2000

Time duration for which UT waits for response from the DNS
server, for name resolution.The value should be entered in
milliseconds.
This property must be enabled only for windows server.

UTMajorUseDNSCache

false

Uses cache memory for name resolution in subsequent User


Tracking discoveries.
User Tracking performs DNS Lookup for a host only if the IP
address of the host is being resolved for the first time.It does
not perform DNS Lookup for every Major Acquisition.
This helps the application to reduce the number of queries
during User Tracking Acquisition. This in turn reduces the
time taken for Acquisition process.

UT.RunLookupAnalyzer

OFF

To analyze the performance of DNS servers and provide the


following information in the NMSROOT\log\ut.log file:

DNS Server Efficiency for each DNS Server

Overall Summary of DNS Servers

Namelookup related settings in ut.properties file

Issues found and recommendations to overcome them

Set the value to ON to turn on the feature.


You need not enable debugging for UT to get the
LookupAnalyzer data in the ut.log file.
For details on running Lookup Analyzer utility from the
command prompt and example output of the utility, see Using
Lookup Analyzer Utility

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-15

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Administration

Configuring Rogue MAC List


MAC Addresses that are not authorized to exist in your network are termed as Rogue MAC addresses.
When you enable the Rogue MAC notification feature, you need to define the list of MAC addresses that
are to be classified as unauthorized addresses in the network.
You can also import MAC addresses to Acceptable OUI either from a file or directly from UT.
If you import the MAC Addresses from a file or directly from UT, the MAC addresses in the file are
converted to OUIs before you add them to the Acceptable OUI list.
To do so:
Step 1

Select Admin > Collection Settings > User Tracking > Acquisition Settings.
The User Tracking Acquisition settings window appears.

Step 2

Click Define Rogue MACs.


The Rogue MAC Configuration window appears. The lists displayed in the window are:
Rogue MAC/OUI List
Acceptable MAC/OUI List

Step 3

Click Add MAC/OUI to add new entries to the list.


The Add MAC/OUI window appears.
The Organizationally Unique Identifier (OUI) is a 24-bit number. It is used as an identifier to uniquely
identify the vendor, manufacturer, or a worldwide organization.
An OUI reserves a block of each type of derivative identifier, such as MAC addresses, group addresses,
and Subnetwork Access Protocol identifiers. It is used to identify a network interface controller (NIC),
network protocol, or MAC addresses for Ethernet.
In case of MAC addresses, OUI is combined with a 24-bit number to form the address. The first three
octets of the address are the OUI.

Administration of Cisco Prime LAN Management Solution 4.2

7-16

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Administration

The Add MAC/OUI page is as explained in Table 7-6:


Table 7-6

Populating the MAC/OUI list

Property

Description

Select Mode

Provides the following options to add MAC addresses to


MAC/OUI List:

Add MAC/OUI

Manual Enables you to add MAC/OUI to either the


Acceptable MAC/OUI List or to the Rogue MAC/OUI
list. The Manual Add option is selected by default.

Import from file Enables you to import MAC


Addresses from a file to the Acceptable MAC/OUI List

Import from UT Enables you to import MAC


Addresses directly from UT to Acceptable MAC/OUI
List

Enter the MAC Address or OUI in the text box provided.


The values should be separated by spaces, tabs, or commas.
You can also enter values on separate lines.
The address can have only hexa decimal numbers separated
by hyphen.
Example:
00-c0-1d-99-06-b6

OUI List

Displays predefined values in LMS. You can select values


from the list, to add to the Rogue OUI or Acceptable OUI
list.
To add more values to the list, add them to the Property file:
NMSROOT/campus/etc/cwsi/OUI.properties
where NMSROOT is the directory where you installed
Cisco Prime.
To get the latest OUIs listed by IEEE, see
http://standards.ieee.org/regauth/oui/index.shtml

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-17

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Administration

Step 4

Select any of the following:

Manual Add

a.

Select the required OUIs from the list displayed in OUI List.

b.

Click either the Add to Rogue MAC List or the Add to Acceptable MAC List, based on your
requirement.
The MAC or OUIs that you enter in the ADD MAC or in the OUI textbox will be added to the list
that you selected.

Import From File

a.

Click Browse and browse to the folder location and choose the file to be imported

b.

Click the Import to Acceptable OUI list.


The MACs are converted to OUIs before you add them to the Acceptable MAC/OUI list.

Import From UT
Click the Import to Acceptable OUI list. The MACs are converted to OUIs prior to adding them to
the Acceptable MAC/OUI List.
It is mandatory that the file that is imported to Acceptable MAC/OUI list must include the header MAC Address followed by MAC Address entries.
For example: In the example, the file to be imported includes a MAC Address column with MAC
Address entries.
MAC Address
MAC 1
MAC 2
MAC 3

The newly added values are reflected in the Rogue MAC Configuration screen.
Step 5

Check Consider unqualified MAC as Rogue


When you check this, LMS treats any new MAC address coming into the network as Rogue MAC. This
is if it is not defined in the Acceptable MAC list.

Step 6

Click any of the following:

Save
Saves the settings to the server. They come into effect in the next UT Major Acquisition cycle.
If Dynamic User Tracking is running, notification for new or Rogue MACs detected in the

network, are sent immediately.


If WLSE is integrated with LMS, notification for wireless MACs detected in the network is sent.

Delete
Deletes entries.

Cancel
Cancels changes and closes the window.

Administration of Cisco Prime LAN Management Solution 4.2

7-18

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Administration

Modifying UT Acquisition Schedule


You can modify UT acquisition schedule.
To modify acquisition schedule:
Step 1

Select Admin > Collection Settings > User Tracking > Acquisition Schedule.
The Acquisition Schedule dialog box appears.

Step 2

Start the user tracking major acquisition for all or failed devices as specified below:

Select either All devices or Failed devices .

Click Start to start the user tracking major acquisition immediately for the selected devices.
The UT Acquisition Confirmation pop up appears.

Click OK to start user tracking acquisition. A success message appears. Click OK.
To cancel the user tracking acquisition process, click Cancel.

Step 3
Table 7-7

Modify the acquisition schedule as specified in Table 7-7.

Acquisition Schedule Field Description

Field

Description

Usage Notes

Minor Acquisition

Specify, in minutes, the periodicity at which a


minor acquisition should take place.

None.

Major Acquisition

Specify the time at which a major acquisition is to None.


take place.
Specify the days of the week on which a major
acquisition is to be scheduled.

Days, Hour, Min

Days on which and the time at which a major


acquisition is to be carried out.

You can add new schedules and edit or delete


existing schedules.

Recurrence Pattern

Select the days of the week on which a major


acquisition is to be scheduled.

This field is available only when you are adding


or editing a schedule.

Step 4

Select the schedule and do any of the following:

Click Edit to edit the schedule.

Click Delete to delete the schedule.

Click Add to add a new schedule.

Step 5

Click OK to save the changes or Cancel to cancel the changes.

Step 6

Click Apply after adding or editing a schedule.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-19

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Administration

Modifying Ping Sweep Options


A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine
the range of IP addresses that map to live end hosts (computers). You can use a single ping to find out
whether a specific end host exists on the network.
A Ping Sweep consists of ICMP (Internet Control Message Protocol) ECHO requests sent to multiple
hosts. If a given address is live, it will return an ICMP ECHO reply. Ping sweeps are among the older
and slower methods used to scan a network.
When Ping Sweep is enabled in LMS, the UTPing program in NMSROOT/campus/bin will be invoked
during acquisition to send out a sweep of pings for each subnet.
Before collecting information from a device, the subnets connected to the device are pinged. This serves
as a connectivity check, as well as loads the ARP table of the layer 3 device with the latest information.
After pinging, acquisition process starts collecting end host information from the device.
To modify Ping Sweep options:
Step 1

Select Admin > Collection Settings > User Tracking > Ping Sweep.
The Ping Sweep dialog box appears.

Step 2

Choose any of the following:

Disable Ping Sweep

Perform Ping Sweep on all subnets

Exclude subnets from Ping Sweep


When you choose Exclude subnets from Ping Sweep, select the subnets that you want to exclude
from Ping Sweep. You can select subnets from the list of available subnets and add to the list of
subnets to be excluded.

Step 3

Specify the Wait Interval, if Ping Sweep is enabled.


Wait Interval is the time duration between pinging subnets. The interval ensures that the network is not
flooded with ping packets.
For example, assume that you have included 4 subnets for pinging, and set the wait interval to 10
seconds.
If Subnets 1 and 2 are connected to Device 1, and Subnets 3 and 4 are connected to Device 2, then 10
seconds lapse between pinging Subnets 1 and 2. After pinging both the subnets, acquisition starts on
Device 1. Same happens with Device 2.

Step 4

Click Apply.
User Tracking does not perform Ping Sweep on large subnets.
For more details, see Notes on Ping Sweep Option.

Administration of Cisco Prime LAN Management Solution 4.2

7-20

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Administration

Notes on Ping Sweep Option


User Tracking does not perform Ping Sweep on large subnets, for example, subnets containing Class A
and B addresses. Hence, ARP cache might not have some IP addresses and User Tracking may not
display the IP addresses.
Ping Sweep will not refresh the ARP cache, if firewall or Access Control List is enabled to block the
ICMP packets to the network devices. Hence, User Tracking will not display the IP addresses of the
associated hosts.
In larger subnets, the Ping process leads to numerous ping responses that might increase the traffic on
your network and result in extensive use of network resources.
You can increase the value of the wait interval. Wait interval helps the ping response traffic to settle,
which may appear as Denial Of Service (DOS) or may affect the functioning of router by high CPU
usage.
To perform Ping Sweep on larger subnets, you can:

Configure a higher value for the ARP cache time-out on the routers. To configure the value, you
must use the arp time-out interface configuration command on devices running Cisco IOS.

Use any external software, that will enable you to ping the host IP addresses. This will ensure that
when you run User Tracking Acquisition the ARP cache of the router contains the IP addresses.

Configuring UT Subnet Acquisition


You can configure LMS to perform User Tracking Acquisition on selected subnets. These configurations
are used for User Tracking Major Acquisition and Configured Subnets based acquisition. You can choose
to include or exclude specified subnets to perform User Tracking major acquisition.
To configure Subnet acquisition:
Step 1

Select Admin > Collection Settings > User Tracking > Subnet Acquisition Configuration.
The Configure Subnet Acquisition dialog box appears.

Step 2

Select either of the following options:

Perform acquisition on all subnets


All the subnets are included for User Tracking Major Acquisition. If you select this option do not
perform steps 4 and 5.

Or

Perform Subnet-based acquisition


The action depends on the Filter value.

Step 3

Select either of the following Filter values:

Perform major acquisition on selected subnets


All subnets added to the Selected Subnets list are included for User Tracking acquisition.

Or

Do not perform major acquisition on selected subnets


All subnets added to the Selected Subnets list are excluded for User Tracking acquisition.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-21

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Administration

Step 4

Select subnets from the list of Available Subnets and add them to the list of Selected Subnets.
In the User Tracking Acquisition Action page (Admin > Collection Settings > User Tracking >
Acquisition Action), the Acquire Only VLAN Specific to Subnet check box is available.

If you select this check box, only the work stations associated to the VLANs that are mapped to the
selected subnets will be acquired.

If you do not select this check box, work stations associated to all the available VLANs in the
selected subnets will be acquired.

For more information, see Configuring User Tracking Acquisition Actions.


Step 5

Click Apply.

Deleting User Tracking Purge Policy Details


Using this option, you can modify the time interval and delete entries from the End Host Table, IP Phone
Table, or the History Table from the database.
To delete user tracking purge policy details:
Step 1

Select Admin > Network > Purge Settings > User Tracking Purge Policy.
The Delete Interval dialog box appears.

Step 2

Specify delete intervals for end host, IP phone and history tables.

Step 3

Either:

Click Delete now to delete the entries immediately.


If you select this step do not perform Step 4.

Or

Select Delete After Every Major Acquisition.


If you select this option, LMS will delete records older than the specified interval, after every UT
Major Acquisition.

Step 4

Click Apply.

Administration of Cisco Prime LAN Management Solution 4.2

7-22

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Administration

Configuring UT Acquisition in Trunk for End Host Discovery


Normally UT Acquisition discovers end hosts connected only to access ports. If you enable this feature
UT Acquisition discovers end hosts connected to non-link trunk ports also.
LMS classifies trunk ports as follows:

Link ports Trunk ports connected to Cisco devices (Switch or Router).

Non-link ports Trunk ports connected to end hosts or IP phones.

Scenarios where a Trunk port is connected to an end host:

In a switched network, many clients from different VLANs might access an enterprise resource, such as
a database server.
If the server has only a standard EthernetNIC, it can belong to only one VLAN. Clients that belong to a
different VLAN would have to send their traffic to a router. The router forwards the frames to the
database server. The problem with this approach is the latency introduced by the router.
To overcome this, a trunk-capable NIC card can be placed in the server that understands multiple VLAN
information. With this arrangement, an end station need not send its frame to the router. Instead it can
directly access the file server. This makes the access much faster.
To configure trunk ports:
Step 1

Select Admin > Collection Settings > User Tracking > Acquisition Configuration in Trunk.
The Configure Trunk for End Hosts Discovery page appears.

Step 2

You can:
Select Enable End Host Discovery on all Trunks to include all non-link trunk ports in UT

Major Acquisition. After choosing this option, go to Step 8.


Select Enable End Host Discovery on selected Trunks to include only the required set of

non-link trunk ports in UT Major Acquisition. After choosing this option, go to Step 3.
Select Disable End Host Discovery on Trunks to disable this feature. For this option, only the

end hosts connected to access ports will be discovered by UT Major Acquisition. After choosing
this option, go to Step 8.
Step 3

Select the list of switches where end hosts are connected to trunk ports, from the device selector.

Step 4

Click Show Trunks.


This displays the list of non-link trunk ports from the selected switches. Non-link trunk ports in down
state are also listed here.
If you have selected devices that do not have non-link trunk ports, a message is displayed indicating the
same. Change your selection to devices that have non-link trunk ports and click Show Trunks, to display
the ports. Link ports are not listed here.

Step 5

Select the list of trunk ports where end hosts are connected from the Available Trunks list.

Step 6

Click Add.
The selected ports are displayed under the Selected Trunks list.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-23

Chapter 7

User Tracking and Dynamic Updates

Understanding Dynamic Updates

Step 7

Select either

Discover End Hosts on Trunks to include the selected ports in UT Major Acquisition.

Or

Step 8

Do not Discover End Hosts on Trunks to exclude the selected ports from UT Major Acquisition.

Click Apply.
This saves the configuration on the server.
After saving the configuration, run Data Collection. End hosts connected to trunk ports will be
discovered in successive UT Major Acquisitions.
For Dynamic User Tracking to track end hosts connected to trunk ports, enable SNMP traps in these
ports. For details on Enabling SNMP traps, see Enabling SNMP Traps on Switch Ports.

Importing Information on End Host Users


You can import from a file, user names and notes for end hosts already discovered.
To import information in end host users:
Step 1

Select Admin > Collection Settings > User Tracking > Table Import.
The End Host Table Import dialog box appears.

Step 2

Specify the name of the file from which you are importing the end host table data.

Step 3

Click Apply.

Note

We recommend that you import a .CSV or .txt file. The imported file must have the following mandatory
headers: MAC Address, User Name and Notes.
For example:
MAC1 Peter Finance department

Understanding Dynamic Updates


User Tracking generates reports on various functions and attributes of the end hosts and devices
connected to your network that are managed by LMS. These reports are generated by polling the network
at intervals set by the network administrator.
In addition to polling the network at regular intervals, LMS tracks changes in the end hosts and users on
the network to provide real-time updates.
Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps.
When an endhost is connected to a switch managed by LMS, an SNMP MAC notification trap is sent
immediately from the switch to the LMS Server, indicating an ADD event. This trap contains the MAC
address of the end host connected to the switch.

Administration of Cisco Prime LAN Management Solution 4.2

7-24

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Understanding Dynamic Updates

Similarly if an end host is disconnected from a switchport, an SNMP MAC notification trap is sent from
the switch to the LMS indicating a DELETE event. Thus LMS provides real time data about end hosts
coming into and moving out of the network.
Traps from suspended devices are not processed by LMS.
The difference between a UTMajor Acquisition and a Dynamic UT process is:
LMS collects data from the network at regular intervals for UTMajor Acquisition.
In Dynamic UT, the devices send traps to LMS as and when changes happen in the network.
This implies that you need not wait till next UTMajor Acquisition cycle to see the changes that have
happened in your network. This is an improvement over the earlier versions, where updates on endhost
information happened based on the polling cycle.
As a result of Dynamic updates, the following reports contain up-to-date information:

End-Host Report
Contains information from UT Major Acquisition and the recently added end-hosts.

History Report
Contains information from UT Major Acquisition and the recently disconnected end-hosts or
end-hosts that have moved between ports or VLANs.

Switch Port reports


Contains information about the utilization of switch ports.

SNMP Traps are generated when a host is connected to the network, disconnected from the network or
when it moves between VLANs or ports in the network.
To enable the Dynamic Updates feature:

Switches must be managed by LMS.

Configure LMS as a primary or secondary receiver of the MAC notifications. For details, see SNMP
MAC Notification Listener.

Configure all devices to send traps to the Trap Listener port of the LMS server (This is the port
number that you would have configured on LMS Administration screen). For more details, see
Enabling SNMP Traps on Switch Ports.

Configure DHCP snooping on the switches


Dynamic Host Configuration Protocol (DHCP) snooping is a security feature that filters untrusted
DHCP message received from outside the network or Firewall, and builds and maintains a DHCP
snooping binding table.
LMS queries the CISCO-DHCP-SNOOPING-MIB to get the IP address of the end-host connected.
For details on configuring DHCP, see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configurati
on/guide/scg.html

User Tracking collects username and IP address through UTLite for Windows environment. For
more details, see Understanding UTLite.

In a Windows environment you can either install UTLite or configure DHCP snooping to get IP address
of the end host. They can also co-exist.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-25

Chapter 7

User Tracking and Dynamic Updates

Understanding Dynamic Updates

If you have neither installed UTLite nor enabled DHCP snooping, the IP address of the end-host
connected will be updated only in the next UT Major Acquisition cycle. The ARP cache of the device
should be populated with the IP address, for UT Major Acquisition to discover it.
The User Tracking Dynamic Updates process includes:

MAC User-Host Information Collector (MACUHIC) Process

User Tracking Manager (UTManager) Process

UTLite

MAC User-Host Information Collector (MACUHIC) Process


MAC User-Host Information Collector tracks wired end users dynamically. It receives MAC
notifications from the switches either directly or through LMS or HPOV.
After receiving the MAC notifications, MACUHIC validates the traps as follows:

Checks whether the traps are generated from a switch managed by LMS.

Checks whether the source is an access port.

If the traps are from valid sources:

Updates LMS database.

Informs UTManager if the trap is received for an ADD event.

User Tracking Manager (UTManager) Process


UTManager receives the information from MACUHIC about the ADD MAC notification trap that is
received. This information is not complete and can be completed using updates from DHCP or UTLite
or from both.
In the UTLite process, UTLite receives details of changes in username, and the time at which the host
has logged in or logged out of the network.

UTLite
UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active
Directory, and Novell servers.
To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell
servers. You can also install UTLite in an Active Directory server.
For complete information, see Understanding UTLite.
When an end-host is connected to your network, the following happens in the background.
1.

The switch to which it is connected sends a MAC notification.

2.

The MACUHIC process in LMS receives the MAC notification either directly from the switch or
through other applications like LMS Monitor and Troubleshoot module or HPOV.

3.

After processing this MAC notification, MACUHIC informs the UTManager.

Administration of Cisco Prime LAN Management Solution 4.2

7-26

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Understanding Dynamic Updates

4.

LMS updates the database with the username and IP Address received from the UTLite. Database
does not contain the complete information about the end host.

5.

UTManager finds the following details:


Subnet, VTP domain, VLAN, Port duplex, and port speed from XML files generated after Data

Collection.

Hostname from DNS Server

LMS updates the database with the complete User Tracking information for the host.
The User Tracking end host history reports, end host reports, reports on switch ports, wireless clients,
duplicate MAC addresses, and duplicate IP addresses, use this updated information while generating
reports.

Viewing Dynamic Updates Process Status


You can check whether the Dynamic Updates processes are running or not.
To check the status:
Step 1

Select Admin > Collection Settings > User Tracking > Dynamic Update Process Status.
The Dynamic Updates Process Status window appears.
If you have started the process already, the status window shows Dynamic Updates Processes are
RUNNING.

Step 2

Click Stop to stop the Dynamic Updates processes.


The Stop button then toggles to Start, and the status window shows Dynamic Updates Processes are
When you stop these processes, LMS stops processing traps sent by devices.

STOPPED.

Step 3

Click Start to restart the Dynamic Updates processes.


The Start button again toggles to Stop.

Enabling SNMP Traps on Switch Ports


You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a
host is connected to or disconnected from that port.
Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps.
You can configure the ports CLI (see the Appendix Commands to Enable MAC Notification Traps on
Devices ) or Through LMS Interface.
Ensure that you have configured System Identity User under Admin > Trust Management > Multi
Server > System Identity Setup, and the same username and password is configured under Admin >
System > User Management > Local User Setup.
If you do not have Configuration Management functionality enabled on your LMS Server, you have to
manually configure the switches, for the switches to send MAC Notifications to the LMS server.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-27

Chapter 7

User Tracking and Dynamic Updates

Understanding Dynamic Updates

Note

LMS supports only those switches that contain the Management Information Base (MIB) named MAC
Notification, for enabling the SNMP traps.
Through LMS Interface

Prerequisites to enable MAC Notification on switches through LMS UI:

The switches must be managed by LMS.


If the devices are managed in SNMP version 2 (SNMPv2), you need to configure the Read as well
as the Write community strings to enable MAC Notification in the switches.

Note

Configure the LMS server secondary credentials in LMS, you can set it up at Admin > Collection
Settings > Config > Secondary Credential Settings. For more details, see Secondary Credentials.

LMS configures SNMP MAC Notification version 1 as the default version on switches for Dynamic
Updates.
To enable MAC notification in switches:

Step 1

Select Admin > Collection Settings > User Tracking > Device Trap Configuration.
The Configure Trap on Devices dialog box appears.

Step 2

Select the switches for which you want to enable the traps, from the Device Selector.

Step 3

Click Configure to see the devices that you have selected.

Step 4

Click Configure to configure MAC notification on the ports in the devices.


The Configure MAC-Notification Trap on Ports dialog box appears. Table 7-8 describes the entries in
the Configure MAC-Notification Trap on Ports dialog box.
Table 7-8

Configure MAC-Notification Trap on Ports Field Description

Field

Description

Add LMS Server as Trap


Receiver

Check the check box to configure devices, to send SNMP traps to LMS.

Trap Community

Set a community string for the SNMP traps sent by devices. This property
is enabled only when LMS is the Primary receiver for SNMP traps. This
string is added to the list of valid strings in the Dynamic User Tracking
Configuration screen.

Set as Dynamic User


Tracking Default

Check the check box to make this community string as the default for
future configurations, if LMS is the Primary Trap receiver.

Filter

Allows you to filter the ports listed, based on port name, device name and
the device address (IP address of the device).

Trap Receiver Port

Port number that you entered for receiving traps.

To configure LMS to listen to traps sent from devices, see Configuring


SNMP Trap Listener.

The default trap receiver port number of the LMS server is 1431.
Port

Name of the port.


Access ports as well as Non-link Trunk ports are listed.

Administration of Cisco Prime LAN Management Solution 4.2

7-28

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Understanding Dynamic Updates

Table 7-8

Configure MAC-Notification Trap on Ports Field Description (continued)

Field

Description

Device Name

Name corresponding to IP address of the switch.

Device Address

IP address of the switch.

Rows per page

Select to view 10 to 50 rows on a page.

Step 5

Check the check boxes to select the ports that you want to enable SNMP traps.

Step 6

Click Configure to enable the SNMP traps.


An Information window appears.

Step 7

Click OK.

SNMP MAC Notification Listener


You must enable the switches to send SNMP MAC notifications to the listener, to avail the Dynamic
Updates feature. After you enable the switches, you can choose either LMS Monitor and Troubleshoot
module, or HP OpenView (HPOV) as the primary listener for MAC notifications.

Note

If you select LMS as the Primary listener, the MAC notifications reach the application directly from
the switches.

If you select LMS as the Secondary listener, (with HPOV or LMS Monitor and Troubleshoot module
as the primary listener), MAC notifications reach LMS through HPOV or LMS Monitor and
Troubleshoot module.

Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps.
To select the MAC notification listener, see the following sections:

Configuring SNMP Trap Listener

HPOV as Primary Listener

LMS Fault Monitor Module as Primary Listener

Configuring SNMP Trap Listener


LMS receives SNMP traps directly from the switches, unless you configure the port to direct the traps
through HP Open View (HPOV) or Cisco Prime Monitoring Services.
To configure the trap listener:
Step 1

Select Admin > Collection Settings > User Tracking > Trap Listener Configuration.
The Trap Listener Configuration dialog box appears.

Step 2

Check Listen traps from Device to configure the trap reception directly from the devices
This makes LMS as the primary listener for receiving SNMP traps from devices.
OR

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-29

Chapter 7

User Tracking and Dynamic Updates

Understanding Dynamic Updates

Check Listen traps from Fault Monitor/HPOV to receive the traps through these applications.
In this case, LMS Fault Monitor or HPOV act as the primary listener for SNMP traps from devices. They
forward it to LMS which acts as the secondary listener for traps.
If both options are enabled, LMS can receive traps directly from devices, from HPOV and from LMS
Fault Monitor module.
Step 3

Enter the port number of the port through which you want to receive the traps, in the Trap Listener Port
field.
The default trap listener port number of the LMS server is 1431.

Step 4

Click Apply to save the details.

HPOV as Primary Listener


If you select HPOV as the primary listener, you must perform the following to receive the Dynamic
Updates through LMS:

Install Cisco Works Integration Utility

Install Trap Adapter for HPOV

The supported versions of HPOV are HPOV 7.50, HPOV 7.51 and HPOV 7.53.
Install Cisco Works Integration Utility

You must have Cisco Prime Integration Utility (Integration Utility) installed on your system. Integration
Utility is a utility that integrates Cisco Prime applications with third-party Network Management
Systems (NMS).
This utility is available as part of the DVD in the LMS 4.0.
This integration utility adds Cisco device icons to topology maps, allows Cisco MIB browsing from
NMS, and sets up menu items on the NMS to launch remotely installed Cisco Prime applications.
See User Guide for Cisco Prime Integration Utility 1.11, for more details on the integration utility.

Note

You must install the Integration Utility on the same machine on which you have installed HPOV.

Install Trap Adapter for HPOV

LMS supports Trap Adapter for OpenView on Windows and Solaris operating systems.
To install the adapter on Windows:
Step 1

Locate the TrapListener.conf file in the NMSROOT/campus/hpovadapter/WIN/ directory.

Step 2

Modify the Trap Receiver address and the port number to the LMS values, in the file.

Step 3

Set the LIB environment variable to HP OpenView lib directory.

Step 4

Run the fwdTrap.exe program located in the same directory.


The Trap Adapter gets attached to OpenView process and starts sending traps to the LMS server.

To install the adapter on Solaris/Soft Appliance:

Administration of Cisco Prime LAN Management Solution 4.2

7-30

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Understanding Dynamic Updates

Step 1

Locate the TrapListener.conf file in the /opt/CSCOpx/campus/hpovadapter/SOL directory.

Step 2

Modify the Trap Receiver address and the port number to the LMS values, in the file.

Step 3

Set the LD_LIBRARY_PATH environment variable to HP OpenView lib directory.

Step 4

Run the fwdTrap program located in the same directory.


The Trap Adapter gets attached to OpenView process and starts sending traps to the LMS server.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-31

Chapter 7

User Tracking and Dynamic Updates

Understanding Dynamic Updates

Supported Platforms (Operating Systems)

The supported platforms for the HP NNM and HPOV adapters are:
Network Management System
HP OpenView 9.1
HP OpenView 9.01
HP OpenView 9.0

Supported Platforms

Solaris 10

Windows 2008 R2 Standard x 64 Edition

Solaris 10

Windows 2008 R2 Standard x 64 Edition

Solaris 10

Windows Server 2008 x64 with Service Pack 2

Windows Server 2008 x64 R2 with Service Pack 2

LMS Fault Monitor Module as Primary Listener


If you select Fault Monitor Module as the primary listener, you must perform the following to receive
MAC Notifications.
The default port number of the Fault Monitor Module for receiving Traps from the switches is 9000. You
must configure or verify this port number on the device, for the device to forward the Traps to the Fault
Monitor Module. The trapd.conf file has the details of the port number that receives the Traps from the
Fault Monitor server.
To enable Fault Monitor Module to forward the MAC Notifications, you must modify the trapd.conf file
in the Fault Monitor Module server, at NMSROOT/object/smarts/conf/trapd directory. You can modify
the file through the command line interface or through the application interface.
You can configure the application to forward the MAC Notifications to LMS Server in two ways:

From LMS

From the LMS Fault Monitor Server

From LMS
Step 1

Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding.
The Notification Services page appears.

Step 2

Enter the Hostname and the port number of the LMS server to which you want to forward the MAC
Notifications.

Step 3

Click Apply to configure.


The trapd.conf file is modified and the DFMServer process is restarted.

Note

If you configure through Cisco Prime, LMS server receives all Traps including MAC Notification.
From the LMS Fault Monitor Server

Step 1

Access the LMS Fault Monitor server using Telnet.

Administration of Cisco Prime LAN Management Solution 4.2

7-32

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Understanding Dynamic Updates

Step 2

Enter pdterm DfmServer at the command line to stop the LMS Fault Monitor server.

Step 3

Navigate to NMSROOT/object/smarts/conf/trapd directory.

Step 4

Edit the trapd.conf file in the directory to reflect the following changes.
Enter:
FORWARD:

address OID generic type specific type \ host [:port] | [:port:community] [host [:port] |
[:port:community] ...], where the explanation for each variable is provided in the trapd.conf file.

Step 5

Enter pdexec DfmServer at the command line to restart the LMS Fault Monitor server.

Configuring Dynamic User Tracking


You can configure certain properties in Dynamic User Tracking to enhance the security of the system.
These properties make the server receive traps only from specified devices and with specified
community strings.
To configure properties for filtering SNMP Traps:
Step 1

Select Admin > Collection Settings > User Tracking > Dynamic User Tracking Configuration.
The Dynamic User Tracking Configuration page appears.

Step 2

Select the Validate SNMP Community check box.


LMS validates the community string in SNMP traps, with the values you have set. You can add
community strings only after checking this check box.

Step 3

If you configure a device with SNMP v2 or v1 settings in DCR, then the device is initially queried
with SNMP v2 by LMS. If the query fails, LMS will query the device with SNMP v1.

If you configure a device with SNMPv3 settings in DCR, then the device is queried with SNMP v3.
However, if the query fails, the same device will not be queried with SNMP v2 or v1.

Enter the community string in the Valid Community List text box and click Add.
You can add the community strings one at a time. You can use the Delete button to remove the extra or
erroneous strings.
The default Trap community string that you might have added in the Device Trap configuration screen
is also listed here.

Step 4

Select the Validate Trap Source check box.


LMS validates the source IP Address of the trap. You can add the list of IP Addresses only after checking
this check box.

Step 5

Enter the IP Address in the text box provided and click Add.
You can use the Delete button to delete extra or erroneous entries.

Step 6

Click Apply to save changes to the server.


To revert to the default values, click Reset.

You can use any one of the options to filter SNMP traps.
For example:

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-33

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Utility

To process traps from all sources, and that have private or test as the community string, set
Validate SNMP Community = true (by checking the check-box)
Community String = private, test
Validate Trap Source =false

then traps from all sources with community string private or test will be processed by LMS.
To process traps from the listed IP addresses, with the community string private or test set:
Validate SNMP Community =true
Community String = private, test
Validate Trap Source =true
Valid IP Addresses = 10.77.210.211, 10.77.210.212

then traps from the listed IP addresses, with the community string private or test will be processed by
LMS. In this case, LMS first validates the community string, and if it matches, validates the source
address.

Using User Tracking Utility


Cisco Prime User Tracking Utility (UTU) is a Windows desktop utility that provides quick access to
useful information about users, hosts, or IP Phones discovered by LMS User Tracking application.
This section contains the following:

Understanding UTU

Hardware and Software Requirements for UTU

Downloading UTU

Installing UTU

Accessing UTU

Configuring UTU

Searching for Users, Hosts or IP Phones Using UTU

Uninstalling UTU

Upgrading to UTU 2.0

Re-installing UTU 2.0

Understanding UTU
User Tracking Utility (UTU) allows users with Help Desk access to search for users, hosts, or IP Phones
discovered by LMS User Tracking application. UTU comprises a server-side component and a client
utility.
UTU is supported on LMS 3.0 (Campus Manager 5.0.6), LMS 3.1 (Campus Manager 5.1.4), and
LMS 3.2 (Campus Manager 5.2.1). To use UTU in LMS 4.2, Network Topology, Layer 2 Services and
User Tracking must be enabled and accessible through the network.
UTU 2.0 supports silent installation mode for easy deployment. It supports communication with LMS
server in Secure Sockets Layer (SSL) mode.
The following are the list of features supported in the Cisco Prime User Tracking Utility 2.0 release:

Administration of Cisco Prime LAN Management Solution 4.2

7-34

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Utility

Windows Vista Support

Earlier, User Tracking Utility did not work on Windows Vista client systems because of library conflicts.
UTU 2.0 is built on Microsoft .Net Framework and Windows Presentation Foundation (WPF). With this,
UTU 2.0 now works on Windows Vista client systems
Support for Phone Number Search

In this release, UTU supports searching phone numbers in addition to existing search criteria.

Hardware and Software Requirements for UTU


Table 7-9 lists the minimum system requirements for UTU.
Table 7-9

System Requirements for UTU

Requirement Type Minimum Requirements


System hardware
System software

Memory (RAM)
Additional
required software

IBM PC-compatible computer with Intel Pentium processor.

Windows 2008

Windows XP with SP2 or SP3

Windows Vista

512 MB

LMS 3.0 (Campus Manager 5.0.6), or LMS 3.1 (Campus Manager 5.1.4), or
LMS 3.2 (Campus Manager 5.2.1), or LMS 4.2 (Network Topology, Layer 2
Services and User Tracking)

Microsoft .Net Runtime 3.5 Service Pack 1


You can download Microsoft .Net Runtime 3.5 Service Pack 1 from
http://www.microsoft.com

Network
Connectivity

LMS 3.0 (Campus Manager 5.0.6) or LMS 3.1 (Campus Manager 5.1.4) or LMS
3.2 (Campus Manager 5.2.1) or LMS 4.0 (Network Topology, Layer 2 Services and
User Tracking) must be running, and accessible through the network

Downloading UTU
UTU requires Cisco PrimeUserTrackingUtility2.0.exe file to be downloaded and installed.
To download UTU 2.0:
Step 1

Click http://www.cisco.com/cisco/software/navigator.html.
You must be a registered Cisco.com user to access this Software Download site. The site prompts you to
enter your Cisco.com username and password in the login screen, if you have not logged in already.

Step 2

From the Software Product Category, select Cloud and Systems Management > Routing and
Switching Management > Cisco Prime LAN Management Solution.

Step 3

Select the latest version of Cisco Prime LAN Management Solution.

Step 4

Select the appropriate product software type.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-35

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Utility

Step 5

Select a product release version from the Latest Releases folder and locate the software update to
download.

Step 6

Locate the file CiscoWorksUserTrackingUtility2.0.zip


This zip file contains CiscoWorksUserTrackingUtility2.0.exe and setup.iss file (required for silent
installation).

Step 7

Click the Download Now button to download and save the device package file to any local directory on
LMS Server.

Step 8

Extract the file using any file extractor such as WinZip.

Installing UTU
You can install UTU 2.0 either in normal installation mode or silent installation mode.
Before you install UTU 2.0, check whether you system meets the requirements mentioned in Hardware
and Software Requirements for UTU.
This section explains:

Installing UTU in Silent Mode

Installing UTU in Normal Mode

Installing UTU in Silent Mode


To install UTU in silent mode, run the following command at the command prompt:
exe-location\CiscoWorksUserTrackingUtility2.0.exe a s f1file-location\setup.iss
where
exe-location is the directory where you have extracted the

CiscoWorksUserTrackingUtility2.0.exe file
file-location is the directory where you have the setup.iss file.

Do not use space after the -f1 option. Use the complete path for file-location.
For example, if the install directory for UTU is c:\utu, enter the following at the command prompt:
c:\utu\CiscoWorksUserTrackingUtility2.0.exe -a -s -f1c:\utu\setup.iss

Editing Setup.iss File

UTU is installed in the C:\Program Files\CSCOutu2.0 directory, by default.


If you want to install UTU in some other directory, you must edit the content of the setup.iss file. Change
the value of the szDir attribute in the setup.iss file.
For example, if you want to set the installation directory as D:\utu20, change
szDir=C:\Program Files\CSCOutu2.0 to szDir=D:\utu20 in the setup.iss file.
Setup.log File

The setup.log file is created during the installation in the same directory where you have extracted the
setup.iss file.
You should see the setup.log file to check the installation completion status.

Administration of Cisco Prime LAN Management Solution 4.2

7-36

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Utility

The value of the ResultCode attribute in the setup.log informs you whether the installation has completed
successfully. The value 0 denotes that the UTU installation in silent mode is successful.
When the value of the ResultCode attribute is other than 0, you must install UTU again.

Installing UTU in Normal Mode


To install UTU in normal installation mode:
Step 1

Log into the system with local system administrator privileges.

Step 2

Navigate to the directory that contains CiscoWorksUserTrackingUtility2.0.exe.

Step 3

Double-click CiscoWorksUserTrackingUtility2.0.exe to begin installation.


The User Tracking Utility Welcome screen appears.

Step 4

Click Next.
A warning message appears if you have not installed .Net Framework 3.5 SP1.
You can install .Net Framework 3.5 SP1 after terminating the current UTU installation or before
completing the current UTU installation.

Step 5

Click Next.
A confirmation message appears.

Step 6

Click Yes.
The Choose Destination Location dialog box appears. By default, UTU is installed in the directory
C:\Program Files\CSCOutu2.0.

Note

If you have installed .Net Framework 3.5 SP1 already on the system, the installer directs you to
the Choose Destination dialog box, when you click Next in the User Tracking Utility Welcome
screen.

If you click No in the confirmation message, the warning message appears again stating that you have
not installed .Net Framework 3.5 SP1.
You can download and install .Net Framework 3.5 SP1. and then continue with the UTU installation.
Step 7

Click Next to install UTU in the default directory.


or
a.

Click Browse to choose a different directory and click OK.

b.

Click Next to continue with the installation.

The installation continues.


Step 8

Click Finish to complete the installation. User Tracking Utility is installed at the destination location
you specified in Step 7 above and a shortcut to UTU is created on the desktop. To access the utility, see
Accessing UTU.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-37

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Utility

Accessing UTU
To access UTU, click either:

Start > Programs > Cisco Prime UTU 2.0 > Cisco Prime User Tracking Utility 2.0

Or

UTU 2.0 shortcut available on the desktop

The UTU band appears. See Figure 7-1 for UTU 2.0 band.
You can also find an icon in the task bar. You can use this icon to restore the UTU band when minimized.
Figure 7-1

User Tracking Utility - Search Band

1 - Settings Icon

2 - Minimize icon

3 - Close icon

4 - UTU task bar icon

After a system restart and during the startup, the system launches the UTU automatically.

Administration of Cisco Prime LAN Management Solution 4.2

7-38

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Utility

Configuring UTU
You must configure UTU to set the Campus Manager (for releases earlier than LMS 4.0), or LMS 4.2
server configurations.
To configure UTU:
Step 1

Click the Settings icon.


Or
a.

Right-click the UTU search band.


A popup menu appears.

b.

Click Settings.

The Cisco Prime Server Settings dialog box appears.


Step 2

Enter the name or IP Address of the server on which Campus Manager (for releases earlier than LMS
4.0), or LMS 4.2 is installed.

Step 3

Enter the port number of the LMS Server.


The default HTTP port number is 1741.
You can modify the port number if required.

Step 4

Click Enable SSL for communicating with an SSL enabled server.


The port is changed to 443, which is the default port for SSL.
You can modify the port number if required. See Figure 7-2.
Figure 7-2

Step 5

Enabling SSL

Enter a valid Cisco Prime Server user name and password.


This is used to verify the validity of the user when searching for users, hosts, or IP Phones.

Step 6

Confirm the password by re-entering it.

Step 7

Select the Remember me on this computer checkbox if you want the client system to remember your
credentials.
The credentials are preserved only for the current user of Windows system. The credentials are not
available when you log into the Windows system with a different user name.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-39

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Utility

Step 8

Click Apply to save the changes.

Searching for Users, Hosts or IP Phones Using UTU


You can use the UTU Search Band to search for the users, hosts, or IP Phones in your network.

Note

UTU search is case-insensitive.


To search for users, hosts, or IP Phones:

Step 1

Right-click the UTU search band.


A popup menu appears with the default search criterion Host name/IP Address selected.

Step 2

Select a search criterion from the popup menu.


You can search using:

User name

Host name or IP Address

Device name or IP Address

MAC Address

Phone number

The default search criterion is host name or IP Address of the host.


The selected criterion is set for future searches until you change the criterion.
Step 3

Enter any value related to user name, host name, device name, IP Address, Phone number or the MAC
Address in the UTU search field.
For example, you can enter 10.77.208 in the search field.

Step 4

Press Enter.
If your server is not SSL enabled, go to Step 7.
When you query for data from an SSL enabled server, the Certificate Summary dialog box appears.

Step 5

Click Details to view the certificate details.


You can verify the authenticity and correctness of the SSL server here. See Figure 7-3.

Administration of Cisco Prime LAN Management Solution 4.2

7-40

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Utility

Figure 7-3

Certificate Details

You can click Summary to go back to the Certificate Viewer dialog box.
Step 6

Click Yes in the Certificate Viewer dialog box or Certificate Details dialog box to accept and store the
certificate.
SSL connection is established with the server.
If you click No, the certificate is not stored and no connection is established with the server.

Note

Step 7

The Certificate Viewer dialog box appears only for the first time configuration. If you had clicked Yes
the first time, you are not prompted to store the certificate during subsequent sessions.
Click the X Record(s) Found button to launch the results window.
X denotes the number of matches found.
For example, if there 4 matches found, the UTU Search band displays 4 Record(s) Found. See
Figure 7-4.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-41

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Utility

Figure 7-4

UTU Search Band displaying the number of matching records

UTU search returns only the top 500 records if the number of matches exceed 500. You must refine your
search if you want better and more accurate results.
Step 8

Select an entry in the Results window.


UTU displays the search results, which is a list of user names, host names, IP Addresses, or MAC
Addresses, in a Results window.
The Results window has the following options:

Copy to Clipboard, where you can copy the selected search result record.

Copy All to Clipboard, where you can copy all the search result records.

Close, which you can use to close the window.

For a selected search result record, the Results window displays the details as described in:

Table 7-10 for all search criteria except Phone Number

Table 7-11 for search based on Phone Number

See Figure 7-5 for MAC Address search results window and Figure 7-6 for IP Phone search results
window.
Table 7-10

Details for Each Entry in Results Window For a User or Host Search

Entry

Description

User Name

Name of the user logged in to the host.

MAC Address

Media Access Control (MAC) address of network interface card in end-user


node.

Host IP Address

IP Address of the host.

Host Name

Name of the host discovered by User Tracking.

Subnet

Subnet to which the host belongs.

Subnet Mask

Subnet mask of the host

Device name

Name of the switch.

Device IP Address

IP Address of the switch

VLAN

VLAN to which the port of the switch belongs.

Port

Port number to which the host is connected.

Port Description

Description of the port number to which the host is connected.

Port State

State of the port: Static or Dynamic.

Port Speed

Bandwidth of the port of the switch.

Administration of Cisco Prime LAN Management Solution 4.2

7-42

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Utility

Table 7-10

Details for Each Entry in Results Window For a User or Host Search

Entry

Description

Port Duplex

Port Duplex configuration details on the device.

Last Seen

Date and time when User Tracking last found an entry for this user or host
in a switch. Last Seen is displayed in the format yyyy/mm/dd hh:mm:ss.

Figure 7-5

Table 7-11

MAC Address Search Results Window

Details for Each Entry in Results Window For a Phone Number Search

Entry

Description

Phone Number

IP Phone number

MAC Address

Media Access Control (MAC) address of network interface card on the


phone.

Phone IP Address

IP Address of the phone.

CCM Address

IP Address of the Cisco Call Manager

Status

Status of the phone, as known to Cisco Call Manager

Phone Type

Model of the phone. Can be SP30, SP30+, 12S, 12SP, 12SPplus, 30SPplus,
30VIP, SoftPhone, or unknown.

Phone Description

Description of the phone.

Device Name

Name corresponding to IP Address of device.

Device IP Address

IP Address of the device

Port

Port number to which the phone is connected.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-43

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Utility

Table 7-11

Details for Each Entry in Results Window For a Phone Number Search

Entry

Description

Port Description

Description of the port to which the phone is connected.

Last Seen

Date and time when User Tracking last found an entry. Last Seen is
displayed in the format yyyy/mm/dd hh:mm:ss.

Figure 7-6

IP Phone Number Search Results Window

The search results for the value you enter in the search field depends on the default search
criteria.

Note

Using Search Patterns for UTU


UTU searches for the users, hosts, or IP Phones that match the search criterion. See Searching for Users,
Hosts or IP Phones Using UTU for more information.
You can search for users, hosts, or IP Phones by entering a search pattern or substring of a search pattern.
For example, entering Cisco displays host names that start with, end with or contain Cisco for a search
on host names.
You do not have to use wildcard character * to match a pattern or substring of the pattern.
To search for a MAC Address, you can use one of the following MAC Address patterns or a substring of
these patterns:

xxxx.xxxx.xxxx

Administration of Cisco Prime LAN Management Solution 4.2

7-44

OL-25947-01

Chapter 7

User Tracking and Dynamic Updates


Using User Tracking Utility

xx:xx:xx:xx:xx:xx

xxxxxxxxxxxx

xx-xx-xx-xx-xx-xx

Here x denotes a hexadecimal number.

Uninstalling UTU
Ensure that UTU is not running while uninstalling.
If you try to uninstall UTU when it is running, an error message appears and uninstallation terminates.
To uninstall UTU:
Step 1

Select Start > Programs > Cisco Prime UTU 2.0 > Uninstall Cisco Prime User Tracking Utility 2.0
from the windows task bar.
The Uninstallation wizard appears and prompts you to confirm the UTU uninstallation.

Step 2

Click Yes.
The Uninstallation continues.

Step 3

Click Finish to exit the uninstallation wizard.

Upgrading to UTU 2.0


You can install UTU 2.0 on the same system where UTU 1.1.1 is installed.
You can choose to install UTU 2.0 on any directory other than the directory where UTU 1.1.1 is installed.
See Installing UTU for installation instructions.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

7-45

Chapter 7

User Tracking and Dynamic Updates

Using User Tracking Utility

Re-installing UTU 2.0


Re-installation of UTU 2.0 is supported on the normal mode of installation.
In the normal mode of installation, you are prompted with a confirmation message to continue the
installation. You must provide your inputs to continue the installation.
See Installing UTU for installation instructions.
The user profiles that are created are not lost during re-installation.

Administration of Cisco Prime LAN Management Solution 4.2

7-46

OL-25947-01

CH A P T E R

Administering Collection Settings


All collection settings like Inventory Collection settings, VRF Lite settings, various SNMP timeout
settings are grouped under the collection settings in the Admin tab in the menu.
This section contains:

Using the Inventory Job Browser

Timeout and Retry Settings

Secondary Credentials

Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and
PSIRT/EOX System

PSIRT or End-of-Sale or End-of-Life Data Administration

Administering VRF Lite

Modifying Fault Management SNMP Timeout and Retries

Configuring Fault Management Rediscovery Schedules

Configuring Event Forensics

Fault Monitoring Device Administration

Device Management Functions

Performance Management SNMP Timeouts and Retry Settings

IPSLA Application Settings

Setting Up Archive Management

Defining the Configuration Collection Settings

Configuring Transport Protocols

Overview: Common Syslog Collector

Viewing Status and Subscribing to a Common Syslog Collector

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-1

Chapter 8

Administering Collection Settings

Using the Inventory Job Browser

Using the Inventory Job Browser


The Inventory Job Browser displays all user-defined jobs. It also displays the system-defined inventory
collection and polling jobs. You can create and manage inventory jobs using the Job Browser. You can
edit, stop, cancel or delete jobs using this Job Browser.

Note

View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform these tasks.
When you install LMS, a default job is defined for Inventory Collection and Inventory Polling.
When the default job runs, LMS evaluates the all devices group and executes the job. This way,
whenever new devices are added to the system, these devices are also included in the default
collection/polling job.
For the default system jobs, the device list cannot be edited. You can only change the schedule of those
jobs. Therefore, when a periodic system job for inventory collection or polling is scheduled, the
scheduled job is not displayed in the Inventory Job Browser.
The default system jobs for Inventory Collection and Inventory Polling are created immediately after
installation. However, they may appear in the Inventory Job Browser (Inventory > Job Browsers >
Inventory Collection or Admin > Collection Settings > Inventory > Inventory Jobs) and the LMS Job
Browser (Admin > Jobs > Browser) only after some time has elapsed.
The jobs are displayed in the Job Browser when they are running, or after they are completed, with all
the details such as Job ID, Job Type, and Status.
User-defined jobs, however, are displayed in the Job Browser once they are scheduled, when they are
running, and after they are completed.
You can do the following tasks from the Inventory Job Browser:

Viewing Job Details

Creating and Editing an Inventory Collection or Polling Job

Stopping, Cancelling or Deleting an Inventory Collection or Polling Job

Administration of Cisco Prime LAN Management Solution 4.2

8-2

OL-25947-01

Chapter 8

Administering Collection Settings


Using the Inventory Job Browser

To invoke the Inventory Job Browser, either:

Select Inventory > Job Browsers > Inventory Collection.


Or

Select Admin > Collection Settings > Inventory > Inventory Jobs.

The Inventory Job Browser dialog box appears with a detailed list of all scheduled inventory jobs.
The columns in the Inventory Job Browser dialog box are:
Column

Description

Job ID

Unique ID assigned to the job by the system, when the job is created. Click on the hyperlink to view the
Job details (see Viewing Job Details.)
Periodic jobs such as 6-hourly, 12-hourly, Daily, Weekly and Monthly, have the job IDs that are in the
number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that
this is the third instance of the job ID 1001.

Job Type

Type of jobSystem Inventory Collection, System Inventory Polling, Inventory Collection and Inventory
Polling.

Status

Status of the jobScheduled, Successful, Failed, Cancelled, Stopped, Running, Missed Start.
The number, within brackets, next to Failed status indicates the count of the devices that had failed for
that job. This count is displayed only if the status is Failed.
For example, If the status displays Failed(5), then the count of devices that had failed is 5.
This count of failed devices is not displayed for jobs restored from LMS 4.1 or earlier versions.

Description

Description of the job entered by the job creator. This is a mandatory field. Accepts alphanumeric values.
The field is restricted to 256 characters.

Owner

Username of the job creator.

Scheduled at

Date and time at which the job was scheduled.

Completed at

Date and time at which the job was completed.

Schedule Type

Type of schedule for the job:

ImmediateRuns the report immediately.

6 - hourlyRuns the report every 6 hours, starting from the specified time.

12 - hourlyRuns the report every 12 hours, starting from the specified time.

OnceRuns the report once at the specified date and time.

DailyRuns daily at the specified time.

WeeklyRuns weekly on the specified day of the week and at the specified time.

MonthlyRuns monthly on the specified day of the month and at the specified time.

For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job
will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will
start only at 10:00 a.m. on November 3.
Using the Filter by field in the Inventory Job Browser, you can filter the jobs displayed in the browser.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-3

Chapter 8

Administering Collection Settings

Using the Inventory Job Browser

You can filter the jobs using any of the following criteria and clicking Filter:
Filter Criteria

Description

All

Select All to display all jobs in the Job Browser

Job ID

Select Job ID and enter the whole or the first part of the Job ID(s) that you want to display.
Select Job Type and then select any one of the following:

Job Type

Status

Inventory Polling

System Inventory Polling

Inventory Collection

System Inventory Collection


Select Status and then select any one of these:

Schedule

Successful

Failed

Cancelled

Stopped

Running

Missed Start
Missed start is the status when the job could not run for some reason at the scheduled time.
For example, if the system was down when the job was scheduled to start, when the system comes up
again, the job does not run. This is because the scheduled time for the job has elapsed. The status for the
specified job will be displayed as Missed Start.

Description

Select Description and enter the first few letters or the complete description.

Owner

Select Owner and enter the user ID or the beginning of the user ID.

Schedule
Type

Select the Schedule Type and select any one of these:

Refresh

Immediate

Once

6-hourly

12-hourly

Daily

Weekly

Monthly

Click on this icon to refresh the Inventory Job Browser.

(Icon)

Administration of Cisco Prime LAN Management Solution 4.2

8-4

OL-25947-01

Chapter 8

Administering Collection Settings


Using the Inventory Job Browser

To perform the following tasks, use the Inventory Job Browser (Table 8-1)
.

Table 8-1

Inventory Browser Buttons, the Tasks they Perform and their Description

Button

Task

Description

Create

Create jobs

You can create a new job.

Edit

Edit jobs

You can edit only a scheduled job.


You can select only one job at a time for editing. If you select more than one job, the Edit button
is disabled.

Cancel

Cancel jobs

You can cancel a scheduled job. You can select more than one scheduled job to cancel. You are
prompted to confirm the cancellation.
If it is a periodic job, you are prompted to confirm whether you want to cancel only the current
instance of the job or all future instances.
1.

Select a periodic job and click Cancel.


The Cancel Confirmation dialog box appears.

2.

Select one of the following options:


Cancel only this instance
Cancel this and all future instances

3.

Stop

Stop jobs

Click OK.

You can stop a running job.


However, the job will be stopped only after the devices currently being processed are completed.
This is to ensure that no device is left in an inconsistent state.

Delete

Delete jobs

You can delete a job that has been scheduled, successful, failed, stopped or cancelled. However,
you cannot delete a running job.
You can select more than one job to delete, provided they are scheduled, successful, failed,
stopped, or cancelled jobs. For instance, if you select a failed job and a running job, the Delete
button is disabled.
If you are deleting a scheduled periodic inventory job, the following message is displayed:
If you delete periodic jobs, or instances of a periodic job, that are yet to be
run, the jobs will no longer run, nor will they be scheduled to be run again. You
must recreate the deleted jobs.

You are prompted to confirm the deletion.


Records for Inventory Collection and Polling jobs need to be purged periodically. You can schedule a
default purge job for this purpose, select Admin > Network > Purge Settings > Config Job Purge
Settings.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-5

Chapter 8

Administering Collection Settings

Using the Inventory Job Browser

Viewing Job Details


In the Inventory Job Browser, click on the Job ID hyperlink to view the following job details for
Inventory collection, or polling jobs:

Job DetailsExpand this node to display Job Summary and Job Results for the inventory collection
or polling job.

Job SummaryClick on this node to view the following for the inventory collection or polling job:
Job SummaryDisplays information about the job type, the job owner, the status of the job, the

start time, the end time, the schedule type, and details of email notification.
Device SummaryDisplays information about the total devices submitted for the job, the

number of devices that were scanned, the number of devices that were pending, the devices that
were successful with change, successful without change, and the failed devices.
Also, the Device Details and Not Attempted information appears.
Not Attempted displays the number of devices for which the Inventory collection module did
not attempt to collect the data.

Job ResultsDisplays information about the number of devices scanned, the names of the scanned
devices, the duration of scanning, the average scan time per device, and the job results description,
for the inventory collection or polling job.
To see more details, expand the Job Results node. You will see the following details:
FailedIf you click on this node, you will see the collective list of failed devices and the reason

for their failure in the right pane, for the inventory collection or polling job.
If you expand this node, the list of failed devices appears.
If you select a device, the right pane displays the device name and the reason for the failure. For
example, Device sensed, but collection failed, or Device not reachable.
Successful: With Changes

For a Inventory collection job:


Expand the Successful: With Changes node to display a list of devices.
If you select a device, the right pane displays the device name and a hyperlink: View Changes.
If you click on this hyperlink, the Inventory Change Details report appears for the device. The
report displays information about the attribute, the type of change, the time of change, the
previous value and the current value for the collection job.
If you do not expand this node, you will see the collective list of devices with the status Success:
With changes with their View Changes hyperlinks, in the right pane, for the collection job.
There is a View All Changes hyperlink in the right pane. If you click this hyperlink, all the
changes on the devices are displayed.
For a Inventory polling job:
Click on the Successful: With Changes node to display a list of devices that have changes, as a
comma separated list, in your right pane.
When there is a change in the config of a device and when the device is polled, the information
like Collection initated will appear in the job results. A separate job will be created for the
inventory collection as a result of changes occuring in the inventory .

Administration of Cisco Prime LAN Management Solution 4.2

8-6

OL-25947-01

Chapter 8

Administering Collection Settings


Using the Inventory Job Browser

Successful: Without Changes

If you click on this, you will see as a comma-separated list in your right pane, the devices that
were successful for the inventory collection or polling job.

Note

Inventory Poller creates a Collection job when it detects changes.

Creating and Editing an Inventory Collection or Polling Job


To create or edit an Inventory collection or polling job:
Step 1

Either:

Select Inventory > Job Browsers > Inventory Collection.


Or

Select Admin > Collection Settings > Inventory > Inventory Jobs.

The Inventory Job Browser appears.


Step 2

Select either:

Click Create.
The Create Inventory Job dialog box appears.
Or

Step 3

Select a job and click Edit.

Select either:

Device Selector, if you want to schedule report generation for static set of devices

Or

Group Selector, if you want to schedule report generation for dynamic group of devices.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-7

Chapter 8

Administering Collection Settings

Using the Inventory Job Browser

Step 4

Enter the information required to create a job:

Field

Description

Job Type

Select either Inventory Collection or Inventory Polling, as required.

Scheduling

Run Type

Specifies the type of schedule for the job:

ImmediateRuns the report immediately.

6 - hourlyRuns the report every 6 hours, starting from the specified time.

12 - hourlyRuns the report every 12 hours, starting from the specified time.

OnceRuns the report once at the specified date and time.

DailyRuns daily at the specified time.

WeeklyRuns weekly on the day of the week and at the specified time.

MonthlyRuns monthly on the day of the month and at the specified time.

For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the
job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance
of this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1
job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m.
November 2, then the next job will start only at 10:00 a.m. on November 3.
If you select Immediate, the date field option will be disabled.
Date

1.

Enter the start date in the dd mmm yyyy format, for example, 02 Jul 2004, or click on the calendar icon and select the date.

2.

Enter the start time by selecting the hours and minutes from the drop-down list.
The Date field is enabled only if you have selected an option other than Immediate in the Run
Type field.

Job Info

Job Description

Enter a description for the report that you are scheduling. This is a mandatory field. Accepts alphanumeric values. This field is restricted to 256 characters.

E-mail

Enter e-mail addresses to which the job sends messages when the job has run.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog
box (Admin > System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the senders address,

Administration of Cisco Prime LAN Management Solution 4.2

8-8

OL-25947-01

Chapter 8

Administering Collection Settings


Timeout and Retry Settings

Step 5

Click Submit.
You get a notification that the job has been successfully created, and it appears in the Inventory Job
Browser.
To edit a job, select a scheduled job from the Inventory Job Browser, and click Edit.
The Edit Inventory Job dialog box appears. The Job Type options are disabled. You can however, change
the Scheduling and Job Info fields as required, and click Submit.
The job is edited.

Stopping, Cancelling or Deleting an Inventory Collection or Polling Job


You can stop, cancel or delete Inventory Collection or Polling jobs.

Stopping a job, see Stop in Table 8-1.

Cancelling a job, see Cancel in Table 8-1.

Deleting a job, see Delete in Table 8-1.

Timeout and Retry Settings


This option enables you to set the default values for Inventory, Config timeout and retry settings. These
values are applicable to all devices in LMS.

SNMP RetryNumber of times that the system should try to access devices with SNMP options.
The default value is 2. The minimum value is zero and the maximum value is 6.

SNMP TimeoutAmount of time that the system should wait for a device to respond before it tries
to access it again. It refers to the total transaction time of SNMP Packets.
The default value is 2 seconds and the minimum value is zero seconds. There is no maximum value
limit. Changing the SNMP timeout value affects inventory collection.

Telnet TimeoutAmount of time that the system should wait for a device to respond before it tries
to access it again. It refers to the initial response time required to create a socket.
The default value is 36 seconds and the minimum value is zero seconds. There is no maximum value
limit.
Changing the Telnet timeout value affects inventory collection.

Natted LMS IP AddressThe LMS server ID. This is the translated address of LMS server as seen
from the network where the device resides.
You need to enable support for NAT, in a scenario where LMS tries to contact devices outside the
NAT boundary.
The default value is Not Available.

TFTP TimeoutAmount of time that the system should wait to get the result status of the copy
operation. Changing the TFTP timeout value affects Config collection.
The default value is 5 and the minimum value is 0 seconds. There is no maximum value limit.

Read DelayAmount of time the system will sleep in between each read iteration.
The default read delay is 10 milliseconds.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-9

Chapter 8

Administering Collection Settings

Timeout and Retry Settings

Transport TimeoutAmount of time the socket will be blocked for read operation.
The default value is 45000 milliseconds.

Login TimeoutAmount of time in milliseconds after which it will start reading the user prompt.
The default value is 2000 milliseconds.

Tune SleepAmount of sleep time in milliseconds after sending tune command 3 to 4 times.
The default value is 50 milliseconds.

Delay After ConnectAmount of waiting time in milliseconds after initial socket connection. It
will wait for the set time before doing the next operation.
The default value is 300 milliseconds.

To edit the Inventory, Config timeout and retry settings:


Step 1

Select Admin > Network > Timeout and Retry Settings > Config Timeout and Retry Settings.
The Inventory, Config timeout and retry settings page appears.

Step 2

Step 3

Enter the default values for:

SNMP Retry

SNMP Timeout

Telnet Timeout

Natted LMS IP Address

TFTP Timeout

Read Delay

Transport Timeout

Login Timeout

Tune Sleep

Delay After Connect

Click Apply.

Note

Step 4

Modifying the default timeout values will apply to all the devices and impact the work flows of
all devices. To edit per device level attributes, go to Editing Device Attributes.

Click OK.
A confirmation message appears:
The settings are updated successfully

Note

When you do a back up restore from LMS 3.x/4.x to LMS 4.2, the inventory, config timeout, and retry
values will not be restored by default. To restore the values for all the devices, edit the default values in
Timeout and Retry settings page. To restore the values for specific devices, go to Admin > Collection
Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings

Administration of Cisco Prime LAN Management Solution 4.2

8-10

OL-25947-01

Chapter 8

Administering Collection Settings


Secondary Credentials

Secondary Credentials
The LMS server polls and receives two types of credentials from each device and populates the Device
Credential Repository (DCR).These credentials are:

Primary Credentials

Secondary Credentials

LMS uses either the primary or secondary credentials to access the devices using the following
protocols:

Telnet

SSH

The LMS server first uses the Primary Credentials to access the device. The Primary Credentials is tried
out many times and on failure the Secondary Credentials is tried out. Secondary Credentials is used as
a fallback mechanism in LMS for connecting to devices.
For instance, if the AAA Server is down, accessing devices using their primary credentials will lead to
failure.
You can add or edit the Secondary Credentials information through the DCR page (Select Inventory >
Device Administration > Add / Import / Manage Devices) if the Secondary Credential information is
not available for a device.

Note

The use of Secondary Credentials fallback is applicable for both Login and Enable connectivity.
You can use the LMS Secondary Credential dialog box to enable or disable Secondary Credentials
fallback when the Primary Credentials for a device fails. This is a global option which you can use to
enable or disable the use of Secondary Credential fallback for all LMS applications.
To enable or disable the Secondary Credentials fallback:

Step 1

Select Admin > Collection Settings > Config > Secondary Credential Settings.
or
Select Admin > Collection Settings > Inventory > Secondary Credential Settings.
The Secondary Credentials dialog box appears.

Step 2

Do either of the following:

Check Fallback to Secondary Credentials check box if you want to enable the Secondary
Credential fallback.

Or

Step 3

Uncheck Fallback to Secondary Credentials check box if you want to disable the Secondary
Credential fallback.

Click either Apply to apply the option or click Cancel to discard the changes.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-11

Chapter 8
Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX System

Administering Collection Settings

Changing the Schedule for System Inventory Collection or


Polling, Compliance Policy and PSIRT/EOX System
At the time of LMS installation, system jobs are created for both Inventory collection and polling, with
their own default schedules. A periodic inventory collection job collects inventory data from all
managed devices and updates your inventory database.
Similarly, the periodic polling polls devices and updates the inventory database. You can change the
schedule of these default, periodic system jobs.
For inventory collection or polling to work, your devices must have accurate read community strings
entered. The changes detected by inventory collection or polling, are reflected in all associated inventory
reports.
This section contains the following topics:

Changing the Schedule for System Inventory Collection or Polling Settings

Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings

Changing the Schedule for System Inventory Collection or Polling Settings


Note that the inventory poller allows you to collect inventory less often. The poller detects most changes
in managed devices, with much less impact on your network. If the poller detects changes, it initiates
inventory collection.
To collect inventory or poll devices as a one-time event or for selected devices only, create user-defined
inventory collection or polling jobs (see Creating and Editing an Inventory Collection or Polling Job).

Note

Step 1

View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform these tasks.
Select Admin > Collection Settings > Inventory > Inventory System Job Schedule.
The System Job Schedule dialog box displays the current collection or polling schedule.

Step 2

Set the new Inventory Collection or Inventory Polling schedule in the respective panes, as in Table 8-2.
Inventory data does not change frequently, so infrequent collection is better. However, if you are
installing much new equipment, you may need more frequent collection.
Infrequent collection reduces the load on your network and managed devices. Collection is also best
done at night or when network activity is low.
Also, make sure your collections do not overlap, by checking their duration using the Inventory Job
Browser (see Using the Inventory Job Browser), and scheduling accordingly.

Step 3

Click Apply.
The new schedule is saved.

Administration of Cisco Prime LAN Management Solution 4.2

8-12

OL-25947-01

Chapter 8

Administering Collection Settings


Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX System

Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings
Note

View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform these tasks.

Step 1

Select Admin > Network > Compliance Policy/PSIRT/EOS/EOL Settings > Compliance Policy and
Psirt/Eox System Job Schedule.
The Compliance Policy and PSIRT/EOX System Job Schedule page appears.

Step 2

Set the new Compliance Policy and PSIRT/EOX schedule in the respective panes, as in Table 8-2.

Step 3

Click Apply.
The new schedule is saved.

Table 8-2

Details of Inventory system schedule and CAAM Policy and PSIRT/EOX System Job Schedule

Field

Description

Scheduling

Run Type

Select the run type or frequency for inventory collection or polling, CAAM Policy and PSIRT/EOXDaily,
Weekly, or Monthly.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job
will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If
the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start
only at 10:00 a.m. on November 3.

Date

Select the date for the collection or polling to begin, using the date picker.

at

Enter the time for the collection or polling to begin, in the hh:mm:ss format.

Job Info

Job Description

Has a default Job Description:


If the Job Type is Inventory Collection, the description is, System Inventory Collection Job.
If the Job Type is PSIRT and EOX Or Compliance Policy, the description is, System Compliance Policy and
PSIRT/EOX Job.

E-mail

Enter e-mail addresses to which the job sends messages when the collection or polling job has run.
You can enter multiple e-mail addresses, separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin >
System > System Preferences).
We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box (Admin
> System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the senders address.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-13

Chapter 8

Administering Collection Settings

PSIRT or End-of-Sale or End-of-Life Data Administration

Compliance Policy and PSIRT/EOX Job Report

Perform the following steps to view the Compliance Policy and PSIRT/EOX Job Report:
Step 1

Go to Admin > Jobs > Browser.

Step 2

Select Type in the Filter by field and SystemPsirtJob in the drop-down list.

Step 3

Click Filter.
The SystemPsirtJob will be filtered and displayed.

Step 4

Click the JOB ID e.g 1005.1 to view the Compliance Policy and PSIRT/EOX Job Report.

PSIRT or End-of-Sale or End-of-Life Data Administration


Product Security Incident Response Team (PSIRT) of Cisco is a dedicated, global team that manages the
receipt, investigation, and public reporting of security vulnerability-related information, related to Cisco
products and networks.
For every security vulnerability, a PSIRT document is created with a PSIRT Document ID. This
document consists of definitions of the vulnerabilities, the IOS image version that is affect by the PSIRT,
as well as the device that is impacted.

Note

System PSIRT job should be successful at least once before generating PSIRT/End-of-Sale or
End-of-Life (EoX) reports. Report job will be successful even though there is no data to display for the
selected devices.
The EoS/EoL reports will be successful but might not contain data in the below scenarios:
1.

If the system PSIRT job fails because of wrong Cisco.com credentials, or if you have not
configured the Cisco.com credentials.

2.

If the system PSIRT job fails due to problems in the downloaded local XML file.

3.

If there is no PSIRT/EoX data in the database for the selected devices.

LMS fetches and collects this PSIRT information from Cisco.com whenever the system PSIRT and
End-of-Sale or End-of-Life (EOX) job runs.
LMS uses PSIRT, End-of-Sale and End-of-Life data from Cisco.com to generate various reports. You
can change the Data Source for PSIRT or End-of-Sale or End-of-Life reports. For more information, see
Changing the Data Source for PSIRT/EOS/EOL Reports.

Changing the Data Source for PSIRT/EOS/EOL Reports


You can use the PSIRT/EOX Reports option to change the data source for generating a PSIRT or
End-of-Sale or End-of-Life report.
To access this option, select Reports > Fault and Event > PSIRT Summary
This section contains:

Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com

Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location

Administration of Cisco Prime LAN Management Solution 4.2

8-14

OL-25947-01

Chapter 8

Administering Collection Settings


PSIRT or End-of-Sale or End-of-Life Data Administration

When you schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the
data either from Cisco.com or from a local text file with XML data, depending upon the option you have
set.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-15

Chapter 8

Administering Collection Settings

PSIRT or End-of-Sale or End-of-Life Data Administration

To change the PSIRT or End-of-Sale/End-of-Life report settings:


Step 1

Select Admin > Network > PSIRT, EOS and EOL Settings > PSIRT/EOX Reports option.
The PSIRT/EOX Reports dialog box appears.

Step 2

Either:

Select Cisco.com, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data
from Cisco.com
Or

Select Local, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data from
local file.
The local file location is shown if you have selected Local.

Step 3

Click Apply
The PSIRT or End-of-Sale or End-of-Life report can be generated based on the settings specified by you.

Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com


You can use the Cisco.com option, if you have access to Cisco.com from the LMS server. When you
schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the data from
Cisco.com. The report so generated consists of latest data from the system PSIRT and EOX job.
If you have opted to generate a PSIRT or End-of-Sale or End-of-Life report using data from Cisco.com,
you must setup the Cisco.com user account using Admin > System > Cisco.com Settings > User
Account Setup. If you do not configure the Cisco.com user account, the System PSIRT and EOX job
will fail.

Note

While you schedule a PSIRT Summary report job or End-of-Sale or End-of-Life job using the Cisco.com
method, the Cisco.com Username, Cisco.com Password are enabled. If you have configured the Proxy
Server (Admin > System > Cisco.com Settings > Proxy Server Setup) then Proxy Username and Proxy
Password fields are also enabled.

Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location


You can use the Local option, if you do not have an internet connection from the LMS server. The local
file is a text file with XML data in it.
Downloading the text file with XML data from Cisco.com

You can retrieve the PSIRT or End-of-Sale or End-of-Life information from an external server and store
it in the local file location on the LMS server.
To download the text file with XML data from Cisco.com:
1.

Use a server other than LMS server with internet connection as the external server.

2.

From this external server, access the following link to download the XML data:

Administration of Cisco Prime LAN Management Solution 4.2

8-16

OL-25947-01

Chapter 8

Administering Collection Settings


PSIRT or End-of-Sale or End-of-Life Data Administration

For EoS/EoL Hardware Report:


1.

Go to
http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwar
eid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=
latest#

2.

Login to Cisco.com by entering the Cisco.com user name and password.

3.

Download the PSIRT_EOX_OFFLINE.zip file.

4.

Extract the text file with XML data to the external server.

5.

Copy the text file from the external server into the LMS Server under:

On Solaris/Soft Appliance,

/var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml
On Windows, NMSROOT\files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml

The text file with XML data gets saved under local_xml folder.
Where NMSROOT is the default Cisco Prime installation directory.
For EoS/EoL Software Report:
1.

Go to
http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwar
eid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=
latest#

2.

Login to Cisco.com by entering the Cisco.com user name and password.

3.

Download the EOX_SOFTWARE.zip file to the external server.

4.

Copy the EOX_SOFTWARE.zip file from the external server into the LMS Server under:

On Solaris/Soft Appliance,

/var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml
On Windows, NMSROOT\files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml

Note

You must not extract the EOX_SOFTWARE.zip file in the LMS Server.
The EOX_SOFTWARE.zip file gets saved under local_xml folder.
Where NMSROOT is the default Cisco Prime installation directory.

When you schedule a PSIRT or End-of-Sale/End-of-Life report, the Report Generator retrieves the data
from the XML file.
To ensure that the data shown in the PSIRT or End-of-Sale or End-of-Life report is the latest:
1.

Retrieve the PSIRT or End-of-Sale or End-of-Life information from Cisco.com using an external
server which has internet connection.

2.

Store this retrieved XML information in the local file location.

3.

Then generate a PSIRT Summary Report or End-of-Sale or End-of-Life report.


For more information, see:
Downloading the text file with XML data from Cisco.com

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-17

Chapter 8

Administering Collection Settings

Administering VRF Lite

Administering VRF Lite


From the Admin tab in the mega menu you can administer the following features of VRF Lite:

Provide VRF Lite Collector Settings. For details, see Using VRF Lite Collector Settings.

Schedule VRF Lite Collection. For details, see Scheduling VRF Lite Collector.

Modify SNMP Timeouts and Retries. For details, see Modifying VRF Lite SNMP Timeouts and
Retries.

You can specify the debugging options for VRF Lite Server, VRF Lite Collector, and VRF Lite, select
Admin > System > Debug Settings.
You can view the status of VRF Lite jobs, select Admin > Jobs > Browser, and use the filter to view
only VRF Lite jobs.
You can configure purging interval for Virtual Network Manager Report Jobs and Archives, select
Admin > Network > Purge Settings > VRF Management Purge Settings. For details, see Purging
VRF Management Reports Jobs and Archived Reports.
This section contains:

Using VRF Lite Collector Settings

Scheduling VRF Lite Collector

Modifying VRF Lite SNMP Timeouts and Retries

Using VRF Lite Collector Settings


You can perform the following administrative tasks using the VRF Lite Collector Settings page:

Schedule VRF Lite Collector


You can schedule the VRF Lite Collector process to run after every Data Collection. The VRF Lite
Collector process is scheduled to collect VRF Lite-specific details of the VRF Lite Capable and
VRF Lite Supported devices. You can add, edit and delete VRF Lite Collector Schedule jobs.
To schedule the VRF Lite Collection process, click Schedule VRF Lite Collector link.
For details, see Scheduling VRF Lite Collector.

VRF Lite SNMP Timeouts and Retries Settings


You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular
device with SNMP timeout exceptions. To modify the VRF Lite SNMP Timeouts and Retries
Settings, click VRF Lite SNMP Timeouts and Retries Settings link.
For details, see Modifying VRF Lite SNMP Timeouts and Retries.

Administration of Cisco Prime LAN Management Solution 4.2

8-18

OL-25947-01

Chapter 8

Administering Collection Settings


Administering VRF Lite

Scheduling VRF Lite Collector


You can schedule the day and the time of VRF Lite Collection using this feature. You can add a new
schedule, edit or delete existing schedules.
To schedule VRF Lite Collector:
Step 1

Select Admin > Collection Settings > VRF Lite > VRF Lite Collector Schedule.
The VRF Lite Collector Schedule dialog box appears.

Step 2
Table 8-3

Enter the details as mentioned in Table 8-3.

VRF Lite Collection Schedule Settings

Field

Description

Usage Notes

Schedule

Run VRF Lite


Collector After
Every Data
Collection

Allows you to enable or disable VRF Lite


Collection after every Data Collection.

Enable: Check the check box to enable VRF Lite


Collection after every Data Collection and click Apply.

The VRF Lite Collection collects VRF


Lite-specific details.

Disable: Uncheck the check box to disable VRF Lite


Collection after every Data Collection and click Apply.

Job ID

Job ID of the VRF Lite Collector Schedule Display only.


job.

Schedule VRF Lite Collector

Days, Hour, Min

Days on which and the time at which VRF The optimum VRF Lite collection schedule depends on the
Lite collection is scheduled.
size of the network and the frequency of network changes.
By default, the VRF Lite collection process is scheduled to
run after the Data Collection process has completed.

Recurrence
Pattern

Select the days of the week on which VRF This field is available only when you are adding or editing a
Lite collection is to be scheduled.
schedule.

Job Description

Description of the VRF Lite Collector


Schedule job.

Step 3

Enter the description of the VRF Lite Collector Schedule job.

Select a schedule and click Edit to edit the schedule

Select a schedule and click Delete to delete the schedule

Click Add to add a new schedule

Click OK to save the details


Or
Click Cancel to exit the VRF Lite Collection Schedule dialog box.

You can view the status of VRF Lite Collector Schedule job, select Admin > Jobs > Browser, and use
the filter to view VRF Lite Collector Schedule job.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-19

Chapter 8

Administering Collection Settings

Administering VRF Lite

Modifying VRF Lite SNMP Timeouts and Retries


You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular device
with SNMP timeout exceptions.
To modify SNMP timeouts and retries:
Step 1

Select Admin > Network > Timeout and Retry Settings > VRF Lite SNMP Timeouts and Retries.
The VRF Lite SNMP Timeouts and Retries dialog box appears.

Step 2

Modify the SNMP settings as given in Table 8-4.


Table 8-4

Modify VRF Lite SNMP Timeouts and Retries

Field

Description

Target

IP address of the target device. For example, 10.*.*.*

Timeouts

Time period after which the query times out.


This also indicates the time interval between the request and the first initial
response from the device.
The SNMP response may be slow for remote devices. If your network has
remote devices connected over a slow link, configure a higher value for
time-out.
If Time out is increased, Discovery time could also increase. Enter the value
in seconds. The allowed range is 0-60.
For every retry, the Timeout value is doubled.
For example, If the Timeout is 10 seconds and retries 4:
LMS waits for 10 seconds for response for the first try, 20 seconds for the
second retry, 40 seconds for the third retry and 80 seconds for the fourth
retry.
150 seconds (10+20+40+80) is the total time lapse after which Virtual
Network Manager stops querying the device.

Retries

Number of attempts made to query the device. The allowed range is 0-8.

Step 3

Click Add to add VRF Lite SNMP settings.

Step 4

Select a row and either:

Click Edit to edit the VRF Lite SNMP Timeouts and Retries value.

Or

Click Delete to delete the VRF Lite SNMP Timeouts and Retries value.

Click OK to save the changes or click Cancel to exit.


Step 5

Click Apply.

Administration of Cisco Prime LAN Management Solution 4.2

8-20

OL-25947-01

Chapter 8

Administering Collection Settings


Modifying Fault Management SNMP Timeout and Retries

Modifying Fault Management SNMP Timeout and Retries


If an SNMP query does not respond in time, Fault Management will time out. It will then retry contacting
the device for as many times as displayed when you select Admin > Network > Timeout and Retry
Settings > Fault Management SNMP Timeouts and Retries.
The timeout period is doubled for every subsequent retry. For example, if the timeout value is 4 seconds
and the retries value is 3, LMS waits for 4 seconds before the first retry, 8 seconds before the second
retry, and 16 seconds before the third retry.
The SNMP timeout and retries are global settings.
The default values are:

Timeout4 seconds

Retries3

Note

Changing the settings on this page will modify the settings on all devices managed by LMS.

Note

Your login determines whether or not you can perform this task. View Permission Report (Reports >
System > Users > Permission) to check if you have the required privileges to perform this task.
To modify the Fault Management SNMP timeout and retries:

Step 1

Select Admin > Network > Timeout and Retry Settings > Fault Management SNMP Timeouts and
Retries. The SNMP Configuration page appears.

Step 2

Select a new SNMP timeout setting.

Step 3

Select a new Number of Retries setting.

Step 4

Click Apply.

Step 5

In the confirmation box, click Yes.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-21

Chapter 8

Administering Collection Settings

Configuring Fault Management Rediscovery Schedules

Configuring Fault Management Rediscovery Schedules


Note

Your login determines whether or not you can perform this task. View Permission Report (Reports >
System > Users > Permission) to check if you have the required privileges to perform this task.
LMS rediscovery probes the devices to discover their configuration and verify their manageable
elements in inventory.
LMS contains a default discovery schedule that starts rediscovery on a weekly basis. Although you
cannot modify the default discovery schedule, you can suspend it and add, modify, or delete additional
schedules.
For more information, see

Suspending and Resuming a Rediscovery Schedule

Adding and Modifying a Rediscovery Schedule

Suspending and Resuming a Rediscovery Schedule


LMS includes a default rediscovery schedule, Default_Schedule. You cannot edit or delete
Default_Schedule, but you can suspend it. To completely suspend rediscovery for a period of time, you
may have to repeat this procedure to suspend multiple schedules.
To suspend and resume a rediscovery schedule:
Step 1

Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule.
The Rediscovery Schedule page appears.

Step 2

You can either:

Select a schedule that does not have a Suspended status, and click Suspend.
The status for the schedule changes to Suspended and the schedule does not run until you resume
the schedule. The schedule remains listed on the Rediscovery Schedule page until you delete it.
Or

Select a schedule with a status of Suspended and click Resume.


The status for the schedule changes to Scheduled.

Administration of Cisco Prime LAN Management Solution 4.2

8-22

OL-25947-01

Chapter 8

Administering Collection Settings


Configuring Fault Management Rediscovery Schedules

Adding and Modifying a Rediscovery Schedule


See Performing Scheduling Tasks to plan the rediscovery schedule for maximum efficiency and
minimum system impact.
Performing Scheduling Tasks

You should plan the rediscovery schedule for maximum efficiency and minimum system impact.
When LMS is first installed, for the Fault Management module most tasks listed in Table 8-5 are
scheduled by default to ensure that they do not run concurrently. You can configure the schedules for
these tasks to meet the requirements of your site. However, you should still avoid running them
concurrently.
Table 8-5

Scheduling Considerations

Configuration Task

Default Schedule

Comments and Notes

Database purging

Run daily at
midnight.

The amount of time it takes to purge the database


depends on the size of the database.
For more information on how to configure the Daily
Fault History Purging Schedule, see Configuring the
Daily Fault History Purging Schedule.

Rediscovery

Run weekly on
Monday at 2:00 a.m.

By default, rediscovery starts 2 hours after database


purging.

In addition to configuring schedules, a system administrator can schedule database backups. Be careful
while coordinating the database backup schedule to avoid running concurrently with the tasks listed in
Table 8-5.
To add or edit a rediscovery schedule:
Step 1

Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule.

Step 2

Select either:

Click Add.

Or

Select a rediscovery schedule with a status of Scheduled and click Edit. You cannot edit
Default_Schedule.

Step 3

Enter a name for the schedule.

Step 4

Select how often the schedule should run:

Once

Daily

Weekly (default)

Monthly

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-23

Chapter 8

Administering Collection Settings

Configuring Event Forensics

Step 5

Select the date, hour, and minute on which to start the rediscovery schedule and click Next.

Step 6

Review the information on the Schedule Summary page and click Finish. The Rediscovery Schedule
page appears, listing the new schedule.

Deleting a Rediscovery Schedule

To delete a rediscovery schedule:


Step 1

Select a rediscovery schedule and click Delete.


A confirmation dialog box appears.

Note
Step 2

You cannot delete Default_Schedule.

Click Yes. The job is removed from this page. However, it will continue to be listed in the main Job
Browser.

Configuring Event Forensics


Event Forensics refer to additional information related to the specific events that are polled by LMS
server. The polled data are stored on the server and you can use this for troubleshooting.
You must enable the Event Forensics collection feature on LMS server to start collecting the event
forensics data.
To enable collection of Event Forensics:
Step 1

Click Admin > Collection Settings > Fault > Fault Event Forensics Configuration. The Event
Forensics Configuration page appears.

Step 2

Select the Event Forensics Enable check box to enable LMS to collect forensics data.

Step 3

Click Apply.
LMS polls for Event Forensics data for the following events only:

Device unavailability or unresponsiveness

Flapping

Operationally Down

To view the event forensics results select Monitor > Monitoring Tools > Fault Monitor. You can see
the event forensics results when you move your mouse over the Annotations in the Faults table of Fault
Monitor Device Fault Summary view tab.

Administration of Cisco Prime LAN Management Solution 4.2

8-24

OL-25947-01

Chapter 8

Administering Collection Settings


Fault Monitoring Device Administration

Fault Monitoring Device Administration


To rediscover and delete specific devices, select Admin > Collection Settings > Fault > Fault
Monitoring Device Administration.
The Fault Monitoring Device Administration page contains two panes.

The left pane displays a device selector, from which you select the device or group that you want to
rediscover or delete. The left pane includes a search option

The right pane displays the information for the selected object.

Click the Refresh button to refresh the view.

Note

If the IP addresses of the device and its components such as interface or port are added separately in
DCR then only device IP will be managed in fault Management and the components IP will not be
managed separately as the components are already managed under the device IP.
The devices that appear in the device selector are organized in folders by device state as shown in the
Table 8-6. The folders appear only if there is a device to go in the folder.

Table 8-6

Device Summary and Device States

Heading

Description

Status

Lists the state the devices are in, from the following possibilities:
Known

The device has been successfully imported, and is fully managed by Fault
Management.

Learning

Fault Management is discovering the device. This is the beginning state,


when the device is first added or is being rediscovered. Some of the data
collectors may still be gathering device information.

Questioned

Fault Management cannot successfully manage the device.

Pending

The device is being deleted. (Fault Management is waiting for


confirmation from all of its data collectors before purging the device and
its details.)

Unknown

IPv6 device or the selected algorithm is not supported in Fault


Management.

Rediscovering Devices

When rediscovery takes place, if there are any changes to a device or group configuration, the new
settings will overwrite any previous settings.
Rediscovery occurs only for managed devices, and not suspended devices.
Rediscovery also occurs when:

Inventory collection occurs. This is controlled by the Rediscovery Schedule (Admin > Collection
Settings > Fault > Fault Management Rediscovery Schedule)

A device is added to the DCR, or a change is made to a device in the DCR, and LMS is configured
to import that device type (or LMS automatically imports all DCR devices). Such DCR changes
include a device being deleted or having its credentials (IP address, SNMP credentials, MDF type)
changed in the DCR.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-25

Chapter 8

Administering Collection Settings

Device Management Functions

Note

A device is manually added to LMS using the Device Import page.

Do not confuse the LMS discovery process with the DCR synchronization process. LMS Discovery and
Rediscovery is a process that affects only the LMS inventory.
To rediscover devices:

Step 1

Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault
Monitoring Device Administration page appears.

Step 2

Select the device or group that you want to rediscover.


With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To
assist you in locating devices, use the search option in the device selector.

Note

Step 3

If you are connecting to the LMS server for the first time, a Security Alert window is displayed
after you select nearly any option. Do not proceed without viewing and installing the security
certificate. You should contact a user with System Administrator privileges to create a
self-signed security certificate, and then install it. If you do not install the self-signed security
certificate, you may not be able to access some LMS application pages.

Click Rediscover.
Rediscovery starts. To view rediscovery status, select Inventory > Device Administration > Manage
Device State.

Note

If the number of components managed by fault management exceeds 40000/domain then the remaining
devices will be moved to Question State with the error message Network Adapter Limit Exceeded.
Question State Device Report

Creating a question state device report involves the following steps:


Step 1

Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault
Monitoring Device Administration page appears.

Step 2

Click Question State Devie Report.


The question state device report containing the device name, device IP, discovery start time and error
details is displayed.

Device Management Functions


Till LMS 3.2 there were 8 different applications like Common Services, Portal and applications covering
functionalities in FCAPS model.

Administration of Cisco Prime LAN Management Solution 4.2

8-26

OL-25947-01

Chapter 8

Administering Collection Settings


Performance Management SNMP Timeouts and Retry Settings

LMS 4.2 removes application boundaries and provides tighter integration among the components. It
groups all the related functionalities in one place, thus making the product more user friendly.
LMS 4.2 consists of the following five functionalities:

Inventory, Config and Image Management

Network Topology, Layer 2 Services and User Tracking

Fault Management

IPSLA Performance Management

Device Performance Management

To view the functionality settings:


Select Admin > System > Device Management Functions.
By default, all the functions will be enabled.
If you have a 10K license, only Inventory, Config and Image Management will function. You should
disable all functions except Inventory, Config and Image Management from this page.

Note

If you disable a function, the function will stop collecting device information. For IPSLA Management,
history data will be deleted.

Performance Management SNMP Timeouts and Retry Settings


Cisco Prime LMS allows you to configure the Performance Management SNMP timeout and SNMP
retries using the Poll Settings option. The Performance Management SNMP timeout and SNMP retries
are based on the device and network response time.

SNMP timeout is the duration of time that LMS waits for the device to respond before it retries to
query the device again.

SNMP retry is the maximum number of times LMS retries to query the device.

You can also set the notification interval time in case of poller failures and the e-mail ID to which the
notification should be sent.
You can also configure Poll Settings to send the polling failure report as an e-mail.
To configure Poll Settings:
Step 1

Select Admin > Network > Timeout and Retry Settings > Performance Management SNMP
timeouts and retry settings.
The Poll Settings dialog box appears.
Table 8-7 describes the fields in the Poll Settings dialog box.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-27

Chapter 8

Administering Collection Settings

IPSLA Application Settings

Table 8-7

Poll Settings Fields

Field

Description

Poll Details

SNMP Timeout

Specify the SNMP timeout interval in seconds.


The default SNMP timeout value is 3 seconds. You can change the default
SNMP timeout value to a value between 1 to 15 seconds.

SNMP Retries

Specify the SNMP retries count.


The default SNMP retry count value is 1. You can set the default SNMP retry
count to a value from 0 to 3.

Polling Failure

Notification Interval

Specify the polling failure notification interval.


You can select any of these predefined values. The default option is 6 hours.

01 - HourPolling failures notified every 1 hour.

06 - HoursPolling failures notified every 6 hours.

24 - HoursPolling failures notified every 24 hours.

48 - HoursPolling failures notified every 48 hours.

WeeklyPolling failures notified every week.

Polling failure notification report is generated periodically based on


notification interval. This report contains information on the SNMP polling
failures with device details.
E-mail ID

Enter the e-mail address.


The E-mail address must be in the format: user@domain.com.
The poll failure report is send to the E-mail address based on the Notification
Interval.

Step 2

Update the necessary fields in the following panes:

Poll Details

Polling Failure

See Table 8-7 for the description of fields that appear in the Poll Settings dialog box.
Step 3

Click Apply to update the poll settings or Reset to cancel the poll settings.
A message appears confirming that poll settings are updated successfully.

IPSLA Application Settings


The IPSLA Application Settings page allows you to copy IP SLA (Internet Protocol Service Level
Agreement) configuration to running-config, and set managed source interface.

Copying IPSLA Configuration to Running-Config

Managed Source Interface Setting

Administration of Cisco Prime LAN Management Solution 4.2

8-28

OL-25947-01

Chapter 8

Administering Collection Settings


IPSLA Application Settings

Copying IPSLA Configuration to Running-Config


You can see the IPSLA (Internet Protocol Service Level Agreement) probes for the collectors that you
configure in LMS at the command line interface of the router in the running configuration by selecting
the Copy IP SLA Configuration to running-config option on the Application Settings page.
This option is not selected by default. You cannot view the IPSLA probes in the running configuration
of the source router if this option is not set.

Note

The IP SLA probes are automatically reconfigured when you reboot if you have selected this option and
saved the IP SLA probes of the LMS collectors in the startup configuration.
To view the configured collectors in the running configuration:

Step 1

Select Admin > Collection Settings > Performance > IPSLA application settings.
The IPSLA Application Settings page appears.

Step 2

Select the Copy IPSLA Configuration to Running-config check box.

Step 3

Click Apply. A message appears that the application settings have been modified successfully.
Click Default to retain the default settings.

Step 4

Click OK.

Managed Source Interface Setting


Managed Source Interface configures the source router with appropriate IP address for
sending/receiving the IPSLA (Internet Protocol Service Level Agreement) operation packets.
You can set a source interface address for the source router by selecting the Use Managed Source
Interface Address option on the Application Settings page. After this option is set, the source router uses
the managed interface address while configuring the collectors on the source device.
However, you can also specify a source interface address while configuring a collector. In this case, the
source router uses the specified interface. If the Use Managed Source Interface option is not set, then by
default, the source router selects the source interface for the collector from the Routing Table based on
the IP address of the destination.
To set a source interface address:
Step 1

Select Admin > Collection Settings > Performance > IPSLA application settings.
The Application Settings page appears.

Step 2

Select the Use Managed Source Interface Address check box.

Step 3

Click Apply. A message appears that the application settings have been modified successfully.
Click Default to retain the default settings.

Step 4

Click OK.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-29

Chapter 8

Administering Collection Settings

Setting Up Archive Management

Setting Up Archive Management


You can move the directory for archiving the LMS device configuration and enable and disable the usage
of Shadow directory. You can also list the commands that need to be excluded while comparing
configuration
To do this select Configuration > Configuration Archive > Summary.
This section contains:

Preparing to Use the Archive Management

Entering Device Credentials

Modifying Device Configurations

Modifying Device Security

Moving the Configuration Archive Directory

Enabling and Disabling the Shadow Directory

Configuring Exclude Commands

Configuring Fetch Settings

Preparing to Use the Archive Management


Before you start using the Archive Management, you must:

Enter Device Credentials (See Entering Device Credentials for details)

Modify Device Configurations (See Modifying Device Configurations for details)

Modify Device Security (See Modifying Device Security for details)

Entering Device Credentials


Enter the following device credentials in the Device and Credentials window (Admin > Network >
Configuration Job Settings > Config Job Policies):

Read and write community strings

Primary Username and Password

Primary Enable Password

If you have enabled the Enable Job Password option in the Config Job Policy dialog box (Admin >
Network > Configuration Job Settings > Config Job Policies) when you scheduled the Config jobs,
you are prompted for the following device credentials:

Login User name

Login Password

Enable Password

Administration of Cisco Prime LAN Management Solution 4.2

8-30

OL-25947-01

Chapter 8

Administering Collection Settings


Setting Up Archive Management

The supported Device authentication prompts are:

Routers
Username:, Username:
Password:, Password:

Switches
username: , Username:
password: , "Password:

Cisco Interfaces and ModulesNetwork Analysis Modules


login:
Password: password:

Security and VPNPIX


username: , Username:
passwd: , password: , Password:

Content NetworkingContent Service Switch


Username: , username: , login: ,Username: , username: , login:
Password: , password: , passwd: ,Password: , password: , passwd:

Content NetworkingContent Engine


Username: ,login:
Password:

Storage NetworkingMDS Devices


Username:, Username:
Password:, Password:

If you enabled TACACS for a device and configured custom TACACS login and passwords prompts,
you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts
recognizable, you must edit the TacacsPrompts.ini file. See Handling Custom Telnet Prompts for more
information.
Handling Custom Telnet Prompts

To handle custom telnet prompts in applications, you must configure the TacacsPrompts.ini file located
at:
NMSROOT/objects/cmf/data (on Solaris/Soft Appliance)
NMSROOT \objects\cmf\data (on Windows)
where NMSROOT is the location where you have installed Cisco Prime LMS.
The format of this ini file is:
[TELNET]
USERNAME_PROMPT=
PASSWORD_PROMPT=

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-31

Chapter 8

Administering Collection Settings

Setting Up Archive Management

For example, if you have configured username and password prompts as MyUserName: and
MyPassword: for a few devices and SecretUserName: and Secrect Password: for a few devices, the ini
file must be configured as:
[TELNET]
USERNAME_PROMPT=MyUsername:, Secret Username:
PASSWORD_PROMPT=MyPassword:, Secret Password:

Note

You need not add the default Username prompt and Password prompt in the TacacsPrompts.ini file. Only
the custom prompts need to be added.

Modifying Device Configurations


To enable the configuration archive to gather the configurations, modify the device configurations for
the following:

Enabling rcp

Enabling scp

Enabling https

Configuring Devices to Send Syslogs

Enabling rcp
To enable the configuration archive to gather the configurations using the rcp protocol, modify your
device configurations.
Make sure the devices are rcp-enabled by entering the following commands in the device configurations:
# ip rcmd rcp-enable
# ip rcmd remote-host local_username {ip-address | host} remote_username [enable]
Where ip_address | host is the IP address/hostname of the machine where LMS is installed.
Alternatively, you can enter the hostname instead of the IP address. The default remote_username and
local_username are cwuser.
Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS
server. To do this, use the command,
no ip rcmd domain-lookup for rcp to fetch the device configuration.

Administration of Cisco Prime LAN Management Solution 4.2

8-32

OL-25947-01

Chapter 8

Administering Collection Settings


Setting Up Archive Management

Enabling scp
To enable the configuration archive to gather the configurations using the scp protocol, modify your
device configurations.
To configure local User name:
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local

username admin privilege 15 password 0 system


ip ssh authentication-retries 4
ip scp server enable

To configure TACACS User name:


aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default none
aaa authorization exec default group tacacs+

ip ssh authentication-retries 4
ip scp server enable

User on the TACACS Server should be configured with priv level 15:
user = admin {
default service = permit
login = cleartext "system"
service = exec {
priv-lvl = 15
}
}

Enabling https
To enable the configuration archive to gather the configurations using https protocol you must modify
your device configurations.
To modify the device configuration, follow the procedure as described in this URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_eol_notices_list.html

Configuring Devices to Send Syslogs


Configure your devices for Syslog Analysis if you want the device configurations to be gathered and
stored automatically in the configuration archive when Syslog messages are received.
After you perform these tasks and the devices become managed, the configuration files are collected and
stored in the configuration archive.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-33

Chapter 8

Administering Collection Settings

Setting Up Archive Management

Modifying Device Security


Configuration Management must be able to run certain commands on devices to archive their
configurations.
You must have the required permissions to run these Configuration Management commands:

Router Commands

Switches Commands

Content NetworkingContent Service Switch Commands

Content NetworkingContent Engine Commands

Cisco Interfaces and ModulesNetwork Analysis Modules

Security and VPNPIX Devices

For example, you can use the LMS server to access the devices using Telnet or SSH to archive their
configurations. Ensure that the user credentials provided by you in DCR has the required permissions to
access the devices and execute the above mentioned configuration CLI commands on the devices to fetch
the configurations.
These configuration information fetched from the devices by the LMS server is stored in the LMS
database.

Router Commands
Command

Description

terminal length 0

Sets the number of lines on the current terminal screen for the
current session

terminal width 0

Sets the number of character columns on the terminal screen for the
current line for a session

show privilege

Displays your current level of privilege

Show running

Gets running configuration.

Show startup

Gets startup configuration

Show running-brief1

Gets the running configuration in brief by excluding the encryption


keys.

1. This is applicable for the IOS release 12.3(7)T release or later.

The commands in the above tables also apply to the following device types:

Universal Gateways and Access Servers

Universal Gateways and Access Servers

Optical Networking

Broadband Cable

Voice and Telephony

Wireless

Storage Networking

Administration of Cisco Prime LAN Management Solution 4.2

8-34

OL-25947-01

Chapter 8

Administering Collection Settings


Setting Up Archive Management

Switches Commands
The switches commands are:
Command

Description

set length 0

Configures the number of lines in the terminal display screen

set logging session


disable

Disables the sending of system logging messages to the current login


session.

write term

Gets running configuration.

Content NetworkingContent Service Switch Commands


The Content Service Switch commands are:
Command

Description

no terminal more

Disables support for more functions with the terminal.

show running-config

Gets all components of the running configuration.

show startup-config

Gets the CSS startup configuration (startup-config).

Content NetworkingContent Engine Commands


The Content Engine commands are:
Command

Description

terminal length 0

Sets the number of lines on the current terminal screen for the current
session

show run

Gets running configuration.

show config

Gets startup configuration.

Cisco Interfaces and ModulesNetwork Analysis Modules


The Network Analysis Modules commands are:
Command

Description

terminal length 0

Sets the number of lines on the current terminal screen for the current
session

show autostart

Displays autostart collections

show configuration

Gets startup configuration.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-35

Chapter 8

Administering Collection Settings

Setting Up Archive Management

Security and VPNPIX Devices


The PIX devices commands are:
Command

Description

terminal width 0

Sets the number of character columns on the terminal screen for the
current line for a session

show config

Gets startup configuration.

show running

Gets running configuration.

show curpriv

View the current logged-in user.

no pager

Removes paging control

Moving the Configuration Archive Directory


You can move the directory where the configuration of the devices can be archived on the LMS server.
The default Configuration Archive directory is:
On LMS Solaris/Soft Appliance server,
/var/adm/CSCOpx/files/rme/dcma

On LMS Windows server,


NMSROOT\files\rme\dcma
Where NMSROOT is the Cisco Prime installed directory.
The new archive directory location should have the permission for casuser:casusers in Solaris and
casuser should have Full Control in Windows. The new archive directory location should not be the root
of any drive (F:\) and must be a subdirectory (F:\LMSarchives).

Note

View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
The following is the workflow for moving the configuration archive location:

Step 1

Stop the ConfigMgmtServer process. To do this:


a.

Select Admin > System > Server Monitoring > Processes.


The Process Management dialog box appears.

Step 2

b.

Select the ConfigMgmtServer process.

c.

Click Stop.

Select Admin > Collection Settings > Config > Config Archive Settings.
The Archive Settings dialog box appears.

Step 3

Enter the new location in the Archive Location field, or click Browse to select a directory on your
system.

Administration of Cisco Prime LAN Management Solution 4.2

8-36

OL-25947-01

Chapter 8

Administering Collection Settings


Setting Up Archive Management

Step 4

Click Apply.
A message appears confirming the changes.

Step 5

Restart the ConfigMgmtServer process. To do this:


a.

Select Admin > System > Server Monitoring > Processes.


The Process Management dialog box appears.

b.

Select the ConfigMgmtServer process.

c.

Click Start.

Enabling and Disabling the Shadow Directory


The configuration archive Shadow directory is an image of the most recent configurations gathered by
the configuration archive.
The Shadow directory contains subdirectories that represent each device class and the latest
configurations supported by the configuration archive.
Each file name is DeviceName.cfg, as defined in the Device and Credential Repository. Each time the
archive is updated, the Shadow directory is updated with the corresponding information.
The Shadow directory can be used as an alternative method to derive the latest configuration information
programmatically by using scripts or other means.
To access to the Shadow directory, you must be root or casuser on Solaris, or in the administrator group
for Windows.
You can find the Shadow directory in the following locations:

Note

On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow

On Windows, NMSROOT/files/rme/dcma/shadow. Where NMSROOT is the directory in which LMS


is installed (the default is C:\Program Files\CSCOpx).

View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
You can enable or disable the use of Shadow directory by following this workflow:

Step 1

Stop the ConfigMgmtServer process. To do this:


a.

Select Admin > System > Server Monitoring > Processes.


The Process Management dialog box appears.

Step 2

b.

Select the ConfigMgmtServer process.

c.

Click Stop.

Select Admin > Collection Settings > Config > Config Archive Settings.
The Archive Settings dialog box appears.

Step 3

Select the Enable Shadow Directory check box.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-37

Chapter 8

Administering Collection Settings

Setting Up Archive Management

Step 4

Click Apply.
A message shows that the changes were made.

Step 5

Restart the ConfigMgmtServer process. To do this:


a.

Select Admin > System > Server Monitoring > Processes.


The Process Management dialog box appears.

b.

Select the ConfigMgmtServer process.

c.

Click Start.

Configuring Exclude Commands


You can list the commands that have to be excluded while comparing configuration. To do this select
Admin > Collection Settings > Config > Config Compare Exclude Commands Configuration.
You can enter multiple commands separated by commas.
LMS provides default exclude commands for some Device Categories.
For example, the default exclude commands for Router device category are,
end,exec-timeout,length,width,certificate,ntp clock-period
You can specify Exclude Commands at all these levels:

Device Category (For example, Routers, Wireless, etc.)

Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.)

Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)

While comparing configurations, if you have specified exclude commands in the Device Type, Device
Family and Device Category, these commands are excluded only at the Device Type level. The
commands in the Device Family and Device Category are not excluded.
Example 1:

If you have specified these commands at,

Routers (Device Category) level


end,exec-timeout,length,width,certificate,ntp clock-period

Cisco 1000 Series Routers (Device Family) level


banner incoming,snmp-server location

Cisco 1003 Router (Device Type) level


ip name-server,banner motd,snmp-server manager session-timeout

While comparing configurations, only the Cisco 1003 Router (Device Type) level commands are
excluded.

Administration of Cisco Prime LAN Management Solution 4.2

8-38

OL-25947-01

Chapter 8

Administering Collection Settings


Setting Up Archive Management

Example 2:

If you have specified these commands only at Device Family and Device Category,

Routers (Device Category) level


end,exec-timeout,length,width,certificate,ntp clock-period

Cisco 1000 Series Routers (Device Family) level


banner incoming,snmp-server location

Cisco 1003 Router (Device Type) level


No commands specified.

While comparing configurations, only the Cisco 1000 Series Routers (Device Family) level commands
are excluded.
If the commands are specified only at the Device Category level, these commands are applicable to all
devices under that category.
To configure Exclude Commands:
Step 1

Select Admin > Collection Settings > Config > Config Compare Exclude Commands
Configuration.
The Configure Exclude Commands dialog box appears.

Step 2

Step 3

Select one of these from the Device Type Selector pane:

Device Category (For example, Routers, Wireless, etc.)

Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.)

Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)

Enter the command in the Exclude Commands pane to add new commands.
You can enter multiple commands separated by commas.
You can also edit or delete the existing commands in the Exclude Commands pane.

Step 4

Click Apply.
A message appears, The commands to be excluded are saved successfully.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-39

Chapter 8

Administering Collection Settings

Understanding Configuration Retrieval and Archival

Configuring Fetch Settings


You can configure the Job Result Wait Time per device for the Sync Archive Jobs. The default value is
120 seconds. The minimum value can be set to 60 seconds.
Job Result Wait Time is the maximum wait time that Archive Management waits to get the
configurations from the device during the sync-archive job execution.
To configure the Job Result Wait Time:
Step 1

Select Admin > Collection Settings > Config > Config Job Timeout Settings.
The Fetch Settings dialog box appears.

Step 2

Provide the Job Result wait time in seconds in the Maximum time to wait for Job results per device
(seconds) field.

Step 3

Click either of these:

Click Apply, if you want to submit the Job Result Wait Time entered.

Click Cancel if you want to cancel the changes made to the Job Result Wait Time.

Understanding Configuration Retrieval and Archival


LMS supports different ways to trigger the retrieval of configuration files from the device for archival
purposes.
This section contains:

Schedule Periodic Configuration File Archival

Schedule Periodic Configuration Polling

Manual Updates (Sync Archive function)

Using Version Summary

Timestamps of Configuration Files

How Running Configuration is Archived

Change Audit Logging

Schedule Periodic Configuration File Archival


LMS will archive both the startup and running configuration files for all devices at the scheduled time
(6-hourly, 12-hourly, daily, weekly, monthly), as configured by the user.
Since this method collects the full running configuration and startup configuration files for the entire
network, we recommend that you schedule this to run at no more than once per day, especially if the
network is large and outside the LAN.
See Defining the Configuration Collection Settings for further details.

Administration of Cisco Prime LAN Management Solution 4.2

8-40

OL-25947-01

Chapter 8

Administering Collection Settings


Understanding Configuration Retrieval and Archival

Schedule Periodic Configuration Polling


LMS can be configured to periodically poll configuration MIB variables on devices that support these
MIBs according to a specified schedule, to determine if either the startup or running configuration file
has changed.
If it has, LMS will retrieve and archive the most current configuration file from the device.
Polling uses fewer resources than full scheduled collection, because configuration files are retrieved
only if the configuration MIB variable is set.
On IOS devices the variables ccmHistoryRunningLastChanged and ccmHistoryStartupLastChanged
from the CISCO-CONFIG-MAN-MIB MIB, and on CATOS the variable sysConfigChangeTime from
CISCO-STACK-MIB are used to detect the change.
Any change in the value of these variables causes the configuration file to be retrieved from the device.
SNMP change polling works only in case of IOS and CATOS devices which support these MIBs.
If these MIBs are not supported on the devices, then by default, configuration fetch will be initiated
without checking for the changes.
By default, the Periodic Collection and Polling are disabled.
See Defining the Configuration Collection Settings for scheduling the periodic polling.

Note

The Syslog application triggers configuration fetch, if configuration change messages like
SYS-6-CFG_CHG, CPU_REDUN-6-RUNNING_CONFIG_CHG etc., are received.

Manual Updates (Sync Archive function)


This feature allows the LMS user to force the configuration archive to check specified devices for
changes to the running configuration file only. Use Sync Archive if you need it to synchronize quickly
with the running configuration.
You can also poll the device and compare the time of change currently on the device with the time of
last archival of the configuration to determine whether the configuration has changed on a device.
The Startup configuration is not retrieved during manual update archive operation. However, you can
retrieve the Startup configuration by enabling the Fetch startup Config option while scheduling Sync
Archive job. To use this function select Configuration > Configuration Archive > Synchronization.

Using Version Summary


You can trigger a configuration file retrieval by clicking on the Running or Startup configuration in the
Configuration Version Summary report (select Configuration > Configuration Archive > Views >
Version Summary).
After a configuration file is fetched from the device, as described above, LMS submits the configuration
file for archival.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-41

Chapter 8

Administering Collection Settings

Understanding Configuration Retrieval and Archival

Timestamps of Configuration Files


These are timestamps of a running configuration file, or the change time (in change audit), indicate the
time at which LMS system archived the configuration file.
This is not the time at which the configuration actually changed on the device. If changes are detected
immediately using Syslog messages, the timestamp should be very close to the actual configuration
change time on the device.
Startup configurations are handled differently by LMS. Startup configs are simply saved into the system,
as they are retrieved from the device (unlike running configurations, which are compared and saved in
versioned archives, if different).
The timestamps of Startup Configuration files are just the archival times, and do not indicate the change
time.
In the version summary reports, the Running and Startup are links, which when clicked will retrieve in
real time, the respective configuration from the device. This column does not have a timestamp
associated with it.
In the Out-Of-Sync report (select Configuration > Compliance > Out-of-Sync Summary), the Startup
configuration column indicates the last archived startup configuration along with its timestamp, and the
Running configuration column indicate the last archived running config along with its timestamp.

How Running Configuration is Archived


The workflow for archiving the Running configuration is:
1.

If LMS detects an effective change, the new configuration is queued for Archival.

2.

The archiver, calculates the exact effective changes, assigns a new version number for the newly
collected archive, and archives it in the system.

3.

The archiver, at the end, logs a change audit record that the configuration of the device has changed,
along with other Audit information.

4.

If you have enabled the Enable Shadow Directory option in the Archive Settings dialog box (select
Admin > Collection Settings > Config > Config Archive Settings) the latest running configuration
file is also stored in a raw format for manual TFTP purposes to restore the configuration on the
device, in the directory location:
On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow
On Windows, NMSROOT/files/rme/dcma/shadow. Where NMSROOT is the directory in which

LMS is installed (the default is C:\Program Files\CSCOpx)

Note

Startup configurations are not versioned and only one copy of the startup configuration of devices
(which supports startup configuration), is saved in the system. No change audit records are logged for
changes in the Startup Configuration files.
LMS first compares the collected configuration file, with the latest configuration in the archive, and
checks to see if there are effective configurations changes from what was previously archived.

Administration of Cisco Prime LAN Management Solution 4.2

8-42

OL-25947-01

Chapter 8

Administering Collection Settings


Defining the Configuration Collection Settings

Change Audit Logging


Config change audit records include information about, who changed (which user) the configuration,
when the configuration change was identified by LMS, and other change information.

Any configuration change made through the LMS system (example, using Config Editor or
Netconfig), will have the user name of the user who scheduled the change job.

Any configuration change that was done outside of LMS and detected through the configuration
retrieval process, has the same user name as reported by the device through the CONFIG-MAN-MIB
variable (ccmHistoryEventTerminalUser).

Changes identified through syslog messages, contain the user name identified in the Syslog
message, if present.

Defining the Configuration Collection Settings


The configuration archive can be updated with configuration changes in two ways:

Periodic configuration archival (with and without configuration polling). To do this select Admin >
Network > Collection Settings > Config > Config Collection Settings.

Manual configuration archival. To do this select using Configuration > Configuration Archive >
Synchronization.

You can modify how and when the configuration archive retrieves configurations by selecting one or all
of the following:
Periodic Polling

The configuration archive performs a SNMP query on the device. If there are no configuration changes
detected in the devices, no configuration is fetched.
Periodic Collection

The configuration is fetched without checking for any changes in the configuration.
By default, the Periodic Collection and Polling are disabled.

Note

View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
The following is the workflow for defining the configuration collection setting:

Step 1

Select Admin > Config > Config Collection Settings.


The Config Collection Settings dialog box appears.

Step 2

Select one or all of the following options:


Periodic Polling
a.

Select Enable for Configuration archive to performs a SNMP query on the device to retrieve
configuration.

b.

Click Schedule.
The Config Collection Schedule dialog box appears.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-43

Chapter 8

Administering Collection Settings

Defining the Configuration Collection Settings

Enter the following information:

c.

Field

Description

Scheduling

Run Type

You can specify when you want to run the configuration polling job.
To do this, select one of these options from the drop-down menu:

DailyRuns daily at the specified time.

WeeklyRuns weekly on the day of the week and at the specified time.

MonthlyRuns monthly on the day of the month and at the specified time.

The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has
completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will
start only at 10:00 a.m. on November 3.
Date

You can select the date and time (hours and minutes) to schedule.

Job Information

Job Description

The system default job description, Default config polling job is displayed.
You cannot change this description.

E-mail

Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin
> System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with
the E-mail ID as the sender's address.
d.

Click OK.

Periodic Collection
a.

Select Enable for Configuration archive to perform a periodic check on the device to retrieve
configuration.

b.

Click Schedule.
The Config Collection Schedule dialog box appears.

Administration of Cisco Prime LAN Management Solution 4.2

8-44

OL-25947-01

Chapter 8

Administering Collection Settings


Defining the Configuration Collection Settings

Enter the following information:

c.

Field

Description

Scheduling

Run Type

You can specify when you want to run the configuration collection job.
To do this, select one of these options from the drop-down menu:

DailyRuns daily at the specified time.

WeeklyRuns weekly on the day of the week and at the specified time.

MonthlyRuns monthly on the day of the month and at the specified time.

The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has
completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will
start only at 10:00 a.m. on November 3.
Date

You can select the date and time (hours and minutes) to schedule.

Job Information

Job Description

The system default job description, Default config collection job is displayed.
You cannot change this description.

E-mail

Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with
the E-mail ID as the sender's address.
d.

Click OK.

VLAN config Collection


a.

Check the Disable VLAN config collection check box.

b.

Click Apply.

The VLAN config collection will be disabled for both manual and system config collection jobs. By
default the Disable VLAN Config collection checkbox is unchecked.
Step 3

Either click Apply to accept the new values provided.


Or
Click Cancel if you want to discard the changes and revert to previously saved values.
If you had clicked Apply, a message appears:
New settings saved successfully.

You can check the status of your scheduled job by selecting Admin > Jobs > Browser.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-45

Chapter 8

Administering Collection Settings

Configuring Transport Protocols

Configuring Transport Protocols


You can set the protocol order for Configuration Management features such as Archive Management,
Config Editor, and NetConfig jobs to download configurations and to fetch configurations. For NetShow
and VLAN Fetch, you can set the protocol order to download configurations.
This setup allows you to use your preferred protocol order for fetching and downloading the
configuration.
The available protocols are:

Telnet

TFTP (Trivial File Transport Protocol)

RCP (remote copy protocol)

SSH (Secure Shell)

SCP (Secure Copy Protocol)

HTTPS (Hyper Text Transfer Protocol Secured)

This section also explains:

Requirements to Use the Supported Protocols

Defining the Protocol Order

Requirements to Use the Supported Protocols


If the following requirements are not met, an error message appears.
To use this
Protocols

You must...

Telnet

Know Telnet passwords for login and Enable modes for device. If device is configured for TACACS authentication, enter Primary Username and Primary Password.

TFTP

Know read and write community strings for device.

RCP

Configure devices to support incoming rcp requests. To make sure the device is rcp-enabled, enter the
following commands in the device configuration:
# ip rcmd rcp-enable
# ip rcmd remote-host local_username {ip-address | host} remote_username [enable]
where ip_address | host is the IP address/hostname of the machine where LMS is installed. The default
remote_username and local_username are cwuser. For example, you can enter:
# ip rcmd remote-host cwuser 123.45.678.90 cwuser enable
Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS server.
To do this, use the command,
no ip rcmd domain-lookup for RCP to fetch the device configuration.

Administration of Cisco Prime LAN Management Solution 4.2

8-46

OL-25947-01

Chapter 8

Administering Collection Settings


Configuring Transport Protocols

To use this
Protocols
SSH

You must...
Know the username and password for the device. If device is configured for TACACS authentication, enter
the Primary Username and Primary Password.
Know password for Enable modes.
When you select the SSH protocol for the LMS applications (Configuration Archive, NetConfig, ConfigEditor, and NetShow) the underlying transport mechanism checks whether the device is running SSHv2.
If so, it tries to connect to the device using SSHv2.
If the device does not run SSHv2 and runs only SSHv1 then it connects to the device through SSHv1.
If the device runs both SSHv2 and SSHv1, then it connects to the device using SSHv2.
If a problem occurs while connecting to the device using SSHv2, then it does not fall back to SSHv1 for the
device that is being accessed.
Some useful URLs on configuring SSHv2 are:

Configuring Secure Shell on Routers and Switches Running Cisco IOS:


http://www.cisco.com/warp/public/707/ssh.shtml

How to Configure SSH on Catalyst Switches Running Catalyst OS:


http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml

Configuring the Secure Shell Daemon Protocol on CSS:


http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/c
onfiguration/security/guide/sshd.html

Configuration Examples and TechNotes:


http://www.cisco.com/en/US/tech/tk583/tk617/tech_configuration_examples

_list.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-47

Chapter 8

Administering Collection Settings

Configuring Transport Protocols

To use this
Protocols

You must...

SCP

Know the SSH username and password for the device.


To make sure the device is scp-enabled, enter the following commands in the device configuration.
To configure local User name:
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local

username admin privilege 15 password 0 system


ip ssh authentication-retries 4
ip scp server enable

To configure TACACS User name:


aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default none
aaa authorization exec default group tacacs+

ip ssh authentication-retries 4
ip scp server enable

User on the TACACS Server should be configured with privilege level 15:
user = admin {
default service = permit
login = cleartext "system"
service = exec {
priv-lvl = 15
}
}

HTTPS

Know the username and password for the device. Enter the Primary Username and Password in the Device
and Credential Repository.
To enable the configuration archive to gather the configurations using https protocol you must modify your
device configurations:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_installation_and_configuration_guides_list.html
This is used for VPN 3000 device.
The configuration archive uses Telnet/SSH to gather the module configurations of Catalyst 5000 family
devices and vlan.dat file in case of Catalyst IOS switches. Make sure you enter the correct Telnet and
Enable passwords.

Administration of Cisco Prime LAN Management Solution 4.2

8-48

OL-25947-01

Chapter 8

Administering Collection Settings


Configuring Transport Protocols

If you enabled TACACS for a device and configured custom TACACS login and passwords prompts,
you may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts
recognizable, you must edit the TacacsPrompts.ini file. See the procedure given in the Handling Custom
Telnet Prompts.
For module configs, the passwords on the module must be same as the password on the supervisor.
This section also explains Supported Protocols for Configuration Management Applications.

Supported Protocols for Configuration Management Applications


For supported protocol at individual device-level, you can either see:

The LMS device packages Online help. You can launch the LMS device packages Online help using
Help > Device Packages.
or

The Supported Protocols for Configuration Management table on Cisco.com:

http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html

Defining the Protocol Order


The following is the workflow for defining the protocol order for Configuration Management
applications to perform either Config fetch or Config update:

Note

Step 1

View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Select Admin > Collection Settings > Config > Config Transport Settings.
The Config Transport Settings dialog box appears.

Step 2

Go to the first drop-down list box, select the application for which you want to define the protocol order.

Step 3

Select a protocol from the Available Protocols pane and click Add.
If you want to remove a protocol, select the protocol and click Remove.
The list of protocols that you have selected appears in the Selected Protocol Order pane. The order of
protocols in the Selected Protocol Order pane can be changed using the Up and Down Buttons.
When a configuration fetch or update operation fails, an error message appears. This message displays
details about the supported protocol for the particular device and it modules, if there are any.
For the list of supported protocols, see Supported Device Table for Configuration Management
application on Cisco.com.

Step 4

Click Apply.
A message appears, New settings saved successfully.

Step 5

Click OK.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-49

Chapter 8

Administering Collection Settings

Overview: Common Syslog Collector

Overview: Common Syslog Collector


Common Syslog Collector (CSC) is a service to receive, filter and forward syslogs to one or more Syslog
Servers, thus reducing traffic on the network as well as processing load on the server.
The Common Syslog Collector can be installed on the LMS Server, or on a remote UNIX or Windows
machine, to process Syslog messages. You can uninstall the Syslog Collector later if you no longer want
to run it on a remote UNIX or Windows server.
Common Syslog Collector is a service that runs independently, listens for syslogs and forwards them to
the registered applications after necessary filtering. This way, the parsing/filtering is taken away from
the applications and each device sends only one copy of the processed, valid syslogs to the Common
Syslog Collector. Although CSC runs independently, it can run either remotely or locally on the machine
where an application is running.
The LMS server and the Syslog Collector exchange updates such as status, and filters.
You can configure the service to read syslogs from a specified file. This can be provided in a properties
file located at:
On Solaris/Soft Appliance:
NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/
Collector.properties
On Windows:
NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\
Collector.properties
See the Installing and Migrating to Cisco Prime LAN Management Solution 4.2, for the complete details.
In a scenario where the devices and the CSC may run in two different time zones, the syslogs will be
marked with timestamp of the CSC if they do not have a timestamp when they are received, or if the
format is not correct.
The device considers day-light-saving settings appropriately while putting the timestamps. CSC
supports all the time zones that LMS supports, and alternatively you can provide the time zone
information. See the Installing and Migrating to Cisco Prime LAN Management Solution 4.2, for the
complete details.
After the Syslog Analyzer has been registered with the Collector, it:

Receives the filters it needs from the LMS server to filter Syslog messages.

Sends status to the Syslog Analyzer process about the collected Syslog messages upon request from
the Analyzer, including the number of messages read, number of messages filtered, and number of
messages with bad syntax. It also forwards unfiltered messages to the Syslog Analyzer process.
If the Syslog Analyzer does not send any filters, then the Collector sends all the syslogs to the
Analyzer without filtering.

If you restart the LMS server, Syslog Collector will lose communication to the LMS server. Based on
the current filters, it continues to filter the syslogs and stores them in a local file:
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\server
name_port\DowntimeSyslogs.log
The Syslog Analyzer will automatically restore the connection after LMS server restart.
For the complete instructions on installing the Common Syslog Collector, see the Installing and
Migrating to Cisco Prime LAN Management Solution 4.2.

Administration of Cisco Prime LAN Management Solution 4.2

8-50

OL-25947-01

Chapter 8

Administering Collection Settings


Viewing Status and Subscribing to a Common Syslog Collector

Viewing Status and Subscribing to a Common Syslog Collector


Using the Syslog Collector Status dialog box you can:

Note

View the status of your Common Syslog Collector (see Viewing Common Syslog Collector Status)

Subscribe/Unsubscribe a Common Syslog Collector (see Subscribing to a Common Syslog


Collector)

Test Syslog Collector Subscription (see Testing Syslog Collector Subscription)

Understanding the Syslog Collector Properties File

View the Permission Report (Reports > System > Users > Permission) to check if you have the
required privileges to perform this task.

Viewing Common Syslog Collector Status


To view the status of the Common Syslog Collector to which the Syslog Analyzer is subscribed to,
follow this procedure:
Select Admin > Collection Settings > Syslog > Syslog Collection Settings.
The Collector Status dialog box appears, with this information:
Column

Description

Name

Hostname or the IP address of the host on which the Collector is installed.

Forwarded

Number of forwarded Syslog messages

Invalid

Number of invalid Syslog messages.

Filtered

Number of filtered messages. Filters are defined with the option Message Filters option (Admin > Network >
Notification and Action Settings > Syslog Message Filters, see Defining Syslog Message Filters.)

Dropped

Number of Syslog messages dropped.

Received

Number of Syslog messages received.

Up Time

Time duration for which the Syslog Collector has been up.

Update Time Date and time of the last update.


Time and time zone are those of the LMS Server.
Test
Collector
Subscription

Click to test a Syslog collector thats already subscribed or thats going to be subscribed.

Subscribe

Click to subscribe a Syslog collector.

Unsubscribe

Select the Syslog collector and click Unsubscribe to unsubscribe the Syslog collector.
If you want to refresh the information in this dialog box, click Update.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-51

Chapter 8

Administering Collection Settings

Viewing Status and Subscribing to a Common Syslog Collector

If you have restarted the LMS daemon manager, the Syslog Collector Status processes (under Admin >
Network > Syslog Collection Settings) may take 6-10 minutes to come up, after the Syslog Analyze
processes come up. In this interval you may see the following message:
Collector Status is currently not available.
Check if the SyslogAnalyzer process is running normally.

Wait for the Syslog Collector status process to come up and try again.
To subscribe to a Common Syslog Collector using the Subscribe button, see Subscribing to a Common
Syslog Collector.

Subscribing to a Common Syslog Collector


Before you subscribe to a Common Syslog Collector, ensure these pre-requisites are met:
Check whether:
1.

The Self-signed Certificates are valid. For example, check for the expiry date of the certificates on
both the servers.

2.

The Self-signed Certificates from this server are copied to the Syslog Collector server and
vice-versa.
To do this, select Admin > Trust Management > Multi Server > Peer Server Certificate Setup.
See Setting up Peer Server Certificate for more information.

3.

The SyslogCollector process on Syslog Collector server and SyslogAnalyzer process on this server,
are restarted after Step 2.

4.

Both hosts are reachable by host name.

To subscribe to a Common Syslog Collector:


Step 1

Select Admin > Collection Settings > Syslog > Syslog Collection Settings.
The Collector Status dialog box appears. For the information in the columns in the dialog box, see
Viewing Common Syslog Collector Status:

Step 2

Click Subscribe.
The following message appears:
Check if:
Self-signed Certificates from this server are copied to the Syslog Collector server and
vice-versa. You can perform this operation from Admin > System Administration >
Multiserver Management > Peer Server Certificate Setup screen.
2. Syslog Collector process on SyslogCollector server and SyslogAnalyzer process on this
server is restarted after step 1.
3. Both hosts are reachable by host name.
4. Certificates are valid.
The Subscribe Collector dialog box appears.

Step 3

Click OK. Enter the address of the Common Syslog Collector to which you want to subscribe to.

Step 4

Click OK.
The Syslog Analyzer server is subscribed to the specified Common Syslog Collector.

Administration of Cisco Prime LAN Management Solution 4.2

8-52

OL-25947-01

Chapter 8

Administering Collection Settings


Viewing Status and Subscribing to a Common Syslog Collector

If you are already subscribed to a Syslog collector, and you want to unsubscribe, select the collector and
click the Unsubscribe button.
If you want to test the Syslog collector subscription, select the collector and click Test Collector
Subscription. For more information see Testing Syslog Collector Subscription.

Testing Syslog Collector Subscription


You can test the status of the Syslog Collector that you have already subscribed or that you are going to
subscribe using the Test Collector Subscription button.
To test a Syslog collector:
Step 1

Select Admin > Collection Settings > Syslog > Syslog Collection Settings.

Step 2

The Collector Status dialog box appears. For the information on the dialog box, see Viewing Common
Syslog Collector Status.

Step 3

Either:

Select a Syslog collector and click Test Collector Subscription.

Test Collector Subscription popup window appears with the Syslog collector address.

Or

Step 4

Click Test Collector Subscription.

Enter the Syslog collector in the Test Collector Subscription popup window.

Click OK.
The Test Collector Subscription Status popup window appears, displaying the following status of the
Syslog collector:

SSL certificate statusStatus of the SSL Certificates. For example, SSL certificates are valid and
are properly imported. For more information see Syslog Collector Subscription Messages.

Collector statusStatus of the Syslog collector. For example, Collector is up and reachable. For
more information see Syslog Collector Subscription Messages.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-53

Chapter 8

Administering Collection Settings

Viewing Status and Subscribing to a Common Syslog Collector

Syslog Collector Subscription Messages

The following table provides the Syslog collector subscription status messages shown when you test the
subscription of a Syslog Collector:
Subscription
Status
SSL Certification

Problem/Info

Message

When there is an
issue with SSL
Certificate

SSL certificate issue occurred, check if:

1.

The Self-signed Certificates are valid. For


example, Check the certificate expiry date on the
servers.

2.

The Self-signed Certificates of this server are


copied to the Syslog Collector server and
vice-versa.
To do this, go to Admin > System Administration >
Multiserver Management > Peer Server Certificate
Setup and add the certificate. See the
Administration User Guide for LMS for more
details.

Collector

3.

The SyslogCollector process on Syslog Collector


server and the SyslogAnalyzer process in the
current working server are restarted after Step
2.

4.

Both hosts are reachable by hostname.

When the SSL


certificates are
valid

SSL certificates are valid and properly imported.

When the
hostname is not
DNS resolvable

Unknown host address. Check if the host is DNS


resolvable.

If the
SyslogCollector
process is down

SyslogCollector process is down. Check if the


SyslogCollector process is running on the port
<<port number>>.

Cannot check SSL connectivity because the Syslog


If the Syslog
Collector is down Collector is down.

If the Syslog
Collector is
reachable

Syslog Collector <<collector name> is up and


reachable.

Administration of Cisco Prime LAN Management Solution 4.2

8-54

OL-25947-01

Chapter 8

Administering Collection Settings


Viewing Status and Subscribing to a Common Syslog Collector

Understanding the Syslog Collector Properties File


After installing the Syslog Collector on a remote system, you need to check the Syslog Collector
Properties file to ensure that the Collector is configured properly.
The Syslog Collector Properties file is available at this location:
On Solaris/Soft Appliance:
$NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Collector.pr
operties
On Windows:
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.
properties
The following table describes the Syslog Collector Properties file:
Timezone-Related Properties

Description

TIMEZONE

The timezone of the system where the Syslog Collector is running. Enter
the correct abbreviation for the timezone. For example, the time zone for
India is IST.
For the correct Timezone abbreviation, see the Timezone file in the
following location:
On Solaris/Soft Appliance,
/opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/n
m/LMSng/fcss/data/TimeZone.lst
On Windows,
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco
\nm\LMSng\fcss\data\TimeZone.lst
See Timezone List Used By Syslog Collector.

COUNTRY_CODE

Country code for the Syslog Collector.


We recommend that you set the country code variable with the appropriate
country code, to make sure that the Syslog timestamp conversion works
correctly.
For example, if you are in Singapore, you must set the country code
variable as COUNTRY=SGP.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-55

Chapter 8

Administering Collection Settings

Viewing Status and Subscribing to a Common Syslog Collector

Timezone-Related Properties

Description

TIMEZONE_FILE

The path of the Timezone file. This file contains the offsets for the time
zones.
After installing the Syslog Collector, ensure that the offset specified in
this file is as expected. If it is not present or is incorrect, you can add the
Timezone offset as per the convention.
The default path is:
On Solaris/Soft Appliance,
opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/
cisco/nm/rmeng/fcss/data/TimeZone.lst
On Windows,
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco
\nm\rmeng\fcss\data\TimeZone.lst

General Properties
SYSLOG_FILES

Filename and location of the file from which syslog messages are read.
The default location is:
On Solaris/Soft Appliance:
/var/log/syslog_info
On Windows:
%NMSROOT%\log\syslog.log

DEBUG_CATEGORY_NAME

Name Syslog Collector uses for printed ERROR or DEBUG messages.


The default category name is SyslogCollector.
We recommend that you do not change the default value.

DEBUG_FILE

Filename and location of the Syslog Collector log file containing debug
information:
The default location is:
On Solaris/Soft Appliance,
/var/adm/CSCOpx/log/CollectorDebug.log
On Windows,
%NMSROOT%\log\CollectorDebug.log

DEBUG_LEVEL

Debug levels in which you run the Syslog Collector.


We recommend that you retain the default INFO, which reports
informational messages. Setting it to any other value might result in a
large number of debug messages being reported.
If you change the debug level, you must restart the Syslog Collector.
The values for the Debug levels are:

Warning

Debug

Error

Info

Administration of Cisco Prime LAN Management Solution 4.2

8-56

OL-25947-01

Chapter 8

Administering Collection Settings


Viewing Status and Subscribing to a Common Syslog Collector

Timezone-Related Properties

Description

DEBUG_MAX_FILE_SIZE

Maximum size of the log file containing the debug information.


The default is set to 5 MB.
If the file size exceeds the limit that you have set, Syslog Collector writes
to another file, based on the number of backup files that you have
specified for the DEBUG_MAX_BACKUPS property.
For example, if you have specified the number of backups as 2, besides
the current log file, there will be two backup files, each 5MB in size.
When the current file exceeds the 5 MB limit, Syslog Collector overwrites
the oldest of the two backup files.

DEBUG_MAX_BACKUPS

The number of backup files that you require. The size of these will be the
value that you have specified for the DEBUG_MAX_FILE_SIZE
property.

Miscellaneous Properties
READ_INTERVAL_IN_SECS

Interval at which the Collector polls the syslog file.


The default is set to 1 second.

QUEUE_CAPACITY

Size of the internal buffer, for queuing syslog messages.


The default is set to 100000

PARSER_FILE

File that contains the list of parsers used while parsing syslog messages.
The default path of the parser file:
On Solaris/Soft Appliance,
opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/
cisco/nm/LMSng/fcss/data/FormatParsers.lst
On Windows,
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco
\nm\rmeng\fcss\data\FormatParsers.lst

SUBSCRIPTION_DATA_FILE

Syslog Collector data file that contains the information about the Syslog
Analyzers that are subscribed to the Collector.
The default path of the data file:
On Solaris/Soft Appliance,
opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/
cisco/nm/rmeng/csc/data/Subscribers.dat
On Windows,
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco
\nm\rmeng\csc\data\Subscribers.dat

FILTER_THREADS

Number of threads that operate at a time for filtering syslog messages. The
default is set to 1.

COLLECTOR_PORT

Default port of the Syslog Collector. The default is set to 4444.


The port where the collector listens for registration requests from Syslog
Analyzers.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

8-57

Chapter 8

Administering Collection Settings

Viewing Status and Subscribing to a Common Syslog Collector

Timezone List Used By Syslog Collector


The timezone of the system where the Syslog Collector is running. In the Syslog Collector Properties
file, you must enter the correct abbreviation for the timezone. See Understanding the Syslog Collector
Properties File.
For the correct Timezone abbreviation, see the Timezone file in the following location:
$NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/TimeZone.l
st
Each entry in the TimeZone.lst file represents a timezone abbreviation, and its offset from GMT. Each
offset here is 10 multiplied by the actual offset. For example, the actual offset for IST is 5.5 hours, and
the corresponding entry here is 55.
You must use the same method while modifying it.
The following is the timezone list used by Syslog Collector:
Time Zone List Used by Syslog Collector
ACT=95

ADT=30

AET=100

AEST=100

AGT=-30

AHST=-100

ART=20

AST=-90

AT=-20

BET=-30

BST=10

BT=30

CAT=10

CCT=80

CDT=-50

CEST=20

CET=10

CNT=-35

CST=-60

CTT=80

EADT=-110

EAST=100

EAT=30

ECT=10

EDT=-40

EET=20

EST=-50

FST=-20

FWT=10

GMT=0

GST=100

HDT=90

HST=-100

IDLE=120

IDLW=-120

IET=-50

IST=55

JST=90

MDT=-60

MEST=-20

MESZ=-20

MET=10

MEWT=10

MIT=-110

MST=-70

MYT=80

NET=40

NST=120

NT=-110

NZDT=130

NZST=120

NZT=120

PDT=-70

PLT=50

PNT=-70

PRT=-40

PST=-80

SST=110

SWT=10

UTC=0

VST=70

WADT=-80

WAST=70

WAT=-10

YDT=-80

YST=-90

ZP4=40

ZP5=50

ZP6=50

Administration of Cisco Prime LAN Management Solution 4.2

8-58

OL-25947-01

CH A P T E R

Monitoring and Troubleshooting Settings


Monitoring and Troubleshooting Settings in the Admin menu groups all the administrative tasks that you
need to perform to monitor and troubleshoot your network using LMS.
This section contains:

Configuring Fault Poller Settings For Topology

Loading MIB Files

Configuring RMON

Configuring Topology Settings

Configuring Fault Poller Settings For Topology


To display Fault Poller information in Topology Maps and N-Hop view portlet, you have to enable
polling as follows:
Step 1

Select Admin > Network > Monitor / Troubleshoot > Fault Poller settings for topology.
The Fault Monitor Poller Settings page appears.

Step 2

Select the Poll Fault Monitor Server for alerts check box.
If you try to apply the settings when Fault Monitor module is not installed on a local or remote server,
you will get an error message indicating the same.
If Fault Monitor module is enabled, the list of LMS servers detected is displayed above this check box.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

9-1

Chapter 9

Monitoring and Troubleshooting Settings

Loading MIB Files

You can enable this option, only if:


Fault Monitor module is installed in the local LMS Server or on a remote LMS Server in the

master slave mode.


AND
LMS has detected the Fault Monitor server.

If Fault Monitor module is installed after running Data Collection, either run Data Collection or restart
ANI Server before enabling the above setting.
Step 3

Set the time interval at which the polling should occur.


Fault Monitor updates the latest event information every 6 minutes. So the time interval can be a value
between six minutes and fifty nine minutes, fifty nine seconds.

Step 4

Click Apply. The settings are saved to the server and polling starts within six minutes of the
configuration.
In addition to this, you can restrict the type of LMS event displayed in your machine. For example you
can choose to display only critical events in Topology maps.
The event information fetched from Fault Monitorserver can be launched from Topology Maps and
N-Hop view portlet, by right clicking on the required device.

Loading MIB Files


You can load a new MIB file into LMS using the Load MIB option. The new MIB file is compiled and
stored in LMS. You can use the new MIB file to create new templates by grouping MIB variables, to do
this select Monitor > Performance Settings > Setup > Templates. For more information, see Creating
a Template in Monitoring and Troubleshooting Online Help.
You can load MIB files with the file extension .my.
To load a MIB file:
Step 1

Select Admin > Network > Monitor / Troubleshoot > Load MIB.
The Load MIB dialog box appears.
Table 9-1 describes the field in the Load MIB dialog box.
Table 9-1

Load MIB Fields

Field

Description

MIB file

Use the Browse button to load a MIB file from a directory location.
For example, RFC1213-MIB.my
You are allowed to load a MIB file only from the following directory path:

In Windows, $NMSROOT\hum\mibmanager\mibcompiler\mibs

In Solaris/Soft Appliance, $NMSROOT/hum/mibmanager/mibcompiler/mibs

$NMSROOT is the default Cisco Prime LMS installation directory.

Administration of Cisco Prime LAN Management Solution 4.2

9-2

OL-25947-01

Chapter 9

Monitoring and Troubleshooting Settings


Loading MIB Files

Step 2

Click Browse to select the MIB file from a directory location.


The Server Side File Browser dialog box appears.

Step 3

Double-click the MIB file from the directory location.

Step 4

Click Apply to load the MIB file into LMS or Cancel to cancel the operation.
You will be able to load and compile a new MIB file into LMS only when its dependent MIB files are
available in the directory location.
For example,
To load and compile RFC1213-MIB, the dependent MIB files for RFC1213-MIB (RFC1155-SMI and
RFC-1212) must also be available at the same directory location. If the dependent MIB files are not
available, an appropriate error message is displayed and RFC1213-MIB does not compile.
The dependent MIB files are case sensitive, the names of these dependent MIB files should be the same
as the MIB files names present in the definition files. Load only version2 MIB.
The following is the list of basic dependent MIBs that will be required for loading other MIBs in LMS:

RMON2-MIB.my

BRIDGE-MIB.my

RFC-1215.my

INET-ADDRESS-MIB.my

P-BRIDGE-MIB.my

Q-BRIDGE-MIB.my

CISCO-NETFLOW-MIB.my

CISCO-STACK-MIB.my

TOKEN-RING-RMON-MIB.my

RFC-1212.my

RMOM-MIB.my

RFC1155-SMI.my

RFC1213-MIB.my

SNMP-FRAMEWORK-MIB.my

CISCO-SMI.my

ENTITY-MIB.my

FDDI-SMT73-MIB.my

CISCO-VTP-MIB.my

SNMPv2-TC.my

SNMPv2-SMI.my

SNMPv2-MIB.my

SNMPv2-CONF.my

IF-MIB.my

IANAifType-MIB.my

EXPRESSION-MIB

CISCO-CLASS-BASED-QOS-MIB

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

9-3

Chapter 9

Monitoring and Troubleshooting Settings

Loading MIB Files

CISCO-VOICE-DIAL-CONTROL-MIB

CISCO-IPSEC-MIB

HOST-RESOURCES-MIB

CISCO-POP-MGMT-MIB

RMON-MIB

CISCO-PORT-QOS-MIB

DIAL-CONTROL-MIB

CISCO-DIAL-CONTROL-MIB

CISCO-VOICE-COMMON-DIAL-CONTROL-MIB

CISCO-VOICE-DNIS-MIB

PerfHist-TC-MIB

CISCO-QOS-PIB-MIB

INT-SERV-MIB

CISCO-ENERGYWISE-MIB

CISCO-FRAME-RELAY-MIB

CISCO-POWER-ETHERNET-EXT-MIB

CISCO-TC

CISCO-VTP-MIB

DS1-MIB

RFC1271-MIB

To view the list of more dependent MIBs go to:


http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2 The compiled MIB file
appears in the Show MIB drop-down list in Select MIB Variables page.

Administration of Cisco Prime LAN Management Solution 4.2

9-4

OL-25947-01

Chapter 9

Monitoring and Troubleshooting Settings


Configuring RMON

Configuring RMON
You can enable RMON to measure Bandwidth Utilization for Topology.
Bandwidth Utilization is the measure of traffic flowing across a link. LMS highlights bandwidth
utilization across links, in the Topology maps. It computes the bandwidth utilization by taking the best
estimate of the mean physical layer network utilization on the links, during the sampling time interval.
In Topology Map, LMS can differentiate the links using colors, based on the bandwidth utilized by them.
You can customize the filters to display bandwidth utilization.
For more details, see Customizing Bandwidth Utilization Filters in Monitoring and Troubleshooting
Online Help.
This section contains:

Note

Modifying the Parameters

Enabling RMON on All Ports in Selected Devices

Enabling RMON on Selected Ports in Selected Devices

Disabling RMON

LMS computes bandwidth utilization only on ethernet links, and not on any other type of link.
To compute bandwidth utilization in Campus Manager , you must enable Remote Monitoring (RMON).
Enabling RMON depends on two parameters.
Parameters to Compute Bandwidth Utilization

Enabling RMON depends on the following parameters:

Bucket SizeNumber of samples (incoming and outgoing packets) that will be examined for a
given point of time.

IntervalDuration for which samples are to be collected.

The default values for Bucket Size and Interval are 10 and 300 respectively. Though you cannot edit the
values through the user interface of Campus Manager , you can reconfigure these values through
command line interface. For more details see Modifying the Parameters.
Campus Manager computes bandwidth utilization only for those devices that have the same parametric
values as configured and displayed in the RMON Settings page. This application allows you to configure
only the same parametric values on all link ports. This is to avoid conflicts in computation.
Enabling RMON on Ports

LMS allows you to enable RMON on:

All Ports in selected devices. For details, see Enabling RMON on All Ports in Selected Devices

Selected Ports in selected devices, see Enabling RMON on Selected Ports in Selected Devices

Campus Manager highlights links in the Topology Map even if the devices are managed by other
applications such as HPOV, or CiscoView.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

9-5

Chapter 9

Monitoring and Troubleshooting Settings

Configuring RMON

Modifying the Parameters


The default Bucket Size is 10 and the Interval is 300 seconds. Campus Manager does not compute
bandwidth utilization for the links whose ports have different Interval values.
You can configure new values for the parameters in the ANIServer.properties file. To reconfigure the
values, you must restart the ANI server so that the file takes the new value.
For computing bandwidth utilization, Campus Manager takes only the latest values in the
ANIServer.properties file. You must reconfigure the link ports according to the values set in the
properties file for Topology Map to highlight the links.
You must reconfigure the parametric values before you enable RMON on ports.

Note

You must configure the same value for Interval across the devices.
To reconfigure the values:

Step 1

Enter pdterm ANIServer at the command line to stop the ANI server.

Step 2

Go to NMSROOT/campus/etc/cwsi/ANIServer.properties.

Step 3

Modify the values of the properties, RMON.interval for Interval and RMON.bucketSize for the Bucket
Size.
The maximum value that you can enter for RMON.interval is 3600 seconds (One hour).

Step 4

Enter pdexec ANIServer at the command line to start the ANI server.

After modifying the bucket size and interval, enable RMON in devices as explained in Enabling RMON
on All Ports in Selected Devices or Enabling RMON on Selected Ports in Selected Devices.
You can use RMON.percentageTolerance property in the ANIServer.properties file to provide a value for
the Interval in a range. This is a hidden property that creates a range for the Interval value.
The property adds a value to the current interval that forms the upper limit and subtracts a value from
the current interval that forms the lower limit of the range. The default hidden value is 10 percent of the
interval.
For example, if the value provided in the ANIServer.properties file is 300, the range will be 270-330.
Thus, the samples are collected for the range of 270 to 330 seconds.
If you want to change this default value, you must:
Step 1

Stop the ANI server.

Step 2

Enter pdterm ANIServer at the command line to stop the ANI server.

Step 3

Go to NMSROOT/campus/etc/cwsi/ANIServer.properties.

Step 4

Enter RMON.percentageTolerance=value.

Step 5

Start the ANI server.

Step 6

Enter pdexec ANIServer at the command line to start the ANI server.

Administration of Cisco Prime LAN Management Solution 4.2

9-6

OL-25947-01

Chapter 9

Monitoring and Troubleshooting Settings


Configuring RMON

Enabling RMON on All Ports in Selected Devices


To enable RMON on all ports in selected devices:
Step 1

Select Admin > Network > Monitor / Troubleshoot > RMON Configuration.
The Enable RMON dialog box appears. The Device Selector pane displays a list of all devices.

Step 2

Select the check box corresponding to the devices for which you want to enable RMON.
The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as
300.
For a Bucket Size of 10, and interval of 300 seconds, LMS collects 10 samples of bandwidth utilization
across links over a period of 50 minutes, with an interval of 5 minutes (300 seconds).
To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters,
repeat all the steps listed in this section, for enabling RMON with the new parameters.

Step 3

Check the Configure on all links check box to configure all the ports of the selected devices in the
Device Selector.

Step 4

Click Configure to enable RMON on all the ports in the selected devices.
The following command is configured on the selected ports:
rmon collection history

integer owner ownername buckets bucket-number interval seconds

Example:
rmon collection history

4 owner campusmanager buckets 10 interval 300

Enabling RMON on Selected Ports in Selected Devices


To enable RMON on selected ports in selected devices:
Step 1

Select Admin > Network > Monitor / Troubleshoot > RMON Configuration.
The Enable RMON dialog box appears. The Device Selector pane displays the list of devices.

Step 2

Select the check box corresponding to the devices for which you want to enable RMON.
The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as
300.
For a Bucket Size of 10, and interval of 300 seconds, Campus Manager collects 10 samples of bandwidth
utilization across links over a period of 50 minutes, with an interval of 300 seconds (5 minutes).
To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters,
repeat all the steps listed in this section, for enabling RMON with the new parameters.

Step 3

Uncheck the Configure on all Links check box since it is checked by default.

Step 4

Click Select links to select the ports for which you want to enable RMON.
It displays the list of ports in the selected devices. For details on the list displayed, see Table 9-2.
The Select Links check box is enabled only when you uncheck the Configure on all links check box.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

9-7

Chapter 9

Monitoring and Troubleshooting Settings

Configuring Topology Settings

Table 9-2

Select Links for RMON Configuration Column Description

Column

Description

Port

Name of the port.

Device Name

Name of the device where the port is connected.

Device Address

The IP address of the device.

isLink

True

is displayed for link ports and False for a non-link port.

Step 5

Select check boxes corresponding to the ports for which you want to enable RMON.

Step 6

Click Configure to enable RMON on the selected ports.


The following command is configured on the selected ports:
rmon collection history

integer owner ownername buckets bucket-number interval seconds

Example:
rmon collection history

4 owner campusmanager buckets 10 interval 300

Disabling RMON
After you have enabled RMON on a device through LMS, you can disable it using Command Line
Interface (CLI) only.
Commands to Disable RMON

For a device running Cisco IOS, enter the following command at the CLI prompt:
no rmon

For a device running Catalyst operating system, enter the following command at the CLI prompt
set snmp rmon disable

Configuring Topology Settings


You can configure the following Topology Settings:

Restrict Topology Maps to display only authorized devices.


For details, see Viewing Restricted Topology.

Configure LMS to fetch event information from Fault Monitor, and display it in Topology Maps.
For details, see Configuring Fault Poller Settings For Topology.

Administration of Cisco Prime LAN Management Solution 4.2

9-8

OL-25947-01

Chapter 9

Monitoring and Troubleshooting Settings


Configuring Topology Settings

Viewing Restricted Topology


Topology Maps display all the devices discovered by LMS.
To view the Restricted Topology:
Step 1

Select Admin > Network > Monitor / Troubleshoot > Restricted Topology View.
The configuration screen is displayed.

Step 2

Select Display Only the Authorized devices in Topology Maps.

Step 3

Click Apply.
Topology Maps display only the devices you are authorized to view. If Topology Services is already
launched, close it and relaunch for the change to take effect.

Important Notes

If you change the management IP address of an authorized device:

It becomes an unauthorized device.

The device is not shown in Topology maps in the consecutive relaunches.

When the changed IP address is given as root in N-hop view portlet, it results in an error.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

9-9

Chapter 9

Monitoring and Troubleshooting Settings

Configuring Topology Settings

Administration of Cisco Prime LAN Management Solution 4.2

9-10

OL-25947-01

CH A P T E R

10

Notification and Action Settings


The Notification and Action Settings groups all the administrative tasks involved in setting up
notification, syslog settings. You can also customize the names and event severity, create and activate a
notification subscriptions, and setup up automated actions for Change Audit tasks and syslogs.
This section contains:

Understanding Notifications and Subscriptions

Customizing LMS Events

Configuring Event Sets and Notification Groups for Subscriptions

Managing Fault SNMP Trap Notifications

Managing Fault E-Mail Configurations

Managing Fault Syslog Notifications

Configuring Fault SNMP Trap Receiving and Forwarding

Performance SNMP Trap Notification Groups

Performance Syslog Notification Groups

Defining Automated Actions

Defining Syslog Message Filters

Inventory and Config Collection Failure Notification

IPSLA Syslog Configuration

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-1

Chapter 10

Notification and Action Settings

Understanding Notifications and Subscriptions

Understanding Notifications and Subscriptions


To use Notification Services, you must create and activate a notification subscription. The subscription
requires a Notification group component. This component specifies the notification criteria (the devices
to monitor, how severe an event must be to be reported, and so forth).
Optionally the notification group can also contain an Event set listing the events you want to monitor;
this is useful when you do not want to monitor all events that occur on a device. Notification groups can
be static or dynamic. The Fault Management module in LMS 4. 0 can be set up to have either static
notification groups or dynamic notification groups.

If you work with static groups, no further devices can be added to those groups.

If you set up dynamic groups, then any device that fits the criteria for the groups will be added to
those groups.

After you have configured your subscription, you can name it according to your needs. Regardless of
whether you configure SNMP Trap, E-Mail, or Syslog notifications, you must always create a
subscription containing a notification group. The final step in configuring your notification subscription
is specifying the notification recipients.

Note

If a subscription is monitoring all events on a device (by not using an event set), and another subscription
is monitoring only specific events on a device, you will receive duplicate notifications.
Notification Services tracks events on device types, not on device components.
For details on Notifications and Subscriptions, see the following topics:

Creating a Notification Subscription

Notification Types

Notification Replay

Subscriptions

Events

Creating a Notification Subscription

To create a notification subscription, perform the following steps:


1.

If you want to monitor a specific set of events, create an event set that contains the events you want
to monitor. Otherwise, all events will be monitored.

2.

Create a notification group that specifies the criteria the Fault Management module should use when
generating notifications:

One or more event sets (if no event set is specified, all events are monitored)

Devices, event severity and status

You can specify the notification group name, along with entering identifying information (using the
Customer ID and Customer Revision fields).

Administration of Cisco Prime LAN Management Solution 4.2

10-2

OL-25947-01

Chapter 10

Notification and Action Settings


Understanding Notifications and Subscriptions

3.

Create a subscription by doing the following:


a. Select the notification type (SNMP Trap, E-Mail, or Syslog).
b. Name the subscription and apply a notification group to it.
c. Specify the recipients (hostname, e-mail address).
d. Save the subscription. It will automatically start running.

4.

Customize the subject of the e-mail by doing the following:


a. Select the subject from the available list
b. Add to the selected list
c. Arrange the order of the subjects
d. Save the customization of the e-mail subject

Notification Types

The Fault Management module in LMS 4.2 provides three types of notifications:

SNMP Trap NotificationFault Management module generates traps with information about the
events that caused it. CISCO-EPM-NOTIFICATION-MIB defines the trap message format. For
more information, see Notification MIB in Monitoring and Troubleshooting Online Help. LMS can
also generate SNMP trap notifications for specified events.
Using SNMP trap notification is different from forwarding raw traps to another server before they
have been processed by LMS.

E-mail NotificationLMS generates e-mail messages containing information about the events that
caused it. CISCO-EPM-NOTIFICATION-MIB defines the message, which is included in the e-mail
in text format. You can specify that you want the e-mail to only contain an informational subject
line or can customize the e-mail subject. For information on the customizing the e-mail subject, see
Managing Fault E-Mail Subject Customization.

Syslog NotificationLMS generates Syslog messages that can be forwarded to Syslog daemons on
remote systems.

All notifications have a default maximum message size of 250 characters. You can reset this variable to
any value between 250 and 1024 characters by editing the notification properties file.
To do this:
Procedure
Step 1

Open the configuration file NMSROOT/objects/nos/config/nos.properties.

Step 2

Locate the following lines and change the value to any value up to 1024 characters:
MAX_TRAP_DES=250
MAX_EMAIL_DES=250
MAX_SYSLOG_DES=250

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-3

Chapter 10

Notification and Action Settings

Understanding Notifications and Subscriptions

Step 3

Stop and restart the Cisco Prime daemon manager on the LMS server.
a.

Stop the daemon manager:


On Windows:
net stop crmdmgmt

On Solaris/Soft Appliance:
/etc/init.d/dmgtd stop

b.

Restart the daemon manager:


On Windows:
net start crmdmgmt

On Solaris/Soft Appliance:
/etc/init.d/dmgtd stop

Notification Replay

You can configure LMS to replay notifications in the event that LMS has to be restarted. Edit the file
/opt/CSCOpx/objects/nos/config/nos.properties as follows:
To do this, set the value SEND_NOTIF_ON_START=1 to enable this feature. When the value is set to
the default value (0), the notifications will not be replayed.
Subscriptions

LMS sends notifications based on user-defined subscriptions. You can create up to 32 notification
subscriptions. A subscription for SNMP trap notification or e-mail notification includes the following
common elements, as determined by the CISCO-EPM-NOTIFICATION-MIB:

DevicesThe devices or device groups of importance to the recipients.

Event severity and statusOne or more event severity levels and status. You can also customize the
names of the events used by Notification Services, and Fault History. See Customizing LMS Events.

RecipientsOne or more hosts to receive SNMP traps or users to receive e-mail. For Syslog
notifications, the recipient would be the remote host containing a Syslog daemon configured to
listen for Syslog messages.

NameA user-defined name to identify the subscription.

Subscriptions are based on user-configured event sets and notification groups. See Configuring Event
Sets and Notification Groups for Subscriptions for more information.
Events

LMS sends notifications whenever an event occurs that matches a subscription. For each event, LMS
compares the device, severity, and state against subscriptions and sends a notification when there is a
match. Matches can be determined by user-configured event sets and notification groups.
The procedure for configuring notification groups is described in Configuring Event Sets and
Notification Groups for Subscriptions.

Administration of Cisco Prime LAN Management Solution 4.2

10-4

OL-25947-01

Chapter 10

Notification and Action Settings


Customizing LMS Events

LMS assigns one severity to each event and changes the state of an event over time, responding to user
input and changes on the device. Table 10-1 lists values for severity and explains how the state of an
event changes over time.

Note

You can change event names to names that are more meaningful to you. See Customizing LMS Events.
Table 10-1

Event Severity and Status

LMS categorizes events by severity and status


Severity

Critical
Informational

Status

ActiveThe event is live.

ACKA user has manually acknowledged the event. A user can


acknowledge only active events.

ClearedThe event is no longer active.

Events that have been cleared either expire or, if associated with a suspended
device, remain in LMS until a user resumes or deletes the device.

Customizing LMS Events


Notification Services allows you to customize the names and event severity in LMS.

Customizing Names: When you customize an event name, that name is reflected in all notifications,
and in Fault History. The new event name is used for all instances of an event, regardless of the
component on which the event occurs. You can easily revert to the default event names as needed.
The Notification Customization page also lists the new name and default name, so you can easily
check which names have been changed.

Customizing Event Severity: The event severity can be customized using the New Event Severity
feature. You can select Critical or Warning or Informational from the drop-down list.

To customize names and event severity:


Step 1

Select Admin > Network > Notification and Action Settings > Fault Notification Customization.
The Notification Customization page appears.

Step 2

Select the event names you want to customize by clicking the check box beside each event name.

Step 3

Enter your new names in the New Event Description fields.

Step 4

Select the event severity from the New Event Severity drop-down list.
You can select Critical or Informational.

Step 5

Enter any notes for information in the Troubleshooting Information field.

Step 6

Click Save to save your changes locally.

Step 7

Click Apply for the saved settings to take effect.


The confirmation window appears.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-5

Chapter 10

Notification and Action Settings

Configuring Event Sets and Notification Groups for Subscriptions

Step 8

Click Yes.
The changes are applied to LMS.
To revert to default event names:
a.

From the Notification Customization page, select the events you want to restore to their default
names, and click Restore factory settings.

b.

Apply your changes by clicking Yes when the confirmation window appears.

Configuring Event Sets and Notification Groups for


Subscriptions
Before you can create an SNMP trap or an e-mail or Syslog notification subscription, you must create a
notification group. Creating event sets is optional.

Event sets list the events you want monitored for notifications

Notification groups contain the criteria that LMS should use when generating a notification:
One or more event sets, or all events
Devices
Event status and severity
Fields for user-specified additional information you want to include with the subscription

Creating event sets and notification groups are described in the following topics:

Configuring Event Sets

Configuring Fault Notification Groups

Configuring Event Sets


Event sets are groups of the events you want to monitor. You can create up to nine event sets, labeled A
through I.
After you have created an event set, you can apply as many of them as you want to a notification group,
thereby tracking the specific events in which you are interested. If you do not specify an event set, LMS
will monitor all events for notifications.

Note

If a subscription is monitoring all events on a device (by not using an event set), and another subscription
is monitoring only specific events on a device, you will receive duplicate notifications.

Administration of Cisco Prime LAN Management Solution 4.2

10-6

OL-25947-01

Chapter 10

Notification and Action Settings


Configuring Event Sets and Notification Groups for Subscriptions

To configure event sets:


Step 1

Select Admin > Network > Notification and Action Settings > Event Sets:
The Event Sets page appears. The page contains the following information:
Field

Description

Select/Unselect All for Event Set Select an Event Set from the drop-down list.

Step 2

Step 3

Event Code

Notification Services code for the event. This number cannot be


changed and is used to map default names to customized names.

Description

Event description (user-defined or default).

Severity

Event severity.

A-I

Event set label. If an X appears in this column, the corresponding


event belongs to that event set.

For each event set you want to configure, select events by doing either of the following:

Select specific events by clicking the editable field under the label, and selecting X.

Select or deselect all events for an event set using the Select or the Deselect button.

Click Apply.
If you want to create a notification subscription, first create a notification group that uses your event set.
See Configuring Fault Notification Groups.

Configuring Fault Notification Groups


When you set up a subscription, LMS lets you choose from existing notification groups. You can then
configure an SNMP trap or an e-mail or Syslog notification to use a specific notification group. The
notification groups contains the following information:

One or more event sets, if desired (otherwise, the notification group will contain all events)

Devices

Event status and severity

Fields for user-specified additional information you want to include with the subscription

Whether the group is static or dynamic

You can configure a maximum of 64 notification groups.


Notification Services will not refilter the devices if there is a change in the device list you may access.
This section contains: Setting Up a Fault Notification Group as Static or Dynamic

Note

You cannot delete a notification group that is being used by a running subscription.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-7

Chapter 10

Notification and Action Settings

Configuring Event Sets and Notification Groups for Subscriptions

To configure Fault Notification groups:


Step 1

Select Admin > Network > Notification and Action Settings > Fault Notification Group.

Step 2

Click Add to create a notification group.


The Notification Group Save: Add page appears. (If you want to edit or delete a notification group, click
the appropriate button and follow the instructions.)

Step 3

Specify the devices, event sets (if desired), and event severity and status. Click Next.
If a subscription is monitoring all events on a device (by not using an event set), and another subscription
is monitoring only specific events on a device, you will receive duplicate notifications.
With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To
assist you in locating devices, use the search option in the mega menu.

Step 4

Specify the notification group name, and enter any desired identifying information in the Customer ID
and Customer Revision fields.

For e-mail and Syslog notifications, if you leave these fields blank, they are left blank in the
notification.

For SNMP trap notifications, if you leave these fields blank, they are displayed as followed in any
notifications:
Customer ID: Customer Revision: *

Step 5

Click Next.

Step 6

Create the notification group by clicking Finish.

Step 7

To create a notification subscription, follow the instructions in one of these topics:

Adding an SNMP Trap Notification Subscription

Adding and Editing an E-Mail Notification Subscription

Adding a Syslog Notification Subscription

Setting Up a Fault Notification Group as Static or Dynamic


Fault Notification groups in LMS can be static or dynamic. If you set up LMS to include static groups,
mappings between the list of the devices and the notification events for those devices are generated. You
cannot add devices to or delete devices from a static group.
If you set up LMS to have dynamic groups, then any device that fits the criteria for a group will be added
to that group. You can also delete devices from a dynamic group.
When a device is added to a group, all similar devices are also added. For example, if you have ten
routers in the network and create a dynamic group that contains five of these routers, when you add an
eleventh router, that router is added to the group along with the other five routers. The group would then
contain all eleven routers.

Note

Notification groups can be static or dynamic; you cannot have a mix of group types.

Administration of Cisco Prime LAN Management Solution 4.2

10-8

OL-25947-01

Chapter 10

Notification and Action Settings


Managing Fault SNMP Trap Notifications

To set up LMS to include dynamic groups, edit the file /opt/CSCOpx/objects/nos/config/nos.properties


and set the following value:
DYNAMIC_NOTIF_GROUPS=1
For additional information, see the following topics:

Customizing LMS Events

Configuring Event Sets

Managing Fault SNMP Trap Notifications


The SNMP Trap Notifications page displays the following information:

SubscriptionThe name of the user-defined request for notification.

StatusThe subscription status; can be either of the following:


RunningLMS is using the subscription while monitoring events to determine when to send a

notification.
SuspendedLMS will not use the subscription unless you resume it.

Notification GroupThe name of notification group that is applied to the subscription.

You are completely in control of subscriptions. LMS does not delete subscriptions under any
circumstances.
From the SNMP Trap Notifications page, you can perform the tasks listed in Table 10-2.
Table 10-2

Task

SNMP Trap Notification Subscriptions

Sample Usage

Reference

Add

Add a subscription that will send SNMP trap notification Adding an SNMP Trap
for one device with an event of any severity (critical or Notification Subscription
informational) and any status (active, acknowledged, or
cleared).

Edit

View the notification group and hosts that comprise the


subscription.

Change the trap recipients/notification groups that


comprise the subscription.

Temporarily stop sending SNMP trap notifications to a


host.

Temporarily stop sending SNMP trap notifications about


a device group.

Start sending SNMP trap notifications to a host again.

Start sending SNMP trap notifications about a device


group using a previously suspended subscription.

Remove SNMP trap notification subscriptions that are no Deleting an SNMP Trap
Notification Subscription
longer useful.

Remove redundant SNMP trap notification


subscriptions.

Suspend

Resume

Delete

Editing an SNMP Trap


Notification Subscription

Suspending an SNMP
Trap Notification
Subscription
Resuming an SNMP Trap
Notification Subscription

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-9

Chapter 10

Notification and Action Settings

Managing Fault SNMP Trap Notifications

Adding an SNMP Trap Notification Subscription


After you add a subscription for SNMP trap notification, generated SNMP traps are forwarded to the
hosts you specify until you change, suspend, or delete the subscription.

Note

Adding a subscription is a multi-step process. Your changes are not saved until you click the Finish
button on the final page.
Before You Begin

You must create a notification group before you can create an SNMP trap notification subscription. Refer
to Configuring Fault Notification Groups.
To add an SNMP trap notification subscription:
Step 1

Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.

Step 2

Click Add.

Step 3

Complete the Trap Subscription Save: Add window:


a.

Enter a subscription name.

b.

Select a notification group.


If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate
the Recipients from Upgrade check box. (This choice is only available for systems that have been
upgraded from earlier versions of LMS.)

c.
Step 4

Click Next.

Enter one or more hosts as recipients for traps:


a.

For each host, enter:

An IP address or DNS name for the hostname.


Restart the NOSServer to pick up the change in the host name when host name is used for the
trap server and there is a change in that host name.

b.
Step 5

A port number on which the host can receive traps. If the port number is unspecified (empty),
the port defaults to 162. (You can verify this in Step 5.)

A comment. (This is optional).

Click Next.

Review the information that you entered and click Finish.


The SNMP Trap Notifications page is displayed, showing the new subscription.

Note

No information is saved until you complete Step 5.

Administration of Cisco Prime LAN Management Solution 4.2

10-10

OL-25947-01

Chapter 10

Notification and Action Settings


Managing Fault SNMP Trap Notifications

Editing an SNMP Trap Notification Subscription


You can edit an SNMP trap notification subscription regardless of its status (Running or Suspended).
After you edit an SNMP trap notification subscription, if the subscription status is Running, traps are
forwarded as specified until you edit, suspend, or delete the subscription. Editing a suspended
subscription automatically resumes it.

Note

Editing a subscription is a multi-step process. Your changes are not saved until you click the Finish
button on the final page.

Step 1

Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.

Step 2

Select the subscription you want to edit by clicking the radio button beside it.

Step 3

Click Edit.
No information is saved until you complete Step 5.

Step 4

Edit the Trap Subscription Save: Edit window:


a.

Change the subscription name.

b.

Select another notification group.


If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate
the Recipients from Upgrade check box. (This choice is only available for systems that have been
upgraded from earlier versions of LMS.)

c.
Step 5

Add or delete a recipient host or change the port number for a host:
a.

Step 6

Click Next.
To add one or more recipients, for each host, enter:

An IP address or DNS name for the hostname.

A port number on which the host can receive traps. If the port number is unspecified (empty),
the port defaults to 162. (You can verify this in Step 6.)

A comment. This is optional.

b.

To delete a recipient, delete the hostname, port number, and comment, if any.

c.

Click Next.

Review the information that you entered and click the Finish.
The SNMP Trap Notifications page is displayed.

Suspending an SNMP Trap Notification Subscription


After you suspend an SNMP trap notification subscription, LMS stops using the subscription to select
and forward traps. The subscription status changes to Suspended.
To do this:

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-11

Chapter 10

Notification and Action Settings

Managing Fault SNMP Trap Notifications

Step 1

Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.

Step 2

Select the subscription you want to suspend by clicking the radio button beside it.

Step 3

Click Suspend.

Step 4

Click OK in the confirmation dialog box.


The SNMP Trap Notification Subscriptions page is displayed. The subscription status is Suspended.

Resuming an SNMP Trap Notification Subscription


You can resume an SNMP trap notification subscription only when the subscription status is Suspended.
After you resume a subscription, LMS starts using it to identify events for which to forward traps. The
subscription status changes to Running.
To do this:
Step 1

Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.

Step 2

Select the subscription you want to resume by clicking the radio button beside it.

Step 3

Click Resume.

Step 4

Click OK in the confirmation dialog box.


The SNMP Trap Notification Subscriptions page is displayed. The subscription status is Running.

Deleting an SNMP Trap Notification Subscription


You can delete an SNMP trap notification subscription regardless of the subscription status. Deleting a
subscription removes it permanently from LMS.

Note

You can also suspend a subscription. Suspending a subscription causes the subscription to not be used
until a user resumes it.
To delete an SNMP trap notification subscription:

Step 1

Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.

Step 2

Select the subscription you want to delete by clicking the radio button beside it.

Step 3

Click Delete.

Step 4

Click OK in the confirmation dialog box.


The SNMP Trap Subscriptions page appears. The subscription is no longer displayed.

Administration of Cisco Prime LAN Management Solution 4.2

10-12

OL-25947-01

Chapter 10

Notification and Action Settings


Managing Fault E-Mail Configurations

Managing Fault E-Mail Configurations


This section contains the following topics:

Managing Fault E-Mail Notification Subscriptions

Managing Fault E-Mail Subject Customization

You can use the E-Mail Configuration page to configure E-mail notification subscription and to
customize the E-mail subject.
The E-Mail Configuration page displays the following information:

Note

E-Mail Notification: Forwards events as e-mail to specified e-mail recipients. Forwarded traps are
based on Notification Groups.

E-Mail Subject Customization: Customizes the e-mail subject for forwarded events.

You may not be able to use some of these functions if you do not have the required privileges.

Managing Fault E-Mail Notification Subscriptions


The E-Mail Notification Subscription page displays the following information:

SubscriptionThe name of the user-defined request for notification.

StatusThe subscription status; can be either of the following:


RunningLMS is using the subscription while monitoring events to determine when to send a

notification.
SuspendedLMS will not use the subscription unless you resume it.

Notification GroupThe name of notification group that is applied to the subscription.

You are completely in control of subscriptions. LMS does not delete subscriptions under any
circumstances. From the E-Mail Notifications page, you can perform the tasks listed in Table 10-3.
Table 10-3

E-Mail Notification Subscriptions

Task

Sample Usage

Add

Add a subscription that will send e-mail notification to a user for one device with
an event of any severity (critical or informational) and any status (active,
acknowledged, or cleared).
See Adding and Editing an E-Mail Notification Subscription for more information.

Edit

Suspend

View the notification group and e-mail recipients that comprise the
subscription.

Change the e-mail recipients/notification group that comprise the subscription.

Temporarily stop sending e-mail notifications to a user.

Temporarily stop sending e-mail notifications about a device group.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-13

Chapter 10

Notification and Action Settings

Managing Fault E-Mail Configurations

Table 10-3

E-Mail Notification Subscriptions (continued)

Task
Resume

Delete

Sample Usage

Start sending e-mail notifications to a user again.

Start sending e-mail notifications about a device group using a previously


suspended subscription.

Remove e-mail notification subscriptions that are no longer useful.

Remove redundant e-mail notification subscriptions.

Adding and Editing an E-Mail Notification Subscription


After you add or edit a subscription for e-mail notification, LMS sends e-mail to the users you specify
whenever an event occurs that matches the subscription.

Note

Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Before You Begin

You must create a notification group before you can create an E-Mail Notification subscription. Refer
to Configuring Fault Notification Groups.
To add or edit a subscription for e-mail notification:
Step 1

Select Admin > Network > Notification and Action Settings > Fault - Email notification.
The E-Mail Notification Subscriptions page appears.

Step 2

You can do one of the following:

Click Add.

Click Edit.
You can edit an e-mail notification subscription regardless of its status (Running or Suspended).
After you edit an e-mail notification subscription, if the subscription status is Running, e-mail is
forwarded as specified until you change, suspend, or delete the subscription. Editing a suspended
subscription automatically resumes it.

Click Delete.
Click OK in the confirmation dialog box.
The E-Mail Subscriptions page appears. The subscription is no longer displayed.

Select the subscription you want to suspend by clicking the radio button beside it and click Suspend.
Click OK in the confirmation dialog box.
The E-Mail Notification Subscriptions page is displayed. The subscription status is Suspended.
After you suspend an e-mail notification subscription, LMS stops using the subscription to send
e-mail notification.

Select the subscription you want to resume by clicking the radio button beside it and click Resume.
Click OK in the confirmation dialog box.

Administration of Cisco Prime LAN Management Solution 4.2

10-14

OL-25947-01

Chapter 10

Notification and Action Settings


Managing Fault E-Mail Configurations

The E-Mail Notification Subscriptions page is displayed. The subscription status is Running. After
you resume an e-mail notification subscription, LMS starts using the subscription to determine when
e-mail notification should be sent in response to an event.
Step 3

When you add or edit a subscription for e-mail notification, a page appears with the following fields:
Field

Description

Subscription Name

Enter a subscription names.

Notification Group

Select a notification group.


If you are upgrading LMS and want to use the
e-mail recipients from an earlier configuration,
activate the Recipients from Upgrade check box.
(This choice is only available for systems that
have been upgraded from earlier versions of
LMS.)

Step 4

Click Next.

Step 5

Enter the following e-mail information:


Field

Description

SMTP Server

The name of the default Simple Mail Transfer Protocol (SMTP) server
may already be displayed. The server is specified using Admin >
System > SMTP Default Server. You may also enter a fully qualified
DNS name or IP address for an SMTP server.
To select from any non-default SMTP servers in use by existing
subscriptions, click the SMTP Servers button.

Sender Address

Enter the e-mail address that notifications should be sent from. If the
senders e-mail service is hosted on the SMTP server specified, you need
enter only the username. You do not need to enter the domain name.

Recipient Addresses

Enter one or more e-mail addresses that notifications should be sent to,
separating multiple addresses with either a comma or a semicolon. If a
recipients e-mail service is hosted on the SMTP server specified, you
need to enter only the username. You do not need to enter the domain
name.
By default, e-mail notification supplies a fully detailed e-mail message.
To omit the message body and send only a subject line, select the
Headers Only check box.

Headers Only (check box)

Step 6

Click the Next button located at the bottom of the page.

Step 7

Review the information that you entered and click Finish.


The E-Mail Notification Subscriptions page is displayed, showing the new subscription.

Note

No information is saved until you complete Step 7.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-15

Chapter 10

Notification and Action Settings

Managing Fault E-Mail Configurations

Managing Fault E-Mail Subject Customization


You can use the E-Mail Subject Customization page to customize the e-mail subject for forwarded
events. You need to select the subject attributes and the order in which they are to be displayed. When
you apply and save the selections, the e-mails are sent in the customized order.
The E-Mail Subject Customization page displays the following information:

Available Subjects for E-mail: The additional subjects that are fetched from the LMS database. You
can use these subjects along with the default available subjects while sending e-mail notifications.
By default, following list of e-mail subject attributes are displayed in the Available Subjects for
E-Mail box:
ifAlias
sysLocation
sysContact
user_defined_field_0
user_defined_field_1
user_defined_field_2
user_defined_field_3

When you import devices from DCR, the subject information gets updated into LMS database and
they are displayed as available subjects for e-mails.

Selected Subjects for E-mail: The selected subjects including the default ones in the selected order
displayed by the side of the available subjects.

To customize the e-mail subject:


Step 1

Select Admin > Network > Notification and Action Settings > Fault - Email subject customization.
The available and selected lists of the subject attributes for e-mail are displayed.
To customize the e-mail subject, you can add and remove subjects from the current e-mail subjects list.
By default, following list of e-mail subject attributes are displayed in the Selected Subjects for E-Mail
box.

Event ID

Device Name

Time

Severity

Event Name

Status

To add a subject:
a.

Select the subject attribute from Available Subjects for E-Mail.

b.

Click Add.
The selected subject attribute is added to the Selected Subjects for E-Mail list.
You can add a subject attribute only from the Available Subjects list to the Selected Subjects list.
You cannot add a subject attribute from the Selected subject list to the Available Subject list.

Administration of Cisco Prime LAN Management Solution 4.2

10-16

OL-25947-01

Chapter 10

Notification and Action Settings


Managing Fault Syslog Notifications

To remove a subject attribute:


a.

Select the subject attribute from Selected Subjects for E-Mail.

b.

Click Remove.
The selected subject attribute is removed from the Selected list and added to the Available subjects
for E-Mail list.
You can remove a subject attribute only from the Selected Subjects list and not from the Available
Subjects list.

Step 2

Click Up or Down to rearrange the order of the selected e-mail subject attributes.

Step 3

Click Apply to save the customized e-mail subject attributes.

Managing Fault Syslog Notifications


The Syslog Notifications page displays the following information:

SubscriptionThe name of the user-defined request for notification.

Notification GroupThe name of notification group that is applied to the subscription.

StatusThe subscription status; can be either of the following:


RunningFault Management module is using the subscription while monitoring events to

determine when to send a notification.


SuspendedFault Management module will not use the subscription unless you resume it.

You are completely in control of subscriptions. Fault Management module does not change or delete
subscriptions under any circumstances. From the Syslog Notifications page, you can perform the tasks
listed in Table 10-4.
Table 10-4

Task

Syslog Notification Subscriptions

Sample Usage

Reference

Add

Add a subscription that will send a Syslog notification to Adding a Syslog


Notification Subscription
a remote machine for one device with an event of any
severity (critical or informational) and any status (active,
acknowledged, or cleared).

Edit

View the notification group and Syslog recipient that


comprise the subscription.

Change the Syslog recipients/notification group that


comprise the subscription.

Temporarily stop sending Syslog notifications to a


remote host.

Temporarily stop sending Syslog notifications about a


device group.

Suspend

Editing a Syslog
Notification Subscription

Suspending a Syslog
Notification Subscription

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-17

Chapter 10

Notification and Action Settings

Managing Fault Syslog Notifications

Table 10-4

Task

Syslog Notification Subscriptions (continued)

Sample Usage

Reference

Start sending Syslog notifications to a remote host again. Resuming a Syslog


Notification Subscription
Start sending Syslog notifications about a device group
using a previously suspended subscription.

Resume

Delete

Remove Syslog notification subscriptions that are no


longer useful.

Remove redundant Syslog notification subscriptions.

Deleting a Syslog
Notification Subscription

Adding a Syslog Notification Subscription


After you add a subscription for Syslog notification, LMS sends a Syslog message to the specified
remote hosts whenever an event occurs that matches the subscription.

Note

Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Before You Begin

Step 1

You must create a notification group before you can create a Syslog Notification subscription. Refer
to Configuring Fault Notification Groups.

A remote machines Syslog daemon must be configured to listen on a specified port, and you must
enter this information in Step 3 of the following procedure. LMS uses the default port 514.

Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.

Step 2

Click Add.
a.

Enter a subscription name.

b.

Select a notification group.

c.

Select a facility from the drop-down list (the default is Local Use 0). The Facility field and the event
severity are used for the PRI portion of the Syslog message, as follows:
[Facility*8][Severity]
Event severity values are as follows:

Critical = 2

Information = 6

You can enter location information (up to 29 characters). This information will be populated in the
Syslog message. This is optional.
d.
Step 3

Click Next.

Enter one or more hosts as recipients for Syslog notifications.


a.

For each host, enter:

An IP address or DNS name for the hostname.

Administration of Cisco Prime LAN Management Solution 4.2

10-18

OL-25947-01

Chapter 10

Notification and Action Settings


Managing Fault Syslog Notifications

b.

A port number on which the Syslog daemon is listening. If the port number is unspecified
(empty), the port defaults to 514. (You can verify this in Step 5.)

A comment. This is optional.

Click Next.

Step 4

Enter the name of the subscription in the Save As field and click Next.

Step 5

Review the information that you entered and click Finish.


The Syslog Notification Subscriptions page is displayed with the new subscription.

No information is saved until you complete Step 5.

Note

Editing a Syslog Notification Subscription


You can edit a Syslog notification subscription regardless of its status (Running or Suspended).
After you edit a Syslog notification subscription, if the subscription status is Running, Syslog messages
are forwarded as specified until you change, suspend, or delete the subscription. Editing a suspended
subscription automatically resumes it.

Note

Step 1

Editing a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.

Step 2

Select the subscription you want to edit by clicking the radio button beside it.

Step 3

Click Edit.

Step 4

Edit the Syslog Subscription Save: Edit window:


a.

Change the subscription name.

b.

Select a different notification group.

c.

Select a Facility from the drop-down list (the default is Local Use 0). The Facility field and the event
severity is used for the PRI portion of the Syslog message, as follows:
[Facility*8][Severity]
Event severity values are as follows:

Critical = 2

Informational = 6

You can enter location information (up to 29 characters). This information will be populated in the
Syslog message. This is optional.
d.
Step 5

Click Next.

Add or delete a recipient host or change the port number for a host:
a.

To add one or more recipients, for each host, enter:

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-19

Chapter 10

Notification and Action Settings

Managing Fault Syslog Notifications

An IP address or DNS name for the hostname.

A port number on which the Syslog daemon is listening. If the port number is unspecified
(empty), the port defaults to 514. (You can verify this in Step 7.)

A comment. This is optional.

b.

To delete a recipient, delete the hostname, port number, and comment, if any.

c.

Click Next.

Step 6

Click the Next button located at the bottom of the page.

Step 7

Review the information that you entered and click Finish.


The Syslog Notification Subscriptions page is displayed.

Suspending a Syslog Notification Subscription


After you suspend a Syslog notification subscription, LMS stops using the subscription to send Syslog
notifications. The subscription status changes to Suspended.
Step 1

Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.

Step 2

Select the subscription you want to suspend by clicking the radio button beside it.

Step 3

Click Suspend.

Step 4

Click OK in the confirmation dialog box.


The Syslog Notification Subscriptions page is displayed. The subscription status is Suspended.

Resuming a Syslog Notification Subscription


After you resume a Syslog notification subscription, LMS starts using the subscription to determine
when Syslog notifications should be sent in response to an event. The subscription status changes to
Running.
To resume a syslog notification subscription:
Step 1

Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.

Step 2

Select the subscription you want to resume by clicking the radio button beside it.

Step 3

Click Resume.

Step 4

Click OK in the confirmation dialog box.


The Syslog Notification Subscriptions page is displayed. The subscription status is Running.

Administration of Cisco Prime LAN Management Solution 4.2

10-20

OL-25947-01

Chapter 10

Notification and Action Settings


Configuring Fault SNMP Trap Receiving and Forwarding

Deleting a Syslog Notification Subscription


You can delete a Syslog notification subscription regardless of the subscription status. Deleting a
subscription removes it permanently from LMS.

Note

You can also suspend a subscription. Doing so causes the subscription to not be used until a user resumes
it.
To delete a syslog notification subscription:

Step 1

Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.

Step 2

Select the subscription you want to delete by clicking the radio button beside it.

Step 3

Click Delete.

Step 4

Click OK in the confirmation dialog box.


The Syslog Subscriptions page appears. The subscription is no longer displayed.

Configuring Fault SNMP Trap Receiving and Forwarding


LMS can receive traps on any available port and forward them to a list of devices and ports. This
capability enables LMS to work with other trap processing applications.
This section contains the following topics:

Enabling Devices to Send Traps to LMS

Enabling Cisco IOS-Based Devices to Send Traps to LMS

Enabling Catalyst Devices to Send SNMP Traps to LMS

Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs

Updating the SNMP Trap Receiving Port

Configuring SNMP Trap Forwarding

LMS will only forward SNMP traps from devices in the LMS inventory.
It will not change the trap formatit will forward the raw trap in the format in which the trap was
received from the device. However, you must enable SNMP on your devices and you must do one of the
following:

Note

Configure SNMP to send traps directly to LMS

Integrate SNMP trap receiving with an NMS or a trap daemon

The ports and protocols used by Cisco Prime are listed in Installing and Migrating to Cisco Prime LAN
Management Solution 4.2.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-21

Chapter 10

Notification and Action Settings

Configuring Fault SNMP Trap Receiving and Forwarding

Enabling Devices to Send Traps to LMS


Note

If your devices send SNMP traps to a Network Management System (NMS) or a trap daemon, see
Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs.
Since LMS uses SNMP MIB variables and traps to determine device health, you must configure your
devices to provide this information. For any Cisco device that you want LMS to monitor, SNMP must
be enabled and the device must be configured to send SNMP traps to the LMS server.
Make sure your devices are enabled to send traps to LMS by using the command line or GUI interface
appropriate for your device:

Enabling Cisco IOS-Based Devices to Send Traps to LMS

Enabling Catalyst Devices to Send SNMP Traps to LMS

Administration of Cisco Prime LAN Management Solution 4.2

10-22

OL-25947-01

Chapter 10

Notification and Action Settings


Configuring Fault SNMP Trap Receiving and Forwarding

Enabling Cisco IOS-Based Devices to Send Traps to LMS


For devices running Cisco IOS software, enter the following commands:
(config)# snmp-server [community string] ro
(config)# snmp-server enable traps
(config)# snmp-server host [a.b.c.d] traps [community

string]

where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the
SNMP trap receiving host (the LMS server).
For more information, see the appropriate command reference guide.
To enable Cisco IOS-Based devices to send traps to LMS:
Step 1

Log into Cisco.com.

Step 2

Select Products & Services > Cisco IOS Software.

Step 3

Select the Cisco IOS software release version used by your IOS-based devices.

Step 4

Select Technical Documentation and select the appropriate command reference guide.

Enabling Catalyst Devices to Send SNMP Traps to LMS


For devices running Catalyst software, provide the following commands:
(enable)# set snmp community read-only [community string]
(enable)# set snmp trap enable all
(enable)# set snmp trap [a.b.c.d] [community string]

where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the
SNMP trap receiving host (the LMS server).
For more information, see the appropriate command reference guide.
Step 1

Log into Cisco.com.

Step 2

Select Products & Services > Cisco Switches.

Step 3

Select the appropriate Cisco Catalyst series switch.

Step 4

Select Technical Documentation and select the appropriate command reference guide.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-23

Chapter 10

Notification and Action Settings

Configuring Fault SNMP Trap Receiving and Forwarding

Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs


You might need to complete one or more of the following steps to integrate SNMP trap receiving with
other trap daemons and other Network Management Systems (NMSs):

If you are integrating LMS with a remote version of HP OpenView or NetView, you must install the
appropriate adapter on the remote HP OpenView or NetView (see Installing and Migrating to Cisco
Prime LAN Management Solution 4.2. This guide also provides information on supported versions).
You do not need to install any adapters if HP OpenView or NetView is installed locally.

Add the host where LMS is running to the list of trap destinations in your network devices. See
Enabling Devices to Send Traps to LMS. Specify port 162 as the destination trap port. (If another
NMS is already listening for traps on the standard UDP trap port (162), use port 9000, which LMS
will use by default.)

If your network devices are already sending traps to another management application, configure that
application to forward traps to LMS.

Table 10-5 describes scenarios for SNMP trap receiving and lists the advantages of each.
Table 10-5

Configuration Scenarios for Trap Receiving

Scenario

Advantages

Network devices send traps to port 162 of the host where


LMS is running. LMS receives the traps and forwards
them to the NMS.

NMS receives traps on default port 162 and forwards


them to port 162 on the host where LMS is running.

No reconfiguration of the NMS is required.

No reconfiguration of network devices is required.

LMS provides a reliable trap reception and forwarding


mechanism.

NMS continues to receive traps on port 162.

Network devices continue to send traps to port 162.

No reconfiguration of the NMS is required.

No reconfiguration of network devices is required.

LMS does not receive traps dropped by the NMS.

Updating the SNMP Trap Receiving Port


By default, LMS receives SNMP traps on port 162 (or, if port 162 is occupied, port 9000). If you need
to change the port, you can do so. LMS supports SNMP V1, V2, and V3 traps for trap receiving.
Step 1

Select Admin > Network > Notification and Action Settings > Fault - SNMP trap receiving settings.

Step 2

Enter the port number in the Receiving Port text box.

Step 3

Click Apply.

For a list of ports that are already in use, see Installing and Migrating to Cisco Prime LAN Management
Solution 4.2. If you have two instances of the DfmServer process running, traps will be forwarded from
the first instance to the second instance.

Administration of Cisco Prime LAN Management Solution 4.2

10-24

OL-25947-01

Chapter 10

Notification and Action Settings


Performance SNMP Trap Notification Groups

Configuring SNMP Trap Forwarding


Note

Your login determines whether or not you can perform this task. View the Cisco Prime Permission
Report (Reports > System > Users > Permission) to determine which tasks are permitted for each user
role.
LMS will only forward SNMP traps from devices in the LMS inventory. LMS will not change the trap
formatit will forward the raw trap in the format in which it was received from the device. All traps are
forwarded in V1 (SNMP Version) format. In LMS 4.2, trap support is provided for SNMPv3 configured
devices, unknown devices and non-Cisco devices.

Step 1

Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding.

Step 2

For each host, enter:

Step 3

An IP address or DNS name for the hostname.

A port number on which the host can receive traps.

Click Apply.

Performance SNMP Trap Notification Groups


Cisco Prime LMS allows you to create SNMP Trap Receiver Groups using the Trap Receiver Groups
option.This is group of hosts that receives specified trap notifications, when any TrendWatch or
Threshold violation occurs in LMS.
The Trap destination is defined by the IP address or it can be a host name. From the Trap Receiver
Groups page, you can create a Trap Receiver Group, modify the configuration of a Trap Receiver Group,
and delete a Trap Receiver Group.
To access the Trap Receiver Group page, Admin > Network > Notification and Action Settings >
Performance - SNMP Trap notification. The Trap Receiver Groups page appears.
Table 10-6 describes the fields in the Trap Receiver Groups.
Table 10-6

Trap Receiver Groups Fields

Field

Description

Trap Group Name

Name of the Trap Receiver Group.


Click on the Name hyperlink to view the details of the Trap Receiver Group
created.

Number of Receivers

Number of Trap Receivers added to the Trap Receiver Group.

Create

Creates a Trap Receiver Group. See Creating a Trap Receiver Group.

(button)
Edit
(button)

Modifies an existing Trap Receiver group. See Editing a Trap Receiver


Group.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-25

Chapter 10

Notification and Action Settings

Performance SNMP Trap Notification Groups

Table 10-6

Trap Receiver Groups Fields

Field

Description

Delete

Deletes an existing Trap Receiver Group. See Deleting a Trap Receiver


Group.

(button)
Filter

Filters information based on the criteria that you select from the drop-down

(button)

list. The drop-down list contains the following criteria:


All
Group Name
See Filtering Trap Receiver Groups

You can perform the following tasks from the Trap Receiver Groups dialog box:

Creating a Trap Receiver Group

Editing a Trap Receiver Group

Deleting a Trap Receiver Group

Filtering Trap Receiver Groups

Creating a Trap Receiver Group


To create a Trap Receiver group
Step 1

Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The Trap Receiver Groups page appears.

Step 2

Click Create.
The Create Trap Receiver Group page appears, displaying the Trap Group Configuration dialog box.
Table 10-7 describes the fields in the Trap Group Configuration dialog box.
Table 10-7

Trap Group Configuration

Field

Description

Group Name

Enter the name of the Trap Receiver Group. For example, Trap Receiver
Group 1.
The name can contain a mix of alphabets, numerals, and some special
characters (such as - _ . # @ $ &).

Receiver Details

Host

Enter the host name or IP address. For example 10.77.201.52


Enter the IP address or hostname of the destination to which the trap message
should be delivered.

Port

Enter the Port Number on which Trap Receiver is listening for traps.
The default port value is 162. This field is optional.

Administration of Cisco Prime LAN Management Solution 4.2

10-26

OL-25947-01

Chapter 10

Notification and Action Settings


Performance SNMP Trap Notification Groups

Table 10-7

Trap Group Configuration

Field

Description

Community

Enter the community string that appears in the trap message.


The default community string is public. This field is optional.

Create

Creates the Trap Receiver Group.

(button)
Add More

Adds more hosts to the present Group.

(button)
Cancel

Cancels the creation of Trap Receiver Group.

(Button)
Step 3

Enter a descriptive name for the Trap Group name in the GroupName field.

Step 4

Enter the IP address or hostname of the destination to which the trap should be delivered in the Host
field.

Step 5

Enter the Port Number on which Trap Receiver is listening for traps in the Port field.

Step 6

Enter the community string that appears in the trap message in Community field.
The community string will be displayed as asterisks.

Note

You can add as many as five hosts or devices to the Trap Group by default.

To add more than five hosts to the Trap Group,


Step 1

Click Add More to add another host information to the Trap Group. Go to Step 4 to continue.

Step 2

Click Create to create the Trap Group.


Or
Click Cancel to cancel the operation.
The Trap Receiver Group dialog box appears, displaying the Trap Groups.

Editing a Trap Receiver Group


You can edit a Trap Receiver Group to update or change the hosts, ports and community string of the
selected Trap Receiver Group using the Edit button in the List of Trap Receiver Groups.
You can edit only one Trap Receiver Group at a time. If you select multiple Trap Receiver Groups using
the check box, the Edit button is disabled. You cannot edit the Trap Receiver Group Name field.
To edit a Trap Receiver Group:

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-27

Chapter 10

Notification and Action Settings

Performance SNMP Trap Notification Groups

Step 1

Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The Trap Receiver Groups dialog box appears.

Step 2

Select the Trap Receiver Group by checking the corresponding check box against the Trap Receiver
Group Name.

Step 3

Click Edit.
The Edit Trap Receiver Group dialog box appears, displaying the earlier settings.
Table 10-8 describes the fields in the Trap Group Configuration dialog box.
Table 10-8

Trap Group Configuration

Field

Description

Group Name

Name of the Trap Receiver Group.


For example, Trap Receiver

Receiver Details

Host

Enter the host name or IP address. For example 10.77.201.52


Enter the IP address or hostname of the destination to which the trap message
should be delivered.

Port

Enter the Port Number on which Trap Receiver is listening for traps.
For example, 162

Community

Enter the community string that appears in the trap message.


The default community string is public.

Update

Updates the Trap Receiver Group.

(button)
Add More

Adds more hosts to the present Group.

(button)
Cancel

Cancels the modification of the Trap Receiver Group.

(Button)
Step 4

Make the necessary changes to the Receiver Details.


To add more receivers to the present configuration,

Step 1

Click AddMore in the Trap Group Configuration dialog box.

Step 2

Make necessary changes to the Receiver Details.

Step 3

Click Update in the Trap Group Configuration dialog box to complete updating the Trap Receiver
Group.
Or
Click Cancel to cancel the operation.
The Trap Receiver Group dialog box appears, displaying the Trap Groups.

Administration of Cisco Prime LAN Management Solution 4.2

10-28

OL-25947-01

Chapter 10

Notification and Action Settings


Performance SNMP Trap Notification Groups

Deleting a Trap Receiver Group


You can delete one or more Trap Receiver Groups using the Delete button on the List of Trap Receiver
Groups dialog box.
You cannot delete a Trap Receiver Group that is associated with any Threshold or TrendWatch. If you
want to delete such Trap Receiver Groups, first remove the Trap Receiver Group from the associated
Threshold or TrendWatch.
Before a Trap Receiver Group is deleted, you are prompted to confirm the deletion because you cannot
restore a Trap Receiver Group that you have deleted from the database.
To delete a Trap Receiver Group:
Step 1

Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The List of Trap Receiver Groups dialog box appears.

Step 2

Select the Trap Group Name by checking the appropriate check box.
You can select multiple Trap Receiver Groups by checking their respective check boxes.

Step 3

Click Delete.
A message appears, prompting you to confirm the deletion,

Step 4

Click OK to delete the Trap Receiver Groups.


Or
Click Cancel to cancel the operation.
If you choose to click OK, a message appears that the Trap Receiver Group is deleted successfully.
The Trap Receiver Groups dialog box appears.

Filtering Trap Receiver Groups


This section describes how you can use the filter option to display the Trap Receiver Group information
based on a specific criteria.
To filter a Trap Receiver Groups:
Step 1

Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The List of Trap Receiver Group dialog box appears.

Step 2

Select a criteria for filtering from the drop-down list.

Step 3

Enter the data to be filtered.

Step 4

Click Show.
The List of Trap Receiver Groups dialog box appears, displaying the Trap Receiver Group information
based on the filter criteria.
Table 10-9 describes the criteria to filter.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-29

Chapter 10

Notification and Action Settings

Performance SNMP Trap Notification Groups

Table 10-9

Trap Receiver Groups Field Description

Filter Criteria

Description

Group Name

Select Group Name and enter the data. You can use either of the following
methods to filter by entering:

Complete Group name

Any wildcard characters of the Trap Receiver Group name (such as


*trap, trap*)

Administration of Cisco Prime LAN Management Solution 4.2

10-30

OL-25947-01

Chapter 10

Notification and Action Settings


Performance Syslog Notification Groups

Performance Syslog Notification Groups


Cisco Prime LMS allows you to create Syslog Receiver Groups using the Syslog Receiver Groups
option. Syslog Receiver Groups is a group of hosts that receives Syslog messages when any TrendWatch
or Threshold violation occurs in LMS.
From the Syslog Receiver Groups page you can create a Syslog Receiver Group, modify the
configuration of a Syslog Receiver Group, and delete a Syslog Receiver Group.
To access the Syslog Receiver Group page, select Admin > Network > Notification and Action
Settings > Performance - Syslog notification. The List of Syslog Receiver Groups dialog appears.
Table 10-10 describes the fields in the Syslog Receiver Groups.
Table 10-10

Syslog Receiver Groups Fields

Field

Description

Syslog Group Name

Name of the Syslog Receiver Group.


For example, Syslog Group

Number of Receivers

Number of Syslog Receivers added to the Syslog Receiver Group.

Create

Creates a Syslog Receiver Group. See Creating a Syslog Receiver Group.

(button)
Edit
(button)
Delete

Modifies an existing Syslog Receiver group. See Editing a Syslog Receiver


Group.

(button)

Deletes an existing Syslog Receiver Group. See Deleting a Syslog Receiver


Group.

Filter

Filters information based on the criteria that you select from the drop-down

(button)

list. The drop-down list contains the following criteria:

All

Group Name

See Filtering Trap Receiver Groups


Update Facility
(button)

Sends the Syslog message to the receiver, based on the facility level selected
in the drop-down list. The drop-down list contains the following criteria:

local 0

local 1

local 2

local 3

local 4

local 5

local 6

local 7

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-31

Chapter 10

Notification and Action Settings

Performance Syslog Notification Groups

You can perform the following tasks from the Syslog Receiver Groups dialog box:

Creating a Syslog Receiver Group

Editing a Syslog Receiver Group

Deleting a Syslog Receiver Group

Filtering Syslog Receiver Groups

Creating a Syslog Receiver Group


To create a Syslog Receiver group:
Step 1

Select Admin > Network > Notification and Action Settings > Performance - Syslog notification.
The Syslog Receiver Groups dialog appears.

Step 2

Click Create.
The Create Syslog Receiver Group page appears, displaying the Syslog Group Configuration dialog box.
Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Table 10-11

Syslog Groups Configuration

Field

Description

Group Name

Enter the name of the Syslog Group name. For example, Syslog Group.
The name can contain a mix of alphabets, numerals, and some special
characters (such as - _ . # @ $ &).

Receiver Details

Host

Enter the host name or IP address. For example 10.77.201.52


Enter the IP address or hostname of the destination to which the syslog
message should be delivered. This IP address should be DNS resolvable.

Port

Enter the Port Number on which Syslog Receiver is listening for syslog
messages.
The default port value is 514. This field is optional.

Create

Creates the Syslog Receiver Group

(button)
Add More

Adds more hosts to the present Group

(button)
Cancel

Cancels the creation of Syslog Receiver Group

(Button)
Step 3

Enter a descriptive name for the Syslog Group name in the GroupName field.

Step 4

Enter the IP address or hostname of the destination to which the Syslog messages should be delivered in
the Host field.

Step 5

Enter the Port Number on which Syslog Receiver is listening for Syslog Messages in the Port field.

Administration of Cisco Prime LAN Management Solution 4.2

10-32

OL-25947-01

Chapter 10

Notification and Action Settings


Performance Syslog Notification Groups

Note

You can add as many as five hosts or devices to the Syslog Group by default.
To add more than five hosts to the Syslog Group,

Step 1

Click AddMore to add another host information to the Syslog Group. Go to Step 4 to continue.

Step 2

Click Create to create the Syslog Group.


Or
Click Cancel to cancel the operation.
The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.

Editing a Syslog Receiver Group


You can edit a Syslog Receiver Group to update or change the hosts and ports of the selected Syslog
Receiver Group using the Edit button in the List of Syslog Receiver Groups.
You can edit only one Syslog Receiver Group at a time. If you select multiple Syslog Receiver Groups
using the check box, the Edit button is disabled. You cannot edit the Syslog Receiver Group Name field.
To edit a Syslog Receiver Group:
Step 1

Select Admin > Network > Notification and Action Settings > Performance - Syslog notification.
The Syslog Receiver Groups dialog box appears.

Step 2

Select the Syslog Receiver Group by checking the corresponding check box against the Syslog Receiver
Group Name.

Step 3

Click Edit.
The Edit Syslog Receiver Group dialog box appears, displaying the earlier settings.
Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Table 10-12

Syslog Groups Configuration

Field

Description

Group Name

Name of the Syslog Group name.


For example, Syslog Group.

Receiver Details

Host

Enter the host name or IP address. for example 10.77.201.52


Enter the IP address or hostname of the destination to which the Syslog
message should be delivered.

Port

Enter the Port Number on which Syslog Receiver is listening for Syslog
messages.
The default port number is 512.

Administration of Cisco Prime LAN Management Solution 4.2


OL-25947-01

10-33

Chapter 10

Notification and Action Settings

Performance Syslog Notification Groups

Table 10-12

Syslog Groups Configuration

Field

Description

Update

Updates the Syslog Receiver Group.

(button)
Add More

Adds more hosts to the present Group.

(button)
Cancel

Cancels the modification of the Syslog Receiver Group.

(Button)
Step 4

Make the necessary changes to the Receiver Details.


To add more receivers to the current configuration:

Step 1

Click AddMore in the Syslog Group Configuration dialog box.

Step 2

Make the necessary changes to the Receiver Details.

Step 3

Click Update in the Syslog Group Configuration dialog box to complete updating the Syslog Receiver
Group.
Or
Click Cancel to cancel the operation.
The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.

Deleting a Syslog Receiver Group


You can delete one or more Syslog Receiver Groups using the Delete button on the List of Syslog
Receiver Groups dialog box.
You cannot delete a Syslog Receiver Group which is associated with any Threshold or TrendWatch. If
you want to delete such Syslog Receiver Groups, first remove the Syslog Receiver Group from the
associated Threshold or TrendWatch.
Before a Syslog Receiver