Admin
Administration in Cisco Prime LAN Management Solution (LMS) 4.2 groups all the activities and tasks
that a user with Network or System Administrator privileges needs to perform.
This preface details the related documents that support the Admin feature, and demonstrates the styles
and conventions used in this guide. This preface contains:
• Audience
• Document Conventions
• Product Documentation
Audience
This guide is for users who are skilled in network administration and management, and for network
operators who use this guide to make configuration changes of devices using LMS. The network
administrator or operator should be familiar with the following:
• Basic Network Administration and Management
• Basic Solaris System Administration
• Basic Windows System Administration
• Basic Soft Appliance System Administration
• Basic LMS Administration
Document Conventions
Table 1 describes the conventions followed in the user guide.
Item: Convention
Commands and keywords: boldface font
Variables for which you supply values: italic font
Displayed session and system information: screen font
Information you enter: boldface screen font
Variables you enter: italic screen font
Menu items and button names: boldface font
Selecting a menu item in paragraphs: Option > Network Preferences
Selecting a menu item in tables: Option > Network Preferences
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
publication.
Product Documentation
Note We sometimes update the printed and electronic documentation after original publication. Therefore,
you should also review the documentation on Cisco.com for any updates.
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the
original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses
are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact
openssl-core@openssl.org.
OpenSSL License:
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgment: “This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit (http://www.openssl.org/)”.
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote
products derived from this software without prior written permission. For written permission, please
contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in
their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/)”.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product
includes software written by Tim Hudson (tjh@cryptsoft.com).
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be
changed. i.e. this code cannot simply be copied and put under another distribution license [including the
GNU Public License].
This guide is intended for Local Area Network (LAN) administrators and management professionals
who perform LAN configurations and monitor LAN performance.
The Admin menu groups all the activities and tasks that a user with Network or System Administrator
privileges can perform.
This section explains:
• How the Guide Is Organized
• Administration Tasks
• Understanding the System Dashboard
Chapter: Description
Chapter 1, “Overview of Administration”: Provides information on the organization of the Administration with Cisco Prime LMS user guide, and describes the System Dashboard portlets in LMS.
Chapter 1, “Setting up Security”: Describes the security mechanisms that help to prevent unauthenticated access to LMS server, Cisco Prime applications, and data. LMS provides features for managing security while operating in single-server and multi-server modes.
Chapter 1, “Administering LMS Server”: Describes how to use administrative features to ensure that the server is performing properly. You can manage processes, set up backup parameters, update licensing information, collect server information, manage jobs and resources, and configure system-wide information on the Cisco Prime LMS Server.
Chapter 1, “Administering Discovery Settings and Device and Credential Repository”: Describes how to configure discovery settings, and perform administrative tasks in DCR.
Chapter 1, “Managing Groups”: Describes how to use the Grouping feature in LMS. LMS 4.2 has a more robust device grouping which can support 600 device groups. The other grouping services that are available in LMS are:
• Fault Group
• IPSLA Collector Group
• Port and Module Group
Chapter 1, “Administering Data Collection”: Describes how to use Data Collection.
Chapter 1, “User Tracking and Dynamic Updates”: Describes how to use User Tracking and Dynamic Updates. User Tracking allows you to track end stations. Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps.which
Chapter 1, “Administering Collection Settings”: Describes how to configure the various collection settings in LMS.
Chapter 1, “Monitoring and Troubleshooting Settings”: Describes how to configure all the administrative tasks that you need to perform to monitor and troubleshoot your network using LMS.
Chapter 1, “Notification and Action Settings”: Describes how to configure the administrative tasks involved in setting up notification and syslog settings. You can also customize the names and event severity, create and activate notification subscriptions, and set up automated actions for Change Audit tasks and syslogs.
Chapter 1, “Administering Change Audit and Software Management”: Describes how to perform Change Audit tasks and set your preference to download images.
Chapter 1, “Managing Jobs”: Describes how to manage jobs in LMS, and set up job approval for certain modules in LMS.
Chapter 1, “Working With Software Center”: Describes how to use the Software Center to check for software and device support updates, download them to their server file system along with the related dependent packages, and install the device updates.
Chapter 1, “Discrepancies and Best Practices Deviations”: Describes how to use the Discrepancies Reporting module of LMS to view the discrepancies and best practices deviations in your network.
Chapter 1, “Report Setting”: Describes how to configure some settings for generating reports and set a report publish location.
Chapter 1, “Purge Settings”: Describes how to configure the purge settings of all modules in LMS.
Chapter 1, “Debugging Options”: Describes how to configure the debugging settings of all modules in LMS. You can also view the details of all the log files.
Chapter 1, “Understanding LMS Tasks”: Describes all LMS tasks.
Appendix 1, “CLI Tools”: Describes all the CLI utilities that are available for the administrator in LMS 4.2.
Appendix 1, “Troubleshooting and FAQs”: Provides troubleshooting and FAQs.
Appendix 1, “Data Extraction Engine”: Describes how to export User Tracking, Topology, and Discrepancy application data using Data Extraction Engine.
Appendix 1, “Understanding Cisco Prime Security”: Describes the various levels of security implemented in Cisco Prime LMS.
Appendix 1, “Commands to Enable MAC Notification Traps on Devices”: Provides information on the list of commands that need to be run on each device to enable MAC Notification traps.
Administration Tasks
The System Administration tasks are grouped into:
• Authentication Mode Setup
• Backup
• Cisco.com Settings
• Debug Settings
• Group Management
• License Management
• Log Rotation
• Server Monitoring
• SMTP Default Server
• Device Management Functions
• Software Center
• System Preferences
• User Management
The Network Administration tasks are grouped into:
• Change Audit Settings
• Discovery Settings
• PSIRT, EOS and EOL Settings
• Configuration Job Settings
• Device Credential Settings
• Best Practises Deviation Settings
• Display Settings
• Monitor and Troubleshoot
• Notification and Action Settings
• Purge Settings
• Resource Browser
• Software Image Management
The Collection Settings are grouped into:
• Config
• Data Collection
• Fault
• Inventory
• Performance
• Syslog
• User Tracking
• VRF Lite
Apart from the system administration and network administration tasks, you can also perform:
• Trust Management
– Local Server
– Multi Server
• Job Management
– Job Browser
– Job Approval
The two dashboards in the Admin menu are:
• System Dashboard. For more information, see Understanding the System Dashboard
• Device Status Dashboard.
This section is explained in the Inventory Online Help.
Note The data in these portlets is displayed regardless of role-based authorization, whether device-level or
user-level.
• Single Sign On (SSO) master unreachability, which is applicable only for a slave server.
You can free up space on the Cisco Prime LMS drive in the following ways:
• Delete the unwanted log files from the NMSROOT directory.
• Use the log rotate functionality, to rotate the logs to other drives.
• Remove unwanted files from the NMSROOT drive.
Note The Authentication modes appear in the Critical Message Window portlet (in red) if you do not
have full privileges in the Device Credential and AAA Information portlet.
Details: Description
Cisco Prime Drive Utilization: Displays the utilization of the drive for Windows, Solaris and Soft Appliance.
For Windows:
Drive is where the product is installed. For example, 'C' drive in case of "C/Program Files/CSCOpx".
For Solaris/Soft Appliance:
The portlet displays the File System utilization of the following:
/opt - Product Installed location
/var - Log file details location.
Processes xyz are down (for example: ESS, EssMonitor, Proxy and so on): Displays the processes that are down. All the processes that are down are displayed in red in the portlet. However, when Fault processes such as DFMCTMStartup and Data Purge are down, they are not displayed in the Critical Message Window portlet.
Field Description
Authentication Mode Mode selected to authenticate the LMS server when logging into the LMS
application. For example, TACACS+, MS Active Directory.
• If the status is displayed in green, authentication is successful in the local or
external server.
• The status is in red when you log into the Cisco Prime application in fallback
mode.
Authorization Mode Mode used to authorize the user after authentication. From LMS 4.0, only the
Local Authentication mode is used to authenticate users, and authorize them to
access Cisco Prime LMS. ACS mode is not available.
Single Sign On (SSO) Mode SSO mode such as Stand alone and Master/Slave.
No. of Devices Number of devices. Click on the number to view the DCR Device Management
page details.
DCR Mode DCR mode such as Standalone, Master, Slave.
For more information about DCR mode, see DCR Architecture in Inventory
Management Online Help.
For more information on changing the DCR mode, see Changing DCR Mode.
Device Polling Status
Device Polling Status Status of the device polling.
The status can be either enabled or disabled.
If the status is enabled, then it displays the scheduled jobs along with the Job ID.
For example Job ID: 1034.
Device Polling Frequency Polling frequency of the devices.
This frequency can be:
• Every 6 hours
• Every 12 hours
• Daily
• Weekly
• Monthly
Total Unreachable Devices Total number of devices that are not reachable.
Click the unreachable device link to view the report.
Next Polling Schedule Time at which the next polling is scheduled.
Field Description
Log File Name of the log file such as syslog.log, EDS.log upm_base.log, and
so on.
The asterisk (*) displayed along with some log file name denotes
that there are multiple files available.
Directory Displays the location of the logfile.
For instance, var/adm/CSCOpx/log.
File Size Current size of the log file in kilo bytes.
You can click the portlet name in the title bar of the portlet to navigate to Log File status report page
(Reports > System > Status > Log File).
For more information on the list of log files, see Maintaining Log Files.
Process Status
In Process Status portlet, you can manage all the activities or jobs.
Table 1-5 lists the Process Status portlet details.
Field Description
State Status of the process, such as Failed to start, Running normally and
Shutdown.
No. of Process Number of processes in each state.
You can click the portlet name in the title bar of the portlet to navigate to the Process Status report page
(Reports > System > Status > Process).
You can click the link displayed in the portlet to start or stop the process.
Field Description
Backup Schedule Date and time at which the backup was scheduled.
You can click the link corresponding to the Backup Schedule to
view/schedule the respective Backup Job details.
Last Backup Completed at Date and time when the last backup was completed.
Last Backup Status Status of the last backup.
Last Backup Location Location of the last backup.
You can click on the portlet name in the title bar of the portlet to navigate to the Backup Job page.
Field Description
No. of Logged-in Users Number of users who have logged in.
You can click the number of logged-in users to view the Who is Logged on
Report page (also available from Reports > System > Users > Who is Logged
On).
Users Log-in details of all users and the number of sessions opened by each user.
Note You can send broadcast messages to logged-in users by clicking the Send Message to all users
link displayed in the User Login Information and the users will receive the message within 60
seconds by default.
You can click the portlet name in the title bar of the portlet to navigate to the Who is Logged on Report
page.
For more information on setting up local users, see Setting up Local Users.
Field Description
Job ID Unique ID assigned to the job by the system, when the job is created. The Job IDs are
displayed in ID.No.of.Instances format in periodic jobs.
For example, the Job ID 1002.11 indicates that this is the eleventh instance of the job
whose ID is 1002.
When you click the Job ID, the job details, if available, are displayed.
Job Type Type of the job.
For example, Inventory Collection, SyslogDefaultPurge, and Net Config Job.
Status Status of the scheduled jobs that are completed.
The Job states include Succeeded, Failed, Crashed, Cancelled, and Rejected.
The status of the succeeded jobs are displayed in green and the Failed, Crashed,
Cancelled, and Rejected jobs are displayed in red.
Job Description Description of the job provided by the job creator.
It can contain alphanumeric characters.
Owner Name of the user who created the job.
Scheduled At Date and time at which the job is scheduled to run.
Field Description
User Name Name of the person who performed the change. This is the name entered
when the person logged in.
It can be the name under which the LMS application is running, or the name
under which the Telnet connection is established.
Application Name Name of the LMS component involved in the network change. For example,
Change Audit, Device Management, ICServer, NetConfig, and NetShow.
Creation Time Date and the time at which the changes were performed on the LMS server.
Description Brief summary of the change that occurred on the LMS server.
You can click the portlet name in the title bar to navigate directly to the Report Generator page.
Job Approval
In Job Approval portlet, you can view the list of all jobs.
To configure Job Approval portlet, see Configuring the Job Approval portlet.
Table 1-10 lists the Job Approval portlet details.
Field Description
Job ID ID of the job that has been given for approval.
The unique number assigned to the job. For periodic jobs such as Daily, Weekly, and so
on, the job IDs are in the number.x format. The x represents the number of instances of
the job.
For example, 1001.3, indicates that this is the third instance of the job ID 1001.
Click the Job ID hyperlink to view the job details.
Job Description Description of the job.
Job Schedule Date and time for which the job is scheduled.
The Job Approval portlet allows you to approve or reject a job for which you are an approver. A job will
run only if it is approved. If the job is not approved by its scheduled runtime, or if an approver rejects it,
the job is moved to its rejected state and will not run.
For periodic jobs, only one instance of the job needs to be approved. If one instance is approved, all other
instances are also considered as approved.
You are notified by e-mail when a job for which you are an approver is created.
This portlet enforces the approval process by sending job requests through e-mail to people on the
approved list.
You can click the portlet name in the title bar to navigate directly to the Jobs Pending Approval details
page in LMS.
In the Job Approval portlet, you can view the list of Job details.
You can configure the Job Approval portlet to set the number of records to be displayed in the portlet,
and refresh time both manually and automatically.
Field Description
Name Host name or the IP address on which the collector is installed.
Status Status of the Remote Syslog Collector. For example, whether it is
connected.
Received Number of packets received.
Step 1 Move the mouse over the title bar of the Syslog Collector portlet.
Step 2 Click the configuration icon. You can:
• Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The
items in the portlet get refreshed at the changed Refresh frequency.
• Select the check box against the type of syslog message (Filtered, Invalid, Dropped, Forwarded) to
view the respective columns in the Syslog Collector portlet.
– Filtered—Number of filtered messages. Filters are defined with the Message Filters
option. See Defining Syslog Message Filters for more information.
– Invalid—Number of invalid Syslog messages.
– Dropped—Number of Syslog messages dropped.
– Forwarded—Number of forwarded Syslog messages.
Step 3 Click Save to view the portlet with the configured settings.
• Get the latest updates on devices that are supported and those that will be supported in the upcoming
releases.
• Raise a request through mail to support a new device that is not supported.
You can search the support of devices added to the DCR using the following search options:
• IP Address
• Host Name
• Device Name
• Model Name
• SysObjectID
To search using Supported Device Finder portlet:
Step 1 There are three scenarios when the device is not supported:
• If the device is not supported in the current installation the following message appears:
The device is not supported, click here for more information.
• If the requested device is supported in later releases, and not available with your present installation,
the following message appears:
Not supported in Installed version <<version number>>. Support available in version
<< version number>>
Note If the device is not currently supported with your existing package, you can install the latest IDU
from Cisco.com to get the device support.
• If the requested device is not supported in any releases, the following message appears:
The device is not supported, click here for more information.
Step 2 Click the click here link and a popup box appears:
The popup box has the following information:
• OK button to raise a request for the unsupported device.
• Disclaimer: Please note that all efforts will be made to provide support to this request, however we
are unable to commit to a time-line at this moment.
• Links to the latest device updates
• Link to the Supported Devices Table
Step 3 Click OK button to raise a request for the SysObject ID or Model Name. For example, sysobjectId or
Model name.
The SysobjectID or the Model Name appears based on the entries made in the portlet.
The default mail client is launched.
The To field and Subject field have the following address and entries:
• To field: lms-dev-supreq@external.cisco.com
• Subject field: Request for new Device Support. For example, <<Model name /SysObjectId>>
The body lists the application names.
Step 4 Enter Yes against the respective application names for which device support is required.
IP Address
You can use the IP Address option to search the devices that are supported in the LMS application.
To search using the IP Address:
Host Name
You can use the Host Name option to search the devices that are supported in the LMS applications.
To search using the Host Name:
Note The valid Host Name characters are A-Z, a-z, 0-9, _.
All LMS functions are displayed. The supported servers are also displayed.
The LMS applications are:
• Inventory, Config and Image Management
• Network Topology, Layer 2 Services and User Tracking
• Fault Management
• IPSLA Performance Management
• Device Performance Management
For more information on the server supported details, see Step 2 of IP Address.
Device Name
You can use the Device Name option to search the devices that are supported in the LMS applications.
To search using the Device Name:
Note The valid Device Name characters are A-Z, a-z, 0-9, _.
Step 2 Enter a Device Name in the Device Name field and click Submit.
All LMS functions are displayed. The supported servers are also displayed.
For more information on the server supported details, see Step 2 of IP Address.
SysObjectID
You can use the SysObjectID option to search the devices that are supported in the LMS application.
To search using the SysObjectID:
Model Name
You can use the Model Name option to search the devices that are supported in the LMS application.
To search using the Model Name:
Note You can also use a wildcard search, (*), to search for the model name.
Field: Description
VRF Collector Status: Status of the VRF Collector. The two states are:
• Running—Indicates that the VRF collector is running.
• Idle—Indicates that the VRF collector is not running.
VRF Collector Last Completion Time: Indicates the time when the VRF collection is completed.
Total VRFs Discovered: Total number of VRFs discovered. Click the number to launch the Virtual Network Manager Report.
VRF Supported Devices [H/W and S/W Supported]: Number of VRF-supported devices. These devices have both VRF-supported hardware and software. Click the number to launch the VRF Readiness report.
VRF Capable Devices [H/W Supported, S/W Update Required]: Number of VRF-capable devices. These devices have VRF-supported hardware but these devices do not have the supported IOS image for VRF. Click the number to launch the VRF Readiness report.
Field: Description
Collector Name: Name of the Collector. The various collectors in LMS are:
• Inventory Collection
• Config Archive
• EnergyWise Collection
• Device Discovery
• Fault Discovery
• Topology Data Collection
• UT Major Acquisition
• VRF Collection
Succeeded: Indicates if the respective collection has completed successfully.
Note In Inventory Collection, Succeeded gives the count of devices that were successfully inventory collected at least once. In Config Archive, devices in the partial success state are not shown in the Succeeded or Failed columns.
Failed: Indicates if the respective collection has failed.
Note In Inventory Collection, Failed gives the count of devices that have recently failed. A device that was previously successfully inventory collected and recently failed has an entry in both columns. This count should not be compared with the DCR device count.
Last Completion Time: Indicates the time when the collection is completed.
Current Status: Status of the Collector. The two states are:
• Running—Indicates that the collector is running.
• Idle—Indicates that the collector is not running.
Schedule: Click the Schedule link next to the respective collector to launch the corresponding page. You can now schedule the collector.
Step 1 Move the mouse over the title bar of the Collection Summary Portlet.
Step 2 Click the configuration icon.
Step 3 Select the Auto Refresh check box.
Step 4 Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The items
in the portlet get refreshed at the changed Refresh frequency.
Step 5 Click Save to view the portlet with the configured settings.
Note The data in the above portlets is not populated based on device-level or user-level authorization.
Role-based access control is not applicable to the portlets.
Note From LMS 4.2.2, the Collection Summary Portlet page will display the total number of managed devices
in LMS server. The customer can view the detailed list of the devices managed by the LMS server by
clicking the Managed Device count link on the Collection Summary Portlet page.
LMS 4.2 provides security mechanisms that help to prevent unauthenticated access to LMS server, LMS
applications, and data. LMS provides features for managing security while operating in single-server and
multi-server modes.
You can specify the user authentication mode using the Authentication Mode Setup.
This chapter explains the following:
• Managing Security in Single-Server Mode
• Managing Security in Multi-Server Mode
• Setting up the Authentication Mode
• Managing Roles
• Managing Cisco.com Connection
• Support Settings
Step 1 Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup.
The Browser-Server Security Mode Setup dialog box appears.
Step 2 Select the Enable option to enable SSL.
Step 3 Click Apply.
Step 4 Log out from your Cisco Prime session and close all browser sessions.
Step 5 Restart the Daemon Manager from the LMS Server CLI:
On Windows:
a. Enter net stop crmdmgtd
b. Enter net start crmdmgtd
On Solaris/Soft Appliance:
a. Enter /etc/init.d/dmgtd stop
b. Enter /etc/init.d/dmgtd start
Step 6 Restart the browser and the Cisco Prime session.
When you restart the Cisco Prime session after enabling SSL, you must enter the URL with the following
changes:
• The URL should begin with https instead of http to indicate secure connection. Cisco Prime will
automatically redirect you to HTTPS mode if SSL is enabled.
• Change the port number suffix from 1741 to 443.
If you do not make the above changes, LMS Server will automatically redirect you to https mode with
port number 443. The port numbers mentioned above are applicable for LMS Server running on
Windows.
On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a
different port during LMS Server installation.
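A post-change check for the procedure above, given as an added example rather than anything shipped with LMS: it probes the plain-HTTP port and classifies the answer, so you can confirm that port 1741 only redirects to HTTPS on 443 once SSL is enabled. The host name lms.example.net is a placeholder, and the example assumes the redirect arrives as an HTTP 3xx response with a Location header.

```python
import http.client
from urllib.parse import urlsplit

HTTP_PORT = 1741    # plain-HTTP port given on this page (LMS Server on Windows)
HTTPS_PORT = 443    # HTTPS port given on this page (LMS Server on Windows)
REDIRECT_CODES = (301, 302, 303, 307, 308)


def evaluate_http_response(status, location, host, https_port=HTTPS_PORT):
    """Classify what the plain-HTTP port answered after SSL was enabled.

    Returns one of:
      "redirects-to-https"  - 3xx to https://<host>:<https_port>/...
      "redirects-elsewhere" - 3xx to another host or port, or a relative
                              Location that keeps the client on plain HTTP
      "serves-plaintext"    - anything else: content is still served in clear
    """
    if status in REDIRECT_CODES and location:
        target = urlsplit(location)
        # An https URL without an explicit port means 443.
        port = target.port or (443 if target.scheme == "https" else 80)
        same_host = (target.hostname or "").lower() == host.lower()
        if target.scheme == "https" and same_host and port == https_port:
            return "redirects-to-https"
        return "redirects-elsewhere"
    return "serves-plaintext"


def probe_http_port(host, port=HTTP_PORT, timeout=5.0):
    """Send one GET / to the plain-HTTP port; return (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_server(host):
    """Probe a live server and classify the result (needs network access)."""
    return evaluate_http_response(*probe_http_port(host), host)


# Constructed sample responses (status, Location), not captured from a server.
SAMPLES = [
    (302, "https://lms.example.net/"),        # expected once SSL is enabled
    (302, "https://lms.example.net:8443/"),   # HTTPS, but not the expected port
    (302, "/"),                               # relative: client stays on HTTP
    (200, None),                              # content still served over HTTP
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        verdict = evaluate_http_response(status, location, "lms.example.net")
        print(status, location, "->", verdict)
```

On Solaris/Soft Appliance, pass the port chosen at installation to probe_http_port instead of the Windows default.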
Step 1 Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup.
The Browser-Server Security Mode Setup dialog box appears.
Step 2 Select the Disable option to disable SSL.
Step 3 Click Apply.
Step 4 Log out from your Cisco Prime session, and close all browser sessions.
Step 5 Restart the Daemon Manager from the LMS Server CLI:
On Windows:
a. Enter net stop crmdmgtd
b. Enter net start crmdmgtd
On Solaris/Soft Appliance:
a. Enter /etc/init.d/dmgtd stop
b. Enter /etc/init.d/dmgtd start
Step 6 Restart the browser, and the Cisco Prime session.
When you restart the Cisco Prime session after disabling SSL, you must enter the URL with the
following changes:
• The URL should begin with http instead of https to indicate that connection is not secure.
• Change the port number suffix from 443 to 1741.
The port numbers mentioned above are applicable for LMS Server running on Windows.
On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a
different port during LMS Server installation.
Step 1 Select Admin > System > User Management > Local User Policy Setup.
The Local User Policy Setup page appears.
Step 2 Select Allow Special Characters in username to allow special characters in the username.
You can include the following special characters in the username:
Note You can add the special characters including hyphen and period in local username only when
you have selected this check box. You cannot start a local username with special characters
except _ (Underscore).
Step 3 Select Allow Username to start with numbers to allow the first character of a local username to be a
numeral.
You can enter any number between 0 and 9 in the username as the first character if you have enabled this
option.
Step 4 Enter the minimum and maximum length of username of local users.
The default minimum length is 5 characters and the default maximum length is 256 characters.
You can enter any number between 1 and 256 in the minimum and maximum fields.
Ensure that you do not enter a number in minimum username length field that is greater than the number
in maximum username length field.
Step 5 Enter the minimum and maximum length of password of local users.
The default minimum length is 5 characters and the default maximum length is 256 characters.
You can enter any number between 1 and 256 in the minimum and maximum fields.
Ensure that you do not enter a number in minimum password length field that is greater than the number
in maximum password length field.
Step 6 Click Apply to save the changes.
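The policy rules in Steps 2 to 5, as an added example that is not LMS code: it checks a proposed policy for out-of-range or inverted length limits and screens a list of usernames against it before they are added or imported. The set of special characters is an assumption (this page names only hyphen, period and underscore), and the duplicate check relies on the page's statement that usernames are case-insensitive.

```python
from dataclasses import dataclass

# Assumption: the full list of permitted special characters is not reproduced
# on this page; underscore, hyphen and period are the ones it names.
ASSUMED_SPECIALS = "_-."
LIMIT_MIN, LIMIT_MAX = 1, 256   # range the page gives for the length fields


@dataclass
class LocalUserPolicy:
    allow_special: bool = False        # "Allow Special Characters in username"
    allow_leading_digit: bool = False  # "Allow Username to start with numbers"
    user_min: int = 5                  # defaults stated on the page
    user_max: int = 256
    pass_min: int = 5
    pass_max: int = 256

    def problems(self):
        """Return the limit errors Steps 4 and 5 tell you to avoid."""
        out = []
        for label, lo, hi in (("username", self.user_min, self.user_max),
                              ("password", self.pass_min, self.pass_max)):
            for name, value in (("minimum", lo), ("maximum", hi)):
                if not LIMIT_MIN <= value <= LIMIT_MAX:
                    out.append(f"{label} {name} {value} outside 1-256")
            if lo > hi:
                out.append(f"{label} minimum {lo} exceeds maximum {hi}")
        return out


def _is_alnum(ch):
    return ch.isascii() and ch.isalnum()


def username_violations(name, policy):
    """List the policy rules a username breaks (empty list means accepted)."""
    out = []
    if not policy.user_min <= len(name) <= policy.user_max:
        out.append("length")
    if not name:
        return out
    first = name[0]
    if first in "0123456789" and not policy.allow_leading_digit:
        out.append("leading-digit")
    # Only underscore may lead among the special characters.
    if not _is_alnum(first) and first != "_":
        out.append("leading-special")
    bad = sorted({ch for ch in name
                  if not _is_alnum(ch)
                  and not (policy.allow_special and ch in ASSUMED_SPECIALS)})
    out.extend(f"char:{ch}" for ch in bad)
    return out


def audit(usernames, policy):
    """Map each rejected username to its reasons, including duplicates that
    differ only by case."""
    report, seen = {}, set()
    for name in usernames:
        reasons = username_violations(name, policy)
        if name.lower() in seen:
            reasons.append("duplicate")
        seen.add(name.lower())
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    candidates = ["netops", "NetOps", "9admin", "net-admin"]  # constructed
    print(LocalUserPolicy(user_min=10, user_max=8).problems())
    print(audit(candidates, LocalUserPolicy()))
```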
Note The LMS Server Administrator can set the passwords for admin and guest users during installation.
Contact the LMS Server Administrator if you do not know the password for admin.
Note When you import local users, if there are no roles associated with the users, the default role will be
associated with them.
Step 1 Select Admin > System > User Management > Local User Setup.
The Local User Setup page appears.
Step 2 You can do one of the following:
• Import:
– Click Import Users. You can import only files in the XML format.
– Click Browse and select a file from the client.
– Click Submit. To return to the Local User Setup page, click Cancel.
• Export:
– Select the users for whom you want to export information. If you want to select all the users,
you can check the check box next to the User field.
– Click Export. The files exported are in XML format.
A message appears prompting you to open or save the LMSuserExport.xml file. This file is
saved in the client. Click Cancel to return to the Local User Setup page.
Log Files
The information on the users added or imported into the LMS Server is stored in the following files,
when you use the import local user CLI commands:
• /var/adm/CSCOpx/log/AddUser.log (on Solaris/Soft Appliance)
• NMSROOT\log\AddUser.log (on Windows)
The AddUser.log file registers the information on the number of users added or imported into LMS
Server, number of duplicate users, error messages, and other information that you can use for
troubleshooting.
Step 1 Select Admin > System > User Management > Local User Setup.
The Local User Setup page appears.
Step 2 Click Add or Edit.
The User Information dialog box appears with the following fields:
Field Description
Username Enter the username. The value is case-insensitive.
You can control the length of the username, start the username with a
number, or include special characters in the local username.
To do this, you must set up the username and password policy in the Local
User Policy Setup page. See Setting up Local User Policy for information.
Password Enter the password.
You can control the length of the password when you set up policies for local
users. See Setting up Local User Policy for information.
Verify Password Re-enter the password.
E-mail Enter the e-mail ID. This is mandatory if you assign the approver role to the
local user. Otherwise, this is optional.
Authorization Type Select the radio button corresponding to the authorization type. You can
choose from:
• Full Authorization–Select this radio button to enable full authorization
to the user.
• Enable Task Authorization–Select this radio button to enable a role, and
the privileges and tasks associated with the roles, to the user.
After you select this option, you have to select the desired role from the
list of Roles. This is applicable for all devices.
• Enable Device Authorization–Select this radio button to enable
authorization to device groups.
After you select this option, you have to:
– Select the device group from the Device Group.
– Select the role you want to associate with the device group. The user
group can perform the tasks that are assigned to the chosen roles on
the chosen device groups.
Roles Select the check box corresponding to the role to specify the roles to be
assigned to the user from the Roles pane. The user group can perform the
tasks that are assigned to the chosen role on all devices and device groups.
The following roles are available:
• Help Desk
• Approver
• Network Operator
• Network Administrator
• System Administrator
• Super Admin
Network Level Login Credentials Enter the network device login credentials for LMS to communicate with the
network devices.
Username Enter the username.
Password Enter the password.
Verify Password Re-enter the password.
Enable Password Enter the enable password.
Verify Password Re-enter the enable password.
Step 3 Click OK. To return to the Local User Setup page, click Cancel.
Note You can use this CLI command for both system and user-defined roles.
Each local user information should be represented in the following format in the text file:
Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword
where,
• Username — Local username. The local username is case-insensitive.
• Password — Password for the local user account name.
You can leave this field blank in the text file and enter the password in the command line when you
run the CLI utility.
Note that you should enter the password either in the command line or in the input text file. If you
mention the password in both the places, the local user will be added with the password specified in
the command line. On adding the user by giving password in the command line prompt, default role
will be assigned to the user if the role is missing in the input file.
• E-mail — E-mail address of the local user.
This is mandatory if you assign the approver role to the local user. Otherwise, this is optional.
• Roles — Roles to be assigned to the local user. You should assign one or more of the following roles
to the user separated by comma.
– Help Desk
– Approver
– System Administrator
– Network Administrator
– Network Operator
– Super Admin
• DeviceUname—Device login username
• DevicePassword—Device login password
• DeviceEnPassword —Device enable password.
The following is an example of local user information to be represented in the input text file:
admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes
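A pre-import check for the input text file described above, written as an added example (it is not Cisco code and not part of the LMS CLI). It applies the default lengths from the Local User Policy Setup page; the names Policy, check_record and check_file are hypothetical, and the permitted special characters are an assumption because this guide names only hyphen, period and underscore.

```python
from dataclasses import dataclass

# System-defined role names as listed in this guide. Pass your own set
# to include user-defined roles, which the CLI command also accepts.
SYSTEM_ROLES = frozenset({
    "Help Desk", "Approver", "Network Operator",
    "Network Administrator", "System Administrator", "Super Admin",
})


@dataclass(frozen=True)
class Policy:
    """Local user policy; defaults follow the Local User Policy Setup page."""
    min_user: int = 5
    max_user: int = 256
    min_pass: int = 5
    max_pass: int = 256
    allow_special: bool = False        # "Allow Special Characters in username"
    allow_leading_digit: bool = False  # "Allow Username to start with numbers"
    special_chars: str = "-._"         # assumption: only these are named


def check_username(user, policy):
    problems = []
    if not policy.min_user <= len(user) <= policy.max_user:
        problems.append("username length outside policy")
    if user:
        first = user[0]
        if first.isdigit() and not policy.allow_leading_digit:
            problems.append("username starts with a numeral")
        if not first.isalnum() and first != "_":
            problems.append("username starts with a special character")
    for ch in user:
        if ch.isalnum():
            continue
        # Assumption: every non-alphanumeric character needs the check box.
        if not policy.allow_special or ch not in policy.special_chars:
            problems.append(f"character {ch!r} not permitted in username")
            break
    return problems


def check_record(line, policy=Policy(), known_roles=SYSTEM_ROLES):
    """Return the problems found in one record (empty list means clean)."""
    fields = line.rstrip("\r\n").split(":")
    if len(fields) != 7:
        return [f"expected 7 fields, found {len(fields)}"]
    user, password, email, roles = fields[:4]
    problems = check_username(user, policy)
    if password:  # blank is allowed: the password can be given on the command line
        if not policy.min_pass <= len(password) <= policy.max_pass:
            problems.append("password length outside policy")
        if password.lower() == user.lower():  # added check, not an LMS rule
            problems.append("password is the same as the username")
    role_list = [r.strip() for r in roles.split(",") if r.strip()]
    for role in role_list:
        if role not in known_roles:
            problems.append(f"unknown role {role!r}")
    if "Approver" in role_list and not email:
        problems.append("e-mail is mandatory for the Approver role")
    return problems


def check_file(text, policy=Policy(), known_roles=SYSTEM_ROLES):
    """Check every record; return {line_number: [problems]} for bad lines."""
    report, seen = {}, {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        problems = check_record(line, policy, known_roles)
        user = line.split(":", 1)[0].lower()  # usernames are case-insensitive
        if user in seen:
            problems.append(f"duplicate of line {seen[user]}")
        else:
            seen[user] = number
        if problems:
            report[number] = problems
    return report


# Constructed sample input; the first record is the example from this guide.
SAMPLE = """\
admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes
netops01::ops@example.com:Network Operator:admin:roZes123:roZes
approver1:::Approver:::
ADMIN123::a@example.com:Helpdesk:::
9lives::c@example.com:Help Desk:::
"""

if __name__ == "__main__":
    for number, problems in check_file(SAMPLE).items():
        print(f"line {number}: " + "; ".join(problems))
```

The input file holds LMS and device passwords in clear text, so leaving the Password field blank and restricting who can read the file keeps fewer credentials on disk.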
Log Files
The user information added or imported into the LMS Server is stored in the following files, when you
use the import local user CLI command:
• /var/adm/CSCOpx/log/AddUser.log (on Solaris/Soft Appliance)
• NMSROOT\log\AddUser.log (on Windows)
The AddUser.log file registers the information on the number of users added or imported into LMS
Server, number of duplicate users, error messages and other information that you can use for
troubleshooting.
Step 1 Select Admin > System > User Management > Local User Setup.
The Local User Setup page appears.
Step 2 Click Modify My Profile to modify the credentials of the logged in user and the network device login
credentials.
Step 3 Enter the user login details like username, password, and e-mail address.
The E-mail field is mandatory if you assign the approver role to the local user, otherwise, this is optional.
Step 4 Enter the network device login credentials for LMS to communicate with the network devices.
Enter the values for username, password, and enable password.
Step 5 Click OK. To return to the Local User Setup page without saving the modifications, click Cancel.
Note If you regenerate the certificate, when you are in multi-server mode, existing peer relations might break.
The peers need to re-import the certificate in this scenario.
Step 1 Select Admin > Trust Management > Local Server > Certificate Setup.
The Certificate Setup page appears.
Step 2 Enter the values required for the fields described in the following table:
Field Usage Notes
Country Name Two character country code.
State or Province Two character state or province code or the complete name of the
state or province.
City Two character city or town code or the complete name of the city or
town.
Organization Name Complete name of your organization or an abbreviation.
Organization Unit Name Complete name of your department or an abbreviation.
Server Name DNS name, IP Address, or hostname of the computer.
Enter the server name with a proper and resolvable domain name.
This is displayed on your certificate (whether self-signed or third
party issued). Local host or 127.0.0.1 should not be given.
Email Address E-mail address to which the mail has to be sent.
This section describes the features that enable secure communication between peer servers in a
multi-server domain.
This section contains:
• Setting up Peer Server Account
• Setting up System Identity Account
• Setting up Peer Server Certificate
• Enabling Single Sign-On
Step 1 Select Admin > Trust Management > Multi Server > Peer Server Account Setup.
The Peer Server Account Setup page appears.
Step 2 Click Add.
The Peer Server Account Setup page appears.
Step 3 Enter the username in the Username field.
Step 4 Enter the password in the Password field.
Step 5 Re-enter the password in the Verify field.
Step 6 Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.
Step 1 Select Admin > Trust Management > Multi Server > Peer Server Account Setup.
Step 2 Click Edit.
The Peer Server Account Setup page appears.
Step 3 Enter the password in the Password field.
Step 4 Re-enter the password in the Verify field.
Step 5 Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.
Step 1 Select Admin > Trust Management > Multi Server > Peer Server Account Setup.
The Peer Server Account Setup page appears.
Step 2 Select the check box corresponding to the user you want to delete.
Step 3 Click Delete.
The confirmation dialog box appears.
Step 4 Click OK to confirm. To return to the Peer Server Account Setup page without saving the changes, click
Cancel.
Step 1 Select Admin > Trust Management > Multi Server > System Identity Setup.
Step 2 Enter the username in the Username field.
Step 3 Enter the password in the Password field.
Step 4 Re-enter the password in the Verify field.
Step 5 Click Apply.
Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and
authenticity between Master and Slave.
The System Identity User password you specify in Master and Slave should be the same.
We recommend that you have the same user name and password across Master and Slave.
Step 1 Select Admin > Trust Management > Multi Server > Peer Server Certificate Setup.
The Peer Server Certificate page appears with a list of certificates imported from other servers.
Step 2 Click Add.
Step 3 Enter the IP address/hostname of peer LMS Server in the corresponding fields.
If you specify a server name, it must be entered in DNS. Otherwise specify the IP Address.
Step 4 Enter the value of the SSL (HTTPS) Port of the peer LMS Server. The default SSL(HTTPS) Port of the
peer LMS Server is 443.
Step 5 Click OK. To return to the Peer Server Certificate page, click Cancel.
Step 1 Select the check box corresponding to the certificate you want to delete.
Step 2 Click Delete.
The confirmation dialog box appears.
Step 3 Click OK to confirm. To return to the Peer Server Certificate page, click Cancel.
You can also view the details of the client certificates. For this, select the check box corresponding to
the certificate and click View.
Single Sign-On is used only for authentication and not for authorization. In Single Sign-On,
authentication always takes place from the Single Sign-On Master server (Authentication Server-AS).
Hence, you need to provide the username and password as configured in Single Sign-On AS.
Authorization happens at the respective servers.
If Regular Server (RS) is configured for any Pluggable Authentication Module (PAM), say Active
Directory (AD), and AS is configured for Local Authentication, then authentication happens as per the
credentials in Local Authentication (AS) and vice versa.
For example, if server A is configured as Single Sign-On Master (AS) and the AAA mode setup is Active
Directory (AD) and Server B is configured as Single Sign-On Slave (RS) and the AAA mode setup is
Local Authentication:
When you log in to server B (http://B:1741), your authentication request is forwarded to server A (AS)
and you get authenticated according to the username and password configured in AD. However,
authorization happens only in server B.
The privileges for the logged in user in any server within the Single Sign-On domain will depend upon
the user roles configured in that server. If the user is present only in the Single Sign-On Authentication
Server and not in the Regular Server, then that user gets authenticated according to the credentials in the
authentication server, but has only HelpDesk privileges in the Regular Server.
We recommend that you:
• Add the user across all servers within the Single Sign-On domain.
• Assign appropriate roles to the user, in each of the LMS Servers.
See Setting up System Identity Account for more information on how to set up System Identity User.
Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and
authenticity between Master and Slave.
The System Identity User password you specify in Master and Slave should be the same.
We recommend that you have the same user name and password across Master and Slave.
To configure the Master Self Signed Certificate in the Slave, select Admin > Trust Management >
Multi Server > Peer Server Certificate Setup.
The Common Name (CN) in the certificate should match with the Master server name. Otherwise, it
would not be considered as a valid certificate.
You must specify the URL, with the context while registering the server link.
For example, let ABC and XYZ be part of the same Single Sign-On domain. You can register the link for
ABC on XYZ. While registering server ABC in XYZ, you have to specify the URL as:
http://ABC:1741/cwhp/cwhp.applications.do
If ABC is running in HTTPS mode, you have to specify the URL as:
https://ABC:443/cwhp/cwhp.applications.do
In the above example, clicking on the registered link will launch the Cisco Prime home page of server
ABC.
Note We recommend that you do not use the IP address of the servers that are part of Single Sign-On or
localhost, while specifying the URL.
For example, suppose ABC and XYZ are part of a Single Sign-On domain.
Only one server is configured to be in the Master mode. All other servers are configured as Slaves. If the
server is configured as a Single Sign-On Regular server (Slave), you should provide the following
details:
• Master server name
The Master server name must be DNS resolvable. If you change the name of the Single Sign-On
Master server, in the /etc/hosts file, you must restart the Daemon Manager for the name resolution
to reflect in the Slave.
If you have configured more than one Single Sign-On Slave server for a Single Sign-On Master
server, you must ensure that you enter either the fully qualified domain name or hostname of the
Master consistently in all the Slave servers.
Authentication will not occur if you enter a domain name of the Master in a Single Sign-On Slave
and hostname of the Master in another Single Sign-On Slave of the same Master server.
• Login Port of the Master (443)
To change the Single Sign-On mode to Standalone:
Step 1 Select Admin > Trust Management > Multi Server > Single Sign-On Setup.
The Single Sign-On Setup page shows the current Single Sign-On mode.
Step 2 Select Standalone (Normal) radio button.
Step 3 Click Apply. To return to the Cisco Prime home page, click Cancel.
Step 1 Select Admin > Trust Management > Multi Server > Single Sign-On Setup.
The Single Sign-On Setup page shows the current Single Sign-On mode.
Step 2 Select the Master (SSO Authentication Server) radio button.
Step 3 Click Apply. To return to the Cisco Prime home page, click Cancel.
Step 1 Select Admin > Trust Management > Multi Server > Single Sign-On Setup.
The Single Sign-On Setup page shows the current Single Sign-On mode.
Step 2 Select the Slave (SSO Regular Server) radio button.
Step 3 Enter the Master server name and port number.
If you select the Slave mode, ensure that you specify the Master server name and port. The default port
is 443. The server configured as Master (or Authentication Server) should be DNS resolvable.
Option: Allow all Local Authentication users to fallback to the Local Authentication login.
Description: All users can access Cisco Prime using the Local login if the current login module fails and only if
PAM is unreachable.
Option: Only allow the following user to fallback to the Local Authentication login if preceding login
fails: username.
Description: Specified users can access Cisco Prime using the Local login if the current login module fails. Use
commas between user names.
Option: Allow no fallbacks to the Local Authentication login.
Description: No access is allowed if the current login module fails.
Debugging
Cisco Prime allows you to enable debugging on the current login module so that you have additional
information in the log files that you can use for troubleshooting. Turn debugging on only when requested
to do so by your customer service representative.
Enabling debugging does not alter the behavior of the modules.
Debugging information is not exposed in the user interface, but is stored in the stdout.log file in the
following locations:
• NMSROOT/MDC/tomcat/logs/stdout.log (on Solaris/Soft Appliance)
• NMSROOT\MDC\tomcat\logs\stdout.log (on Windows)
where NMSROOT is the Cisco Prime installation directory.
• Local Authentication
• Local Unix System
• Local NT System
• MS Active Directory
• RADIUS
• TACACS+
The login username is case sensitive when you use the following login modules:
• Local Unix System
• RADIUS (only on Solaris)
• TACACS+ (only on Solaris)
Step 3 Select a login module.
Step 4 Click Change.
The Login Module Options popup window appears.
Step 5 Enter the corresponding login module information.
See the respective login module section for login module options.
Step 6 Click OK. To return to the Authentication Mode Setup page, click Cancel.
Field Description
Selected Login Module Local UNIX System.
Description Cisco Prime native Solaris module.
Debug Set to False, by default.
Set to True for debugging purposes, when requested by your customer
service representative.
Login fallback options Set the option for fallback to the Local Authentication module if the
alternative service fails.
Step 4 Click OK. To return to the Authentication Mode Setup page, click Cancel.
Field Description
Selected Login Module Local NT System.
Description Cisco Prime native NT login module.
Debug Set to False, by default.
Set to True for debugging purposes, when requested by your customer
service representative.
Domain Set to localhost.
Login fallback options Set the option for fallback to the Local Authentication module if the
alternative service fails.
Step 4 Click OK. To return to the Authentication Mode Setup page, click Cancel.
You have to configure RDN-Prefix and Usersroot in Cisco Prime. The login name is appended to
RDN-Prefix when the user logs into Cisco Prime.
For example, a distinguished name could be represented as:
cn=User_Name, ou=org1, dc=embu, dc=cisco. The RDN Prefix is cn=, User login is User_Name, and
Usersroot is ou=org1, dc=embu, dc=cisco.
A Distinguished Name is composed of cn (any numbers), ou (any numbers) and dc (any numbers).
You can specify more than one usersroot value. Each usersroot value should be separated by a
semicolon.
• User Principal Name (UPN)
User principal name is composed of two parts, User login and User Principal Name Suffix
(UPN-Suffix).
The User Principal Name suffix configured in Cisco Prime is appended to the login name when the
user logs into Cisco Prime.
The second part of the UPN, the UPN suffix, identifies the domain in which the user account is
located. This UPN suffix can be the DNS name of any domain, or it can be an alternative name
created by an administrator and used just for log in purposes.
For example, a User Principal Name could be represented as user1@mydept.mycompany.com, where
user1 is the login name and @mydept.mycompany.com represents the UPN-Suffix.
• Domain name
You should configure the Active Directory domain name in Cisco Prime that contains a set of users
which needs to be integrated, for a domain based authentication.
For example, if you want the users of MyDomain domain in MS Active Directory server to be
authenticated in LMS Server, you should specify MyDomain in this field.
Each domain also has a pre-Windows 2000 domain name for use by computers running operating
systems released earlier than Windows 2000 operating systems. Similarly each user account has a
pre-Windows 2000 user login name.
The user account in the DomainName\UserName format used to log into the operating systems
released earlier than Windows 2000 operating systems is called Security Account Manager (SAM)
account. You can also configure SAM account in the LDAP server and enter the same name in Cisco
Prime when you change the login module to Microsoft Active Directory.
When the Distinguished Name based authentication to the Active Directory server fails, Cisco Prime
attempts to authenticate to the Active Directory server using the User Principal Name string.
When both the Distinguished Name based authentication and the User Principal Name based
authentication fail, LMS Server tries to authenticate using the Domain name.
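The three login identities described above, built in the order the guide gives (Distinguished Name, then User Principal Name, then Domain), as an added example that is not Cisco code. ADModuleOptions, bind_candidates and the other names are hypothetical; trying each Usersroot value in listed order and escaping the login name per RFC 4514 are choices made by this example, and the guide does not say whether LMS does either.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ADModuleOptions:
    """Subset of the MS Active Directory login module options."""
    usersroot: str = "cn=users, dc=servername, dc=company, dc=com"
    rdn_prefix: str = "cn="
    upn_suffix: str = ""
    ad_domain: str = ""


def escape_rdn_value(value):
    """Escape a login name for use as an RDN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_candidates(login, opts):
    """Return (method, identity) pairs in the order they would be tried."""
    if not login:
        raise ValueError("empty login name")
    candidates = []
    if opts.rdn_prefix and opts.usersroot:
        rdn = opts.rdn_prefix + escape_rdn_value(login)
        for root in opts.usersroot.split(";"):  # multiple roots use ';'
            root = root.strip()
            if root:
                candidates.append(("dn", f"{rdn},{root}"))
    if opts.upn_suffix:
        candidates.append(("upn", login + opts.upn_suffix))
    if opts.ad_domain:
        candidates.append(("sam", f"{opts.ad_domain}\\{login}"))
    return candidates


def split_rdns(dn):
    """Split a DN on unescaped commas, to show its component count."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


# Constructed options, using the example values from this guide.
SAMPLE_OPTS = ADModuleOptions(
    usersroot="ou=myDept, dc=myCompany, dc=com; "
              "ou=Dept1, ou=Dept2, dc=myCompany, dc=com",
    upn_suffix="@mydept.mycompany.com",
    ad_domain="MyDomain",
)

if __name__ == "__main__":
    for method, identity in bind_candidates("MyUser", SAMPLE_OPTS):
        print(f"{method:4} {identity}")
    # A login name containing a comma stays one RDN once it is escaped.
    dn = bind_candidates("Smith, J", SAMPLE_OPTS)[0][1]
    print(dn, "->", len(split_rdns(dn)), "components")
```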
To change login module to MS Active Directory:
The Login Module Options popup window appears with the following details:
Field Description
Selected Login Module Name of the login module (MS Active Directory) you have selected in the
Authentication Mode setup page.
Description Brief description about the login module you have selected.
For the MS Active Directory login module, the description displayed is
Cisco Prime MS Active Directory module.
Server Name of the LDAP server.
Default set to ldap://ldap.company.com.
Usersroot User objects in MS Active Directory.
Default set to cn=users, dc=servername, dc=company, dc=com.
For example, if users in the Active Directory have
ou=myDept, dc=myCompany, dc=com in their Distinguished Name (DN)
strings, you should specify the same in this field to integrate the LMS Server
with the MS Active Directory server.
You can also enter multiple usersroot values separated by semicolon.
For example, you can enter ou=myDept, dc=myCompany, dc=com;
ou=Dept1, ou=Dept2, dc=myCompany, dc=com.
When you integrate your LMS Server with MS Active Directory server, you should
configure this field for a Distinguished Name based authentication.
If you are using Windows 2008 Active Directory, you have to provide the
complete Usersroot information (including cn=Username). This is because
Windows 2008 Active Directory implementation has disabled anonymous
search requests.
Otherwise, if your Active Directory Server allows anonymous binds, you
need to specify only dc=servername, dc=company, dc=com.
RDN-Prefix String prefixed with login username to form a Relative Distinguished Name
(RDN).
Default is set to cn=.
For example when you have configured this field as cn= and log into the
server as MyUser, the RDN formed is cn=MyUser.
When you integrate your LMS Server with MS Active Directory server, you must
configure this field for a Distinguished Name based authentication.
UPN-Suffix String suffixed with login username, usually the domain in which the user
account is located to form a User Principal name.
You should configure this field for a UPN based authentication.
For example, if the UPN of Active Directory users who need to be
integrated with Cisco Prime are user1@mydept.mycompany.com,
user2@mydept.mycompany.com, and user3@mydept.mycompany.com, you
should mention @mydept.mycompany.com in this field.
AD-Domain Active Directory domain.
You should configure this field for a domain based authentication. Users of
the specified domain in MS Active Directory server are authenticated when
you integrate the LMS Server with MS Active Directory server.
Debug Set to False, by default.
Set to True for debugging purposes, when requested by your customer
service representative.
Login fallback options Set the option for fallback to the Local Authentication module if the
alternative service fails.
You can set any of the following options:
• Allow all Local Authentication users to fallback to the Local
Authentication login.
• Allow only the specified users to fallback to the Local Authentication
login.
When you select this option, you should enter one or more Local
Authentication usernames separated by commas.
This is the default login fallback option.
• Do not allow any fallback to the Local Authentication login.
Step 4 Click OK. To return to the Authentication Mode Setup page, click Cancel.
After the integration of LMS Server with MS Active Directory server, you can log into LMS Server with
an Active Directory username and the corresponding password.
MS Active Directory server provides authentication services to LMS Server by the default simple
authentication mechanism.
To provide a secure authentication mechanism with DIGEST-MD5 to LMS Server, you should:
Step 1 Edit the Account Options of a user in the MS Active Directory Server and enable the Store password
using reversible encryption option.
Step 2 Reset the password of the user to authenticate properly.
Step 3 Configure the cam.properties file in LMS Server located at NMSRoot/lib/classpath, where NMSRoot is
your Cisco Prime Installation directory.
You must change the following line in the cam.properties file from:
#LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
to
LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
If you want the secure authentication mechanism to fallback to simple authentication mechanism, you
must configure the LDAP_FALLBACK_AUTHENTICATION_NEED property.
You must change the following line in the cam.properties file from:
#LDAP_FALLBACK_AUTHENTICATION_NEED=True
to
LDAP_FALLBACK_AUTHENTICATION_NEED=True
Step 4 Save the changes to the cam.properties file.
Digest-MD5 authentication supports only User Principal Name and Security Account Manager user
accounts. You cannot log into LMS Server with the User login name.
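A read-only audit of the two cam.properties lines edited in the procedure above, as an added example that is not Cisco code. The function names are hypothetical, the sample file contents are constructed from the two lines the guide quotes, and comparing the True value without regard to case is an assumption.

```python
def parse_properties(text):
    """Return the active key/value pairs; '#' and '!' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def ldap_auth_posture(text, server_url="ldap://ldap.company.com"):
    """Report which LDAP authentication mechanism the file puts in effect.

    server_url is the Server field of the MS Active Directory login module
    (the default value from this guide is used when none is given).
    """
    props = parse_properties(text)
    raw = props.get("LDAP_AUTHENTICATION_MECHANISM")
    digest = raw is not None and raw.upper() == "DIGEST-MD5"
    # Assumption: the value is compared without regard to case.
    fallback = digest and props.get(
        "LDAP_FALLBACK_AUTHENTICATION_NEED", "").lower() == "true"

    findings = []
    if raw is not None and not digest:
        findings.append(f"unexpected mechanism value {raw!r}")
    if not digest:
        findings.append("simple authentication is in effect")
    if fallback:
        findings.append("DIGEST-MD5 can fall back to simple authentication")
    if (not digest or fallback) and server_url.lower().startswith("ldap://"):
        findings.append(
            "a simple bind over ldap:// sends the password in clear text")
    if digest:
        findings.append(
            "AD accounts need 'Store password using reversible encryption'")
    return {
        "mechanism": "DIGEST-MD5" if digest else "simple",
        "fallback_to_simple": fallback,
        "findings": findings,
    }


# Constructed file contents for the three states the procedure can leave.
BOTH_COMMENTED = """\
#LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
#LDAP_FALLBACK_AUTHENTICATION_NEED=True
"""
DIGEST_ONLY = """\
LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
#LDAP_FALLBACK_AUTHENTICATION_NEED=True
"""
DIGEST_WITH_FALLBACK = """\
LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
LDAP_FALLBACK_AUTHENTICATION_NEED=True
"""

if __name__ == "__main__":
    for name, text in [("both commented", BOTH_COMMENTED),
                       ("digest only", DIGEST_ONLY),
                       ("digest with fallback", DIGEST_WITH_FALLBACK)]:
        posture = ldap_auth_posture(text)
        print(name, "->", posture["mechanism"])
        for finding in posture["findings"]:
            print("   ", finding)
```

Run it against a copy of the cam.properties file from NMSRoot/lib/classpath; the reversible-encryption finding is a reminder that Step 1 changes how Active Directory stores those users' passwords.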
Active Directory users who are logged into Cisco Prime, have the privileges of a Help Desk role. To
assign other privileges to Active Directory users, you must set up a user in Cisco Prime with the same
name.
For example, to assign the System Administrator privileges to the MS Active Directory users User1 and
User2 in Cisco Prime, you must set up User1 and User2 in Cisco Prime and assign the System Administrator
role to them. When the users log into Cisco Prime, they also have the System Administrator privileges.
Field Description
Selected Login Module RADIUS.
Description Cisco Prime RADIUS module.
Server Set to module type servername, radius.company.com.
Port Set to 1645. Attempt to override it only if your authentication
server was configured with a non-default port.
Key Enter the secret key.
Debug Set to False, by default.
Set to True for debugging purposes, when requested by your
customer service representative.
Login fallback options Set the option for fallback to the Local Authentication module if
the alternative service fails.
Step 4 Click OK. To return to the Authentication Mode Setup page, click Cancel.
Field Description
Selected Login Module TACACS+.
Description Cisco Prime TACACS+ login module.
Server Set to module type tacacs.company.com
Port Set to 49. The listed port number is the default for this
protocol.
Attempt to override it only if your authentication server was
configured with a non-default port.
Secondary Server Set to module type tacacs.company.com. This is the secondary
fallback server.
Secondary Port Set to 49. The listed port number is the default for this
protocol.
Attempt to override it only if your authentication server was
configured with a non-default port.
Tertiary Server Set to module type tacacs.company.com. This is the tertiary
fallback server.
Tertiary Port Set to 49. The listed port number is the default for this
protocol.
Attempt to override it only if your authentication server was
configured with a non-default port.
Key Enter the secret key.
Debug Set to False, by default.
Set to True for debugging purposes, when requested by your
customer service representative.
Login fallback options Set the option for fallback to the Local Authentication module
if the alternative service fails.
Note The values True or False should not be entered in the Server, Secondary Server and Tertiary
Server fields, the corresponding Port fields or the Key field.
Step 4 Click OK. To return to the Authentication Mode Setup page, click Cancel.
After you change the login module, you do not have to restart Cisco Prime. The user who logs in after
the change automatically uses the new module. Changes to the login module are logged in the following
files:
• NMSROOT/MDC/Tomcat/logs/stdout.log (On Solaris/Soft Appliance)
• NMSROOT\MDC\Tomcat\logs\stdout.log (On Windows)
where NMSROOT is your Cisco Prime Installation directory.
Managing Roles
After authentication, your authorization is based on the privileges that have been assigned to you. A
privilege is a task or an operation defined within the application. The set of privileges assigned to you
defines your role.
The LMS authorization scheme provides you with the following system-defined roles.
• Help Desk — Can access network status information only. Can access persisted data on the system
and cannot perform any action on a device or schedule a job which will reach the network.
• Approver — Can approve all tasks.
• Network Operator — Can perform all Help Desk tasks. Can perform tasks related to network data
collection. Cannot perform any task that requires write access on the network.
• Network Administrator — Can perform all Network Operators tasks. Can perform tasks that result
in a network configuration change.
• System Administrator — Can perform all Cisco Prime system administration tasks.
• Super Admin — Can perform all Cisco Prime operations including the administration and approval
tasks. This role has full privileges.
You can select a role and set it as the default role. After installing LMS 4.2, Help Desk will be the default
role.
If you do not want to use the system-defined roles, you can create custom roles and associate tasks to
them. You can also remove all the custom roles and retain only the predefined roles using a CLI tool.
See Removing Custom Roles Using CLI.
To manage roles:
Step 1 Select Admin > System > User Management > Role Management Setup. The Role Management
Setup Page appears with the available roles, their descriptions, and the default role.
Button Description
Add Click Add to add user-defined roles. The Role Management Page appears.
To add a role:
1. Enter the role name and description.
2. Select the tasks that have to be assigned to the new role.
The task can be identified using the search option. The search uses the task name and the task
description to perform a complete search. The search results and All tab contents are
synchronized. Any selections made on search results will be reflected in the All tab. For more details,
see Searching LMS Tasks.
3. Click OK to add the new role or click Cancel to return to the Role Management Setup Page.
For more information on the various tasks in LMS 4.2, see Understanding LMS Tasks.
Edit Select a user-defined role and click Edit to edit the role. The Role Management Page appears. To edit
a role:
1. Modify the role description if required.
2. Select or deselect the check box corresponding to the required tasks.
3. Click OK to save the changes, or click Cancel to return to the Role Management Setup Page.
Delete To delete a role:
1. Select one or more user-defined roles and click Delete to delete the roles.
2. Click OK to confirm or Cancel to return to the Role Management Setup Page.
If the deleted role is assigned to any user, then it will remove the association of this role with the user.
Copy You can use this option to modify a system-defined role.
To copy a role:
1. Select a role from the roles and click Copy. The Role Management Page appears.
2. Enter the role name and description.
3. Select or deselect the check box corresponding to the tasks.
4. Click OK to add the new role, or click Cancel to return to the Role Management Setup Page.
Export You can export roles only in the XML format. The file will be saved in the client.
To export roles:
Select the user-defined roles that you want to export and click Export. A message appears prompting
you to open or save the LMSRoleExport.xml file.
Import You can import roles only in the XML format.
To import roles:
1. Click Import.
2. Click Browse and select a file from the client.
3. Specify if you want to overwrite, merge or back up the existing roles when you import roles.
You can choose to:
• Overwrite—Roles with the same names will be overwritten.
• Merge—Roles with the same names will be updated with details of the existing role and details
of the imported role.
• Backup—Roles with the same names will be overwritten. The existing role will be renamed as
CopyOf<Role name>.
4. Click Submit to import the roles or Cancel to return to the Role Management Setup Page.
Set as Default Default role will be assigned to users who:
• Do not have any role assigned to them.
• Have logged in using an external authentication server, like PAM, and are not available in the local
database.
When multiple roles are set as default roles, the user is assigned all the roles selected as
default roles.
If there is no default role configured, then authorization will fail for users who:
• Do not have any role assigned to them.
• Have logged in using an external authentication server, like PAM, and are not available in the local
database.
To set a default role:
1. Select a role from the roles listed in the Role Management Setup Page.
2. Click Set as Default. The selected roles will be the default roles.
Clear Default Click Clear Default to clear the default role. After you clear the default role, authorization will fail
for any user who has no other role assigned.
Note After adding roles, you must assign one or more roles to your users. To do so, select Admin > System > User
Management > Local User Setup.
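The following Python sketch is an added example, not code from LMS or from this guide. It models the three import conflict modes and the default-role rule described above, so you can see which users would gain tasks before you submit an import. The role names, task names and user names are constructed, and treating Merge as the union of both task sets is an assumption.

```python
import copy

# Constructed sample data: role, task and user names are illustrative only.
EXISTING = {
    "NocView": {"description": "Read-only NOC role", "tasks": {"View Process Status"}},
    "BackupOps": {"description": "Backup operators", "tasks": {"Schedule Backup"}},
}
IMPORTED = {
    "NocView": {"description": "NOC role exported from another server",
                "tasks": {"Start Process", "Stop Process"}},
}
# Users present in the local database and the roles assigned to them.
ASSIGNMENTS = {"bob": {"BackupOps"}}

MODES = ("overwrite", "merge", "backup")


def import_roles(existing, imported, mode):
    """Return the role store that results from importing `imported`."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    store = copy.deepcopy(existing)
    for name, role in imported.items():
        incoming = copy.deepcopy(role)
        if name in store:
            if mode == "merge":
                # Assumption: "details of the existing role and details of the
                # imported role" is modelled as the union of both task sets.
                incoming["tasks"] |= store[name]["tasks"]
            elif mode == "backup":
                # The existing role survives under the name CopyOf<Role name>.
                store["CopyOf" + name] = store[name]
        store[name] = incoming
    return store


def effective_roles(user, assignments, default_roles):
    """Roles used for authorization, following the default-role rule.

    A user missing from `assignments` stands for someone authenticated by an
    external server (for example PAM) who is not in the local database.
    """
    assigned = assignments.get(user)
    if assigned:
        return set(assigned)
    if not default_roles:
        raise PermissionError(f"{user}: no role assigned and no default role configured")
    return set(default_roles)


def effective_tasks(user, assignments, default_roles, store):
    tasks = set()
    for role in effective_roles(user, assignments, default_roles):
        tasks |= store.get(role, {"tasks": set()})["tasks"]
    return tasks


def tasks_gained(users, assignments, default_roles, before, after):
    """Per user, the tasks that an import would add to what they can do."""
    gained = {}
    for user in users:
        delta = (effective_tasks(user, assignments, default_roles, after)
                 - effective_tasks(user, assignments, default_roles, before))
        if delta:
            gained[user] = delta
    return gained


if __name__ == "__main__":
    after = import_roles(EXISTING, IMPORTED, "overwrite")
    # pam_alice is not in the local database, so she receives the default role.
    print(tasks_gained(["pam_alice", "bob"], ASSIGNMENTS, {"NocView"}, EXISTING, after))
```

Because every user without an assigned role inherits the default roles, a role that is set as default deserves the closest review when an import file contains a role of the same name.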
Step 1 Specify the exact task name or the first few characters of the task name in the search text box and click
the search icon. The task name is case-insensitive.
For example, enter admin or *admin or admin* or *change* in the search text box.
• admin – will search for the task and task description that contains the exact term admin.
• *admin – will search for the task and task description that ends with the term admin either in task
name or description.
• admin* – will search for the task and task description that begins with the term admin either in task
name or description.
• *change* – will search for the task and task description that contains the term change.
If there are no search results generated, then a pop-up window appears.
Note You are not allowed to use any other wildcard character apart from *.
Step 2 Click the Search Results tab to see the corresponding search result.
In the All tab, the task tree will be in a collapsed state, whereas in the Search Results tab, the task tree
will be in the expanded state.
You will note that when you select or unselect a particular set of tasks in the Search Results tab, the
same set of tasks will be automatically selected or unselected in the All tab.
Support Settings
From LMS 4.2.2, Cisco Prime LAN Management Solution supports the Support Settings feature, which
allows the user to set the following two types of interactions:
• Enabling interactions directly from the LMS server
• Enabling interactions only through client system
For more information on creating a new service request and updating an existing service request, see
the Creating/Updating Support Case section in Getting Started with Cisco Prime LAN Management
Solution 4.2.
LMS includes several administrative features to ensure that the server is performing properly. You can
manage processes, set up backup parameters, update licensing information, collect server information,
manage jobs and resources, and configure system-wide information on the LMS Server.
• Using Daemon Manager
• Managing Processes
• Backing Up Data
• Backup for Cisco Prime Infrastructure
• Licensing Cisco Prime LMS
• Compliance and Audit Manager (CAAM) Server License
This chapter has the following information:
• Using Daemon Manager
• Managing Processes
• Backing Up Data
• Licensing Cisco Prime LMS
• Configuring a Default SMTP Server
• Collecting Server Information
• Collecting Self Test Information
• Messaging Online Users
• Managing Resources
• Modifying System Preferences
• Configuring Log Files Rotation
• Configuring Disk Space Threshold Limit
• Effects of Third Party Backup Utility and Virus Scanner
• Configuring TFTP
• Cisco Prime Integration Application Settings
Do not start the Daemon Manager immediately after you stop it. The ports used by Daemon Manager
will be in use for some more time even after the Daemon Manager is stopped. Wait for at least one minute
before you start the Daemon Manager.
If the system resources are less than the resources required to install the application, a Daemon Manager
restart displays warning messages that are logged in syslog.log.
Managing Processes
Cisco Prime applications use back-end processes to manage application-specific activities or jobs. The
process management tools enable you to manage these backend processes to optimize or troubleshoot
the LMS Server.
You can do the following activities:
• View the details of all processes
• Filter and show only processes of a specific state
• Start the processes
• Stop the processes
All mandatory processes are started when you start the system.
See LMS Back-end Processes for a list of Cisco Prime back-end processes used by LMS.
You can manage the Cisco Prime processes through CLI. See Managing Processes Through CLI for more
information.
Note Your role and privileges determine whether you can use this option.
Process States
The state of a Cisco Prime backend process falls into one of the following categories:
State Description
Running normally Processes are started and are running normally.
Sometimes, you find the state of a few processes as follows:
Program started - No mgt msgs received
This indicates that the processes are started automatically at boot and are
running normally.
Never started Processes that cannot start automatically and are to be started by operator
or administrator.
Failed to run Processes that failed to start because of an error in the system.
Administratively shutdown Processes that are stopped by the system or by the administrator.
Transient Terminated Terminated transient processes.
Processes that are created or started by Daemon Manager whenever
required are called transient processes.
Waiting to Initialize Processes that are yet to run normally and are in initialization phase.
Step 1 Select Admin > System > Server Monitoring > Processes.
The Process Management page appears with all Cisco Prime processes listed.
You can see the following information of a Cisco Prime process in the Process Management window:
Column Description
ProcessName Name of the process. Describes how the process is registered. See LMS Back-end
Processes for more information on process description. For information on
suite-specific processes, see the relevant Online help.
You cannot view the details of Apache and Tomcat processes or restart them from
the user interface. But you can view the details of these processes in Process
Status report (Reports > System > Status > Process).
ProcessState Process status and a summary of the log file entries for the process. If the process
fails, this column is highlighted in red.
ProcessId Unique number by which the operating system identifies each running program.
ProcessRC Return code. 0 represents normal program operation. Any other number
represents an error. See the error log for details.
ProcessSigNo Signal number. 0 represents normal program operation. Any other number is the
last signal delivered to the program before it terminated.
ProcessStartTime Time and date on which the process was started.
ProcessStopTime Time and date on which the process was stopped.
Column Description
Process Name of the process.
Path File Location.
Flags Flags used to register the process with the Daemon Manager.
Startup Method used to start the process (manual or automatic).
Dependencies Other processes that are running, and that are required for this process to
run.
You can click the Refresh icon on the top-right corner of the page to initiate a page refresh and view the
updated information of the processes.
Step 1 Select Admin > System > Server Monitoring > Processes.
The Process Management page appears.
Step 2 Select a process state from the Show Only process state.
You can select any one of the following process states:
• Never started
• Waiting to initialize
• Running normally
• Failed to run
• Transient terminated
• Administrator has shut down this server
• Program started — No mgt msgs received
See Process States for description of each of these process states.
The details of processes in the selected state appear.
Starting a Process
To start a process:
Step 1 Select Admin > System > Server Monitoring > Processes.
The Process Management page appears.
Step 2 Select the check box corresponding to the process.
Step 3 Click Start.
Stopping a Process
To stop a process:
Step 1 Select Admin > System > Server Monitoring > Processes.
The Process Management page appears.
Step 2 Select the check box corresponding to the process.
Table 3-1 Cisco Prime LMS 4.2 Server Back-end Processes and their Descriptions

Process Name: CmfDbEngine
Description: Sybase database instance used by the base Cisco Prime framework.
Default State: Program started - No mgt msgs received
Dependency: None
Log Files: NMSRoot/MDC/log/daemons.log (On Solaris/Soft Appliance only)

Process Name: CmfDbMonitor
Description: Monitors the CmfDbEngine process and periodically checks for connectivity and SQL errors.
Default State: Running normally
Dependency: CmfDbEngine
Log Files: NMSRoot\log\CmfDbMonitor.log (On Windows)
/var/adm/CSCOpx/log/CmfDbMonitor.log (On Solaris/Soft Appliance)

Process Name: CMFOGSServer
Description: Device grouping service in CS that provides grouping capability based on device attributes stored in DCRServer.
Default State: Program started - No mgt msgs received
Dependency: CmfDbMonitor, EssMonitor, DCRServer
Log Files: NMSRoot\log\CMFOGSServer.log (On Windows)
/var/adm/CSCOpx/log/CMFOGSServer.log (On Solaris/Soft Appliance)

Process Name: CSDiscovery
Description: Transient process created by Daemon Manager. This process initiates Device Discovery.
Default State: Transient Terminated
Dependency: —
Log Files: NMSRoot\log\CSDiscovery.log (On Windows)
/var/adm/CSCOpx/log/CSDiscovery.log (On Solaris/Soft Appliance)
Table 3-2 Inventory, Config and Image Management Processes and Dependency Processes

Process Name: RMEDbEngine
Dependency (Sequential): None
Log Information: NA
Description: System service: the database engine for Inventory, Config and Image Management applications.

Process Name: ConfigMgmtServer
Dependency (Sequential): EssentialsDM
Log Information: dcmaservice.log
Description: Configuration Management service performs the following tasks,
• Collects the configuration for the LMS managed devices on request from jobs or user Interface.
• Archives new version if there is a difference between the fetched configuration and the latest configuration in archive.
• Parses the configuration based on configlet rules and generates differences between the configurations.
• Logs change record for every new version of archived running configuration.
• Detects config changes on the device and triggers configuration collection
• Caches the device and NetConfig template mapping information.
• Populates the database with NetShow system-defined command sets and NetShow commands by retaining them from device packages.

Process Name: ConfigUtilityService
Dependency (Sequential): EssentialsDM
Log Information: cfgutilservice.log
Description: ConfigUtilityService parses the archived configurations of the devices for assessing the technology readiness of the devices. It does config and CLI parsing.
ConfigUtilService also performs OGS grouping attributes updates at the end of Inventory collection.

Process Name: SyslogCollector
Dependency (Sequential): ESS
Log Information: SyslogCollector.log
Description: Filters and sends the syslog objects to various SyslogAnalyzer services subscribed to it.

Process Name: EssentialsDM
Dependency (Sequential): ESS, DCRServer, LMSDbEngine
Log Information: EssentialsDM_Server.log
Description: It publishes a dummy Common Services Transport Mechanism (CSTM) service name to synchronize publishing of service names with CSTM.
All other LMS services that publish service names with CSTM are made dependant on this service either directly or indirectly.
After adding devices to LMS, this service triggers for Inventory and Configuration collection.
System service that monitors the accessibility of the LMS database engine that helps to ensure that the system is not started until the database engine is ready.

Process Name: EnergyWise
Dependency (Sequential): EssentialsDM, ICServer
Log Information: EnergyWise.log, EnergyWiseUI.log, EnergyWiseConfiguration.log, EnergyWiseMonitoring.log, EnergyWiseCollection.log, EnergyWiseNative.log, EnergyWiseComplianceCheck.log, EnergyWiseNativeCompliance.log, EnergyWise_Purge.log, EnergyWiseNativePolicy.log
Description: EnergyWise process provides services for:
• EnergyWise endpoint and device collection
• EnergyWise monitoring
• EnergyWise compliance check
• Auto-push of EnergyWise policies on the devices.

Process Name: CTMJrmServer
Dependency (Sequential): EssentialsDM, jrm, Tomcat
Log Information: CTMJrmServer.log
Description: This service is a proxy to the JRM service. This is used by LMS to connect to the JRM service. It hides all the direct interaction with JRM.

Process Name: ChangeAudit
Dependency (Sequential): EssentialsDM, CTMJrmServer, jrm
Log Information: ChangeAudit.log
Description: Change Audit program that provides back-end database services for applications that want to log network changes and for Change Audit reports and Automated actions

Process Name: ICServer
Dependency (Sequential): ESS, CTMJrmServer
Log Information: IC_Server.log
Description: This is a service that collects and stores Inventory information from the device using SNMP.
It also detects changes that occurred between the last time Inventory was collected for a device, and the current Inventory collection.

Process Name: SyslogAnalyzer
Dependency (Sequential): ESS, EssentialsDM, CTMJrmServer, jrm
Log Information: SyslogAnalyzer.log for Windows
AnalyzerDebug.log for Solaris/Soft Appliance
Description: It takes the filter definition from the user and sends it to the various Syslog Collectors it is subscribed to.
Receives the syslogs from the Syslog collector and inserts them into the database and also takes automated actions from the user.

Process Name: PMCOGSServer
Dependency (Sequential): LMSOGSServer
Log Information: PMCOGSServer.log
Description: Port and Module group administration service. This is used for managing Port and Module groups.

Process Name: ANIDbEngine
Dependency (Sequential): None
Log Information: None
Description: System service: Database engine for Topology and Identity Services.

Process Name: ANIServer
Dependency (Sequential): EDS, ANIDbEngine
Log Information: ani.log
Description: System service: Collects device information for Topology and Identity Services.

Process Name: MACUHIC
Dependency (Sequential): EssMonitor, ANIDbEngine
Log Information: macuhic.log
Description: System service: Receives and processes SNMP traps for Dynamic UT

Process Name: UTLITE
Dependency (Sequential): EssMonitor, ANIDbEngine
Log Information: utlite.log
Description: System service: Receives and processes the UTLITE data

Process Name: UTMajorAcquisition
Dependency (Sequential): ANIServer
Log Information: ut.log
Description: UTMajor Acquisition is a transient process.
System service: Collects end hosts information.

Process Name: UTManager
Dependency (Sequential): EssMonitor, ANIDbEngine, DCRServer
Log Information: utm.log
Description: System service: Queries external system for Dynamic UT

Process Name: VNMServer
Dependency (Sequential): ANIDbEngine
Log Information: Vnmserver.log
Description: System service: Handles VRF Lite Services like configuration, VRF Lite collector job scheduling

Process Name: WlseUHIC
Dependency (Sequential): ANIDbEngine
Log Information: wlseuhic.log
Description: System service: Collects information from Wlse Device

Process Name: Compliance and Audit Manager (CAAM) Server
Dependency (Sequential): Essentials DM
Log Information: caam_server.log, cammserverui.log, caamservercollection.log
Description: The Compliance and Audit Manager server collects information from the Inventory and Configuration management servers and stores the details in a database.
If you stop or restart any of these processes you must stop and restart their dependency processes. See
Table 3-2 for the list of dependent processes.
You can stop and restart the process using Admin > System > Server Monitoring > Processes.
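The following Python sketch is an added example, not part of the Cisco guide. It treats the Dependency (Sequential) column of Table 3-2 as a graph and works out which processes a restart touches and in what order. Process names and dependency lists are transcribed from the table; reading each listed dependency as a process that must be started first, and restarting the processes that depend on the one you touch, is an assumption about the note above.

```python
from graphlib import TopologicalSorter  # Python 3.9+

# Dependency (Sequential) column of Table 3-2, transcribed from this page.
# Names that occur only as dependencies (ESS, EDS, jrm, Tomcat, DCRServer,
# EssMonitor, LMSDbEngine, LMSOGSServer) have no row of their own and are
# treated as processes with no listed dependencies.
TABLE_3_2 = {
    "RMEDbEngine": [],
    "ConfigMgmtServer": ["EssentialsDM"],
    "ConfigUtilityService": ["EssentialsDM"],
    "SyslogCollector": ["ESS"],
    "EssentialsDM": ["ESS", "DCRServer", "LMSDbEngine"],
    "EnergyWise": ["EssentialsDM", "ICServer"],
    "CTMJrmServer": ["EssentialsDM", "jrm", "Tomcat"],
    "ChangeAudit": ["EssentialsDM", "CTMJrmServer", "jrm"],
    "ICServer": ["ESS", "CTMJrmServer"],
    "SyslogAnalyzer": ["ESS", "EssentialsDM", "CTMJrmServer", "jrm"],
    "PMCOGSServer": ["LMSOGSServer"],
    "ANIDbEngine": [],
    "ANIServer": ["EDS", "ANIDbEngine"],
    "MACUHIC": ["EssMonitor", "ANIDbEngine"],
    "UTLITE": ["EssMonitor", "ANIDbEngine"],
    "UTMajorAcquisition": ["ANIServer"],
    "UTManager": ["EssMonitor", "ANIDbEngine", "DCRServer"],
    "VNMServer": ["ANIDbEngine"],
    "WlseUHIC": ["ANIDbEngine"],
    # The table writes this dependency as "Essentials DM"; mapping it to the
    # EssentialsDM row is an assumption.
    "CAAM Server": ["EssentialsDM"],
}


def _reachable(start, edges):
    """All nodes reachable from `start` by following `edges` (start excluded)."""
    seen, stack = set(), [start]
    while stack:
        for nxt in edges.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def _start_order(procs, table):
    """Order `procs` so that every process follows its listed dependencies.

    TopologicalSorter raises graphlib.CycleError if the table is cyclic.
    """
    graph = {p: [d for d in table.get(p, ()) if d in procs] for p in sorted(procs)}
    return list(TopologicalSorter(graph).static_order())


def prerequisites(proc, table=TABLE_3_2):
    """Processes that `proc` needs, directly or indirectly, in start order."""
    return _start_order(_reachable(proc, table), table)


def dependents(proc, table=TABLE_3_2):
    """Processes that list `proc` as a dependency, directly or indirectly."""
    reverse = {}
    for name, deps in table.items():
        for dep in deps:
            reverse.setdefault(dep, []).append(name)
    return _reachable(proc, reverse)


def restart_plan(proc, table=TABLE_3_2):
    """Return (stop_order, start_order) for `proc` and everything built on it."""
    start = _start_order(dependents(proc, table) | {proc}, table)
    return start[::-1], start


if __name__ == "__main__":
    stop, start = restart_plan("CTMJrmServer")
    print("stop :", " -> ".join(stop))
    print("start:", " -> ".join(start))
    print("needs:", " -> ".join(prerequisites("ChangeAudit")))
```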
Table 3-3 Network Topology, Layer 2 Services and User Tracking Processes and Dependency Processes

Process Name: ANIDbEngine
Dependency (Sequential): None
Log Information: None
Description: System service: Database engine for Topology and Identity Services.

Process Name: ANIServer
Dependency (Sequential): EDS, ANIDbEngine
Log Information: ani.log
Description: System service: Collects device information for Topology and Identity Services.

Process Name: MACUHIC
Dependency (Sequential): EssMonitor, ANIDbEngine
Log Information: macuhic.log
Description: System service: Receives and processes SNMP traps for Dynamic UT
Table 3-4 LMS 4.2 IPSLA Performance Management Process and the Dependency Processes

Process Name: IPMProcess
Description: Provides core function of managing IPSLA Performance Management Devices, Collectors and Operations in LMS.
Dependency (Sequential): DCRServer, IpmDbEngine, jrm
Default State: Program Started
Log Files: ipmserver.log, dmgtd.log

Process Name: IPMOGSServer
Description: IPSLA Performance Management group administration service. This is used for managing IPSLA Performance Management collector groups. It is also used for IPSLA Performance Management Collector selector.
Dependency (Sequential): CmfDbMonitor, EssMonitor, DCRServer, IpmDbEngine
Default State: Program Started
Log Files: IPMOGSServer.log, IPMOGSClient.log

Process Name: IpmDbEngine
Description: IPSLA Performance Management Database Engine service.
It is used for managing and storing IPSLA Performance Management related information on the database
Dependency (Sequential): NA
Default State: Program Started
Log Files: dmgtd.log
Table 3-5 Key Processes in LMS 4.2 Device Performance Management Module

Process Name: UPMDbEngine
Description: This is the Device Performance Management database engine process. If this process is down, you will not be able to access Device Performance Management module of LMS, and polling, threshold monitoring, and trendwatch monitoring will fail.
Dependent Process: None
Default State: Started
Log Files: None

Process Name: UPMDbMonitor
Description: Responsible for monitoring the UPMDbEngine process.
Dependent Process: UPMDbEngine
Default State: Started
Log Files: UPMDbMonitor.log

Process Name: UPMProcess
Description: Responsible for the Polling engine, Threshold monitoring and Poller Management features of LMS. If this process is down, poller management, threshold management, trendwatch management will fail.
Dependent Process: DCRServer, UPMDbMonitor
Default State: Started
Log Files: upm_process.log
Name: AdapterServer/AdapterServer 1
Description: Event adapter takes events from backend servers.
Dependency: None
Default State: Program Started
Log Files: adapterServer.log, adapterServer1.log, daemons.log

Name: DataPurge
Description: Data Purge—Starts as scheduled in the GUI and purges the Fault History database.
Dependency: jrm
Default State: Administrator has shut down this server
Log Files: DPS.log, daemons.log

Name: DfmBroker
Description: Fault Management Broker maintains a registry about Fault Management domain managers, that register the following information with the broker when its initialization is complete:
• Application name of the domain manager
• Hostname on which the domain manager is running
• TCP port at which the HTTP server is listening
When a client needs to connect to the domain manager, it first connects to the broker to determine the hostname and TCP port the HTTP service of that server is listening.
It then disconnects from the broker and establishes a connection to the domain manager.
The DfmBroker log file is located at NMSROOT/objects/smarts/local/logs/brstart.log.
Dependency: None
Default State: Program Started
Log Files: brstart.log

Name: DFMLogServer
Description: Controls Fault Management logs.
Dependency: None
Default State: Program Started
Log Files: DfmLogService.log, daemons.log

Name: DFMMultiProcLogger
Description: Handles processes with multiple threads.
Dependency: None
Default State: Program Started
Log Files: MultiProcLogger.log, daemons.log

Name: DFMOGSServer
Description: Fault Grouping Service Server evaluates group membership.
Dependency: CmfDbEngine, ESS, DCRServer, TISServer
Default State: Program Started
Log Files: DFMOGSServer.log

Name: DfmServer/DfmServer 1
Description: Infrastructure device domain manager, a program that provides backend services for Fault Management. Services include SNMP data retrieval and event analysis. The DfmServer log is NMSROOT/objects/smarts/logs/DFM.log.
If there are two instances of the DfmServer running, each will have a log file, DFM.log and DFM1.log.
Dependency: DfmBroker
Default State: Running Normally
Log Files: DFM.log, DFM1.log

Name: DFMCTMStartup
Description: Handles interprocess communication.
Dependency: None
Default State: Administrator has shut down this server
Log Files: DFMCTMStartup.log, daemons.log

Name: EPMDbEngine
Description: Event Promulgation Module (EPM) database engine—Repository for the EPM module.
Dependency: None
Default State: Program Started
Log Files: EPM.log

Name: EPMServer
Description: Sends events to notification services.
Dependency: EPMDbEngine
Default State: Running Normally
Log Files: EPM.log

Name: FHDbEngine
Description: Fault History database engine—Repository for alerts and events.
Dependency: None
Default State: Program Started
Log Files: daemons.log

Name: FHPurgeTask
Description: Fault History purge task.
Dependency: None
Default State: Transient terminated
Log Files: FHCollector.log, FHUI.log

Name: FHServer
Description: Fault History server, a program that runs backend services for Fault History.
Dependency: EPMServer, EPMDbEngine, FHDBEngine
Default State: Running Normally
Log Files: FHServer.log

Name: Interactor
Description: Provides inventory and device information to the Detailed Device View (DDV); updates the DDV with events.
Dependency: InventoryCollector
Default State: Program Started
Log Files: Interactor.log

Name: Interactor 1
Description: Provides inventory and device information to the Detailed Device View (DDV); updates the DDV with events.
Dependency: Inventory Collector 1
Default State: Program Started
Log Files: Interactor1.log

Name: InventoryCollector/InventoryCollector 1
Description: Synchronizes voice device inventory with infrastructure device inventory. Handles all inventory events, such as adding and deleting devices.
Dependency: ESS, TISServer, DFMOGSServer
Default State: Running Normally/Program Started
Log Files: InventoryCollector.log, InventoryCollector1.log

Name: INVDbEngine
Description: Inventory database engine—Repository for devices.
Dependency: None
Default State: Program Started
Log Files: daemons.log

Name: NOSServer
Description: Notification Server monitors alerts and sends notifications based on subscriptions.
Dependency: EPMDbEngine, EPMServer, INVDbEngine, DFMOGSServer
Default State: Running Normally
Log Files: nos.log

Name: PTMServer
Description: Polling and thresholds server.
Dependency: DFMOGSServer
Default State: Running Normally
Log Files: PTMServer.log

Name: PMServer
Description: PMServer is used for the Partition Manager functionality for the Fault Management module of LMS. When you add a device to the Fault Management module, it is always added to the default partition 0.
All the debug logs related to PMServer can be found at NMSROOT/log/dfmLogs/PM
Dependency: INVDbEngine, EssMonitor
Default State: Running Normally
Log Files: PMServer.log (For Windows)
daemons.log (For Solaris/Soft Appliance)

Name: TISServer
Description: Inventory server.
Dependency: EssMonitor, INVDbEngine
Default State: Program Started
Log Files: TISServer.log
Backing Up Data
You should back up the database regularly so that you have a safe copy of the database. You can schedule
immediate, daily, weekly, or monthly automatic database backups. You should have the necessary privileges
to use this option.
You cannot back up the database while restoring the database. LMS uses multiple databases to store
client application data. These databases are backed up whenever you perform a backup.
Backup requires enough storage space on the target location for the backup to start.
If your current license count is lower than your earlier license count, and you restore the data now,
devices that exceed the current license count will be moved to Suspended state.
Caution You should never back up data to the Cisco Prime Installation directory NMSROOT/backup. Sometimes,
storing the backup data in this location may corrupt the Cisco Prime installation.
Scheduling a Backup
You can schedule a backup using the LMS UI or use the backup utility through CLI. See Backing up
Data Using CLI for more information.
To schedule a backup:
Field Description
Backup Directory Location of the backup directory. We recommend that your target location be on
a different partition than the Cisco Prime installation location.
The backup directory should not contain any special character.
Generations Maximum number of backups to be stored in the backup directory.
Time From the lists, select the time period between which you want the backup to
occur. Use a 24-hour format.
E-mail Enter a valid e-mail ID in this field.
You can enter multiple e-mail IDs separated by commas.
The system uses the e-mail ID or e-mail IDs to notify you of the following:
• New backup schedules.
• Status of immediate or scheduled backup jobs upon their completion.
• Cancelled backup schedules.
Restoring Data
The new restore framework supports restore across versions. This enables you to restore data from
versions 3.1 and 3.2. The restore framework checks the version of the archive.
• If the archive is of the current version, then the restore from current version is run.
• If the backup archive is of an older version, the backup data is converted to LMS format, if needed,
and applied to the machine.
You can restore your database by running a script from the command line. You have to shut down and
restart Cisco Prime while restoring data.
In all backup-restore scenarios, a backup is taken from a machine A, and the backed up data, say Ab, is
restored on the same machine A, or on a different machine B.
Ensure that you do not run any critical tasks during data restoration. Otherwise, you may lose the data
of such tasks.
For details on effect of restore operation on DCR modes, and Groups, see Effects of Backup-Restore on
DCR and Effects of Backup-Restore on Groups.
Caution Restoring the database from a backup permanently replaces your database with the backed up version.
The list of applications in a backup archive should match the list of applications installed on the LMS
Server where you want to restore the data. You should not continue the restore when there is a mismatch,
as it may cause problems in the functionality of Cisco Prime applications.
This section explains the following:
• Restoring Data On Solaris/Soft Appliance
• Restoring Data On Windows
Step 1 Stop all processes by entering the following at the command line:
net stop crmdmgtd
Step 2 Restore the database by entering:
NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl [-t temporary directory] [-gen generationNumber] [-d backup directory] [-h]
where NMSROOT is the Cisco Prime installation directory. See the previous section for command option
descriptions.
To restore the most recent version, enter the following command:
NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl -d backup directory
Step 3 Examine the log file in the following location to verify that the database was restored by entering:
NMSROOT\log\restorebackup.log
Step 4 Restart the system by entering:
net start crmdmgtd
Note For more details on restoring data, see Migrating Data to Cisco Prime LAN Management Solution 4.2 in
Installing and Migrating to Cisco Prime LAN Management Solution 4.2.
Caution You need to shut down Cisco Prime, change the password and then restart Cisco Prime, for the changes
to take effect. Make sure you are not running any critical tasks. Otherwise, you might lose data.
Step 1 At the command line, make sure you have the correct permissions.
Step 2 Stop all processes by entering:
net stop crmdmgtd
Format Command
Format 1 detects the available datasource names and databases and prompts you to enter and confirm the passwords for each of them.
It also allows you to encrypt the password.
On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl all
On Windows:
NMSROOT\bin\perl dbpasswd.pl all
Format 2 allows you to list all the databases and datasource names (DSNs) available in the server.
On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl listdsn
On Windows:
NMSROOT\bin\perl dbpasswd.pl listdsn
Format 3 allows you to change the database password.
On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl dsn=odbc_datasource
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=odbc_datasource
Format 4 allows you to change the database password for a specific DSN.
It also allows you to enter a new password in the command line using the npwd option.
On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password
Format 5 allows you to encrypt the existing database password.
On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name encyption=yes
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name encyption=yes
Format 6 allows you to change the database password for a specific DSN.
Format 6.0 also:
On Solaris/Soft Appliance:
NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password encryption=yes
For example, a Standalone DCR can be set after a backup to act as a Slave. When the restore is
performed, it will be reset to the Standalone mode. It depends on the DCR mode of the machine from
which the backup was taken (source machine), and the machine on which the data was restored
(target machine).
• Change Master/Slave relationships.
For example, a DCR Slave may be using Master A at the time a backup is taken. Later, the domain
may be changed to use Master B, and the Slave reset to use Master B. When the restore is performed,
the Slave will attempt to use Master A.
For detailed information on DCR, see Managing Device and Credentials in Inventory Management
Guide.
The following scenarios help you understand the implications of Restore operations on DCR.
• Restoring Data From a DCR Standalone
• Restoring Data From S1 on S1
• Restoring Data From S1 to M1
• Restoring Data From S1 on M2
• Restoring Data From M1 on M1
• Restoring Data From M1 to M2
At the time of backup, if there were 1000 devices in M1, the Slave S1 would also have 1000 devices.
Assume more devices are added to M1 after the Backup. S1 will have the up-to-date device list. However,
after restore on M1, M1 will have only 1000 devices. In other words, the data on S1 will be more recent
than the data on M1.
This ensures that Master has more recent data than the Slaves.
Note To avoid disturbances to the Master-Slave relationship, and to maintain consistency, it is better to take
a backup of all machines at the same time.
Restore operations can affect Master-Slave relationships because they may modify these pre-configured
parameters.
For example, let M1 be the Master, and S1 its Slave. Let X be a standalone server.
Suppose you take a backup from S1, and restore the backed up data, say S1b on X.
Now, X has to be in Slave mode.
Since M1 and S1 already shared a Master-Slave relationship, M1 will have the peer certificate of S1,
and S1 will have the certificate of M1.
After the restore operation, X will get the certificate of M1. However, if peer certificate of X is not
present on M1, X will not be able to have M1 as its Master.
So you have to ensure that the certificates of the peer machines are in place, before you do a Restore.
Other Master-Slave configuration prerequisites such as System Identity user configuration and Peer
Server Account user configuration might get affected by Restore operations.
For example: In M1 you have Joe as a Peer Server User and in S1 you add Joe as a System Identity user.
You take a backup from S1.
After you take the backup, say you change the Peer Server User and System Identity User to Bob.
Now if you restore the backed up data, say S1b, the System Identity User would not be Bob anymore. This
will upset the Master-Slave relationship.
During restore you are prompted to confirm whether you need to overwrite the SSL certificate.
SSL certificates are tied to individual machines. So if you take a backup on one machine and restore it
on another, you should be careful not to overwrite the SSL certificate.
However, if you back up data from a machine and restore it to the same machine, you may overwrite the
SSL certificate.
• Exporting complete data of LMS—This option enables you to store data in an external server or
LMS server. The default backup location will be populated in the Backup location field at the bottom
of the Export Data to Prime Infrastructure page. If you choose to store data on an external server,
the external server credentials, namely Server IP or Host name, username, password and backup
location, are required.
Step 1 Copy the new license file to the LMS Server, with read permission for casuser/casusers.
Step 2 Select Admin > System > License Management.
The License Information page appears. The License Information page displays the name, version, size,
status and expiration date of the license.
Step 3 Click Update.
Step 4 Enter the path to the new license file in the License field, or click Browse to locate the new file.
Step 5 Click OK.
The system verifies whether the license file is valid, and updates the license. The updated licensing
information appears in the License Information page. Otherwise an error message is displayed.
To return to the License Information page, click Cancel.
Note You must have a Compliance and Audit Manager (CAAM) server license to access the CAAM features
in LMS 4.2. For more details, see Compliance and Audit Manager (CAAM) Server License.
Updating Licenses
You can view details of your current software license, or update to a new license from the License page.
To update to a new license from the Licensing page:
You can look into this collected information to find out the errors with grouping servers and debug them.
You can also collect server information using CLI. See Collecting Server Information Using CLI.
To collect the server information:
Step 1 Select Admin > System > Server Monitoring > Collect Server Information.
The Collect Server Information page appears.
Step 2 Click Create to collect the current server information.
The Collect Server Information popup dialog box appears with a list of options. The available options
are:
• System Information — Displays the server type, operating system version, installation date of
operating system, and other system information.
• Event Logs — Displays the logs of events in the LMS Server.
• Cisco Prime Registry — Displays the registry entries of Cisco Prime components installed in the
server.
• Tomcat Log Files — Displays the log files corresponding to the application server.
• Grouping Service — Displays the information of grouping servers and the groups created in the
grouping server.
• Application Registry Details — Displays the information of applications registered with Cisco
Prime home page.
• Device Credentials Admin Information — Displays the details of DCR mode, status of DCR Master,
number of devices in DCR and the contents of DCR configuration files.
• ODBC Configuration — Displays the information about the configuration of database connection
in the LMS Server.
• Product Log Files — Displays the contents of log files of all Cisco Prime components.
• Environment Variables — Displays the list of environmental variables set up in the LMS Server.
• Process Status — Displays the name of processes, current state of the process, process ID, start and
finish time of the process, and other information.
• Network Configuration — Displays information about the various configurations in a network.
• Memory and Harddrive Status — Displays details of free space and total space of memory and hard
disk drives in the LMS Server.
• JRE Registry — Displays information about the Java Runtime Environment registry files.
Step 3 Select the check boxes corresponding to the options you need.
You can use the All check box to select or deselect all the available options.
By default all the check boxes are selected.
Step 4 Click OK.
The server information for the selected components is collected.
Collecting server information may take longer if more components are selected.
To return to the Collect Server Information page, click Cancel.
You can click Refresh in the Collect Server Information page to see the latest status.
Step 1 Select Admin > System > Server Monitoring > Collect Server Information.
The Collect Server Information page appears.
Step 2 Click Server Information at the date time link to view the collected server information.
The popup window displays the server information collected.
Step 3 View server information by clicking the corresponding link in the Table of Contents.
Step 1 Select Admin > System > Server Monitoring > Collect Server Information.
The Collect Server Information page appears.
Step 2 Select the corresponding check box of the server information you want to delete.
Step 3 Click Delete.
Step 1 Select Admin > System > Server Monitoring > Selftest.
In LMS 4.2, the selftest report provides the following Hardware Parameters details:
• Memory availability
• Swap
• CPU
• DSN
• Backup status
• Number of MIB objects being polled
• Maximum number of MIB objects that can be managed
• Syslog database size
If the syslog database size exceeds 10 GB you need to purge the syslog records to reclaim space. Do the
following to purge syslog records and reclaim the database space:
Note If you want to back up the syslogs, refer to Setting the Syslog Backup Policy.
Step 1 Perform a forced purge of Syslog messages. Refer to Performing a Syslog Forced Purge.
Step 2 Open RMEDebugToolsReadme.txt from
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\debugtools.
where NMSROOT is the Cisco Prime installation directory.
Step 3 Refer to the Syslog DBSpaceReclaimer Tool section in the RMEDebugToolsReadme.txt file and execute the
perl script DBSpaceReclaimer.pl.
Note The perl script will reclaim the space occupied by SyslogFirst.db, SyslogSecond.db and
SyslogThird.db files present in the server. The amount of space reclaimed will depend on the
purge criteria that you specify. The most effective way to reclaim the space is to purge the
records older than 1 day.
Step 1 Select Admin > System > User Management > Notify Users.
The Notify Users page lists all the users currently logged in.
Step 2 Enter the message in the Message field and click Send.
The Status field displays the status of the message.
Note If you are using Microsoft Internet Explorer, make sure your browser is set to check for updates on every
visit to the page.
Managing Resources
LMS provides a Resource Browser for managing resources. You can free locked resources, when
necessary, if you have appropriate privileges. All users (including those with Help Desk role alone) can
access the Resource browser page. The Refresh icon in the Resource browser is available for all users.
Note The System Identity user must configure all the Resource management related tasks. The Browse
Resources and Free Resources tasks should be enabled.
Item: Description
Resource: Name of the resource currently locked.
Job ID / Owner: Number assigned to this task at creation time. Identifies all related locked
resources, and user who locked the resource.
Time Locked: Time this lock was established.
Expire Time: Lock expiration time.
Field: Description
SMTP Server: System-wide name of the SMTP server used by Cisco Prime applications to
deliver reports. The default server name is localhost.
Administrator E-mail ID: Cisco Prime Administrator e-mail ID.
This e-mail address is used as the From Address in all mails sent from LMS Server.
There is no default e-mail ID.
Enable E-mail Attachment: Allows you to enable e-mail attachments in the mails sent from LMS Server.
This option helps you to attach PDF or CSV reports with the e-mail after the
scheduled jobs have completed.
This option is disabled by default.
Maximum Attachment Size: Maximum size of the e-mail attachments that are allowed to be sent from
LMS Server.
You can specify the attachment size in KB or MB.
RCP User: Name used by network device when it connects to LMS Server to run rcp.
User account must exist on UNIX systems, and should also be configured on
devices as local user in the ip rcmd configuration command. The default RCP
username is cwuser.
SCP User: Name used by network device when it connects to LMS Server to run SCP.
The username you have entered here is used for authorization while transferring
software images using SCP protocol.
You must specify a user name that has SSH authorization on a Solaris system.
SCP uses this authorization for transferring the software images.
This field is available only if Cisco Prime LMS applications are installed on the
LMS Server.
SCP Password: Enter the password for SCP User in this field.
The password you have entered here is used for authentication while
transferring software images using SCP protocol.
You must specify a user name that has SSH authentication on a Solaris system.
SCP uses this authentication for transferring the software images.
This field is available only if Cisco Prime LMS applications are installed on the
LMS Server.
SCP Verify Password: Re-enter the SCP password in this field.
This field is available only if Cisco Prime LMS applications are installed on the
LMS Server.
Enable crmlogger DNS resolution: Enable the Domain Name Service Resolution for the crmlog service
using this field. Note that enabling the DNS Resolution for the crmlog service will slow
down the Syslog performance.
The crmlog service will stop and start when you enable or disable the Domain
Name Service Resolution for crmlog service. If the crmlog registry does not
contain the CrmDnsResolution parameter, it will be created automatically when
you enable the service.
This field is available only on Windows systems.
Disable Idle Timeout Settings: By default this setting will be enabled and the time interval for
idle page will be 120 minutes.
Idle Timeout: You can choose a time interval of 15, 30, 45, 60 or 120 minutes.
A page is considered to be idle when there is no mouse or keyboard movement
in a particular screen.
If the page is kept idle for the set time period then a pop up redirecting the page
to idle page will be displayed. You can click cancel to avoid redirecting to the
idle page.
If you are redirected to the idle page then click the hyperlink click here to return
to your previous page.
Caution Set this information carefully. If you introduce errors, users may not be able to log in.
Step 3 Check the Enable crmlogger DNS Resolution check box to enable the Domain Name Service Resolution
for the crmlog service, on a Windows system.
Step 4 Enter the following fields, which are available only if Cisco Prime LMS applications are installed on the
LMS Server:
• SCP User
• SCP Password
• SCP Verify Password
Step 5 Click Apply after making the changes. To cancel the changes, click Cancel.
To edit the log files that you have configured for rotation:
Step 1 Enter:
• NMSROOT\bin\perl.exe NMSROOT\bin\logrot.pl -c (on Windows)
• /opt/CSCOpx/bin/logrot.pl -c (on Solaris/Soft Appliance)
The Logrot configuration menu appears. You have the following options:
• Edit variables.
• Edit log files.
• Quit and save changes.
• Quit without saving change.
Step 2 Select Edit variables to set your Backup Directory.
If you do not set a backup directory, each log will be rotated in its current directory.
Step 3 Select Edit log files to add log files you wish Logrot to rotate.
You can specify log files using fully-qualified or relative paths. If a relative path is specified, and the log
file does not exist in that path, the default log file path for your operating system will be added during
rotation (for example, /var/adm/CSCOpx/log on Solaris/Soft Appliance).
Step 4 Specify the number of archive revisions. If you do not want to keep any archives, enter 0 (the default)
for this option.
Step 5 Specify the maximum file size. The log will not be rotated until this size is reached. The unit is in
kilobytes (KB). The default is 1024 KB or 1 MB.
Step 6 Specify the file compression type to be used. It can be:
• Z—UNIX compression (on Solaris/Soft Appliance only)
• gz—GNU gzip
• bz2—bzip2 (on Solaris/Soft Appliance only)
When deleting logfiles, you can choose to delete an individual file, a list of files, or all files matching a
certain pattern.
For example, 1-3 means delete files numbered 1 through 3. A list of comma-separated file numbers, for
example, 1,21, means delete files numbered 1 and 21. A pattern string *.log means delete all files that
match the pattern *.log.
You can also specify the special pattern, *, which means delete all logfiles in the configuration.
Caution The Restart Delay variable controls the waiting duration (in seconds) before proceeding, after dmgtd is
shut down. This option is only used if the -s argument is given to logrot. The default delay is 60 seconds.
Example:
To view the job scheduled to run as root user, use the command:
crontab -l root
To view the job scheduled to run as casuser, use the command:
crontab -l casuser
Example:
To view the job scheduled to run as root user, use the command:
crontab -lu root
To view the job scheduled to run as casuser, use the command:
crontab -lu casuser
This process records the alert information in the system log files. The alert information is recorded in
diskWatcher.log and syslog.log files in Windows machines. They are stored in diskWatcher.log and
daemons.log files in Solaris machines.
To configure the disk space threshold limit:
Step 1 Select Admin > System > Server Monitoring > DiskWatcher Configuration.
The DiskWatcher Configuration page appears.
Step 2 Enter a threshold value in the Threshold for Cisco Prime Installation Directory field to monitor the disk
space in the Cisco Prime Installation directory. This is mandatory.
You should enter the threshold value in units of MB or GB.
Step 3 Enter a threshold value in the Threshold for /var and /tmp Directories field to monitor the disk space in
Solaris file systems. This is mandatory.
You should enter the threshold value in units of MB or GB.
The following are the scenarios where Assertion Error might appear:
• If you use any third-party backup software to back up a live, running database, the Assertion Error
might be thrown.
This is because some of the database pages that have been modified will be in the database server
cache, so the database file will be in an inconsistent state.
• If you use any anti-virus software.
The reason is, Adaptive Server Anywhere performs many reads and writes other than the normal I/O
operations, which contribute to the good performance of Adaptive Server Anywhere. However,
anti-virus software might detect this as a potential problem and quarantine the file.
This becomes hazardous if the .log or temporary files are quarantined, and it may cause corruption
by interfering with the normal functions of the database. Poor performance can also occur if the
anti-virus software is checking all I/O operations performed by the database server.
We recommend that you do not use third-party backup software for backing up a running database.
We also recommend that you configure your anti-virus software so that it does not scan the
NMSROOT/databases directory.
NMSROOT is the directory where you have installed Cisco Prime.
Configuring TFTP
This applies only to Solaris.
The TFTP (Trivial File Transfer Protocol) daemon shipped by Cisco Prime LMS supports TCP
(Transmission Control Protocol) Wrappers.
If the TCP Wrapper support is not configured properly in the server where Cisco Prime is installed, the
jobs requiring TFTP may fail.
To ensure that TFTP works properly, check the following configuration files:
• If the /etc/hosts.allow file is present, ensure that the entry for in.tftpd is given as in.tftpd:ALL. If the
entry is not there in the file at all, add it as in.tftpd:ALL.
• If the /etc/hosts.deny file is present, ensure that there is no entry for in.tftpd in the file.
• If neither file is present (/etc/hosts.allow and /etc/hosts.deny), you do not need to make any
changes.
Note The TCP Wrapper software extends the abilities of inetd to provide support for every server daemon
under its control. It provides logging support, returns messages to connections, and permits a daemon to
accept only internal connections.
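The three TCP Wrapper checks listed above can be scripted. The following is an added example, not part of the Cisco guide or of LMS; the function names and the sample file contents are constructed for illustration.

```python
import os
import tempfile

DAEMON = "in.tftpd"

def parse_wrapper_rules(text):
    """Return [(daemon_list, client_list)] from hosts.allow / hosts.deny text."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):            # backslash-newline continues a rule
            pending += line[:-1]
            continue
        line, pending = (pending + line).strip(), ""
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                       # not a daemon_list : client_list rule
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def client_lists_for(rules, daemon=DAEMON):
    """Client lists of every rule that names the daemon literally.

    Wildcards in the daemon list (for example ALL) are not evaluated; the
    guide's checks concern explicit in.tftpd entries only.
    """
    return [clients for daemons, clients in rules
            if any(d.split("@")[0] == daemon for d in daemons)]

def _read(path):
    with open(path) as fh:
        return fh.read()

def check_tftp_wrappers(allow_path="/etc/hosts.allow", deny_path="/etc/hosts.deny"):
    """Apply the guide's three checks; an empty list means no change is needed."""
    have_allow, have_deny = os.path.isfile(allow_path), os.path.isfile(deny_path)
    if not have_allow and not have_deny:
        return []                          # neither file present: nothing to do
    findings = []
    if have_allow:
        entries = client_lists_for(parse_wrapper_rules(_read(allow_path)))
        if not entries:
            findings.append("hosts.allow: no in.tftpd entry, add in.tftpd:ALL")
        elif ["ALL"] not in entries:
            findings.append("hosts.allow: in.tftpd entry is not in.tftpd:ALL")
    if have_deny and client_lists_for(parse_wrapper_rules(_read(deny_path))):
        findings.append("hosts.deny: in.tftpd entry present, remove it")
    return findings

# Constructed sample contents (not taken from a real server).
SAMPLE_ALLOW = "# constructed sample\nsshd: 192.0.2.\nin.tftpd: 192.0.2.10\n"
SAMPLE_DENY = "# constructed sample\nin.tftpd, in.rshd: ALL\n"

def demo():
    """Run the checks against the constructed samples in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        allow = os.path.join(tmp, "hosts.allow")
        deny = os.path.join(tmp, "hosts.deny")
        for path, text in ((allow, SAMPLE_ALLOW), (deny, SAMPLE_DENY)):
            with open(path, "w") as fh:
                fh.write(text)
        return check_tftp_wrappers(allow, deny)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Calling check_tftp_wrappers() with no arguments reads the real /etc/hosts.allow and /etc/hosts.deny on the server.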
Note By default, the option of displaying the LMS Server name with the application window title in the
browser is enabled.
For example, if the name of your LMS Server is lmsdocultra, then the title of the Cisco Prime home
page is displayed as lmsdocultra - CiscoPrime.
If you launch LMS from the Cisco Prime LMS, the title of the LMS window is displayed as lmsdocultra
- LMS Home.
You can also enable or disable the display of server name with the browser title by changing the
configurations in a properties file.
Configure the uii-windows.properties file located at NMSROOT/lib/classpath to:
• Enable or disable the option of displaying server name with browser title.
• Change the format of display from Hostname - ApplicationWindowTitle to
ApplicationWindowTitle - Hostname and vice versa.
• Replace hyphen (-) with any other delimiter except empty spaces.
• Trim the spaces between the Hostname, delimiter and Application window title.
Step 1 Select Admin > Cisco Prime Integration > Application Settings. The Application Settings page
appears.
Step 2 You can do the following:
• Add
– Click Add. The Server Configuration page appears.
– Select NAM from the drop-down list.
– Enter the IP Address in the NAM IP field.
– Enter the user name and password in the corresponding fields.
– Enter the SNMP read community.
– Select either HTTP or HTTPS as the protocol.
– Enter the port number.
– Click Add to add the new NAM configuration details or Cancel to return to the NAM
Configuration page.
• Edit
– Select a configuration detail that has to be edited.
– Click Edit. The Edit NAM Configuration page appears.
– Enter the IP Address in the NAM IP field.
– Enter the user name and password in the corresponding fields.
– Enter the SNMP read community.
– Select either HTTP or HTTPS as the protocol.
– Enter the port number.
– Click Edit to save the changes or Cancel to return to the NAM Configuration page.
• Delete
– Select a configuration detail that has to be deleted.
– Click Delete. A confirmation dialog box appears.
– Click OK to confirm or Cancel to return to the NAM Configuration page.
• Filter
– In the Filter By field, select the filter criteria e.g. ApplicationName from the drop-down list.
– In the Matches text box, enter the matching details e.g. NAM.
– Click Go, to execute the selected filter condition.
– Click Clear Filter, to clear the filter condition.
You can configure discovery settings, and perform some administrative tasks in DCR.
This chapter contains:
• Scheduling Device Discovery
• Configuring Device Selector
• Administering Device and Credential Repository
For details on configuring discovery logging, see Configuring Discovery Logging.
• Maintain multiple Device Discovery Settings for multiple schedules. See Maintaining Multiple
Discovery Settings for Multiple Scheduled Jobs for details.
• View the Discovery Settings configured for the selected Device Discovery Schedule. See Viewing
Discovery Settings for Selected Discovery Schedule for details.
• Edit the Discovery Settings for the selected Device Discovery Schedule. See Viewing Discovery
Settings for Selected Discovery Schedule for details.
Step 1 Select Admin > Network > Discovery Settings > Schedule.
The Discovery Schedule page appears.
Step 2 Click Add.
The Add Discovery Schedule popup window appears.
The Device Discovery schedules are dependent on Device Discovery Settings. You cannot click the Add
button if you have not configured Device Discovery Settings.
The Add button is disabled on a fresh installation of LMS in LMS Server.
Step 3 Select a value in the Hour and Min drop-down lists to specify the time when the Device Discovery should
start.
You should specify the time in 24-hour format.
Step 4 Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern
field.
Step 5 Enter a description in the Job Description field. This is optional.
You cannot edit the description entered in this field later.
Note The job description should not contain special characters like , and #.
Step 1 Select Admin > Network > Discovery Settings > Schedule.
The Discovery Schedule page appears.
Step 2 Select a Device Discovery schedule from the list.
Step 3 Click Edit.
The Edit Discovery Schedule popup window appears.
Step 4 Edit the values in the Hour and Min drop-down list, if required.
Step 5 Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern
field.
Step 6 Click Schedule to save the changes.
Step 1 Select Admin > Network > Discovery Settings > Schedule.
The Discovery Schedule page appears.
Step 2 Select a Device Discovery schedule from the list.
Step 3 Click Delete.
The Delete Confirmation dialog box appears.
Step 4 Click OK.
The selected Device Discovery schedule is deleted from the list of schedules.
Caution Before you remove a Device Discovery schedule, ensure it is completed. Otherwise, if the
Device Discovery job is running, deleting the schedule will stop the job first and then will
remove it.
Step 1 Select Admin > Network > Discovery Settings > Schedule.
The Discovery Schedule page appears.
Step 2 Select a job from the list.
Step 3 Click Start Discovery. A popup window appears with the information on the immediate jobID.
The Start Discovery button will be disabled before setting any jobs or if a discovery is already running.
Step 4 Click OK. The Device Discovery summary screen appears.
You can view the status of the job in Job Browser page (Admin > Jobs > Browser).
Step 1 Select Admin > Network > Discovery Settings > Schedule.
The Discovery Schedule page appears.
Step 2 Select a Discovery schedule from the list.
Step 3 Click View Settings.
The View Discovery Settings dialog box appears.
Step 4 Click OK to return to the Discovery Schedule page after you have viewed the schedule.
Step 1 Select Admin > Network > Discovery Settings > Schedule.
The Discovery Schedule page appears.
Step 2 Select a Discovery schedule from the list.
Step 3 Click Edit Settings.
The Module Settings page of Discovery Settings wizard appears.
Step 4 Edit the required module settings and click Next. The Seed Devices Settings page appears.
Step 5 Edit the required seed devices settings and click Next. If you do not want to proceed further, click
Finish. The SNMP Settings page appears.
Step 6 Edit the SNMP settings and click Next. If you do not want to proceed further, click Finish.
The Filter Settings page appears.
Step 7 Edit the Filter settings and click Next. If you do not want to proceed further, click Finish.
The Global Settings page appears.
Step 8 Edit the Global settings and click Next. If you do not want to proceed further, click Finish.
The Device Selector displays the number of devices selected by you at the bottom. When you click the
link provided, it launches the Selection Tab.
Tool tips are also provided for devices that contain long names so that you do not have to scroll
horizontally to see the complete device name.
This section contains the following information:
• Selecting Devices for Device Management Tasks
• Searching Devices
• Device Selector Settings
You can select the devices from the tree view. The Selection tab shows the flat list of selected devices
from the All tab.
You should expand the nodes of the top-level device groups and sub groups to see the list of devices
within a group and select the devices you want. We recommend that you do not expand all and leave all
the multiple group nodes open. This may affect the performance of the device selector.
Note You can perform more than one search and can accumulate your selection of devices.
Searching Devices
With the improved Device Selector, you can search for the devices by performing a Simple search or an
Advanced search. In both cases, you do not need to remember the name of the devices and the groups in
which the devices are grouped.
• Device names starting with device2 and with only one character after device2
• Device names ending with .cisco1
• Device names containing the text string device10
Using Expressions
You can use expressions to form a rule in the Advanced Search Dialog box. Each rule expression
contains:
• Device Type — Object type used for forming a group. All expressions start with the string Device
• Variables — Device attributes used to form a device group. The list of variables for advanced search
are Category, DeviceIdentity, DisplayName, DomainName, HostName, ManagementIpAddress,
MDFId, Model, Series, SystemObjectID, and the user-defined data, if any.
The list of device attributes are different across Cisco Prime modules. The Advanced Search window
in the Device Selector of Cisco Prime applications displays the respective device attributes as
variables.
• Operators — Various operators to be used with the rule. The list of operators includes equals,
contains, startswith, and endswith. The list of operators changes dynamically with the value of the
variable selected.
For the ManagementIpAddress variable, you can select the range operator other than the standard
list of operators. The range operator enables you to search for devices of the specified range of IP
Addresses. See Using IP Address Range to Form a Search Rule for more information.
• Value — Value of the variable. The value field changes dynamically with the value of the variable
and operator selected, and this may be a text field or a list box.
After you define the rule settings, click Add Expression to add the rule expression.
You can also enter multiple rule expressions using the logical operators. The logical operators include
OR, EXCLUDE and AND.
• Specify the range with permissible values for one or more octets in the IP Address.
The minimum limit in the range is 0 and the maximum limit is 255.
• Use the hyphen character (-) as a separator between the numbers within a range.
• Specify the range of IP Addresses within the [ and ] characters to create a group rule.
For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field.
You should not:
• Enter numbers less than 0 or greater than 255 in the IP Address range.
• Enter any characters other than the range separator (-).
• Enter the value of highest limit in the range as less than the value of smallest limit number. For
example, you should not enter 10.10.10.[8-4].
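The range rules above can be checked before a value is entered in the Value field. The following is an added example, not part of the Cisco guide or of LMS: it validates a range value, reports how many addresses it covers, and selects matching devices from a constructed inventory. All function names and device entries are hypothetical, and treating a value with no bracketed octet as a single address is an assumption.

```python
import ipaddress
import re

# One octet of the Value field: a plain number or a bracketed low-high range.
_OCTET = re.compile(r"(?:([0-9]{1,3})|\[([0-9]{1,3})-([0-9]{1,3})\])")

def parse_ip_range(value):
    """Return four (low, high) pairs, or raise ValueError naming the broken rule."""
    parts = value.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected four dot-separated octets: %r" % value)
    bounds = []
    for pos, part in enumerate(parts, start=1):
        m = _OCTET.fullmatch(part)
        if m is None:
            # Covers missing brackets, separators other than '-', negatives, letters.
            raise ValueError("octet %d: use digits or [low-high], got %r" % (pos, part))
        if m.group(1) is not None:
            low = high = int(m.group(1))
        else:
            low, high = int(m.group(2)), int(m.group(3))
        if low > 255 or high > 255:
            raise ValueError("octet %d: limits must be within 0-255, got %r" % (pos, part))
        if low > high:
            raise ValueError("octet %d: lower limit exceeds upper limit in %r" % (pos, part))
        bounds.append((low, high))
    return bounds

def range_size(bounds):
    """Number of IP addresses the range covers."""
    size = 1
    for low, high in bounds:
        size *= high - low + 1
    return size

def in_range(address, bounds):
    """True if the dotted-quad address falls inside every octet's limits."""
    octets = ipaddress.IPv4Address(address).packed
    return all(low <= octet <= high for octet, (low, high) in zip(octets, bounds))

def select_devices(inventory, value):
    """Names of devices whose management address matches the range value."""
    bounds = parse_ip_range(value)
    return sorted(name for name, addr in inventory.items() if in_range(addr, bounds))

# Constructed inventory: display name -> management IP address.
INVENTORY = {
    "TestDevice": "10.10.211.207",
    "edge-rtr-1": "10.10.212.247",
    "core-sw-1": "10.10.213.10",
    "lab-sw-2": "10.10.210.206",
}

if __name__ == "__main__":
    value = "10.10.[210-212].[207-247]"
    print(value, "covers", range_size(parse_ip_range(value)), "addresses")
    print("matches:", select_devices(INVENTORY, value))
    for bad in ("10.10.10.[8-4]", "10.10.10.[0-256]", "10.10.10.[0:255]"):
        try:
            parse_ip_range(bad)
        except ValueError as err:
            print("rejected:", err)
```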
Step 1 Click the Advanced Search icon in the Device Selector pane.
The Define Advanced Search Rule dialog box appears.
Step 2 Create a search rule expression. To do so:
a. Select Variable as DisplayName
b. Select Operator as equals
c. Enter the Value as TestDevice
Step 3 Click Add Rule Expression.
The rule is added into the Rule Text.
Step 4 Create another rule expression. To do this:
a. Select OR as the logical operator
b. Select Variable as ManagementIPAddress/IP.Address
c. Select Operator as range
d. Enter the Value as 10.10.[210-212].[207-247]
Step 5 Click Add Rule Expression.
The rule is appended into the Rule Text.
Step 6 Click Search to display the devices that satisfy the specified rule in the Device Selection dialog box.
You can use Rule Text Fields to directly enter a rule without building any expressions. Ensure the rule
you create follows the syntax Object type.Variable Operator Value.
You can also enter multiple rule expressions using the logical operators.
For example, if you want to search all the devices in the network whose device name contains
TestDevice or their SysObjectIDs start with 1.3.12.1.4, you must construct a rule as follows:
Device.DisplayName contains "TestDevice" OR Device.SystemObjectID startswith "1.3.12.1.4"
Note We recommend that you use expressions to construct a complex rule instead of creating them using the
Rule Text field. Use the Rule Text field to make any minor edits to the constructed rule.
Additional Notes
All Devices
The All Devices Group displays all the devices in the application in the alphabetical order of their device
names. The device names are defined when you have added the devices in DCR.
The Device Type Groups displays all devices in groups and subgroups based on their Device Category,
Series and Model. By default, the device grouping is based on their Device Categories such as Routers,
Switches and Hubs.
The Device Category Groups folder can contain devices in subgroups based on their Device Series. For
example, the Device Category Group Router can contain devices (Routers) in subgroups Cisco 7000
Router Series and Cisco 12000 Router Series.
The Device Series subgroup can contain subgroups of devices based on their Model. For example, the
subgroup Cisco 12000 Router Series can contain the devices Cisco 12012 Router and Cisco 12816
Router.
See Customization of Device Type Groups for information on customizing the display of devices under
Device Type Groups.
Subnet Groups
You can see Subnet Groups, only when Topology and Identity Services functionality is enabled. You can
check the functionality settings at Admin > System Administration > Collection Settings >
Functionality Settings.
In a Multi Server setup, when two or more servers are installed with the Topology and Identity Services,
then the Subnet Groups from all the servers will be aggregated and displayed under the Subnet Groups
folder in the Device Selector pane.
See Customization of Subnet Groups for information on customizing the display of devices under this
group.
The User Defined Groups are created by users to administer the applications. The User Defined Groups
are created in Groups Administration window based on defined group rules.
All User Defined Groups (shared groups) from all application group hierarchies are collated and shown
as subgroups under this group. In a Multi Server Setup, the top level User Defined Groups will be named
as User Defined Groups@Server Name.
When there are two or more User Defined Groups with the same name, the Device Selector displays all of
them. You have to use the Tooltip to find the source server where the User Defined Group is created.
Tip We recommend you to provide unique and meaningful names to User Defined Groups when you create
them to avoid the display of multiple User Defined Groups with the same name.
See Customization of User Defined Groups for information on customizing the display of devices under
this group.
You can display or hide the Device Type Groups folder in the Device Selector pane using the Group
Customization option. You can customize the Device Type Based Groups folder to display:
• All devices in groups, based on their Device Category only
• All devices in groups and subgroups, based on their Device Category and Series
• All devices in groups and subgroups, based on their Device Category, Series and Model
By default, the Device Type Group folder displays the devices in sub groups based on their category only.
To display the devices in groups based on their Device Category:
Step 1 Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2 Check the Show Category Groups check box from the Device Type Based Groups panel.
Step 3 Click Apply to save your changes or click Restore Defaults to restore the default values.
To display the devices in groups and subgroups based on their Device Category and Series:
Step 1 Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2 Check the Show Series Groups check box from the Device Types Based Groups panel.
When you check the Show Series Groups check box, the Show Category Groups check box will also be
checked automatically and will be disabled.
Step 3 Click Apply to save your changes or click Restore Defaults to restore the default values.
To display the devices in groups and subgroups based on their Device Category, Series and Model:
Step 1 Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2 Check the Show Model Groups check box from the Device Type Based Groups panel.
When you check the Show Model Groups check box, the Show Category Groups and Show Series
Groups check boxes will also be checked automatically and will be disabled.
Step 3 Click Apply to save your changes or click Restore Defaults to restore the default values.
To hide the display of Device Type Based Folders from the Device Selector Pane:
Step 1 Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2 Go to the Device Type Based Groups Panel and uncheck all the check boxes.
Step 3 Click Apply to save your changes.
The Subnet Groups contains device groups from the Topology and Identity Services. By default, the
Subnet Based Groups folder is not displayed in the Device Selector pane.
You can customize the Device Selector pane to display the Subnet Based Groups folder using the Group
Customization option.
To display the devices under Subnet Based groups in the Device Selector Pane:
Step 1 Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2 Check the Show Subnet Groups at the First Level check box from the Subnet Based Groups Panel.
Step 3 Click Apply to save your changes or click Restore Defaults to restore the default values.
You can customize the User Defined Groups folder in the Device Selector pane to contain the following:
• Only User Defined Groups created by you in the local server
• Only User Defined Groups created by you in all Peer Servers in a Multi Server setup
• All User Defined Groups created by any user in the local server
• All User Defined Groups created by any user in all Peer Servers in a Multi Server setup
By default, you can view all the User Defined Groups created in the local server (regardless of which
user created them) in the Device Selector pane.
Step 1 Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2 Select My User Defined Groups from the Show drop down list box in the User Defined Groups panel.
Step 3 Select either:
• Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups
created by you in the local server.
Or
• All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined
Groups created by you in all the servers in a Multi-server setup.
In a Standalone Server Setup, the From drop down list box contains only the Local LMS Server list item.
Step 4 Click Apply to save your preferences or click Restore Defaults to restore the default values.
Step 1 Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2 Select All User Defined Groups from the Show drop down list box in the User Defined Groups
panel.
Step 3 Select either:
• Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups
in the local server.
Or
• All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined
Groups in all the servers in a Multi-server setup.
In a Standalone Server Setup, the From drop down list box contains only the Local LMS Server list item.
Step 4 Click Apply to save your preferences or click Restore Defaults to restore the default values.
4. Subnet Groups
5. Application Specific Groups
You can change the order and save the configurations.
To change the order of the device groups:
Step 1 Select Admin > Network > Display Settings > Group Ordering.
The Group Ordering page appears.
Step 2 Select a group from the list displayed.
Step 3 Click Up to move the device group up in the displayed order or click Down to move down.
Step 4 Click Apply to save the changes to your system or click Restore Defaults to restore the default settings.
Step 1 Select Admin > Network > Device Credential Settings > Mode Settings. The Mode Settings page
appears.
Step 2 Click Change Mode to change the current mode.
The DCR Mode dialog box appears. You can select the required mode from this dialog box.
Tip We recommend that you configure the Master and all its Slaves in the management domain with the
same version of LMS software. See the Using DCR Features in a Master-Slave Setup section in the
Inventory Management Guide.
Note You must restart the daemon manager after the mode change to Slave is complete.
Step 1 Select Admin > Network > Timeout and Retry Settings > Device Poll Settings.
The Device Poll Settings page appears.
Step 2 Select the Activate Device Polling to Check Reachability check box to enable Device Polling.
Device Polling is not enabled by default. You must select this check box to activate Device Polling.
Step 3 Configure a Polling Policy. To do so:
a. Enable one or all of the check boxes in the Poll Policy panel to select the protocols to be used for
polling:
– ICMP (Ping)
– SNMPv3
– SNMPv2c/SNMPv1
You must select at least one protocol to activate Device Polling.
b. Enter the timeout value for the selected protocols in the appropriate Timeout fields.
The timeout denotes the time period after which the ICMP or SNMP query of devices times out.
You must enter the timeout value in milliseconds. The minimum timeout value is 1000 milliseconds
and the maximum value is 20000 milliseconds.
Default value is 1000 milliseconds.
You cannot leave this field blank.
c. Enter the value of retries for the selected protocols in the appropriate Retries fields.
The retry denotes the number of attempts made to query the device.
You can specify any value from 0 to 8 as the number of retries. The default number of retries is 1 for
both ICMP and SNMP protocols.
You cannot leave this field blank.
d. Enter the number of instances in Notify when devices not reachable for, to receive notifications
when the devices are not reachable for a specific time period.
This is mandatory.
For example, if you enter the number of instances as 2 and the Device Polling job frequency as Daily,
you will receive notifications of devices that have not been reachable for two days or more.
If you enter the number of instances as 3 and the Device Polling job frequency as 6 hours, you will
receive notifications of devices that have not been reachable for the last 18 hours or more.
See Step 4 for details on the job frequencies available.
Step 4 Schedule the Device Polling task. To do this:
a. Select a job frequency from the Run Type drop-down list.
You can schedule only periodic Device Polling. The scheduling can be 6-Hourly, 12-Hourly, Daily,
Weekly, or Monthly.
b. Enter a date in the Date field or select a date from the date picker to start the scheduled job.
The current date on the client system is displayed in the Date field by default.
You can edit the schedule at a later point of time. See Step 5 for details.
If you do not want to edit the schedule, go to Step 7.
Step 5 Select the Change Schedule check box if you want to edit the schedule information (Run Type and
Starting Date).
This field does not appear after a fresh or upgrade installation of LMS or if a Device Polling job has not
been scheduled earlier.
If you opt to change the schedule, the existing job schedule is deleted from Job and Resource Manager
(JRM) and a job is scheduled. The device reachability status is also reset.
A warning message appears if you select this check box.
Step 6 Click OK.
Step 7 Enter the Job information. To do this:
a. Select the Report Attachment field if you want to receive the report through e-mail.
b. Select the Attachment Option as either PDF or CSV.
c. Enter a brief description about the Device Polling job in the Job Description field.
d. Enter your e-mail ID in the E-mail field to receive notifications about the status of the Device
Polling job.
You can enter multiple e-mail addresses separated by commas.
Entering an e-mail ID is mandatory when you have selected the Report Attachment field.
Step 8 Click Apply for the Device Polling settings to take effect.
The Device Polling schedule is created and assigned with a job ID.
Notification is sent to the e-mail address you have configured in the Device Polling Settings page.
You can add six more UDFs through the user interface. You can rename or delete all the UDFs including
the four default UDFs provided by the user interface.
This section explains the following:
• Adding User Defined Fields
• Renaming User Defined Fields
• Deleting User Defined Fields
Step 1 Select Admin > Network Administration > Device Credential Repository Settings > User Defined
Fields.
The User Defined Fields page appears with the current settings.
Step 2 Click Add to add a UDF.
Step 3 Enter the field label and description in the corresponding fields.
Step 4 Click Apply to apply the changes. To return to the User Defined Fields page, click Cancel.
Step 1 Select Admin > Network > Device Credential Settings > User Defined Fields.
The User Defined Fields dialog box appears.
Step 2 Select the radio button corresponding to the UDF you want to rename.
Step 3 Click Rename.
The User Defined Field dialog box opens in a new window.
Step 4 Enter the UDF label and description in the corresponding fields.
Step 5 Click Apply. To return to the User Defined Fields page, click Cancel.
Step 1 Select Admin > Network > Device Credential Settings > User Defined Fields.
The User Defined Fields dialog box appears.
Step 2 Select a UDF and click Delete.
A confirmation message window appears.
Step 3 Click OK. To return to the User Defined Fields page, click Cancel.
When other applications manage the newly added device, the management operations fail if they
cannot retrieve the required credentials from DCR. To prevent the management operations failing,
you can use the default credentials while adding devices through Discovery.
• Import devices into DCR
Importing devices from a file, NMS or any other third party applications into DCR populates the
SNMP read-only community string and the SNMP read/write community string.
When other applications manage the newly imported devices, the management operations fail if they
cannot retrieve the required credentials from DCR. To prevent the management operations from
failing, you can use the default credentials while importing devices from NMS or any other third
party application.
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets.
The Default Credentials Sets page appears.
The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone
LMS Servers. You cannot see this list item in DCR Slave Server.
Step 2 Click Next or select Credential Sets name from the Default Credentials list panel and enter the
respective credential information.
Step 3 Enter a name of the credential set in the Credential Set Name field. This is mandatory.
The Credential Set Name can contain lower case alphabets, upper case alphabets, and numerals (0 to 9).
You can include the following special characters in the Credential Set Name:
Step 4 Enter a description of the credential set in the Set Description field.
Step 5 Click Next or select a credential type from the Default Credentials list panel and enter the respective
credential information. You can select any of the credential types from the panel.
• Standard Credentials
• SNMP Credentials
• HTTP Credentials
• Auto Update Server Managed Device Credentials
• Rx-Boot Mode Credential
Step 6 Enter the following credentials as required:
• Standard Credentials
– Primary Credentials (Username, Password, Enable Password)
– Secondary Credentials (Username, Password, Enable Password)
• SNMP Credentials
– SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community
String)
– SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy
Password, Privacy Algorithm)
You must select the SNMPv3 check box to add SNMPv3 default credentials. By default, these
fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode is
AuthPriv.
• HTTP Credentials
– Primary Credentials (Username, Password)
– Secondary Credentials (Username, Password)
– Other Information (HTTP Port, HTTPS Port, Current Mode)
• Auto Update Server Managed Device Credentials (Username, Password)
• Rx-Boot Mode Credentials (Username, Password)
You must enter a value for at least one credential before applying the default credentials.
Step 7 Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also
click Back to navigate to the previous page and click Remove to delete the Default Credential Set and
the credentials configured in this Credential Set, but it will not affect the devices that are already added
or imported with default credentials.
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets.
The Default Credentials Sets page appears.
The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone
LMS Servers. You cannot see this list item in DCR Slave Server.
Step 2 Click Next or select Credential Set Name from the Default Credentials list panel.
Step 3 Select a default credential set name from the Credential Set drop-down list box.
Step 4 Edit the description of the credential set in the Set Description field.
You cannot edit the name of the credential set.
Step 5 Click Next or select a credential type from the Default Credentials list panel.
Step 6 Edit the following credentials as required:
• Standard Credentials
– Primary Credentials (Username, Password, Enable Password)
– Secondary Credentials (Username, Password, Enable Password)
• SNMP Credentials
– SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community
String)
– SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy
Password, Privacy Algorithm)
You must select the SNMPv3 check box to add or edit SNMPv3 default credentials. By default,
these fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode
is AuthPriv.
• HTTP Credentials
– Primary Credentials (Username, Password)
– Secondary Credentials (Username, Password)
– Other Information (HTTP Port, HTTPS Port, Current Mode)
• Auto Update Server Managed Device Credentials (Username, Password)
• Rx-Boot Mode Credentials (Username, Password)
Step 7 Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also
click Back to navigate to the previous page and click Remove to delete the Default Credential Set and
the credentials configured in this Credential Set, but it will not affect the devices that are already added
or imported with default credentials.
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets.
The Default Credentials Sets page appears.
The Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone LMS
Servers. You cannot see this list item in DCR Slave Server.
Step 2 Select a credential set from Credential Set drop-down list box.
Step 3 Click Remove to delete a default credential set.
The selected default credential set is deleted from the LMS Server.
The default credential set policies that you have configured with this default credential set will also be
deleted.
Read the following notes before configuring a default credential set policy:
• You can include patterns when creating rules for IP Address based default credential set policies.
See Patterns in IP Address Default Credential Set Policy Rules for more information.
• Regular expressions are supported for policies based on Hostname and Device Names. IP Address
based policy types do not support regular expressions.
See Regular Expressions in Default Credential Set Policy Rules for more information.
• The expressions in default credential set policy rules are case insensitive.
• You can include the following characters in Device Name and Hostname:
– Lower case alphabets
– Upper case alphabets
– Numerals ( 0 to 9)
– Special characters such as hyphen (-), underscore (_), period (.) and colon (:)
• When you define more than one policy for a default credential set, all these policy rules work
together. The policies will be applied in the same order in which they appear on the Credentials Sets
Policy Configuration page.
See Defining the Order of Default Credential Set Policies for more information.
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Default Credentials Sets Policy Configuration page appears.
The Default Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master
and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.
Step 2 Click Add to add a default credential set policy.
The Add Credentials Policy Configuration dialog box appears.
Step 3 Construct a policy rule. To do so:
a. Select a parameter from the Select a Policy Type drop-down dialog box.
The listed parameters are IP Range, Hostname and Device Name.
Based on the parameter that you have selected, the value field name changes dynamically.
b. Enter a value for the rule parameter.
If you have selected IP Range as the rule parameter, enter a value in the IP Range field.
If you have selected Hostname as the rule parameter, enter a value in the Hostname field.
If you have selected Device Name as the rule parameter, enter a value in the Device Name field.
See Patterns in IP Address Default Credential Set Policy Rules and Regular Expressions in Default
Credential Set Policy Rules for more information.
The expressions in credential set policy rules are case insensitive.
c. Select a credential set name from the Credentials Set drop-down list box to associate the rule
expression with the default credential set.
Select No Default if you do not want to enter a credential set name.
Step 4 Click OK to go back to Credentials Sets Policy Configuration page.
The policy that you have configured is listed in the Credentials Sets Policy Configuration page.
You can edit a default credential set policy later. To do so, you must select a default credential set policy
in the Credentials Sets Policy Configuration page and click Edit.
When you define a default credential policy type based on IP Address, you should follow these
guidelines:
• Use the standard IPv4 Address format (4 octets separated by periods) or the IPv6 Address format.
• Any octet can have one of the following:
• The octets in an IP Address policy type can also contain the combination of wildcard characters and
range of numbers. Some examples of IP Address filter combinations include:
– 10.77.[210-230].*
– 10.77.*.[110-210]
– 001:DB8:*:*:FF:[C0A-DD8]:0:[5-D]
– [10-20]:[10-20]:[A-F]:2:4:*:*:*
Character  Description          Purpose
.          Period               Matches any character
(          Opening parenthesis  Marks the beginning of a group of matched characters
)          Closing parenthesis  Marks the end of a group of matched characters
*          Asterisk             Matches zero or more occurrences of regular expression specified earlier
+          Plus character       Matches zero or more occurrences of regular expression specified earlier
\          Trailing slash       Identifies a special character within a regular expression
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
Step 2 Click Add to add a default credential set policy.
The Add Credentials Policy Configuration dialog box appears.
Step 3 Construct the policy:
a. Select the policy type as IP Range from the Select a Policy Type drop-down list box.
b. Enter the IP Range value as 10.77.[210-230].*
c. Select the Default Credential Name as IPSet
Step 4 Click OK to go back to Default Credential Sets Policy Configuration page.
The policy that you have configured will be listed in a table format.
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
Step 2 Click Add to add a default credential set policy.
The Add Credentials Policy Configuration dialog box appears.
Step 3 Construct the policy:
a. Select the policy type as IP Range from the Select a Policy Type drop-down list box.
b. Enter the IP Range value as 100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15]
c. Select the Default Credential Name as IPv6Set
Step 4 Click OK to go back to Default Credential Sets Policy Configuration page.
The policy that you have configured will be listed in a table format.
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
Step 2 Click Add to add a default credential set policy.
The Add Credentials Policy Configuration dialog box appears.
Step 3 Construct the policy:
a. Select the policy type as Device Name from the Select a Policy Type drop-down list box.
b. Enter the value as (.)*device
c. Select the Default Credential Name as SetName2
Step 4 Click OK to go back to Default Credential Sets Policy Configuration page.
The policy that you have configured will be listed in a table format.
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
Step 2 Click Add to add a default credential set policy.
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
Step 2 Click Add to add a default credential set policy.
The Add Credentials Policy Configuration dialog box appears.
Step 3 Construct the policy:
a. Select the policy type as Host Name from the Select a Policy Type drop-down list box.
b. Enter the value as Che(.)*
c. Select the Default Credential Name as SetName1
Step 4 Click OK to go back to Default Credential Sets Policy Configuration page.
The policy that you have configured will be listed in a table format.
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
Step 2 Click Add to add a default credential set policy.
The Add Credentials Policy Configuration dialog box appears.
Step 3 Construct the policy:
a. Select the policy type as Host Name from the Select a Policy Type drop-down list box.
b. Enter the value as (.)*lab2(.)*.
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears.
The Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master and DCR
Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.
Step 2 Select a default credential set policy to delete.
You can also select multiple default credential set policies to delete.
Step 3 Click Delete to remove the default credential set policies.
You can specify the order in which the default credential set policies should be applied for devices that
are added or imported into DCR.
The default credential set policies are applied in the order they appear on the Credentials Sets Policy
Configuration page. The default credential set policies appearing at the top of the list are applied first.
You can create more than one default credential set policy for a default credential set.
When you define more than one policy for a default credential set, all these policy rules work together.
For example, consider 10.77.240.[50-52] as a first IP Address policy associated with a default credential
set name Test1 and 10.77.240.* as the second IP Address policy associated with a default credential set
name Test2.
The default credentials defined in Test1 will be applied for all devices in the IP range 10.77.240.[50-52]
added or imported into DCR. The default credentials defined in Test2 will be applied for all devices in
the IP range 10.77.240.* except the devices with IP Addresses 10.77.240.50, 10.77.240.51 and
10.77.240.52.
For example, consider 10.77.*.* as a first IP Address policy for a default credential set name Test1 and
10.77.210.* as the second IP Address policy for a default credential set name Test2.
The default credentials defined in Test1 will be applied for all devices in the IP range 10.77.*.* added
or imported into DCR. The policy rule 10.77.210.* will never be applied as 10.77.210.* is a subset of
10.77.*.*.
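The ordering behaviour described above, as an added example (not Cisco's code and not part of the original guide): a small Python model that resolves which default credential set an address would receive and flags policies that an earlier policy fully covers. It assumes first-match-wins evaluation, inclusive ranges, hexadecimal ranges in IPv6 groups and uncompressed IPv6 patterns; all function names are hypothetical.

```python
import ipaddress
import re

_RANGE = re.compile(r"\[([0-9A-Fa-f]+)-([0-9A-Fa-f]+)\]")


def parse_pattern(pattern):
    """Turn an IP Range pattern into one inclusive (low, high) pair per field."""
    if ":" in pattern:   # IPv6: 8 hex groups (assumption: no "::" compression)
        tokens, base, count, top = pattern.split(":"), 16, 8, 0xFFFF
    else:                # IPv4: 4 decimal octets
        tokens, base, count, top = pattern.split("."), 10, 4, 255
    if len(tokens) != count:
        raise ValueError(f"{pattern!r}: expected {count} fields")
    fields = []
    for tok in tokens:
        m = _RANGE.fullmatch(tok)
        if tok == "*":                       # wildcard covers the whole field
            low, high = 0, top
        elif m:                              # [low-high] range
            low, high = int(m.group(1), base), int(m.group(2), base)
        else:                                # literal value
            low = high = int(tok, base)
        if not 0 <= low <= high <= top:
            raise ValueError(f"{pattern!r}: bad field {tok!r}")
        fields.append((low, high))
    return fields


def address_fields(address):
    """Split a concrete IPv4/IPv6 address into integer fields."""
    ip = ipaddress.ip_address(address)
    sep, base = (":", 16) if ip.version == 6 else (".", 10)
    return [int(part, base) for part in ip.exploded.split(sep)]


def matches(pattern, address):
    """True when every field of the address falls inside the pattern's range."""
    fields, values = parse_pattern(pattern), address_fields(address)
    return len(fields) == len(values) and all(
        low <= v <= high for (low, high), v in zip(fields, values))


def resolve(policies, address):
    """Return the credential set of the first policy (top of list) that matches."""
    for pattern, credential_set in policies:
        if matches(pattern, address):
            return credential_set
    return None


def shadowed(policies):
    """List (later_pattern, earlier_pattern) pairs where the later policy can
    never apply because one earlier policy covers every field of it.
    Cover by a union of several earlier policies is not detected."""
    parsed = [parse_pattern(p) for p, _ in policies]
    findings = []
    for i, later in enumerate(parsed):
        for j in range(i):
            earlier = parsed[j]
            if len(earlier) == len(later) and all(
                    e_lo <= l_lo and l_hi <= e_hi
                    for (e_lo, e_hi), (l_lo, l_hi) in zip(earlier, later)):
                findings.append((policies[i][0], policies[j][0]))
                break
    return findings


# The two orderings discussed in the text, plus the IPv6 pattern from the guide.
NARROW_FIRST = [("10.77.240.[50-52]", "Test1"), ("10.77.240.*", "Test2")]
BROAD_FIRST = [("10.77.*.*", "Test1"), ("10.77.210.*", "Test2")]
IPV6_POLICY = [("100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15]", "IPv6Set")]

if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real inventory.
    for addr in ("10.77.240.51", "10.77.240.60", "10.78.1.1"):
        print(addr, "->", resolve(NARROW_FIRST, addr))
    print("shadowed:", shadowed(BROAD_FIRST))
```

Running a check like `shadowed` over an exported policy list before import shows which rules will never hand out their credential set, so devices do not silently receive a broader set than intended.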
To specify the order of default device credentials policies:
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Credentials Sets Policy Configuration page appears with a list of default credential set policies.
LMS 4.2 combines the device grouping with a new attribute list.
The other grouping services that are available in LMS are:
• Fault Group - supports 50 groups
• IPSLA Collector Group - supports 100 groups
• Port and Module Group - supports 100 groups
The numbers of groups that LMS supports will vary according to the SKU that you use. For more details,
see Application Scaling Numbers section in the Installing and Migrating to Cisco Prime LAN
Management Solution 4.2 guide.
This chapter explains the following:
• Groups - Components and Basic Concepts
• Groups in Single-Server and Multi-Server Setup
• Device Group Administration
• DCR Mode Changes and Group Behavior
• Port and Module Group Administration
• Working with Fault System-defined Groups
• Working with Customizable Groups
• Managing Fault Groups
• Viewing Fault Group Details
• Viewing Fault Membership Details
• Refreshing Fault Membership
• Deleting Fault Groups
• Understanding Collector Group Rules
• IPSLA Collector Group Administration Process
• Understanding IPSLA Collector Group Administration
• Working with User-Defined Collector Groups
• Operation-Based Collector Groups (System-Defined)
Components
The following are the components of a group:
• Group Server:
Manages groups of devices. It helps you to create, edit, delete, and refresh groups to be shared by
the application. It interfaces with an application service adapter (ASA) to evaluate group rules and
retrieve devices of a particular group.
• Application Service Adapters (ASAs):
Application-specific information repository that serves as source of the devices and attributes that
are grouped by the Groups Server.
Until LMS 3.2, ASA was an interface between applications and Groups Server.
In LMS 4.2, there is only a single ASA.
• Group Admin:
Allows you to interact with the Groups Server to create and manipulate groups using Group Admin.
Basic Concepts
The following are the basic concepts of a group:
• Group Class:
Representation of a set of devices belonging to DCR. In this context a device in Device and
Credential Repository (DCR) is a single instance of a class. Each instance (device) will have a set
of attributes and a unique device ID.
• Group Object:
Device in a group class. Each device in the group will have a set of attributes stored in DCR.
Associated with every device is a unique and immutable device ID.
• Group:
Named aggregate entity comprising a set of devices belonging to a single class or a set of classes,
with a common superclass. Groups can be shared between users or applications, subject to
access-control restrictions. The membership of a group is determined by a rule.
• Group Rule:
Consists of one or more rule expressions combined by operators, which can be AND, OR or
EXCLUDE. A rule always evaluates to objects of a particular class defined in an application schema.
Once the Master-Slave setup is done, a group that you add in the Master is synced with the Slave only
after the OGS process is restarted. The direct sync is done only during the setup. After setup, each
OGS acts as an individual server.
Note You can create groups in LMS even if the server on which it is installed is in Slave mode.
If you have created a subgroup under LMS@Master hostname, then in S you can see this subgroup under
LMS@Slave hostname.
In a cluster, if you have M as the Master, and S1 and S2 as M’s slaves, and you want to evaluate S1’s
groups from S2, you need to import the certificate of S1 to S2 and vice versa.
Note Subnet groups will appear only after a successful Data Collection.
Note Group Administration UI will be enabled only on servers in which DCR is in Master or Standalone
mode. The groups created in DCR Master will be copied to Group Administration instances on servers
where DCR is in Slave mode.
The following sections provide information on how to perform group administrative tasks in LMS 4.2:
• Migrating Device Groups from Previous Releases of LMS
• Creating Groups
• Viewing Group Details
• Modifying Group Details
• Refreshing Groups
• Deleting Groups
• Exporting Groups
• Importing Groups
• Overview of Subnet Based Groups
LMS Version | Common Services UDG/SDG | RME UDG/SDG | Campus Manager UDG/SDG
3.2.1 | Group A | Group A | Group A
4.2 | After migration to LMS 4.2, Group A is available | After migration to LMS 4.2, Group A is not available | After migration to LMS 4.2, Group A is not available
3.2.1 | — | Group A | Group A
4.2 | — | After migration to LMS 4.2, Group A will not be available | After migration to LMS 4.2, Group A will not be available
3.2.1 | — | — | Subnet-based groups
4.2 | You must create new subnet-based groups after a successful Data Collection | — | After migration to LMS 4.2, CM Subnet-based groups will not be available.
Creating Groups
This section contains:
• Specifying Group Properties
• Defining Group Rules
• System Defined Attributes
• Assigning Group Membership
You can create device groups using this feature.
To create a new device group:
Step 1 Either:
• Select Admin > System > Group Management > Device.
The Group Administration page appears.
Or
• Select Inventory > Group Management > Device.
The Group Administration page appears.
The Group Administration page provides you with the Group Selector.
Step 2 Select the group from the groups listed in Group Selector to create a new subgroup.
The Group Info fields on the right, display details of the selected group.
The group you select here is the Parent group for the new group that you are about to create. You can
change the Parent group later, if required. You cannot create groups under System-defined Groups but
you can view details and refresh the group.
Users in admin role have read-write access to User-Defined groups based on the visibility scope (Public
or Private). If you have the required permissions, you can create subgroups under groups.
Step 3 Click Create to create a new group.
The Group Administration Creation wizard is launched and guides you through the process of creating
a new group.
Perform the following tasks using the Groups Create wizard.
a. Specify group properties. See Specifying Group Properties for information.
b. Define group rules. See Defining Group Rules for information.
c. Assign group membership. See Assigning Group Membership for information.
The first page in the wizard is the Properties:Create window. While creating a new group you must complete
all of the above three tasks in this sequence to create a group.
If you exit the wizard at any stage by clicking Cancel, the details you have specified will be lost and the
group will not be created.
The recommended limit for creating User-Defined groups is 200, but you are allowed to create up to 600
User-Defined groups in LMS.
Example
To create a group of all Energywise capable devices:
Step 1 Either:
• Select Admin > System > Group Management > Device.
The Group Administration page appears.
Or
• Select Inventory > Group Management > Device.
The Group Administration page appears.
The Group Administration page provides you with the Group Selector.
Step 2 Select User Defined Groups from the groups listed in Group Selector to create a new subgroup.
Step 1 Either:
• Select Admin > System > Group Management > Device.
The Group Administration page appears.
Or
• Select Inventory > Group Management > Device.
The Group Administration page appears.
Step 2 Click the Create button in the Group Administration.
The Properties page appears.
Step 3 Enter a name for the group in the Group Name field in the Properties:Create dialog box.
The group name should be unique within the Parent group. However, it need not be so across groups.
The same group name cannot be used in the same group hierarchy.
For example, if you have a group /LMS@Servername/User Defined Groups/MyView, you cannot create
another group with the same name “MyView” under /LMS@Servername/User Defined Groups.
Step 4 Click Select Group, if you want to copy the attributes of an existing group.
The Replicate Attributes dialog box appears.
Step 5 Select the group you need from the Replicate Attributes list and click OK. To return to the Properties
page, click Cancel.
Step 6 Click Change Parent, to change the Parent group.
The Group Selector page appears.
Step 7 Select the group you need from the Select Parent list.
Step 8 Click OK.
The Group Administration wizard changes the Parent group to the one you selected. To return to the
Properties page, click Cancel.
Step 9 Enter a description for the group.
Typically, you can enter a detailed description of the group that identifies its characteristics in this field.
Step 10 Select the Membership Update mode for the group.
The modes of membership updates available are:
• Automatic:
The membership of the group is updated when you add a new device to the group, and each time the
group is invoked.
• Only Upon User Request:
The membership of the group is recomputed only when an explicit request is made, using the
Refresh option.
If you select Automatic, the group will be a Dynamic group. If you select Only Upon User Request,
the group will be a Static group.
Step 11 Select either Public or Private to specify the visibility scope.
• Private
The group created can be viewed only by the user who creates the group.
• Public
The group created can be viewed by all users.
Step 12 Click Next to get to the Rule:Create dialog box. See Defining Group Rules to define simple and
composite group rules.
If you have created the group by copying the attributes of another group, the rules specified for that group
appear in the Rule Text field. You can retain these and add more rules, or delete these rules and create a
new set of rules.
The Rules:Create dialog box allows you to check the syntax in the Rules Text field. You can use this
facility to validate the rules you have created. If you leave the rule blank, it creates a Container group.
Click View Parent Rules to display the rules defined for its ancestor groups.
This section explains:
• Defining a Group Rule
• Defining Composite Group Rules
• Using IP Address Range Operator
• Examples
• System Defined Attributes
Before you launch the Rule:Create dialog box, ensure that you have completed all the tasks in
Properties:Create dialog box. See Specifying Group Properties for more information.
Step 1 Complete all the tasks in the Properties page. See Specifying Group Properties for more information.
Step 2 Delete the rules displayed in the Rule Text field, if any.
Step 3 Select appropriate parameters for the following:
• Object Type — Denotes the object type used for forming a group. All expressions start with the
string Device.
• Variables — Denotes the device attributes, which are used to form a device group.
See System Defined Attributes for details on the variables.
• Operators — Denotes the various operators to be used with the rule. The list of operators includes
equals, contains, startswith and endswith. The list of operators changes dynamically with the value
of the variable selected.
For the ManagementIpAddress variable, you can select a range operator other than the standard list
of operators. See Using IP Address Range Operator for more information.
• Value — Denotes the value of the variable. The value field changes dynamically based on the value
of the variable and operator selected, and the field type can be a text field or a list box.
Step 4 Click Add Rule Expression.
The Group Administration wizard creates the rule based on the parameters you specified and adds the
rule to the Rules Text field.
For example, the rule type:
Device.DisplayName equals "joe"
A Composite rule contains more than one rule expression separated by a Boolean operator.
The Boolean Operators OR, AND, or EXCLUDE appear in the Rules:Create dialog box only when you
have entered at least one rule expression.
When the composite rule has more than two simple rule expressions, you can adjust priorities among the
expressions using opening and closing parentheses.
To create a composite rule:
Step 1 Delete the rules displayed in the Rule Text field and click any other field.
Step 2 Form a simple rule. See Defining a Group Rule for details.
Step 3 Click Add Rule Expression.
The Group Administration wizard creates the rule based on the parameters you specified and adds the
rule to the Rules Text field.
The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type
field in Rules Expression.
Step 4 Select a Boolean Operator from the drop-down list.
Step 5 Select the appropriate parameters for Object Type, Variables, and Operators.
Step 6 Enter a value in the Value field.
Step 7 Click Add Rule Expression.
You can validate rules that are entered directly into the Rules Text field or rules formed using the Add
Rules Expression option in the dialog box.
• To check whether the syntax is valid, click Check Syntax.
• To view the rules defined for the parent groups, click View Parent Rules.
Step 8 Click Next.
The wizard takes you to the Membership:Create dialog box, where you can further refine the group
definition by adding or deleting specific devices from the group. See Assigning Group Membership for
more information.
The range operator enables you to group the devices of the specified range of IP Addresses. You can
select the range operator only for the ManagementIpAddress and IP.Address variables.
You should enter the range of IP Addresses in the Value field, to create a group rule based on IP Address
ranges.
When you enter the IP Address range in the text field, you should:
• Specify the range with permissible values for one or more octets in the IP Address.
The minimum limit in the range is 0 and the maximum limit is 255.
• Use the hyphen character (-) as a separator between the numbers that indicate a range.
• Specify the range of IP Addresses within the [ and ] characters to create a group rule.
For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field.
You should not:
• Enter numbers less than 0 and greater than 255 in the IP Address range.
• Enter any characters other than the range separator (-).
• Enter an upper limit for the range that is less than its lower limit. For
example, you should not enter 10.10.10.[8-4].
See Behavior of IP Address Range Based Device Groups in Multi-Server Setup for more information on
the IP Address Range based device groups in a multi-server setup.
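The Value-field rules listed above can be checked before a rule is saved. The following is an added example, not code from LMS: it validates a range expression against those rules, counts how many addresses it covers, and previews which entries of a constructed inventory fall inside it. The function names and the inventory are assumptions made for illustration.

```python
import ipaddress
import re

# An octet is either a plain number or a bracketed range such as [0-255].
OCTET = re.compile(r"(?:([0-9]{1,3})|\[([0-9]{1,3})-([0-9]{1,3})\])")

# Constructed inventory: (display name, management IP address).
INVENTORY = [
    ("edge-rtr1", "10.10.10.4"),
    ("dist-sw2", "10.10.44.200"),
    ("lab-ap7", "10.11.0.9"),
]


def parse_range(value):
    """Return four (low, high) pairs for a Value-field string; raise ValueError if invalid."""
    parts = value.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected four dot-separated octets")
    bounds = []
    for position, part in enumerate(parts, start=1):
        found = OCTET.fullmatch(part)
        if not found:
            raise ValueError("octet %d: use digits or [low-high] only" % position)
        if found.group(1) is not None:
            low = high = int(found.group(1))
        else:
            low, high = int(found.group(2)), int(found.group(3))
        if low > 255 or high > 255:
            raise ValueError("octet %d: values must be between 0 and 255" % position)
        if high < low:
            raise ValueError("octet %d: upper limit is below lower limit" % position)
        bounds.append((low, high))
    return bounds


def validate(value):
    """Return None when the value is acceptable, otherwise the reason it is not."""
    try:
        parse_range(value)
    except ValueError as error:
        return str(error)
    return None


def address_count(value):
    """Number of addresses the expression covers; a quick check for over-broad rules."""
    total = 1
    for low, high in parse_range(value):
        total *= high - low + 1
    return total


def in_range(value, address):
    """True if a dotted IPv4 address falls inside the range expression."""
    octets = ipaddress.IPv4Address(address).packed
    return all(low <= octet <= high
               for (low, high), octet in zip(parse_range(value), octets))


def members(value, inventory):
    """Display names of inventory entries whose address matches the expression."""
    return [name for name, address in inventory if in_range(value, address)]


if __name__ == "__main__":
    for candidate in ("10.10.10.[0-255]", "10.10.[0-255].[0-255]", "10.10.10.[8-4]"):
        problem = validate(candidate)
        print(candidate, "->", problem or members(candidate, INVENTORY))
```

Comparing address_count for two candidate expressions shows how much wider 10.10.[0-255].[0-255] is than 10.10.10.[0-255] before any job is scheduled against the group.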
Examples
Step 7 Edit the rule expression in the text area to adjust the priorities among the group expressions.
You should place two rule expressions together within opening and closing parentheses. Ensure that
you leave a space between each parenthesis and the group expressions.
The edited composite rule is:
Device.DisplayName contains "TestDevice" AND
( Device.Category equals "Routers" OR
Device.ManagementIpAddress startswith "10.77" )
You can also check the syntax of the group rule entered.
Step 8 Click Next to proceed further.
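To see why the parentheses in the edited composite rule matter, the following added example (not LMS code) parses rule text and previews which entries of a constructed inventory it selects. Assumptions: expressions outside parentheses are evaluated left to right, EXCLUDE is treated as "and not", string comparisons are case-sensitive, and only the equals, contains, startswith and endswith operators are handled; the page does not state how LMS itself resolves these points.

```python
import re

TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')
STRING_OPS = {
    "equals": lambda have, want: have == want,
    "contains": lambda have, want: want in have,
    "startswith": lambda have, want: have.startswith(want),
    "endswith": lambda have, want: have.endswith(want),
}
BOOLEAN_OPS = ("AND", "OR", "EXCLUDE")

# The composite rule from the Examples section, and the same rule without parentheses.
PAGE_RULE = ('Device.DisplayName contains "TestDevice" AND '
             '( Device.Category equals "Routers" OR '
             'Device.ManagementIpAddress startswith "10.77" )')
FLAT_RULE = PAGE_RULE.replace("( ", "").replace(" )", "")

# Constructed inventory; attribute names follow the rule variables on this page.
INVENTORY = [
    {"DisplayName": "TestDevice-rtr1", "Category": "Routers",
     "ManagementIpAddress": "192.0.2.10"},
    {"DisplayName": "TestDevice-sw1", "Category": "Switches and Hubs",
     "ManagementIpAddress": "10.77.1.5"},
    {"DisplayName": "TestDevice-sw2", "Category": "Switches and Hubs",
     "ManagementIpAddress": "192.0.2.20"},
    {"DisplayName": "core-sw9", "Category": "Switches and Hubs",
     "ManagementIpAddress": "10.77.9.9"},
]


def parse(rule_text):
    """Turn rule text into a nested tuple tree; raise ValueError on bad syntax."""
    tokens = TOKEN.findall(rule_text)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("rule ends unexpectedly")
        pos += 1
        return tokens[pos - 1]

    def term():
        tok = take()
        if tok == "(":
            node = expression()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if not tok.startswith("Device."):
            raise ValueError("expression must start with Device.: %r" % tok)
        op, value = take(), take()
        quoted = len(value) >= 2 and value[0] == value[-1] == '"'
        if op not in STRING_OPS or not quoted:
            raise ValueError("bad expression near %r" % tok)
        return ("test", tok[len("Device."):], op, value[1:-1])

    def expression():
        node = term()
        while peek() in BOOLEAN_OPS:      # left to right, no precedence (assumption)
            node = (take(), node, term())
        return node

    tree = expression()
    if peek() is not None:
        raise ValueError("unexpected token %r" % peek())
    return tree


def check_syntax(rule_text):
    """Return None if the rule parses, otherwise the reason it does not."""
    try:
        parse(rule_text)
    except ValueError as error:
        return str(error)
    return None


def matches(tree, device):
    if tree[0] == "test":
        _, attribute, op, wanted = tree
        return STRING_OPS[op](str(device.get(attribute, "")), wanted)
    left, right = matches(tree[1], device), matches(tree[2], device)
    if tree[0] == "AND":
        return left and right
    if tree[0] == "OR":
        return left or right
    return left and not right             # EXCLUDE, assumed to mean "and not"


def members(rule_text, inventory):
    """Display names of the inventory entries the rule selects."""
    tree = parse(rule_text)
    return [device["DisplayName"] for device in inventory if matches(tree, device)]


if __name__ == "__main__":
    print("with parentheses:   ", members(PAGE_RULE, INVENTORY))
    print("without parentheses:", members(FLAT_RULE, INVENTORY))
```

Under these assumptions, dropping the parentheses adds core-sw9 to the group even though its name does not contain TestDevice, so any job run against the group would reach a device the rule author did not intend.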
Note In LMS 4.2, the attributes State (Device.State) and System.SystemOID (Device.System.SystemOID) are
not available. If you back up and restore any group created in older versions of LMS using these
attributes, the groups will not be restored.
Memory.Size Total RAM size in MB. To create a group of all devices having
Memory size greater than 512 MB.
• Select the variable Memory.Size
• Select the operator >.
• Enter the value 512.
Memory.Type Memory type. To create a group of all devices having
processorMemory.
• Select the variable Memory.Type
• Select the operator equals.
• Enter the value processorMemory.
Memory.Used Used memory in MB. To create a group of all devices having
Memory used size less than 30 MB.
• Select the variable Memory.Used
• Select the operator <.
• Enter the value 30.
Model Model of the device. The third level entries in the Device Type tree in DCR
Device Management UI.
For example, the model Cisco 3101 Router falls under the Cisco 3100 Series Routers,
which comes under the category Routers.
To create a group of all Cisco 3101 Routers.
• Select the variable Model
• Select the operator contains.
• Enter the value Cisco 3101 Routers.
The User-Defined Fields (UDFs) available in the variable drop-down list are taken from DCR. You can
create UDFs at Admin > Network > Device Credential Settings > User Defined Fields. For details,
see Adding User Defined Fields.
If you create a UDF that is similar to one of the predefined System Defined attributes, a _UDF suffix is
appended to the User-Defined Field you add, to distinguish these two attributes.
For example, if you create a UDF called DisplayName (which is one of the predefined attributes present
in the Variable drop-down list), this will be displayed as DisplayName_UDF.
Note You should not create UDFs in the format System Defined Field_UDF, where System Defined Field
stands for any attribute listed in the above table.
By default, four UDFs are available. You can create an additional six UDFs in DCR. The maximum
number of UDFs that can be added in the Variable drop-down list is 10.
Note You can add devices from the list of available objects in the parent group even if they do not match
membership criteria.
Step 1 Select one or more devices in Available Objects From Parent Group column.
To select multiple devices, hold the Ctrl or Shift keys down and click on the devices.
Step 2 Click Add.
The selected devices are removed from the Available Objects From Parent Group and added to the Object
Matching Membership Criteria column.
Note The newly added devices will not be included in the jobs scheduled prior to their addition to the group.
You must reschedule the job and select the group again.
Step 1 Select one or more devices in Object Matching Membership Criteria column.
To select multiple devices, hold the Ctrl or Shift keys down and click on the devices.
Step 2 Click Remove.
The selected devices are removed from the Object Matching Membership Criteria column and added to
Available Objects From Parent Group.
Step 3 Click Next.
The Summary:Create window appears. It displays the group name, the parent group, description, the
membership update type, group rules, and the visibility scope of the group you created.
If you want to change the parameters, click Back to go back to the previous windows and make changes.
Step 4 Click Finish to create the group based on the parameters specified.
Step 1 Either:
• Select Admin > System > Group Management > Device.
The Group Administration page appears.
Or
• Select Inventory > Group Management > Device.
The Group Administration page appears.
Step 2 Select a group from the Group Selector pane.
The Group Info pane on the right side displays the high-level properties of the selected group.
Step 3 Click Details.
The Group Administration wizard displays the details of the group in Properties:Details window.
• Click View Parent Rules to display the rules set for the parent group.
The rules set for the parent group are displayed in the Show Parent Rules window.
• Click Membership Details to display a list of devices and their corresponding object types.
The membership details are displayed in Membership:Details window.
In the Membership:Details window, you can:
– Click on the column headers to sort the entries in the table.
– Select the number of rows to be displayed in the table in the Rows per page option.
• Click Property Details to return to the Property:Details window.
Step 4 Click Cancel to return to the Group Administration and Configuration page.
Step 1 Either:
• Select Admin > System > Group Management > Device.
The Group Administration page appears.
Or
• Select Inventory > Group Management > Device.
The Group Administration page appears.
Step 2 Select a group from the Group Selector pane.
The Group Info fields on the right side display details of the selected group.
Step 3 Click Edit.
The Group Administration wizard guides you through the process of editing a group. It displays the
details of the group in Properties:Edit window.
Step 4 Change the Group Name, Description, Membership Update, and Visibility Scope in the Properties:Edit
dialog box.
You cannot change the Parent group or copy attributes from a different group in Edit mode.
Step 5 Click Next.
The wizard takes you to the Rules:Edit window.
Step 6 Change the rules as required. For details on creating the rules, see Defining a Group Rule.
Step 7 Click Next.
The wizard takes you to the Membership:Edit window.
Step 8 Add or remove devices from the list of objects in Objects Matching Membership Criteria as required.
For details on creating the rules, see System Defined Attributes.
Step 9 Click Next.
The wizard takes you to the Summary window.
If you want to change the parameters specified, click Back to go back to the previous windows and make
changes to the properties or rules.
Step 10 Click Finish to modify the group.
Step 11 Click OK.
The Group Administration wizard copies the attributes of the selected group and displays it in the
corresponding fields in Properties:Create window.
Note that the Parent group you have selected for the group does not change even if you are copying
attributes from a group that belongs to a different Parent group.
Refreshing Groups
You can recompute the membership of a group by re-evaluating the group rule. The membership of
Automatic groups is recomputed dynamically.
The membership of Only-upon-user-request groups is recomputed only when explicitly refreshed with
this option.
Note Only users with read-write access can refresh the Only-upon-user-request groups.
To refresh a group:
Step 1 Either:
• Select Admin > System > Group Management > Device.
The Group Administration page appears.
Or
• Select Inventory > Group Management > Device.
The Group Administration page appears.
Step 2 Select a group from the Group Selector pane.
The Group Info fields on the right pane display details of the selected group.
Step 3 Click Refresh.
The Group Administration popup window prompts you for confirmation.
Step 4 Click Yes.
The selected group is recomputed and the window is refreshed.
Whenever you delete devices from a group, refresh the group so that group membership is recomputed.
Deleting Groups
You can delete a group from the Group Selector. When you delete a group, all the child groups under the
group are also deleted. You can also delete the stale groups (groups that belong to users removed from
Cisco Prime).
To delete a group:
Step 1 Either:
• Select Admin > System > Group Management > Device.
The Group Administration page appears.
Or
• Select Inventory > Group Management > Device.
The Group Administration page appears.
Step 2 Select the group from the Group Selector.
The Group Info fields on the right pane display details of the selected group.
Step 3 Click Delete.
The Group Administration prompts you for confirmation.
Step 4 Click Yes.
The selected group is deleted.
See Deleting Stale Groups Using CLI for more information on how to delete stale groups using CLI.
Exporting Groups
This feature helps you to export a User-defined group hierarchy into a file.
You can export a selected User-defined group hierarchy or all User-defined groups in an LMS Server to
an output file.
Private User-defined groups created by other users will not be exported. However, the
private User-defined groups created by you will be exported.
You must have Network Administrator, System Administrator or Super Admin privileges to export
groups.
In a Multi-server setup, you can export the User-defined groups installed in all LMS Servers of the same
DCR domain. You can do this from a DCR Master Server and a Slave server.
Grouping Services supports exporting User-defined groups to an XML format only. CSV file formats are
not supported.
See Sample Export Groups Output File for sample XML file generated by the Grouping Services export
utility.
Note We recommend that you use the file generated by the Grouping Services export utility for import
operations and do not edit the XML file.
You can:
• Export Groups from the User Interface. See Exporting Groups From User Interface for details.
or
• Export Groups through the CLI. See Exporting Groups Through CLI for details.
This section explains:
• Sample Export Groups Output File
• Exporting Groups From User Interface
<description> </description>
<rule/>
<evaluation-type>2</evaluation-type>
<scope>PUBLIC</scope>
<tags>
<tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/>
<tag tag-name="USER_DEFINED" tag-value="TRUE"/>
<tag tag-name="__GROUP_ID" tag-value="CS$216"/>
<tag tag-name="__GROUP_OWNER" tag-value="admin"/>
</tags>
</ogs-group-definition>
<ogs-group-definition>
<name>/CS@server-name/User Defined Groups/CSStat</name>
<description/>
<rule>:CMF:DCR:Device.DisplayName contains "77"</rule>
<evaluation-type>1</evaluation-type>
<scope>PUBLIC</scope>
<tags>
<tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/>
<tag tag-name="USER_DEFINED" tag-value="TRUE"/>
<tag tag-name="__GROUP_OWNER" tag-value="admin"/>
<tag tag-name="__GROUP_ID" tag-value="CS$221"/>
</tags>
</ogs-group-definition>
</server>
</ogs-groups>
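Because an import takes its group names, rules, scope and owners from this file, it is worth reading the file back before importing it. The following is an added example, not part of the Grouping Services utilities: it parses an export, lists findings per group, and compares the file with a SHA-256 hash that you are assumed to have recorded when the export was made. The sample is constructed from the excerpt above; the opening tags without attributes, the first group name, the owner operator1 and the scope value PRIVATE are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like the excerpt on this page. The opening
# <ogs-groups> and <server> tags are not shown there, so they carry no
# attributes here, and the scope value PRIVATE is an assumption (the page
# shows only PUBLIC).
SAMPLE = b"""<ogs-groups>
<server>
<ogs-group-definition>
<name>/CS@server-name/User Defined Groups/Lab</name>
<description> </description>
<rule/>
<evaluation-type>2</evaluation-type>
<scope>PUBLIC</scope>
<tags>
<tag tag-name="USER_DEFINED" tag-value="TRUE"/>
<tag tag-name="__GROUP_ID" tag-value="CS$216"/>
<tag tag-name="__GROUP_OWNER" tag-value="admin"/>
</tags>
</ogs-group-definition>
<ogs-group-definition>
<name>/CS@server-name/User Defined Groups/CSStat</name>
<description/>
<rule>:CMF:DCR:Device.DisplayName contains "77"</rule>
<evaluation-type>1</evaluation-type>
<scope>PRIVATE</scope>
<tags>
<tag tag-name="USER_DEFINED" tag-value="TRUE"/>
<tag tag-name="__GROUP_OWNER" tag-value="operator1"/>
<tag tag-name="__GROUP_ID" tag-value="CS$221"/>
</tags>
</ogs-group-definition>
</server>
</ogs-groups>
"""


def sha256_hex(data):
    """Hash to record when the file is exported and to compare before import."""
    return hashlib.sha256(data).hexdigest()


def text_of(node, child):
    return (node.findtext(child) or "").strip()


def load_groups(data):
    """Parse export bytes into one dict per <ogs-group-definition>."""
    # Precaution (assumption): a group export has no reason to declare entities.
    if b"<!ENTITY" in data:
        raise ValueError("entity declarations are not expected in a group export")
    groups = []
    for node in ET.fromstring(data).iter("ogs-group-definition"):
        tags = {tag.get("tag-name"): tag.get("tag-value") for tag in node.iter("tag")}
        groups.append({
            "name": text_of(node, "name"),
            "rule": text_of(node, "rule"),
            "scope": text_of(node, "scope"),
            "owner": tags.get("__GROUP_OWNER"),
            "group_id": tags.get("__GROUP_ID"),
        })
    return groups


def review(data, recorded_sha256=None, known_owners=("admin",)):
    """Return findings an administrator should read before importing the file."""
    findings = []
    if recorded_sha256 and sha256_hex(data) != recorded_sha256.lower():
        findings.append("file differs from the hash recorded at export time")
    try:
        groups = load_groups(data)
    except (ValueError, ET.ParseError) as error:
        return findings + ["not parsed: %s" % error]
    seen = Counter(group["name"] for group in groups)
    for group in groups:
        name = group["name"] or "(unnamed group)"
        if seen[group["name"]] > 1:
            findings.append("%s: name appears more than once" % name)
        if group["scope"] == "PUBLIC":
            findings.append("%s: visible to all users" % name)
        if not group["rule"]:
            findings.append("%s: no rule, container group" % name)
        if group["owner"] not in known_owners:
            findings.append("%s: owner %r is not a known account" % (name, group["owner"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE, recorded_sha256=sha256_hex(SAMPLE)):
        print(finding)
```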
Step 1 Select Admin > System > Group Management > Device.
The Group Administration page appears.
Step 2 Select a User-defined Group hierarchy from the Group Selector.
Step 3 Click Export.
The Export Groups dialog box appears.
Step 4 Select either one of the following options:
• Export the selected User-defined Group hierarchy— Exports the selected User-defined Group and
its child groups.
Or
• Export All Applications User-defined Groups —Exports all User-defined Groups from all
applications installed on all LMS Servers in the same DCR domain.
The browser-specific File Download window appears prompting you to open or save the output XML
OGSExport.xml file.
Step 5 Click either of the following buttons:
• Open to open the XML file
Or
• Save to store the file on the client system with the same or a different filename.
Importing Groups
This feature helps you to import User-defined group hierarchies from an input XML file to the LMS
Server.
Note You cannot import User-defined groups from older versions of LMS to LMS 4.0 and later versions.
You can import User-defined groups from an input file to the LMS Server.
The private User-defined groups in the input XML file will be imported as your private User-defined
groups in LMS Server. They will not be visible to other users.
You must have Network Administrator, System Administrator or Super Admin privileges to import
groups.
In a Multi-server setup, you can import User-defined groups from a DCR Master Server and a Slave
server.
Note We recommend that you use the file generated by the Grouping Services export utility for import
operations and do not edit the XML file.
You can import groups:
• From the user interface. See Importing Groups From User Interface.
Or
• Through the CLI. See Importing Groups Through CLI.
This section explains:
• Important Notes on Importing Groups
• Importing Groups From User Interface
Step 1 Either:
• Select Admin > System > Group Management > Device.
The Group Administration page appears.
Or
• Select Inventory > Group Management > Device.
The Group Administration page appears.
Step 2 Click Import.
The Import Groups - File Selection dialog box appears.
Step 3 Enter an input XML file name in the File Name field or click Browse to select a file from the client
system.
The Import Groups dialog box appears with a list of import groups specified in the input XML file.
Step 4 Select the list of groups to be imported from the Import Groups From field.
Step 5 Select a server location to which the groups are to be imported in the Import Groups to Servers field.
You can select multiple Grouping Server locations or All to select all the Grouping Server locations.
This field is disabled on LMS Servers operating in the DCR Standalone mode.
Step 6 Click OK.
A message appears indicating if the groups were imported or not.
See Important Notes on Importing Groups for the possible causes of the import job failure.
See Using Group Administration Features Through CLI for more information on using group
administration feature using CLI.
The rule expression for Subnet Based Groups has the following components:
Class.attribute operator "value"
For example,
Device.IP.Subnet equals "172.20.104.192" AND Device.IP.SubnetMask equals "255.255.255.240"
The rule above will select all devices of subnet 172.20.104.192 and subnet mask 255.255.255.240.
The examples provided here are simple. However, the Grouping Service allows complex rules to be
arbitrarily formed by combining rule expressions with AND, OR or the EXCLUDE operators. This gives
the administrator the power and flexibility to create view partitions tailored to the needs of their site.
The following table gives details of DCR mode changes and implications on Groups.
Unregistering a Slave
The Unregister Slave utility helps you unregister a Slave that is no longer a part of the domain.
The utility is useful in the following scenarios:
• Change in Slave mode because of Backup and Restore. That is, if data is restored from Standalone
or Master belonging to a different domain.
• When you uninstall Cisco Prime from the Slave.
• Change in Slave mode, when master is not reachable. If the Master is down when the Slave mode
changes, the Master will not be aware of the Slave mode change, when it comes up.
The Master will not receive any data from the Slave, but the Slave information will still be in its registry.
A redundant group (such as LMS@Slave) will still appear in the Master Groups UI.
In the case of DCR, any device operation on Master will update the Slave list. However, this does not
happen in the case of Groups.
You can run the UnregisterSlave utility to remove any unwanted slave information:
From the CLI, run:
NMSROOT/bin/perl NMSROOT/bin/UnregisterSlave.pl slave host name
You have to enter the hostname of the machine you want to unregister.
For information on effects of backup-restore on data, DCR modes, and Groups, see Effects of
Backup-Restore on DCR and Effects of Backup-Restore on Groups.
4. In some devices, duplicate entries are returned for the ifName MIB. In such cases, only one entry
for the ifName will be considered and the duplicate entries will be dropped.
5. The port information is fetched from the ifXtension MIB. If the ifXtension MIB is not supported in
the device, then port configuration for the device will not work.
For example, if a device supports only SNMPv1, then ifXtension MIB will not be supported in the
device. In this case, the port configuration for the device will not work.
The LMS Port and Module Group Browser window contains these fields. (See Table 5-2)
Field/Button Description
Group Name Name of the group created.
By default, the following System-defined groups are displayed:
• 1 Gbps Ethernet Ports—Contains all 1 Gbps Ethernet ports in the network.
• 10 Gbps Ethernet Ports—Contains all 10 Gbps Ethernet ports in the network.
• 10 Mbps Ethernet Ports—Contains all 10 Mbps Ethernet ports in the network.
• 100 Mbps Ethernet Ports—Contains all 100 Mbps Ethernet ports in the network.
• Access Ports—Contains all the Access mode ports.
• DMP Ports—Contains all ports connected to DMP.
• End Hosts—Contains all ports connected to End Hosts.
• IP Phones—Contains all ports connected to IP Phones.
• IPVSC Ports—Contains all ports connected to IPVSC.
• Link Ports—Contains all ports connected to other devices.
Description Description of the group created.
Group Type Type of the group created. For example, Port or Module.
Created By User who created the group.
Last Modification Time Time at which the group settings were last modified.
Rows per page This page displays the number of rows you have set for display in the Rows per page field.
You can increase the rows to 500 for each page by selecting the Rows per Page drop-down list. You
can navigate through the pages of the report using the navigation icons at the bottom right of this table.
Create Starts the Group Creation Wizard for creating a group, as described in the Creating Port and Module
Groups.
Edit Starts the Group Edit Wizard for editing an existing group, as described in the Editing Port and Module
Groups.
View Allows you to view the group details, as described in the Viewing Port and Module Group Details.
Delete Deletes the group, as described in the Deleting Port and Module Groups.
You can perform the following tasks from the LMS Port and Module Group Browser window:
• Creating Port and Module Groups
• Editing Port and Module Groups
Note Port and Module configuration depends on the data collected by the LMS Inventory. For the Port and
Module configuration to work properly, the inventory collection for the devices must be successful.
Table 5-3 Fields on the Port and Module Group Properties dialog box
Field Description
Group Name Name of the group you are creating.
Description Text description of the group.
To enter the values in Port and Module Group Properties dialog box:
Step 1 Either:
• Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
• Select Inventory > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Step 2 Click Create.
The Group Properties page appears.
Step 3 Enter a unique name for the group in the Group Name field.
Step 4 Enter a description for the group in the Description field (optional).
Step 5 Click Next.
The Select Group Source page appears, displaying the Device Selection dialog box.
Fields Description
Device Selector Displays all LMS devices in the group.
Search Input Enter the search expression in this field.
You can enter single device names or multiple device names. If you are entering
multiple device names, separate them with a comma. You can also enter the
wildcard characters “*” and "?".
For example: 192.168.10.1*, 192.168.20.*
Search Use this icon to perform a simple search of devices based on the search criteria
you have specified in the Search Input text field.
For information on Search, see Performing Simple Search.
Advanced Search Use this icon to perform an advanced search of devices based on the search
criteria you have specified in the Search Input text field.
For information on Advanced Search, see Performing Advanced Search.
All Lists all User-defined and System-defined groups for all applications that are
installed on LMS Server.
For more information, see Selecting Devices From All Tab.
Search Results Displays all the search results from Search or Advanced Search.
For more information, see Selecting Devices From Search Results.
Selection Lists all the devices that you have selected in the Search Results or All tab.
Using this tab, you can deselect devices from the list.
Group Selector Displays all groups in LMS.
Step 1 Either:
• Select Device Selector.
• Select the devices.
or
• Select Group Selector.
Field/Buttons Description
Object Type Select the following object types to form a group:
• Module
• Port
Variable Object type attributes, based on which you can define the group.
See Rule Attributes for Port and Module Creation.
Operator Operator to be used in the rule. The list of possible operators changes, based on the variable
selected.
When using the equals operator the rule is case-sensitive.
Value Value of the rule expression. The possible values depend upon the variable and operator that you
select. Depending on the operator selected, the value may be free-form text or a list of values.
Wildcard characters are not supported.
Add Rule Expression (Button) Adds the rule expression to the group rules.
Rule Text Displays the rule.
Check Syntax (Button) Verifies that the rule syntax is correct.
Use this button to verify the syntax of the rule that you have created before proceeding to the
next step.
Field/Buttons Description
Include (Button) Include List popup opens and lists all the modules or ports from the selected devices that do not
match the rule. You can choose to include those modules or ports for group creation.
The Include List popup will also list the modules or ports that match the rule but will not be
enabled for selection.
Click Include to launch the Include List window. See Table 5-5 for descriptions of the fields in
the Include List window.
You can also include modules or ports for the selected devices, without specifying a rule, by
clicking Include.
Exclude (Button) Exclude List popup opens and lists all the modules or ports from the selected devices that match
the rule. You can choose to exclude those modules or ports for group creation.
The Exclude List popup will also list the modules or ports that do not match the rule but will not
be enabled for selection.
Click Exclude to launch the Exclude List window. See Table 5-5 for descriptions of the fields
in the Exclude List window.
For examples on defining valid rules, see Examples for Port and Module Groups.
Step 7 Click Next.
The Summary page appears, displaying the group properties. See Understanding the Summary.
Note You can also include modules or ports for the selected devices, without specifying a rule, by clicking
Include.
If you include the ports or modules for the selected devices, and also exclude the same ports or modules,
the exclude option will have a higher priority.
Object Type Attribute Description
Module AdminStatus Administrative status of the module. For example,
Enabled/Commissioned.
FW_Version Firmware version of the module. For example, 12.1(27b)E1
ModuleName Name of the module. For example, Linecard
OperStatus Operational status of the module. For example, Dormant
SlotNumber Slot number of the module. For example, 6
SW_Version Software version of the module. For example, 12.1(27b)E1
VendorType Vendor type of the module. For example, cevAS53004ct1
Port AdminStatus Administrative status of the port. For example, Disabled/Decommissioned
CM.AccessStatus Whether the port is an Access port or not.
CM.Channel Whether the port is a channel port.
CM.Duplex The duplex mode of the port. The values could be unknown-duplex,
full-duplex, half-duplex, default, disagree, auto-duplex.
CM.JumboFrameEnabled Whether the port is JumboFrame enabled or disabled.
CM.L2L3 Whether the port is in switched or routed mode.
CM.LinkStatus Link status of the port. Whether the link is up or down.
CM.Neighbor Whether the port is connected to a device, IP Phone, or End Host.
CM.TrunkStatus Whether the port is a Trunk port. If trunk is configured in the port, then it
is a trunk port.
CM.VLAN_ID The index of the VLAN configured on the port.
CM.VLAN_NAME Name of the VLAN configured on the port.
CM.VTP_DOMAIN Name of the VTP Domain that the port is associated with.
EnergyWise_Importance EnergyWise Importance of the device.
This value prioritizes the devices in a domain based on their power usage.
EnergyWise_Role Role or function of the device in the EnergyWise domain.
EnergyWise_Keyword A word that will help you identify a specific device or group of devices in
the EnergyWise domain.
FlexLink Whether the FlexLink status of the port is enabled or disabled.
IFIndex IFIndex of the port. For example, 10
IsEnergyWisePort Specifies if the port is EnergyWise-enabled.
Identity_Security_Mode Specifies the security mode, based on the level of security you wish to
implement in your network. The three types of security modes are:
• Monitor Mode
• Low Impact Mode
• High Security Mode
MACsecStatus You can enable or disable MACsec on the interface. MACsec provides
secure, encrypted communication on wired LANs.
OperStatus Operational Status of the port. For example, Stopped/Suspended
PortDescription Description of the port. For example, FastEthernet0/1
PortName Name of the port. For example, Fa0/1
SpanEnabled Whether the port is Span enabled.
Speed Speed of the port. For example, 10000000 (for 10 Mbps)
Type Enter the value for the port type.
For example, if you want to define a rule for the port type ethernetCsmacd,
you need to enter 6 as the value.
For information on the port type values, see
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=iftype&translate=Translate&submitValue=SUBMIT&submitClicked=true
Note For the port attributes whose names start with "CM.", the data collection for the attributes must be successful.
Rule to select all the Ports whose Port Description contains the string: Ethernet
This rule filters all ports whose Port description contains the string Ethernet.
To provide rule expression for this scenario:
From the Create Rules dialog box:
Step 1 Select Port from the Object Type drop down listbox
Step 2 Select PortDescription from the Variable drop down listbox
Rule to select all the Ports that are connected to another device
This rule filters all Ports that are connected to another device.
To provide rule expression for this scenario:
From the Create Rules dialog box:
Step 1 Select Port from the Object Type drop-down list
Step 2 Select CM.LinkStatus from the Variable drop-down list
Step 3 Select = from the Operator drop-down list
Step 4 Select Configured in the Value drop-down list.
Step 5 Click Add Rule Expression
The following rule gets added to the Rule Text:
Port.CM.LinkStatus = "Configured"
Step 1 Select Module from the Object Type drop-down list
Step 2 Select SlotNumber from the Variable drop-down list
Step 3 Select = from the Operator drop-down list
Step 4 Enter 1 in the Value text box
Step 5 Click Add Rule Expression
The following rule gets added to the Rule Text:
Module.SlotNumber = "1"
Field Description
Group Name Name of the group you are creating.
Description Text description of the group.
Rule Rules used to filter the group.
Devices/Groups in Rule List of devices or groups to which the rule will be applied.
Step 1 Either:
• Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
• Select Inventory > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Step 2 Select the group name and click View.
The View Group Details page appears, displaying Group: Details dialog box with the following details:
Field/Button Description
Group Name Name of the group you are viewing.
Parent Group Parent group of the group you are viewing.
Type Type of the objects that belong to the group.
Description Text description of the group.
Rule Rules used to create the group.
Created By User who created the group. This also displays the time at which the
group was created.
Last Modified By User who last modified the group. This also displays the time at which
the group was last modified.
Devices/Groups Devices or Device Groups that are part of the port or module group.
Membership Details (Button) Used to view the list of devices that belong to the group. See Viewing
Membership Details.
Cancel (Button) Closes the page and takes you back to the Port and Module Group
Browser page.
Step 1 Either:
• Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
• Select Inventory > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Step 2 Select the group name for which you want to view the membership details and click View.
The Group: Details dialog box appears.
Step 3 Click Membership Details.
The View Group Members dialog box appears with the following information:
Field/Button Description
Device Selector Devices selected for group creation.
Port Name/Module Name Name of the ports or modules in the device that are part of the group.
Description Description of the ports or modules in the device that are part of the
group.
Filter by Port/Module Name Enter the filter expression and click Filter to filter the ports or modules
in the device that are part of the group.
Close (Button) Closes the View Group Members dialog box.
Step 1 Either:
• Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
• Select Inventory > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Step 2 Select the group by checking the check box.
Step 3 Click Edit.
The Group Properties page appears, displaying Port and Module Group Properties dialog box. See
Entering the Port and Module Group Properties Details.
You cannot:
• Modify the Group Name field.
• Click Finish to complete the edit flow.
Step 1 Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups.
Step 2 Select the group to remove from the Port and Module Group Browser dialog box.
Step 3 Click Delete.
A confirmation dialog box shows that the group will be deleted.
Step 4 Click OK.
Customizable Groups Intended Use
A, B, C Consider reserving customizable groups A, B, and C to troubleshoot. Add one device to any of
these groups when you need to test. For example, to test a changed threshold or interval
value for a polling setting.
1, 2, 3, 4 Consider using customizable groups 1, 2, 3, and 4 when you want to override polling
settings and thresholds for more than one device.
You configure a customizable group to have the highest priority. To do so, see the Setting Priorities section
in Monitoring and Troubleshooting Online Help. You must add devices to the customizable groups
before you can set polling parameters or threshold values for them. To do so, see Working with
Customizable Groups.
Since you cannot change the rules for system defined groups, Fault Management provides groups that
you can customize so that they contain devices, ports, or interfaces.
Port and interface containment is only seen and used by Polling and Thresholds (Monitor > Threshold
Settings > Fault).
After you edit or create a group, you can determine whether other Cisco Prime users can view the group.
For each of the parent groups listed in Table 5-8, Fault Management provides seven configurable
subgroups. Table 5-9 describes the restrictions placed on the subgroups.
Note If you are connecting to the LMS server for the first time, a Security Alert window is displayed
when you select an option. Do not proceed without viewing and installing the self-signed
security certificate.
See Editing and Creating Fault Groups for information on how to use Group Administration to create
and edit groups. In addition to creating and editing groups, Group Management provides the following
functions:
• Refreshing Fault Membership
• Deleting Fault Groups
Table 5-10 describes the fields in the Group Administration and Configuration page.
Field/Button Description
Group Selector Hierarchical display of all available groups.
Group Info When you select an item from the Group Selector, the Group Info pane displays the
following information:
• Group Name—Name of the group you selected.
• Type—Type of objects in the selected group.
• Description—Text description of the group.
• Created By—Person who created the group.
• Last Modified By—Last person to modify the group settings.
Create Starts the Group Creation Wizard for creating a group, as described in Editing a
Fault Group.
Edit Starts the Group Edit Wizard for editing user defined groups, as described in Editing
a Fault Group. Not supported for view groups created from the Alerts and Activities
Defaults page.
Details Opens the Properties: Details page, as described in Viewing Fault Group Details.
Refresh Refreshes a group's membership, as described in Refreshing Fault Membership. Not
supported for port and interface groups.
Delete Deletes a group, as described in Deleting Fault Groups.
LMS uses the Group Creation Wizard to guide you through the steps required to create or edit a group.
The wizard consists of four steps:
1. Setting properties (for details, see Editing a Fault Group).
2. Creating rules (for details, see Understanding Rules).
3. Modifying group membership (for details, see Finalizing Fault Group Membership).
4. Viewing the summary (for details, see Viewing the Fault Group Summary).
Procedure
Step 1 Either:
• Select Admin > System > Group Management > Fault.
The Fault Group Administration and Configuration page appears.
Or
• Select Inventory > Group Management > Fault.
The Fault Group Administration and Configuration page appears.
Step 2 In the Group Selector, select the group you want to edit and click Edit.
The Properties: Edit page appears.
You can modify the following in the Properties: Edit page:
• Group Name
The name is automatically populated when you edit customizable subgroups; for example, Customizable
Group 1 under Customizable Access Port Groups.
• Description
• Membership update type (not supported for port and interface groups)
The parent group is displayed, but it cannot be modified.
• Visibility Scope
Step 3 Click Next.
The Rules: Edit page appears. For more information on creating rules, see Understanding Rules.
To return to any of the previous pages in the wizard, click Back.
Note If you edit a device-type group, you can launch the Preview.
You can add new rules or delete existing rules in the Rules: Edit page.
To add a new rule:
Step 1 From the first list, select a logical operator (applicable when there are multiple rule expressions).
The list of logical operators is enabled after at least one rule expression is entered.
Step 2 From the Object Type list, select an object type.
Step 3 From the Variable list, select a variable.
Step 4 From the Operator list, select an operator.
Step 5 In the Value field, enter a value.
Step 6 Click Add Rule Expression.
The rule expression appears in the Rule Text box.
You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\),
an error is displayed.
To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single
backslash. You should always check the syntax after changing a rule expression.
If you have added complex rules (containing both AND and OR conditions), you must manually enter
parentheses, as in the following example:
(AccessPort.Mode equals "" OR
AccessPort.Mode contains "BACKUP" OR
AccessPort.Mode contains "NORMAL") AND
(AccessPort.DuplexMode contains "HALFDUPLEX" OR
AccessPort.DuplexMode contains "FULLDUPLEX")
Step 7 Verify whether the syntax of the rule is correct by clicking Check Syntax.
A dialog box appears, stating that the syntax is valid.
Step 8 Click OK.
If you want to view the rules for the parent group, select View Parent Rules.
All rules assigned to a parent group also apply to any of its subgroups.
Step 9 Click Next.
The Membership: Edit page appears.
To delete a rule:
Step 1 In the Rule Text box, select the entire rule text and press the Delete key.
After deleting the rule, you must click the page so that the page can refresh, removing the list of logical
operators.
Step 2 Click Next.
The Membership: Edit page appears.
You can add or remove specific objects from the group membership. This feature is not supported for
port and interface groups.
The group's rule captures the list of objects that are added to or deleted from the group. The rule will
contain an Includelist and an Excludelist section to reflect this.
Although it is acceptable for a rule to have more than one Includelist or Excludelist, the recommended
practice is to consolidate them, forming one Includelist and one Excludelist. Check for duplicates across
both lists and ensure that no device is both included and excluded.
You can add and remove objects from the Parent Group.
To add an object:
Step 1 In the Available Objects from Parent Group column, select the device you want to add.
Step 2 Click Add.
Step 3 Click Next.
The group’s information appears in the Summary: Create page.
Step 4 Click Finish.
A dialog box appears, stating that changes to the group have been saved.
Step 5 Click OK.
To remove an object:
Step 1 In the Objects Matching Membership Criteria column, select the device you want to remove.
Step 2 Click Remove.
Step 3 Click Next.
The group’s information appears in the Summary: Create page.
Step 4 Click Finish.
A dialog box appears, stating that changes to the group have been saved.
Step 5 Click OK.
Note When you create a fault group, at least one device must be in the managed state.
Procedure
Step 1 Either:
• Select Admin > System > Group Management > Fault.
The Fault Group Administration and Configuration page appears.
Or
• Select Inventory > Group Management > Fault.
The Fault Group Administration and Configuration page appears.
Step 2 In the Group Selector, select User Defined Groups.
Step 3 Click Create.
The Properties: Create page appears.
Step 4 Enter a group name for the new group.
If you do not want to copy the attributes of an existing group to your new group, proceed to Step 6. If
you want to copy the attributes of an existing group to the new group, do the following:
a. Click Select Group.
The Replicate Attributes page appears.
b. Select the group from which you want to copy the attributes.
c. Click OK.
All attributes except the group name are copied to the new group.
If you want to change the parent group (the location where the group will reside in the Group Selector),
do the following:
a. Click Change Parent.
The Select Parent page appears.
b. Select the parent group.
Step 5 Click OK.
Enter a description. This is optional.
Step 6 Choose how you want the group membership updated (this choice is not displayed for port and
interface groups):
• If you want the membership for this group updated automatically, select Automatic.
• If you want the membership for this group updated only when the Refresh button is clicked, select
Only Upon User Request.
You can add or remove specific objects from the group membership. This feature is not supported for
port and interface groups.
The group's rule captures the list of objects that are added to or deleted from the group. The rule will
contain an Includelist and an Excludelist section to reflect this.
Although it is acceptable for a rule to have more than one Includelist or Excludelist, the recommended
practice is to consolidate them, forming one Includelist and one Excludelist. Check for duplicates across
both lists and ensure that no device is both included and excluded.
You can add and remove objects from the Parent Group.
To add an object:
Step 1 In the Available Objects from Parent Group column, select the device you want to add.
Step 2 Click Add.
Step 3 Click Next.
The group’s information appears in the Summary: Create page.
Step 4 Click Finish.
A dialog box appears, stating that changes to the group have been saved.
Step 5 Click OK.
To remove an object:
Step 1 In the Objects Matching Membership Criteria column, select the device you want to remove.
Step 2 Click Remove.
Step 3 Click Next.
The group’s information appears in the Summary: Create page.
Step 4 Click Finish.
A dialog box appears, stating that changes to the group have been saved.
Step 5 Click OK.
Understanding Rules
Every group is defined by a set of rules. A rule set contains a Boolean combination of individual rule
expressions.
Rules are created to filter in the objects that you want to belong to the group, and to filter out those that
you do not want in the group. When determining the objects that belong to a group, Group Management
compares object information to the rule. If an object's information satisfies all of the rule requirements, it
is placed in the group.
One or more rule expressions can be applied to form a rule. Each rule expression contains the following:
Object Type.Variable Operator Value
For example:
Routers.Location equals "San Jose"
Complex rules that contain both OR and AND conditions require you to edit the rule manually. For
example, all parentheses in the following rule must be added in the Rule Text field:
(AccessPort.Mode equals "" OR
AccessPort.Mode contains "BACKUP" OR
AccessPort.Mode contains "NORMAL") AND
(AccessPort.DuplexMode contains "HALFDUPLEX" OR
AccessPort.DuplexMode contains "FULLDUPLEX")
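A pre-check for manually edited rule text, covering the mistakes this guide warns about: unbalanced parentheses, AND and OR mixed without parentheses, and a single backslash in a value. This is an added example, not LMS code; the grammar is a simplified assumption based on the Object Type.Variable Operator "Value" shape shown above, and lint_rule and the Device.Name sample are hypothetical. It does not replace Check Syntax.

```python
import re

# Token shapes assumed from the rule examples in this guide (not Cisco's grammar):
# ObjectType.Variable <operator> "value", joined by AND / OR, grouped with ( ).
TOKEN = re.compile(
    r'\s*(?:(?P<lparen>\()|(?P<rparen>\))|(?P<logic>\b(?:AND|OR)\b)'
    r'|(?P<expr>[A-Za-z_]\w*(?:\.\w+)+\s+(?:=|[A-Za-z]+)\s+"(?P<value>[^"]*)"))'
)


def lint_rule(rule_text):
    """Return a list of problems in rule_text; an empty list means none found."""
    text = rule_text.rstrip()
    if not text.strip():
        return ["rule text is empty"]
    problems = []
    levels = [set()]        # logical operators seen at each parenthesis depth
    expect_operand = True   # True: "(" or an expression is due; False: AND/OR or ")"
    pos = 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            at = len(text) - len(text[pos:].lstrip()) + 1
            problems.append(f"char {at}: unrecognised text")
            return problems
        at = m.end() - len(m.group(0).lstrip()) + 1   # 1-based offset of the token
        if m.group("lparen"):
            if not expect_operand:
                problems.append(f"char {at}: '(' where AND/OR was expected")
            levels.append(set())
            expect_operand = True
        elif m.group("rparen"):
            if expect_operand:
                problems.append(f"char {at}: ')' where an expression was expected")
            if len(levels) == 1:
                problems.append(f"char {at}: ')' has no matching '('")
            else:
                levels.pop()
            expect_operand = False
        elif m.group("logic"):
            op = m.group("logic")
            if expect_operand:
                problems.append(f"char {at}: {op} where an expression was expected")
            if op not in levels[-1]:
                levels[-1].add(op)
                if len(levels[-1]) == 2:
                    problems.append(
                        f"char {at}: AND and OR mixed at one level; add parentheses")
            expect_operand = True
        else:  # a complete ObjectType.Variable operator "value" expression
            if not expect_operand:
                problems.append(f"char {at}: expression where AND/OR was expected")
            # The Rule Text box rejects a lone backslash; it must be typed as \\.
            if "\\" in m.group("value").replace("\\\\", ""):
                problems.append(f"char {at}: single backslash in value; type \\\\")
            expect_operand = False
        pos = m.end()
    if len(levels) > 1:
        problems.append(f"{len(levels) - 1} '(' left unclosed")
    if expect_operand:
        problems.append("rule ends where an expression was expected")
    return problems


# Rule text from this section's example, typed with straight quotes.
BALANCED = '''(AccessPort.Mode equals "" OR
AccessPort.Mode contains "BACKUP" OR
AccessPort.Mode contains "NORMAL") AND
(AccessPort.DuplexMode contains "HALFDUPLEX" OR
AccessPort.DuplexMode contains "FULLDUPLEX")'''
# Constructed variant: the same rule with the second opening parenthesis left out.
MISSING_PAREN = BALANCED.replace('AND\n(', 'AND\n')

if __name__ == "__main__":
    for name, rule in (("balanced", BALANCED), ("missing paren", MISSING_PAREN)):
        print(name, "->", lint_rule(rule) or "no problems found")
```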
Rules are defined through the Group Creation Wizard on the Rules: Create and Rules: Edit pages. You
can define the following:
• Logical Operators
• Object Type
• Variable
• Operator
• Value
Logical Operators
The logical operator field appears when you are defining multiple rules. The logical operators can be:
• OR—Include devices that fulfill the requirements of either rule.
For interface, access port, and trunk port groups, this operator can only be used between the
variables of the same type, as in the following valid rule:
AccessPort.DuplexMode equals "HALFDUPLEX" OR
AccessPort.DuplexMode equals "FULLDUPLEX"
If you used an AND operator in the previous port rule, it would be invalid.
• AND—Include only objects that fulfill the requirements of both rules.
For interface, access port, and trunk port groups, this operator can only be used between the
variables of different types, as in the following example:
AccessPort.Mode equals "" AND
AccessPort.DuplexMode equals "FULLDUPLEX"
For device groups, this operator can only be used between variables of the same type, as in the
following example:
Routers.Model equals "12816" AND
Routers.Model equals "12810"
Object Type
The Object Type field lists the available objects that you can use to form a group.
Depending upon the type of group you are creating, the Object Type field may contain the following
choices:
AccessPort
TrunkPort
Interface
Cable
ContentNetworking
Device
DSLAndLRE
Group
InterfacesAndModules
NetworkManagement
Optical
Routers
SecurityAndVPN
ServerFabricSwitches
StorageNetworking
SwitchesAndHubs
UniversalGatewaysAndAccessServers
Unknown
VoiceAndTelephony
Wireless
Variable
The Variable field lists the possible attributes for the selected object type to be used for the rule. The list
of possible variables changes based on the object type that is selected. Some variables for port and
interface groups are described in Table 5-11.
Operator
The Operator field defines the operator to be used in the rule. The list of possible operators changes
based on the object type and the variable selected.
When using the equals operator, the rule is case-sensitive.
Value
The Value field describes the value of the rule expression. The possible values depend upon the object
type, variable, and operator selected. Depending on the operator selected, the value may be free-form
text or a list of values.
Most of the values that can be entered in the Value field of the Rules: Edit page are self-evident, but some
of the objects in the Variables field have special meanings or restrictions on how to enter the related
attribute in the Value field.
Table 5-11 describes the objects that appear in the Variable field of the Rules: Edit page that might need
further explanation.
Variable Explanation
Description Interface or port description.
DuplexMode Duplex mode (FULLDUPLEX, HALFDUPLEX, or UNSPECIFIED).
InterfaceCode Interface types, protocols, or encapsulations.
MaxSpeed Maximum speed, in bits per second.
MaxTransferSpeed Speed of the largest datagram that can be sent or received, specified in
octets.
For interfaces that use transmitting network datagrams, this is the speed of
the largest network datagram that can be sent.
Mib2ifType Type of interface, distinguished according to the physical or link protocols
immediately below the network layer in the protocol stack, represented as
a digit.
Mode Intended purpose (for example, for interfaces, backup, dial-on-demand, and
so forth).
Name Name of object.
SystemModel Name of the system.
SystemName Name of system containing this element.
SystemObjectID System Object Identifier associated with vendor of system.
SystemVendor Name of system supplier.
Type Type of element (for example, interface), distinguished according to the
physical or link protocols immediately below the network layer in the
protocol stack.
Note After you have defined the rule, you should verify the syntax. You can do this on the Rules: Edit page.
Table 5-12 describes the remaining fields on the Rules: Edit page of the Group Creation Wizard.
Field/Button Description
Add Rule Expression Used to add the rule expression to the group rules.
Rule Text Displays the rule. For complex rules (which contain both OR and AND
conditions), you must manually add parentheses in this field. (In Editing a
Fault Group, see Step 10 and Step 6.)
Check Syntax Verifies that the rule syntax is correct.
View Parent Rules Used to view the parent group rules.
All parent group rules apply to the subgroups.
Examples of Rules
You want to create a group that contains all interfaces using full duplex mode in the Dallas location.
Form the following rule:
Interface.Duplex.Mode contains "FULLDUPLEX" AND Location contains "Dallas"
• Object Type—Interface
• Variable—Duplex.Mode
• Operator—Contains
• Value—“FULLDUPLEX”
• Logical Operator—And
• Variable—Location
• Operator—contains
• Value—“Dallas”
You want to create a group that contains all of the security and VPN devices in the San Jose location.
Form the following rule:
SecurityAndVPN.Location contains "San Jose"
• Object Type—SecurityAndVPN
• Variable—Location
• Operator—Contains
• Value—“San Jose”
To understand the group rules, see the rules used for system defined groups. These rules appear in the
Properties: Details page. For a description of the Properties: Details page, see Viewing Fault Group
Details.
Heading/Button Description
Group Name Name of the group you are creating.
Parent Group Parent group of the group you are creating.
Description Text description of the group.
Membership Update Automatic (updated whenever the group is accessed) or upon user request
(updated only when you click the Refresh button).
Rules Rules used to filter group membership.
Visibility Scope Setting that determines whether all Cisco Prime users or only the user who created
the group can view the group.
Polling Overriding Group preview Click to display the Preview page. This page displays the priorities of the
Polling Overriding Groups.
Threshold Overriding Group preview Click to display the Preview page. This page displays the priorities of the
Threshold Overriding Groups.
Step 1 Either:
• Select Admin > System > Group Management > Fault.
The Fault Group Administration and Configuration page appears.
Or
• Select Inventory > Group Management > Fault.
The Fault Group Administration and Configuration page appears.
Step 2 In the Group Selector, select the group for which you want to view details.
Step 3 Click Details.
The Properties: Details page appears.
Heading/Button Description
Group Name Name of the group you are viewing.
Parent Group Parent group of the group you are viewing.
Type Type of the objects that belong to the group.
Description Text description of the group.
Membership Update Automatic (updated whenever the group is accessed) or upon user request
(updated only when you click the Refresh button).
Created By Person who created the group.
Last Modified By Last person to modify the group.
Rules Rules used to filter group membership.
View Parent Rules Used to view the parent group rules. All parent group rules apply to the
subgroups.
Membership Details Used to view the list of devices that belong to the group. Does not apply to
port and interface groups.
Cancel Closes the page and takes you back to the Group Administration and
Configuration page.
Procedure
Step 1 Either:
• Select Admin > System > Group Management > Fault.
The Fault Group Administration and Configuration page appears.
Or
• Select Inventory > Group Management > Fault.
The Fault Group Administration and Configuration page appears.
Step 2 In the Group Selector, select the group for which you want to view details.
Step 3 Click Details.
The Properties: Details page appears.
Step 4 Click Membership Details.
The Membership: Details page appears.
Heading/Button Description
Name Name of the device for which you want to view membership details.
Object Type Type of object for which you want to view details.
Property Details Takes you back to the Properties: Details page.
Cancel Closes the page and takes you back to the Group Administration and
Configuration page.
Procedure
Step 1 Either:
• Select Admin > System > Group Management > Fault.
The Fault Group Administration and Configuration page appears.
Or
• Select Inventory > Group Management > Fault.
The Fault Group Administration and Configuration page appears.
Step 2 In the Group Selector, select the group you want to refresh.
Step 3 Click Refresh.
Step 4 In the confirmation dialog box, click Yes.
Step 5 In the next dialog box, click OK.
Procedure
Step 1 Either:
• Select Admin > System > Group Management > Fault.
The Fault Group Administration and Configuration page appears.
Or
• Select Inventory > Group Management > Fault.
The Fault Group Administration and Configuration page appears.
Step 2 In the Group Selector, select the group you want to delete.
Step 3 Click Delete.
Step 4 In the confirmation dialog box, click Yes.
Step 5 In the next dialog box, click OK.
Edit, Refresh, and Delete cause internal processes to start. For this reason, LMS could experience a
period of high CPU utilization after these processes are triggered.
Field/Button Description
OR, AND, EXCLUDE, INCLUDE Logical operators.
• OR—Include objects that fulfill the requirements of either rule.
• AND—Include only objects that fulfill the requirements of both rules.
• EXCLUDE—Do not include these objects.
• INCLUDE—Include these objects.
The Rule Text field appears only after a rule expression is added.
Object Type Type of object (collector) that is used to form a group.
Variable Collector components, based on which you can define the group.
For more information, see Collector Components.
Operator Operator to be used in the rule. The list of possible operators changes based on the Variable
selected.
When using the equals operator the rule is case-sensitive.
Value Value of the rule expression. The possible values depend upon the variable and operator
selected. Depending on the operator selected, the value may be free-form text or a list of
values.
Wildcard characters are not supported.
The following are the values for the corresponding operations:
• 1 = echo
• 2 = pathEcho
• 5 = udpEcho
• 6 = tcpConnect
• 7 = http
• 8 = dns
• 9 = jitter
• 10 = dlsw
• 11 = dhcp
• 12 = ftp
• 14 = RTP
• 16 = icmpjitter
• 18 = VoipCallSetupPostDialDelay
• 19 = VoipGKRegDelay
• 1019 = Ethernetping
• 1020 = Ethernetjitter
• 1119 = EthernetPingAutoIPSLA
• 1120 = EthernetJitterAutoIPSLA
Add Rule Expression Used to add the rule expression to the group rules.
Rule Text Displays the rule.
Check Syntax Verifies if the rule syntax is correct.
Use this button if you have entered the rules manually.
View Parent Rules Used to view the parent group rules.
All parent group rules apply to the subgroups.
Collector Components
Table 5-17 lists the available group attributes that you can use for defining the User-Defined groups.
Step 1 Select Admin > System > Server Monitoring > Processes.
The Process Management page appears with all Cisco Prime processes listed.
Step 2 Select IPM OGSServer in the Process Management dialog box.
Step 3 Click Start.
Step 1 Select Admin > System > Server Monitoring > Processes.
Step 2 Select CMFOGSServer in the Process Management dialog box.
Step 3 Click Start.
Field/Buttons Description
Group Selector Hierarchical display of all available groups.
Group Info Displays the following collector group information:
• Group Name—The name of the group you selected.
• Type—The type of objects in the selected group.
• Description—A text description of the group.
• Created By—The person who created the group. You can also view the time at which the
group was created.
• Last Modified By—The last person to modify the group settings. You can also view the time
at which the group was modified.
Create Starts the Group Creation Wizard for creating a group, as described in the Creating and
Modifying User-Defined Collector Groups.
Edit Starts the Group Edit Wizard for editing an existing group, as described in the Creating and
Modifying User-Defined Collector Groups.
Details Opens the Properties: Details page, as described in the Viewing Collector Group Details and
Viewing Membership Details.
Refresh Refreshes a group membership, as described in the Refreshing User-Defined Collector Group
Membership.
Delete Deletes a group, as described in the Deleting User-Defined Collector Groups.
Step 1 Either:
• Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
• Select Inventory > Group Management > IPSLA Collector.
The IPSLA Collector Group page appears.
Step 2 Select the required group from the Group Selector pane.
For example:
• If you want to create or edit a group, select the User Defined Group folder from the Group Selector
pane.
• If you want to create or edit a subgroup, select the required collector group under the User Defined
Groups folder.
Step 3 You can either:
• Click Create to create a group or subgroup.
Or
• Click Edit to edit a group or subgroup.
The Properties page appears.
Step 4 Specify the collector group name and description in the Group Name and Description fields.
The Group Name must be unique within the parent group. However, you can specify the same name in
some other groups.
For example, if you already have a group named ‘MyGroup’ in a group named ‘Views’ under
User-Defined Groups, you cannot use the same name for another subgroup in the group ‘Views’.
However, you can use the name 'MyGroup' for the subgroup of another group in User-Defined Groups.
After entering the group name and description, you can either copy the attributes of an existing group to
the new group or proceed to Step 5.
To copy the attributes of an existing group to the new group, do the following:
a. Click Select Group.
The Replicate Attributes window appears.
b. Select the required collector group from the User Defined Groups folder.
c. Click OK.
All attributes except the group name are copied to the new group.
The parent group you have selected for the group does not change even if you are copying attributes
from a group that belongs to a different parent group.
Field Description
Group Name Name of the group you are creating.
Copy Attributes from Copy the attributes of an existing group to your new group using Select Group.
Group
Parent Group Parent group of the group you are creating. You can change the parent group using Change
Parent.
Note All rules assigned to a parent group also apply to any of its subgroups.
In the Rules page, you can either enter the rules directly in the Rule Text field or select the components
of the rule from the Rule Expression fields and define a rule.
Table 5-20 lists the various Fields and Buttons available in the Rules page.
Field/Buttons Description
OR, AND, EXCLUDE Logical operators.
• OR—Include objects that fulfill the requirements of either rule.
• AND—Include only objects that fulfill the requirements of both rules.
• EXCLUDE—Do not include these objects.
The Rule Text field appears only after a rule expression is added.
Object Type Type of object (Collector) that is used to form a group. All IPSLA Collector group rule
expressions begin with the same Object Type, IPM:Collector Management: Collector.
Variable Collector attributes, based on which you can define the group.
For more information, see Collector Components.
Operator Operator to be used in the rule. The list of possible operators changes based on the Variable
selected.
When using the Equals operator, the rule is case sensitive.
Value Value of the rule expression. The possible values depend upon the variable and operator selected.
Depending on the operator selected, the value may be free-form text or a list of values.
Wildcard characters are not supported.
Add Rule Expression Used to add the rule expression to the group rules.
Rule Text Displays the rule.
Check Syntax Verifies that the rule syntax is correct.
Use this button if you have entered the rules manually.
View Parent Rules Used to view the parent group rules.
All parent group rules apply to the subgroups.
For group rule restrictions and examples, see Understanding Collector Group Rules.
Step 1 Either:
• Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
• Select Inventory > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Step 2 Select the Object Type from the drop-down list.
Step 3 Select the required variables from the Variable drop-down list. You can select one or a combination of
variables.
The variables available are Operation Name, Operation Type, Source Address, VRF name, and Target
Address.
For more information, see Table 5-20.
Step 4 Select the Boolean operator from the Operator drop-down list.
The Boolean operators change based on the variable you have selected.
For more information, see Table 5-20.
Step 5 Specify the Value for the variable you have selected.
Step 6 Click Add Rule Expression.
The IPSLA Collector Group Administration creates the rule based on the parameters you specified and
adds it to the rules already present in the Rules Text field. You can use the same procedure to add more
rules.
If you want to delete a rule expression, you have to select the complete expression including the logical
operator and press the Delete key on your keyboard.
Step 7 Click Check Syntax to validate the rules expression syntax.
If the syntax is correct, the confirmation message The rule syntax is valid appears. If the syntax is
incorrect, an error message appears listing the syntax errors along with their line and column numbers.
Step 8 Click View Parent Rules to view the parent and group rules.
Step 9 Click Next.
The Membership page appears.
Step 1 Select the required collectors from the Objects From Parent Group pane.
Step 2 Click Add.
The selected collectors are added to the Objects Matching Membership pane.
Step 3 Click Next.
The Summary page appears with the User-Defined Group properties.
Step 1 Select the required collectors from Objects Matching Membership pane.
Step 2 Click Remove.
The selected collectors are removed from the Objects Matching Membership pane and added to the
Objects From Parent Group pane.
Step 3 Click Next.
The Summary page appears with the summary of the user-defined collector group.
Field Description
Group Name Name of the group you are creating.
Description Text description of the group.
Parent Group Parent group of the group you are creating. You can change the parent group using Change
Parent.
You can select only IPSLA Collector User-Defined groups.
You cannot edit this field in the Edit flow.
Membership Update Updates group membership.
Membership updates can be automatic (updated every time the group is accessed) or upon user
request only (updated only when you click Refresh).
Rules Rules used to filter group membership.
Visibility Scope Describes if the group is public (all users) or private (only for the group owner).
Step 1 Click Finish to complete the procedure for creating collector groups.
A confirmation message appears.
Step 2 Click OK.
You can view the newly created user-defined collector group in the Group Selector pane.
Or
Click Back to modify the group properties.
Step 1 Select the group for which you want to view details from the Group Selector pane.
Step 2 Click Delete.
A confirmation message appears.
Step 1 Either:
• Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
• Select Inventory > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Step 2 Select the group for which you want to view details from the Group Selector pane.
Step 3 Click Details.
The Property Details page appears. For more information, see Table 5-22.
Field/Button Description
Group Name Name of the group you are viewing.
Parent Group Parent group of the group you are viewing.
Type Type of the objects that belong to the group.
Description Text description of the group.
Membership Update How group membership is updated.
Created By Person who created the group. This also displays the time at which it was created.
Last Modified By Last person to modify the group. This also displays the time at which it was modified.
Rules Rules used to filter group membership.
Visibility Scope Indicates whether the group is Public (visible to all users) or Private (visible only for the group
owner).
View Parent Rules Allows you to view the parent group rules.
All parent group rules apply to the subgroups.
Membership Details Allows you to view the membership details.
Cancel Takes you back to the Group Administration page.
Step 1 Either:
• Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
• Select Inventory > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Step 2 Select the group for which you want to view details from the Group Selector pane.
Step 3 Click Details.
The Property Details page appears.
Field/Button Description
Name Name of the device.
Object Type Type of object.
Property Details Takes you back to the Property Details page.
Cancel Takes you back to the Group Administration page.
Step 1 Either:
• Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
• Select Inventory > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Step 2 Select the group for which you want to view details from the Group Selector pane.
Step 3 Click Refresh to refresh the membership of the selected group.
The Refresh Group Confirmation dialog box appears.
Step 4 Click OK.
A message appears that the selected group membership has been refreshed.
Or
Click Cancel to return to the Group Administration page.
Step 1 Either:
• Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
• Select Inventory > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Step 2 Select the default operation name from the Group Selector pane for which you want to view the collector
group details.
Step 3 Click Details.
The system-defined collector group details appear.
Step 4 Click Membership Details to know the membership details of this system-defined collector group.
The Membership Details page appears.
Step 1 Select the group for which you want to view details from the Group Selector pane.
Step 2 Click Refresh to refresh the membership of the selected group.
The Refresh Group Confirmation dialog box appears.
Step 3 Click OK.
A message appears that the selected group membership has been refreshed.
Or
Click Cancel to return to the Group Administration page.
Data Collection runs automatically when you add or delete devices in the Unified Device Manager
(UDM).
This section explains:
• Modifying Data Collection SNMP Timeouts and Retries.
• Scheduling Data Collection.
• Data Collection Critical Device Poller.
• Compliance and Audit Settings
Step 1 Select Admin > Network > Timeout and Retry Settings > Data Collection SNMP Timeouts and
Retries.
The SNMP Timeouts and Retries dialog box appears.
Step 2 Modify the SNMP settings as given in Table 6-1.
Field Description
Target Denotes the Target device.
You should enter IPv4 or IPv6 address of the target device in this field.
You can also use wildcard characters or range of numbers to specify the
target device.
For example, you can enter 10.[77-78].*.* or ABCD:EF12:*:*:*:*:[3A-BB]
as the target device.
Timeouts Time period after which the query times out.
This also indicates the time interval between the request and the first initial
response from the device.
The SNMP response may be slow for remote devices. If your network has
remote devices connected over a slow link, configure a higher value for
time-out.
If timeout is increased, discovery time could also increase. Enter the value in
seconds.
For every retry, the timeout value is doubled.
For example, if the timeout is 10 seconds and retries is 4:
LMS waits for 10 seconds for response for the first try, 20 seconds for the
second retry, 40 seconds for the third retry and 80 seconds for the fourth
retry.
150 seconds (10+20+40+80) is the total time lapse after which LMS stops
querying the device.
Retries Number of attempts made to query the device. The allowed range is 0-8.
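The Target pattern syntax and the timeout doubling from Table 6-1 can be checked offline before settings are applied. The following Python sketch is an added example, not Cisco or LMS code: the function names, the first-matching-row rule, and the requirement that an IPv6 pattern spell out all eight groups are assumptions of the example.

```python
import ipaddress


def _field_matches(field, value, base):
    """Match one address field against a literal, '*' or '[lo-hi]' pattern field."""
    if field == "*":
        return True
    if field.startswith("[") and field.endswith("]"):
        lo, dash, hi = field[1:-1].partition("-")
        if not dash:
            raise ValueError(f"malformed range field: {field!r}")
        return int(lo, base) <= value <= int(hi, base)
    return int(field, base) == value


def target_matches(pattern, address):
    """Return True if address falls inside a Target pattern.

    Assumption: IPv4 fields are decimal, IPv6 fields are hexadecimal, and an
    IPv6 pattern spells out all eight groups (no '::' shorthand).
    """
    ip = ipaddress.ip_address(address)
    sep, base, count = (".", 10, 4) if ip.version == 4 else (":", 16, 8)
    fields = pattern.split(sep)
    if len(fields) != count:
        return False  # pattern belongs to the other address family
    values = [int(part, base) for part in ip.exploded.split(sep)]
    return all(_field_matches(f, v, base) for f, v in zip(fields, values))


def retry_schedule(timeout, retries):
    """Per-try waits in seconds: the timeout doubles on every retry.

    Follows the worked example in the table (10 s, 4 retries gives
    10, 20, 40, 80). The page does not describe the behaviour at 0 retries;
    this function returns an empty schedule there.
    """
    if not 0 <= retries <= 8:
        raise ValueError("retries must be in the allowed range 0-8")
    return [timeout * 2 ** n for n in range(retries)]


def worst_case_wait(settings, address):
    """Seconds spent on an unresponsive device before querying stops.

    settings is a list of (target_pattern, timeout, retries) rows. Using the
    first matching row is an assumption of this example.
    """
    for pattern, timeout, retries in settings:
        if target_matches(pattern, address):
            return sum(retry_schedule(timeout, retries))
    return None  # no row covers this device


# Constructed sample rows; the IPv6 pattern is written with eight groups.
SAMPLE_SETTINGS = [
    ("10.[77-78].*.*", 10, 4),
    ("ABCD:EF12:*:*:*:*:*:[3A-BB]", 6, 3),
]

if __name__ == "__main__":
    for device in ("10.77.5.9", "10.79.5.9", "abcd:ef12::3b"):
        print(device, worst_case_wait(SAMPLE_SETTINGS, device))
```

Multiplying the worst-case wait by the number of unreachable devices a pattern covers gives a rough upper bound on the time a collection cycle can lose to timeouts.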
Step 1 Select Admin > Collection Settings > Data Collection > Data Collection Schedule.
The Data Collection Schedule dialog box appears.
Step 2 Modify the data collection settings as described in Table 6-2.
Best Practices
Be cautious while scheduling Data Collection:
• Data Collection consumes significant resources on the network management system.
• Use the Polling option to see the device and link status without running data collection. For more
details on polling, see Data Collection Critical Device Poller.
To add a device to the Critical Devices list from N-Hop View Portlet:
Caution If the critical set of devices is more than 30, the amount of traffic generated as part of the polling cycle
will use a large amount of bandwidth.
Step 1 Select Admin > Collection Settings > Data Collection > Data Collection Critical Devices Poller.
The Device Poller screen appears.
Step 2 Configure the device poller options as specified in Table 6-3.
The Compliance Data Collection job runs daily by default. The user can schedule a Compliance Data
Collection Job.
To schedule a Compliance Data Collection System Job, do the following:
Step 1 Select Admin > Compliance and Audit Settings > Compliance Data Collection > Compliance Data
Collection System Job Schedule.
The Compliance Data Collection System Job Schedule page appears.
Step 2 Enter the information required to schedule a Compliance Data Collection System Job.
Field Description
Job Type Command Output Collection Job.
Scheduling
Run Type Specifies the type of schedule for the job:
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the day of the week and at the specified time.
• Monthly—Runs monthly on the day of the month and at the specified time.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the
job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of
this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job
has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November
2, then the next job will start only at 10:00 a.m. on November 3.
Date 1. Enter the start date in the dd mmm yyyy format, for example, 06 Oct 2011, or click on the
calendar icon and select the date.
2. Enter the start time by selecting the hours and minutes from the drop-down list.
Job Info
Job Description The default job description is, System-defined job for Compliance data Collection.
E-mail Enter e-mail addresses to which the job sends messages when the job has run.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog
box (Admin > System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the sender’s address,
Column Description
Job ID Unique number assigned to this task at scheduling time. This
number is never reused. There are two formats:
• Job ID:
Identifies the task. This does not maintain a history. For
example: 1002
• JobID.Instance ID:
Here, in addition to the task, the instance of the task can also be
identified. For example: 1002.1, 1002.2
Status Provides the status of the current jobs. The status of the current jobs
is displayed as succeeded or failed. It also displays the failure
reasons.
Description Description of the job.
Owner Username of the job creator.
Job Type Type of job, for example, system compliance.
Scheduled At Date and time at which the job was scheduled.
Completed At Date and time at which the job was completed.
Schedule Type Frequency of the job. This can be:
• Daily
• Weekly
• Monthly
Work Order Displays information about the Job Description, Owner, Schedule
Type, Schedule Time, E-mail Notification, E-mail IDs and Devices
List.
Device Details Displays the Device IP, Job Status and Message Summary.
Job Summary Displays the Job Status, Job Message, Start Time, End Time and
Device Updates.
Import Contracts
Import Contracts enables you to import customer contracts into the Compliance and Audit Manager
Database.
The contract summary report can be generated only after importing contracts into the Compliance and
Audit Manager Database.
The following steps should be performed for importing contracts into the Compliance and Audit
Manager Database:
Step 1 Go to
http://apps.cisco.com/CustAdv/ServiceSales/contract/viewContractMgr.do?method=viewContractMgr.
Note Open the link in Internet Explorer and use your Cisco.com credentials.
Step 2 A contract Manager screen listing the contracts associated with your Cisco.com ID appears.
Note If you do not see the contracts then there are no contracts associated with your Cisco.com ID.
Open a case with Cisco to get access to your contracts.
Step 3 Select Download Contract or Selected Data option from the Action drop-down menu.
Step 4 Select the contracts from the Contract Table.
Step 5 Click Go.
A Download Contract or Selected Data window appears.
Step 6 In the Download Contract or Selected Data window, perform the following:
a. Select Products + Configurations.
b. Click the Save Now radio button to save a Zip file containing a CSV file in your local system.
c. Click the Send by Email to radio button to receive a Zip file containing a CSV file by e-mail.
Step 7 Go to the Import Contracts page and click Browse to select the downloaded contract file from your local
system.
Step 8 Click Import Contracts File to import the contracts file into the Compliance Engine.
Step 1 Go to Admin > Compliance and Audit Settings > Import Policy Updates.
Step 2 In Cisco.com, navigate to Home > Products > Cloud and Systems Management > Routing and
Switching Management > Cisco Prime LAN Management Solution > Cisco Prime LAN
Management Solution 4.2 > Compliance Policy Updates.
Step 3 You will be prompted to enter your Cisco.com credentials.
Step 4 Log in using your Cisco.com credentials to open the LMS Compliance Policy Updates page in the
browser.
Step 5 Download the CompliancePolicyUpdates.vX-y.jar patch file, where X is the major version and y is the
minor version.
Step 6 Save the CompliancePolicyUpdates.vX-y.jar patch file in your local system.
Step 7 Go to the Import Policy Updates page and click Browse to select the downloaded
CompliancePolicyUpdates.vX-y.jar file from your local system.
Step 8 Click Import Policy Updates to import the CompliancePolicyUpdates.vX-y.jar patch file into the
Compliance Engine.
A message appears indicating the successful importing of policy into the Compliance Engine.
Note Ensure that the CAAM Server process is restarted for the changes to take effect.
Note The policy updates patch file can be automatically downloaded and posted into the CAAM server by
scheduling a system defined job under Admin > Network > Compliance Policy/PSIRT/EOS/EOL
Settings.
User Tracking application of LMS allows you to track end stations. This chapter contains the following
sections:
• Understanding User Tracking
• Using User Tracking Administration
• Understanding Dynamic Updates
• Using User Tracking Utility
These reports give a clear picture of the switch port utilization in the network and help you in doing
capacity planning for the network. To generate Switch Port reports, select Reports > Switch Port from
the megamenu.
This topic covers:
• Using User Tracking
• Accessing UT Data
• Various Acquisitions in User Tracking
Accessing UT Data
The following are the ways to access User Tracking data:
Quick Reports
You can generate End hosts or IP Phones reports based on the given filter criteria.
For example, you can generate reports on end hosts that belong to a specific VLAN.
To generate these reports, select Reports > Inventory > User Tracking > Quick Report.
Scheduled Reports
You can schedule reports that run at the specified date and time. You can generate immediate reports or
schedule them to run once or at repetitive intervals.
Custom Reports
You can customize the layout and columns displayed in the reports to suit your needs. To generate these
reports, select Reports > Report Designer > User Tracking > Custom Reports.
Minor acquisition updates the LMS database with just the changes that have happened in the network. It
is triggered at regular intervals. The default for these intervals is 60 minutes. You can configure the
interval at which the acquisition takes place.
For details on modifying the acquisition interval, see Modifying UT Acquisition Schedule.
Step 1 Either:
• Select Admin > Collection Settings > User Tracking > Acquisitions Info.
Or
• Select Inventory > User Tracking Settings > Acquisition Summary.
The acquisition information appears with the following information:
Field Description
Acquisition status Status of the User Tracking Major Acquisition process. It can be
either Idle or Running.
Last acquisition type Type of User Tracking acquisition that you had performed last time.
Types of acquisition are:
• Major—User Tracking Major Acquisition
• Devices—User Tracking Acquisition for a device
• Subnets—User Tracking Acquisition for subnets
• IP Phones—User Tracking Acquisition for IP phones
Acquisition start time Date and time at which User Tracking started the Acquisition
process. This is displayed in the format dd mon yyyy hh:mm:ss.
Acquisition end time Date and time at which User Tracking stopped the Acquisition
process. This is displayed in the format dd mon yyyy, hh:mm:ss
time zone.
Number of acquisitions Number of major and minor acquisitions performed.
Number of host entries Number of hosts found after User Tracking acquisition.
Number of duplicate MAC Number of MAC addresses that have duplicate entries in the list of
hosts found.
Number of duplicate IP Number of IP addresses that have duplicate entries in the list of end
hosts found.
Number of CCM hosts Number of Cisco CallManagers in the list of devices found after
Data Collection.
Number of IP phone entries Number of IP phones available in the LMS managed network.
Last Campus data collection Date and time of the previous LMS Data Collection process. This
completed at is displayed in the following format: dd mon yyyy hh:mm:ss time
zone.
Data collection status Status of the LMS Data Collection process. It can be either Idle or
Running.
Step 1 Either:
• Select Admin > Collection Settings > User Tracking > Acquisition Action.
Or
• Select Inventory > User Tracking Settings > Acquisition Actions.
The Acquisition Actions dialog box appears.
Step 2 Configure Acquisition Actions as specified in Table 7-1.
You do not have to specify any details for the IP Phones option.
Step 3 Click Start Acquisition.
Step 1 Select Admin > Collection Settings > User Tracking > Acquisition Settings.
The Acquisition Settings dialog box appears.
Step 2 Modify the acquisition settings as specified in Table 7-2.
Note The explanation given for scenarios 1 and 2 holds good, irrespective of the value set for Enable User
Tracking for DHCP Environment property.
Property Description
UT.DuplicateMac.Include_SwitchPorts List of switchports connected to endhosts, for which
duplicate MAC entries need to be included in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.
UT.DuplicateMac.Exclude_SwitchPorts List of switchports connected to endhosts, for which
duplicate MAC entries need to be excluded in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.
UT.DuplicateMac.Include_Switches List of switches connected to end hosts, for which
duplicate MAC entries need to be included in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.
UT.DuplicateMac.Exclude_Switches List of switches connected to end hosts, for which
duplicate MAC entries need to be excluded in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.
UT.DuplicateMac.Include_Vlans List of VLANs associated with endhosts, for which
duplicate MAC entries need to be included in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.
UT.DuplicateMac.Exclude_Vlans List of VLANs associated with endhosts, for which
duplicate MAC entries need to be excluded in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.
UT.DuplicateMac.Include_Subnets List of subnets associated with endhosts, for which
duplicate MAC entries need to be included in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.
UT.DuplicateMac.Exclude_Subnets List of subnets associated with endhosts, for which
duplicate MAC entries need to be excluded in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.
The SwitchPorts list has the highest priority, followed by Switches, VLANs and Subnets list.
For example, if you set
UT.DuplicateMac.Include_SwitchPorts=10.77.211.33:3/2
UT.DuplicateMac.Exclude_Switches=10.77.211.33
Although the switch 10.77.211.33 is in the Exclude list, a switchport belonging to that switch is also
present in the Include list. So Duplicate MAC addresses will be allowed for that port on the switch.
Thus the SwitchPorts list has higher priority over the Switches list.
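The priority order above can be applied mechanically when reviewing a set of UT.DuplicateMac properties. The following Python sketch is an added example, not LMS code: the comma-separated list format, exact string matching, the VLAN and subnet sample values, and the "conflict" result when both lists of one level name the same item are assumptions of the example.

```python
PREFIX = "UT.DuplicateMac."
# Highest priority first, as stated above.
LEVELS = ("SwitchPorts", "Switches", "Vlans", "Subnets")


def parse_properties(text):
    """Collect UT.DuplicateMac.* lists from key=value text.

    Assumption: list items are comma-separated; the page shows one item each.
    """
    props = {}
    for line in text.splitlines():
        key, eq, value = line.strip().partition("=")
        key = key.strip()
        if eq and key.startswith(PREFIX):
            items = {item.strip() for item in value.split(",") if item.strip()}
            props.setdefault(key[len(PREFIX):], set()).update(items)
    return props


def duplicate_mac_decision(props, switch, port, vlan=None, subnet=None):
    """Return (decision, deciding_property) for one end-host location.

    decision is "include", "exclude", "conflict" or None. None means no list
    names this location; the page does not state the default in that case.
    """
    candidates = {
        "SwitchPorts": f"{switch}:{port}",  # format from the page: switch:port
        "Switches": switch,
        "Vlans": vlan,
        "Subnets": subnet,
    }
    for level in LEVELS:
        value = candidates[level]
        included = value in props.get(f"Include_{level}", ())
        excluded = value in props.get(f"Exclude_{level}", ())
        if included and excluded:
            # Same item in both lists of one level: flag it for review.
            return "conflict", level
        if included:
            return "include", f"{PREFIX}Include_{level}"
        if excluded:
            return "exclude", f"{PREFIX}Exclude_{level}"
    return None, None


# First two lines are the page's example; the last two are constructed.
SAMPLE_PROPERTIES = """
UT.DuplicateMac.Include_SwitchPorts=10.77.211.33:3/2
UT.DuplicateMac.Exclude_Switches=10.77.211.33
UT.DuplicateMac.Include_Vlans=voice
UT.DuplicateMac.Exclude_Subnets=10.77.212.0
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(duplicate_mac_decision(props, "10.77.211.33", "3/2"))
    print(duplicate_mac_decision(props, "10.77.211.33", "3/3"))
```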
Step 1 Select Admin > Collection Settings > User Tracking > Acquisition Settings.
The User Tracking Acquisition settings window appears.
Step 2 Click Define Rogue MACs.
The Rogue MAC Configuration window appears. The lists displayed in the window are:
– Rogue MAC/OUI List
– Acceptable MAC/OUI List
Step 3 Click Add MAC/OUI to add new entries to the list.
The Add MAC/OUI window appears.
The Organizationally Unique Identifier (OUI) is a 24-bit number. It is used as an identifier to uniquely
identify the vendor, manufacturer, or a worldwide organization.
An OUI reserves a block of each type of derivative identifier, such as MAC addresses, group addresses,
and Subnetwork Access Protocol identifiers. It is used to identify a network interface controller (NIC),
network protocol, or MAC addresses for Ethernet.
In case of MAC addresses, OUI is combined with a 24-bit number to form the address. The first three
octets of the address are the OUI.
Property Description
Select Mode Provides the following options to add MAC addresses to
MAC/OUI List:
• Manual — Enables you to add MAC/OUI to either the
Acceptable MAC/OUI List or to the Rogue MAC/OUI
list. The Manual Add option is selected by default.
• Import from file — Enables you to import MAC
Addresses from a file to the Acceptable MAC/OUI List
• Import from UT — Enables you to import MAC
Addresses directly from UT to Acceptable MAC/OUI
List
Add MAC/OUI Enter the MAC Address or OUI in the text box provided.
The values should be separated by spaces, tabs, or commas.
You can also enter values on separate lines.
The address can have only hexadecimal numbers separated
by hyphens.
Example:
00-c0-1d-99-06-b6
OUI List Displays predefined values in LMS. You can select values
from the list, to add to the Rogue OUI or Acceptable OUI
list.
To add more values to the list, add them to the Property file:
NMSROOT/campus/etc/cwsi/OUI.properties
where NMSROOT is the directory where you installed
Cisco Prime.
To get the latest OUIs listed by IEEE, see
http://standards.ieee.org/regauth/oui/index.shtml
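Before pasting or importing entries into the Rogue and Acceptable lists, the entry format described above (hyphen-separated hexadecimal octets, separated by spaces, tabs, commas, or new lines) can be validated and the two lists compared. The following Python sketch is an added example, not LMS code; the function names and the overlap report are assumptions of the example, and it makes no claim about how LMS resolves an address that appears in both lists.

```python
import re

_SEPARATORS = re.compile(r"[\s,]+")          # spaces, tabs, commas, new lines
_HYPHEN_HEX = re.compile(r"[0-9a-f]{2}(?:-[0-9a-f]{2})*")


def parse_entries(text):
    """Split pasted text into valid ("mac"|"oui", value) entries and rejects.

    A full MAC address has six octets; an OUI is the first three (24 bits).
    Values are normalised to lower case.
    """
    valid, rejected = [], []
    for token in filter(None, _SEPARATORS.split(text)):
        norm = token.lower()
        octets = norm.count("-") + 1 if _HYPHEN_HEX.fullmatch(norm) else 0
        if octets == 6:
            valid.append(("mac", norm))
        elif octets == 3:
            valid.append(("oui", norm))
        else:
            rejected.append(token)  # wrong separator, length or characters
    return valid, rejected


def oui_of(mac):
    """First three octets of a normalised hyphenated MAC address."""
    return mac[:8]


def covers(a, b):
    """True if entry a names every address that entry b names."""
    if a == b:
        return True
    (kind_a, value_a), (kind_b, value_b) = a, b
    return kind_a == "oui" and kind_b == "mac" and oui_of(value_b) == value_a


def list_overlaps(rogue_text, acceptable_text):
    """Pairs (rogue_entry, acceptable_entry) that name the same addresses.

    Each pair is a contradiction between the two lists worth reviewing.
    """
    rogue, _ = parse_entries(rogue_text)
    acceptable, _ = parse_entries(acceptable_text)
    return sorted(
        (r[1], a[1])
        for r in rogue
        for a in acceptable
        if covers(r, a) or covers(a, r)
    )


# Constructed sample input; 00-c0-1d-99-06-b6 is the page's format example.
SAMPLE_ROGUE = "00-c0-1d\n0A-0B-0C-01-02-03"
SAMPLE_ACCEPTABLE = "00-c0-1d-99-06-b6, 00:11:22:33:44:55\t0a-0b-0c 00-c0"

if __name__ == "__main__":
    print(parse_entries(SAMPLE_ACCEPTABLE))
    print(list_overlaps(SAMPLE_ROGUE, SAMPLE_ACCEPTABLE))
```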
Step 1 Select Admin > Collection Settings > User Tracking > Acquisition Schedule.
The Acquisition Schedule dialog box appears.
Step 2 Start the user tracking major acquisition for all or failed devices as specified below:
• Select either All devices or Failed devices.
• Click Start to start the user tracking major acquisition immediately for the selected devices.
The UT Acquisition Confirmation pop up appears.
• Click OK to start user tracking acquisition. A success message appears. Click OK.
To cancel the user tracking acquisition process, click Cancel.
Step 3 Modify the acquisition schedule as specified in Table 7-7.
Step 1 Select Admin > Collection Settings > User Tracking > Ping Sweep.
The Ping Sweep dialog box appears.
Step 2 Choose any of the following:
• Disable Ping Sweep
• Perform Ping Sweep on all subnets
• Exclude subnets from Ping Sweep
When you choose Exclude subnets from Ping Sweep, select the subnets that you want to exclude
from Ping Sweep. You can select subnets from the list of available subnets and add to the list of
subnets to be excluded.
Step 3 Specify the Wait Interval, if Ping Sweep is enabled.
Wait Interval is the time duration between pinging subnets. The interval ensures that the network is not
flooded with ping packets.
For example, assume that you have included 4 subnets for pinging, and set the wait interval to 10
seconds.
If Subnets 1 and 2 are connected to Device 1, and Subnets 3 and 4 are connected to Device 2, then 10
seconds lapse between pinging Subnets 1 and 2. After pinging both the subnets, acquisition starts on
Device 1. Same happens with Device 2.
Step 4 Click Apply.
User Tracking does not perform Ping Sweep on large subnets.
For more details, see Notes on Ping Sweep Option.
User Tracking does not perform Ping Sweep on large subnets, for example, subnets containing Class A
and B addresses. Hence, ARP cache might not have some IP addresses and User Tracking may not
display the IP addresses.
Ping Sweep will not refresh the ARP cache, if firewall or Access Control List is enabled to block the
ICMP packets to the network devices. Hence, User Tracking will not display the IP addresses of the
associated hosts.
In larger subnets, the Ping process leads to numerous ping responses that might increase the traffic on
your network and result in extensive use of network resources.
You can increase the value of the wait interval. A longer wait interval lets the ping response traffic
settle; otherwise this traffic may appear as a Denial of Service (DoS) or may affect the functioning of the
router through high CPU usage.
To perform Ping Sweep on larger subnets, you can:
• Configure a higher value for the ARP cache time-out on the routers. To configure the value, you
must use the arp time-out interface configuration command on devices running Cisco IOS.
• Use any external software, that will enable you to ping the host IP addresses. This will ensure that
when you run User Tracking Acquisition the ARP cache of the router contains the IP addresses.
Step 1 Select Admin > Collection Settings > User Tracking > Subnet Acquisition Configuration.
The Configure Subnet Acquisition dialog box appears.
Step 2 Select either of the following options:
• Perform acquisition on all subnets
All the subnets are included for User Tracking Major Acquisition. If you select this option do not
perform steps 4 and 5.
Or
• Perform Subnet-based acquisition
The action depends on the Filter value.
Step 3 Select either of the following Filter values:
• Perform major acquisition on selected subnets
All subnets added to the Selected Subnets list are included for User Tracking acquisition.
Or
• Do not perform major acquisition on selected subnets
All subnets added to the Selected Subnets list are excluded for User Tracking acquisition.
Step 4 Select subnets from the list of Available Subnets and add them to the list of Selected Subnets.
In the User Tracking Acquisition Action page (Admin > Collection Settings > User Tracking >
Acquisition Action), the Acquire Only VLAN Specific to Subnet check box is available.
• If you select this check box, only the work stations associated to the VLANs that are mapped to the
selected subnets will be acquired.
• If you do not select this check box, work stations associated to all the available VLANs in the
selected subnets will be acquired.
For more information, see Configuring User Tracking Acquisition Actions.
Step 5 Click Apply.
Step 1 Select Admin > Network > Purge Settings > User Tracking Purge Policy.
The Delete Interval dialog box appears.
Step 2 Specify delete intervals for end host, IP phone and history tables.
Step 3 Either:
• Click Delete now to delete the entries immediately.
If you select this step do not perform Step 4.
Or
• Select Delete After Every Major Acquisition.
If you select this option, LMS will delete records older than the specified interval, after every UT
Major Acquisition.
Step 4 Click Apply.
Step 1 Select Admin > Collection Settings > User Tracking > Acquisition Configuration in Trunk.
The Configure Trunk for End Hosts Discovery page appears.
Step 2 You can:
– Select Enable End Host Discovery on all Trunks to include all non-link trunk ports in UT
Major Acquisition. After choosing this option, go to Step 8.
– Select Enable End Host Discovery on selected Trunks to include only the required set of
non-link trunk ports in UT Major Acquisition. After choosing this option, go to Step 3.
– Select Disable End Host Discovery on Trunks to disable this feature. For this option, only the
end hosts connected to access ports will be discovered by UT Major Acquisition. After choosing
this option, go to Step 8.
Step 3 Select the list of switches where end hosts are connected to trunk ports, from the device selector.
Step 4 Click Show Trunks.
This displays the list of non-link trunk ports from the selected switches. Non-link trunk ports in down
state are also listed here.
If you have selected devices that do not have non-link trunk ports, a message is displayed indicating the
same. Change your selection to devices that have non-link trunk ports and click Show Trunks, to display
the ports. Link ports are not listed here.
Step 5 Select the list of trunk ports where end hosts are connected from the Available Trunks list.
Step 6 Click Add.
The selected ports are displayed under the Selected Trunks list.
Step 1 Select Admin > Collection Settings > User Tracking > Table Import.
The End Host Table Import dialog box appears.
Step 2 Specify the name of the file from which you are importing the end host table data.
Step 3 Click Apply.
Note We recommend that you import a .CSV or .txt file. The imported file must have the following mandatory
headers: MAC Address, User Name and Notes.
For example:
MAC1 Peter Finance department
Similarly if an end host is disconnected from a switchport, an SNMP MAC notification trap is sent from
the switch to the LMS indicating a DELETE event. Thus LMS provides real time data about end hosts
coming into and moving out of the network.
Traps from suspended devices are not processed by LMS.
The difference between a UT Major Acquisition and a Dynamic UT process is:
LMS collects data from the network at regular intervals for UT Major Acquisition.
In Dynamic UT, the devices send traps to LMS as and when changes happen in the network.
This implies that you need not wait till the next UT Major Acquisition cycle to see the changes that have
happened in your network. This is an improvement over the earlier versions, where updates on endhost
information happened based on the polling cycle.
As a result of Dynamic updates, the following reports contain up-to-date information:
• End-Host Report
Contains information from UT Major Acquisition and the recently added end-hosts.
• History Report
Contains information from UT Major Acquisition and the recently disconnected end-hosts or
end-hosts that have moved between ports or VLANs.
• Switch Port reports
Contains information about the utilization of switch ports.
SNMP Traps are generated when a host is connected to the network, disconnected from the network or
when it moves between VLANs or ports in the network.
If you have neither installed UTLite nor enabled DHCP snooping, the IP address of the end-host
connected will be updated only in the next UT Major Acquisition cycle. The ARP cache of the device
should be populated with the IP address, for UT Major Acquisition to discover it.
The User Tracking Dynamic Updates process includes:
• MAC User-Host Information Collector (MACUHIC) Process
• User Tracking Manager (UTManager) Process
• UTLite
UTLite
UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active
Directory, and Novell servers.
To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell
servers. You can also install UTLite in an Active Directory server.
For complete information, see Understanding UTLite.
When an end-host is connected to your network, the following happens in the background.
1. The switch to which it is connected sends a MAC notification.
2. The MACUHIC process in LMS receives the MAC notification either directly from the switch or
through other applications like LMS Monitor and Troubleshoot module or HPOV.
3. After processing this MAC notification, MACUHIC informs the UTManager.
4. LMS updates the database with the username and IP Address received from UTLite. At this point the
database does not contain the complete information about the end host.
5. UTManager finds the following details:
– Subnet, VTP domain, VLAN, Port duplex, and port speed from XML files generated after Data
Collection.
– Hostname from DNS Server
LMS updates the database with the complete User Tracking information for the host.
The User Tracking end host history reports, end host reports, reports on switch ports, wireless clients,
duplicate MAC addresses, and duplicate IP addresses, use this updated information while generating
reports.
Step 1 Select Admin > Collection Settings > User Tracking > Dynamic Update Process Status.
The Dynamic Updates Process Status window appears.
If you have started the process already, the status window shows Dynamic Updates Processes are
RUNNING.
Note LMS supports only those switches that contain the Management Information Base (MIB) named MAC
Notification, for enabling the SNMP traps.
Note LMS configures SNMP MAC Notification version 1 as the default version on switches for Dynamic
Updates.
Step 1 Select Admin > Collection Settings > User Tracking > Device Trap Configuration.
The Configure Trap on Devices dialog box appears.
Step 2 Select the switches for which you want to enable the traps, from the Device Selector.
Step 3 Click Configure to see the devices that you have selected.
Step 4 Click Configure to configure MAC notification on the ports in the devices.
The Configure MAC-Notification Trap on Ports dialog box appears. Table 7-8 describes the entries in
the Configure MAC-Notification Trap on Ports dialog box.
| Field | Description |
| --- | --- |
| Add LMS Server as Trap Receiver | Check the check box to configure devices, to send SNMP traps to LMS. To configure LMS to listen to traps sent from devices, see Configuring SNMP Trap Listener. |
| Trap Community | Set a community string for the SNMP traps sent by devices. This property is enabled only when LMS is the Primary receiver for SNMP traps. This string is added to the list of valid strings in the Dynamic User Tracking Configuration screen. |
| Set as Dynamic User Tracking Default | Check the check box to make this community string as the default for future configurations, if LMS is the Primary Trap receiver. |
| Filter | Allows you to filter the ports listed, based on port name, device name and the device address (IP address of the device). |
| Trap Receiver Port | Port number that you entered for receiving traps. The default trap receiver port number of the LMS server is 1431. |
| Port | Name of the port. Access ports as well as Non-link Trunk ports are listed. |
| Device Name | Name corresponding to IP address of the switch. |
| Device Address | IP address of the switch. |
| Rows per page | Select to view 10 to 50 rows on a page. |
Step 5 Check the check boxes to select the ports on which you want to enable SNMP traps.
Step 6 Click Configure to enable the SNMP traps.
An Information window appears.
Step 7 Click OK.
Note Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps.
Step 1 Select Admin > Collection Settings > User Tracking > Trap Listener Configuration.
The Trap Listener Configuration dialog box appears.
Step 2 Check Listen traps from Device to configure the trap reception directly from the devices.
This makes LMS the primary listener for receiving SNMP traps from devices.
OR
Check Listen traps from Fault Monitor/HPOV to receive the traps through these applications.
In this case, LMS Fault Monitor or HPOV acts as the primary listener for SNMP traps from devices and
forwards them to LMS, which acts as the secondary listener for traps.
If both options are enabled, LMS can receive traps directly from devices, from HPOV and from LMS
Fault Monitor module.
Step 3 Enter the port number of the port through which you want to receive the traps, in the Trap Listener Port
field.
The default trap listener port number of the LMS server is 1431.
Step 4 Click Apply to save the details.
Note You must install the Integration Utility on the same machine on which you have installed HPOV.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding.
The Notification Services page appears.
Step 2 Enter the Hostname and the port number of the LMS server to which you want to forward the MAC
Notifications.
Step 3 Click Apply to configure.
The trapd.conf file is modified and the DFMServer process is restarted.
Note If you configure through Cisco Prime, LMS server receives all Traps including MAC Notification.
Step 2 Enter pdterm DfmServer at the command line to stop the LMS Fault Monitor server.
Step 3 Navigate to NMSROOT/object/smarts/conf/trapd directory.
Step 4 Edit the trapd.conf file in the directory to reflect the following changes.
Enter:
FORWARD: address OID generic type specific type \ host [:port] | [:port:community] [host [:port] |
[:port:community] ...], where the explanation for each variable is provided in the trapd.conf file.
Step 5 Enter pdexec DfmServer at the command line to restart the LMS Fault Monitor server.
Step 1 Select Admin > Collection Settings > User Tracking > Dynamic User Tracking Configuration.
The Dynamic User Tracking Configuration page appears.
Step 2 Select the Validate SNMP Community check box.
LMS validates the community string in SNMP traps, with the values you have set. You can add
community strings only after checking this check box.
• If you configure a device with SNMP v2 or v1 settings in DCR, then the device is initially queried
with SNMP v2 by LMS. If the query fails, LMS will query the device with SNMP v1.
• If you configure a device with SNMPv3 settings in DCR, then the device is queried with SNMP v3.
However, if the query fails, the same device will not be queried with SNMP v2 or v1.
Step 3 Enter the community string in the Valid Community List text box and click Add.
You can add the community strings one at a time. You can use the Delete button to remove the extra or
erroneous strings.
The default Trap community string that you might have added in the Device Trap configuration screen
is also listed here.
Step 4 Select the Validate Trap Source check box.
LMS validates the source IP Address of the trap. You can add the list of IP Addresses only after checking
this check box.
Step 5 Enter the IP Address in the text box provided and click Add.
You can use the Delete button to delete extra or erroneous entries.
Step 6 Click Apply to save changes to the server.
To revert to the default values, click Reset.
You can use any one of the options to filter SNMP traps.
For example:
To process traps from all sources that have private or test as the community string, set:
Validate SNMP Community = true (by checking the check box)
Community String = private, test
Validate Trap Source = false
Traps from all sources with the community string private or test are then processed by LMS.
To process traps only from the listed IP addresses, with the community string private or test, set:
Validate SNMP Community = true
Community String = private, test
Validate Trap Source = true
Valid IP Addresses = 10.77.210.211, 10.77.210.212
Traps from the listed IP addresses with the community string private or test are then processed by
LMS. In this case, LMS first validates the community string and, if it matches, validates the source
address.
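The filtering rules above can be modelled to see which traps each configuration admits. The following is an added example, not LMS code: the class and function names are hypothetical, the two configurations are the ones from the text, and the sample traps are constructed.

```python
"""Trap filter decision logic for Dynamic User Tracking (added example, not LMS code)."""
from dataclasses import dataclass
from ipaddress import ip_address
import hmac


@dataclass(frozen=True)
class Trap:
    source_ip: str   # sender address of the UDP datagram carrying the trap
    community: str   # community string from the SNMPv1/v2c message


@dataclass
class TrapFilter:
    validate_community: bool = False
    valid_communities: tuple = ()
    validate_source: bool = False
    valid_sources: tuple = ()

    def __post_init__(self):
        # Parse once so equivalent spellings of an address compare equal.
        self._sources = frozenset(ip_address(s) for s in self.valid_sources)

    def decide(self, trap):
        """Return (accepted, reason); community is checked before source."""
        if self.validate_community:
            candidate = trap.community.encode()
            # Compare against every entry so timing does not depend on position.
            hits = [hmac.compare_digest(candidate, c.encode())
                    for c in self.valid_communities]
            if not any(hits):
                return (False, "community")
        if self.validate_source:
            try:
                source = ip_address(trap.source_ip)
            except ValueError:
                return (False, "source")
            if source not in self._sources:
                return (False, "source")
        return (True, "accepted")


def triage(trap_filter, traps):
    """Reason string for every trap, in input order."""
    return [trap_filter.decide(t)[1] for t in traps]


# The two configurations described in the text.
COMMUNITY_ONLY = TrapFilter(
    validate_community=True,
    valid_communities=("private", "test"),
)
COMMUNITY_AND_SOURCE = TrapFilter(
    validate_community=True,
    valid_communities=("private", "test"),
    validate_source=True,
    valid_sources=("10.77.210.211", "10.77.210.212"),
)

# Constructed sample traps (not captured traffic).
SAMPLE_TRAPS = [
    Trap("10.77.210.211", "private"),
    Trap("10.77.210.212", "test"),
    Trap("10.77.210.250", "private"),   # right community, unlisted sender
    Trap("10.77.210.211", "public"),    # listed sender, wrong community
    Trap("192.0.2.10", "public"),       # neither matches
]

if __name__ == "__main__":
    for name, flt in (("community only", COMMUNITY_ONLY),
                      ("community + source", COMMUNITY_AND_SOURCE)):
        print(name, triage(flt, SAMPLE_TRAPS))
```

The third sample trap shows the difference between the two configurations: with community validation alone, any sender that presents a listed string is accepted, and SNMPv1/v2c carries that string in cleartext.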
Understanding UTU
User Tracking Utility (UTU) allows users with Help Desk access to search for users, hosts, or IP Phones
discovered by LMS User Tracking application. UTU comprises a server-side component and a client
utility.
UTU is supported on LMS 3.0 (Campus Manager 5.0.6), LMS 3.1 (Campus Manager 5.1.4), and
LMS 3.2 (Campus Manager 5.2.1). To use UTU in LMS 4.2, Network Topology, Layer 2 Services and
User Tracking must be enabled and accessible through the network.
UTU 2.0 supports silent installation mode for easy deployment. It supports communication with LMS
server in Secure Sockets Layer (SSL) mode.
The following is the list of features supported in the Cisco Prime User Tracking Utility 2.0 release:
| Requirement Type | Minimum Requirements |
| --- | --- |
| System hardware | IBM PC-compatible computer with Intel Pentium processor. |
| System software | Windows 2008; Windows XP with SP2 or SP3; Windows Vista |
| Memory (RAM) | 512 MB |
| Additional required software | LMS 3.0 (Campus Manager 5.0.6), or LMS 3.1 (Campus Manager 5.1.4), or LMS 3.2 (Campus Manager 5.2.1), or LMS 4.2 (Network Topology, Layer 2 Services and User Tracking); Microsoft .Net Runtime 3.5 Service Pack 1. You can download Microsoft .Net Runtime 3.5 Service Pack 1 from http://www.microsoft.com |
| Network Connectivity | LMS 3.0 (Campus Manager 5.0.6) or LMS 3.1 (Campus Manager 5.1.4) or LMS 3.2 (Campus Manager 5.2.1) or LMS 4.0 (Network Topology, Layer 2 Services and User Tracking) must be running, and accessible through the network |
Downloading UTU
UTU requires Cisco PrimeUserTrackingUtility2.0.exe file to be downloaded and installed.
To download UTU 2.0:
Step 5 Select a product release version from the Latest Releases folder and locate the software update to
download.
Step 6 Locate the file CiscoWorksUserTrackingUtility2.0.zip
This zip file contains CiscoWorksUserTrackingUtility2.0.exe and setup.iss file (required for silent
installation).
Step 7 Click the Download Now button to download and save the device package file to any local directory on
LMS Server.
Step 8 Extract the file using any file extractor such as WinZip.
Installing UTU
You can install UTU 2.0 either in normal installation mode or silent installation mode.
Before you install UTU 2.0, check whether your system meets the requirements mentioned in Hardware
and Software Requirements for UTU.
This section explains:
• Installing UTU in Silent Mode
• Installing UTU in Normal Mode
Setup.log File
The setup.log file is created during the installation in the same directory where you have extracted the
setup.iss file.
Check the setup.log file to verify the installation completion status.
The value of the ResultCode attribute in the setup.log informs you whether the installation has completed
successfully. The value 0 denotes that the UTU installation in silent mode is successful.
When the value of the ResultCode attribute is other than 0, you must install UTU again.
Step 1 Log into the system with local system administrator privileges.
Step 2 Navigate to the directory that contains CiscoWorksUserTrackingUtility2.0.exe.
Step 3 Double-click CiscoWorksUserTrackingUtility2.0.exe to begin installation.
The User Tracking Utility Welcome screen appears.
Step 4 Click Next.
A warning message appears if you have not installed .Net Framework 3.5 SP1.
You can install .Net Framework 3.5 SP1 after terminating the current UTU installation or before
completing the current UTU installation.
Step 5 Click Next.
A confirmation message appears.
Step 6 Click Yes.
The Choose Destination Location dialog box appears. By default, UTU is installed in the directory
C:\Program Files\CSCOutu2.0.
Note If you have installed .Net Framework 3.5 SP1 already on the system, the installer directs you to
the Choose Destination dialog box, when you click Next in the User Tracking Utility Welcome
screen.
If you click No in the confirmation message, the warning message appears again stating that you have
not installed .Net Framework 3.5 SP1.
You can download and install .Net Framework 3.5 SP1 and then continue with the UTU installation.
Step 7 Click Next to install UTU in the default directory.
or
a. Click Browse to choose a different directory and click OK.
b. Click Next to continue with the installation.
The installation continues.
Step 8 Click Finish to complete the installation. User Tracking Utility is installed at the destination location
you specified in Step 7 above and a shortcut to UTU is created on the desktop. To access the utility, see
Accessing UTU.
Accessing UTU
To access UTU, click either:
• Start > Programs > Cisco Prime UTU 2.0 > Cisco Prime User Tracking Utility 2.0
Or
• UTU 2.0 shortcut available on the desktop
The UTU band appears. See Figure 7-1 for UTU 2.0 band.
You can also find an icon in the task bar. You can use this icon to restore the UTU band when minimized.
After a system restart and during the startup, the system launches the UTU automatically.
Configuring UTU
You must configure UTU to set the Campus Manager (for releases earlier than LMS 4.0), or LMS 4.2
server configurations.
To configure UTU:
Step 5 Enter a valid Cisco Prime Server user name and password.
This is used to verify the validity of the user when searching for users, hosts, or IP Phones.
Step 6 Confirm the password by re-entering it.
Step 7 Select the Remember me on this computer checkbox if you want the client system to remember your
credentials.
The credentials are preserved only for the current user of Windows system. The credentials are not
available when you log into the Windows system with a different user name.
You can click Summary to go back to the Certificate Viewer dialog box.
Step 6 Click Yes in the Certificate Viewer dialog box or Certificate Details dialog box to accept and store the
certificate.
SSL connection is established with the server.
If you click No, the certificate is not stored and no connection is established with the server.
Note The Certificate Viewer dialog box appears only for the first time configuration. If you had clicked Yes
the first time, you are not prompted to store the certificate during subsequent sessions.
Step 7 Click the X Record(s) Found button to launch the results window.
X denotes the number of matches found.
For example, if there are 4 matches found, the UTU Search band displays 4 Record(s) Found. See
Figure 7-4.
Figure 7-4 UTU Search Band displaying the number of matching records
UTU search returns only the top 500 records if the number of matches exceeds 500. You must refine your
search if you want better and more accurate results.
Step 8 Select an entry in the Results window.
UTU displays the search results, which is a list of user names, host names, IP Addresses, or MAC
Addresses, in a Results window.
The Results window has the following options:
• Copy to Clipboard, where you can copy the selected search result record.
• Copy All to Clipboard, where you can copy all the search result records.
• Close, which you can use to close the window.
For a selected search result record, the Results window displays the details as described in:
• Table 7-10 for all search criteria except Phone Number
• Table 7-11 for search based on Phone Number
See Figure 7-5 for MAC Address search results window and Figure 7-6 for IP Phone search results
window.
Table 7-10 Details for Each Entry in Results Window For a User or Host Search
| Entry | Description |
| --- | --- |
| User Name | Name of the user logged in to the host. |
| MAC Address | Media Access Control (MAC) address of network interface card in end-user node. |
| Host IP Address | IP Address of the host. |
| Host Name | Name of the host discovered by User Tracking. |
| Subnet | Subnet to which the host belongs. |
| Subnet Mask | Subnet mask of the host. |
| Device name | Name of the switch. |
| Device IP Address | IP Address of the switch. |
| VLAN | VLAN to which the port of the switch belongs. |
| Port | Port number to which the host is connected. |
| Port Description | Description of the port number to which the host is connected. |
| Port State | State of the port: Static or Dynamic. |
| Port Speed | Bandwidth of the port of the switch. |
| Port Duplex | Port Duplex configuration details on the device. |
| Last Seen | Date and time when User Tracking last found an entry for this user or host in a switch. Last Seen is displayed in the format yyyy/mm/dd hh:mm:ss. |
Table 7-11 Details for Each Entry in Results Window For a Phone Number Search
| Entry | Description |
| --- | --- |
| Phone Number | IP Phone number. |
| MAC Address | Media Access Control (MAC) address of network interface card on the phone. |
| Phone IP Address | IP Address of the phone. |
| CCM Address | IP Address of the Cisco Call Manager. |
| Status | Status of the phone, as known to Cisco Call Manager. |
| Phone Type | Model of the phone. Can be SP30, SP30+, 12S, 12SP, 12SPplus, 30SPplus, 30VIP, SoftPhone, or unknown. |
| Phone Description | Description of the phone. |
| Device Name | Name corresponding to IP Address of device. |
| Device IP Address | IP Address of the device. |
| Port | Port number to which the phone is connected. |
| Port Description | Description of the port to which the phone is connected. |
| Last Seen | Date and time when User Tracking last found an entry. Last Seen is displayed in the format yyyy/mm/dd hh:mm:ss. |
Note The search results for the value you enter in the search field depend on the default search
criteria.
UTU searches for the users, hosts, or IP Phones that match the search criterion. See Searching for Users,
Hosts or IP Phones Using UTU for more information.
You can search for users, hosts, or IP Phones by entering a search pattern or substring of a search pattern.
For example, entering Cisco displays host names that start with, end with or contain Cisco for a search
on host names.
You do not have to use wildcard character * to match a pattern or substring of the pattern.
To search for a MAC Address, you can use one of the following MAC Address patterns or a substring of
these patterns:
• xxxx.xxxx.xxxx
• xx:xx:xx:xx:xx:xx
• xxxxxxxxxxxx
• xx-xx-xx-xx-xx-xx
Here x denotes a hexadecimal number.
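The four notations matter when the same address has to be matched across UTU results, switch output and other logs. The following added example (not UTU code) normalizes stored addresses and matches a full or partial query; how UTU matches internally is not described here, so the example assumes the query is compared as text against each address rendered in the query's own notation. All function names and the sample addresses are constructed.

```python
"""MAC search across the four notations listed above (added example, not UTU code)."""
import re

_FULL_PATTERNS = (
    re.compile(r"[0-9a-f]{4}(\.[0-9a-f]{4}){2}"),   # xxxx.xxxx.xxxx
    re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}"),    # xx:xx:xx:xx:xx:xx
    re.compile(r"[0-9a-f]{12}"),                    # xxxxxxxxxxxx
    re.compile(r"[0-9a-f]{2}(-[0-9a-f]{2}){5}"),    # xx-xx-xx-xx-xx-xx
)
# Hex digits per group for each separator; "" means no separator at all.
_GROUP_WIDTH = {".": 4, ":": 2, "-": 2, "": 12}


def canonical(mac):
    """Reduce a complete MAC address in any listed notation to 12 lowercase hex digits."""
    text = mac.strip().lower()
    if not any(p.fullmatch(text) for p in _FULL_PATTERNS):
        raise ValueError(f"not a MAC address in a supported notation: {mac!r}")
    return re.sub(r"[.:-]", "", text)


def render(mac_hex, separator):
    """Write 12 hex digits in the notation that uses the given separator."""
    width = _GROUP_WIDTH[separator]
    return separator.join(mac_hex[i:i + width] for i in range(0, 12, width))


def query_separator(query):
    """Validate a full or partial query; return (lowercased query, its separator)."""
    text = query.strip().lower()
    if not re.fullmatch(r"[0-9a-f.:-]+", text) or not re.search(r"[0-9a-f]", text):
        raise ValueError(f"query must contain hex digits and one separator style: {query!r}")
    used = set(text) & {".", ":", "-"}
    if len(used) > 1:
        raise ValueError(f"query mixes separator styles: {query!r}")
    return text, (used.pop() if used else "")


def search(query, stored_macs):
    """Return the stored addresses (as stored) that contain the query."""
    text, separator = query_separator(query)
    return [m for m in stored_macs if text in render(canonical(m), separator)]


# Constructed sample records, deliberately stored in mixed notations.
STORED_MACS = [
    "001a.2b3c.4d5e",
    "00:1A:2B:99:88:77",
    "a1a2b0c3d4e5",
    "00-1a-2b-3c-4d-5f",
]

if __name__ == "__main__":
    for q in ("1a:2b", "1a2b", "2B3C.4D"):
        print(q, "->", search(q, STORED_MACS))
```

The same four hex digits give different result sets: `1a:2b` matches only where the digits fall on octet boundaries, while the unseparated `1a2b` also matches `a1a2b0c3d4e5`, where they straddle two octets.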
Uninstalling UTU
Ensure that UTU is not running while uninstalling.
If you try to uninstall UTU when it is running, an error message appears and uninstallation terminates.
To uninstall UTU:
Step 1 Select Start > Programs > Cisco Prime UTU 2.0 > Uninstall Cisco Prime User Tracking Utility 2.0
from the Windows task bar.
The Uninstallation wizard appears and prompts you to confirm the UTU uninstallation.
Step 2 Click Yes.
The Uninstallation continues.
Step 3 Click Finish to exit the uninstallation wizard.
All collection settings, such as Inventory Collection settings, VRF Lite settings, and various SNMP timeout
settings, are grouped under the collection settings in the Admin tab in the menu.
This section contains:
• Using the Inventory Job Browser
• Timeout and Retry Settings
• Secondary Credentials
• Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and
PSIRT/EOX System
• PSIRT or End-of-Sale or End-of-Life Data Administration
• Administering VRF Lite
• Modifying Fault Management SNMP Timeout and Retries
• Configuring Fault Management Rediscovery Schedules
• Configuring Event Forensics
• Fault Monitoring Device Administration
• Device Management Functions
• Performance Management SNMP Timeouts and Retry Settings
• IPSLA Application Settings
• Setting Up Archive Management
• Defining the Configuration Collection Settings
• Configuring Transport Protocols
• Overview: Common Syslog Collector
• Viewing Status and Subscribing to a Common Syslog Collector
Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform these tasks.
When you install LMS, a default job is defined for Inventory Collection and Inventory Polling.
When the default job runs, LMS evaluates the “all devices” group and executes the job. This way,
whenever new devices are added to the system, these devices are also included in the default
collection/polling job.
For the default system jobs, the device list cannot be edited. You can only change the schedule of those
jobs. Therefore, when a periodic system job for inventory collection or polling is scheduled, the
scheduled job is not displayed in the Inventory Job Browser.
The default system jobs for Inventory Collection and Inventory Polling are created immediately after
installation. However, they may appear in the Inventory Job Browser (Inventory > Job Browsers >
Inventory Collection or Admin > Collection Settings > Inventory > Inventory Jobs) and the LMS Job
Browser (Admin > Jobs > Browser) only after some time has elapsed.
The jobs are displayed in the Job Browser when they are running, or after they are completed, with all
the details such as Job ID, Job Type, and Status.
User-defined jobs, however, are displayed in the Job Browser once they are scheduled, when they are
running, and after they are completed.
You can do the following tasks from the Inventory Job Browser:
• Viewing Job Details
• Creating and Editing an Inventory Collection or Polling Job
• Stopping, Cancelling or Deleting an Inventory Collection or Polling Job
Column Description
Job ID Unique ID assigned to the job by the system, when the job is created. Click on the hyperlink to view the
Job details (see Viewing Job Details.)
Periodic jobs such as 6-hourly, 12-hourly, Daily, Weekly and Monthly, have the job IDs that are in the
number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that
this is the third instance of the job ID 1001.
Job Type Type of job—System Inventory Collection, System Inventory Polling, Inventory Collection and Inventory
Polling.
Status Status of the job—Scheduled, Successful, Failed, Cancelled, Stopped, Running, Missed Start.
The number, within brackets, next to Failed status indicates the count of the devices that had failed for that
job. This count is displayed only if the status is Failed.
For example, If the status displays Failed(5), then the count of devices that had failed is 5.
This count of failed devices is not displayed for jobs restored from LMS 4.1 or earlier versions.
Description Description of the job entered by the job creator. This is a mandatory field. Accepts alphanumeric values.
The field is restricted to 256 characters.
Owner Username of the job creator.
Scheduled at Date and time at which the job was scheduled.
Completed at Date and time at which the job was completed.
Schedule Type Type of schedule for the job:
• Immediate—Runs the report immediately.
• 6 - hourly—Runs the report every 6 hours, starting from the specified time.
• 12 - hourly—Runs the report every 12 hours, starting from the specified time.
• Once—Runs the report once at the specified date and time.
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the specified day of the week and at the specified time.
• Monthly—Runs monthly on the specified day of the month and at the specified time.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job
will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed.
If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will
start only at 10:00 a.m. on November 3.
Using the Filter by field in the Inventory Job Browser, you can filter the jobs displayed in the browser.
You can filter the jobs using any of the following criteria and clicking Filter:
Filter Criteria Description
All Select All to display all jobs in the Job Browser
Job ID Select Job ID and enter the whole or the first part of the Job ID(s) that you want to display.
Job Type Select Job Type and then select any one of the following:
• Inventory Polling
• System Inventory Polling
• Inventory Collection
• System Inventory Collection
Status Select Status and then select any one of these:
• Schedule
• Successful
• Failed
• Cancelled
• Stopped
• Running
• Missed Start
Missed start is the status when the job could not run for some reason at the scheduled time.
For example, if the system was down when the job was scheduled to start, when the system comes up
again, the job does not run. This is because the scheduled time for the job has elapsed. The status for the
specified job will be displayed as Missed Start.
Description Select Description and enter the first few letters or the complete description.
Owner Select Owner and enter the user ID or the beginning of the user ID.
Schedule Type Select the Schedule Type and select any one of these:
• Immediate
• Once
• 6-hourly
• 12-hourly
• Daily
• Weekly
• Monthly
Refresh (Icon) Click on this icon to refresh the Inventory Job Browser.
To perform the following tasks, use the Inventory Job Browser (Table 8-1).
Table 8-1 Inventory Browser Buttons, the Tasks they Perform and their Description
Records for Inventory Collection and Polling jobs need to be purged periodically. To schedule a
default purge job for this purpose, select Admin > Network > Purge Settings > Config Job Purge
Settings.
Step 1 Either:
• Select Inventory > Job Browsers > Inventory Collection.
Or
• Select Admin > Collection Settings > Inventory > Inventory Jobs.
The Inventory Job Browser appears.
Step 2 Select either:
• Click Create.
The Create Inventory Job dialog box appears.
Or
• Select a job and click Edit.
Step 3 Select either:
• Device Selector, if you want to schedule report generation for static set of devices
Or
• Group Selector, if you want to schedule report generation for dynamic group of devices.
Field Description
Job Type Select either Inventory Collection or Inventory Polling, as required.
Scheduling
Run Type Specifies the type of schedule for the job:
• Immediate—Runs the report immediately.
• 6 - hourly—Runs the report every 6 hours, starting from the specified time.
• 12 - hourly—Runs the report every 12 hours, starting from the specified time.
• Once—Runs the report once at the specified date and time.
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the day of the week and at the specified time.
• Monthly—Runs monthly on the day of the month and at the specified time.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the
job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of
this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job
has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November
2, then the next job will start only at 10:00 a.m. on November 3.
If you select Immediate, the date field option will be disabled.
Date 1. Enter the start date in the dd mmm yyyy format, for example, 02 Jul 2004, or click on the
calendar icon and select the date.
2. Enter the start time by selecting the hours and minutes from the drop-down list.
The Date field is enabled only if you have selected an option other than Immediate in the Run
Type field.
Job Info
Job Description Enter a description for the report that you are scheduling. This is a mandatory field. Accepts
alphanumeric values. This field is restricted to 256 characters.
E-mail Enter e-mail addresses to which the job sends messages when the job has run.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog
box (Admin > System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the sender’s address,
• Transport Timeout—Amount of time the socket will be blocked for read operation.
The default value is 45000 milliseconds.
• Login Timeout—Amount of time in milliseconds after which it will start reading the user prompt.
The default value is 2000 milliseconds.
• Tune Sleep—Amount of sleep time in milliseconds after sending tune command 3 to 4 times.
The default value is 50 milliseconds.
• Delay After Connect—Amount of waiting time in milliseconds after initial socket connection. It will
wait for the set time before doing the next operation.
The default value is 300 milliseconds.
To edit the Inventory, Config timeout and retry settings:
Step 1 Select Admin > Network > Timeout and Retry Settings > Config Timeout and Retry Settings.
The Inventory, Config timeout and retry settings page appears.
Step 2 Enter the default values for:
• SNMP Retry
• SNMP Timeout
• Telnet Timeout
• Natted LMS IP Address
• TFTP Timeout
• Read Delay
• Transport Timeout
• Login Timeout
• Tune Sleep
• Delay After Connect
Step 3 Click Apply.
Note Modifying the default timeout values will apply to all the devices and impact the work flows of
all devices. To edit per device level attributes, go to Editing Device Attributes.
Note When you do a backup restore from LMS 3.x/4.x to LMS 4.2, the inventory, config timeout, and retry
values are not restored by default. To restore the values for all the devices, edit the default values in
the Timeout and Retry settings page. To restore the values for specific devices, go to Admin > Collection
Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings.
Secondary Credentials
The LMS server polls and receives two types of credentials from each device and populates the Device
Credential Repository (DCR). These credentials are:
• Primary Credentials
• Secondary Credentials
LMS uses either the primary or secondary credentials to access the devices using the following
protocols:
• Telnet
• SSH
The LMS server first uses the Primary Credentials to access the device. The Primary Credentials are tried
many times and, on failure, the Secondary Credentials are tried. Secondary Credentials are used as
a fallback mechanism in LMS for connecting to devices.
For instance, if the AAA Server is down, accessing devices using their primary credentials will lead to
failure.
You can add or edit the Secondary Credentials information through the DCR page (Select Inventory >
Device Administration > Add / Import / Manage Devices) if the Secondary Credential information is
not available for a device.
Note The use of Secondary Credentials fallback is applicable for both Login and Enable connectivity.
You can use the LMS Secondary Credential dialog box to enable or disable Secondary Credentials
fallback when the Primary Credentials for a device fails. This is a global option which you can use to
enable or disable the use of Secondary Credential fallback for all LMS applications.
To enable or disable the Secondary Credentials fallback:
Step 1 Select Admin > Collection Settings > Config > Secondary Credential Settings.
or
Select Admin > Collection Settings > Inventory > Secondary Credential Settings.
The Secondary Credentials dialog box appears.
Step 2 Do either of the following:
• Check Fallback to Secondary Credentials check box if you want to enable the Secondary
Credential fallback.
Or
• Uncheck Fallback to Secondary Credentials check box if you want to disable the Secondary
Credential fallback.
Step 3 Click either Apply to apply the option or click Cancel to discard the changes.
Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform these tasks.
Step 1 Select Admin > Collection Settings > Inventory > Inventory System Job Schedule.
The System Job Schedule dialog box displays the current collection or polling schedule.
Step 2 Set the new Inventory Collection or Inventory Polling schedule in the respective panes, as in Table 8-2.
Inventory data does not change frequently, so infrequent collection is better. However, if you are
installing a lot of new equipment, you may need more frequent collection.
Infrequent collection reduces the load on your network and managed devices. Collection is also best
done at night or when network activity is low.
Also, make sure your collections do not overlap, by checking their duration using the Inventory Job
Browser (see Using the Inventory Job Browser), and scheduling accordingly.
Step 3 Click Apply.
The new schedule is saved.
Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL Settings
Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform these tasks.
Step 1 Select Admin > Network > Compliance Policy/PSIRT/EOS/EOL Settings > Compliance Policy and
Psirt/Eox System Job Schedule.
The Compliance Policy and PSIRT/EOX System Job Schedule page appears.
Step 2 Set the new Compliance Policy and PSIRT/EOX schedule in the respective panes, as in Table 8-2.
Step 3 Click Apply.
The new schedule is saved.
Table 8-2 Details of Inventory system schedule and CAAM Policy and PSIRT/EOX System Job Schedule
Field Description
Scheduling
Run Type Select the run type or frequency for inventory collection or polling, CAAM Policy and PSIRT/EOX—Daily,
Weekly, or Monthly.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job
will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If
the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start
only at 10:00 a.m. on November 3.
Date Select the date for the collection or polling to begin, using the date picker.
at Enter the time for the collection or polling to begin, in the hh:mm:ss format.
Job Info
Job Description Has a default Job Description:
If the Job Type is Inventory Collection, the description is System Inventory Collection Job.
If the Job Type is PSIRT and EOX or Compliance Policy, the description is System Compliance Policy and
PSIRT/EOX Job.
E-mail Enter e-mail addresses to which the job sends messages when the collection or polling job has run.
You can enter multiple e-mail addresses, separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin >
System > System Preferences).
We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box (Admin
> System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the sender’s address.
Note The system PSIRT job should complete successfully at least once before you generate PSIRT/End-of-Sale or
End-of-Life (EoX) reports. A report job is successful even when there is no data to display for the
selected devices.
The EoS/EoL reports will be successful but might not contain data in the following scenarios:
1. If the system PSIRT job fails because of wrong Cisco.com credentials, or if you have not
configured the Cisco.com credentials.
2. If the system PSIRT job fails due to problems in the downloaded local XML file.
3. If there is no PSIRT/EoX data in the database for the selected devices.
LMS fetches and collects this PSIRT information from Cisco.com whenever the system PSIRT and
End-of-Sale or End-of-Life (EOX) job runs.
LMS uses PSIRT, End-of-Sale and End-of-Life data from Cisco.com to generate various reports. You
can change the Data Source for PSIRT or End-of-Sale or End-of-Life reports. For more information, see
Changing the Data Source for PSIRT/EOS/EOL Reports.
When you schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the
data either from Cisco.com or from a local text file with XML data, depending upon the option you have
set.
Step 1 Select Admin > Network > PSIRT, EOS and EOL Settings > PSIRT/EOX Reports option.
The PSIRT/EOX Reports dialog box appears.
Step 2 Either:
• Select Cisco.com, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data
from Cisco.com
Or
• Select Local, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data from
local file.
The local file location is shown if you have selected Local.
Step 3 Click Apply.
The PSIRT or End-of-Sale or End-of-Life report can be generated based on the settings specified by you.
Note When you schedule a PSIRT Summary report job or an End-of-Sale or End-of-Life job using the Cisco.com
method, the Cisco.com Username and Cisco.com Password fields are enabled. If you have configured the Proxy
Server (Admin > System > Cisco.com Settings > Proxy Server Setup), the Proxy Username and Proxy
Password fields are also enabled.
Note You must not extract the EOX_SOFTWARE.zip file in the LMS Server.
Step 1 Select Admin > Collection Settings > VRF Lite > VRF Lite Collector Schedule.
The VRF Lite Collector Schedule dialog box appears.
Step 2 Enter the details as mentioned in Table 8-3.
To view the status of the VRF Lite Collector Schedule job, select Admin > Jobs > Browser, and use
the filter to find the VRF Lite Collector Schedule job.
Step 1 Select Admin > Network > Timeout and Retry Settings > VRF Lite SNMP Timeouts and Retries.
The VRF Lite SNMP Timeouts and Retries dialog box appears.
Step 2 Modify the SNMP settings as given in Table 8-4.
Field Description
Target IP address of the target device. For example, 10.*.*.*
Timeouts Time period after which the query times out.
This also indicates the time interval between the request and the first initial
response from the device.
The SNMP response may be slow for remote devices. If your network has
remote devices connected over a slow link, configure a higher value for
time-out.
If Time out is increased, Discovery time could also increase. Enter the value
in seconds. The allowed range is 0-60.
For every retry, the Timeout value is doubled.
For example, if the Timeout is 10 seconds and Retries is 4:
LMS waits 10 seconds for a response on the first try, 20 seconds on the
second retry, 40 seconds on the third retry and 80 seconds on the fourth
retry.
150 seconds (10+20+40+80) is the total time that elapses before Virtual
Network Manager stops querying the device.
Retries Number of attempts made to query the device. The allowed range is 0-8.
Note Changing the settings on this page will modify the settings on all devices managed by LMS.
Note Your login determines whether or not you can perform this task. View Permission Report (Reports >
System > Users > Permission) to check if you have the required privileges to perform this task.
Step 1 Select Admin > Network > Timeout and Retry Settings > Fault Management SNMP Timeouts and
Retries. The SNMP Configuration page appears.
Step 2 Select a new SNMP timeout setting.
Step 3 Select a new Number of Retries setting.
Step 4 Click Apply.
Step 5 In the confirmation box, click Yes.
LMS rediscovery probes the devices to discover their configuration and verify their manageable
elements in inventory.
LMS contains a default discovery schedule that starts rediscovery on a weekly basis. Although you
cannot modify the default discovery schedule, you can suspend it and add, modify, or delete additional
schedules.
For more information, see
• Suspending and Resuming a Rediscovery Schedule
• Adding and Modifying a Rediscovery Schedule
Step 1 Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule.
The Rediscovery Schedule page appears.
Step 2 You can either:
• Select a schedule that does not have a Suspended status, and click Suspend.
The status for the schedule changes to Suspended and the schedule does not run until you resume
the schedule. The schedule remains listed on the Rediscovery Schedule page until you delete it.
Or
• Select a schedule with a status of Suspended and click Resume.
The status for the schedule changes to Scheduled.
Configuration
Task Default Schedule Comments and Notes
Database purging Run daily at The amount of time it takes to purge the database
midnight. depends on the size of the database.
For more information on how to configure the Daily
Fault History Purging Schedule, see Configuring the
Daily Fault History Purging Schedule.
Rediscovery Run weekly on By default, rediscovery starts 2 hours after database
Monday at 2:00 a.m. purging.
In addition to configuring schedules, a system administrator can schedule database backups. Be careful
while coordinating the database backup schedule to avoid running concurrently with the tasks listed in
Table 8-5.
To add or edit a rediscovery schedule:
Step 1 Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule.
Step 2 Either:
• Click Add.
Or
• Select a rediscovery schedule with a status of Scheduled and click Edit. You cannot edit
Default_Schedule.
Step 3 Enter a name for the schedule.
Step 4 Select how often the schedule should run:
• Once
• Daily
• Weekly (default)
• Monthly
Step 5 Select the date, hour, and minute on which to start the rediscovery schedule and click Next.
Step 6 Review the information on the Schedule Summary page and click Finish. The Rediscovery Schedule
page appears, listing the new schedule.
Step 2 Click Yes. The job is removed from this page. However, it will continue to be listed in the main Job
Browser.
Step 1 Click Admin > Collection Settings > Fault > Fault Event Forensics Configuration. The Event
Forensics Configuration page appears.
Step 2 Select the Event Forensics Enable check box to enable LMS to collect forensics data.
Step 3 Click Apply.
LMS polls for Event Forensics data for the following events only:
• Device unavailability or unresponsiveness
• Flapping
• Operationally Down
To view the event forensics results select Monitor > Monitoring Tools > Fault Monitor. You can see
the event forensics results when you move your mouse over the Annotations in the Faults table of Fault
Monitor Device Fault Summary view tab.
Note If the IP addresses of a device and of its components, such as an interface or port, are added separately in
DCR, only the device IP is managed in Fault Management. The component IPs are not
managed separately because the components are already managed under the device IP.
The devices that appear in the device selector are organized in folders by device state as shown in the
Table 8-6. The folders appear only if there is a device to go in the folder.
Heading Description
Status Lists the state the devices are in, from the following possibilities:
Known The device has been successfully imported, and is fully managed by Fault
Management.
Learning Fault Management is discovering the device. This is the beginning state,
when the device is first added or is being rediscovered. Some of the data
collectors may still be gathering device information.
Questioned Fault Management cannot successfully manage the device.
Pending The device is being deleted. (Fault Management is waiting for
confirmation from all of its data collectors before purging the device and
its details.)
Unknown IPv6 device or the selected algorithm is not supported in Fault
Management.
Rediscovering Devices
When rediscovery takes place, if there are any changes to a device or group configuration, the new
settings will overwrite any previous settings.
Rediscovery occurs only for managed devices, and not suspended devices.
Rediscovery also occurs when:
• Inventory collection occurs. This is controlled by the Rediscovery Schedule (Admin > Collection
Settings > Fault > Fault Management Rediscovery Schedule)
• A device is added to the DCR, or a change is made to a device in the DCR, and LMS is configured
to import that device type (or LMS automatically imports all DCR devices). Such DCR changes
include a device being deleted or having its credentials (IP address, SNMP credentials, MDF type)
changed in the DCR.
Note Do not confuse the LMS discovery process with the DCR synchronization process. LMS Discovery and
Rediscovery is a process that affects only the LMS inventory.
To rediscover devices:
Step 1 Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault
Monitoring Device Administration page appears.
Step 2 Select the device or group that you want to rediscover.
With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To
assist you in locating devices, use the search option in the device selector.
Note If you are connecting to the LMS server for the first time, a Security Alert window is displayed
after you select nearly any option. Do not proceed without viewing and installing the security
certificate. You should contact a user with System Administrator privileges to create a
self-signed security certificate, and then install it. If you do not install the self-signed security
certificate, you may not be able to access some LMS application pages.
Note If the number of components managed by fault management exceeds 40000/domain then the remaining
devices will be moved to Question State with the error message “Network Adapter Limit Exceeded”.
Step 1 Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault
Monitoring Device Administration page appears.
Step 2 Click Question State Device Report.
The question state device report containing the device name, device IP, discovery start time and error
details is displayed.
LMS 4.2 removes application boundaries and provides tighter integration among the components. It
groups all the related functionalities in one place, thus making the product more user friendly.
LMS 4.2 consists of the following five functionalities:
• Inventory, Config and Image Management
• Network Topology, Layer 2 Services and User Tracking
• Fault Management
• IPSLA Performance Management
• Device Performance Management
To view the functionality settings:
Select Admin > System > Device Management Functions.
By default, all the functions will be enabled.
If you have a 10K license, only Inventory, Config and Image Management will function. You should
disable all functions except Inventory, Config and Image Management from this page.
Note If you disable a function, the function will stop collecting device information. For IPSLA Management,
history data will be deleted.
Step 1 Select Admin > Network > Timeout and Retry Settings > Performance Management SNMP
timeouts and retry settings.
The Poll Settings dialog box appears.
Table 8-7 describes the fields in the Poll Settings dialog box.
Field Description
Poll Details
SNMP Timeout Specify the SNMP timeout interval in seconds.
The default SNMP timeout value is 3 seconds. You can change the default
SNMP timeout value to a value between 1 to 15 seconds.
SNMP Retries Specify the SNMP retries count.
The default SNMP retry count value is 1. You can set the default SNMP retry
count to a value from 0 to 3.
Polling Failure
Notification Interval Specify the polling failure notification interval.
You can select any of these predefined values. The default option is 6 hours.
• 01 - Hour—Polling failures notified every 1 hour.
• 06 - Hours—Polling failures notified every 6 hours.
• 24 - Hours—Polling failures notified every 24 hours.
• 48 - Hours—Polling failures notified every 48 hours.
• Weekly—Polling failures notified every week.
Polling failure notification report is generated periodically based on
notification interval. This report contains information on the SNMP polling
failures with device details.
E-mail ID Enter the e-mail address.
The E-mail address must be in the format: user@domain.com.
The poll failure report is sent to the E-mail address based on the Notification
Interval.
Note The IP SLA probes are automatically reconfigured when you reboot if you have selected this option and
saved the IP SLA probes of the LMS collectors in the startup configuration.
Step 1 Select Admin > Collection Settings > Performance > IPSLA application settings.
The IPSLA Application Settings page appears.
Step 2 Select the Copy IPSLA Configuration to Running-config check box.
Step 3 Click Apply. A message appears that the application settings have been modified successfully.
Click Default to retain the default settings.
Step 4 Click OK.
Step 1 Select Admin > Collection Settings > Performance > IPSLA application settings.
The Application Settings page appears.
Step 2 Select the Use Managed Source Interface Address check box.
Step 3 Click Apply. A message appears that the application settings have been modified successfully.
Click Default to retain the default settings.
Step 4 Click OK.
For example, if you have configured username and password prompts as MyUsername: and
MyPassword: for a few devices and Secret Username: and Secret Password: for a few devices, the ini
file must be configured as:
[TELNET]
USERNAME_PROMPT=MyUsername:, Secret Username:
PASSWORD_PROMPT=MyPassword:, Secret Password:
Note You need not add the default Username prompt and Password prompt in the TacacsPrompts.ini file. Only
the custom prompts need to be added.
Enabling rcp
To enable the configuration archive to gather the configurations using the rcp protocol, modify your
device configurations.
Make sure the devices are rcp-enabled by entering the following commands in the device configurations:
# ip rcmd rcp-enable
# ip rcmd remote-host local_username {ip-address | host} remote_username [enable]
Where ip-address | host is the IP address of the machine where LMS is installed; you can enter the
hostname instead of the IP address. The default remote_username and
local_username are cwuser.
Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS
server. To do this, use the following command so that rcp can fetch the device configuration:
no ip rcmd domain-lookup
Enabling scp
To enable the configuration archive to gather the configurations using the scp protocol, modify your
device configurations.
To configure local User name:
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
ip ssh authentication-retries 4
ip scp server enable
User on the TACACS Server should be configured with priv level 15:
user = admin {
    default service = permit
    login = cleartext "system"
    service = exec {
        priv-lvl = 15
    }
}
Enabling https
To enable the configuration archive to gather the configurations using https protocol you must modify
your device configurations.
To modify the device configuration, follow the procedure as described in this URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_eol_notices_list.html
Router Commands
Command Description
terminal length 0 Sets the number of lines on the current terminal screen for the
current session
terminal width 0 Sets the number of character columns on the terminal screen for the
current line for a session
show privilege Displays your current level of privilege
Show running Gets running configuration.
Show startup Gets startup configuration.
Show running-brief (see note 1) Gets the running configuration in brief by excluding the encryption
keys.
Note 1: This is applicable for IOS release 12.3(7)T or later.
The commands in the above tables also apply to the following device types:
• Universal Gateways and Access Servers
• Optical Networking
• Broadband Cable
• Voice and Telephony
• Wireless
• Storage Networking
Switches Commands
The switches commands are:
Command Description
set length 0 Configures the number of lines in the terminal display screen
set logging session disable Disables the sending of system logging messages to the current login
session.
write term Gets running configuration.
Command Description
no terminal more Disables support for more functions with the terminal.
show running-config Gets all components of the running configuration.
show startup-config Gets the CSS startup configuration (startup-config).
Command Description
terminal length 0 Sets the number of lines on the current terminal screen for the current
session
show run Gets running configuration.
show config Gets startup configuration.
Command Description
terminal length 0 Sets the number of lines on the current terminal screen for the current
session
show autostart Displays autostart collections
show configuration Gets startup configuration.
Command Description
terminal width 0 Sets the number of character columns on the terminal screen for the
current line for a session
show config Gets startup configuration.
show running Gets running configuration.
show curpriv View the current logged-in user.
no pager Removes paging control
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
The following is the workflow for moving the configuration archive location:
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
You can enable or disable the use of Shadow directory by following this workflow:
Example 1:
If you have specified these commands at the following levels:
• Routers (Device Category) level
end,exec-timeout,length,width,certificate,ntp clock-period
• Cisco 1000 Series Routers (Device Family) level
banner incoming,snmp-server location
• Cisco 1003 Router (Device Type) level
ip name-server,banner motd,snmp-server manager session-timeout
While comparing configurations, only the Cisco 1003 Router (Device Type) level commands are
excluded.
Example 2:
If you have specified these commands only at the Device Family and Device Category levels:
• Routers (Device Category) level
end,exec-timeout,length,width,certificate,ntp clock-period
• Cisco 1000 Series Routers (Device Family) level
banner incoming,snmp-server location
• Cisco 1003 Router (Device Type) level
No commands specified.
While comparing configurations, only the Cisco 1000 Series Routers (Device Family) level commands
are excluded.
If the commands are specified only at the Device Category level, these commands are applicable to all
devices under that category.
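The precedence in Example 1 and Example 2 can be reproduced with a short Python sketch. This is an added example, not LMS code; the function names, the sample configurations, and the rule used to match an exclude command against a configuration line (a contiguous whole-word match) are assumptions.

```python
import difflib

# Exclude lists from Example 1 above, keyed by (level, name).
EXCLUDES = {
    ("category", "Routers"):
        "end,exec-timeout,length,width,certificate,ntp clock-period",
    ("family", "Cisco 1000 Series Routers"):
        "banner incoming,snmp-server location",
    ("type", "Cisco 1003 Router"):
        "ip name-server,banner motd,snmp-server manager session-timeout",
}

# Constructed configurations for illustration (not from a real device).
OLD_CFG = """\
hostname r1003
banner motd ^C Authorized use only ^C
ip name-server 10.0.0.53
snmp-server location Lab-A
ntp clock-period 17180
line vty 0 4
 exec-timeout 5 0
end
"""
NEW_CFG = """\
hostname r1003
banner motd ^C Maintenance window ^C
ip name-server 10.0.0.54
snmp-server location Lab-B
ntp clock-period 17179
line vty 0 4
 exec-timeout 10 0
end
"""


def effective_excludes(excludes, category, family, dev_type):
    """Return (level, commands) for the most specific level that has commands.

    Lists are not merged: a Device Type list hides the Family and Category
    lists (Example 1); an empty Type list falls back to Family (Example 2).
    """
    for level, name in (("type", dev_type), ("family", family),
                        ("category", category)):
        raw = excludes.get((level, name), "")
        commands = [c.strip() for c in raw.split(",") if c.strip()]
        if commands:
            return level, commands
    return None, []


def is_excluded(line, commands):
    """Assumed rule: the command's words occur contiguously in the line."""
    tokens = line.split()
    for command in commands:
        want = command.split()
        for i in range(len(tokens) - len(want) + 1):
            if tokens[i:i + len(want)] == want:
                return True
    return False


def compare(old_cfg, new_cfg, commands):
    """Diff two configurations after dropping excluded lines from both."""
    def keep(cfg):
        return [l.rstrip() for l in cfg.splitlines()
                if l.strip() and not is_excluded(l, commands)]
    diff = difflib.unified_diff(keep(old_cfg), keep(new_cfg), lineterm="", n=0)
    return [d for d in diff
            if d.startswith(("+", "-")) and not d.startswith(("+++", "---"))]


if __name__ == "__main__":
    router = ("Routers", "Cisco 1000 Series Routers", "Cisco 1003 Router")
    level, commands = effective_excludes(EXCLUDES, *router)
    print("Example 1 uses the", level, "list:", commands)
    for line in compare(OLD_CFG, NEW_CFG, commands):
        print(" ", line)
```

With the Device Type list in force, the ntp clock-period and exec-timeout differences are reported again because the Device Category list no longer applies, while banner motd and ip name-server changes are hidden from the comparison.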
To configure Exclude Commands:
Step 1 Select Admin > Collection Settings > Config > Config Compare Exclude Commands Configuration.
The Configure Exclude Commands dialog box appears.
Step 2 Select one of these from the Device Type Selector pane:
• Device Category (For example, Routers, Wireless, etc.)
• Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.)
• Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)
Step 3 Enter the command in the Exclude Commands pane to add new commands.
You can enter multiple commands separated by commas.
You can also edit or delete the existing commands in the Exclude Commands pane.
Step 4 Click Apply.
A message appears, The commands to be excluded are saved successfully.
Step 1 Select Admin > Collection Settings > Config > Config Job Timeout Settings.
The Fetch Settings dialog box appears.
Step 2 Provide the Job Result wait time in seconds in the Maximum time to wait for Job results per device
(seconds) field.
Step 3 Click either of these:
• Click Apply, if you want to submit the Job Result Wait Time entered.
• Click Cancel if you want to cancel the changes made to the Job Result Wait Time.
Note The Syslog application triggers configuration fetch, if configuration change messages like
SYS-6-CFG_CHG, CPU_REDUN-6-RUNNING_CONFIG_CHG etc., are received.
Note Startup configurations are not ‘versioned’ and only one copy of the startup configuration of devices
(which supports startup configuration), is saved in the system. No change audit records are logged for
changes in the ‘Startup Configuration’ files.
LMS first compares the collected configuration file, with the latest configuration in the archive, and
checks to see if there are effective configurations changes from what was previously archived.
Periodic Polling
The configuration archive performs a SNMP query on the device. If there are no configuration changes
detected in the devices, no configuration is fetched.
Periodic Collection
The configuration is fetched without checking for any changes in the configuration.
By default, the Periodic Collection and Polling are disabled.
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
The following is the workflow for defining the configuration collection setting:
Field Description
Scheduling
Run Type You can specify when you want to run the configuration polling job.
To do this, select one of these options from the drop-down menu:
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the day of the week and at the specified time.
• Monthly—Runs monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has
completed.
If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will
start only at 10:00 a.m. on November 3.
Date You can select the date and time (hours and minutes) to schedule.
Job Information
Job Description The system default job description, Default config polling job is displayed.
You cannot change this description.
E-mail Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin
> System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with
the E-mail ID as the sender's address.
d. Click OK.
Periodic Collection
a. Select Enable for Configuration archive to perform a periodic check on the device to retrieve
configuration.
b. Click Schedule.
The Config Collection Schedule dialog box appears.
Field Description
Scheduling
Run Type You can specify when you want to run the configuration collection job.
To do this, select one of these options from the drop-down menu:
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the day of the week and at the specified time.
• Monthly—Runs monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has
completed.
If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will
start only at 10:00 a.m. on November 3.
Date You can select the date and time (hours and minutes) to schedule.
Job Information
Job Description The system default job description, Default config collection job is displayed.
You cannot change this description.
E-mail Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with
the E-mail ID as the sender's address.
d. Click OK.
VLAN config Collection
a. Check the Disable VLAN config collection check box.
b. Click Apply.
The VLAN config collection will be disabled for both manual and system config collection jobs. By
default the Disable VLAN Config collection checkbox is unchecked.
Step 3 Either click Apply to accept the new values provided.
Or
Click Cancel if you want to discard the changes and revert to previously saved values.
If you had clicked Apply, a message appears:
New settings saved successfully.
You can check the status of your scheduled job by selecting Admin > Jobs > Browser.
To use this
Protocols You must...
Telnet Know Telnet passwords for login and Enable modes for device. If device is configured for TACACS
authentication, enter Primary Username and Primary Password.
TFTP Know read and write community strings for device.
RCP Configure devices to support incoming rcp requests. To make sure the device is rcp-enabled, enter the
following commands in the device configuration:
# ip rcmd rcp-enable
# ip rcmd remote-host local_username {ip-address | host} remote_username [enable]
where ip-address | host is the IP address/hostname of the machine where LMS is installed. The default
remote_username and local_username are cwuser. For example, you can enter:
# ip rcmd remote-host cwuser 123.45.678.90 cwuser enable
Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS server.
To do this, use the following command so that rcp can fetch the device configuration:
no ip rcmd domain-lookup
SSH Know the username and password for the device. If device is configured for TACACS authentication, enter the
Primary Username and Primary Password.
Know password for Enable modes.
When you select the SSH protocol for the LMS applications (Configuration Archive, NetConfig, ConfigEditor,
and NetShow) the underlying transport mechanism checks whether the device is running SSHv2.
If so, it tries to connect to the device using SSHv2.
If the device does not run SSHv2 and runs only SSHv1 then it connects to the device through SSHv1.
If the device runs both SSHv2 and SSHv1, then it connects to the device using SSHv2.
If a problem occurs while connecting to the device using SSHv2, then it does not fall back to SSHv1 for the
device that is being accessed.
Some useful URLs on configuring SSHv2 are:
• Configuring Secure Shell on Routers and Switches Running Cisco IOS:
http://www.cisco.com/warp/public/707/ssh.shtml
• How to Configure SSH on Catalyst Switches Running Catalyst OS:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml
• Configuring the Secure Shell Daemon Protocol on CSS:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/security/guide/sshd.html
• Configuration Examples and TechNotes:
– http://www.cisco.com/en/US/tech/tk583/tk617/tech_configuration_examples_list.html
– http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html
SCP Know the SSH username and password for the device.
To make sure the device is scp-enabled, enter the following commands in the device configuration.
To configure local User name:
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
ip ssh authentication-retries 4
ip scp server enable
User on the TACACS Server should be configured with privilege level 15:
user = admin {
    default service = permit
    login = cleartext "system"
    service = exec {
        priv-lvl = 15
    }
}
HTTPS Know the username and password for the device. Enter the Primary Username and Password in the Device and
Credential Repository.
To enable the configuration archive to gather the configurations using https protocol you must modify your
device configurations:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_installation_and_configuration_guides_list.html
This is used for VPN 3000 device.
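The rcp and scp prerequisites listed under Enabling rcp, Enabling scp and in the protocol table above can be checked against an archived running configuration before a transport is selected. The following Python sketch is an added example, not part of LMS or of the original guide; the sample configuration, the 192.0.2.10 LMS address, the function name audit_transport and the choice of which lines count as scp prerequisites are assumptions.

```python
import re

# Constructed running-config excerpt for illustration (not from a real device).
# 192.0.2.10 stands in for the LMS server; 198.51.100.7 is an extra trusted host.
SAMPLE_CONFIG = """\
hostname edge-r1
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
ip ssh authentication-retries 4
ip scp server enable
ip rcmd rcp-enable
ip rcmd remote-host cwuser 192.0.2.10 cwuser enable
ip rcmd remote-host cwuser 198.51.100.7 cwuser enable
no ip rcmd domain-lookup
"""

# ip rcmd remote-host local_username {ip-address | host} remote_username [enable]
REMOTE_HOST = re.compile(
    r"^ip rcmd remote-host (?P<local>\S+) (?P<host>\S+) (?P<remote>\S+)")

# Assumption: these lines from the local-user scp configuration on this page
# are treated as the scp prerequisites, matched exactly.
SCP_LINES = ("aaa new-model",
             "aaa authorization exec default local",
             "ip scp server enable")


def audit_transport(config, lms_host):
    """Report which config-archive transports a device configuration allows."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    present = set(lines)
    trusts = [m.groupdict() for m in map(REMOTE_HOST.match, lines) if m]
    lms_trust = [t for t in trusts if t["host"] == lms_host]
    findings = []

    # rcp needs the service enabled and a remote-host entry for the LMS server.
    rcp_enabled = "ip rcmd rcp-enable" in present
    rcp_ready = rcp_enabled and bool(lms_trust)
    if rcp_enabled and not lms_trust:
        findings.append(f"rcp enabled but no remote-host entry for {lms_host}")
    for t in trusts:
        if t["host"] != lms_host:
            findings.append(f"rcmd trust for unexpected host {t['host']}")
    if "no ip rcmd domain-lookup" in present:
        findings.append("DNS check for rcmd is disabled (no ip rcmd domain-lookup)")

    # scp needs the scp server plus the AAA lines shown on this page.
    missing_scp = [l for l in SCP_LINES if l not in present]
    scp_ready = not missing_scp
    if "ip scp server enable" in present and missing_scp:
        findings.append("scp server enabled but missing: " + "; ".join(missing_scp))

    if rcp_enabled and scp_ready:
        findings.append("rcp (unencrypted) is enabled although scp is available")
    if "aaa authentication enable default none" in present:
        findings.append("enable authentication method is 'none'")

    return {"rcp_ready": rcp_ready,
            "scp_ready": scp_ready,
            "rcmd_trusts": [t["host"] for t in trusts],
            "findings": findings}


if __name__ == "__main__":
    report = audit_transport(SAMPLE_CONFIG, "192.0.2.10")
    print("rcp ready:", report["rcp_ready"], "| scp ready:", report["scp_ready"])
    for finding in report["findings"]:
        print(" -", finding)
```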
The configuration archive uses Telnet/SSH to gather the module configurations of Catalyst 5000 family
devices and vlan.dat file in case of Catalyst IOS switches. Make sure you enter the correct Telnet and
Enable passwords.
If you enabled TACACS for a device and configured custom TACACS login and passwords prompts, you
may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts
recognizable, you must edit the TacacsPrompts.ini file. See the procedure given in Handling Custom
Telnet Prompts.
For module configs, the passwords on the module must be the same as the password on the supervisor.
This section also explains Supported Protocols for Configuration Management Applications.
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Collection Settings > Config > Config Transport Settings.
The Config Transport Settings dialog box appears.
Step 2 In the first drop-down list box, select the application for which you want to define the protocol order.
Step 3 Select a protocol from the Available Protocols pane and click Add.
If you want to remove a protocol, select the protocol and click Remove.
The list of protocols that you have selected appears in the Selected Protocol Order pane. The order of
protocols in the Selected Protocol Order pane can be changed using the Up and Down Buttons.
When a configuration fetch or update operation fails, an error message appears. This message displays
details about the supported protocol for the particular device and its modules, if there are any.
For the list of supported protocols, see Supported Device Table for Configuration Management
application on Cisco.com.
Step 4 Click Apply.
A message appears, New settings saved successfully.
Step 5 Click OK.
Note View the Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Column Description
Name Hostname or the IP address of the host on which the Collector is installed.
Forwarded Number of forwarded Syslog messages
Invalid Number of invalid Syslog messages.
Filtered Number of filtered messages. Filters are defined with the Message Filters option (Admin > Network >
Notification and Action Settings > Syslog Message Filters; see Defining Syslog Message Filters).
Dropped Number of Syslog messages dropped.
Received Number of Syslog messages received.
Up Time Time duration for which the Syslog Collector has been up.
Update Time Date and time of the last update.
Time and time zone are those of the LMS Server.
Test Collector Subscription Click to test a Syslog collector that’s already subscribed or that’s going to be subscribed.
Subscribe Click to subscribe a Syslog collector.
Unsubscribe Select the Syslog collector and click Unsubscribe to unsubscribe the Syslog collector.
If you want to refresh the information in this dialog box, click Update.
If you have restarted the LMS daemon manager, the Syslog Collector Status processes (under Admin >
Network > Syslog Collection Settings) may take 6-10 minutes to come up, after the Syslog Analyze
processes come up. In this interval you may see the following message:
Collector Status is currently not available.
Check if the SyslogAnalyzer process is running normally.
Wait for the Syslog Collector status process to come up and try again.
To subscribe to a Common Syslog Collector using the Subscribe button, see Subscribing to a Common
Syslog Collector.
Step 1 Select Admin > Collection Settings > Syslog > Syslog Collection Settings.
The Collector Status dialog box appears. For the information in the columns in the dialog box, see
Viewing Common Syslog Collector Status:
If you are already subscribed to a Syslog collector, and you want to unsubscribe, select the collector and
click the Unsubscribe button.
If you want to test the Syslog collector subscription, select the collector and click Test Collector
Subscription. For more information see Testing Syslog Collector Subscription.
Step 1 Select Admin > Collection Settings > Syslog > Syslog Collection Settings.
Step 2 The Collector Status dialog box appears. For the information on the dialog box, see Viewing Common
Syslog Collector Status.
Step 3 Either:
• Select a Syslog collector and click Test Collector Subscription.
• Test Collector Subscription popup window appears with the Syslog collector address.
Or
• Click Test Collector Subscription.
• Enter the Syslog collector in the Test Collector Subscription popup window.
Step 4 Click OK.
The Test Collector Subscription Status popup window appears, displaying the following status of the
Syslog collector:
• SSL certificate status—Status of the SSL Certificates. For example, SSL certificates are valid and
are properly imported. For more information see Syslog Collector Subscription Messages.
• Collector status—Status of the Syslog collector. For example, Collector is up and reachable. For
more information see Syslog Collector Subscription Messages.
Subscription Status: SSL Certification
Problem/Info: When there is an issue with SSL Certificate
Message: SSL certificate issue occurred, check if:
1. The Self-signed Certificates are valid. For example, check the certificate expiry date on the
servers.
2. The Self-signed Certificates of this server are copied to the Syslog Collector server and
vice-versa.
To do this, go to Admin > System Administration > Multiserver Management > Peer Server Certificate
Setup and add the certificate. See the Administration User Guide for LMS for more details.
3. The SyslogCollector process on Syslog Collector server and the SyslogAnalyzer process in the
current working server are restarted after Step 2.
4. Both hosts are reachable by hostname.
Subscription Status: SSL Certification
Problem/Info: When the SSL certificates are valid
Message: SSL certificates are valid and properly imported.
Subscription Status: Collector
Problem/Info: When the hostname is not DNS resolvable
Message: Unknown host address. Check if the host is DNS resolvable.
Subscription Status: Collector
Problem/Info: If the SyslogCollector process is down
Message: SyslogCollector process is down. Check if the SyslogCollector process is running on the port
<<port number>>.
Subscription Status: Collector
Problem/Info: If the Syslog Collector is down
Message: Cannot check SSL connectivity because the Syslog Collector is down.
Subscription Status: Collector
Problem/Info: If the Syslog Collector is reachable
Message: Syslog Collector <<collector name>> is up and reachable.
Monitoring and Troubleshooting Settings in the Admin menu groups all the administrative tasks that you
need to perform to monitor and troubleshoot your network using LMS.
This section contains:
• Configuring Fault Poller Settings For Topology
• Loading MIB Files
• Configuring RMON
• Configuring Topology Settings
Step 1 Select Admin > Network > Monitor / Troubleshoot > Fault Poller settings for topology.
The Fault Monitor Poller Settings page appears.
Step 2 Select the Poll Fault Monitor Server for alerts check box.
If you try to apply the settings when Fault Monitor module is not installed on a local or remote server,
you will get an error message indicating the same.
If Fault Monitor module is enabled, the list of LMS servers detected is displayed above this check box.
Step 1 Select Admin > Network > Monitor / Troubleshoot > Load MIB.
The Load MIB dialog box appears.
Table 9-1 describes the field in the Load MIB dialog box.
Field Description
MIB file Use the Browse button to load a MIB file from a directory location.
For example, RFC1213-MIB.my
You are allowed to load a MIB file only from the following directory path:
• In Windows, $NMSROOT\hum\mibmanager\mibcompiler\mibs
• In Solaris/Soft Appliance, $NMSROOT/hum/mibmanager/mibcompiler/mibs
$NMSROOT is the default Cisco Prime LMS installation directory.
Step 2 Click Browse to select the MIB file from a directory location.
The Server Side File Browser dialog box appears.
Step 3 Double-click the MIB file from the directory location.
Step 4 Click Apply to load the MIB file into LMS or Cancel to cancel the operation.
You will be able to load and compile a new MIB file into LMS only when its dependent MIB files are
available in the directory location.
For example,
To load and compile RFC1213-MIB, the dependent MIB files for RFC1213-MIB (RFC1155-SMI and
RFC-1212) must also be available at the same directory location. If the dependent MIB files are not
available, an appropriate error message is displayed and RFC1213-MIB does not compile.
The names of the dependent MIB files are case sensitive. They should be the same as the MIB file names
present in the definition files. Load only version2 MIB.
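The dependency rule above can be checked before a MIB is loaded. The following is an added example, not part of the Cisco guide or of LMS: it reads the IMPORTS clause of a MIB file and reports, for each module it imports, whether a file with exactly that name is present in the directory. It assumes a dependency is stored as the module name with or without a .my suffix, as in the list of basic dependent MIBs; the sample MIB text and the temporary directory are constructed.

```python
import re
import tempfile
from pathlib import Path

# ASN.1 comments run from "--" to the next "--" or to the end of the line.
COMMENT_RE = re.compile(r"--.*?(?:--|$)", re.MULTILINE)
IMPORTS_RE = re.compile(r"\bIMPORTS\b(.*?);", re.DOTALL)
FROM_RE = re.compile(r"\bFROM\s+([A-Za-z][A-Za-z0-9-]*)")

# Constructed excerpt: the IMPORTS clause of the guide's RFC1213-MIB example.
SAMPLE_RFC1213 = """\
RFC1213-MIB DEFINITIONS ::= BEGIN
IMPORTS
    mgmt, NetworkAddress, IpAddress, Counter, Gauge, TimeTicks
        FROM RFC1155-SMI   -- structure of management information
    OBJECT-TYPE
        FROM RFC-1212;
END
"""


def imported_modules(mib_text):
    """Return the module names a MIB imports, in order, without duplicates."""
    text = COMMENT_RE.sub("", mib_text)
    clause = IMPORTS_RE.search(text)
    if clause is None:
        return []
    return list(dict.fromkeys(FROM_RE.findall(clause.group(1))))


def check_dependencies(mib_file, mib_dir):
    """Map each imported module to (status, file name found or None).

    Names are compared against the directory listing as exact strings, so a
    file that differs only in case is reported even on a file system that
    would treat both spellings as the same file.
    """
    on_disk = [p.name for p in Path(mib_dir).iterdir() if p.is_file()]
    report = {}
    for module in imported_modules(Path(mib_file).read_text()):
        wanted = (module + ".my", module)  # assumed naming, see lead-in
        wanted_lower = {w.lower() for w in wanted}
        exact = [n for n in wanted if n in on_disk]
        loose = [n for n in on_disk if n.lower() in wanted_lower]
        if exact:
            report[module] = ("ok", exact[0])
        elif loose:
            report[module] = ("case-mismatch", loose[0])
        else:
            report[module] = ("missing", None)
    return report


def demo_check():
    """Build a constructed MIB directory with one wrongly cased dependency."""
    with tempfile.TemporaryDirectory() as tmp:
        mibs = Path(tmp)
        (mibs / "RFC1213-MIB.my").write_text(SAMPLE_RFC1213)
        (mibs / "RFC1155-SMI.my").write_text("-- placeholder\n")
        (mibs / "rfc-1212.my").write_text("-- placeholder\n")  # wrong case
        return check_dependencies(mibs / "RFC1213-MIB.my", mibs)


if __name__ == "__main__":
    for module, (status, found) in demo_check().items():
        print(f"{module}: {status} ({found})")
```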
The following is the list of basic dependent MIBs that will be required for loading other MIBs in LMS:
• RMON2-MIB.my
• BRIDGE-MIB.my
• RFC-1215.my
• INET-ADDRESS-MIB.my
• P-BRIDGE-MIB.my
• Q-BRIDGE-MIB.my
• CISCO-NETFLOW-MIB.my
• CISCO-STACK-MIB.my
• TOKEN-RING-RMON-MIB.my
• RFC-1212.my
• RMOM-MIB.my
• RFC1155-SMI.my
• RFC1213-MIB.my
• SNMP-FRAMEWORK-MIB.my
• CISCO-SMI.my
• ENTITY-MIB.my
• FDDI-SMT73-MIB.my
• CISCO-VTP-MIB.my
• SNMPv2-TC.my
• SNMPv2-SMI.my
• SNMPv2-MIB.my
• SNMPv2-CONF.my
• IF-MIB.my
• IANAifType-MIB.my
• EXPRESSION-MIB
• CISCO-CLASS-BASED-QOS-MIB
• CISCO-VOICE-DIAL-CONTROL-MIB
• CISCO-IPSEC-MIB
• HOST-RESOURCES-MIB
• CISCO-POP-MGMT-MIB
• RMON-MIB
• CISCO-PORT-QOS-MIB
• DIAL-CONTROL-MIB
• CISCO-DIAL-CONTROL-MIB
• CISCO-VOICE-COMMON-DIAL-CONTROL-MIB
• CISCO-VOICE-DNIS-MIB
• PerfHist-TC-MIB
• CISCO-QOS-PIB-MIB
• INT-SERV-MIB
• CISCO-ENERGYWISE-MIB
• CISCO-FRAME-RELAY-MIB
• CISCO-POWER-ETHERNET-EXT-MIB
• CISCO-TC
• CISCO-VTP-MIB
• DS1-MIB
• RFC1271-MIB
To view the list of more dependent MIBs go to:
http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2
The compiled MIB file appears in the Show MIB drop-down list in Select MIB Variables page.
Configuring RMON
You can enable RMON to measure Bandwidth Utilization for Topology.
Bandwidth Utilization is the measure of traffic flowing across a link. LMS highlights bandwidth
utilization across links, in the Topology maps. It computes the bandwidth utilization by taking the best
estimate of the mean physical layer network utilization on the links, during the sampling time interval.
In Topology Map, LMS can differentiate the links using colors, based on the bandwidth utilized by them.
You can customize the filters to display bandwidth utilization.
For more details, see Customizing Bandwidth Utilization Filters in Monitoring and Troubleshooting
Online Help.
This section contains:
• Modifying the Parameters
• Enabling RMON on All Ports in Selected Devices
• Enabling RMON on Selected Ports in Selected Devices
• Disabling RMON
Note LMS computes bandwidth utilization only on ethernet links, and not on any other type of link.
To compute bandwidth utilization in Campus Manager, you must enable Remote Monitoring (RMON).
Enabling RMON depends on two parameters.
Note You must configure the same value for Interval across the devices.
Step 1 Enter pdterm ANIServer at the command line to stop the ANI server.
Step 2 Go to NMSROOT/campus/etc/cwsi/ANIServer.properties.
Step 3 Modify the values of the properties, RMON.interval for Interval and RMON.bucketSize for the Bucket
Size.
The maximum value that you can enter for RMON.interval is 3600 seconds (One hour).
Step 4 Enter pdexec ANIServer at the command line to start the ANI server.
After modifying the bucket size and interval, enable RMON in devices as explained in Enabling RMON
on All Ports in Selected Devices or Enabling RMON on Selected Ports in Selected Devices.
You can use RMON.percentageTolerance property in the ANIServer.properties file to provide a value for
the Interval in a range. This is a hidden property that creates a range for the Interval value.
The property adds a value to the current interval that forms the upper limit and subtracts a value from
the current interval that forms the lower limit of the range. The default hidden value is 10 percent of the
interval.
For example, if the value provided in the ANIServer.properties file is 300, the range will be 270-330.
Thus, the samples are collected for the range of 270 to 330 seconds.
If you want to change this default value, you must:
Step 1 Select Admin > Network > Monitor / Troubleshoot > RMON Configuration.
The Enable RMON dialog box appears. The Device Selector pane displays a list of all devices.
Step 2 Select the check box corresponding to the devices for which you want to enable RMON.
The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as
300.
For a Bucket Size of 10, and interval of 300 seconds, LMS collects 10 samples of bandwidth utilization
across links over a period of 50 minutes, with an interval of 5 minutes (300 seconds).
To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters,
repeat all the steps listed in this section, for enabling RMON with the new parameters.
Step 3 Check the Configure on all links check box to configure all the ports of the selected devices in the
Device Selector.
Step 4 Click Configure to enable RMON on all the ports in the selected devices.
The following command is configured on the selected ports:
rmon collection history integer owner ownername buckets bucket-number interval seconds
Example:
rmon collection history 4 owner campusmanager buckets 10 interval 300
Step 1 Select Admin > Network > Monitor / Troubleshoot > RMON Configuration.
The Enable RMON dialog box appears. The Device Selector pane displays the list of devices.
Step 2 Select the check box corresponding to the devices for which you want to enable RMON.
The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as
300.
For a Bucket Size of 10, and interval of 300 seconds, Campus Manager collects 10 samples of bandwidth
utilization across links over a period of 50 minutes, with an interval of 300 seconds (5 minutes).
To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters,
repeat all the steps listed in this section, for enabling RMON with the new parameters.
Step 3 Uncheck the Configure on all Links check box since it is checked by default.
Step 4 Click Select links to select the ports for which you want to enable RMON.
It displays the list of ports in the selected devices. For details on the list displayed, see Table 9-2.
The Select Links check box is enabled only when you uncheck the Configure on all links check box.
Column Description
Port Name of the port.
Device Name Name of the device where the port is connected.
Device Address The IP address of the device.
isLink True is displayed for link ports and False for a non-link port.
Step 5 Select check boxes corresponding to the ports for which you want to enable RMON.
Step 6 Click Configure to enable RMON on the selected ports.
The following command is configured on the selected ports:
rmon collection history integer owner ownername buckets bucket-number interval seconds
Example:
rmon collection history 4 owner campusmanager buckets 10 interval 300
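The Interval rules in this section (the same value across devices, a maximum of 3600 seconds, and the default 10 percent tolerance range) can be verified against the configuration that LMS pushed. The following is an added example, not part of the Cisco guide or of LMS: it parses the rmon collection history command from device configuration text and reports ports whose interval deviates. The device names and configuration excerpts are constructed, and the owner name campusmanager is taken from the example command above.

```python
import re
from collections import Counter

# Syntax from the guide:
# rmon collection history <index> owner <ownername> buckets <n> interval <seconds>
RMON_RE = re.compile(
    r"^\s*rmon collection history (\d+) owner (\S+) buckets (\d+) interval (\d+)\s*$"
)
MAX_INTERVAL = 3600  # seconds; maximum the guide allows for RMON.interval

# Constructed configuration excerpts (not captured from real devices).
SAMPLE_CONFIGS = {
    "sw1": """\
interface GigabitEthernet0/1
 rmon collection history 4 owner campusmanager buckets 10 interval 300
!
interface GigabitEthernet0/2
 rmon collection history 5 owner campusmanager buckets 10 interval 300
!
""",
    "sw2": """\
interface GigabitEthernet0/1
 rmon collection history 4 owner campusmanager buckets 10 interval 600
!
""",
    "sw3": """\
interface GigabitEthernet0/1
 description uplink
!
""",
}


def parse_rmon(config_text):
    """Return one dict per 'rmon collection history' line, with its interface."""
    entries, iface = [], None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif line.strip() == "!":
            iface = None
        else:
            m = RMON_RE.match(line)
            if m:
                entries.append({"interface": iface, "index": int(m[1]),
                                "owner": m[2], "buckets": int(m[3]),
                                "interval": int(m[4])})
    return entries


def tolerance_range(interval, percent=10):
    """Sampling range the guide describes: interval minus/plus percent of it."""
    delta = interval * percent / 100
    return interval - delta, interval + delta


def history_window_minutes(buckets, interval):
    """Time covered by a full set of samples, in minutes."""
    return buckets * interval / 60


def audit(configs, owner="campusmanager"):
    """Return (device, interface, problem) tuples, ordered by device name."""
    per_device = {
        dev: [e for e in parse_rmon(text) if e["owner"] == owner]
        for dev, text in configs.items()
    }
    counts = Counter(e["interval"] for es in per_device.values() for e in es)
    reference = counts.most_common(1)[0][0] if counts else None
    findings = []
    for dev in sorted(per_device):
        entries = per_device[dev]
        if not entries:
            findings.append((dev, None,
                             f"no RMON history collection owned by {owner}"))
        for e in entries:
            if e["interval"] > MAX_INTERVAL:
                findings.append((dev, e["interface"],
                                 f"interval {e['interval']} s exceeds {MAX_INTERVAL} s"))
            elif e["interval"] != reference:
                findings.append((dev, e["interface"],
                                 f"interval {e['interval']} s differs from "
                                 f"{reference} s used on most ports"))
    return findings


if __name__ == "__main__":
    print("tolerance range for 300 s:", tolerance_range(300))
    print("window for 10 buckets:", history_window_minutes(10, 300), "minutes")
    for finding in audit(SAMPLE_CONFIGS):
        print(finding)
```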
Disabling RMON
After you have enabled RMON on a device through LMS, you can disable it using Command Line
Interface (CLI) only.
For a device running Catalyst operating system, enter the following command at the CLI prompt:
set snmp rmon disable
Step 1 Select Admin > Network > Monitor / Troubleshoot > Restricted Topology View.
The configuration screen is displayed.
Step 2 Select Display Only the Authorized devices in Topology Maps.
Step 3 Click Apply.
Topology Maps display only the devices you are authorized to view. If Topology Services is already
launched, close it and relaunch for the change to take effect.
Important Notes
If you change the management IP address of an authorized device:
• It becomes an unauthorized device.
• The device is not shown in Topology maps in subsequent relaunches.
• When the changed IP address is given as root in N-hop view portlet, it results in an error.
The Notification and Action Settings groups all the administrative tasks involved in setting up
notification and syslog settings. You can also customize the names and event severity, create and activate
notification subscriptions, and set up automated actions for Change Audit tasks and syslogs.
This section contains:
• Understanding Notifications and Subscriptions
• Customizing LMS Events
• Configuring Event Sets and Notification Groups for Subscriptions
• Managing Fault SNMP Trap Notifications
• Managing Fault E-Mail Configurations
• Managing Fault Syslog Notifications
• Configuring Fault SNMP Trap Receiving and Forwarding
• Performance SNMP Trap Notification Groups
• Performance Syslog Notification Groups
• Defining Automated Actions
• Defining Syslog Message Filters
• Inventory and Config Collection Failure Notification
• IPSLA Syslog Configuration
Note If a subscription is monitoring all events on a device (by not using an event set), and another subscription
is monitoring only specific events on a device, you will receive duplicate notifications.
Notification Types
The Fault Management module in LMS 4.2 provides three types of notifications:
• SNMP Trap Notification—Fault Management module generates traps with information about the
events that caused them. CISCO-EPM-NOTIFICATION-MIB defines the trap message format. For
more information, see Notification MIB in Monitoring and Troubleshooting Online Help. LMS can
also generate SNMP trap notifications for specified events.
Using SNMP trap notification is different from forwarding raw traps to another server before they
have been processed by LMS.
• E-mail Notification—LMS generates e-mail messages containing information about the events that
caused them. CISCO-EPM-NOTIFICATION-MIB defines the message, which is included in the e-mail
in text format. You can specify that you want the e-mail to contain only an informational subject line,
or you can customize the e-mail subject. For information on customizing the e-mail subject, see
Managing Fault E-Mail Subject Customization.
• Syslog Notification—LMS generates Syslog messages that can be forwarded to Syslog daemons on
remote systems.
All notifications have a default maximum message size of 250 characters. You can reset this variable to
any value between 250 and 1024 characters by editing the notification properties file.
To do this:
Procedure
Step 3 Stop and restart the Cisco Prime daemon manager on the LMS server.
a. Stop the daemon manager:
On Windows:
net stop crmdmgmt
On Solaris/Soft Appliance:
/etc/init.d/dmgtd stop
Notification Replay
You can configure LMS to replay notifications in the event that LMS has to be restarted. To enable this
feature, edit the file /opt/CSCOpx/objects/nos/config/nos.properties and set SEND_NOTIF_ON_START=1.
When the value is set to the default value (0), the notifications will not be replayed.
Subscriptions
LMS sends notifications based on user-defined subscriptions. You can create up to 32 notification
subscriptions. A subscription for SNMP trap notification or e-mail notification includes the following
common elements, as determined by the CISCO-EPM-NOTIFICATION-MIB:
• Devices—The devices or device groups of importance to the recipients.
• Event severity and status—One or more event severity levels and status. You can also customize the
names of the events used by Notification Services, and Fault History. See Customizing LMS Events.
• Recipients—One or more hosts to receive SNMP traps or users to receive e-mail. For Syslog
notifications, the recipient would be the remote host containing a Syslog daemon configured to
listen for Syslog messages.
• Name—A user-defined name to identify the subscription.
Subscriptions are based on user-configured event sets and notification groups. See Configuring Event
Sets and Notification Groups for Subscriptions for more information.
Events
LMS sends notifications whenever an event occurs that matches a subscription. For each event, LMS
compares the device, severity, and state against subscriptions and sends a notification when there is a
match. Matches can be determined by user-configured event sets and notification groups.
The procedure for configuring notification groups is described in Configuring Event Sets and
Notification Groups for Subscriptions.
LMS assigns one severity to each event and changes the state of an event over time, responding to user
input and changes on the device. Table 10-1 lists values for severity and explains how the state of an
event changes over time.
Note You can change event names to names that are more meaningful to you. See Customizing LMS Events.
Step 1 Select Admin > Network > Notification and Action Settings > Fault Notification Customization.
The Notification Customization page appears.
Step 2 Select the event names you want to customize by clicking the check box beside each event name.
Step 3 Enter your new names in the New Event Description fields.
Step 4 Select the event severity from the New Event Severity drop-down list.
You can select Critical or Informational.
Step 5 Enter any notes for information in the Troubleshooting Information field.
Step 6 Click Save to save your changes locally.
Step 7 Click Apply for the saved settings to take effect.
The confirmation window appears.
Note If a subscription is monitoring all events on a device (by not using an event set), and another subscription
is monitoring only specific events on a device, you will receive duplicate notifications.
Step 1 Select Admin > Network > Notification and Action Settings > Event Sets:
The Event Sets page appears. The page contains the following information:
Field Description
Select/Unselect All for Event Set Select an Event Set from the drop-down list.
Event Code Notification Services code for the event. This number cannot be
changed and is used to map default names to customized names.
Description Event description (user-defined or default).
Severity Event severity.
A-I Event set label. If an X appears in this column, the corresponding
event belongs to that event set.
Step 2 For each event set you want to configure, select events by doing either of the following:
• Select specific events by clicking the editable field under the label, and selecting X.
• Select or deselect all events for an event set using the Select or the Deselect button.
Step 3 Click Apply.
If you want to create a notification subscription, first create a notification group that uses your event set.
See Configuring Fault Notification Groups.
Note You cannot delete a notification group that is being used by a running subscription.
Step 1 Select Admin > Network > Notification and Action Settings > Fault Notification Group.
Step 2 Click Add to create a notification group.
The Notification Group Save: Add page appears. (If you want to edit or delete a notification group, click
the appropriate button and follow the instructions.)
Step 3 Specify the devices, event sets (if desired), and event severity and status. Click Next.
If a subscription is monitoring all events on a device (by not using an event set), and another subscription
is monitoring only specific events on a device, you will receive duplicate notifications.
With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To
assist you in locating devices, use the search option in the mega menu.
Step 4 Specify the notification group name, and enter any desired identifying information in the Customer ID
and Customer Revision fields.
• For e-mail and Syslog notifications, if you leave these fields blank, they are left blank in the
notification.
• For SNMP trap notifications, if you leave these fields blank, they are displayed as follows in any
notifications:
Customer ID: -
Customer Revision: *
Note Notification groups can be static or dynamic; you cannot have a mix of group types.
Note Adding a subscription is a multi-step process. Your changes are not saved until you click the Finish
button on the final page.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.
Step 2 Click Add.
Step 3 Complete the Trap Subscription Save: Add window:
a. Enter a subscription name.
b. Select a notification group.
If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate
the Recipients from Upgrade check box. (This choice is only available for systems that have been
upgraded from earlier versions of LMS.)
c. Click Next.
Step 4 Enter one or more hosts as recipients for traps:
a. For each host, enter:
• An IP address or DNS name for the hostname.
If a host name is used for the trap server and that host name changes, restart the NOSServer to
pick up the change.
• A port number on which the host can receive traps. If the port number is unspecified (empty),
the port defaults to 162. (You can verify this in Step 5.)
• A comment. (This is optional).
b. Click Next.
Step 5 Review the information that you entered and click Finish.
The SNMP Trap Notifications page is displayed, showing the new subscription.
Note Editing a subscription is a multi-step process. Your changes are not saved until you click the Finish
button on the final page.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.
Step 2 Select the subscription you want to edit by clicking the radio button beside it.
Step 3 Click Edit.
No information is saved until you complete Step 5.
Step 4 Edit the Trap Subscription Save: Edit window:
a. Change the subscription name.
b. Select another notification group.
If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate
the Recipients from Upgrade check box. (This choice is only available for systems that have been
upgraded from earlier versions of LMS.)
c. Click Next.
Step 5 Add or delete a recipient host or change the port number for a host:
a. To add one or more recipients, for each host, enter:
• An IP address or DNS name for the hostname.
• A port number on which the host can receive traps. If the port number is unspecified (empty),
the port defaults to 162. (You can verify this in Step 6.)
• A comment. This is optional.
b. To delete a recipient, delete the hostname, port number, and comment, if any.
c. Click Next.
Step 6 Review the information that you entered and click Finish.
The SNMP Trap Notifications page is displayed.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.
Step 2 Select the subscription you want to suspend by clicking the radio button beside it.
Step 3 Click Suspend.
Step 4 Click OK in the confirmation dialog box.
The SNMP Trap Notification Subscriptions page is displayed. The subscription status is Suspended.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.
Step 2 Select the subscription you want to resume by clicking the radio button beside it.
Step 3 Click Resume.
Step 4 Click OK in the confirmation dialog box.
The SNMP Trap Notification Subscriptions page is displayed. The subscription status is Running.
Note You can also suspend a subscription. Suspending a subscription causes the subscription to not be used
until a user resumes it.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
Step 2 Select the subscription you want to delete by clicking the radio button beside it.
Step 3 Click Delete.
Step 4 Click OK in the confirmation dialog box.
The SNMP Trap Subscriptions page appears. The subscription is no longer displayed.
Note You may not be able to use some of these functions if you do not have the required privileges.
Note Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - Email notification.
The E-Mail Notification Subscriptions page appears.
Step 2 You can do one of the following:
• Click Add.
• Click Edit.
You can edit an e-mail notification subscription regardless of its status (Running or Suspended).
After you edit an e-mail notification subscription, if the subscription status is Running, e-mail is
forwarded as specified until you change, suspend, or delete the subscription. Editing a suspended
subscription automatically resumes it.
• Click Delete.
Click OK in the confirmation dialog box.
The E-Mail Subscriptions page appears. The subscription is no longer displayed.
• Select the subscription you want to suspend by clicking the radio button beside it and click Suspend.
Click OK in the confirmation dialog box.
The E-Mail Notification Subscriptions page is displayed. The subscription status is Suspended.
After you suspend an e-mail notification subscription, LMS stops using the subscription to send
e-mail notification.
• Select the subscription you want to resume by clicking the radio button beside it and click Resume.
Click OK in the confirmation dialog box.
The E-Mail Notification Subscriptions page is displayed. The subscription status is Running. After
you resume an e-mail notification subscription, LMS starts using the subscription to determine when
e-mail notification should be sent in response to an event.
Step 3 When you add or edit a subscription for e-mail notification, a page appears with the following fields:
Field Description
Subscription Name Enter a subscription name.
Notification Group Select a notification group.
If you are upgrading LMS and want to use the
e-mail recipients from an earlier configuration,
activate the Recipients from Upgrade check box.
(This choice is only available for systems that
have been upgraded from earlier versions of
LMS.)
SMTP Server The name of the default Simple Mail Transfer Protocol (SMTP) server
may already be displayed. The server is specified using Admin >
System > SMTP Default Server. You may also enter a fully qualified
DNS name or IP address for an SMTP server.
To select from any non-default SMTP servers in use by existing
subscriptions, click the SMTP Servers button.
Sender Address Enter the e-mail address that notifications should be sent from. If the
sender’s e-mail service is hosted on the SMTP server specified, you need
enter only the username. You do not need to enter the domain name.
Recipient Addresses Enter one or more e-mail addresses that notifications should be sent to,
separating multiple addresses with either a comma or a semicolon. If a
recipient’s e-mail service is hosted on the SMTP server specified, you
need to enter only the username. You do not need to enter the domain
name.
Headers Only (check box) By default, e-mail notification supplies a fully detailed e-mail message.
To omit the message body and send only a subject line, select the
Headers Only check box.
Step 6 Click the Next button located at the bottom of the page.
Step 7 Review the information that you entered and click Finish.
The E-Mail Notification Subscriptions page is displayed, showing the new subscription.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - Email subject customization.
The available and selected lists of the subject attributes for e-mail are displayed.
To customize the e-mail subject, you can add and remove subjects from the current e-mail subjects list.
By default, the following e-mail subject attributes are displayed in the Selected Subjects for E-Mail
box.
• Event ID
• Device Name
• Time
• Severity
• Event Name
• Status
To add a subject:
a. Select the subject attribute from Available Subjects for E-Mail.
b. Click Add.
The selected subject attribute is added to the Selected Subjects for E-Mail list.
You can add a subject attribute only from the Available Subjects list to the Selected Subjects list.
You cannot add a subject attribute from the Selected subject list to the Available Subject list.
Note Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.
Step 2 Click Add.
a. Enter a subscription name.
b. Select a notification group.
c. Select a facility from the drop-down list (the default is Local Use 0). The Facility field and the event
severity are used for the PRI portion of the Syslog message, as follows:
[Facility*8][Severity]
Event severity values are as follows:
• Critical = 2
• Informational = 6
You can enter location information (up to 29 characters). This information will be populated in the
Syslog message. This is optional.
d. Click Next.
Step 3 Enter one or more hosts as recipients for Syslog notifications.
a. For each host, enter:
• An IP address or DNS name for the hostname.
• A port number on which the Syslog daemon is listening. If the port number is unspecified
(empty), the port defaults to 514. (You can verify this in Step 5.)
• A comment. This is optional.
b. Click Next.
Step 4 Enter the name of the subscription in the Save As field and click Next.
Step 5 Review the information that you entered and click Finish.
The Syslog Notification Subscriptions page is displayed with the new subscription.
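To confirm on a receiving host that notifications arrive with the facility chosen in the subscription, the PRI value can be decoded back into facility and severity. The shell functions below are an added example, not part of LMS; the sample lines are constructed, and the code assumes the standard syslog encoding (RFC 3164) in which PRI is Facility*8 plus Severity and Local Use 0 through 7 are facilities 16 through 23.

```shell
#!/bin/sh
# Added example (not LMS code): decode the <PRI> prefix of a received syslog
# line and compare it with the facility selected in the subscription.
# Assumes the standard encoding PRI = Facility*8 + Severity, where
# Local Use 0..7 are facility numbers 16..23.

# decode_pri LINE -> prints "FACILITY SEVERITY" (numeric); fails on a bad PRI.
decode_pri() {
    case $1 in
        '<'*'>'*) ;;
        *) return 1 ;;
    esac
    pri=${1#'<'}
    pri=${pri%%'>'*}
    case $pri in
        ''|*[!0-9]*|0?*|????*) return 1 ;;  # empty, non-numeric, leading zero, too long
    esac
    [ "$pri" -le 191 ] || return 1          # 23*8 + 7 is the largest valid PRI
    echo "$((pri / 8)) $((pri % 8))"
}

# severity_name N -> standard syslog severity keyword for 0..7.
severity_name() {
    case $1 in
        0) echo emergency ;;
        1) echo alert ;;
        2) echo critical ;;
        3) echo error ;;
        4) echo warning ;;
        5) echo notice ;;
        6) echo informational ;;
        7) echo debug ;;
    esac
}

# classify LINE LOCAL_N
#   prints "ok localN <severity>" when LINE uses Local Use N (status 0),
#   "mismatch facility=F severity=<severity>" otherwise (status 1),
#   or "invalid" when the line has no usable PRI (status 2).
classify() {
    fields=$(decode_pri "$1") || { echo invalid; return 2; }
    facility=${fields% *}
    severity=$(severity_name "${fields#* }")
    if [ "$facility" -eq $((16 + $2)) ]; then
        echo "ok local$2 $severity"
    else
        echo "mismatch facility=$facility severity=$severity"
        return 1
    fi
}

# Constructed sample lines: Local Use 0 with Critical (2) and Informational (6),
# then one line that arrives with a different facility.
for line in \
    '<130>May  1 10:00:00 lms-host constructed critical event' \
    '<134>May  1 10:00:05 lms-host constructed informational event' \
    '<14>May  1 10:00:09 other-host constructed user-level message'
do
    classify "$line" 0 || true
done
```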
Note Editing a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.
Step 2 Select the subscription you want to edit by clicking the radio button beside it.
Step 3 Click Edit.
Step 4 Edit the Syslog Subscription Save: Edit window:
a. Change the subscription name.
b. Select a different notification group.
c. Select a Facility from the drop-down list (the default is Local Use 0). The Facility field and the event
severity are used for the PRI portion of the Syslog message, as follows:
[Facility*8][Severity]
Event severity values are as follows:
• Critical = 2
• Informational = 6
You can enter location information (up to 29 characters). This information will be populated in the
Syslog message. This is optional.
d. Click Next.
Step 5 Add or delete a recipient host or change the port number for a host:
a. To add one or more recipients, for each host, enter:
Step 1 Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.
Step 2 Select the subscription you want to suspend by clicking the radio button beside it.
Step 3 Click Suspend.
Step 4 Click OK in the confirmation dialog box.
The Syslog Notification Subscriptions page is displayed. The subscription status is Suspended.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.
Step 2 Select the subscription you want to resume by clicking the radio button beside it.
Step 3 Click Resume.
Step 4 Click OK in the confirmation dialog box.
The Syslog Notification Subscriptions page is displayed. The subscription status is Running.
Note You can also suspend a subscription. Doing so causes the subscription to not be used until a user resumes
it.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
Step 2 Select the subscription you want to delete by clicking the radio button beside it.
Step 3 Click Delete.
Step 4 Click OK in the confirmation dialog box.
The Syslog Subscriptions page appears. The subscription is no longer displayed.
Note The ports and protocols used by Cisco Prime are listed in Installing and Migrating to Cisco Prime LAN
Management Solution 4.2.
Note If your devices send SNMP traps to a Network Management System (NMS) or a trap daemon, see
Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs.
Since LMS uses SNMP MIB variables and traps to determine device health, you must configure your
devices to provide this information. For any Cisco device that you want LMS to monitor, SNMP must
be enabled and the device must be configured to send SNMP traps to the LMS server.
Make sure your devices are enabled to send traps to LMS by using the command line or GUI interface
appropriate for your device:
• Enabling Cisco IOS-Based Devices to Send Traps to LMS
• Enabling Catalyst Devices to Send SNMP Traps to LMS
where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the
SNMP trap receiving host (the LMS server).
For more information, see the appropriate command reference guide.
To enable Cisco IOS-Based devices to send traps to LMS:
where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the
SNMP trap receiving host (the LMS server).
For more information, see the appropriate command reference guide.
Scenario: Network devices send traps to port 162 of the host where LMS is running. LMS receives the
traps and forwards them to the NMS.
Advantages:
• No reconfiguration of the NMS is required.
• No reconfiguration of network devices is required.
• LMS provides a reliable trap reception and forwarding mechanism.
• NMS continues to receive traps on port 162.
• Network devices continue to send traps to port 162.
Scenario: NMS receives traps on default port 162 and forwards them to port 162 on the host where LMS
is running.
Advantages:
• No reconfiguration of the NMS is required.
• No reconfiguration of network devices is required.
• LMS does not receive traps dropped by the NMS.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap receiving settings.
Step 2 Enter the port number in the Receiving Port text box.
Step 3 Click Apply.
For a list of ports that are already in use, see Installing and Migrating to Cisco Prime LAN Management
Solution 4.2. If you have two instances of the DfmServer process running, traps will be forwarded from
the first instance to the second instance.
Note Your login determines whether or not you can perform this task. View the Cisco Prime Permission
Report (Reports > System > Users > Permission) to determine which tasks are permitted for each user
role.
LMS will only forward SNMP traps from devices in the LMS inventory. LMS will not change the trap
format—it will forward the raw trap in the format in which it was received from the device. All traps are
forwarded in V1 (SNMP Version) format. In LMS 4.2, trap support is provided for SNMPv3 configured
devices, unknown devices and non-Cisco devices.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding.
Step 2 For each host, enter:
• An IP address or DNS name for the hostname.
• A port number on which the host can receive traps.
Step 3 Click Apply.
Field Description
Trap Group Name Name of the Trap Receiver Group. Click the Name hyperlink to view the details of the Trap Receiver Group created.
Number of Receivers Number of Trap Receivers added to the Trap Receiver Group.
Create (button) Creates a Trap Receiver Group. See Creating a Trap Receiver Group.
Edit (button) Modifies an existing Trap Receiver Group. See Editing a Trap Receiver Group.
Delete (button) Deletes an existing Trap Receiver Group. See Deleting a Trap Receiver Group.
Filter (button) Filters information based on the criteria that you select from the drop-down list. The drop-down list contains the following criteria:
• All
• Group Name
See Filtering Trap Receiver Groups.
You can perform the following tasks from the Trap Receiver Groups dialog box:
• Creating a Trap Receiver Group
• Editing a Trap Receiver Group
• Deleting a Trap Receiver Group
• Filtering Trap Receiver Groups
Step 1 Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The Trap Receiver Groups page appears.
Step 2 Click Create.
The Create Trap Receiver Group page appears, displaying the Trap Group Configuration dialog box.
Table 10-7 describes the fields in the Trap Group Configuration dialog box.
Field Description
Group Name Enter the name of the Trap Receiver Group. For example, Trap Receiver Group 1. The name can contain a mix of letters, numerals, and some special characters (such as - _ . # @ $ &).
Receiver Details
Host Enter the IP address or hostname of the destination to which the trap message should be delivered. For example, 10.77.201.52.
Port Enter the port number on which the Trap Receiver is listening for traps. The default port value is 162. This field is optional.
Community Enter the community string that appears in the trap message. The default community string is public. This field is optional.
Create (button) Creates the Trap Receiver Group.
Add More (button) Adds more hosts to the present group.
Cancel (button) Cancels the creation of the Trap Receiver Group.
Step 3 Enter a descriptive name for the Trap Group name in the GroupName field.
Step 4 Enter the IP address or hostname of the destination to which the trap should be delivered in the Host
field.
Step 5 Enter the Port Number on which Trap Receiver is listening for traps in the Port field.
Step 6 Enter the community string that appears in the trap message in Community field.
The community string will be displayed as asterisks.
Note You can add as many as five hosts or devices to the Trap Group by default.
Step 1 Click Add More to add another host's information to the Trap Group. Go to Step 4 to continue.
Step 2 Click Create to create the Trap Group.
Or
Click Cancel to cancel the operation.
The Trap Receiver Group dialog box appears, displaying the Trap Groups.
Step 1 Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The Trap Receiver Groups dialog box appears.
Step 2 Select the Trap Receiver Group by checking the corresponding check box against the Trap Receiver
Group Name.
Step 3 Click Edit.
The Edit Trap Receiver Group dialog box appears, displaying the earlier settings.
Table 10-8 describes the fields in the Trap Group Configuration dialog box.
Field Description
Group Name Name of the Trap Receiver Group. For example, Trap Receiver
Receiver Details
Host Enter the IP address or hostname of the destination to which the trap message should be delivered. For example, 10.77.201.52.
Port Enter the port number on which the Trap Receiver is listening for traps. For example, 162.
Community Enter the community string that appears in the trap message. The default community string is public.
Update (button) Updates the Trap Receiver Group.
Add More (button) Adds more hosts to the present group.
Cancel (button) Cancels the modification of the Trap Receiver Group.
Step 1 Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The List of Trap Receiver Groups dialog box appears.
Step 2 Select the Trap Group Name by checking the appropriate check box.
You can select multiple Trap Receiver Groups by checking their respective check boxes.
Step 3 Click Delete.
A message appears, prompting you to confirm the deletion.
Step 4 Click OK to delete the Trap Receiver Groups.
Or
Click Cancel to cancel the operation.
If you choose to click OK, a message appears that the Trap Receiver Group is deleted successfully.
The Trap Receiver Groups dialog box appears.
Step 1 Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The List of Trap Receiver Group dialog box appears.
Step 2 Select a criterion for filtering from the drop-down list.
Step 3 Enter the data to be filtered.
Step 4 Click Show.
The List of Trap Receiver Groups dialog box appears, displaying the Trap Receiver Group information
based on the filter criteria.
Table 10-9 describes the criteria to filter.
Field Description
Syslog Group Name Name of the Syslog Receiver Group. For example, Syslog Group.
Number of Receivers Number of Syslog Receivers added to the Syslog Receiver Group.
Create (button) Creates a Syslog Receiver Group. See Creating a Syslog Receiver Group.
Edit (button) Modifies an existing Syslog Receiver Group. See Editing a Syslog Receiver Group.
Delete (button) Deletes an existing Syslog Receiver Group. See Deleting a Syslog Receiver Group.
Filter (button) Filters information based on the criteria that you select from the drop-down list. The drop-down list contains the following criteria:
• All
• Group Name
See Filtering Trap Receiver Groups
Update Facility (button) Sends the Syslog message to the receiver, based on the facility level selected in the drop-down list. The drop-down list contains the following criteria:
• local 0
• local 1
• local 2
• local 3
• local 4
• local 5
• local 6
• local 7
You can perform the following tasks from the Syslog Receiver Groups dialog box:
• Creating a Syslog Receiver Group
• Editing a Syslog Receiver Group
• Deleting a Syslog Receiver Group
• Filtering Syslog Receiver Groups
Step 1 Select Admin > Network > Notification and Action Settings > Performance - Syslog notification.
The Syslog Receiver Groups dialog appears.
Step 2 Click Create.
The Create Syslog Receiver Group page appears, displaying the Syslog Group Configuration dialog box.
Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Field Description
Group Name Enter the name of the Syslog Group. For example, Syslog Group. The name can contain a mix of letters, numerals, and some special characters (such as - _ . # @ $ &).
Receiver Details
Host Enter the IP address or hostname of the destination to which the syslog message should be delivered. For example, 10.77.201.52. This IP address should be DNS resolvable.
Port Enter the port number on which the Syslog Receiver is listening for syslog messages. The default port value is 514. This field is optional.
Create (button) Creates the Syslog Receiver Group.
Add More (button) Adds more hosts to the present group.
Cancel (button) Cancels the creation of the Syslog Receiver Group.
Step 3 Enter a descriptive name for the Syslog Group name in the GroupName field.
Step 4 Enter the IP address or hostname of the destination to which the Syslog messages should be delivered in
the Host field.
Step 5 Enter the Port Number on which Syslog Receiver is listening for Syslog Messages in the Port field.
Note You can add as many as five hosts or devices to the Syslog Group by default.
Step 1 Click Add More to add another host's information to the Syslog Group. Go to Step 4 to continue.
Step 2 Click Create to create the Syslog Group.
Or
Click Cancel to cancel the operation.
The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.
Step 1 Select Admin > Network > Notification and Action Settings > Performance - Syslog notification.
The Syslog Receiver Groups dialog box appears.
Step 2 Select the Syslog Receiver Group by checking the corresponding check box against the Syslog Receiver
Group Name.
Step 3 Click Edit.
The Edit Syslog Receiver Group dialog box appears, displaying the earlier settings.
Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Field Description
Group Name Name of the Syslog Group. For example, Syslog Group.
Receiver Details
Host Enter the IP address or hostname of the destination to which the Syslog message should be delivered. For example, 10.77.201.52.
Port Enter the port number on which the Syslog Receiver is listening for Syslog messages. The default port number is 512.
Update (button) Updates the Syslog Receiver Group.
Add More (button) Adds more hosts to the present group.
Cancel (button) Cancels the modification of the Syslog Receiver Group.
Step 1 Select Admin > Network > Notification and Action Settings > Performance - Syslog notification.
The Syslog Receiver Groups dialog box appears.
Step 2 Select the Syslog Group Name by checking the appropriate check box.
You can select multiple Syslog Receiver Groups by checking their respective check boxes.
Step 3 Click Delete.
A message appears, prompting you to confirm the deletion.
Step 4 Click OK to delete the Syslog Receiver Groups.
Or
Step 1 Select Admin > Network > Notification and Action Settings > Performance - Syslog notification.
The List of Syslog Receiver Group dialog box appears.
Step 2 Select a criterion for filtering from the drop-down list.
Step 3 Enter the data to be filtered.
Step 4 Click Show.
The Syslog Receiver Groups dialog box appears, displaying the Syslog Receiver Group information
based on the filter criteria.
Table 10-13 describes the criteria to filter.
Column Description
Name Name of the automated action.
Status Status of the automated action at creation time: Enabled or Disabled.
Type Type of automated action: E-mail, Script, or URL.
Note View the Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Using the automated actions dialog box, you can do the following tasks:
Task Button
Create an automated action (see Creating an Automated Action). Create
Edit an automated action (see Editing an Automated Action). Edit
Enable or Disable an automated action (see Enabling or Disabling an Automated Action) Enable/Disable
Import or Export an automated action (see Exporting or Importing an Automated Action) Import/Export
Delete an automated action (see Deleting an Automated Action). Delete
If you are creating an automated action, see the example (Automated Action: An Example) of how to set
up an automated action that sends an e-mail when a specific Syslog message is received.
On Windows, you cannot set up an automated action to execute an .exe file that interacts with the
Windows desktop. For example, you cannot make a window pop up on the desktop.
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, with a list of automated actions, appears in the Automated Actions page. Here, you can
choose whether to include interfaces of selected devices or not. For the description of the columns in the
Automated Actions dialog box, see Defining Automated Actions.
Step 2 Click Create.
A dialog box appears for device selection.
Step 3 Select All Managed Devices or Choose Devices.
If you select the All Managed Devices option:
• You cannot select the individual devices or device categories from the device selector.
• All managed devices are considered.
• The syslog messages from the various device interfaces are considered for creating automated
actions.
If you select Choose Devices option, you must select the required devices.
Step 4 Click Next.
A dialog box appears in the Define Message Type page.
Step 5 Enter a unique name for the automated action that you are creating.
Step 6 Select either Enabled or Disabled as the status for the action at creation time.
Step 7 Select the Syslog message types for which you want to trigger the automated action from the Define New
Message Type section of the dialog box.
Step 8 Click Next.
The Automated Action Type dialog box appears.
Step 9 Select a type of action (E-mail, URL, or Script) from the Select a type of action drop-down list box.
• If you select E-mail, enter the following information in the Automated Action Type dialog box:
Field Description
Send to List of comma separated e-mail addresses. Mandatory field.
Subject Subject of the e-mail.
Content Content that you want the e-mail to contain.
• If you select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action
type dialog box. In the URL, you can use the following parameters:
– $D (for the device)
– $M (for the complete syslog message).
When the URL is invoked, if you have specified $D or $M, then $D is substituted with the device
hostname or IP address and $M is substituted with the syslog message.
For example, if the URL is
http://hostname/script.pl?device=$D&mesg=$M
When invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog
message.
• If you select Script, enter the script to be used, in the Script to execute field of the Automated Action
type dialog box.
Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files
(*.bat) on Windows. The shell script or batch file should have only write/execute permissions for
casuser:casusers in UNIX and casuser/Administrator in Windows.
The other users should have only read permission. You must ensure that the scripts contained in the
file have permissions to execute from within the casuser account.
The script files must be available at this location:
On Windows:
NMSROOT/files/scripts/syslog
On UNIX:
/var/adm/CSCOpx/files/scripts/syslog
If the executable program produces any errors or writes to the console, the errors will be logged as Info
messages in the SyslogAnalyzer.log.
This file is available at:
On UNIX,
/opt/CSCOpx/log directory
On Windows,
NMSROOT\log directory (where NMSROOT is the root directory of the LMS Server).
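The ownership and permission rule for automated-action scripts can be checked on a UNIX server before a script is attached to an action. The shell function below is an added example, not part of LMS: it lists files in the script directory that are not owned by the expected user and group or that give other users write or execute access. The check that the directory itself is not writable by other users is an extra assumption of this example, not a requirement stated in this guide.

```shell
#!/bin/sh
# Added example (not LMS code): audit the automated-action script directory
# against the rule in this guide: owner/group casuser:casusers may write and
# execute, every other user has read permission only.

# audit_script_dir DIR OWNER GROUP
#   status 0: nothing to report
#   status 1: findings were printed, one per line
#   status 2: DIR is missing or find could not evaluate OWNER/GROUP
audit_script_dir() {
    dir=$1; owner=$2; group=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Extra check (assumption of this example): if other users can write to
    # the directory, they can replace a script even when its mode is correct.
    open_dir=$(find "$dir" -prune -perm -o+w -print) || return 2

    # Files with the wrong owner or group, or with write or execute
    # permission granted to other users.
    bad_files=$(find "$dir" -type f \
        \( ! -user "$owner" -o ! -group "$group" -o -perm -o+w -o -perm -o+x \) \
        -print) || return 2

    if [ -z "$open_dir" ] && [ -z "$bad_files" ]; then
        return 0
    fi
    if [ -n "$open_dir" ]; then
        printf 'directory writable by others: %s\n' "$open_dir"
    fi
    if [ -n "$bad_files" ]; then
        printf '%s\n' "$bad_files" | sort
    fi
    return 1
}

# Stand-alone use on the LMS server, for example:
#   sh audit.sh /var/adm/CSCOpx/files/scripts/syslog
# OWNER and GROUP default to the account named in this guide.
if [ "$#" -ge 1 ]; then
    audit_script_dir "$1" "${2:-casuser}" "${3:-casusers}"
fi
```

A non-zero exit status makes the function usable as a gate in a deployment script or a scheduled check.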
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, displaying the list of automated actions, appears in the Automated Actions page.
For the description of the columns in the Automated Actions dialog box, see Defining Automated
Actions.
Step 2 Select an automated action from the drop-down list and click Edit.
The Select Devices dialog box appears.
Step 3 Select the required devices and click Next.
A dialog box appears in the Define Message Type page.
This dialog box allows you to:
• Change the Message Filter Type: from Enabled to Disabled, or vice versa.
• Add a message type
• Edit a message type
• Delete a message type
• Select a message type from system-defined message types
Step 4 Click Next.
Step 5 The Automated Action Type dialog box appears.
This dialog box allows you to change the type of action. For example, you can change from E-mail to
URL or Script.
• For E-mail, enter or change the following information in the Automated Action type dialog box:
Field Description
Send to List of comma separated e-mail addresses.
Subject Subject of the e-mail (optional).
Content Content that you want the e-mail to contain.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job completes, an e-mail is sent with the
E-mail ID as the sender's address.
• For URL, enter or change the URL to be invoked, in the Automated Action type dialog box. If you
select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action type
dialog box. In the URL, you can use the following parameters:
– $D (for the device)
– $M (for the complete syslog message).
When the URL is invoked, if you have specified $D or $M, then $D is substituted with the device
hostname or IP address and $M is substituted with the syslog message.
For example, if the URL is
http://hostname/script.pl?device=$D&mesg=$M
When invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog
message.
• If you select Script, enter the script to be used, in the Script to execute field of the Automated Action
type dialog box.
Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files
(*.bat) on Windows. The shell script or batch file should have only write/execute permissions for
casuser:casusers in UNIX and casuser/Administrator in Windows.
The other users should have only read permission. You must ensure that the scripts contained in the
file have permissions to execute from within the casuser account.
The script files must be available at this location:
On Windows:
NMSROOT/files/scripts/syslog
On UNIX:
/var/adm/CSCOpx/files/scripts/syslog
To select the script file:
a. Click Browse.
The External Config Selector dialog box appears.
b. Select the file (*.sh on Unix and *.bat on Windows).
Step 6 Click Finish.
The edited automated action appears in the dialog box on the Automated Action page.
Step 1 Copy the sampleEmailScript.pl from RME 3.5 or older to the new LMS 4.2 server and put this file in:
For Solaris/Soft Appliance:
/var/adm/CSCOpx/files/scripts/syslog directory
For Windows:
NMSROOT/files/scripts/syslog
Step 2 Write a shell script for Solaris/Soft Appliance or .bat file for Windows in the same directory.
Here is an example shell script (called syslog-email.sh) for UNIX:
#!/bin/sh
# $1 = device that sent the message, $2 = syslog message text
/opt/CSCOpx/bin/perl /var/adm/CSCOpx/files/scripts/syslog/sampleEmailScript.pl \
    -text_message "Message: $2 from device: $1" \
    -email_ids nobody@nowhere.com \
    -subject "Syslog Message: $2" \
    -from nobody@nowhere.com \
    -smtp mail-server-name.nowhere.com
For Windows, replace $1 and $2 with %1 and %2 and change the directory accordingly.
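Syslog text originates on the devices, so the wrapper can treat both arguments as untrusted input before handing them to the mail script. The variant of syslog-email.sh below is an added example, not Cisco's script: the helper names, the 200-byte limit and the character set accepted for the device argument are assumptions, while the perl path, script path and options are the ones shown above.

```shell
#!/bin/sh
# Added example (not Cisco's script): syslog-email.sh with input checks.
# $1 = device, $2 = syslog message, as in the script above.

PERL=/opt/CSCOpx/bin/perl
MAILER=/var/adm/CSCOpx/files/scripts/syslog/sampleEmailScript.pl
MAX_LEN=200   # assumed cap on the message text placed in subject and body

# clean_field VALUE MAXLEN -> VALUE with control characters (CR, LF, tab,
# escape, ...) removed and cut to MAXLEN bytes, so it stays on a single line.
clean_field() {
    printf '%s' "$1" | LC_ALL=C tr -d '\000-\037\177' | LC_ALL=C cut -c "1-$2"
}

# valid_device VALUE -> succeeds only for something shaped like a hostname or
# an IP address; a leading "-" is refused so it cannot be read as an option.
valid_device() {
    case $1 in
        ''|-*|*[!A-Za-z0-9.:_-]*) return 1 ;;
    esac
    [ "${#1}" -le 255 ]
}

# send_alert DEVICE MESSAGE -> validate, clean, then call the mail script
# with the same options the original wrapper uses.
send_alert() {
    valid_device "$1" || { echo "rejected device argument" >&2; return 1; }
    msg=$(clean_field "$2" "$MAX_LEN")
    "$PERL" "$MAILER" \
        -text_message "Message: $msg from device: $1" \
        -email_ids nobody@nowhere.com \
        -subject "Syslog Message: $msg" \
        -from nobody@nowhere.com \
        -smtp mail-server-name.nowhere.com
}

# LMS passes the device and the message as the two arguments.
if [ "$#" -ge 2 ]; then
    send_alert "$1" "$2"
fi
```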
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, displaying the list of automated actions, appears in the Automated Action page. For the
description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2 Select the required automated action from the list in the dialog box.
Step 3 Click Enable/Disable to toggle its status.
The dialog box in the Automated Action page is refreshed and it displays the changed state for the
specified automated action.
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, displaying the list of automated actions, appears in the Automated Action page.
For the description of the columns in the Automated Actions dialog box, see Defining Automated
Actions.
Step 2 Select an automated action. You can select more than one automated action.
If you do not select an automated action before clicking the Export/Import button, then only the Import
option will be available. The Export option will be disabled.
Step 3 Click Export/Import.
The Export/Import Automated Actions dialog box appears with the Export or Import options.
Step 4 Select either Export or Import.
Step 5 Either:
• Enter the location of the file to be exported or imported.
Or
• Click Browse.
The Server Side File Browser appears. You can select a valid file, and click OK.
The file location appears in the Export/Import dialog box.
Step 6 Click OK.
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, displaying the list of automated actions, appears in the Automated Action page.
For the description of the columns in the Automated Actions dialog box, see Defining Automated
Actions.
Step 2 Select the required automated action from the list in the dialog box.
Step 3 Click Delete.
You will be asked to confirm the deletion. If you confirm the deletion, the action will be deleted.
Note View the Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, with a list of automated actions, appears in the Automated Action page. For the description
of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2 Click Create.
The Devices Selection dialog box appears.
Step 3 Select the required devices and click Next.
The Define Message Type dialog box appears.
Step 4 Enter a unique name for the automated action that you are creating.
Step 5 Select either Enabled, or Disabled as the status for the action at creation time.
Step 6 Click Select.
The Select System Defined Message Types dialog box appears.
Step 7 Select the SYS folder, then select the SYS-*-5-CONFIG_I message from the Select System Defined
Message Types list, and click OK.
The dialog box on the Define Message Type page appears.
Step 8 Click Next.
The Automated Action Type dialog box appears.
Step 9 Select the type of action—E-mail, Script, or URL.
If you had selected Email in Step 9: Enter the following information:
Field Description
Send to List of comma-separated e-mail addresses.
Subject Subject of the e-mail (optional).
Content Content that you want the e-mail to contain.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin >
System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). If a syslog is found with the matching type for managed
(normal) devices, an e-mail is sent with the E-mail ID as the sender's address. Then go to Step 10.
If you had selected Script in Step 9: Choose the appropriate bat file for Windows, or shell script for
Solaris, from the File Selector. For details about these files, see the topic Creating an Automated Action.
Then go to Step 10.
If you had selected URL in Step 9: Enter the URL to be invoked. If you select URL, enter the URL to
be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can
use the following parameters:
– $D (for the device)
– $M (for the complete syslog message).
When the URL is invoked, if you have specified $D or $M, then, $D is substituted with the device
hostname or IP address and $M is substituted with the syslog message.
For example, if the URL is
http://hostname/script.pl?device=$D&mesg=$M
When invoked, $D is replaced with 10.68.12.2 (where 10.68.12.2 is the IP address of the device) and
$M is replaced with the URL-encoded syslog message.
Step 10 Click Finish.
Also see Verifying the Automated Action.
Step 1 Select a managed router that is already sending Syslog messages to the LMS server and generate a
SYS-5-CONFIG_I message by changing the message-of-the-day banner as follows:
a. Connect to the managed router using Telnet and log in.
b. In enable mode enter enable, then enter a password.
c. At the config prompt enter configure terminal.
d. Change the banner by entering:
banner motd z
This is a test banner z
end
e. Exit the Telnet session.
Step 2 Make sure that the SYS-5-CONFIG_I message is sent to the LMS Server as follows:
• On UNIX systems, open the syslog_info file located in the /var/log directory, or whichever file has
been configured to receive Syslog messages.
• On Windows systems, open the syslog.log file located in the NMSROOT\log\ directory.
Where NMSROOT is the LMS installation directory.
Step 3 Verify that there is a message from the managed router whose banner-of-the-day was changed.
This message appears at the bottom of the log.
• If the message is in the file, an e-mail is mailed to the e-mail ID specified.
• If the message is not in the file, the router has not been configured properly to send Syslog messages
to the LMS Server.
• Deleting a Filter
You can exclude messages from Syslog Analyzer by creating filters.
Note View the Permission Report (Reports > System > Users > Permission) to check if you have the
required privileges to perform this task.
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box appears in the Message Filters page.
A list of all message filters is displayed in this dialog box, along with the names, and the status of each
filter—Enabled, or Disabled.
Step 2 Specify whether the filters are for dropping the Syslog messages or for keeping them, by selecting either
Drop or Keep.
• If you select Drop, the Common Syslog Collector drops the syslogs that match any of the Drop
filters from further processing.
• If you select Keep, Collector allows only the syslogs that match any of the “Keep” filters, for further
processing.
Note The Drop or Keep options apply to all message filters. They do not apply to individual filters.
Task Button
Create a filter (see Creating a Filter). Create
Edit a filter (see Editing a Filter). Edit
Enable or disable a filter (see Enabling or Disabling a Filter). Enable/Disable
Export or import a filter. (see Exporting or Importing a Filter). Export/Import
Delete a filter (see Deleting a Filter). Delete
Creating a Filter
To create a filter for Syslog messages:
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box with a list of filters appears in the Message Filter page.
Step 2 Specify whether the filter should be dropped or kept, by selecting either Drop or Keep.
• If you select Drop, the Common Syslog Collector drops the Syslogs that match any of the Drop
filters from further processing.
• If you select Keep, Collector allows only the Syslogs that match any of the Keep filters, for further
processing.
Note The Drop or Keep options apply to all message filters. They do not apply to individual filters.
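The following added example (not Cisco code) models the Drop/Keep rule described in both filter procedures above, to show what flipping the global option does to one unchanged filter list. The filter shape (a device set plus facility, severity and mnemonic patterns), the device names and the sample messages are constructed assumptions, as is the treatment of disabled filters as never matching.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Cisco IOS message body: %FACILITY-SEVERITY-MNEMONIC: description
_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
)


@dataclass(frozen=True)
class MessageFilter:
    """Assumed filter shape: selected devices plus glob patterns for the message type."""
    name: str
    devices: frozenset
    facility: str = "*"
    severity: str = "*"
    mnemonic: str = "*"
    enabled: bool = True

    def matches(self, device, line):
        m = _MSG.search(line)
        if m is None or device not in self.devices:
            return False
        return all(
            fnmatchcase(m[field], getattr(self, field))
            for field in ("facility", "severity", "mnemonic")
        )


def forwarded(mode, filters, device, line):
    """True if the message goes on to further processing under the global mode."""
    if mode not in ("Drop", "Keep"):
        raise ValueError("mode must be 'Drop' or 'Keep'")
    # Assumption: a disabled filter never matches.
    hit = any(f.enabled and f.matches(device, line) for f in filters)
    # Drop: a match removes the message. Keep: only a match lets it through.
    return hit if mode == "Keep" else not hit


def triage(mode, filters, events):
    """Return the (device, line) events that survive filtering."""
    return [(d, l) for d, l in events if forwarded(mode, filters, d, l)]


# Constructed sample input (not captured from a real network).
EVENTS = [
    ("rtr-edge-1", "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)"),
    ("rtr-edge-1", "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    ("sw-core-2", "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to down"),
]

# A filter written with Drop in mind: silence link flaps from one noisy router.
LINK_FLAPS = MessageFilter(
    "link-flaps", frozenset({"rtr-edge-1"}), facility="LINK", mnemonic="UPDOWN"
)

if __name__ == "__main__":
    for mode in ("Drop", "Keep"):
        print(mode, "->", triage(mode, [LINK_FLAPS], EVENTS))
```

With the same filter list, Keep forwards only the link flap and discards the SYS-5-CONFIG_I change notification, so review every existing filter before changing the global option.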
Editing a Filter
To edit a filter:
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box, displaying the list of filters, appears in the Message Filter page.
Step 2 Select a filter by clicking on its check box, and click Edit.
The Select Devices dialog box appears.
Step 3 Select the required devices and click Next.
A dialog box appears in the Define Message Type page.
This dialog box allows you to:
• Change the filter Status—From Enabled to Disabled, or vice versa.
• Add a message type
• Edit a message type
• Delete a message type
Enabling or Disabling a Filter
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box, with the list of filters, appears in the Message Filter page.
Step 2 Select the required filter from the list in the dialog box.
Step 3 Click Enable/Disable to toggle its status.
The dialog box in the Message Filter page is refreshed and it displays the changed state for the specified
filter.
Exporting or Importing a Filter
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box, with the list of filters, appears in the Message Filter page.
Step 2 Select a filter. You can select more than one filter.
Step 3 Click Export/Import.
The Export/Import dialog box appears with the Export or Import options.
Step 4 Select either Export or Import.
Step 5 Either:
• Enter the location of the file to be exported or imported.
Or
a. Click Browse.
The Server Side File Browser appears.
b. Select a valid file location, and click OK.
The file location appears in the Export/Import dialog box.
Step 6 Click OK.
Deleting a Filter
To delete a filter:
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box, displaying the list of filters, appears in the Message Filter page.
Step 2 Select the required filter from the list in the dialog box.
Step 3 Click Delete.
When you confirm the deletion, the filter is deleted.
Table 10-14 lists the various fields and buttons available in the Notification on Failure Window:
Field Description
All Check this option, if you require both the Config Fetch Failure and Inventory Collection Failure trap
notification to be sent to the listed servers.
The listed servers are those servers that you have configured to receive trap notifications. See the
description for List of Destination field for more information.
Config Collection Check this option, if you require the Config Fetch Failure trap notification to be sent to the listed
servers.
Uncheck this option if you do not want the Config Fetch Failure trap notification to be sent to the listed
servers.
The listed servers are those servers that you have configured to receive trap notifications. See the
description for List of Destination field for more information.
Inventory Collection Check this option, if you require the Inventory Collection Failure trap notification to be sent to the listed
servers.
Uncheck this option if you do not want the Inventory Collection Failure trap notification to be sent to
the listed servers.
The listed servers are those servers that you have configured to receive trap notifications. See the
description for List of Destination field for more information.
Trap Destination Information
Server The name or IP address of the destination server.
Port The port number of the destination server.
List of Destinations The names of the destination servers along with their ports which are configured to receive the trap
notifications.
Buttons
Add Use the Add button to add the destination server and port information. On clicking Add, the server and
port information get reflected in the List of Destinations list.
Delete Use the Delete button to remove server and port information from the List of Destinations. To do so,
select one or more server and port entries from the List of Destinations and click Delete to remove
the entries from the list.
Apply Click to accept the changes made.
Step 1 Select Admin > Network > Notification and Action Settings > Inventory and Config collection
failure notification.
The Notification on Failure dialog box appears. Refer to to further complete the selection in this dialog
box.
Step 2 Click Apply to accept the changes made.
Step 1 Select Admin > Network > Notification and Action Settings > IPSLA Syslog Configuration.
The IPSLA Syslog Configuration page appears.
Step 2 Click Enable.
If you click Enable, LMS will run the IPSLA CLI Command on the selected device, through the config
job on the LMS server. This enables the generation of the IPSLAs specific traps through the system
logging (Syslog process). An immediate job will be created in LMS and the Job ID link appears. Clicking
the link will display the Syslog details.
Or
If you click Disable, LMS will run the IPSLA CLI Command on the selected device, through the config
job on the LMS server. An immediate job will be created in LMS and the Job ID link appears. Clicking
the link will display the Syslog details.
Note In a Multi-server setup among different versions, IPSLA Syslog enables supported version will be
greater than LMS 4.2
Change Audit tracks and reports changes made in the network. Change Audit allows other LMS to log
change information to a central repository. Device Configuration, Inventory, and Software Management
changes can be logged and viewed using Change Audit.
LMS writes change records to Change Audit. Change Audit stores these records in the log tables
(summary and details) for later use with reports.
For example, Software Management records a change for each completed device upgrade. If a job has
ten devices, then Software Management writes ten entries to the Change Audit log, but the Change Audit
report shows only one job with ten devices. You can then access individual device information.
Each application writes its own change records to Change Audit. For example, in Inventory you can set
inventory change filters to filter out all kinds of information for different device types. Change Audit
record maintenance is controlled by the Change Audit Delete Change History option.
You can convert change records into SNMP V1 traps and forward them to a destination of your choice.
This allows system administrators to forward critical network change data to their own NMS.
You can define automated actions (e-mail and automated scripts) on creation of change audit record. The
automated action gets triggered on creation of the change audit record.
This section contains:
• Setting Up Preferences
• Performing Change Audit Tasks
• Performing Maintenance Tasks
• Defining Exception Periods
• Defining Change Audit Automated Actions
• Software Management Administration Tasks
• Setting Change Report Filters
Setting Up Preferences
You can use this feature to set up your editing preferences. Config Editor remembers your preferred
mode, even across different invocations of the application.
You can change the mode using the Device and Version, Pattern Search, Baseline or External
Configuration option but the changes do not affect the default settings.
To set up preferences:
Step 1 Select Configuration > Tools > Config Editor > Edit Mode Preference.
The User Preferences dialog box appears.
Step 2 Set the default edit mode:
• Select Processed to display the file in the Processed mode.
The configuration file appears at the configlet level (a set of related configuration commands). The
default is Processed.
• Select Raw to display the file in the Raw mode.
The entire file appears as shown in the device.
Step 3 Click Apply to apply the set preferences.
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Purge Settings > ChangeAudit Purge Policy.
The Purge Policy dialog box appears in the Periodic Purge Settings pane.
Step 2 Enter the following information:
Field Description
Purge change audit records older than Enter the number of days. Only Change Audit records older than the number of days that you
specify here, will be purged.
The default is 180 days.
Purge audit trail records older than Enter the number of days. Only Audit Trail records older than the number of days that you
specify here, will be purged.
The default is 180 days.
Scheduling
Run Type You can specify when you want to run the Purge job for Change Audit and Audit Trail records.
To do this select one of the following options from the drop-down menu:
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the day of the week and at the specified time.
• Monthly—Runs monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is
complete.
For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance
of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1
job has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m.
November 2, then the next job will start only at 10:00 a.m. on November 3.
Date You can select the date and time (hours and minutes) to schedule.
at Enter the start time, in the hh:mm:ss format (23:00:00).
Job Info
Job Description The system default job description, ChangeAudit Records - default purge job is displayed.
You cannot change this description.
E-mail Enter e-mail addresses to which the job sends messages at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog
box (Admin > System > System Preferences). When the job starts or completes, an e-mail is
sent with the E-mail ID as the sender's address.
Caution You might delete data by changing these values. If you change the number of days to values lower than
the current values, messages over the new limits will be deleted.
Step 3 Click either Save to save the Purge policy that you have specified, or click Reset to reset the changes
made to a Purge policy.
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Purge Settings > ChangeAudit Force Purge.
The Purge Policy dialog box appears.
Step 2 Enter the information required to perform a Forced Purge:
Field Description
Purge change audit records older than Enter the number of days. Only Change Audit records older than the number of days that you specify
here, will be purged.
Purge audit trail records older than Enter the number of days. Only Audit Trail records older than the number of days that you specify
here, will be purged.
Scheduling
Run Type You can specify when you want to run the Forced Purge job for Change Audit and Audit Trail records.
To do this select one of the following options from the drop-down menu:
• Immediate—Runs this task immediately.
• Once—Runs this task once at the specified date and time.
Date Enter the start date in the dd-mmm-yyyy format, for example, 02-Dec-2003, or click on the Calendar
icon and select the date.
The Date field is enabled only if you have selected Once as the Run Type.
at Enter the start time, in the hh:mm:ss format (23:00:00).
The At field is enabled only if you have selected Once as the Run Type.
Job Info
Job Description Enter a description for the job. This is mandatory.
E-mail Enter e-mail addresses to which the job sends messages at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin
> System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with
the E-mail ID as the sender's address.
Step 1 Select Admin > Network > Change Audit Settings > Config Change Filter.
The Config Change Filter dialog box appears.
Step 2 Check or uncheck the Enable VLAN Change Audit Filter option.
• Check Enable VLAN Change Audit Filter, if you do not want the change audit record to be created
for devices that have a VLAN configuration. By default, this option is checked.
• Uncheck Enable VLAN Change Audit Filter, if you want the change audit record to be created for
devices that have VLAN configuration.
Step 3 Click either Apply to apply the option or click Cancel to discard the changes.
Tasks Description
Creating an Exception Period Creating an exception profile.
Enabling and Disabling an Exception Period Enabling and disabling a set of exception profiles.
Editing an Exception Period Editing an exception profile.
Deleting an Exception Period Deleting a set of exception profiles.
Creating an Exception Period
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Change Audit Settings > Exception Periods.
The Define Exception Period dialog box appears.
Step 2 Select:
• Days of the week from the Day drop-down list box
• Start and end times from the Start Time and the End Time drop-down list box.
Step 3 Click Add.
The defined exception profile appears in the List of Defined Exception Periods pane.
To enable the exception period, see Enabling and Disabling an Exception Period.
Enabling and Disabling an Exception Period
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Change Audit Settings > Exception Periods.
The Define Exception Period dialog box appears.
Step 2 Select one or more exception profiles in the List of Defined Exception Periods pane.
Step 3 Click Enable/Disable.
• If you have selected Enabled, then the exception period report is generated for that specified time
frame.
• If you have selected Disabled, then the exception period report is not generated for that whole day.
For example: If you have disabled exception period for Monday from 10:00 am to 12:30 pm, then
there will not be any exception period report generated for Monday.
Editing an Exception Period
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Change Audit Settings > Exception Periods.
The Define Exception Period dialog box appears.
Step 2 Select a day from the Day drop-down list box for which you want to change the exception period.
Step 3 Change the start and end times in the Start Time and the End Time drop-down list box.
If required you can also enable or disable the status for the exception period.
Step 4 Click Add.
The edited exception profile appears in the List of Defined Exception Period dialog box. This will
overwrite the existing exception profile for that day.
Deleting an Exception Period
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Change Audit Settings > Exception Periods.
The Define Exception Period dialog box appears.
Step 2 Select one or more exception profiles in the List of defined Exception Periods pane.
Step 3 Click Delete.
Field Description
Name Name of the automated action.
Status Status of the automated action—Enabled, or disabled.
Type Type of automated action—Email, Script or Trap.
Tasks Description
Creating an Automated Action Creating an automated action.
Enabling and Disabling an Automated Action Enabling and disabling a set of automated actions.
This button gets activated only after selecting an automated action.
Editing an Automated Action Editing an automated action.
This button gets activated only after selecting an automated action.
Exporting and Importing an Automated Action Exporting and importing a set of automated actions.
Deleting an Automated Action Deleting a set of automated actions.
This button gets activated only after selecting an automated action.
Creating an Automated Action
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Notification and Action Settings > ChangeAudit Automated Actions.
The Automated Action dialog box appears.
Step 2 Click Create.
The Define Automated Action dialog box appears.
Step 3 Enter the following:
Field Description
Name Name for the automated action.
Status Select either Enabled or Disabled for the automated action to trigger.
Application Select the name of the application on which the automated action has to
be triggered.
Category Select the types of the changes, for example, configuration, inventory, or
software on which the automated action has to be triggered.
Mode Select the connection mode or connection modes on which the
automated action has to be triggered.
User Select the user name on which the automated action has to be triggered.
If you have selected E-mail, enter:
Send To Enter the E-mail ID for which the trigger has to be notified.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). You will receive the e-mail with the E-mail ID as the
sender's address.
Subject Enter the subject of the e-mail.
Content Enter the content of the e-mail.
If you have selected Trap, perform:
Enables configuration of a single or dual destination port numbers and hostnames for the traps generated by Change Audit.
Ensure that you have copied these files:
• CISCO-ENCASE-MIB.my
• CISCO-ENCASE-APP-NAME-MIB.my
into the destination system to receive the traps.
These files are available in the following directories on LMS server:
On UNIX:
/opt/CSCOpx/objects/share/mibs
On Windows:
NMSROOT\objects\share\mibs. Where NMSROOT is the root directory of the LMS Server.
a. Enter the Server and Port details in the Define Trap field.
b. Click Add.
The server and port information appears in the List of Destinations text box.
If you want to delete the server and port information, select the server and port information from the List of Destinations
text box and click Delete.
If you have selected Script, enter...
You can run only shell scripts (*.sh) on Unix and batch files (*.bat) on Windows. The shell script or batch file should have
only write/execute permissions for casuser:casusers in Solaris/Soft Appliance and casuser/Administrator in Windows. The
other users should have only read permission. You must ensure that the scripts contained in the file have permissions to execute
from within the casuser account.
The following are the parameters for change audit automated action that will appear in the script:
– Application Name
– Category
– User Name
– Description
– Connection Mode
– Host Name
The script files must be available at this location:
On UNIX:
/var/adm/CSCOpx/files/scripts/changeaudit
On Windows:
NMSROOT/files/scripts/changeaudit
To select the script file:
a. Click Browse.
The Server Side File Browser dialog box appears with the predefined location.
b. Select the script file (*.sh on Unix and *.bat on Windows)
c. Click OK.
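One way to check the script permission requirement stated above on a UNIX LMS server, as an added example that is not Cisco code. It reads the requirement as: owned by casuser:casusers, executable by the owner, and no write or execute bit for other users; the symlink, setuid/setgid and directory checks are extra hardening assumptions that the guide does not state.

```python
import os
import stat

# UNIX script location given in the guide.
SCRIPT_DIR = "/var/adm/CSCOpx/files/scripts/changeaudit"


def audit_script(path, owner_uid, group_gid):
    """Return a list of findings for one script file (empty list means it passes)."""
    st = os.lstat(path)  # lstat: do not follow a symlink placed in the directory
    if stat.S_ISLNK(st.st_mode):
        return ["is a symbolic link; review the target by hand"]
    if not stat.S_ISREG(st.st_mode):
        return ["is not a regular file"]
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    if st.st_gid != group_gid:
        findings.append(f"group gid is {st.st_gid}, expected {group_gid}")
    if st.st_mode & (stat.S_IWOTH | stat.S_IXOTH):
        findings.append("others have write or execute permission")
    if not st.st_mode & stat.S_IXUSR:
        findings.append("owner cannot execute the script")
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid or setgid bit is set")  # assumption: never wanted here
    return findings


def audit_directory(directory, owner_uid, group_gid):
    """Audit every *.sh file in the directory; return {name: [findings]}."""
    report = {}
    # Assumption beyond the guide: a directory writable by others lets any
    # local user swap a script that LMS later runs as casuser.
    if os.stat(directory).st_mode & stat.S_IWOTH:
        report["."] = ["directory is writable by others"]
    for name in sorted(os.listdir(directory)):
        if name.endswith(".sh"):
            report[name] = audit_script(
                os.path.join(directory, name), owner_uid, group_gid
            )
    return report


if __name__ == "__main__":
    import grp
    import pwd

    uid = pwd.getpwnam("casuser").pw_uid
    gid = grp.getgrnam("casusers").gr_gid
    for name, findings in audit_directory(SCRIPT_DIR, uid, gid).items():
        print(name, "OK" if not findings else "; ".join(findings))
```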
Editing an Automated Action
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions.
The Automated Action dialog box appears.
Step 2 Select an Automated Action.
Step 3 Click Edit. (See step 3 to step 5 in Creating an Automated Action.)
Step 4 Click Finish.
The Automated Action window appears with the updated data.
Enabling and Disabling an Automated Action
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions.
The Automated Action dialog box appears.
Step 2 Select one or more Automated actions.
Step 3 Click Enable/Disable.
The Automated Action window appears with the updated data.
Exporting and Importing an Automated Action
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions.
The Automated Action dialog box appears.
Step 2 If you want to export automated actions, select them; otherwise, go to the next step.
Step 3 Click Export/Import.
The Export/Import dialog box appears.
Step 4 Select the task to be performed—Export or Import.
Step 5 Either:
• Enter the filename along with the absolute path.
Or
• Click Browse.
The Server Side File Browser dialog box appears.
a. Select a folder.
b. Click OK.
c. Enter the filename.
Step 6 Click OK.
Deleting an Automated Action
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions.
The Automated Action dialog box appears.
Step 2 Select one or more automated actions.
Step 3 Click Delete.
The Automated Action window appears with the updated data.
Viewing/Editing Preferences
Edit Preferences helps you to set or change your Software Management preferences.
The options you specify here are applicable to Software Management tasks such as image distribution,
image import, etc.
This section contains:
• Selecting and Ordering Protocol Order
• How Recommendation Filters Work for an IOS Image
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Software Image Management > View/Edit Preferences.
The View/Edit Preferences dialog box appears.
Step 2 Enter the following:
Step 3 Either:
• Click Apply to save your changes.
• Click Defaults to display the default configuration.
• Click Cancel to discard the values entered and revert to previously saved values.
Step 1 Select the protocol from the Selected Protocol Order pane.
Step 2 Click Up or Down to reorder the protocols.
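Table columns: Option Number; Include General Deployment Images; Include Latest Maintenance Release (of Each Major Release); Include Images Higher Than Running Image; Include Same Image Feature Subset as Running Image; Recommendation.
Option 1
Include General Deployment Images: Not selected; Include Latest Maintenance Release (of Each Major Release): Not selected; Include Images Higher Than Running Image: Not selected; Include Same Image Feature Subset as Running Image: Not selected
Recommendation: The recommendation image list includes:
• All available images.
• In case of,
– Multiple images with the same version as that of the running image version are present, the image with a higher compatible feature than the running image is recommended.
– Similar images in Cisco.com and Software Management repository, the image from the repository is recommended.
• The image feature can be the same or a superset of the running image.
If a higher version is not available, then no recommendation is made.
Option 2
Include General Deployment Images: Not selected; Include Latest Maintenance Release (of Each Major Release): Not selected; Include Images Higher Than Running Image: Not selected; Include Same Image Feature Subset as Running Image: Selected
Recommendation: The recommended list contains images that have the same feature set as that of the running image.
The images with the highest version among the recommended image list are recommended.
Option 3
Include General Deployment Images: Not selected; Include Latest Maintenance Release (of Each Major Release): Not selected; Include Images Higher Than Running Image: Selected; Include Same Image Feature Subset as Running Image: Not selected
Recommendation: The recommend list contains all types of releases (deployment status).
The images with the highest version among recommended image list are recommended.
The feature set of the recommended image may be superior than the running image.
Option 4
Include General Deployment Images: Not selected; Include Latest Maintenance Release (of Each Major Release): Selected; Include Images Higher Than Running Image: Not selected; Include Same Image Feature Subset as Running Image: Not selected
Recommendation: The latest maintenance version in each release is available in the recommend image list. The latest image version is recommended.
Option 5
Include General Deployment Images: Selected; Include Latest Maintenance Release (of Each Major Release): Not selected; Include Images Higher Than Running Image: Not selected; Include Same Image Feature Subset as Running Image: Not selected
Recommendation: The images with deployment status identified as GD are available in the recommended image list and other recommendation flow remains the same as the option 1.
Option 6
Include General Deployment Images: Selected; Include Latest Maintenance Release (of Each Major Release): Not selected; Include Images Higher Than Running Image: Not selected; Include Same Image Feature Subset as Running Image: Selected
Recommendation: Same as option 5. However, the recommended list contains images that have the same feature set as that of running image.
Option 7
Include General Deployment Images: Selected; Include Latest Maintenance Release (of Each Major Release): Not selected; Include Images Higher Than Running Image: Selected; Include Same Image Feature Subset as Running Image: Not selected
Recommendation: Same as option 5. However, the image with the highest version in the recommended image list is recommended.
The feature set of the recommended image may be superior than the running image.
Option 8
Include General Deployment Images: Selected; Include Latest Maintenance Release (of Each Major Release): Not selected; Include Images Higher Than Running Image: Selected; Include Same Image Feature Subset as Running Image: Selected
Recommendation: Same as option 6. However, the image with the highest version in the recommended image list is recommended.
All recommend images will have the same feature subset as the running image.
Option 9
Include General Deployment Images: Selected; Include Latest Maintenance Release (of Each Major Release): Selected; Include Images Higher Than Running Image: Not selected; Include Same Image Feature Subset as Running Image: Not selected
Recommendation: The images with the highest version among recommended image list are recommended.
The images of GD types of releases are available in the recommended image list.
Option 10
Include General Deployment Images: Selected; Include Latest Maintenance Release (of Each Major Release): Selected; Include Images Higher Than Running Image: Not selected; Include Same Image Feature Subset as Running Image: Selected
Recommendation: The images with the same feature as that of running image is available in the recommended list and the latest maintenance version of all release is available in the recommended list.
Only an image with higher version than running image is recommended. The recommended images can have only GD status.
Option 11
Include General Deployment Images: Selected; Include Latest Maintenance Release (of Each Major Release): Selected; Include Images Higher Than Running Image: Selected; Include Same Image Feature Subset as Running Image: Not selected
Recommendation: Same as option 9. In addition to this, an image with the higher version than running image is also recommended.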
Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform this task.
Step 1 Select Admin > Network > Change Audit Settings > Inventory Change Filter.
The Inventory Change Filter dialog box appears.
Step 2 Select a group from the Select a Group drop-down list. See Table 11-2.
The dialog box refreshes to display the filters available for the attribute group that you selected.
Step 3 Select the attributes that you do not want to monitor for changes.
Step 4 Click Save.
A confirmation dialog box appears.
Step 5 Click OK to save the details.
You can use Reset All to reset your selections for all groups. This resets all previous values to blanks.
In LMS, there is a Job Browser which enables you to view the status of all the LMS admin-related Jobs.
LMS applications, such as NetConfig, Config Editor, Archive Management, and Software Management
allow you to schedule jobs to perform their tasks. Job Approval allows you to require that one of a group
of users designated as job Approvers approves each job before it can run.
This section contains the following:
• Using Job Browser
• Configuring Default Job Policies
• Configuring NetShow Job Policies
• Enabling Approval and Approving Jobs Using Job Approval
• Job Approval Workflow
• Using Device Selector
Column Description
Job ID Unique number assigned to this task at creation time. This number
is never reused. There are two formats:
• Job ID:
Identifies the task. This does not maintain a history. For
example: 1001
• JobID.Instance ID:
Here, in addition to the task, the instance of the task can also be
identified. For example: 1001.1, 1001.2
Type Type of job. The jobs include User Tracking jobs, LMS reports,
Inventory Collection, Identity provisioning, Identity monitoring and
so on.
Run Status Job states include:
• Running
• Waiting for approval
• Scheduled (pending)
• Succeeded
• Succeeded with Info
• Failed
• Crashed
• Cancelled
• Suspended
• Rejected
• Missed Start
• Failed at Start
Select a job state from the Run Status drop-down list box to view the
details of all the jobs that match the job state.
If there are no jobs with any of these job states, the Run Status
drop-down list box will not display the respective job state.
Sched Type Frequency of the job. This can be:
• Once
• Immediate
• Periodic (calendar/time based).
Description Description of the job.
Run Sched Schedule details of the job.
Status Provides the status of the current jobs. The status of the current jobs
is displayed as succeeded or failed. It also displays the failure
reasons.
Owner Username of the job creator.
Scheduled At Date and time at which the job was scheduled.
Completed At Date and time at which the job was completed.
Filtering Jobs
You can filter the jobs by any specified criteria using the Filter by drop-down list. Select your criteria,
enter the corresponding value in the text box next to the drop-down list and click Filter. The jobs
pertaining to that category are displayed.
Column Description
All Displays all jobs in Job Browser.
This is the default filter type.
Job ID Unique ID of the job. For example, 1007.0.
Job IDs have N.x format, where x stands for the number of instances
of that job.
For example, 1007.4 indicates that the Job ID is 1007 and it is the
fifth instance of that job.
You should enter a valid Job ID as filter value. You can also:
• Enter multiple Job IDs separated by commas
• Include the wildcard character * (asterisk) in the Job ID value
• Enter a range of Job IDs
Examples of valid Job IDs are:
• 1002
• 1010.5
• 1004,1008.8, 1004
• 1007*
• 1001-1010
• 1019.20-1019.100
Type Type of job. The jobs include User Tracking jobs, LMS reports,
Inventory Collection, Identity provisioning, Identity monitoring and
so on.
Filters and displays all jobs that match a job type value in Job
Browser.
You must select a job type from the list of available types.
Run Status Job states include:
• Running
• Waiting for approval
• Scheduled (pending)
• Succeeded
• Succeeded with Info
• Failed
• Crashed
• Cancelled
• Suspended
• Rejected
• Missed Start
• Failed at Start
Select a job state from the Run Status drop-down list box to view the
details of all the jobs that match the job state.
If there are no jobs with any of these job states, the Run Status
drop-down list box will not display the respective job state.
Sched Type Frequency of the job. This can be:
• Once
• Immediate
• Periodic (calendar/time based).
Description Description of the job.
Filters and displays all jobs with a specified description.
You cannot leave the description field blank when you select this
filter type.
Owner Username of the job creator.
Filters and displays all jobs that are scheduled by a user.
You can select a user from the drop-down list of users as a filter
value.
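The Job ID filter syntax listed above (comma-separated values, the * wildcard, and ranges over N.x IDs) can be validated and applied as in this added example, which is not LMS code. The matching rules are assumptions: a bare number matches the job and all of its instances, * is a glob over the ID string, and a range endpoint without an instance covers every instance of that job.

```python
import re
from fnmatch import fnmatchcase

_ID = re.compile(r"^(\d+)(?:\.(\d+))?$")


def _parse_id(text):
    """Split 'N' or 'N.x' into (job, instance); instance is None when absent."""
    m = _ID.match(text)
    if m is None:
        raise ValueError(f"invalid Job ID: {text!r}")
    job, inst = m.groups()
    return int(job), (int(inst) if inst is not None else None)


def parse_filter(expr):
    """Parse a filter value into a list of terms, rejecting malformed input."""
    terms = []
    for raw in expr.split(","):
        term = raw.strip()
        if not term:
            raise ValueError("empty Job ID in filter value")
        if "*" in term:
            if not re.fullmatch(r"[0-9.*]+", term):
                raise ValueError(f"invalid wildcard Job ID: {term!r}")
            terms.append(("glob", term))
        elif "-" in term:
            lo_text, hi_text = term.split("-", 1)
            lo, hi = _parse_id(lo_text.strip()), _parse_id(hi_text.strip())
            # Assumption: a missing instance means "from instance 0" on the
            # low side and "through the last instance" on the high side.
            lo_key = (lo[0], lo[1] if lo[1] is not None else 0)
            hi_key = (hi[0], hi[1] if hi[1] is not None else float("inf"))
            if lo_key > hi_key:
                raise ValueError(f"range is reversed: {term!r}")
            terms.append(("range", lo_key, hi_key))
        else:
            terms.append(("exact", _parse_id(term)))
    return terms


def matches(terms, job_id):
    """True if job_id ('N' or 'N.x') satisfies any parsed term."""
    job, inst = _parse_id(job_id)
    key = (job, inst or 0)
    for term in terms:
        if term[0] == "glob" and fnmatchcase(job_id, term[1]):
            return True
        if term[0] == "range" and term[1] <= key <= term[2]:
            return True
        if term[0] == "exact":
            want_job, want_inst = term[1]
            if job == want_job and want_inst in (None, inst):
                return True
    return False


def select(expr, job_ids):
    """Return the job IDs from job_ids that the filter value selects."""
    terms = parse_filter(expr)
    return [j for j in job_ids if matches(terms, j)]


# Constructed sample of Job Browser IDs.
JOBS = ["1001", "1004.0", "1007.4", "1008.8", "1010.5", "1019.20", "1019.101", "1020.1"]

if __name__ == "__main__":
    for value in ("1004,1008.8, 1004", "1007*", "1001-1010", "1019.20-1019.100"):
        print(f"{value!r:22} -> {select(value, JOBS)}")
```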
Click the Refresh icon to refresh the job browser. Use the Stop and Delete buttons to stop or delete jobs:
• Stop button—Stops or cancels a running job. You will be prompted to confirm the cancellation of
the job. However, the job is stopped only after the devices currently being processed are successfully
completed. This is to ensure that no device is left in an inconsistent state.
• Delete button—Deletes the selected job from the job browser. You can select more than one job to
delete. You will be asked to confirm the deletion.
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Configuration Job Settings > Config Job Policies.
The Config Job Policies dialog box appears.
Step 2 Select one application from the drop-down list. You can select one of the following options:
• NetConfig
• ArchiveMgmt
• ConfigEditor
• Netshow
Step 3 Based on your selection, enter the following information:
Table 12-2 When Device Access is Only Through Job Password and No Access is Available Through Regular Telnet/SSH and SNMP
(Read or Write)
Table 12-3 When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write)
Table 12-4 When Devices are not Configured for Job Password and Access is Available Through Regular Telnet/SSH but no SNMP
Table 12-5 When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is Available Only
Through SNMP (Read or Write)
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Configuration Job Settings > Config Job Policies.
The Job Policy dialog box appears.
Step 2 Select NetShow from the Application drop-down list:
Step 3 Enter the following information in the Job Policy dialog box:
Column Description
Application Lists the application for which the purge is applicable.
Status Whether a purge job is enabled or disabled.
Policy This value is in days. Data older than the specified value will be purged. You can change this
value as required. This is a mandatory field. The default is 180 days.
Job ID Unique ID assigned to the job by the system, when the purge job was created. This Job ID does
not change even if you disable or enable or change the schedule of the purge job.
For the Purge Now task, a Job ID is not assigned. Also, if a Job ID already exists for that
application, this Job ID is not updated for the Purge Now tasks. That is, the job scheduled for
purging is not affected by the Purge Now task.
Scheduled At Date and time that the job was scheduled at. For example: Nov 17 2004 13:25:00.
Schedule Type Specifies the type of schedule for the purge job:
• Daily—Daily at the specified time.
• Weekly—Weekly on the day of the week and at the specified time.
• Monthly—Monthly on the day of the month and at the specified time. (A month comprises
30 days).
Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings.
The Job Purge dialog box appears. You can perform the following tasks in the Job Purge window:
Button Description
Schedule Schedule a job purging.
Enable Enable a job for purging after you schedule it.
Disable Disable the purge after enabling a job for purging.
Purge Now Purge a job immediately.
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Collection Settings > Config > Config Transport Settings.
The Transport Settings dialog box appears.
Step 2 Select NetShow from the Application drop-down list:
Step 3 Select a protocol from the Available Protocols pane and click Add.
NetShow supports only Telnet and SSH.
If you want to remove a protocol or change the protocol order, you can remove the protocol using the
Remove button and then add it again.
The protocols that you have selected appear in the Selected Protocol Order pane.
Step 4 Click Apply.
A message appears, New settings saved successfully.
Step 5 Click OK.
The protocol used for communicating with the device is based on the order in which the protocols are
listed here.
Masking Credentials
You can mask the credentials shown in the output of show commands. If you want to mask the credentials
of a particular command, you must specify the command in the
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\config\netshow\NSCredCmds.properties
file.
In this file you can specify all the commands whose output should be processed to mask the credentials.
We recommend that you enter the complete command in the file. For example, you must enter show
running-config, not show run. This file contains some default commands like show running-config.
Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform job approval tasks.
Role Responsibilities
System Administrator Creates and maintains the Approver lists
Approver Approves/rejects a job, or changes the schedule for a job.
To select the log level settings for the Job Approval application, select Admin > System > Debug
Settings > Config and Image Management Debugging settings.
Job Approval is also referred to as Maker Checker in a few places within LMS. For example, in Loglevel
Settings and Permission Report (Reports > System > Users > Permission) it is mentioned as Maker
Checker.
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Configuration Job Settings > Approver Details.
The Approver Details dialog box appears.
Step 2 Click Synchronize with Local User Database.
All the approvers with valid E-mail IDs will appear in the Approvers list. The E-mails of the approvers
will be the same as that added in LMS.
(You can create a valid Cisco Prime user using the Local User Setup option under Admin > System >
User Management > Local User Setup).
If you want to change the E-mail ID of any of the Approvers, select the Approver from the Approvers
list, and specify the new e-mail ID in the E-mail Address field. You can add more than one
e-mail, separated by commas.
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Configuration Job Settings > Create/Edit Approver Lists.
The Create/Edit Approver List dialog box appears.
Step 2 Go to the Approver List field and enter a name for an Approver list that you are creating. It can be an
alphanumeric name.
Step 3 Click Add.
A message appears:
List Listname has no users. To save the list successfully, add users and click Save.
Step 4 Click OK to proceed.
The newly-created list appears in the lists box.
(If previously-created lists exist, you can highlight a list to see the List Members in the Users group of
fields.)
Step 5 Add users to the newly-created list, by highlighting the list.
In the Users group of fields, the Available Users box lists users who have Approver permissions. Only
these users can be added to Approver lists to approve jobs.
• To add a user to the Approver List, select the name from the Available Users list box, and click Add.
The name appears in the List Members list box.
• To remove a user from the Approver list, select the name from the List Members list box, then click
Remove.
The name is removed from the List Members list box.
Step 6 Click Save.
The Approver Lists box displays the name of the new Approver list and the users on this list appear in
the box below Approver Lists.
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Configuration Job Settings > Assign Approver Lists.
The Assign Approver Lists dialog box appears.
Step 2 Select the required Approver list from the drop-down list box for that application. Repeat this for each
of the applications listed here.
Step 3 Click Assign.
The selected Approver lists are assigned to the applications.
Prerequisite
Make sure the approver list is assigned to the application, before you enable approval for the application.
Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform this task.
Step 1 Select Admin > Network > Configuration Job Settings > Approval Policies.
The Approval Policies dialog box appears. You can enable or disable Job Approval for the following
applications:
• NetConfig
• NetShow
• Config Editor
• Archive Management.
• Software Management.
Step 2 Set up Job Approval for the various applications that support job approval, by doing one of the following:
• Select the Enable check box that corresponds to an application, to enable Job Approval.
• Deselect the Enable check box that corresponds to an application, to disable Job Approval.
• Select the All check box to enable Job Approval, for all applications to which it is applicable.
• Deselect the All check box to disable Job Approval, for all applications to which it is applicable.
Step 3 Click Apply to apply your changes.
After you enable Job Approval, two additional fields appear in the job schedule wizard of the
applications. These are:
• Maker Comments—Job creator’s comments.
• Maker E-mail—Job creator’s e-mail address.
If you have enabled Approval for Archive Management tasks, these options appear in the Job Schedule
and Options dialog box:
• Approval Comment—Approval comments for the job approver.
• Maker E-Mail—E-mail-ID of the job creator.
Details Description
Job ID ID of the job that has been put up for approval.
Job Description Description of the job.
Job Schedule Date and time for which the job has been scheduled.
Server Name Name of the server.
Server Time-zone: Time zone of the server.
Maker Comments Comments for the Approver, entered by the job creator.
URLS Two URLs to launch dialog boxes for:
• Viewing job details.
• Approving or rejecting jobs.
View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform this task. You need to be a user with an Approver role.
Note You will be able to select only those jobs for which you are a part of the Approver List. The other jobs,
for which you are not a part of the Approver List, will be disabled.
Column Description
Job ID Unique number assigned to the job when it is created.
For periodic jobs such as Daily, Weekly, etc., the job IDs are in the number.x format. The x
represents the number of instances of the job. For example, 1001.3 indicates that this is the third
instance of the job ID 1001.
Click the Job ID hyperlink to view the details of the job.
Owner Job owner.
Job Type Application that registered job.
Scheduled to Run at When job is scheduled to run.
Approver List Name of Approver list whose members can approve job.
Description Job description, entered by job creator.
You can filter the pending jobs by any specified criteria using the Filter By drop-down list. Select your
criteria and click Filter.
Step 2 Either:
• Select the job and click Approve to approve the job.
The job is approved.
Or
• Select Next.
The Job Details dialog box appears (For example, if the ID of the job awaiting approval is 1025, then
the title of the dialog box appears as Job Details For Job 1025). You can view or change the job details
before approving or rejecting it.
Fields in the Job Details box are:
Field Description
Job
ID ID of the job (display only).
To see the detailed description of the job, click the View Job Details hyperlink.
Schedule Options
Run Type Select the frequency at which the job should be run:
• Immediate—Runs the report immediately.
• 6 - hourly—Runs the report every 6 hours, starting from the specified time.
• 12 - hourly—Runs the report every 12 hours, starting from the specified time.
• Once—Runs the report once at the specified date and time.
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the day of the week and at the specified time.
• Monthly—Runs monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has
completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the
next job will start only at 10:00 a.m. on November 3.
To change, select the required run type from the drop-down list.
Current Schedule
Date Scheduled date and time of the job. Click Change Schedule to change the schedule of the job.
You must click the Change Schedule button for the changed schedule to take effect. If you do not click
this button, the changed schedule will not be set.
Approver
Comments Enter your comments. This field is mandatory only if you are rejecting a job.
Note If you have configured Cisco Prime login mode to work under ACS mode, the devices listed for you
while performing the tasks are based on your role and associated privileges that are defined in Cisco
Secure ACS.
Field/Button Description
Search Input Enter the search expression in this field.
You can enter single device names or multiple device names. If you are
entering multiple device names, separate them with a comma. You can
also enter the wildcard characters “*” and “?”.
For example: 192.168.10.1*, 192.168.20.*
Search Use this icon to perform a simple search of devices based on the search
criteria you have specified in the Search Input text field.
For information on Search, see Using Simple Search.
Advanced Search Use this icon to perform an advanced search of devices based on the
search criteria you have specified in the Search Input text field.
For information on Advanced Search, see Using Advanced Search.
All Lists all User-defined and System-defined groups for all applications that
are installed on LMS Server.
For more information, see Using the All Tab.
Search Results Displays all the search results from Search or Advanced Search.
For more information, see Using the Search Results Tab.
Selection Lists all the devices that you have selected in the Search Results or All
tab.
Using this tab, you can deselect devices from the list.
For more information, see Using the Selection Tab.
Tool-tips are provided for long device names so that you do not have to scroll to see the complete device
name.
Usage Notes
The following are the usage notes for Simple Search:
• You can enter multiple device names separated with a comma. You can also enter a wildcard character,
“*” or “?”, to select multiple devices.
For example:
You can enter device names in any of these ways to select multiple devices:
– 192.168.80.140, 192.168.135.101, rtr805
– 192.168.80.*, 192.168.*
– 192.168.22.?
You cannot enter multiple wildcard characters for selecting the devices.
For example, 192.*.80.* is not allowed.
• You must enter either the complete device name or enter the partial device name appended with
wildcard character *. That is,
– No devices are selected, if you enter only 192.168 in the Device Name text box.
– You have to enter either 192.168* or 192.168.10.10.
• The search is not case-sensitive.
• The selected devices form a unique list. There are no duplicate entries of devices.
For example:
If you have these devices in All Devices and Normal devices nodes: 192.168.10.10, 192.168.10.20,
192.168.10.21, 192.168.10.30, and 192.168.10.31 then,
a. Select the devices 192.168.10.20, 192.168.10.21, and 192.168.10.30 in the Normal devices
node.
b. Enter the search criteria 192.168.10.2*
c. The final selected devices that are displayed are 192.168.10.20, 192.168.10.21, and 192.168.10.30
in the Normal devices node and 192.168.10.20 and 192.168.10.21 in the All Devices node.
However, the selected devices count that is displayed in the Device Selector is only three and
not five.
• The All Devices node is expanded without selecting any devices, if the search criteria are not
satisfied. The objects selected text displays 0 (zero) device selected.
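The usage notes above can be modelled as a preview of which devices a Simple Search expression selects before it is used to scope a job. This is an added example, not Cisco code: the function name, the device list (built from the addresses used in the notes) and the reading that the one-wildcard limit applies to each comma-separated entry are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed inventory, using the device names that appear in the usage notes.
DEVICES = [
    "192.168.10.10", "192.168.10.20", "192.168.10.21",
    "192.168.10.30", "192.168.10.31", "RTR805",
]


def simple_search(search_input, devices):
    """Model of the documented Simple Search rules.

    Returns (selected, unmatched): the unique devices selected, in order of
    first match, and the entries that selected nothing.
    """
    selected, seen, unmatched = [], set(), []
    for entry in (e.strip() for e in search_input.split(",")):
        if not entry:
            continue
        # Assumption: the limit on wildcard characters applies per entry.
        if entry.count("*") + entry.count("?") > 1:
            raise ValueError(f"{entry!r}: multiple wildcard characters are not allowed")
        # fnmatch also treats "[" as special; neutralise it so only * and ? act as wildcards.
        pattern = entry.lower().replace("[", "[[]")
        # The search is not case-sensitive, so compare lower-cased names.
        hits = [d for d in devices if fnmatchcase(d.lower(), pattern)]
        if not hits:
            # A partial name without "*" (for example 192.168) lands here.
            unmatched.append(entry)
        for device in hits:
            if device.lower() not in seen:  # the selection is a unique list
                seen.add(device.lower())
                selected.append(device)
    return selected, unmatched


if __name__ == "__main__":
    for expression in ("192.168.10.2*", "192.168", "rtr805, 192.168.10.3?, 192.168.10.30"):
        print(expression, "->", simple_search(expression, DEVICES))
```

Entries returned in the second list selected nothing, which is the case to review before a job is scheduled against the selection.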
This dialog box contains the following fields and buttons (See Table 12-6):
Field/Buttons Description
OR, AND, EXCLUDE Logical operators.
• OR—Include objects that fulfill the requirements of either
rule.
• AND—Include only objects that fulfill the requirements of
both rules.
• EXCLUDE—Do not include these objects.
This field appears only after a rule expression is added in the Rule
Text box.
Object Type Type of object (device) that is used to form a group.
All rule expressions begin with the same Object Type,
RME:INVENTORY:Device.
Variable Device attributes, based on which you can define the group.
See Advanced Search Rule Attribute.
Operator Operator to be used in the rule. The list of possible operators
changes based on the Variable selected.
Value The value of the rule expression. The possible values depend upon
the variable and operator selected. Depending on the operator
selected, the value may be free-form text or a list of values.
The wildcard characters are not supported.
Add Rule Expression Used to add the rule expression to the group rules.
Rule Text Displays the rule.
Check Syntax Verifies that the rule syntax is correct.
Use this button if you have entered the rules manually.
Search Used to search for devices based on the defined rule.
Usage Notes
The following are the usage notes for Advanced Search:
• If you have not selected any device nodes, then advanced search is applied only for All Devices
node.
• You can either enter the rules directly in the Rule Text field, or select the components of the rule
from the Rule Expression fields, and form a rule.
Each rule expression contains the following:
object type.variable operator value
Object Type—The type of object (device) that is used to form a group. All rule expressions begin
with the same Object Type, RME:INVENTORY:Device.
Variable—Device attributes, based on which you can define the group. See the Advanced Search
Rule Attribute.
Operator—Operator to be used in the rule. The list of possible operators changes based on the
Variable selected.
Value—Value of the rule expression. The possible values depend upon the variable and operator
selected. Depending on the operator selected, the value may be free-form text or a list of values.
• If you are entering the rule expressions manually, the rule expression must follow this syntax:
object type.variable operator value
• If you are entering more than one rule expression, you must enter logical operators OR, AND or
EXCLUDE after every rule expression.
You must use the Check Syntax button only when you add a rule manually or when you modify a rule
expression in the Rule Text.
• The advanced search operation is not case-sensitive.
• To delete the rules in the Rule Text box, select the complete rule including the logical operator and
press the Delete key on your keyboard.
• If you want to perform a new search, click Clear All before selecting any new devices.
Step 1 Click the Advanced Search icon in the Device Selector pane.
The Define Advanced Search Rule dialog box appears.
Step 2 Select,
a. State as Variable
b. = as Operator
c. Normal as Value
Step 3 Click Add Rule Expression.
The rule is added into the Rule Text.
Step 4 Select,
a. And as Logical Operator
b. IP.Address as Variable
c. Contains as Operator
d. Enter 192.168.101 for Value.
Step 5 Click Add Rule Expression.
The rule is added into the Rule Text.
Step 6 Select,
a. OR as Logical Operator
b. IP.Network_Mask as Variable
c. Equals as Operator
d. Enter 255.255.255.0 for Value.
Step 7 Click Add Rule Expression.
The rule is added into the Rule Text.
Step 8 Click Search.
The Device Selection dialog box appears.
The devices that satisfied the search condition are selected. That is these two devices are selected.
• 192.168.101.200 with network mask 255.255.255.128
• 192.168.101.201 with network mask 255.255.255.0
• 192.168.102.251 with network mask 255.255.255.0
Only one Saved device list is created within the device selector. If concurrent users have created
Saved device lists, only the last created Saved device list appears in the Device Selector. The previous
Saved device list is overwritten with the latest.
Note You can use the Previous selection and Saved device groups only when you are working on an application.
You cannot use these device groups when you are working on another Cisco Prime application. That is,
if you are working on the Campus Manager application, these groups must not be used.
• The User Defined Groups folder lists devices that satisfy the group rules. The group rules are defined
by you at the time of creating the User-defined groups.
• Based on the applications that are installed on your LMS Server, you will also view device folders
related to other Cisco Prime applications:
CiscoWorks_ApplicationName@CiscoWorks_ServerHostName
For example: For Cisco Prime Common Services, you will see:
CS@CiscoWorks_ServerHostName.
In a stand-alone system, server name is not appended. For example, for Common Services, you will
see CS.
• Other application folders are displayed in LMS based on the settings. For more details, see Common
Services Online Help.
• In Device Selector, the other Cisco Prime application device folders will list only devices.
For example: If you have devices, A, B, C and D in Cisco Prime Common Services and you have
devices A, B, and C in LMS then in the Device Selector under Common Services device folder, you
will view on device list, A, B, and C.
• The device appears in a disabled (greyed out) state when:
– Device type is Unknown in Device and Credential Repository. In all applications, the device is
shown as disabled except in Inventory job creation and reports.
– Device type is known and correct in Device and Credentials (that is, the SysObjectID is correct
and is available in Device and Credentials). However, that device is not supported by
applications. (Inventory, Software Management, and Configuration Management).
There are two types of device selectors in LMS:
• Single Device Selector
• Multiple Device Selector
Note The (n) Devices Selected message at the bottom left of the Device Selector screen shows the number of
devices you have selected. It launches the Selection tab when you click on it.
Step 1 Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry
settings.
or
Select Admin > Collection Settings > Config > Edit the Inventory, Config Timeout, and Retry
settings.
The Edit Devices dialog box appears.
Step 2 Select the devices for which you want to edit the device attributes. See Using Device Selector for further
information.
Step 3 Click Edit Device Attributes.
The Device Attributes dialog box appears.
Step 4 Click Inline Edit.
The Device Attributes Information dialog box appears.
Step 5 Select a device from the Devices pane.
Step 6 Edit the device attributes in the Device Information pane.
You can check the Apply to all Devices checkbox to apply the device attributes of one device to all other
devices that are listed in the Devices pane.
Step 7 Click Modify in the Device Attributes Information dialog box.
Step 8 Click Apply in the Device Attributes dialog box.
Step 1 Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry
settings.
The Devices dialog box appears.
Step 2 Select the devices for which you want to edit the device attributes. See Using Device Selector for further
information.
Step 3 Click Edit Device Attributes.
The Device Attributes dialog box appears.
Step 4 Click Export.
The Export Device Attributes to File dialog box appears.
a. Enter the folder name and the filename on the server.
or
– Browse to select a folder on the server.
The Server Side File Browser dialog box appears.
– Select a folder and enter the filename on the server.
– Click OK in the Server Side File Browser dialog box.
b. Click OK in the Export Device Attributes to File dialog box.
The notification window displays Data exported successfully.
c. Click OK in the notification window.
Step 5 Edit the exported file.
You can edit only the device attributes, Serial Number, SNMP Retry, SNMP Timeout, Telnet Timeout,
and Natted IP Address. You cannot edit the Device Name (device_identity) or add new device entries.
See Device Attributes Export File Format for more information.
Step 6 Click Import in the Device Attributes dialog box.
The Import Device Attributes to File dialog box appears.
We recommend that you import the same file that you have exported after editing. If any new device
entries are added, these device entries are ignored. Only device entries that match the existing device
entries are imported.
a. Enter the folder name and the filename on the server.
or
– Browse to select a folder on the server.
The Server Side File Browser dialog box appears.
– Select a folder and file on the server.
– Click OK in the Server Side File Browser dialog box.
b. Click OK in the Import Device Attributes to File dialog box.
The notification window displays Data imported successfully.
c. Click OK in the notification window.
The Device Attributes window refreshes to display the updated device attributes.
While importing the edited device attributes file an error message may appear,
Attribute values for some selected devices are invalid. See Attribute Error Report for
details.
See Editing Device Attributes section to know the minimum and maximum values for the device
attributes. Also see Attribute Error Report for more information.
Step 7 Click Apply.
Note The Telnet timeout and SSH timeout are the same. Modifying the Telnet Timeout also changes the SSH
Timeout.
• Natted IP Address
The server ID. This is the translated address of the server as seen from the network where the device
resides. This is used when LMS tries to contact devices outside the NAT boundary; you need to
enable support for NAT. The default value is Default Not Defined.
• TFTP Timeout
Duration of time that the system should wait for a device to respond before it tries to access it again.
The default value is 5 seconds and the minimum value is 0 seconds. There is no maximum value
limit. This attribute is available only when you edit the device attributes from the Device Attributes
window.
• Read Delay—Amount of time the system will sleep in between each read iteration. Read Delay sets
the client to sleep for few milliseconds. During the delay time, the client accumulates the device
content in buffer and keeps it ready to be read. The default read delay is 10 milliseconds.
• Transport Timeout—Amount of time the socket will be blocked for read operation. The client waits
for a response from the device after which it will get timed out. The default value is 45000
milliseconds.
• Login Timeout—Amount of time the system should wait for a client’s input after which the client
gets disconnected from the device. The default value is 2000 milliseconds.
• Tune Sleep—Amount of sleep time in milliseconds set before and after sending a new line to the
device. The default value is 50 milliseconds.
• Delay After Connect—Amount of waiting time in milliseconds after initial socket connection. It will
wait for the set time before doing the next operation. The default value is 300 milliseconds.
Do any one of the following to edit the device attributes:
• Set the device attributes value for a single device using Admin > Collection Settings > Inventory
> Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes > Inline
Edit. See To edit the device attributes for a single device
• Set the device attributes value for the bulk of devices using Admin > Collection Settings >
Inventory > Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes >
Export. See To edit the device attributes for the bulk of devices
Note View Permission Report to check if you have the required privileges to perform this task.
Note The Attribute Error Report link is available only if importing of device attributes causes an error.
;
;Start of section 0 - DM Export
;
;HEADER: device_identity,serial_number,SNMPRetryCount,SNMPTimeout,TelnetTimeout,TFTPTimeout,NattedIPAddress,ReadDelay,TransportTimeout,LoginTimeout,TuneSleep,DelayAfterConnect
;
192.168.8.4,Default Not Defined,2,2,36,5,Default Not Defined,10,45000,2000,50,300
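A pre-import check for the bulk edit procedure, as an added example that is not part of the Cisco guide or of LMS: it compares an edited export with the original and reports entries the import would ignore and changes to columns the guide does not list as editable in the file. It assumes the header names sit on one line with the wrapped names rejoined; the second device row, the edited file and the whole-number check on the SNMP and Telnet columns are constructed or assumed for illustration.

```python
# Columns the guide lists as editable in the exported file.
EDITABLE = {"serial_number", "SNMPRetryCount", "SNMPTimeout",
            "TelnetTimeout", "NattedIPAddress"}
# Assumption: these editable columns hold whole numbers, as in the sample row.
NUMERIC = {"SNMPRetryCount", "SNMPTimeout", "TelnetTimeout"}

HEADER = (";HEADER: device_identity,serial_number,SNMPRetryCount,SNMPTimeout,"
          "TelnetTimeout,TFTPTimeout,NattedIPAddress,ReadDelay,TransportTimeout,"
          "LoginTimeout,TuneSleep,DelayAfterConnect")
PREAMBLE = [";", ";Start of section 0 - DM Export", ";", HEADER, ";"]

# First row is the sample from the guide; the second row is constructed.
ORIGINAL_EXPORT = "\n".join(PREAMBLE + [
    "192.168.8.4,Default Not Defined,2,2,36,5,Default Not Defined,10,45000,2000,50,300",
    "192.168.8.5,Default Not Defined,2,2,36,5,Default Not Defined,10,45000,2000,50,300",
])
# Constructed edited file: one allowed edit, one edit to a column that is not
# editable in the file, one malformed value and one added device entry.
EDITED_EXPORT = "\n".join(PREAMBLE + [
    "192.168.8.4,Default Not Defined,2,4,36,10,Default Not Defined,10,45000,2000,50,300",
    "192.168.8.5,Default Not Defined,2,2,36s,5,Default Not Defined,10,45000,2000,50,300",
    "192.168.8.99,Default Not Defined,2,2,36,5,Default Not Defined,10,45000,2000,50,300",
])


def parse_export(text):
    """Return (columns, {device_identity: {column: value}}) for an export file."""
    columns, rows = None, {}
    for raw in text.splitlines():
        line = raw.strip().lstrip(";").strip()
        if line.upper().startswith("HEADER:"):
            line = line[len("HEADER:"):].strip()
        # The column names may follow ";HEADER:" or sit on the next line.
        if line.startswith("device_identity"):
            columns = [c.strip() for c in line.split(",")]
            continue
        if raw.lstrip().startswith(";") or not line:
            continue  # comment or blank line
        if columns is None:
            raise ValueError("data row found before the header")
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != len(columns):
            raise ValueError(f"{fields[0]}: expected {len(columns)} fields, got {len(fields)}")
        rows[fields[0]] = dict(zip(columns, fields))
    return columns, rows


def check_edited_export(original_text, edited_text):
    """Compare an edited export with the original and return a list of findings."""
    columns, original = parse_export(original_text)
    edited_columns, edited = parse_export(edited_text)
    if edited_columns != columns:
        return ["header: column list differs from the original export"]
    findings = []
    for device, row in edited.items():
        if device not in original:
            findings.append(f"{device}: not in the original export, import ignores this entry")
            continue
        for col in columns[1:]:
            old, new = original[device][col], row[col]
            if new == old:
                continue
            if col not in EDITABLE:
                findings.append(f"{device}: {col} changed ({old!r} -> {new!r}) "
                                "but is not editable in the file")
            elif col in NUMERIC and not new.isdigit():
                findings.append(f"{device}: {col} value {new!r} is not a whole number")
    for device in sorted(set(original) - set(edited)):
        findings.append(f"{device}: missing from the edited file (renamed or deleted)")
    return findings


if __name__ == "__main__":
    for finding in check_edited_export(ORIGINAL_EXPORT, EDITED_EXPORT):
        print(finding)
```

An empty list means every change stays within the editable columns for devices that already exist; the minimum and maximum values enforced at import are not checked here.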
Software Center helps you to check for software and device support updates, download them to their
server file system along with the related dependent packages, and install the device updates.
Software Center allows you to look for software and device updates from Cisco.com, and download them
to a server location. You can install the updates from this location. In the case of device updates,
Software Center helps you to install the updates using a web based user interface, and command line
interface, wherever possible.
Most of the device family-based packages can be installed directly from the web interface while the
device support packages such as IDU have to be installed based on the installation instructions in the
respective Readme files.
You may also uninstall a device support package. Software Center does not support installation and
uninstallation of software updates.
To back up what is installed on the server, Software Center maintains a package and device map in the
installed packages directory of the respective applications. The package map is a list of all device
packages installed on the server and device map is a list of all the supported devices on the server.
Software Center also provides a Command Line Interface to download device updates and software
updates, and install or uninstall device packages.
This chapter explains the following:
• Performing Software Updates
• Performing Device Update
• Scheduling Device Package Downloads
• Point Patch Update
• Using the Software Center CLI Utility
Step 1 Select Admin > System > Software Center > Software Update.
The Software Updates page appears.
Step 2 Go to the Products Installed dialog box and click the link provided on a product.
A new window displays the details of:
• Patches Installed—Provides details about the patches installed on the product, the patch version and
the date on which the patches were installed.
• Application Installed—Provides details of the applications installed, the application version, and the
date on which the applications were installed.
• Packages Installed—Provides details about the packages installed on the product, the package
version with patch level, and the date on which the packages were installed.
Step 1 Select Admin > System > Software Center > Software Update.
The Software Updates page appears.
Step 2 Go to the Products Installed dialog box and select the check box corresponding to the product for which
you want to select update.
You can select multiple products by selecting the corresponding check boxes.
Step 3 Click Select Updates.
The Cisco.com and Proxy Server Credentials dialog box appears.
Step 4 Enter your Cisco.com username and password to connect to Cisco.com, for software updates.
If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server
Setup, you must enter the Proxy server username and password.
Step 5 Click Next.
A list of available Software Updates for the selected product appears.
Step 6 Select the Software Update you need to download and click Next.
You can filter the required images based on Type, Package Name, Product Name, and Available Version
With Patch Level. To filter the images, choose the filter source from the drop-down list and specify the
filter pattern in the text box.
For example, if you select the Filter Source as Package Name and Pattern as cmfSw001, all packages
with name starting as cmfSw001 will be listed.
Regular expressions are not supported for the patterns. Patterns are case sensitive.
For example, if the list of available packages are CatGL3, Cat4000, Cat3560, Pix, cigesm, and
CAT2900XL, then a filter pattern Cat will list the CatGL3, Cat4000 and Cat3560 packages.
Step 7 Select a destination location or browse to the location and click Next.
The destination location should not be the location where Cisco Prime is installed or any of the OS
directories. Software Center does not support downloading device or software updates in the same
directory where you have installed Cisco Prime LMS, or any of its sub-directories.
By default, the destination location is:
• /opt/psu_download (On Solaris/Soft Appliance)
• System Drive:\psu_download (On Windows)
The Download Summary window appears.
Step 8 Click Finish to confirm download of the selected packages.
If you do not want to add the selected packages, click Back to reselect packages or click Cancel to exit.
Note The support for downloading LMS software and device packages from Admin > System > Software
Center > Software Update is not currently available. You must manually download the LMS software
and packages from the Software download page.
Step 1 Select Admin > System > Software Center > Software Update.
The Software Updates page appears.
Step 2 Go to the Products Installed table and select the check box corresponding to the product for which you
want to download the update.
You can select multiple products by selecting the corresponding check boxes.
Step 3 Click Download Updates.
The Cisco.com and Proxy Server Credentials dialog box appears.
Step 4 Enter your Cisco.com username and password. Both are mandatory.
If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server
Setup, you must enter Proxy server username and password.
Step 5 Select a destination location or browse to the location and click Next.
The destination location should not be the location where Cisco Prime is installed or any of the OS
directories. Software Center does not support downloading device or software updates in the same
directory where you have installed Cisco Prime LMS, or any of its sub-directories.
By default, the destination location is:
• /opt/psu_download (On Solaris/Soft Appliance)
• System Drive:\psu_download (On Windows)
Step 6 Click Finish to confirm the download operation.
To return to the Software Update page, click Cancel.
You can also check for the device updates and delete the device packages using the Device Update page.
This section contains the following:
• Viewing Package Map
• Viewing Device Map
• Checking for Updates
• Deleting Packages
Step 1 Select Admin > System > Software Center > Device Update.
The Device Updates page appears.
Step 2 Select the check box corresponding to the product for which you want to check for updates and click
Check for Updates.
The Source Location page appears. You can check for updates at Cisco.com or a server.
• To check for updates at Cisco.com, select the Cisco.com radio button.
• To check for updates from a server, select the Enter Server Path radio button and enter the path or
browse to the location using the Browse tab.
Step 3 Click Next.
The Cisco.com and Proxy Server Credentials dialog box appears, if you have selected to check for
updates at Cisco.com.
Step 4 Enter your Cisco.com username and password.
If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server
Setup, you must enter Proxy server username and password.
Step 5 Click Next.
The Available Packages and Installed Packages page appears. It displays:
• Package Name: Name of the package.
• Type: Type of the update. For example, whether the update is a device package or IDU package.
• Product Name: Product for which the update is available.
• Installed Version: Current version of that product installed in the server.
• Available version: Version of the product that is available (Other than the installed version).
• Readme Details: Links to the Readme files associated with the update.
• Posted date: Date on which the update was posted on Cisco.com.
• Size: Size of the update.
Step 6 Select the check box corresponding to the package that you wish to update and click Next.
The Device Update page appears. You can either install the device packages or download them.
• To install device packages, select the Install Device Packages radio button.
• To download device packages, select the Download Device Packages radio button.
Deleting Packages
You can also delete packages that are outdated or you no longer use.
To delete a package:
Step 1 Select Admin > System > Software Center > Device Update.
The Device Update page appears.
Step 2 Select the check box corresponding to the product and click Delete Packages.
The wizard displays a window that has the Package name, the Product name, and the Installed version
details.
Step 3 Select the check box corresponding to the Package you want to delete.
You can filter the available device packages based on Package Name, Product Name, Installed Version.
To filter the packages, choose the filter source from the drop-down list and specify the filter pattern in
the text box.
For example, if you select the Filter Source as Package Name and Pattern as cmfSw001, all packages
whose names start with cmfSw001 are listed.
Regular expressions are not supported for the patterns. Patterns are case sensitive.
For example, if the available packages are CatGL3, Cat4000, Cat3560, Pix, cigesm, and
CAT2900XL, then the filter pattern Cat lists the CatGL3, Cat4000 and Cat3560 packages.
Step 4 Click Next.
The Summary window appears with the details of the Product and the Packages selected.
Step 5 Click Finish to confirm deletion.
• To make changes in the previous windows, click Back.
• To cancel the operation, click Cancel.
After you have confirmed the Delete Packages operation, a message that the daemons are restarted
appears.
Step 6 Click OK to continue.
Step 1 Select Admin > System > Software Center > Schedule Device Downloads.
The Schedule Device Downloads dialog box appears.
Step 2 Enter your Cisco.com username and password.
Enter the Proxy server username and password only if you have configured proxy settings under Admin
> System > Cisco.com Settings > Proxy Server Setup.
Step 3 Enter the destination location, or browse to the location using the Browse tab.
By default, the destination location is:
• /opt/psu_download (On Solaris/Soft Appliance)
• System Drive:\psu_download (On Windows)
Note You must enter the device package name without any filename extension. The package name is
case-sensitive.
Step 5 Select the run type from the Run Type drop-down list, to set the frequency of downloads.
Step 6 Select the date from the drop-down calendar, and specify the time using the drop-down lists.
The calendar displays the date from the client system.
Step 7 Enter a description for the download job in the Job Description field. This is mandatory.
Step 8 Enter an e-mail ID in the E-mail field.
You can enter multiple e-mail addresses separated by comma.
Step 9 Click Apply to apply the changes.
Or
Click Cancel to exit without saving changes.
You can view the scheduled job status and details from the Job Browser window (Admin > Jobs >
Browser).
Scheduled Job
The Scheduled Job Details page displays the activities that are performed using Software Center. The
Scheduled Job table records and displays the downloads to the server. You can view the log from the
server or any client workstation.
To view Scheduled Job Details:
Select Admin > System > Software Center > Scheduled Job Details.
The Scheduled Job Details page appears with the following information:
• Job—Job ID of the job that is scheduled by Cisco Prime user.
• Date—Time and the date on which the job was run.
• Applicable Products—Products to which the download is applicable.
Event Log
The Event log page displays the activities that are performed using Software Center. The Event Log table
shows the list of immediate downloads, installations and un-installations of device packages carried out.
You can view the log from the server or any client workstation.
To view the Event Log:
Select Admin > System > Software Center > Event Log.
The Event Log page appears with the following information:
• Product Name—Name of the product.
• Description—Summary of the activity.
• Date—Date and time when the operations were carried out.
• Event Type—Shows one of the following:
– Device Package Downloads
– Software Download
– Install Device Packages / Uninstall Device Packages
• Status—Status of the event (Completed Successfully, Failed or Executed). Click on the Status link
to get more details on the operation.
You can delete either all the event logs or specific event logs from the list.
Select the log entries and click Delete to delete the selected entries.
Step 1 Select Admin > System > Software Center > Point Patch Update.
The Point Patch Update page appears.
Step 2 Enter your Cisco.com username and password.
Enter the Proxy server username and password only if you have configured proxy settings under Admin
> System > Cisco.com Settings > Proxy Server Setup.
Note The Download option in the Point Patch Update page will be enabled only after entering the
Cisco.com username and password.
Step 3 Enter the download location, or browse to the location using the Browse tab.
By default, the download location is:
• /opt/psu_download (On Solaris/Soft Appliance)
• System Drive:\psu_download (On Windows)
Step 4 Select Download Patches radio button.
or
Select View the list of available point patches to download radio button.
A point patch list containing the defect ID, point patch revision number and patch description is
displayed.
Step 5 Click Download to download all the latest point patch versions that are not installed in your system.
Related Topics
• Downloading Point Patch Updates
• Installing Point Patch Updates
Note You must enter the device package name without any filename extension. The package name is
case-sensitive.
Example
NMSROOT\bin\PSUCli.bat -p rme -q -all
This lists all the installed packages for LMS in the installed repository for LMS.
To list all packages in the specified directory for LMS, enter:
NMSROOT\bin\PSUCli.bat -p rme -src dir -q
Note You must enter the device package name without any filename extension. The package name is
case-sensitive.
• -noprompt—Flag to turn off the prompt that appears to restart the daemon services during device
packages installation
Example
NMSROOT\bin\PSUCli.bat -p rme -i -src dir Cat6000 Cat4000
This installs the specified packages (Cat6000, Cat4000) for LMS, from the specified directory.
Note You must enter the device package name without any filename extension. The package name is
case-sensitive.
• -noprompt—Flag to turn off the prompt that appears to restart the daemon services during device
packages installation
Example
NMSROOT\bin\PSUCli.bat -p rme -u -all
This uninstalls all packages of LMS, from the installed repository.
• -p product—Specify the Product for which you want to download the Software Update. Invoking
CLI with -h option lists the valid product names.
• -software (-s) —Download Software packages for the specified product or products.
• -dst download directory—Specify the directory to which you want to download the Software
Update.
Do not specify the directory where you have installed Cisco Prime LMS, or any of its
sub-directories.
• -all—Selects all the available software updates on Cisco.com for download.
• PackageNames—Names of the software update package available on Cisco.com, for example,
cwcs3_0_4_win, cwcs3_0_6_sol_k9.
Note You must enter the software update package name without any extension. The package name is
case-sensitive.
You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy
settings, you will be prompted for Proxy Server User credentials.
The destination location should not be the location where Cisco Prime is installed or any one of the OS
directories. Software Center does not support downloading device or software updates in the same
directory where you have installed Cisco Prime LMS, or any of its sub-directories.
Note You must enter the device package name without any filename extension. The package name is
case-sensitive.
You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy
settings, you will be prompted for Proxy Server User credentials.
The destination location should not be the location where Cisco Prime is installed or any of the OS
directories. Software Center does not support downloading device or software updates in the same
directory where you have installed Cisco Prime LMS, or any of its sub-directories.
Note You must enter the point patch update name without any filename extension and revision
number. The point patch update name is case-sensitive.
You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy
settings, you will be prompted for Proxy Server User credentials.
The destination location should not be the location where Cisco Prime is installed or any of the OS
directories. Software Center does not support downloading device, point patch or software updates in
the same directory where you have installed Cisco Prime LMS, or any of its sub-directories.
The downloaded point patch revisions that are not installed in your system are installed and an
installation successful message is displayed.
Note You must enter the device package name without any filename extension. The package name is
case-sensitive.
Example
NMSROOT\bin\PSUCli.bat -p rme -pdep Cat5000
This lists all dependent packages of LMS Cat5000 device package installed.
Note You must enter the device package name without any filename extension. The package name is
case-sensitive.
Example
NMSROOT\bin\PSUCli.bat -p rme -pver Cat5000
This lists the version of the LMS Cat5000 device package installed.
The Discrepancies Reporting module of LMS allows you to view the discrepancies and best practices
deviations in your network. This chapter contains the following:
• Understanding Discrepancies and Best Practices Deviations
• Interpreting Discrepancies
• Interpreting Best Practices Deviations
• Customizing Discrepancies Reporting and Syslog Generation
Interpreting Discrepancies
This section contains information on each discrepancy reported in LMS. It describes the
discrepancy, the impact it has on the network, and ways to resolve it.
The user interface in LMS displays commands you can use to make configuration changes on devices to
resolve discrepancies.
This section contains:
• Trunking Related Discrepancies
• VLAN-VTP Related Discrepancies
• Link Related Discrepancies
• Port Related Discrepancy
• Device Related Discrepancy
• Spanning Tree Related Discrepancy
Impact
Trunk negotiation across VTP boundary (that is, trunk link connecting two devices that are part of
different VTP domains) fails.
Fix
You cannot fix this discrepancy using LMS.
To fix the discrepancy on switches using Cisco IOS:
Step 1 Make sure that the Trunk mode is ON, on both sides of the link.
Step 2 Enter the following command:
switchport trunk encapsulation dot1q | isl
switchport mode trunk
end
Step 3 Enter the following command to check the status:
show interfaces trunk
Or
show interface mod interface_id trunk
Step 1 Make sure that the Trunk mode is ON, on both sides of the link.
Step 2 Enter the following command:
set trunk mod/port on Dot1Q | ISL
Step 3 Enter the following command to check the status:
show trunk mod/port
Note This discrepancy is applicable only for trunks that use 802.1q encapsulation.
Impact
The native VLAN must match on both sides of the trunk link, otherwise the traffic flow across the link
is affected. The trunk continues to remain operational.
Fix
If you have altered the default native VLAN configuration, ensure that all trunks have the same native
VLAN. Use the set vlan command for Cisco Catalyst operating system switches or the switchport
trunk native vlan command for Cisco IOS switches to specify the native VLAN.
Impact
The trunk remains operational but the network traffic across the link is affected.
Fix
You can resolve this by modifying the list of allowed VLANs between the two ends of a trunk and
ensuring that there is no mismatch. You cannot fix this discrepancy through LMS.
Impact
The trunk remains operational when the trunk mode is set to On or No-negotiate with mismatching
encapsulation types. However, the network traffic across the link is affected because of the mismatch.
Fix
Configure the same encapsulation type on both ends of the trunk. You cannot fix this discrepancy
through LMS.
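The three trunk checks described above (encapsulation mismatch, native VLAN mismatch, allowed VLAN list mismatch) can be run offline against the interface configuration of both ends of a link. The following is an added example, not part of the LMS guide or of LMS itself; the function names and the two sample stanzas are constructed, and it assumes Cisco IOS syntax with the IOS defaults of native VLAN 1 and all VLANs allowed.

```python
import re

DEFAULT_NATIVE_VLAN = 1                   # IOS default when none is configured
ALL_VLANS = frozenset(range(1, 4095))     # IOS default allowed list: all VLANs

# One VLAN or range, optionally followed by more, e.g. 10,20,30-32
VLAN_SPEC = r"all|\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*"


def parse_vlan_list(spec):
    """Expand an allowed-VLAN spec such as '10,20,30-32' or 'all'."""
    if spec == "all":
        return ALL_VLANS
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(vlans)


def parse_trunk_end(stanza):
    """Read the trunk settings out of one IOS interface stanza.

    The add/remove/except/none forms of 'allowed vlan' are not handled.
    """
    end = {"encapsulation": None, "native_vlan": DEFAULT_NATIVE_VLAN,
           "allowed": ALL_VLANS}
    for raw in stanza.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"switchport trunk encapsulation (dot1q|isl)", line):
            end["encapsulation"] = m.group(1)
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            end["native_vlan"] = int(m.group(1))
        elif m := re.fullmatch(rf"switchport trunk allowed vlan ({VLAN_SPEC})", line):
            end["allowed"] = parse_vlan_list(m.group(1))
    return end


def compare_trunk_ends(stanza_a, stanza_b):
    """Return (kind, detail) tuples for each mismatch between two trunk ends."""
    a, b = parse_trunk_end(stanza_a), parse_trunk_end(stanza_b)
    findings = []
    enc_a, enc_b = a["encapsulation"], b["encapsulation"]
    if enc_a and enc_b and enc_a != enc_b:
        findings.append(("encapsulation", f"{enc_a} vs {enc_b}"))
    # The guide limits the native VLAN discrepancy to 802.1q trunks.
    if "isl" not in (enc_a, enc_b) and a["native_vlan"] != b["native_vlan"]:
        findings.append(("native-vlan", f"{a['native_vlan']} vs {b['native_vlan']}"))
    if a["allowed"] != b["allowed"]:
        only_a = sorted(a["allowed"] - b["allowed"])
        only_b = sorted(b["allowed"] - a["allowed"])
        findings.append(("allowed-vlans", f"only on A: {only_a}; only on B: {only_b}"))
    return findings


# Constructed sample stanzas for the two ends of one trunk link.
SW1_GI1_0_1 = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30-32
 switchport mode trunk
"""
SW2_GI1_0_24 = """\
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30-31
 switchport mode trunk
"""

if __name__ == "__main__":
    for kind, detail in compare_trunk_ends(SW1_GI1_0_1, SW2_GI1_0_24):
        print(f"{kind}: {detail}")
```

The second end leaves the native VLAN at its default, so the comparison reports the mismatch even though only one side carries a native VLAN command.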
Impact
The VLAN information is not dynamically shared across the VTP domain.
Fix
Ensure that you configure VTP Configuration Revision number consistently across devices of the same
VTP domain. You cannot fix this discrepancy through LMS.
Impact
LMS reports a discrepancy when an existing VTP server or primary server goes down and there is no
alternative or backup server.
This can occur in a VTPv2 or VTPv3 domain that has only client mode devices. This could happen when
the existing primary server or server mode device has gone down temporarily and if the server mode
device does not come up.
If you do not configure at least one server, the devices become unreachable. LMS discovers only the
client-mode devices in the domain and ignores the rest.
Fix
Configure at least one device as server in a VTP domain. If the device you have configured as server is
temporarily down, configure another device as server. You cannot fix this discrepancy through LMS.
For more information on VTP domain, see the document Configuring VTP at the following location:
http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notices_list.html
Impact
A half-duplex device waits until no other devices are transmitting on the same LAN segment. However, a
full-duplex device transmits whenever it has something to send, regardless of other devices.
If this transmission occurs while the half-duplex device is transmitting, the half-duplex device will
consider this either a collision (during the slot time), or a late collision (after the slot time). Since the
full-duplex side does not expect collisions, it does not realize that it must retransmit that dropped packet.
A low rate of collisions is normal with half-duplex, but not with full-duplex. If the switch
port receives many late collisions, it usually indicates a duplex mismatch problem. See Figure 14-1.
[Figure 14-1. Labels: A (root); Half-Duplex: still runs carrier sense and collision detection; Full-Duplex: does not do carrier sense; Collision; BPDU lost, to be retransmitted.]
Fix
LMS provides commands to resolve link duplex mismatch. LMS displays commands to set the port
speed to Auto. Setting the port speed to Auto causes the link duplex to be negotiated automatically
between devices.
To fix the discrepancy on switches using Cisco IOS:
Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
duplex auto
end
where auto enables the autonegotiation capability.
Step 2 Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
set port speed mod/port auto
where:
• mod/port refers to the number of the module and the port on the module
• auto specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet
ports
Step 2 Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
Impact
Link speed mismatch results in reduced performance of the link.
Fix
LMS displays commands to resolve link speed mismatch.
To fix the discrepancy on switches using Cisco IOS:
Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
speed auto
end
where auto enables the autonegotiation capability.
Step 2 Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
set port speed mod/port auto
where:
• mod/port refers to the number of the module and the port on the module
• auto specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet
ports
Step 2 Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
Impact
This results in the trunk not coming up, and there would be no traffic flow across the link.
Fix
LMS resolves the discrepancy by setting the trunk modes on the switches to Desirable mode.
To fix the discrepancy on switches using the Catalyst operating system:
Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
set trunk mod/port desirable
where:
• desirable causes the port to negotiate actively with the neighboring port to become a trunk link
• mod/port specifies the number of the module and the port or ports on the module
Step 2 Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
switchport mode dynamic desirable
end
where dynamic desirable specifies an interface that actively attempts to convert the link to a trunk link.
Step 2 Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
Causes of errDisable
A port enters errdisable state for any of the following reasons:
• Channel misconfiguration
• Duplex mismatch
• BPDU port-guard
• UDLD
Impact
When a port is error-disabled, it is effectively shut down and no traffic is sent or received on that port.
The port LED is set to the color orange and when you enter the show port command, the port status
shows errdisable.
Fix
To recover from errDisable:
Step 1 Identify and fix whatever caused the ports to become error-disabled (cable, NICs, EtherChannel, and so
on).
Step 2 Re-enable the port.
Impact
LMS manages only one of these devices.
Fix
Assign unique SysName for all devices in the network. You cannot fix this discrepancy through LMS.
Impact
If you enable PortFast on ports that connect two switches, spanning tree loops can occur if Bridge
Protocol Data Units (BPDUs) are being transmitted and received on those ports.
Fix
LMS provides commands for disabling PortFast on ports.
To fix the discrepancy on switches using the Catalyst operating system:
Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
set spantree portfast mod/port disable
where disable disables the spanning tree PortFast-start feature on the port.
Step 2 Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
no spanning-tree portfast
end
This command disables PortFast on the given port.
Step 2 Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.
Impact
When a non-channel port is in the Desirable mode, the links will not be efficiently used.
Fix
To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1 Go to the Best Practice Deviation report and click the hyperlink in the Summary field.
The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
set port channel mod/port mode auto
Step 2 Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Step 1 Go to the Best Practice Deviation report and click the hyperlink in the Summary field.
The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
channel-group Channel group number mode auto
Step 2 Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
• A port in Auto mode cannot form an EtherChannel with another port that is also in Auto mode, since
neither port initiates negotiation.
• A port in On mode can form a channel only with another port also in On mode, because ports in this
mode do not exchange PAgP packets.
• A port in Off mode cannot form a channel with any port.
Impact
A channel port set to Auto mode is considered a Best Practice Deviation because it is not the recommended
configuration. Cisco recommends that you set the channel port to Desirable mode. There is no serious
impact on the network.
Fix
To fix the Best Practice Deviation on switches using the Catalyst operating system:
Step 1 Go to the Best Practice Deviation report and click the hyperlink in the Summary field.
The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
set port channel mod/port mode desirable
which sets the port to desirable mode.
Step 2 Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Step 1 Go to the Best Practice Deviation report and click the hyperlink in the Summary field.
The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
channel-group Channel group number mode desirable
which sets the port to desirable mode.
Step 2 Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Impact
BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to
an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding
state immediately, instead of going through the listening, learning, and forwarding states.
By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled.
BPDUFilter can be enabled for each port or globally. When you enable BPDUFilter globally, it applies
to all PortFast-enabled ports on the switch.
When you disable PortFast on a port, the BPDU Filter that was globally enabled on the PortFast enabled
port is also disabled.
Fix
LMS provides commands for enabling BPDU Filter on access ports.
To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
set spantree bpdu-filter mod/port enable
where:
• mod/port specifies the number of the module and the port on the module
• enable enables BPDU packet filtering
Step 2 Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
spanning-tree bpdufilter enable
end
where enable enables BPDU Filtering on the particular interface.
Step 2 Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Impact
Cisco recommends that you enable BPDUGuard to block incoming BPDUs on edge devices (end-hosts).
The Cisco BPDUGuard feature, when enabled, informs the switch to disable PortFast ports if a BPDU
is received on those ports.
BPDUGuard can be enabled on each port or globally. When you enable BPDUGuard globally, it applies
to all PortFast-enabled ports on the switch.
Fix
LMS displays commands for enabling BPDU Filter on access ports.
To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
set spantree bpdu-guard mod/port enable
where:
• mod/port specifies the number of the module and the port on the module
• enable enables BPDUGuard
Step 2 Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
spanning-tree bpduguard enable
end
where enable enables BPDUGuard on the particular interface.
Step 2 Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
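The PortFast, BPDU Filter and BPDUGuard checks described above can be reproduced against a saved configuration file. The following is an added example, not part of the LMS guide or of LMS itself: the function names and the sample configuration are constructed, it assumes the Cisco IOS command forms shown in this guide (releases that insert the edge keyword are not handled), and it treats switchport mode trunk as a stand-in for "connects two switches" because a configuration file carries no topology data.

```python
def parse_config(text):
    """Split an IOS configuration into global lines and interface stanzas."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():            # top-level command
            if line.startswith("interface "):
                current = line.split(None, 1)[1]
                interfaces[current] = []
            else:
                current = None
                globals_.append(line)
        elif current is not None:           # indented line inside an interface
            interfaces[current].append(line)
    return globals_, interfaces


def feature_on(lines, globals_, feature):
    """True if 'bpduguard' or 'bpdufilter' is active on a PortFast port."""
    if f"spanning-tree {feature} disable" in lines:
        return False                        # per-port setting overrides the global one
    if f"spanning-tree {feature} enable" in lines:
        return True
    # A global default applies to every PortFast-enabled port.
    return f"spanning-tree portfast {feature} default" in globals_


def audit(text):
    """Return (interface, finding) tuples for the deviations described above."""
    globals_, interfaces = parse_config(text)
    portfast_default = "spanning-tree portfast default" in globals_
    findings = []
    for name, lines in interfaces.items():
        trunk = "switchport mode trunk" in lines
        explicit = any(l in ("spanning-tree portfast", "spanning-tree portfast trunk")
                       for l in lines)
        if trunk:
            # Assumption: a trunk port is a switch-to-switch link.
            if explicit:
                findings.append((name, "portfast-on-trunk"))
            continue
        if "spanning-tree portfast disable" in lines:
            continue
        if not (explicit or portfast_default):
            continue                        # PortFast is not active on this port
        for feature in ("bpduguard", "bpdufilter"):
            if not feature_on(lines, globals_, feature):
                findings.append((name, f"{feature}-missing"))
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
hostname access-sw1
spanning-tree mode pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description user port
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description printer
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/3
 description lab port
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/48
 description uplink to dist-sw1
 switchport mode trunk
 spanning-tree portfast trunk
!
"""

if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

GigabitEthernet1/0/2 is the case a global setting hides: BPDUGuard is enabled by default for the switch, yet the per-port disable leaves that PortFast port without it.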
Impact
If you do not enable BackboneFast on all devices, it might lead to undesirable effects on the spanning
tree operation.
BackboneFast provides rapid convergence from indirect link failures. By adding functionality to STP,
you can reduce convergence times from the default of 50 seconds to 30 seconds.
Figure 14-2 shows an example topology with no link failures. Switch A, the root switch, connects
directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that connects
directly to Switch B is in the blocking state.
[Figure 14-2. Labels: Switch A (Root), Switch B, Switch C; links L1, L2, L3; blocked port.]
If link L1 fails, Switch C detects this failure as an indirect failure, because it is not connected directly to
link L1.
Switch B no longer has a path to the root switch. BackboneFast allows the blocked port on Switch C to
move immediately to the listening state without waiting for the maximum aging time for the port to
expire.
BackboneFast then transitions the port on Switch C to the forwarding state, providing a path from Switch
B to Switch A.
This switchover takes approximately 30 seconds. Figure 14-3 shows how BackboneFast reconfigures the
topology to account for the failure of link L1.
[Figure 14-3. Labels: Switch A (Root), Switch B, Switch C; links L1, L2, L3; link failure.]
Fix
Enable BackboneFast on all switches in a switch cloud.
To enable BackboneFast Globally on a Catalyst operating system:
Note This Best Practice Deviation is not applicable if the device is not an access layer switch.
Cisco recommends that you enable UplinkFast for switches with blocked ports, typically at the access
layer. Do not use on switches without the implied topology knowledge of a backup root link—typically,
distribution and core switches in Cisco's multilayer design. It can be added without disruption to a
production network.
Impact
UplinkFast provides fast STP convergence after a direct link failure in the network access layer. It
operates without modifying STP, and its purpose is to speed up convergence time in a specific
circumstance to less than three seconds, rather than the typical 30-second delay.
Figure 14-4 shows an example topology with no link failures. Switch A, the root switch, is connected
directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that is connected
directly to Switch B is in the blocking state.
[Figure 14-4. Labels: Switch A (Root), Switch B, Switch C; links L1, L2, L3; blocked port.]
If Switch C detects a link failure on the currently active link L2 (a direct link failure), UplinkFast
unblocks the blocked port on Switch C and transitions it to the forwarding state without going through
the listening and learning states, as shown in Figure 14-5. This switchover takes approximately 1 to 5
seconds.
[Figure 14-5. Labels: Switch A (Root), Switch B, Switch C; links L1, L2, L3; link failure; UplinkFast transitions port directly to forwarding state.]
Fix
Enable UplinkFast on all access layer switches.
To enable Uplink Fast on Catalyst operating system:
STP PortFast
STP configures meshed topology into a loop-free, tree-like topology. When the link on a bridge port goes
up, STP calculation occurs on that port. The result of the calculation is the transition of the port into
forwarding or blocking state. The result depends on the position of the port in the network and the STP
parameters.
This calculation and transition period usually takes about 30 to 50 seconds. During that time, no user data
passes through the port, so some user applications can time out.
To allow immediate transition of the port into forwarding state, enable the STP PortFast feature. PortFast
immediately transitions the port into STP forwarding mode upon linkup. This way the port still
participates in STP. So if the port is to be a part of the loop, the port eventually transitions into the STP
blocking mode.
Impact
Enabling both of the above features on a port gives unpredictable results. Hence LMS flags it as a Best
Practice Deviation.
Fix
If you fix the above Best Practice Deviation through LMS, it disables the Port Fast feature in the port.
To fix the Best Practice Deviation on switches using the Catalyst operating system:
Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
set spantree portfast disable
Step 2 Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Impact
Cisco recommends that you set trunk to Off on all non-trunk ports. This helps eliminate wasted
negotiation time when bringing host ports up. If a non-trunk port is set to Desirable, it attempts to
become a trunk port if the neighboring port is in Desirable or Auto mode, although that is not the
intended behavior.
Fix
To fix the Best Practice Deviation, set the trunk mode to Off on all non-trunk ports.
To fix it through LMS, on switches using the Catalyst operating system:
Table 14-1 lists all possible combinations of trunk mode configurations and when LMS reports a Best
Practice Deviation.
Impact
Cisco recommends an explicit trunk configuration of Desirable at both ends. Auto mode indicates a static
property and the port will not initiate the trunking link, if the neighbor does not initiate it. See Table 14-1
for different trunk mode combinations.
Fix
To fix the Best Practice Deviation on switches using the Catalyst operating system:
Impact
There is no serious impact on the network connectivity. It is considered as a Best Practice Deviation
because LMS cannot manage a VTP domain where the same VLAN index has different VLAN names in
transparent and server mode devices.
Fix
Assign the same name for a VLAN Index in both the transparent and server modes of the VTP domain.
You cannot fix this Best Practice Deviation through LMS.
Impact
There is no serious impact on the network connectivity. It is considered as a Best Practice Deviation
because LMS cannot manage a VTP domain with devices where a VLAN part of the transparent mode
device in the domain has the same name as VLAN part of the server mode device in the domain.
Fix
Resolve the conflict by assigning different names for the VLAN part of the transparent mode and the
server mode devices. You cannot fix this Best Practice Deviation through LMS.
Impact
If you disable UDLD, it could result in Spanning Tree loops.
Unidirectional links are often caused by a failure not detected on a fiber link, or by a problem with a
transceiver.
Figure 14-6 (diagram not reproduced): bridges A and B, where B's port should be blocking. BPDUs sent from A
toward B are lost, so B unblocks its port and can forward traffic toward A.
In Figure 14-6, suppose the link between A and B is unidirectional and drops traffic from A to B while
transmitting traffic from B to A. Suppose that B should be blocking. It has previously been stated that a
port can only block if it receives BPDUs from a bridge that has a higher priority. In this case, all these
BPDUs coming from A are lost and bridge B eventually forwards traffic, creating a loop.
To detect the unidirectional links before the forwarding loop is created, Cisco designed and implemented
the UniDirectional Link Detection (UDLD) protocol. This feature is able to detect improper cabling or
unidirectional links on Layer 2 and automatically break resulting loops by disabling some ports.
For maximum protection against symptoms resulting from uni-directional links, we recommend that you
enable aggressive mode UDLD on point-to-point links between Cisco switches, where you have set the
message interval to the default 15 seconds.
Fix
LMS provides commands to enable UDLD on link ports.
To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
set udld enable mod/port
where enable enables the UDLD information display.
Step 2 Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
Impact
In parts of the network where a high level of security is required (such as Internet-facing de-militarized
zones), you should turn off CDP.
Fix
LMS provides commands to disable CDP on switches.
To fix the Best Practice Deviation on switches running Catalyst operating system:
Impact
High Availability:
• Is a critical requirement for most networks. Switch downtime must be minimal to ensure maximum
productivity in a network.
• Allows you to minimize the switch-over time from active supervisor engine to the standby
supervisor engine, if the active supervisor engine fails.
• Allows the active supervisor engine to communicate with the standby supervisor engine, keeping
feature protocol states synchronized.
• Provides a versioning option that allows you to run different software images on the active and
standby supervisor engines.
You can enable High Availability using Command Line Interface (CLI).
Fix
As a general practice with redundant supervisors, we recommend that you enable High Availability
feature for normal operation.
LMS provides commands for enabling High Availability.
To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
set system highavailability enable
Step 2 Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
For more information on Supervisor engines and High Availability, see the document Configuring
Redundancy at the following location:
http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notices_list.html
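The trunk mode, UDLD and CDP recommendations above can also be checked offline against a saved switch configuration. The following Python audit is an added example, not LMS code: the sample configuration is constructed, and the `set trunk` and `set cdp` line shapes, the port lists, the finding names and the treatment of intended trunk ports as the link ports that need UDLD are assumptions.

```python
import re

# Constructed sample in CatOS "set" command style (not from a real device).
SAMPLE_CONFIG = """\
set udld enable 1/1
set trunk 1/1 desirable dot1q 1-1005
set trunk 1/2 auto dot1q 1-1005
set trunk 3/1-2 off negotiate 1-1005
set trunk 3/3 desirable dot1q 1-1005
set cdp disable 3/1
"""

TRUNK_MODES = {"on", "off", "desirable", "auto", "nonegotiate"}
PORT_SPEC = re.compile(r"^(\d+)/(\d+)(?:-(\d+))?$")


def expand_ports(spec):
    """Expand 'mod/port' or 'mod/first-last' (comma-separated) into port names."""
    ports = []
    for part in spec.split(","):
        m = PORT_SPEC.match(part)
        if not m:
            raise ValueError(f"unsupported port spec: {part!r}")
        mod, first = m.group(1), int(m.group(2))
        last = int(m.group(3) or first)
        ports.extend(f"{mod}/{p}" for p in range(first, last + 1))
    return ports


def parse_config(text):
    """Collect per-port trunk mode, UDLD and CDP state; later lines override earlier ones."""
    state = {"trunk": {}, "udld": set(), "cdp_off": set(), "cdp_off_all": False}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "set":
            continue
        if tok[1] == "trunk" and len(tok) >= 4 and tok[3] in TRUNK_MODES:
            for port in expand_ports(tok[2]):
                state["trunk"][port] = tok[3]
        elif tok[1] == "udld" and tok[2] in ("enable", "disable") and len(tok) >= 4:
            ports = expand_ports(tok[3])
            if tok[2] == "enable":
                state["udld"].update(ports)
            else:
                state["udld"].difference_update(ports)
        elif tok[1] == "cdp" and tok[2] in ("enable", "disable"):
            off = tok[2] == "disable"
            if len(tok) >= 4:                      # per-port form
                ports = expand_ports(tok[3])
                if off:
                    state["cdp_off"].update(ports)
                else:
                    state["cdp_off"].difference_update(ports)
            else:                                  # no port given: applies to all ports
                state["cdp_off_all"] = off
                state["cdp_off"].clear()
    return state


def audit(text, trunk_ports, high_security_ports):
    """Return sorted (port, finding) pairs for the deviations described above.

    Only ports with an explicit 'set trunk' line are judged for trunk mode;
    ports left at their default do not appear in the input and are not reported.
    """
    s = parse_config(text)
    findings = []
    for port, mode in s["trunk"].items():
        if port not in trunk_ports and mode != "off":
            findings.append((port, "NONTRUNK_MODE_NOT_OFF"))
        elif port in trunk_ports and mode == "auto":
            findings.append((port, "TRUNK_MODE_AUTO"))
    findings += [(p, "UDLD_NOT_ENABLED") for p in trunk_ports if p not in s["udld"]]
    if not s["cdp_off_all"]:
        findings += [(p, "CDP_NOT_DISABLED")
                     for p in high_security_ports if p not in s["cdp_off"]]
    return sorted(findings)


if __name__ == "__main__":
    # 1/1 and 1/2 are intended trunks; 3/1 and 3/2 face a high-security zone.
    for port, finding in audit(SAMPLE_CONFIG, {"1/1", "1/2"}, {"3/1", "3/2"}):
        print(port, finding)
```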
Step 1 Select Admin > Network > Best Practices Deviation Settings.
The discrepancies page appears. You can view the list of Network discrepancies, and Discrepancies
configured to send Syslog messages by clicking the corresponding View Details link.
Step 2 Click Configure.
The Configuring Discrepancies dialog box appears.
• To include a Discrepancy or Best Practice Deviation in the Reports, check the check box next to it.
Checking all the check boxes results in a report displaying all discrepancies and Best Practice
Deviations in the network.
• To exclude a Discrepancy or Best Practice Deviation from the Reports, uncheck the corresponding
check box.
Step 3 Generate Syslog messages for the selected Discrepancies and Best Practice Deviations. To do this, check
Configure Syslog and click Next.
A list of the selected Discrepancies and Best Practice Deviations appears.
Step 4 Check Send Syslogs and enter the name of the server in the Syslog Server field.
Step 5 Select the Discrepancies and Best Practice Deviations for which you want to generate Syslog messages
and click Next.
A summary of the selected Discrepancies and Best Practice Deviations appears.
Step 6 Click Finish.
You can use the filters to display discrepancy reports for specific devices, link or network types. This
makes it easy to find a particular discrepancy for a particular type.
You can use more than one filter at the same time, but results will vary.
• If you select more than one filter in the same top-level category, Boolean OR is used.
For example, if you select Duplex, Speed under Link, any link or port that fulfils at least one filter
criteria will be displayed in the report.
• If you select more than one filter from different top-level categories, Boolean AND is used.
For example, if you select both a Link type and a Port type filter from the discrepancy filter, any link
that fulfils both filter criteria will appear in the report.
This section describes how to configure some settings for generating reports and how to set a report
publish location. It contains the following sections:
• Specifying User Tracking Report Purge Policy
• Specifying Domain Name Display
• Set Report Publish Location
Step 1 Select Admin > Network > Purge Settings > User Tracking Report Purge Policy.
The Report Settings dialog box appears.
Step 2 Check the relevant check box:
• Purge Archives Older than
• Purge Jobs Older than
You must specify in days, or weeks, or months the period for which you want to retain the report archives
or jobs.
Step 3 Click Save.
Step 1 Select Admin > Network > Display Settings > Domain Name Display.
The Domain Name Display window appears.
Step 2 Select the format for displaying the domain names in User Tracking Reports. You can:
• Show full domain name suffix
• Hide full domain name suffix
• Hide specified domain name suffix
If you want to hide the specified domain name suffix, enter the domain name suffix in the field.
Step 3 Click Save.
Note Ensure that the casuser is assigned the required write permission to publish the PDF format of the report
to the directory path.
Step 1 Select Reports > Report Settings > Report Publish Path.
Step 2 Select Report Location.
The Default Report Publish Location page appears, displaying Default Location Settings dialog box.
Table 15-1 describes the field in the Default Location Settings dialog box.
Field/Button Description
Report Location Directory path where the PDF format of the reports are published.
Use the Browse button to select a directory path.
The Server Side File Browser dialog box is launched. You can select the
directory path in this dialog box.
Step 4 Select the directory path from the Server Side File Browser dialog box.
Step 5 Click OK.
The directory path is displayed in the Report Location field.
Step 6 Click Apply to save the default directory path settings or Cancel to reset the directory path.
Step 1 Select Admin > Network > Purge Settings > Layer2 Services Purge Settings.
The Network Reports Purge Settings dialog box appears. Under Report Settings, you can specify the
Purge Policy for archives or jobs here.
Step 2 Check the Purge Archives Older Than check box to specify the periodicity at which to purge archives.
For instance, if you select 44 days, LMS purges archives that are older than 44 days.
Step 3 Check the Purge Jobs Older Than check box to specify the periodicity at which to purge jobs.
For instance, if you select 2 weeks, LMS purges jobs that are older than 2 weeks.
Step 4 Click Save.
Step 1 Select Admin > Network > Purge Settings > VRF Lite Purge Settings.
The Purge Settings dialog box appears.
Step 2 Specify the Purge Policy for archives or jobs.
Step 3 Check the Purge Archives Older Than to specify the periodicity at which to purge archives.
For instance, if you select 44 days, VRF Management purges archives that are older than 44 days.
Step 4 Check the Purge Jobs Older Than to specify the periodicity at which to purge jobs.
For instance, if you select 2 weeks, VRF Management purges jobs that are older than two weeks.
Step 5 Click Save.
Caution Ensure that the configuration change detection schedule does not conflict with purging, since both
processes are database-intensive. Also back up your system frequently to prevent losing versions.
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Step 1 Select Admin > Network > Purge Settings > Config Archive Purge Settings.
The Archive Purge Setup dialog box appears.
Step 2 Select Enable.
Step 3 Click Change to schedule a Purge job.
The Config Purge Job Schedule dialog box appears.
Step 4 Enter the following information:
Field Description
Scheduling
Run Type You can specify when you want to purge the configuration archive files.
To do this, select one of these options from the drop-down menu:
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the specified day of the week and at the specified time.
• Monthly—Runs monthly on the specified day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has
completed.
If the 10:00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, the next job
will start only at 10:00 a.m. on November 3.
Date You can select the date and time (hours and minutes) to schedule the job.
Job Information
Job Description The system default job description, Default archive purge job is displayed.
You cannot change this description.
E-mail Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin
> System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job starts or completes, an e-mail is sent from
the E-mail ID.
Step 5 Specify when to purge configuration files from the archive by selecting one or all of the following purge
policies:
• Click Maximum versions to retain and enter the number of configurations to be retained.
• Click Purge versions older than and enter the number of days, weeks, or months.
• Click Purge labeled files to delete the labeled configuration files.
The Purge labeled files option must be used either with the Maximum versions to retain or Purge
versions older than options. You cannot use this option without enabling either Maximum versions
to retain or Purge versions older than options.
The labeled files are purged only if they satisfy the conditions given in the Maximum versions to
retain and Purge versions older than options.
The Labeled configuration files are not deleted even if they satisfy either of the purge conditions
(Maximum versions to retain and Purge versions older than) unless you enable the Purge labeled
files option.
These purge policies are applied sequentially. That is, if you have enabled all the three purge
policies, LMS applies the Purge policies in this sequence:
a. Maximum versions to retain
b. Purge versions older than
c. Purge labeled files
Archive Management does not purge the configuration files, if there are only two versions of these files
in the archive.
Step 6 Click Apply.
A message appears, New settings saved successfully.
Step 7 Click OK.
You can check the status of your scheduled job by selecting Admin > Jobs > Browser.
Note View the Permission Report (Reports > System > Users > Permission) to check if you have the
required privileges to perform these tasks.
Step 1 Select Admin > Network > Purge Settings > Syslog Backup Settings.
The Backup Policy dialog box appears.
By default, the backup policy is set to disabled.
Step 2 Select Enable to enable the backup process for Syslog messages, after configuring backup.
Step 3 Click Browse to select the backup file location.
The Server Side File Browser dialog box appears.
In the Server Side File Browser dialog box:
a. Specify the external directory.
The external directory must be under the syslog directory, or a sub-directory within the syslog
directory. For example, $NMSROOT/files/rme/syslog/sysbackup.
The external directory cannot be outside the syslog directory. If you attempt to navigate outside the
syslog directory, an error message appears.
b. Select Directory Content.
c. Click OK.
Step 4 Enter the maximum size that you want to set for the backup file. By default this is set to 100 MB.
Step 5 Enter the e-mail ID of the user who should receive a notification, if the backup fails. You can enter
multiple e-mail addresses separated with commas. This is a mandatory field.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin >
System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job completes, an e-mail is sent from the E-mail
ID.
If you also want a notification to be sent when the backup is a success, select Also Notify on Success.
Step 6 Either click Save to save the backup configuration details that you have specified or click Reset to clear
the values that you specified and reset to the previously saved values in the dialog box.
If you have clicked Save, the backup will continue to save the data even after the data has exceeded the
specified size of the backup file. However, the system will send an e-mail asking you to clean up the
backup file.
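The rule in Step 3 that the backup directory must stay inside the syslog directory is a path containment check. The following Python code is an added example, not LMS code, showing such a check beside a plain string-prefix comparison that parent references, look-alike sibling names and symbolic links get past. A temporary directory stands in for $NMSROOT, the function names are hypothetical, and accepting the syslog directory itself as a valid location is an assumption.

```python
import os
import tempfile


def is_within(base_dir, candidate):
    """True if candidate resolves to base_dir or to a directory beneath it."""
    base = os.path.realpath(base_dir)
    # A relative candidate is taken relative to base; an absolute one replaces it.
    target = os.path.realpath(os.path.join(base, candidate))
    try:
        # Compare whole path components after resolving '..' and symlinks.
        return os.path.commonpath([base, target]) == base
    except ValueError:  # for example, paths on different drives on Windows
        return False


def naive_is_within(base_dir, candidate):
    """Weak check shown for contrast: string prefix only, nothing resolved."""
    return os.path.join(base_dir, candidate).startswith(base_dir)


def demo():
    """Build a throwaway tree and return {case: (resolved_check, prefix_check)}."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        # Stand-in for $NMSROOT/files/rme/syslog (constructed layout).
        syslog = os.path.join(root, "files", "rme", "syslog")
        os.makedirs(os.path.join(syslog, "sysbackup"))
        os.makedirs(syslog + "_old")            # sibling sharing the name prefix
        outside = os.path.join(root, "elsewhere")
        os.makedirs(outside)

        cases = {
            "subdir": "sysbackup",
            "dotdot": os.path.join("sysbackup", "..", "..", "syslog_old"),
            "sibling_prefix": syslog + "_old",
            "absolute_outside": outside,
        }
        try:
            # A link that lives inside the syslog directory but points outside it.
            os.symlink(outside, os.path.join(syslog, "link"))
            cases["symlink_escape"] = "link"
        except OSError:
            pass  # symlinks unavailable on this platform; case skipped

        return {name: (is_within(syslog, c), naive_is_within(syslog, c))
                for name, c in cases.items()}


if __name__ == "__main__":
    for name, (resolved, prefix) in demo().items():
        print(f"{name:18} resolved={resolved!s:5} prefix_only={prefix}")
```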
Step 1 Select Admin > Network > Purge Settings > Syslog Purge Settings.
The Purge Policy dialog box appears.
Step 2 Specify the number of days in the Purge records older than field.
Only the records older than the number of days that you specify here, will be purged. The default value
is 7 days. This is a mandatory field.
Caution You might delete data by changing these values. If you change the number of days to values lower than
the current values, messages over the new limits will be deleted.
If the data of a particular day is being accessed either through Immediate reports, Report jobs, or by any
other means, it will not be purged. However, during the successive purge operations this data will be
purged.
Step 3 Specify the periodicity of the purge in the Run Type field. This can be monthly, daily, or weekly.
Step 4 Select the start date using the calendar icon, to populate the date field in the dd-mmm-yyyy format (For
example, 02-Dec-2004). This is a mandatory field.
Step 5 Enter the start time in the At field, in the hh:mm:ss format (23:00:00). This is a mandatory field.
The Job Description field has a default description—Syslog Records - default purge job.
Enter the e-mail ID of the user who should be notified when the scheduled purge is complete. You can
enter more than one e-mail ID separated by commas. This is a mandatory field. Configure the SMTP
server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System
Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job completes, an e-mail is sent from E-mail ID.
Step 6 Either click Save to save the purge policy that you have specified or click Reset to clear the values that
you specified and reset the defaults in the dialog box.
You can view the scheduled purge job in the Job Browser (Admin > Jobs > Browser).
Step 1 Select Admin > Network > Purge Settings > Syslog Force Purge.
The Force Purge dialog box appears.
Step 2 Enter the information required to perform a Forced Purge:
Field Description
Purge records older than Enter the number of days. Only the records older than the number of days that you specify here,
will be purged. This is a mandatory field.
If the data of a particular day is being accessed either through Immediate reports, Report jobs, or
by any other means, it will not be purged. However, during the successive purge operations this
data will be purged.
Scheduling
Run Type Specify whether the purge is to be Immediate or Once.
• If you select Immediate, all the other options will be disabled for you.
• If you select Once, you can specify the start date and time and also provide the job
description (mandatory) and the e-mail ID for the notification after the scheduled purge is
complete.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences
dialog box (Admin > System > System Preferences). When the job completes, an e-mail is
sent from E-mail ID.
Date Select the start date using the calendar icon, to populate the Date field in the dd-mmm-yyyy
format, for example, 02-Dec-2004. This is a mandatory field.
The Date field is enabled only if you have selected Once as the Run Type.
at Enter the start time, in the hh:mm:ss format (23:00:00).
The at field is enabled only if you have selected Once as the Run Type.
Job Info
Job Description Enter a description for the forced purge job.
The Job Description field is enabled only if you have selected Once as the Run Type. This is a
mandatory field.
E-mail Enter the e-mail ID of the user who should be notified when the Forced Purge is complete. You
can enter more than one e-mail ID separated by commas.
The e-mail field is enabled only if you have selected Once as the Run Type.
Configure the SMTP server to send e-mails in the View/ Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box
(Admin > System > System Preferences). When the job completes, an e-mail is sent from
E-mail ID.
You can view the scheduled Force Purge job in the Job Browser (Admin > Jobs > Browser).
Note TrustSec was known as Identity in the versions of LMS earlier than 4.2. Identity jobs will be
available for purging only if they have been backed up from the versions of LMS earlier than 4.2
and restored.
Column Description
Application Lists the application for which the Purge is applicable.
Status Whether a Purge job is enabled or disabled.
Policy This value is in days. Data older than the specified value, will be purged. You can change this value
as required. This is a mandatory field. The default is 180 days.
Job ID Unique ID assigned to the job by the system, when the Purge job was created. This job ID does not
change even when you disable or enable or change the schedule of the Purge job.
For Purge Now task, job ID is not assigned. Also, if a Job ID already exists for that application, the
job ID is not updated for Purge Now tasks. That is, the scheduled Purge job is not affected by Purge
Now task.
Scheduled At Date and time for which the job is scheduled. For example: Nov 17 2004 13:25:00.
Schedule Type Specifies the type of schedule for the Purge job:
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the specified day of the week and at the specified time.
• Monthly—Runs monthly on the specified day of the month and at the specified time. (A month
comprises 30 days).
You can select the applications by checking the check boxes next to the application to perform the
following tasks using the Job Purge window:
Button Description
Schedule Schedules a Purge job.
Enable After you schedule a job, you can enable Purge.
Disable After you schedule a job, if you have enabled the Purge job, you can choose to disable it.
Purge Now Perform Immediate Purge.
You can select more than one application to purge in a single step. After selecting the applications,
click on this button to purge jobs.
Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings.
The Job Purge dialog box appears.
To create a Purge job,
Step 2 Select Schedule.
The Purge Schedule dialog box appears for the selected application.
Field Description
Scheduling
Run Type Select the frequency at which the job should be run:
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the specified day of the week and at the specified time.
• Monthly—Runs monthly on the specified day of the month and at the specified time. (A month comprises
30 days).
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will
run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the
10:00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, then the next job will start
only at 10:00 a.m. on November 3.
Date 1. Click on the date picker icon and select the date, month and year.
Your selection appears in the Date field in this format:
dd Mmm yyyy (example: 14 Nov 2004).
2. Select the time (hh and mm) from the drop-down lists in the at fields.
Job Info
Days The default setting for purging archived data is 180 days. That is, data older than 180 days will be purged.
You can change this value as required. This is a mandatory field.
You can enter only whole numbers for days. You cannot enter fractions of days.
Job Description Based on the option that you selected, you see a default job description.
For example, for Software Management Purge jobs the default description is:
Purge - Software Management Jobs.
For Reports Archive Purge, the default description is: Purge - Reports Archive Purge.
Step 3 Click Done. The Purge job appears in the Job Purge dialog box.
Note You cannot purge the jobs that are in the running state.
Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings.
The Job Purge dialog box appears.
Step 2 Click Enable.
A confirmation message appears:
There is a purge schedule and it is enabled.
Step 3 Click OK.
The Status column in the Job Purge window displays Enabled for the selected application Purge job.
Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings.
The Job Purge dialog box appears.
Step 2 Click Disable.
A confirmation message appears:
There is a purge schedule and it is disabled.
Step 3 Click OK.
The Status column in the Job Purge window displays Enabled for the selected application Purge job.
Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings.
The Job Purge dialog box appears.
Step 2 Click Purge Now.
The Explorer User Prompt dialog box appears.
Step 3 Enter the number of days; jobs older than this are purged.
The default setting for purging archived data is 180 days. That is, data older than 180 days will be
purged. You can change this value as required.
You can enter only whole numbers for days. You cannot enter fractions of days.
Step 4 Click OK.
The Purge Job Details window appears displaying the purged job details.
Note You cannot purge the jobs that are in the running state.
• Job Purge jobs—Purge all Job Purge jobs older than the specified number of days.
• Maintenance jobs—Purge all Maintenance jobs older than the specified number of days.
To schedule Job Purge:
Step 1 Select Admin > Network > Purge Settings > Performance Job Purge Settings.
Step 2 Select Job Purge.
The Job Purge Settings page appears, displaying Job Purge Schedule dialog box.
Table 16-1 describes the fields in the Job Purge Schedule dialog box.
Field/Button Description
Scheduling
Run Type Specify the type of schedule for job purge:
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the specified day of the week and at the
specified time.
• Monthly—Runs monthly on the specified day of the month and at the
specified time. (A month comprises 30 days).
For Daily jobs, the subsequent instances of jobs will run only after the earlier
instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November
1, the next instance of this job will run at 10:00 a.m. on November 2, only if
the earlier instance of the November 1 job has completed. If the 10:00 a.m.
November 1 job has not been completed before 10:00 a.m. November 2, then
the next job will start only at 10:00 a.m. on November 3.
Date Specify the date and time for which the purge is scheduled.
Select the date by clicking the calendar icon and time from the drop-down
list.
Purge Policy
Days The default setting for purging archived job data is 30 days. That is, job data
older than 30 days will be deleted. You can change this value as required.
This is a mandatory field.
You can enter only whole numbers for days. You cannot enter fractions of
days.
Apply (button) Job purge is scheduled at the specified Run Type and Date for the job data
older than the days specified in the Days field.
Purge Now (button) Job purge is done immediately for the job data older than the days specified
in the Days field.
Note We recommend that you wait for any activity currently running in the system to stop before purging jobs.
By default, all Job Purge jobs older than seven days are purged by Cisco Prime LMS.
Note It is recommended to keep the LMS view in LMS Portal closed, when the data purge job is running.
Step 1 Select Admin > Network > Purge Settings > Performance data purge settings.
Step 2 Select Data Purge.
The Data Purge Settings page appears, displaying the Data Purge Schedule dialog box.
Table 16-2 describes the fields in the Data Purge Schedule dialog box.
Field/Button Description
Purge Schedule
Run Type Specify the type of schedule to perform Data Purge:
• Hourly—Runs hourly.
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the specified day of the week and at the
specified time.
• Monthly—Runs monthly on the specified day of the month and at the
specified time. (A month comprises 30 days).
By default, Daily is set as the default Run Type schedule for Data Purge.
For example, if you have scheduled Run Type as Daily for Data Purge job at
10:00 a.m. on November 1, the next instance of this Data Purge job will run
at 10:00 a.m. on November 2, only if the earlier instance of the November 1
job has completed.
If the 10:00 a.m. November 1 Data Purge job has not been completed before
10:00 a.m. November 2, then the next Data Purge job will start only at 10:00
a.m. on November 3.
Date Specify the date and time for which the Data Purge job is scheduled.
Select the date by clicking the calendar icon and time from the drop-down
list.
Purge Policy
Days The following are the default settings for purging the following data:
• 5 Minute's Summarization records—3 days
• 30 Minute's Summarization records—15 days
• 3 Hour Summarization records—90 days
• 12 Hour Summarization records—365 days
• Poller failure records—1 day
• Threshold violation records—180 days
• Audit trail records—90 days
• TrendWatch violation records—180 days
• Status change details records—15 days
The default data purge settings provide optimal performance of Cisco Prime
LMS. You can also change the default purge settings as required. However,
the performance of Cisco Prime LMS may not be as expected.
You can enter only whole numbers for days. You cannot enter fractions of
days.
This is a mandatory field.
Apply (button) Data purge is scheduled at the specified Run Type and Date for the data older
than the days specified in the Days field.
Purge Now (button) Data purge is done immediately for the data older than the days specified in
the Days field.
Note By default, all Summarization jobs older than seven days are purged by Cisco Prime LMS.
Step 1 Select Admin > Network > Purge Settings > Performance Data Purge Summary.
Step 2 Select Purge Details.
The Purge Details page appears, displaying Show Purge Details dialog box.
Table 16-3 describes the fields in the Show Purge Details dialog box.
Field Description
Details Displays the purge details of the Data Purge job.
The following purge information is displayed:
• Next Data Purge Job scheduled at
• No. of Poll Failure records purged
• No. of Audit Trail records purged
• No. of Threshold Violation records purged
• No. of Polled records purged
• Last Job Purge completed at
• No. of TrendWatch violation records purged
Value Details the number of records purged and purge schedule.
Step 1 Select Admin > Network > Purge Settings > IPSLA data Purge Settings.
The Purge Settings page appears.
Step 2 Specify the Purge period. For more information, see Table 16-4.
Step 3 Click Apply.
A message appears stating that the Purge settings are updated successfully.
Step 4 Click OK.
Data for Fault History remains in the LMS database for 31 days. Purging occurs every day to maintain
only 31 days of data. You can select the time of day that purging begins. By default, purging begins at
00:00.
Step 1 Select Admin > Network > Purge Settings > Fault History Purging Schedule.
Step 2 Select the Purge Time:
• Hour—From 0 to 23
• Minute—From 0 to 50 in ten-minute intervals
The default purge time is 00:00.
Step 3 Click Apply.
You can check the status of the Fault History data purge job from the Job Manager page each day after
the job runs. To do so, select Admin > Jobs > Browser and find DFM:DataPurge under Job Type.
For more information, see Configuring Fault Management Rediscovery Schedules.
The Debugging Settings menu allows the administrator to set the debugging settings of various modules in
LMS.
This section contains:
• Configuring Discovery Logging
• Maintaining Log Files
• Performance Debugging Settings
• Config and Image Management Debugging Settings
• Configuring Logging
• Fault Debugging Settings
• Setting Debugging Options for Topology and User Tracking
• Setting VRF Lite Debugging Options
• Neighbor Module
• Pingsweep Module
• RouterPeer Module
• RT Module
• CSDiscoveryAdaptor
• Discovery DeviceInfo
The debugging option for all the Device Discovery components is disabled by default.
To enable the debugging option for the LMS Device Discovery components:
Step 1 Select Admin > System > Debug Settings > Discovery Logging Configuration. The Discovery
Logging Configuration page appears.
Step 2 Select one or more Discovery modules or components from the Disabled Modules list box.
Step 3 Click Add to add the components to the Enabled Modules list box.
Step 4 Click Apply.
Debugging is enabled for all the components listed in the Enabled Modules list box. The changes will
come into effect after 60 seconds.
To disable the debugging option, move the selected component from the Enabled Modules list box to the
Disabled Modules list box using the Remove button.
Caution As part of the file back-up procedure, Cisco Prime Daemon Manager is shut down and restarted. To
prevent loss of data, make sure you are not running any critical tasks.
Step 1 Make sure the new location has sufficient disk space.
Step 2 Log in as the superuser, and enter the root password.
Step 3 Stop all processes by entering /etc/init.d/dmgtd stop.
Step 4 Perform log maintenance by running logrot.
See Configuring Logrot Utility and Running Logrot Script for more information.
Step 5 Verify the procedure was successful by examining the contents of the log files in this location:
/var/adm/CSCOpx/log/*.log
Only log files that reach 90% of their size limits are backed up, and the original log file is emptied.
Step 6 Restart the system by entering /etc/init.d/dmgtd start.
Step 7 Select Reports > System > Status > Log File to view your log changes.
Step 1 Make sure the new location has sufficient disk space.
Step 2 Go to the command line and make sure you have the correct permissions.
Step 3 Stop all processes by entering:
net stop crmdmgtd
Step 4 Perform log maintenance by running logrot.
See Configuring Logrot Utility and Running Logrot Script for more information.
Step 5 Verify the procedure was successful by examining the contents of the log files in the following location:
NMSROOT\log\
Only log files that reach 90% of their size limits are backed up, and the original log file is emptied.
Step 6 Restart the system by entering:
net start crmdmgtd
Step 7 Select Reports > System > Status > Log File to view your log changes.
Component/Module | Directory Path | File | Description
AAA Services | /MDC/log/ | core* | Logs for Authentication, Authorization and Accounting process
Backup and Restore | Normal top-level log directories | dbbackup.log, restorebackup.log, restorebackup.log.old | Backup and restore logs
Cisco Prime LMS General Log Files | /MDC/Apache/logs/ | error.log | Log for General Cisco Prime LMS errors
Cisco Prime LMS General Log Files | Normal top-level log directories | perlerr.log | Log for Perl interpreter errors
Cisco Prime LMS General Log Files | Normal top-level log directories | Proxy.log | Log for Proxy activity
Cisco Prime LMS General Log Files | Normal top-level log directories | event.log | Log for Cisco Prime LMS events
Cisco Prime LMS General Log Files | Normal top-level Solaris/Soft Appliance log directory only | daemons.log | Log for all Daemon Manager-controlled processes (On Solaris/Soft Appliance only).
Cisco Prime Syslog Service | Normal top-level Windows log directory only | syslog.log | Syslogs received from device/machine (On Windows only).
Cisco Prime Syslog Service | Normal top-level Windows log directory only | syslog_debug.log | CRMLogger debugging information and messages from device/machine (On Windows only).
Database Services | Normal top-level log directories | CmfDbMonitor.log | Log for Sybase database operations
Database Services | Normal top-level log directories | dbpwdChange.log | Log for Database password changes
Database Services | Normal top-level log directories | dbrestoreorig.log | Log to restore the database to factory settings
Database Services | Normal top-level log directories | dmgtDbg.log | Log for Daemon Manager interactions with Sybase database
Database Services | /objects/db/win32/ | dbcond8.log | Database condition log
Device and Credentials Administration | Normal top-level log directories | dcr.log | Logs for Device and Credentials Administration activities
Device and Credentials Administration | Normal top-level log directories | DCRDevPoll.log | Logs to detect and delete Unreachable devices
Device and Credentials Administration — Import and Export Module | Normal top-level log directories | dcrimpexp.log, DCRServer.log (Windows Only), daemons.log (Solaris/Soft Appliance Only) | Logs to import and export Device and Credentials Administration
Device Center | Normal top-level log directories | SnmpWalk* | Log for SNMP Walk
Device Center | Normal top-level log directories | SnmpSet* | Log for SNMP Set
Device Discovery | Normal top-level log directories | CSDiscovery.log, ngdiscovery.log | Device discovery logs
Device Selector | Normal top-level log directories | CSDeviceSelector.log | Device Selector log file
Role Management | /MDC/log/ | cam.log | Role Management log file
Disk Space Monitoring Services | Normal top-level log directories | diskWatcher.log | Logs storing the disk space information
Event Distribution Services | Normal top-level log directories | EDS-GCF.log, EDS.log | Logs for Event Distribution Services activities
Event Services | Normal top-level log directories | ESS.log, JavaDebug.log | Logs for Event Services
Grouping Service | Normal top-level log directories | CMFOGSClient.log | Log for Grouping Service client
Grouping Service | Normal top-level log directories | CMFOGSServer.log | Log for Grouping Service server
JacORB | Normal top-level Windows log directory only | NameServiceMonitor.log, NameServer.log | Logs for NameServiceMonitor from JacORB package (On Windows only)
Job Services | Normal top-level Windows log directory only | daemons.log (Solaris/Soft Appliance Only), jrm.log (Windows Only) | Logs for various Jobs
Licensing | Normal top-level log directories | LicenseServer.log | License Server activity
Licensing | Normal top-level log directories | license.log | Product license changes
Messaging Service | Normal top-level log directories | lwms.log | Lightweight Messaging Service activity
Software Center | Normal top-level log directories | psu.log | Log for Software Center related activities
Web Services | /MDC/Apache/logs/ | access.log, error.log, mod_jk.log | Logs for Apache activity
Web Services | Normal top-level log directories | ssl.log | Log for Apache activity
Web Services | /MDC/tomcat/logs/ | jasper-YYYYMMDD.log, servlet-YYYYMMDD.log, stderr.log, stdout.log | Logs for all Tomcat activities
Web Services | Normal top-level log directories | changeport.log | Port change information
Logs for Common Services backend processes | Normal top-level log directories | CSRegistryServer.log | Log for CSRegistryServer process
Logs for Common Services backend processes | Normal top-level log directories | TomcatMonitor.log | Log for TomcatMonitor process
Table 17-1 List of Topology and Identity Services Log File Details
Log File | Module | Location in Windows | Location in Solaris/Soft Appliance | Purpose
ani.log | Data Collection | NMSROOT/log/ani.log | /var/adm/CSCOpx/log/ani.log | Debugs Data Collection process.
AniServer.log | ANIServer | NMSROOT/log/ANIServer.log | /var/adm/CSCOpx/log/dmgtd.log | Debugs ANIServer process
Campus.log | LMS Configuration and reports | NMSROOT/log/Campus.log | /var/adm/CSCOpx/log/Campus.log | Debugs Topology and Layer 2 Services module of LMS
CampusOGSServer.log | Topology and Layer 2 Services OGSServer | NMSROOT/log/CampusOGSServer.log | /var/adm/CSCOpx/log/CampusOGSServer.log | Debugs Topology and Layer 2 Services OGSServer process
CampusOGSClient.log | OGS client | NMSROOT/log/CampusOGSClient.log | /var/adm/CSCOpx/log/CampusOGSClient.log | Debugs Topology and Layer 2 Services OGSClient
campusportal.log | Portal | NMSROOT/log/campusportla.log | /var/adm/CSCOpx/log/campusportal.log | Debugs the Topology and Layer 2 Services portlets.
Cmapps.log | User Tracking UI | NMSROOT/log/Cmapps.log | /var/adm/CSCOpx/log/Cmpapps.log | Debugs all the UI pages for User Tracking
macuhic.log | MACUHIC | NMSROOT/log/macuhic.log | /var/adm/CSCOpx/log/macuhic.log | Debugs MACUHIC process for Dynamic UT
ut.log | User Tracking | NMSROOT/log/ut.log | /var/adm/CSCOpx/log/ut.log | Debugs the User Tracking module
utlite.log | UTLITE | NMSROOT/log/utlite.log | /var/adm/CSCOpx/log/utlite.log.log | Debugs UTLite Server.
UTMajorAcquisition.log | User Tracking | NMSROOT/log/UTMajorAcquisition.log | /var/adm/CSCOpx/log/dmgtd.log | Debugs UTMajorAcquisition process.
utm.log | UTManager | NMSROOT/log/Utm.log | /var/adm/CSCOpx/log/utm.log | Debugs UTManager process of Dynamic UT
Vnmclient.log | VRF Lite UI | NMSROOT/log/Vnmclient.log | /var/adm/CSCOpx/log/Vnmclient.log | Debugs VRF Lite UI
Vnmcollector.log | VRF Lite Collector | NMSROOT/log/VnmCollector.log | /var/adm/CSCOpx/log/Vnmcollector.log | Debugs VRF Lite Collector process.
VNMDeviceSelector.log | VRF Lite Device selector | NMSROOT/log/VnmDeviceSelector.log | /var/adm/CSCOpx/log/VNMDeviceSelector.log | Debugs the device selector provided by VRF Lite.
Vnmserver.log | VRF Lite Server | NMSROOT/log/Vnmerver.log | /var/adm/CSCOpx/log/Vnmserver.log | Debugs VRF Lite Server process
Vnmutils.log | VRF Lite UI and Server | NMSROOT/log/Vnmutils.log | /var/adm/CSCOpx/Vnmutils.log | Debugs utility classes used by VRF Lite client and server.
Note NMSROOT is the folder where LMS is installed on the server. If you selected the default directory during
installation, it is C:\Program Files\CSCOpx. On Solaris/Soft Appliance it is /opt/CSCOpx.
When a log file reaches its maximum size, the module backs up the file and starts writing to a new log
file. The module appends a number to the backup file, until it reaches the maximum allowed backups.
In the following example, the oldest file is TISServer.log.2, and TISServer.log is the current log file.
02:42 PM 4,481,607 TISServer.log
10:22 AM 5,120,447 TISServer.log.1
03:17 AM 5,120,105 TISServer.log.2
By default, Fault Management writes error messages only to log files. You can change the logging level
and thereby affect the amount of information stored in log files. To do so, see Fault Debugging Settings.
If there are two instances of the DfmServer running, each will have a log file, DFM.log and DFM1.log.
Function/Module | Folder in NMSROOT\log\dfmLogs | Log Files | Maximum Size (KB) | No. of Backup Files
Alerts and Activities Display | AAD | AAD.log | 1000 | 3
Inventory Interactor | cfi | Interactor.log/Interactor1.log | 1000 | 5
Inventory Collector | cfi | InventoryCollector.log/InventoryCollector1.log | 35000 | 5
Polling and Threshold Adapter | cfi | PollingThresholdAdapter.log/PollingThresholdAdapter1.log | 10000 | 5
Detailed Device View | DDV | DDV.log | 1000 | 2
Daily Purging Schedule | DPS | DPS.log | 100 | 2
Event Processing Adapters | epa | adapterServer.log/adapterServer1.log, dfmEvents.log/dfmEvents1.log | 1000 | 5
Event Promulgation Module | EPM | EPM.log | 15000 | 5
Fault History | FH | FHCollector.log, FHUI.log | 1000 | 2
Logging Services | LogService | DfmLogService.log | 500 | 2
Processes with multiple threads | LogService | MultiProcLogger.log | 10000 | 5
License (device limit) | license | licenseCheck.log | 100 | 2
Notification Services | NOS | nos.log | 5000 | 2
Fault Management Object Grouping Service Server | N/A (1) | DFMOGSServer.log | 30000 (2) | 15 (2)
Polling and Threshold Manager | PTM | PTMClient.log, PTMServer.log | 1000 | 5
Polling and Threshold Manager (database) | PTM | PTMDB.log | 1000 | 5
Polling and Threshold Manager (grouping services) | PTM | PTMOGS.log | 1000 | 5
Polling and Threshold Manager (Polling and Threshold Adapter) | PTM | PTMPTA.log | 1000 | 5
Rediscovery Schedule | Rediscovery | Rediscovery.log | 100 | 2
Device and Credentials Repository Adapter | TIS | DCRAdapter.log | 1000 | 2
Device Management | TIS | DeviceManagement.log | 1000 | 2
Inventory Service | TIS | TISServer.log | 1000 | 2
View Group Management | VGM | vgm.log | 1000 | 3
1. The DFMOGSServer.log file is not stored in NMSROOT/log/dfmLogs with the other Fault Management log files. It is stored in NMSROOT/log on
Windows, and /var/adm/CSCOpx/log on Solaris/Soft Appliance.
2. On Windows, there is no limit setting for the log size or number of backup log files for DFMOGSServer.log.
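When Fault Management logs are collected for review, the backup numbering and the size and backup limits described above determine the reading order and what a complete set looks like. The following Python code is an added example, not part of LMS: the function names and the sample listing are constructed, and it assumes that 1 KB is 1024 bytes and that backups are numbered consecutively from 1.

```python
import re
from collections import defaultdict

# Maximum size (KB) and number of backup files for some Fault Management
# logs, copied from the guide's table of Fault Management log files.
FM_LIMITS = {
    "AAD.log": (1000, 3),
    "DPS.log": (100, 2),
    "EPM.log": (15000, 5),
    "nos.log": (5000, 2),
    "TISServer.log": (1000, 2),
}

_ROTATED = re.compile(r"^(?P<base>.+\.log)(?:\.(?P<n>\d+))?$")

# Constructed sample: (file name, size in bytes) as seen in a log directory.
SAMPLE_LISTING = [
    ("TISServer.log", 400_000),
    ("TISServer.log.1", 1_023_000),
    ("TISServer.log.2", 1_022_500),
    ("nos.log", 9_000_000),
    ("nos.log.2", 5_100_000),
    ("AAD.log", 12_000),
    ("AAD.log.4", 900_000),
]


def split_name(filename):
    """Return (base log name, backup index); the current log has index 0."""
    m = _ROTATED.match(filename)
    if not m:
        raise ValueError(f"not a log file name: {filename!r}")
    return m.group("base"), int(m.group("n") or 0)


def chronological(listing):
    """Group files by base log and order each group oldest first."""
    groups = defaultdict(list)
    for name, _size in listing:
        base, n = split_name(name)
        groups[base].append((n, name))
    # The highest backup number is the oldest file; the current log
    # (index 0) is the newest.
    return {base: [name for _n, name in sorted(files, reverse=True)]
            for base, files in groups.items()}


def audit(listing, limits=FM_LIMITS):
    """Return sorted (file, finding) pairs for logs that break the limits."""
    findings = set()
    indexes = defaultdict(set)
    for name, size in listing:
        base, n = split_name(name)
        if base not in limits:
            continue
        max_kb, max_backups = limits[base]
        indexes[base].add(n)
        if size > max_kb * 1024:  # assumption: 1 KB = 1024 bytes
            findings.add((name, "larger than maximum size"))
        if n > max_backups:
            findings.add((name, "beyond allowed backup count"))
    for base, seen in indexes.items():
        # Assumption: backups are numbered 1..k without holes, so a hole
        # means a file was removed or renamed after rotation.
        for missing in sorted(set(range(0, max(seen))) - seen):
            missing_name = base if missing == 0 else f"{base}.{missing}"
            findings.add((missing_name, "missing from rotation sequence"))
    return sorted(findings)


if __name__ == "__main__":
    print(chronological(SAMPLE_LISTING)["TISServer.log"])
    for name, finding in audit(SAMPLE_LISTING):
        print(f"{name}: {finding}")
```

A missing backup number or a file beyond the allowed backup count is worth recording before the logs are merged, because it means the collected set is not what rotation alone would have produced.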
Step 1 Select Admin > System > Debug Settings > Performance Debugging Settings.
Step 2 Select Log Level Settings.
The Set Application Logging Levels dialog box appears.
Step 3 Select the application module from the drop-down list.
The sub-modules for the selected application module appear in the Module field.
Step 4 Select an appropriate log level from the Logging Level drop-down list. Changes to Device Performance
Management modules are logged with appropriate log level message. The logging levels are:
• Fatal
• Error
• Warn
• Info
• Debug
The logging level is set as Info, by default.
Table 17-4 describes the fields in the Set Application Logging Levels dialog box and also provides
information on the files to which these logs are stored.
Step 5 Click Apply to set the logging level or Reset to apply the default logging level.
A message appears confirming that the logging levels are successfully updated.
Step 1 Select Admin > System > Debug Settings > IPSLA Debugging Settings.
The Log Level Settings page appears.
Step 2 Select either All or Module Level from the Application drop-down list.
Step 3 Select the appropriate log level from the Logging Level drop-down list.
For more information, see Table 17-5.
Step 4 Click Apply to set the log levels.
A message appears stating that the log levels have been successfully updated.
To clear the settings, click Cancel.
Step 5 Click OK.
Field Description
Set Application Logging Levels
Module Select one of the following from the drop-down list.
• All
• Module Level
Logging Level Select one of the following logging levels from the drop-down list.
• FATAL
• ERROR
• WARN
• INFO
• DEBUG
Table 17-6 lists the IPSLA Performance Management modules and the corresponding log file details.
Step 1 Select Admin > System > Debug Settings > Config and Image Management Debugging settings.
The Set Application Logging Levels dialog box appears.
Step 2 Select the Application from the drop-down list.
Step 3 Select the appropriate log level from the Logging Level drop-down list.
The fields in the Set Application Logging Levels dialog box are:
BugToolkit | Bug Toolkit | bugtoolkit.log | Changes the logging level for Bug Toolkit.
ChangeAudit | Change Audit | ChangeAudit.log | Changes the logging level for Change Audit.
ChangeAudit | Change Audit User Interface | ChangeAuditUI.log | Changes the logging level for Change Audit UI.
CLIFramework | CLI Framework | cli.log | Changes the logging level for CLI Framework.
ConfigCLI | Config CLI | ConfigCLI.log | Changes the logging level for Config CLI.
ConfigCLI | Netconfig CLI | netcfgcli.log | Changes the logging level for NetConfig CLI.
ConfigEditor | Config Editor | CfgEdit.log | Changes the logging level for Config Editor.
ConfigJob | Config Jobs | logs under %NMSROOT%\files\rme\jobs\NetConfigJob | Changes the logging level for Configuration Jobs.
ConfigJobManager | Config Job Manager | cjp.log | Changes the logging level for Configuration Job Browser. This log file is used for config purge jobs: crijobpurge.log
DeviceManagement | Device Management User Interface | EssentialsDM.log | Changes the logging level for Device Management.
DeviceManagement | Check Device Attributes User Interface | cda.log | Changes the logging level for Check Device Attributes User Interface
DeviceManagement | Device Credential Verification Jobs | log files under %NMSROOT%\files\rme\jobs\cda\ | Changes the logging level for Device Credential Verification jobs.
DeviceManagement | Device Management Operations | EssentialsDM_Server.log | Changes the logging level for Device Management Operations.
DeviceSelector | Device Selector | RMEDeviceSelector.log | Changes the logging level for Device Selector.
ICServer | Inventory Collection Service | IC_Server.log | Changes the logging level for the IC Server.
ICServer | Inventory Collection User Interface | ICServerUI.log | Changes the logging level for Inventory Collection User Interface.
ICServer | Inventory Collection Jobs | Creates job logs under %NMSROOT%\files\rme\jobs\ICServer | Changes the logging level for Inventory Collection jobs.
Install | Restore Config and Image Management CCR; Config and Image Management PSU Adapter; Migration | CCRImport.log | Changes the logging level for the Installation modules.
InventoryPoller | Inventory Poller | Creates job logs under %NMSROOT%\files\rme\jobs\InvPoller | Changes the logging level for Inventory Poller.
InvReports | Inventory Reports | invreports.log | Changes the logging level for Inventory Reports.
MakerChecker | Maker Checker | MakerChecker.log | Changes the logging level for the Job Approval module.
To track the port and module group backend evaluation exceptions and changes, the following logs are
maintained:
• PMCOGSServer.log
• PMCOGSClient.log
Step 4 Click Reset to apply the default logging levels.
Step 5 Click Apply after you set the log levels.
A message appears stating that the log levels have been successfully updated.
Configuring Logging
You can enable the debugging option for LMS components without restarting the services. When you enable
the debugging option for the selected component, the log level in the respective properties file is
changed to DEBUG and the debug messages are recorded in the corresponding log files.
You can only enable or disable the debugging option. You cannot set different log levels such
as INFO, WARNING, FATAL, and ERROR.
To debug Faults, see Fault Debugging Settings.
To enable the debugging option for the Common Services components:
Step 1 Select Admin > System > Debug Settings > Common Services Log Configurations.
The CS Log Configurations dialog box displays the following details:
Item Description
Component List of components for which you can enable or disable the debug option
Log File(s) Location Directory of the log files for the selected application
Description Brief description about the selected application
Debug Mode Option to enable or disable the debug mode
Step 2 Select the component from the Component drop-down list box.
You can select to enable the debugging option for the available Common Services components. The
available components include:
• CS Device Groups
• CS Device Selector
• CS Home
• CS Portlets
This component is listed in the drop-down list box only when you have installed the LMS Portal
application in LMS Server.
• Core Admin Module
• DCR Bulk Import and Export
• Device Center
• Device and Credentials Repository
• Home Page Admin
• Licensing
• LMS Setup Center
• Getting Started
This component is listed in the drop-down list box only if LMS Setup Center is installed in LMS
Server.
• Product Instance Device Mapping
• SMTP
• Software Center
Step 3 Select the Enable option to enable debugging for the selected application. By default, the Debug Mode
is set to disabled.
Note You can only choose the enable or disable option. You cannot change the log levels to some other
value.
To disable the debug mode for all the Common Services components:
Step 1 Select Admin > System > Debug Settings > Common Services Log Configurations.
The CS Log Configurations dialog box appears.
Step 2 Click Reset All to disable the debug mode for all the Common Services components.
The log levels are restored to the values they had before the debugging option was enabled.
Note You cannot disable logging. Fault Management will always write error and fatal messages to application
log files.
For each Fault Management functional module, the Error check box is always selected; you cannot
deselect it.
Step 1 For each module that you want to change, select one (or deselect all) of the following logging levels:
• Warning—Log error messages and warning messages
• Informational—Log error, warning, and informational messages
• Debug—Log error, warning, informational, and debug messages
Note Deselecting all check boxes for a module returns it to Error, the default logging level.
Step 1 Click the Enable Incharge Debugging, and execute Incharge Commands link in the Fault Debugging
Settings page.
The Incharge Command Execution page appears.
Step 2 Select Enable Incharge Debugging check box to enable Incharge logs for the Fault Management module
in LMS.
The logs are available at:
• On Windows:
– NMSROOT\objects\smarts\local\logs\DFM.log
– NMSROOT\objects\smarts\local\logs\DFM1.log
• On Solaris/Soft Appliance:
– /opt/CSCOpx/objects/smarts/local/logs/DFM.log
– /opt/CSCOpx/objects/smarts/local/logs/DFM1.log
Step 3 To execute an Incharge command, enter it in the Command text box, click Run, and view the results in the
Result column.
Some sample commands that you can execute are:
• sm_server
• brcontrol
• dmctl -s <domain name> geti Routers
Step 1 Select Admin > System > Debug Settings > Data Collection.
The Debugging Options dialog box appears.
Step 2 Modify the debugging options as specified in Table 17-7.
Table 17-7 Data Collection Debugging Options (continued) for Data Collection
Table 17-8 describes the debug modules available for Data Collection in LMS.
Module Description
framework • Constructs and maintains data in the memory.
• Provides framework for LMS features.
Enable debugging for this module only when requested by TAC. This is because
enabling debugging for this module creates huge logs.
topo Provides network topology computation and layouts.
Enable debugging for this module if you have problems with Topology
computation of devices.
vlad • Discovers VTP domains, VLANs, port-in-VLAN configurations
• Performs VLAN configuration tasks
• Determines Spanning Tree state
Enable debugging for this module if you have problems with VTP, VLAN
reports, and configuration.
ccm Discovers Cisco CallManager (CCM).
Enable debugging for this module if you encounter issues with data collected for
CCM.
vmpsadmin • Discovers end-user hosts on the network
• Records end-user host information in the ANI database
• Manages requests for scheduling user and host discoveries, ping sweeps,
database queries, and updates to user and notes information
Enable debugging for this module if you have problems with User Tracking.
dcrp Provides computation of network discrepancies.
Enable debugging for this module if you have problems in Discrepancy reports.
status Enables status polling on previously discovered devices.
Enable debugging for this module if you have problems with device and link
status polling.
apps Discovers application hosts such as MCS.
Enable debugging for this module if you encounter issues with data collected on
application hosts.
stp Discovers all STP related information from the network.
Enable debugging for this module if you have problems with STP reports and
configuration.
stpeng • Performs STP configuration tasks
• Provides basic STP analysis for migration from one STP type to another
Enable debugging for this module if you have problems with STP reports and
configuration.
devices Provides specific information, if any, available for device categories.
Enable debugging for this module if you have problems specific to a particular
device type.
Step 1 Select Admin > System > Debug Settings > Layer2 Configuration and Reports.
The debugging page appears.
Step 2 Select the level of debugging. It can be any one of the following:
• INFO
Only informational messages are recorded in the log file.
• DEBUG
All messages related to Configuration and Reports are recorded in the log file.
• FATAL
Messages related to fatal errors are recorded in the log file. This is the default option.
The Log File Name field specifies the location and name of the log file. The default log file is
NMSROOT\log\Campus.log
Step 3 Click Apply.
Step 1 Select Admin > System Administration > Debug Settings > Device Groups.
The debugging page appears.
Step 2 Select the level of debugging. It can be any one of the following:
• INFO
Only informational messages are recorded in the log file. This is the default option.
• DEBUG
All client side messages are recorded in the log file.
• FATAL
Messages related to fatal errors are recorded in the log file.
The Log File Name field specifies the location and name of the log file. The default log file is
NMSROOT\log\CampusDeviceSelector.log
Step 3 Click Apply.
Step 1 Select Start > Settings > Control Panel > Java.
Step 2 Select the Advanced tab.
The corresponding tree structure is displayed.
Step 3 Go to the tree and select Java Console > Show Console.
Step 4 Click Apply and then OK.
The Java console is displayed when you launch Topology Services.
Note If you close the Java Console, close the Topology window and relaunch it to reopen the console.
To enable debugging:
Step 1 Select Admin > System > Debug Settings > Topology.
The debugging page appears.
Step 2 Select the level of debugging. It can be any one of the following:
• TRACE
Only informational messages are displayed in the Java Console.
• DEBUG
All Topology Services client side messages are displayed in the Java Console.
• ERROR
Messages related to all errors are displayed in the Java Console. This is the default option.
Step 3 Click Apply.
Step 1 Select Admin > System > Debug Settings > User Tracking Server.
The debugging page appears. See Table 17-9 for a description of the fields:
Table 17-8 describes the debug modules available for User Tracking Server in LMS.
Module Description
user tracking Provides user tracking functionality. Enable debugging for this if user tracking
fails to discover end hosts as expected.
framework • Constructs and maintains data in the memory.
• Provides framework for LMS features.
Enable debugging for this module only when requested by TAC. This is because
enabling debugging for this module creates huge logs.
devices Provides specific information, if any, available for device categories.
Enable debugging for this module if you encounter issues specific to a particular
device type.
Step 1 Select Admin > System > Debug Settings > Dynamic User Tracking.
The debugging page appears.
Step 2 Check Enable Debug to set the options.
Step 3 Select the Service Name from the drop down list in the Service Name field.
The framework modules appear in the Module Name column. The framework modules depend on the
service that you select.
Step 4 Select the debug level for each module.
The debug level options are INFO, DEBUG, and TRACE.
INFO logs minimum information required for debugging and is the default option. DEBUG is the next
level of debugging. TRACE provides complete debugging information and creates huge logs.
Step 5 Enter the filename for the log file in the Log Filename field.
• The default log file for UT LITE is NMSROOT\log\utlite.log
• The default log file for MACUHIC is NMSROOT\log\macuhic.log
• The default log file for UTManager is NMSROOT\log\utm.log
The default value for Log file size is 1,000,000 lines. You can enter values between 1 and 2,147,483,647.
Entering zero, a negative value, or alphabetic characters results in an error.
Step 6 Click Apply to save the settings.
Dynamic User Tracking modules available for debugging are explained in Table 17-11:
Note Enabling debugging for these modules creates huge logs, which interferes with the Trap processing
capability of LMS. We recommend that you enable debugging for this module only when requested by
TAC.
Module Description
UT Lite
control plane Handles configuration events related to:
• Log level Settings
• Log file
• Port number
For example:
If you changed the log file from X to Y, but logging still happens in X, enable debugging
for this module.
listener Listens to data sent by the UTLite script installed in the Windows or Novell server.
Checks for the integrity of the data received.
execution framework Handles code level execution of the data received.
Enable debugging for this module to debug Java related errors.
execution Processes and validates the data received.
UTLite receives the MAC address, IP address, and logged-in user for the end host. This
information is updated in the database only if the end host was discovered in the last UT
Major Acquisition cycle or through Dynamic User Tracking.
MACUHIC
control plane Handles configuration events related to:
• Log level Settings
• Log file
• Port number
listener Listens to SNMP traps sent by devices.
Checks for the integrity of the data received.
execution framework Handles code level execution of data received by MACUHIC.
Enable debugging for this module to debug Java related errors.
decoder Validates the traps sent by devices by checking whether:
• The trap is sent by a device managed by LMS.
• The SNMP version is correct
execution Checks whether:
• The data received is duplicate data
• The data is sent by a Link port or Access port.
Dynamic UT does not process traps sent from link ports.
Updates the database with information received and forwards it to UTManager for further
processing.
UTManager
control plane Handles configuration events related to:
• Log level Settings
• Log file
• Port number
listener Listens to data sent by UTLite and MACUHIC.
Checks for the integrity of the data received.
execution framework Handles code level execution of data received by UTManager.
Enable debugging for this module to debug Java related errors.
decoder Validates the data received from UTLite, MACUHIC, SNMP data from DHCP Snooping
MIB and the other data sent by external systems.
execution Processes the data received and updates the database.
es framework Handles queries sent to External Systems.
es.snmp Handles SNMP queries sent to External Systems.
es.subnet Performs subnet calculation based on the information sent by External Systems.
es.db Handles database operations.
Step 1 Select Admin > System > Debug Settings > User Tracking Reports. The debugging page appears.
Step 2 Select the level of debugging. It can be any one of the following:
• INFO
Only informational messages are recorded in the log file. This is the default option.
• FATAL
Messages related to fatal errors are recorded in the log file.
• DEBUG
All User Tracking client side messages are recorded in the log file.
The Log File Name field specifies the location and name of the log file. The default log file is
NMSROOT\log\Cmapps.log
Step 3 Click Apply.
Debugging is enabled for UT client side activities and the messages are recorded in the corresponding
log file.
Step 1 Select Admin > System > Debug Settings > Dynamic User Tracking Console.
The debugging page appears.
Step 2 Select the Service name from one of the following:
• UTLite
• UTM
• MACUHIC
The error conditions related to that process are listed under the Error Details section.
Step 3 Select the error condition for which you need details and click Generate.
A new file is generated with all the error details and stored in the LMS server. It is also listed under the
File list pane.
Step 4 Select a file and:
• Click View to see the file contents.
• Click Download to save the file in your local machine.
• Click Delete to delete the file from the server. You can delete multiple files at the same time.
Step 1 Select Admin > System > Debug Settings > VRF Lite Server Debugging.
The VRF Lite Server Debugging dialog box appears. The default location of the log file for VRF Lite
Server Debugging Settings is NMSROOT\log\Vnmserver.log.
The Debug levels in the VRF Lite Server Debugging Settings dialog box are as described in Table 17-12.
Field Description
Debug Level
INFO Only informational messages are recorded in the log file.
DEBUG All messages related to VRF Lite Server are recorded in the log file.
ERROR Messages related to fatal errors are recorded in the log file.
ERROR is the default logging level.
Reset Click Reset to reset the debug levels applied to VRF Lite Server, to
default value.
Step 2 Select a debug level and click Apply to apply the selected debug level to the VRF Lite Server.
Step 1 Select Admin > System > Debug Settings > VRF Lite Collector Debugging.
The VRF Lite Collector Debugging Settings dialog box appears. The default location of the log file for
VRF Lite Collector Debugging Settings is NMSROOT\log\Vnmcollector.log.
The Debug levels in the VRF Lite Collector Debugging Settings dialog box are as given in Table 17-13:
Field Description
Debug Level
INFO Only informational messages are recorded in the log file.
DEBUG All messages related to VRF Lite Collector are recorded in the log
file.
ERROR Error is the default logging level. Messages related to fatal errors
are recorded in the log file.
Reset Click Reset to reset the debug levels applied to VRF Lite Collector,
to default value.
Step 2 Select a debug level and click Apply to apply the selected debug level to the VRF Lite Collector.
Step 1 Select Admin > System > Debug Settings > VRF Lite Client Debugging.
The VRF Lite Client Debugging Settings dialog box appears. The default location of the log file for VRF
Lite Client Debugging Settings is NMSROOT\log\Vnmclient.log.
The Debug levels in the VRF Lite Client Debugging Settings dialog box are as described in Table 17-14:
Field Description
Debug Level
INFO Only informational messages are recorded in the log file.
DEBUG All messages related to VRF Lite Client are recorded in the log file.
ERROR Messages related to fatal errors are recorded in the log file.
ERROR is the default logging level.
Reset Click Reset to reset the debug levels applied to VRF Lite Client, to
default value.
Step 2 Select a debug level and click Apply to apply the selected debug level to the VRF Lite Client.
Step 1 Select Admin > System > Debug Settings > VRF Lite Utility Debugging.
The VRF Lite Utility Debugging Settings dialog box appears. The default location of the log file for VRF
Lite Client Debugging Settings is NMSROOT\log\Vnmutility.log.
The Debug levels in the VRF Lite Utility Debugging Settings dialog box are as described in Table 17-15:
Field Description
Debug Level
INFO Only informational messages are recorded in the log file.
DEBUG All messages related to VRF Lite Utility are recorded in the log file.
ERROR Messages related to fatal errors are recorded in the log file.
ERROR is the default logging level.
Reset Click Reset to reset the debug levels applied to VRF Lite Utility, to
default value.
Step 2 Select a debug level and click Apply to apply the selected debug level to the VRF Lite Utility.
This section briefly describes all the LMS tasks. See the Online help for further details.
This section explains the following LMS task groups:
• Understanding Admin Tasks
• Understanding Report Tasks
• Understanding Configuration Tasks
• Understanding Monitor Tasks
• Understanding Inventory Tasks
• Understanding Work Center Tasks
Note You should enable the Browse Jobs task to schedule any job across LMS.
Log Rotation
You can configure log rotation settings and schedule log rotation jobs.
Cisco.com Settings
You can configure Cisco.com Settings like:
• Proxy Server Setup
You can update the proxy server configuration.
– Apply Proxy Server Settings:
You can set up the proxy server details.
– Remove Proxy Server Settings:
You can remove the proxy server settings that are already set up.
• Cisco.com User Account Setup
You can add and modify Cisco.com user login names and password.
Licensing
You can register your software and obtain a product license.
Software Center
This section explains the following Software Center task groups:
• Schedule Device Downloads
You can schedule device package downloads and specify the time, frequency of the downloads, and
specify download policies if you have permissions.
• Device Update
You can view a list of all Cisco Prime related devices packages on your system, and the count of
devices supported. The source location could be Cisco.com or the Server Side Directory.
– Check For Updates
You can check for new device updates.
– Delete Device Packages
You can delete packages that are outdated or no longer used.
• Software Update
You can perform the following tasks:
– Download Updates
You can download the selected updates from Software Center.
– Select Updates
You can select new software packages to update the product.
Debug Settings
This section explains the following Debug Settings tasks:
• Layer2 Configuration/Reports and User Tracking Debug Options
You can configure the debug options for Layer2 Configuration and Reports and User Tracking.
• Config and Image Management debugging settings
– Loglevel Settings - Defaults/Apply
You can set different logging levels such as Fatal, Error, Warn, Info, or Debug for individual
Config and Image Management packages.
• IPSLA Debugging Settings
You can view, set or reset the log levels for all the modules of IPSLA Performance Management.
User Management
This section explains the following User Management tasks:
• Local User Setup
– Edit User
You can modify a local user in LMS Server, assign roles, and specify the authorization type.
– Delete User
You can delete a local user profile from the LMS Server.
– Modify My Profile
You can modify your local user profile in LMS Server.
– Add User
You can add a local user in LMS Server.
– Import/Export Users
You can import local users from the client or from ACS. You can import local users from ACS
only through CLI and not from the UI.
You can export the local users.
• Notify Users
You can broadcast messages to online users.
• Local User Policy Setup
You can set up username and password policies for local authentication users in LMS.
• Role Management Setup
The Role Management tasks are listed below:
– Delete Role
You can delete user-defined roles.
– Add Role
You can add user-defined roles.
– Edit Role
You can edit user-defined roles.
– Import/ Export Roles
You can import roles in the XML format from the client. You can export roles in the XML
format. The file will be saved in the client.
– Copy Role
You can use this option to copy a role.
– Default Role
You can set a role as a default role. When multiple roles are set as default role, the user will be
assigned with all the roles selected as default roles.
Server Monitoring
This section explains the following Server Monitoring task groups:
• Process
– Start Processes
You can start the Cisco Prime processes.
– Stop Processes
You can stop the Cisco Prime processes.
• Collect Server Information
– Create Collect Server Information
You can get the required information about the server.
This includes system information, environment, configuration, logs, web server information,
device and credentials administration information, and grouping services information.
– Delete Collect Server Information
You can delete the collected server information.
• DiskWatcher Configuration
You can configure disk space threshold level.
• Selftest
You can view self test reports to test some basic functions of the server.
– Create Self test
You can test the basic functions of server.
– Delete Self test
You can delete the collected self test information.
DBReader Access
You can run the DBReader utility from a Cisco Prime client to access the database and troubleshoot
database issues.
Group Management
The Groups feature helps you to group devices managed by LMS. It helps to create, manage and share
groups of devices. This section explains the following Group Management task groups:
• Device Groups
– Delete Group
You can delete a group from the Group Selector.
When you delete a group, all the child groups under the group are also deleted. You can also
delete the stale groups (groups that belong to users removed from Cisco Prime).
– Edit Group
You can modify some of the device groups.
– Export Group
You can export a selected group or all user-defined groups from all applications, to an output
file.
– Group Refresh
You can recompute the membership of a group by re-evaluating the group's rule. The
membership of Automatic groups is recomputed dynamically.
– Create Group
You can create device groups.
– Import Group
You can import user-defined device groups from an input XML file.
– Group Details
You can view the details of a group.
Backup
Allows you to back up the database regularly. It also lets you schedule immediate, daily, weekly, or
monthly automatic database backups.
Multi Server
You can perform the following multi-server management tasks:
• Peer Server Certificate Setup
You can add the certificate of another LMS Server into its trusted store. This allows LMS Servers
to communicate with one another using SSL.
– Delete Peer Certificate
You can delete the peer certificate.
– View Peer Certificate
You can view the details of an existing peer certificate.
– Add Peer Certificate
You can add the certificate of a peer LMS Server into its trusted store.
• System Identity Setup
You can set up a System Identity user on servers that are part of a multi-server setup. This user
enables communication among servers that are part of a domain.
• Peer Server Account Setup
You can create users who can log into LMS Servers and perform certain tasks.
– Peer Server Accounts Delete
You can delete a secret user set up in the LMS Servers.
– Peer Server Accounts Add
You can add a secret user who can programmatically login to multiple LMS Servers and perform
certain tasks.
– Peer Server Accounts Edit
You can edit a secret user set up in the LMS Servers.
• Single Sign-On Setup
You can use your browser session to transparently navigate to multiple LMS Servers without
authenticating to each server.
Local Server
• Certificate Setup
You can create a self-signed certificate from the user interface.
• Browser-Server Security Mode Setup
You can enable browser-server security.
Monitor/ Troubleshoot
This section explains the following Monitor and Troubleshoot tasks:
• NAM Configuration
You can view, add, edit, or delete the NAM configuration details.
• Load MIB
You can load a MIB file.
• RMON Configuration
You can enable RMON on all ports in selected devices.
• Fault Poller settings for topology
You can configure fault poller settings for Topology.
Discovery Settings
This section explains the following Discovery Settings tasks:
• Settings
You can:
– View Discovery Settings
You can view the summary of device discovery settings.
– Configure Discovery Settings
You can configure the settings required to run a discovery job.
– Discovery Status
You can view the status of device discovery.
– Start Stop Discovery
You can also start or stop a device discovery.
• Schedule
You can add a device discovery schedule.
Purge Settings
This section explains the following Purge Settings tasks:
• Config Job purge settings
You can configure the following config job settings:
– Job Purge - Schedule/Enable/Disable/Purge Now
You can schedule, enable, or disable purging of configuration management jobs.
You can also immediately purge the jobs.
– Job Purge
You can purge the config jobs.
• Syslog Backup Settings
You can set the syslog backup policy.
• IPSLA data Purge Settings
You can set the purge period for IPSLA historical data and for audit reports. You can configure the
following IPSLA data Purge settings:
– Apply IPSLA Purge Settings
You can apply IPSLA purge settings.
– IPSLA Purge Settings
You can view IPSLA purge settings.
– Default IPSLA Purge Settings
You can apply default IPSLA purge settings.
• Syslog Force Purge
You can perform a forced purge of syslog messages.
• Performance Job Purge Settings
You can configure the following performance Job purge settings:
– Do Immediate Job Purge
You can immediately purge the performance jobs.
– Schedule Job Purge
You can schedule a performance job purge.
• Fault History Purging Schedule
Configure the daily fault history purging schedule.
• VRF Lite Purge Settings
You can purge VRF Lite jobs or report archives.
• ChangeAudit Force Purge
You can perform a forced purge of change audit.
• Config Archive Purge Settings
You can define the configuration archive purge policy.
• ChangeAudit Purge Policy
You can set the change audit purge policy.
• Performance data purge settings
You can configure the following performance data purge settings:
– Do Immediate Data Purge
You can immediately purge the performance data.
– Schedule Data Purge
You can schedule a performance data purge.
• Syslog Purge Settings
You can specify a default policy for the periodic purging of syslog messages.
• Layer2 Services and User Tracking Report Purge
You can purge Layer2 services jobs or report archives.
Resource Browser
This section explains the following Resource Browser tasks:
• Browse Resources
You can view the details of resources and manage resources.
• Free Resources
You can free-up locked resources.
Jobs
You can perform the following Job tasks:
• Browse Jobs
You can use the job browser and view the details of individual jobs.
Note You should enable the Browse Jobs task to schedule any job across LMS.
• Delete Job
You can use the job browser to delete the jobs.
• Stop Job
You can stop the jobs using the job browser.
Getting Started
You can perform the Getting Started tasks.
Manage Portal
You can manage all the portlets.
Threshold Violation
You can generate this report which displays threshold violations details for each device based on the
polled data.
• Thresholds
You can create reports based on the threshold configured for the MIB variable. You can create, or
view reports for specific threshold MIB variables. These reports are called IPSLA Threshold
Violation reports.
• TrendWatch Summary
You can create consolidated reports based on the TrendWatches configured for the MIB variable.
You can create, view summary reports of TrendWatch MIB variables.
Best Practices
You can generate the following Best Practices and Discrepancy reports:
• Acknowledge/Unacknowledge Discrepancy
You can acknowledge a Best Practice Deviation that you no longer want to see in the Best Practices.
You can also unacknowledge acknowledged Best Practice Deviations so that they reappear in the Best
Practice Deviations Report.
• Discrepancies
You can fix the discrepancies detected in the network.
• Fix Best Practice Deviation
You can fix the Best Practice Deviation detected in the network.
• Fix Discrepancy
You can fix the discrepancies detected in the network.
• Deviation
You can view the best practice deviation report.
Syslogs
You can use Custom Reports along with Syslogs to generate GOLD test reports.
You can also use Custom Reports along with Syslogs to generate Embedded Event Manager reports.
History
You can search the fault history database for device issues.
• Event History
You can view the fault history report for a given event ID.
• Event Monitor/ Device Fault
You can view information on events in devices for the past 31 days.
Event Monitor is a centralized place where you can view the event details of all devices and device
groups.
IPSLA
You can manage IPSLA archived reports. You can perform the following tasks:
• List Report Archives
You can list the IPSLA report archives.
• Delete Report
You can delete the IPSLA report archives.
User Tracking
• Custom Layouts
You can view the list of Custom layouts.
• Custom Reports
You can customize the layout and columns displayed in the UT reports to suit your needs.
Device Attributes
You can view the device attributes report.
User Tracking
You can create, schedule, and view various UT reports like:
• End Host History
You can view the login and logout information of the end hosts.
• User Tracking System and Custom Reports
You can view User Tracking system and custom reports.
Management Status
You can generate device credentials, device and credentials admin reports, and inventory and config
Collection Status report.
• Inventory and Config Collection Status
You can generate the Inventory and Config Collection Status Report which helps you to identify
possible causes for Inventory and Configuration collection failure and take timely corrective action.
System
You can generate the system audit report.
Performance
You can generate the performance audit report.
VLAN
You can generate VLAN reports for devices, switch clouds, or VTP domains.
VRF Lite
You can generate the following VRF Lite Reports:
• VRF Lite and VRF Lite Readiness report
You can generate Device Based VRF-Lite reports and VRF Based reports. You can also generate the
VRF Lite Readiness report which provides the devices details that comply with the basic hardware
and software support available, in contrast to the required support on the devices to configure VRF.
Poller
You can:
• View Poller Report
You can view Poller Reports based on the template added in a given Poller.
• Create Poller Job
You can create Poller Reports based on the template added in a given Poller.
Device
You can view device availability and performance parameters of a device.
• Device Performance
You can view performance parameters of a device.
Custom
You can create, or view custom reports.
Users
You can view information about users currently logged into LMS.
• Who is Logged on
You can view information on users currently logged into LMS.
• Permission Report
You can view information on roles and privileges.
Status
You can view the status of the processes running on the LMS Server.
• Log File
You can view information on log file size and file system utilization.
• Process
You can view the status of the processes running on the LMS Server.
Ports
You can view the status of the ports.
• Port Attributes
You can view information about the status of ports in the network.
Label Configs
You can select configuration files from different devices, group and label them. You can manage Label
Configs.
Summary
You can view the configuration archival status and summary.
Views
You can search archives using version tree and version summary. The tasks in Views are the following:
• Custom Queries
You can create a custom configuration query that searches information about the specified
configuration files.
• Search Archive
You can search the archive for configuration containing text patterns for selected devices.
• Version Summary
You can view all archived configurations for selected devices.
NetConfig/Template Center
This section explains the following NetConfig and Template Center tasks:
• Assign Tasks
You can assign tasks to a valid Cisco Prime user.
• User Defined Tasks
You can create and edit user-defined tasks.
• Adhoc Configuration-Template Center
You can deploy and import Adhoc Configuration template.
• Jobs
– View
You can view all NetConfig and Template Center jobs.
– Create/Configure/Deploy/Import
You can deploy and import configuration templates in LMS. You can also create NetConfig
jobs.
Config Editor
This section explains the following Config Editor tasks:
• Private Configs
You can view changes made to a configuration file in the private work area.
• Edit Private Configs
You can save an edited configuration file in the private work area on the server and retrieve the saved
file when required.
• Edit Public Configs
You can save an edited configuration file in the public work area on the server and retrieve the saved
file when required.
• Delete Private Configs
You can remove a configuration file from the private work area on the server.
• Delete Public Configs
You can remove a configuration file from the public work area on the server.
• Public Configs
You can view changes made to a configuration file in the public work area.
• Edit Mode Preference
You can set up the default editing mode.
• Config Editor
You can open, edit, or print configuration files.
• Jobs
You can create, edit, delete, copy, or stop Config Editor jobs.
Delete
You can delete configurations older than a specified date from the configuration archive.
List Version
Lists the different versions of configuration files archived in the archival system.
Deploy Baseline
You can deploy the given Baseline template to a device.
Reload
You can reboot the devices, to load the running configuration with their startup configuration.
Get Configuration
You can retrieve the running configuration from the devices and push it to the configuration archive if
the running configuration is different than the latest version in the archive.
Run2Start
You can create a job that overwrites the startup configuration of device with running configuration.
Write2Run
You can compare the latest running configuration for the device in the configuration archive with the
configuration in the file, to generate a new configuration that is downloaded to the device, so that the
configuration specified in the file is available on the running configuration of the device.
Export Configuration
You can retrieve the configuration for a device from the archive and write it to a specific file.
Compare
You can list the difference between versions of a device configuration.
write2Start
You can erase the contents of the device's startup configuration and then write the contents of the given
file as the device's new startup configuration.
Export Configuration-xml
You can retrieve the configuration for a device from the archive and write it to an XML file.
Import Configuration
You can retrieve the configuration from a file, and push it to the device, adding to the device's running
configuration.
Start2Run
You can merge the running configuration of any devices with their startup configuration to give a new
running configuration.
Put Configuration
You can retrieve the configuration from the configuration archive and push it to the device.
VLAN
This section explains the following VLAN Workflows tasks:
• Configure Port Assignment
You can manage ports on your network VLAN.
• Create/Delete Private VLAN
You can create and delete private VLANs.
• Configure Promiscuous Ports
You can configure a promiscuous port.
• Create/ Modify Trunk
You can create a trunk for a port, or modify trunk attributes.
• Configure/ Delete VLAN
You can create and delete VLANs configured on the devices in the network.
VRF Lite
This section explains the following VRF Lite Workflows tasks:
• VRF Configuration
You can create, edit, extend, delete and assign Edge VLAN to VRF.
Job Approval
You can approve or reject a job for which you are an Approver. The job will not run until you or another
Approver approves it.
NetConfig
You can manage NetConfig jobs.
Config Editor
You can manage Config Editor jobs.
Out-of-Sync Summary
You can generate an Out-of-Sync report for device groups.
Compliance Templates
This section explains the following Compliance Templates tasks:
• Compliance Check
You can run a compliance check.
• Direct Deploy
You can deploy a baseline template using a file system or UI.
• Templates
You can manage a baseline template.
IPSLA
You can manage IPSLA devices, collectors, operations, and outage settings.
• Devices
You can add devices to manage IPSLA functionality. You can:
– Enable IPSLA Responder
You can enable IPSLA responder for the selected devices.
– Update IPSLA Config
You can update the IPSLA responder enable or disable status. You can also save the latest
information configured in a device to the database.
– View Devices
You can view all the IPSLA devices managed by LMS.
– Edit Device Attributes
You can edit the device attributes like SNMP Retry and SNMP Timeout.
– Delete devices
You can delete Adhoc target devices.
– Add Adhoc Target
You can add adhoc target devices to the IPSLA Performance Management function in LMS if
you want to manage devices from an external source. The Adhoc devices may be either Cisco
devices or devices with a unique IP address.
• Collectors
You can create, edit, delete, monitor, start, list, view, or stop collectors.
When you have the authorization to create collectors you can import, export and reconfigure
collectors.
• Operations
You can analyze IP service levels for IP applications and services. You can view operation details,
list, create, edit, or delete operations.
• Outage Settings
You can view, list, create, edit, or delete planned outages.
Setup
You can set up auto monitoring, poller, and template management.
• Automonitor
You can change the polling intervals.
• Pollers
You can create and manage pollers. You can:
– Edit Poller
You can edit pollers.
– Clear Failures
You can clear all the failures recorded in the database for a Poller.
– Clear Missed Cycle
You can clear all the polling interval cycles missed for a Poller.
– Activate and Deactivate Poller
You can activate an inactive Poller to poll, or stop a Poller from polling.
– View Failures
You can view failures that occurred during polling.
– Create Poller
You can create a Poller.
– List Performance Devices
You can view performance devices.
– Delete Poller
You can delete a Poller.
– Debug Performance Polling Engine
You can debug the performance polling engine.
– List / View Pollers
You can list or view Pollers.
• Templates
You can create, copy, edit, list, delete, export, or import templates to monitor performance
parameters.
• Device Performance Management Summary
You can view the Device Performance Management Summary portlet details. To access any custom
role, you should select Device Performance Management Summary.
TrendWatch
You can create, activate, list and view, edit, copy, deactivate, or delete trendwatch for a MIB variable.
Performance
You can create, edit, delete, access, or, list and view thresholds for a MIB variable.
Fault
You can view the thresholds that are associated with device groups, trunk port groups, access port
groups, and interface groups.
VRF Lite
• Ping and Traceroute/Show Commands
You can troubleshoot VRFs using Ping or Traceroute, or view the result of the VRF-specific show
commands.
NetShow
• Job Operations
You can perform tasks such as viewing job details, creating jobs, editing jobs, copying jobs, retrying
failed jobs, stopping jobs, and deleting jobs.
• Command Set Operations
You can create, edit, or delete user-defined Command Sets.
• Assigning Command Sets
You can assign command sets to network operators.
• Command Sets
You can view the details of an existing Command Set.
• NetShow Jobs/Show Commands
You can run NetShow commands and view NetShow jobs.
Connectivity Tools
You can use the following tools:
• Device Center
You can launch the troubleshooting page by clicking device IPs.
• Packet Capture
You can capture live data from the Cisco Prime machine to aid in troubleshooting.
• SNMP Walk
You can trace the MIB tree of a device starting from a given OID for troubleshooting, or gathering
information about a certain device.
• SNMP Set
You can set an SNMP object or multiple objects on a device for controlling the device.
Troubleshooting Workflows
You can troubleshoot network problems using the troubleshooting workflows. You can diagnose network
connectivity problems, or diagnose devices.
Fault Monitor
You can view all the faults in a common place. Fault Monitor collects fault information from devices in real time and
displays the information for a selected group of devices. You can clear or annotate faults.
It allows you to own the faults or clear them.
Configure EtherChannel
You can configure EtherChannel.
Topology Services
You can access the LAN Edge, Layer 2, and Unconnected Devices network views of managed domains
discovered in your network, and you can filter, access, or view network information or status.
• Add Devices
You can add devices, device properties or attributes, and device credentials to the DCR.
• View Devices
You can view devices in DCR.
• Delete Devices
You can delete devices from DCR. You can also schedule device polling job and view the
Unreachable device report.
• Bulk import
You can import multiple devices into DCR. You can also view the Imported device report.
• Edit Devices
You can edit device information for a single device or for multiple devices.
This section explains all the CLI utilities that are available for the administrator in LMS 4.2.
This section contains:
• Setting Up Local Users Through CLI
• Changing Cisco Prime User Password Through CLI
• Managing Processes Through CLI
• Working With Third Party Security Certificates
• Setting up Browser-Server Security
• Backing up Data Using CLI
• Using LMS Server Hostname Change Scripts
• Using DCR Features Through CLI
• Using Group Administration Features Through CLI
• Deleting Stale Groups Using CLI
• User Tracking Command Line Interface
• Using Lookup Analyzer Utility
• Understanding UTLite
• User Tracking Debugger Utility
• Configuring Switches to Send MAC Notifications to LMS Server
• Administration Command Line Interface
Note You can use this CLI command for both system and user-defined roles.
Each local user's information should be represented in the following format in the text file:
Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword
where,
• Username — Local username. The local username is case-insensitive.
• Password — Password for the local user account name.
You can leave this field blank in the text file and enter the password in the command line when you
run the CLI utility.
Note that you should enter the password either in the command line or in the input text file. If you
specify the password in both places, the local user is added with the password specified in
the command line. When you add the user by entering the password at the command line prompt, the default role
is assigned to the user if the role is missing in the input file.
• E-mail — E-mail address of the local user.
This is mandatory if you assign the approver role to the local user. Otherwise, this is optional.
• Roles — Roles to be assigned to the local user. You should assign one or more of the following roles
to the user, separated by commas.
– Help Desk
– Approver
– System Administrator
– Network Administrator
– Network Operator
– Super Admin
• DeviceUname—Device login username
• DevicePassword—Device login password
• DeviceEnPassword —Device enable password.
The following is an example of local user information as represented in the input text file:
admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes
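The record format above can be checked before a file is handed to the import utility. The following Python linter is an added example, not part of the Cisco guide or of LMS; the finding codes and the sample records on lines 2 to 5 are assumptions constructed for this example, while line 1 is the guide's own example record.

```python
"""Lint a local-user import file in the guide's seven-field format.

Added example: not Cisco code. Finding codes are this example's own names.
"""
from dataclasses import dataclass

FIELDS = ("username", "password", "email", "roles",
          "device_uname", "device_password", "device_en_password")

# System role names exactly as the guide lists them.
SYSTEM_ROLES = {"Help Desk", "Approver", "System Administrator",
                "Network Administrator", "Network Operator", "Super Admin"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    username: str
    code: str
    detail: str


def parse_record(line):
    """Split one record into its seven fields, or raise ValueError."""
    parts = line.split(":")
    if len(parts) != len(FIELDS):
        # The guide defines no escaping, so a ':' inside a password
        # shifts every later field. Reject instead of guessing.
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["username"] = rec["username"].strip()
    rec["email"] = rec["email"].strip()
    rec["roles"] = [r.strip() for r in rec["roles"].split(",") if r.strip()]
    return rec


def lint_users(text):
    """Return Finding objects for every record in the file text.

    Details never contain a password value, so the report is safe to log.
    """
    findings, first_seen = [], {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        name = line.split(":", 1)[0].strip()
        try:
            rec = parse_record(line)
        except ValueError as exc:
            findings.append(Finding(line_no, name, "malformed", str(exc)))
            continue

        def add(code, detail):
            findings.append(Finding(line_no, name, code, detail))

        key = name.lower()  # the guide says usernames are case-insensitive
        if key in first_seen:
            add("duplicate-username", f"first seen on line {first_seen[key]}")
        else:
            first_seen[key] = line_no
        if rec["password"]:
            add("password-in-file", "leave blank and enter it at the prompt")
            if rec["password"].lower() == key:
                add("password-equals-username", "trivially guessable")
        if "Approver" in rec["roles"] and not rec["email"]:
            add("approver-missing-email", "e-mail is mandatory for Approver")
        if not rec["roles"]:
            add("no-role", "no role listed in the record")
        custom = [r for r in rec["roles"] if r not in SYSTEM_ROLES]
        if custom:
            add("non-system-role", "confirm these user-defined roles exist: "
                + ", ".join(custom))
        if rec["device_password"] or rec["device_en_password"]:
            add("device-credentials-in-file", "device secrets stored in clear text")
    return findings


def codes_by_line(findings):
    """Group finding codes by line number for quick review."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.line_no, set()).add(f.code)
    return grouped


# Line 1 is the guide's own example record; lines 2-5 are constructed.
SAMPLE = """\
admin123:admin123:admin123@cisco.com:Help Desk,System Administrator:admin:roZes123:roZes
jdoe::jdoe@example.com:Network Operator:::
approver1:::Approver:::
JDoe::jdoe2@example.com:Network Operator,NOC Tier 1:::
broken:pa:ss:x@example.com:Help Desk:::
"""

if __name__ == "__main__":
    for f in lint_users(SAMPLE):
        print(f"line {f.line_no} [{f.username}] {f.code}: {f.detail}")
```

Because the format has no escape for the field separator, a password containing a colon cannot be represented in the file and is reported as malformed here.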
For example, enter the following command to import the local users from the remote LMS Server
lmsdocpc:
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin
For Windows:
/NMSROOT/lib/jre/bin/java -cp /NMSROOT/lib/classpath;/NMSROOT/www/classpath;/NMSROOT/MDC/tomcat/shared/lib/castor-0.9.5-xml.jar;/NMSROOT/MDC/tomcat/shared/lib/castor-0.9.5.jar com.cisco.nm.cmf.servlet.CWPassMigration <cwpass file location> <output file name with .xml extension>
where, NMSROOT is the directory where you have installed Cisco Prime.
Example:
C:/Progra~1/CSCOpx/lib/jre/bin/java -cp C:/Progra~1/CSCOpx/lib/classpath;C:/Progra~1/CSCOpx/www/classpath;C:/Progra~1/CSCOpx/MDC/tomcat/shared/lib/castor-0.9.5-xml.jar;C:/Progra~1/CSCOpx/MDC/tomcat/shared/lib/castor-0.9.5.jar com.cisco.nm.cmf.servlet.CWPassMigration C:/cwpass C:/output.xml
Step 2 Move the output file to the client machine to import the user details.
Step 3 Go to Admin > System > User Management > Local User Setup.
The Local User Setup page appears.
Step 4 Click Import Users.
Step 5 Click Browse and select the output file from the client machine.
Step 6 Click Submit.
Step 1 Take selective backup from LMS 3.2 using the command given below:
NMSROOT\bin>perl NMSROOT\bin\backup.pl -dest= <Backup Directory> -system
where, NMSROOT is the directory where you have installed Cisco Prime.
Step 2 Move the backup to LMS 4.x server where data has to be restored.
Step 3 Stop the daemons on the LMS 4.x server.
Step 4 Restore backup using the command given below:
NMSROOT\bin>perl NMSROOT\bin\restorebackup.pl -d <Backup Directory>
Step 5 Check Restorebackup.log for any errors.
Step 6 Start the daemons and check the user details once all the processes are up.
Note Selective backup includes system settings, user details and jobs.
Now, you can change the password using the Cisco Prime user password recovery utility.
Step 3 Enter NMSROOT/bin/resetpasswd username at the command prompt.
Here NMSROOT refers to the Cisco Prime Installation directory.
A message appears:
Enter new password for username:
Step 4 Enter the new password.
Step 5 Enter /etc/init.d/dmgtd start to start the Daemon Manager.
During the startup of Daemon Manager, the pdshow command may sometimes display an information
message asking you to wait and enter the command again.
This happens particularly when the Daemon Manager is busy running the queued tasks one by one.
You must enter the command again to view the process details.
Starting a Process
You must enter the following commands to start a process through CLI:
• /opt/CSCOpx/bin/pdexec ProcessName (on Solaris/Soft Appliance)
• pdexec ProcessName (on Windows)
The dependent processes are started first before the specified process is started.
If the process is being restarted after a shutdown, any dependent processes registered with the Daemon
Manager are not automatically restarted. Dependent processes are automatically restarted only when the
Daemon Manager itself is restarted.
Stopping a Process
You must enter the following commands to stop a process through CLI:
• /opt/CSCOpx/bin/pdterm ProcessName (on Solaris/Soft Appliance)
• pdterm ProcessName (on Windows)
The dependent processes are also shut down using this CLI command.
Note Cisco Prime does not support third-party certificates with “Subject Alternative Names”.
Number  Option  What it Does
1  Display LMS Server certificate information
• Displays the Certificate details of the LMS Server.
For third party issued certificates, this option displays the details of the server certificate,
the intermediate certificates, if any, and the Root CA certificate.
• Verifies if the certificate is valid.
2  Display the input certificate information
This option accepts a certificate as an input and:
• Verifies whether the certificate is in encoded X.509 certificate format.
• Displays the subject of the certificate and the details of the issuing certificate.
• Verifies whether the certificate is valid on the server.
3  Display Root CA certificates trusted by LMS Server
Generates a list of all Root CA Certificates.
4  Verify the input certificate or certificate chain
Verifies whether the server certificate issued by third party CAs can be uploaded.
When you choose this option, the utility:
• Verifies if the certificate is in Base64 Encoded X.509 Certificate format.
• Verifies if the certificate is valid on the server.
• Verifies if the server private key and input server certificate match.
• Verifies if the server certificate can be traced to the required Root CA certificate using which
it was signed.
• Constructs the certificate chain, if the intermediate chains are also given, and verifies if the
chain ends with the proper Root CA certificate.
After the verification is successfully completed, you are prompted to upload the certificates to
LMS Server.
The utility displays an error:
• If the input certificates are not in required format.
• If the certificate date is not valid or if the certificate has already expired.
• If the server certificate could not be verified or traced to a root CA certificate.
• If any of the intermediate Certificates were not given as input.
• If the server private key is missing or if the server certificate that is being uploaded could
not be verified with the server private key.
You must contact the CA who issued the certificates to correct these problems before you upload
the certificates to Cisco Prime.
5  Upload single server certificate to LMS Server
You must verify the certificates using option 4 before you select this option.
Select this option only if there are no intermediate certificates and there is only the server
certificate signed by a prominent Root CA certificate.
If the Root CA is not one trusted by Cisco Prime, do not select this option.
In such cases, you must obtain a Root CA certificate used for signing the certificate from the CA
and upload both the certificates using option 6.
When you select this option, and provide the location of the certificate, the utility:
• Verifies whether the certificate is in Base64 Encoded X.509 certificate format.
• Displays the subject of the certificate and the details of the issuing certificate.
• Verifies whether the certificate is valid on the server.
• Verifies whether the server private key and input server certificate match.
• Verifies whether the server certificate can be traced to the required Root CA certificate that
was used for signing.
After the verification is successfully completed, the utility uploads the certificate to LMS
Server.
The utility displays an error:
• If the input certificates are not in required format.
• If the certificate date is not valid or if the certificate has already expired.
• If the server certificate could not be verified or traced to a root CA certificate.
• If the server private key is missing or if the server certificate that is being uploaded could
not be verified with the server private key.
You must contact the CA who issued the certificates to correct these problems before you upload
the certificates in Cisco Prime again.
6  Upload a certificate chain to LMS Server
You must verify the certificates using option 4 before you select this option.
Select this option if you are uploading a certificate chain. If you are also uploading the root
CA certificate, you must include it as one of the certificates in the chain.
When you select this option and provide the location of the certificates, the utility:
• Verifies whether the certificate is in Base64 Encoded X.509 Certificate format.
• Displays the subject of the certificate and the details of the issuing certificate.
• Verifies whether the certificate is valid on the server.
• Verifies whether server private key and the server certificate match.
• Verifies whether the server certificate can be traced to the root CA certificate that was used
for signing.
• Constructs the certificate chain, if intermediate chains are given, and verifies if the chain
ends with the proper root CA certificate.
After the verification is successfully completed, the server certificate is uploaded to LMS
Server.
All the intermediate certificates and the Root CA certificate are uploaded and copied to the
Cisco Prime TrustStore.
The utility displays an error:
• If the input certificates are not in required format.
• If the certificate date is not valid or if the certificate has already expired.
• If the server certificate could not be verified or traced to a root CA certificate.
• If any of the intermediate certificates were not given as input.
• If the server private key is missing or if the server certificate that is being uploaded could
not be verified with the server private key.
You must contact the CA who issued the certificates to correct these problems before you upload
the certificates in Cisco Prime again.
7  Modify Certificate
This option allows you to modify the Host Name entry in the LMS Certificate.
You can enter an alternate Hostname if you wish to change the existing Host Name entry.
Using the SSL Utility Script to Upload Third Party Security Certificates
To upload the certificates:
Step 1 Stop the Daemon Manager from the Cisco Prime CLI:
On Windows:
• Enter net stop crmdmgtd
On Solaris/Soft Appliance:
• Enter /etc/init.d/dmgtd stop
Step 2 Navigate to the directory where the SSL Utility script is located.
On Windows:
a. Go to NMSROOT\MDC\Apache
b. Enter NMSROOT\bin\perl SSLUtil.pl
On Solaris/Soft Appliance:
a. Go to NMSROOT/MDC/Apache/bin
b. Enter NMSROOT/bin/perl SSLUtil.pl
Step 3 Select option 4, Verify the input Certificate or Certificate Chain.
Step 4 Enter the location of the certificates (server certificate and intermediate certificate).
The script verifies if the server certificate is valid. After the verification is complete, the utility displays
the options.
If the script reports errors during validation and verification, the SSL Utility displays instructions to
correct these errors. Follow the instructions to correct those errors and then try to upload the certificates.
Step 5 Select option 5, if you have only one certificate to upload, that is if you have a server certificate signed
by a Root CA certificate.
Or
Select option 6, if you have a certificate chain to upload, that is if you have a server certificate and
intermediate certificates.
Cisco Prime does not allow you to proceed with the upload if you have not stopped the Cisco Prime
Daemon Manager.
The utility displays a warning message if there are hostname mismatches detected in the server
certificate being uploaded, but you can continue to upload the certificate.
Step 6 Enter the following required details:
• Location of the certificate
• Location of intermediate certificates, if any.
SSL Utility uploads the certificates, if all the details are correct and the certificates meet Cisco Prime
requirements for security certificates.
Step 7 Restart the Daemon Manager for the new security certificate to take effect.
Enable SSL to establish a secured connection between LMS Server and your client browser, if you have
not already enabled it.
Note Cisco Prime does not support third-party certificates with “Subject Alternative Names”.
When you restart the Cisco Prime session after enabling SSL, you must enter the URL with the following
changes:
• The URL should begin with https instead of http to indicate secure connection. Cisco Prime will
automatically redirect you to HTTPS mode if SSL is enabled.
• Change the port number suffix from 1741 to 443.
If you do not make the above changes, LMS Server will automatically redirect you to HTTPS mode with
port number 443. The port numbers mentioned above are applicable for LMS Server running on
Windows.
If your LMS Server is integrated with any Network Management Station (NMS) in your network using
the Integration Utility (NMIM), you must perform the integration every time you enable or disable SSL
in the LMS Server. This is required to update the application registration in NMS.
For more information, see Integration Utility Online Help.
Caution Make sure that you run this command after you have changed your hostname and the appropriate entries
specific to the operating system are updated.
Prerequisites
Before running the hostname change script, you should do the following:
Step 1 Update the hostname entries specific to operating system in your machine.
On Solaris:
• /etc/hosts - Modify loghost to the new hostname.
• /etc/hostname.hme0 or the appropriate interface file - Modify the file to the new hostname.
• /etc/nodename or the appropriate interface file - Modify nodename to the new hostname.
For Solaris/Soft Appliance, the sys-unconfig command erases the hostname and IP addresses
pertaining to the Solaris/Soft Appliance system (not the LMS or SMS software) and guides you
through the server-renaming process. You can also do this when you change the hostname in the
hosts, hostname.hme0, and nodename files in the /etc directory.
On Soft Appliance:
To change the hostname in Soft Appliance operating system:
a. Log in to the vSphere client.
b. Select the server where you want to run hostnamechange.pl.
c. Log in to the selected server as system admin.
d. Stop the daemons before changing the hostname in CARS CLI, by running the command
/etc/init.d/dmgtd stop in shell mode.
Step 1 Go to NMSROOT/bin
Step 2 Enter dcrcli -u Username cmd=lsmode
Step 1 Go to NMSROOT/bin
Step 2 Enter dcrcli -u Username cmd=detail id=DeviceID
Step 1 Go to NMSROOT/bin
Step 2 Enter dcrcli -u Username cmd=setmaster
Step 1 Go to NMSROOT/bin
Step 2 Enter dcrcli -u Username cmd=setstand
Step 1 Go to NMSROOT/bin
Step 2 Enter dcrcli -u Username cmd=setslave master=value
On Solaris/Soft Appliance:
• The -host option is required when you run the CLI command on a remote LMS Server.
For details on Lookup Analyzer Script, see Using Lookup Analyzer Utility
Purpose / Command
Switch Port Capacity Report
Purpose: To generate reports where the utilization is less than the specified percentage (for all
devices managed by LMS)
Command: NMSROOT/campus/bin ut -cli -switchPortCapacity lessthan 60 -devices all -export c:/sample -u username -p password
Purpose: To generate reports where the utilization is less than the specified percentage (for
specific devices)
Command: NMSROOT/campus/bin ut -cli -switchPortCapacity lessthan 60 -devices 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u username -p password
Purpose: To generate reports where the utilization is greater than the specified percentage (for all
devices managed by LMS)
Command: NMSROOT/campus/bin ut -cli -switchPortCapacity greaterthan 60 -devices all -export c:/sample -u username -p password
Purpose: To generate reports where the utilization is greater than the specified percentage (for
specific devices)
Command: NMSROOT/campus/bin ut -cli -switchPortCapacity greaterthan 60 -devices 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u username -p password
Purpose: To generate reports where the utilization falls between the specified range (for all devices
managed by LMS)
Command: NMSROOT/campus/bin ut -cli -switchPortCapacity between 10 60 -devices all -export c:/sample -u username -p password
Switch Port Reclaim Report
Generates reports for unused ports that are in up or down state.
Purpose: To generate Reclaim Unused Up Ports report (for all devices managed by LMS)
Command: NMSROOT/campus/bin ut -cli -switchPortReclaimReport type up days 2 -devices all -export c:/sample -u username -p password
Purpose: To generate Reclaim Unused Up Ports report (for specific devices)
Command: NMSROOT/campus/bin ut -cli -switchPortReclaimReport type up days 2 -devices 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password
Purpose: To generate Reclaim Unused Down Ports report (for all devices managed by LMS)
Command: NMSROOT/campus/bin ut -cli -switchPortReclaimReport type down days 2 -devices all -export c:/sample -u username -p password
Purpose: To generate Reclaim Unused Down Ports report (for specific devices)
Command: NMSROOT/campus/bin ut -cli -switchPortReclaimReport type down days 2 -devices 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password
Switch Port Summary Report
Generates reports that gives the number of Connected, Free, and Free down ports in each switch.
Purpose: To generate Switch Port Summary report for all devices
Command: NMSROOT/campus/bin ut -cli -switchPortSummary -devices all -export c:/sample -u username -p password
Purpose: To generate Switch Port Summary report for select devices
Command: NMSROOT/campus/bin ut -cli -switchPortSummary -devices 10.77.1.2,10.77.3.4 -export c:/sample -u username -p password
Note The above commands can be run in a Solaris/Soft Appliance machine. To run the same commands in
Windows, replace all forward slash (/) with reverse slash (\).
The report generated by the above options is saved as a file in the CSV format, at the specified location.
To generate various Switch Port Usage reports, select Reports > Switch Port.
UT.nameResolution.threadCount: 1
UT.nameResolution.winsTimeout: 2000
UT.nameResolution.threadThresholdPercentage: 10
UT.nameResolution.dnsTimeout: 2000
UTMajorUseDNSCache: false
nameserver.usednsForUT: true
DB.dsn: ani
---------------------------------
ISSUES/RECOMMENDATIONS
-----------------------
Issue #1: Failure Percent is greater than 20%
Recommendation: Check all DNS/WINS entries and ensure proper hostnames are configured
Other Recommendations:
* If hostnames in your network are less likely to change often, set
UTMajorUseDNSCache=true
* If reverse lookup failure % is more, try increasing UT.nameResolution.winsTimeout,
UT.nameResolution.dnsTimeout and UT.nameResolution.threadThresholdPercentage
* Optimal timeout values are: UT.nameResolution.winsTimeout=0,
UT.nameResolution.dnsTimeout=48
The script can also be run by setting properties in the ut.properties file.
Understanding UTLite
UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active
Directory, and Novell servers.
To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell
servers. You can also install UTLite in an Active Directory server.
UTLite sends traps to LMS whenever a user logs in or logs out. UTLite traps are processed by LMS at
the rate of 150 traps per second, with a default buffer size of 76800.
If you need a higher trap processing rate, say 300 traps per second, increase the buffer size to 102400.
To increase the buffer size:
Step 1 Enter pdterm UTLITE at the command line to stop the UTLite process.
Step 2 Open utliteuhic.properties located at
NMSROOT\campus\lib\classpath\com\cisco\nm\cm\ut\uhic\utlite\properties\
Step 3 Set Socket.portbuffersize=102400
Step 4 Enter pdexec UTLITE at the command line to start the UTLite process.
Caution Increasing the buffer size beyond 102400 results in performance degradation of UTLite.
Note The servers should be DNS resolvable to get the events from the clients. Otherwise, you must add
an entry in %WINDIR%\system32\drivers\etc\hosts.
You must have Administrator privileges on the Active Directory server to install the UTLite logon script.
To install the script:
Note For Windows 2000 and NT servers, the NETLOGON folder is located at:
%SYSTEMROOT%\system32\Repl\Import\Scripts
Here, in the User profile section of the window, the Profile path is set to be:
C:\windows\sysvol\sysvol\domain\scripts
The Logon script is set to be:
UTLiteNT.bat
Step 4 Update the domain controller logon script for each Windows domain that you add.
The first time users log into the network after you edit this script, UTLite33.exe is copied to the local
WINDIR directory on their Windows client system.
Step 1 Remove UTLiteNT.bat and UTLite33.exe files from each primary domain controller.
Step 2 Remove the call to run UTliteNT.bat from users' logon scripts.
Step 3 Delete UTLite33.exe from the WINDIR directory of all Windows clients.
To quickly locate the WINDIR directory, enter set windir from a command prompt window on each
client.
Step 1 Remove UTLiteNT.bat and UTLite33.exe files from each Active Directory server.
Step 2 Remove the call to run UTliteNT.bat from users' logon scripts.
Step 3 Delete UTLite33.exe from the WINDIR directory of all Windows clients.
To quickly locate the WINDIR directory, enter set windir from a command prompt window on each
client.
Step 1 Remove UTLiteNDS.bat and UTLite33.exe files from the Novell Server.
Step 2 Remove the line added to the login scripts for all users and organizational units.
Step 3 Delete UTLite33.exe from the WINDIR directory of all clients.
To quickly locate the WINDIR directory, enter set windir from a command prompt window on each
client.
Caution If you re-initialize the database, information from discovered devices will be lost. However, user and
host information is retained. Replace the database only if recommended by a Cisco technical
representative.
Note Your login determines whether you can use this option.
If you enter y, it erases all data (database tables Wbu*...) from the server.
Deleting all Active Entries from User Tracking, and Restarting Servers
From the command prompt or shell window, enter:
• On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -active
• On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -active
where active entries are hosts that are currently logged in
Deleting all Inactive Entries from User Tracking, and Restarting Servers
From the command prompt or shell window, enter:
• On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -inactive
• On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -inactive
where inactive entries are hosts that are currently not logged in
Deleting all History Entries from User Tracking, and Restarting Servers
From the command prompt or shell window, enter:
• On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -history
• On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -history
where history entries are complete entries. That is, hosts that have a login and logout in the past.
Note Before executing the -restore command, you should stop the daemon manager and start again
manually. For details, see Using Daemon Manager.
IOS image versions prior to 12.4 support only exact context names.
IOS image versions 12.4 or higher support both exact and prefix context names.
You need to configure the device with and without context name, since Data Collection manages the
device without context name and User Tracking requires context name to contact the device.
Configuring SNMP view to prevent %SNMP-3-AUTHFAIL Syslog due to polling of shutdown VLANs
Due to a limitation of the stpxPVSTVlanEnable MIB object, data collection polls shut down VLANs to
fetch STP-related data, which causes the device to trigger %SNMP-3-AUTHFAIL Syslogs. To avoid
polling shut down VLANs, an SNMP-VACM-MIB view must be created on the device and associated with
the SNMP credential, and the property vacmContextNameEnabled must be set to 1 in LMS.
You can enable it by creating a view and by including and excluding MIBs. To create an SNMP view:
Note During data collection, LMS queries the vacmContextName variable of SNMP-VACM-MIB. From this
MIB variable LMS can find out which VLANs are in shut down state so that LMS will try to connect to
that VLAN context. This MIB is not supported by the device by default.
Note The device side configuration has to be done on all the devices in the network before changing the
property in LMS. Otherwise some of the features will not work in Topology and Layer2 Services.
This section provides the following information for the Administration module of LMS:
• Troubleshooting Guidelines
• Frequently Asked Questions
Troubleshooting Guidelines
This section provides guidelines on the following:
• Troubleshooting User Tracking
• Troubleshooting the Cisco Prime LMS Server
Troubleshooting Suggestions
Use the suggestions in Table B-3 to resolve errors or other problems with the Cisco Prime LMS Server.
Symptom: User has forgotten his password.
Probable cause: LMS cannot recover forgotten passwords.
Possible solution: A system administrator-level user must either change the password or delete the
user account and add it again.
Symptom: You are logged out of the Cisco Prime Server.
Probable cause: Changes in the login module configuration file might not be correct.
Authentication server might be down and there were no fallback logins set.
Possible solution:
1. Log into Cisco Prime LMS Server.
2. Enter the following commands:
– NMSROOT\bin\perl NMSROOT\bin\ResetLoginModule.pl (on Windows)
– NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl (on Solaris/Soft Appliance)
3. Restart Daemon Manager.
Symptom: The Log File Status window displays files that exceed their limit.
Probable cause: Files need to be backed up so that file size will be reset to zero.
Possible solution:
1. Stop all processes.
2. Enter the log file maintenance commands:
– NMSROOT\cgi-bin\admin\ (on Windows)
– NMSROOT/cgi-bin/admin/ (on Solaris/Soft Appliance)
3. Restart all processes.
Symptom: Error message in the logfile: Connection Refused. Check the Device is SSH supported or not.
Probable cause: Device is not SSH enabled or the server is not authorized to initiate SSH
connection.
Possible solution:
1. Check whether the device is up or not.
2. Try connecting to the device with a commercial SSH client.
If you are able to connect, go to step 3.
If you are not able to connect, check whether the device is running SSH enabled (K2 or K9) image.
• If it is not the correct image, download the appropriate image to the device.
• If you have the correct image, check whether you have created RSA key pairs in the device.
Creating RSA keys will enable SSH in the device.
3. Check whether your server or network is authorized to initiate SSH connections to device.
See Installing and Migrating to Cisco Prime LAN Management Solution 4.2 for troubleshooting tips on
Cisco Prime installation.
Q. How does User Tracking acquisition process differ from that of the LMS Server?
A. User Tracking is a LMS client application. The LMS Server provides several types of global
discoveries, including:
– Device and physical topology acquisition, resulting in baseline network information such as
device identity, module and port information, and physical topology. This type of acquisition is
required for logical, user, and path acquisition.
– User acquisition, resulting in information about users and hosts on the network.
The LMS Server stores this information in the database. User Tracking discovers the host and user
information in the LMS server database, correlates this information, and displays it in the User
Tracking Reports.
For more information about the various acquisition processes, see Various Acquisitions in User
Tracking.
Q. How does User Tracking user and host acquisition process work?
A. Before collecting user and host information, LMS must complete Data Collection. After Data
Collection completes, User Tracking performs the steps described in Table B-4.
Table B-4 User Tracking User and Host Acquisition Process
Process / Description
Performs Ping Sweeps: Pings all IP addresses on all known subnets, if you have Ping Sweeps enabled
(the default).
This process updates the switch and router tables before User Tracking reads those tables. This
ensures that User Tracking displays the most recent information about users and hosts.
Obtains MAC addresses from switches: Reads the switch's bridge forwarding table.
The bridge forwarding table provides the MAC addresses of end stations, and maps these MAC
addresses to the switch port on which each workstation resides.
Obtains IP and MAC addresses from routers: Reads the Address Resolution Protocol (ARP) table in
routers to obtain the IP and corresponding MAC addresses.
Obtains hostnames: Performs a Domain Name Service (DNS) lookup to obtain the hostname for every IP
address.
Obtains usernames: Attempts to locate the users currently logged in to the hosts and tries to obtain
their username or login ID.
Records discovered information: Records the discovered information in the LMS database.
Q. Does User Tracking discover users and hosts connected to non-Cisco Discovery Protocol (CDP)
devices?
A. LMS does not manage non-CDP devices. Hence User Tracking will not discover users and hosts in
the network connected to non-CDP devices.
Q. Why am I getting a parse error when trying to parse some of the output files?
A. A few classes in Optical switches contain special characters with ASCII code higher than 160. Most
of the XML parsers do not support these characters and hence fail to parse them.
To overcome this, you have to manually search for those elements with special characters and
append CDATA as given in the example below:
If there is an element
<checksum> ¢Úo </checksum>
Change it to:
<checksum> <![CDATA[¢Úo ]]> </checksum>
Q. Why is user tracking not discovering end hosts that are connected to port-channels?
A. LMS supports only PAgP protocol configured ether-channel ports. User tracking discovers only
those end hosts that are connected to port-channels which are configured with PAgP protocol. LMS
does not support LACP protocol for IOS devices.
Nexus devices do not support the PAgP protocol. Hence LMS supports LACP protocol only for
Nexus devices. Devices using LACP protocol ether channel do not support topology view and user
tracking end discovery and other LMS features.
• Q. What is the reason for VLANs not getting populated in the VLAN to VRF Lite Mapping page in
the Create VRF Lite and Extend VRF Lite workflows?
• Q. How do I enable the debug messages for Virtual Network Manager?
• Q. Why are some port-channels not discovered in VRF Lite?
• Q. What are the processes newly introduced for VRF Lite?
• Q. What is tested number of devices support in VRF Lite?
• Q. What are the property files associated with VRF Lite?
• Q. In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow,
why are values for the IP Address and SubnetMask fields empty?
• Q. What is protocol order for configuration workflows?
• Q. What is protocol ordering for troubleshooting?
• Q. If you configure commands to be deployed to two different devices, will the commands be
deployed parallelly or serially?
• Q. Which VRF Lite configuration jobs that are failed can be retried?
• Q. Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page?
• Q. Why the FHRP and DHCP configurations are not shown in VRF Lite?
5. VTP Server must support MPLS VPN MIB. If the VTP Server does not support MPLS VPN MIB,
VRF Lite will not manage VTP Clients.
Q. The device must be managed by LMS to exercise all the functionality of VRF Lite. The desired
device is not listed in the device selector for the VRF Lite configuration workflows. What is the
reason for a device not listed in the device selector?
A. A device is not listed in the device selector due to the following reasons:
All VRF Lite Configuration workflows like Create, Edit, Extend, Delete VRF Lite and Edge VLAN
Configuration.
A device will not be listed in the Device Selector, if a device does not satisfy the pre-requisites as
mentioned in the Configuring Virtual Routing and Forwarding (VRF) in Configuration Management
with Cisco Prime LAN Management Solution 4.2.
If VRF Lite Configuration workflow is either Edit VRF Lite, or Delete VRF Lite or Edge VLAN
Configuration then a device will not be listed in the Device Selector, if a device is not participating
in the selected VRF Lite.
A device that the Readiness Report lists as a supported device may still be missing from the Device
Selector because it is not managed by LMS. You can check if a device is managed by using the Device
Management State Summary (Inventory > Device Administration > Manage Device State).
In Extend VRF Lite workflow, the devices listed in the Device Selector are the devices that are not
participating in the selected VRF Lite.
In Edge VLAN Configuration workflow, the devices listed in the Device Selector are only L2/L3
devices that are not participating in the selected VRF Lite.
Q. What are the different categories in which the devices are managed by Virtual Network Manager?
Or what criteria are used by Virtual Network Manager to categorize the devices in the network?
A. Virtual Network Manager identifies the devices based on the minimum hardware and software
support required to configure VRF Lite on the devices.
Based on the available hardware and software support in the devices, Virtual Network Manager
classifies the devices into following categories:
– VRF Lite Supported Devices – Represents the devices with required hardware and software
support available to configure VRF Lite on the devices.
– VRF Lite Capable Devices – Represents the devices with required hardware support available.
But the device software must be upgraded to support MPLS VPN MIB. For information on the
IOS version that supports MPLS VPN MIB, refer to
http://tools.cisco.com/ITDIT/MIBS/MainServlet.
VRF Lite classifies all the devices from Cat 3k and Cat 4k family of devices as VRF Lite
Capable devices as these devices do not have the required MPLS VPN MIB support.
– Other – Represents the devices without required hardware support to configure VRF Lite.
SysOID of the device needs to be checked.
Q. Sometimes, while performing VRF Lite configuration, I get the following message:
The device(s) with device name(s) are already locked as they are used by configuration workflows.
You cannot configure these devices. Wait for some time Or Ensure the devices are not used by
configuration workflows and free the devices from Admin > Network > Resource Browser.
Or
Selected Device(s) are locked as they are used by configuration workflows. You cannot configure
these devices. Wait for some time OR Ensure the devices are not used by configuration workflows
and free the devices from Admin > Network > Resource Browser.
Can I get the details of the user who has locked the devices to perform VRF Lite configuration?
A. You cannot get the details of the user who has locked the devices to perform VRF Lite configurations.
Q. What are the details of the VRF Lite log files? In which location are the VRF Lite log files located?
A. The following are the details of the VRF Lite log files:
1. Vnmserver.log – This log file logs the messages pertaining to the VRF Lite Server process.
2. Vnmcollector.log – This log file logs the messages pertaining to the VRF Lite collection.
3. Vnmclient.log – This log file logs the messages related to the User Interface.
4. Vnmutils.log – This log file logs the messages pertaining to the utility classes used by VRF Lite
client and server.
The above-mentioned VRF Lite log files are located in the following location:
In Solaris/Soft Appliance : /var/adm/CSCOpx/log/
In Windows: NMSROOT\logs
Q. After the Data Collection process completed, the VRF Lite Collector failed to run. What is
the reason for the failure?
A. Check if the Run VRF Lite Collector After Every Data Collection option is enabled in the VRF
Lite Collector Schedule page. You can reach the VRF Lite Collector Schedule page from Admin >
Network > VRF Lite Collection Settings page.
Q. How can I configure SNMP timeout and retries details for VRF Lite?
A. The SNMP timeout and retries details are configured using Admin > Collection Settings > VRF
Lite > VRF Lite SNMP Timeouts and Retries. By default, all the devices have a timeout of six
seconds and retry attempt of 1 second.
Q. Why are VLANs not populated in the VLAN to VRF Lite Mapping page in the
Create VRF Lite and Extend VRF Lite workflows?
A. The VLAN to VRF Lite Mapping page lists the links connecting the source and the destination
device. The VLANs are not listed in the fields displaying the links in the VLAN to VRF Lite Mapping
page because VRF Lite tries to find a free VLAN in the devices connected using a link, based on the
following procedure:
1. For an SVI, VRF Lite searches for free VLANs in the range 1-1005
2. For an SI, VRF Lite searches for free VLANs in the range 1006-4005
Q. In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow, why
are values for the IP Address and SubnetMask fields empty?
A. If the physical interface that links two devices is not configured with an IP Address, then the IP
Address and the SubnetMask fields are empty.
Q. If you configure commands to be deployed to two different devices, will the commands be deployed
in parallel or serially?
A. The commands are deployed to multiple devices in parallel, whereas a series of commands
within a single device is deployed serially.
Q. Which failed VRF Lite configuration jobs can be retried?
A. You can retry all failed VRF Lite Configuration jobs. VRF Lite Configuration jobs are
the jobs pertaining to the Create, Edit, Extend, Delete VRF Lite and Edge VLAN Configuration
workflows.
Q. Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page?
A. The functionality for Monitor Real Time button is provided by IPSLA Performance Management.
This button is enabled only when IPSLA Performance Management is enabled in the local server.
Q. Why are the FHRP and DHCP configurations not shown in VRF Lite?
A. VRF Lite does not fetch the details of the FHRP or DHCP configuration from the device. Also, VRF
Lite does not put the list of VLANs allowed on a trunk.
The Protocols and DHCP Server details for existing or newly created SVIs are not fetched from the
selected devices.
General
This section lists the general FAQs on LMS:
• Q. Which version of the Java Plug-in should I use for Cisco Prime to function properly?
• Q. Why cannot I start my Cisco Prime application?
• Q. Why am I unable to launch Cisco Prime from a Windows 2008 client machine?
• Q. I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access?
• Q. Do I need to change the Cisco Prime configuration after changing the IP address?
• Q. How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running
it for a while?
• Q. How do I change the port for osagent in Windows?
• Q. How do I change port for osagent in Solaris?
• Q. How do I ensure that jrm is running fine?
• Q. How do I change the casuser password in Windows?
• Q. How do I change the Cisco Prime user password?
• Q. How do I enable debugging for Session Management Services?
• Q. What does a diskWatcher process do?
• Q. Cisco Prime Time is not synchronized with System time. What should I do?
• Q. How do I change the configuration details of the server after installing LMS Soft Appliance?
• Q. How can I increase the timeout value of Cisco Prime LMS user interface?
• Q. How should I change the syslog port of Cisco Prime from 514 to another number?
• Q. What should I do when Daemon Manager and multiple processes are not started on a Windows
machine?
• Q. How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running
it for a while?
• Q. Why do I get the Java Script Not Enabled error after logging into Cisco Prime?
• Q. In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets?
• Q. What are the specific ports required for Internet HTTP features?
• Q. Why is the device name not available in the home page after importing?
• Q. How do you ensure to register using a template and launch the links properly?
• Q. I am getting timeout exception in cmdsvc (command service library) during a device
connection/socket establishment. How do I change the default timeout and delays in cmdsvc?
• Q. What should I do when the TAC Service Requests feature that displays my current Cisco.com TAC
tickets does not use the proxy to connect, even after setting the proxy in proxy server setup?
• Q. I am unable to access LMS running on Windows 2008 Server, when I use IE, but it works properly
in FF, what could be the reason?
Q. How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running
it for a while?
A. You can change the IP address on the server, and then access it using the new IP address.
Step 1 Click Start > Settings > Network and Dial-up Connections > Local Area Connection.
The Local Area Connection Status dialog box appears.
Step 2 Click Properties.
The Local Area Connection Properties dialog box appears.
Step 3 Select Internet Protocol (TCP/IP) and click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears.
Step 4 Select the radio button Use the following IP address.
Step 5 Change the IP address as required, in the IP address field.
For the subnet mask and default gateway values, enter the ipconfig command at the command prompt.
The subnet mask and default gateway values appear.
Step 6 Enter these values in the Subnet mask and Default gateway fields.
Step 7 Click OK to go back to Local Area Connection Status dialog box.
Step 8 Click OK.
Step 9 Restart the server.
To change the IP address on Solaris, use the command ifconfig at the command prompt to change the IP
address of the required interface.
For example, at the command prompt, you can enter:
ifconfig interfacename inet ipv4address
where the variable interfacename represents the name of the interface and ipv4address represents the
new IP address.
Q. Why do I get the Java Script Not Enabled error after logging into Cisco Prime?
A. This could be because Java Script is disabled in Internet Explorer. You should enable it in IE.
To do so:
Step 1 Launch Internet Explorer and click Tools > Internet Options.
Step 2 Click the Security tab and select Trusted Sites.
Step 3 Add the Cisco Prime LMS Server to the trusted zone.
Step 4 Clear the selection in Require server verification for all sites in this zone.
Step 5 Click OK to return to the Security tab.
Step 6 Click the Custom level button from the Security level for this zone panel.
Step 7 Select the Enable option for scripting of Java applets.
Step 8 Click OK to return to the Security tab.
Step 9 Click Apply.
Q. In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets?
A. In Microsoft Internet Explorer 7.0 and 8.0 browsers, the Telnet protocol handler is disabled by
default. To re-enable the Telnet protocol:
Step 1 Click Start > Run. The Run dialog box opens.
Step 2 In the Open box, enter: Regedit, then click OK. The Registry Editor opens.
Step 3 Go to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl.
Step 4 Under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Main\FeatureControl, create a new key named
FEATURE_DISABLE_TELNET_PROTOCOL.
Step 5 Add a DWORD value named iexplore.exe and set the value to 0 (decimal).
Step 6 Close the Registry Editor.
Step 7 Restart the browser. The Telnet protocol is now enabled.
Q. What are the specific ports required for Internet HTTP features?
A. Only port number 80 is required for all HTTP interactions between Cisco Prime LMS Server and
Cisco.com, including the Software Center interactions.
Q. Why is the device name not available in the home page after importing?
A. The probable causes for this problem could be:
– There is a mismatch between the hostname in the template imported and the hostname specified
in the UI during importing.
– The application imported from a remote server does not belong to the server from which it is
imported.
Q. How do you ensure to register using a template and launch the links properly?
A. Before you register through a template, you should ensure that:
– The host is reachable.
– Port information specified is correct and reflects the current port of the bundle.
– The application is available and can be launched by entering the application URL in the browser.
Q. Which version of the Java Plug-in should I use for Cisco Prime to function properly?
A. Cisco Prime supports Java Plug-in 1.6.0_19 in all the supported clients and operating systems. For
Cisco Prime to function properly, we recommend that you do not install any plug-ins other than
this one.
Q. Why am I unable to launch Cisco Prime from a Windows 2008 client machine?
A. This is caused by the default security settings in the browsers. Sometimes, the META-REFRESH
tag is disabled in the browser.
To enable the META-REFRESH tag in the browser:
Step 1 Click Tools > Internet Options. The Internet Options dialog box opens.
Step 2 Click the Security tab.
Step 3 Select the Internet zone.
Step 4 Click Custom level... The Security Settings dialog box opens.
Step 5 In the Miscellaneous options, select the Enable option for Allow Meta Refresh field.
Step 6 Click OK, and then Apply to update the settings.
Step 7 Close the IE 7 or IE 8 open windows.
Step 8 Launch a new IE 7 or IE 8 window and log in to LMS.
Q. I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access?
A. There are several reasons why you are locked out. It is probably caused by the changes made using
the Select Login Module option. You must replace the incorrect login module with a default
configuration, log into Cisco Prime, and return to the login module to correct one or more of the
following:
– Session Time out
– Change from SSL mode to non-SSL mode
– Change from non-SSL mode to SSL mode
– Log out from any other Cisco Prime application
– Visit other sites and then return to Cisco Prime
Do not alter the existing technologies in the default configuration file.
If all of the parameters listed are correct, see Troubleshooting Suggestions.
Q. Do I need to change the Cisco Prime configuration after changing the IP address?
A. You need not change the Cisco Prime configuration whenever you change the IP address. Cisco
Prime uses hostname for most of the communication. Only devices need to point to the new IP
address. However, after changing the IP address, you must reboot the system on a Solaris server and
restart the Daemon Manager on a Windows server. This is to make the changes effective.
Q. How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running it
for a while?
A. To change the hostname of the Cisco Prime LMS Server, you need to update several files and
Windows registry entries.
You can use the hostnamechange.pl CLI utility to update the new hostname information in files and
Windows registry entries.
See Using LMS Server Hostname Change Scripts for more information.
– If you get a message Established connection with JRM, then EDS, EDS-GCF and jrm are
running.
– If you do not get the above message, contact the technical assistance center with the error
message.
– If your jrm is down or inaccessible, you will get a message while accessing the UIs.
Note You must know the password policy. If the password entered does not match the password policy,
it exits.
Step 1 Go to NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml.
You should edit the following section of the file:
<context-param>
<param-name>DEBUG</param-name>
<param-value>false</param-value>
<description>mice debug enabling</description>
</context-param>
Step 2 Change <param-value>false</param-value> to <param-value>true</param-value>.
Q. Cisco Prime Time is not synchronized with System time. What should I do?
A. You should complete the following:
a. Edit the TIMEZONE file using the vi /etc/TIMEZONE command on a Solaris machine.
b. Set the TZ=standard_timezone. For example, you can specify TZ=MET.
c. Save the TIMEZONE file.
d. Reboot the machine.
The system now displays the modified time zone information. If you need to change to
daylight time, change only the time and date, not the TIMEZONE file.
Q. How can I increase the timeout value of Cisco Prime LMS user interface?
A. You can configure the timeout value in the following file.
NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml
where NMSROOT is your Cisco Prime Installation directory.
Change the value of the XML tag named session-timeout. Specify the value
in minutes. The default timeout value is set to 2 hours.
You cannot disable this option as this may increase the load in the server.
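The following Python check is an added example, not part of the Cisco guide or of LMS itself. It reads a web.xml of the kind described here and in the Session Management debugging steps, and reports whether the DEBUG context-param is still true and whether session-timeout departs from the 2-hour default. The sample file content, the namespace and the finding codes are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

DEFAULT_TIMEOUT_MIN = 120  # the guide gives the default timeout as 2 hours

# Constructed sample modelled on the fragment quoted in this guide; the
# namespace and the 480-minute value are assumptions made for the example.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <context-param>
    <param-name>DEBUG</param-name>
    <param-value>true</param-value>
    <description>mice debug enabling</description>
  </context-param>
  <session-config>
    <session-timeout>480</session-timeout>
  </session-config>
</web-app>
"""


def _local(tag):
    """Drop an XML namespace prefix so namespaced and plain files both match."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [child for child in elem if _local(child.tag) == name]


def read_settings(xml_data):
    """Return the DEBUG flag and the raw session-timeout text (None if absent)."""
    root = ET.fromstring(xml_data)
    debug = None
    for param in _children(root, "context-param"):
        fields = {_local(c.tag): (c.text or "").strip() for c in param}
        if fields.get("param-name") == "DEBUG":
            debug = fields.get("param-value", "").lower() == "true"
    timeout = None
    for config in _children(root, "session-config"):
        for node in _children(config, "session-timeout"):
            timeout = (node.text or "").strip()
    return {"debug": debug, "session_timeout": timeout}


def audit(xml_data, max_timeout_min=DEFAULT_TIMEOUT_MIN):
    """Return a list of (code, message) findings for the two settings."""
    settings = read_settings(xml_data)
    findings = []
    if settings["debug"]:
        findings.append(("DEBUG_ENABLED",
                         "DEBUG is true; set it back to false after troubleshooting"))
    raw = settings["session_timeout"]
    if raw is None:
        findings.append(("TIMEOUT_MISSING",
                         "no session-timeout element; the container default applies"))
        return findings
    try:
        minutes = int(raw)
    except ValueError:
        findings.append(("TIMEOUT_INVALID",
                         f"session-timeout {raw!r} is not a whole number of minutes"))
        return findings
    if minutes <= 0:
        # Servlet specification: zero or a negative value means no expiry.
        findings.append(("TIMEOUT_NEVER",
                         "session-timeout <= 0 means sessions never expire"))
    elif minutes > max_timeout_min:
        findings.append(("TIMEOUT_ABOVE_DEFAULT",
                         f"session-timeout is {minutes} min, above {max_timeout_min} min"))
    return findings


def audit_file(path):
    """Audit a web.xml on disk, for example the file under NMSROOT named above."""
    with open(path, "rb") as handle:
        return audit(handle.read())


if __name__ == "__main__":
    for code, message in audit(SAMPLE_WEB_XML):
        print(f"{code}: {message}")
```

Run it against a copy of the file after any change to the timeout or after a debugging session, so that a forgotten DEBUG=true or an oversized idle timeout is caught.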
Q. How do I change the configuration details of the server after installing LMS Soft Appliance?
A. To change the configuration details of the server after installation:
Note You should reboot the server only if you change the following configuration details:
• Hostname
• Default DNS Domain
• IP Address, IP Netmask
• IP Default Gateway
• Primary Name Server
• Primary NTP Server
• Time Zone
Note You should execute this command only when you change the hostname. Each time you change the
hostname of the server, you must perform steps 1 to 9 to reflect the hostname changes in LMS.
Note You must restart the Daemon Manager before and after you change the hostname.
Note You must change the server configuration details only through Soft Appliance admin console.
Table B-5 lists the examples of how to change the Soft Appliance server configuration details.
Q. How should I change the syslog port of Cisco Prime from 514 to another number?
A. You can change the syslog port by modifying the value of CrmLogPort registry key located under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmlog\Parameters.
After you have changed the syslog port, you need to restart the syslog service.
Q. What should I do when Daemon Manager and multiple processes are not started on a Windows
machine?
A. Sometimes, Windows may prevent some processes from running for security reasons.
You should do the following on a Windows 2003 Operating system:
Step 1 Right-click the My Computer icon on your desktop and click Properties to open the System Properties
dialog box.
Step 2 Click the Advanced tab.
Step 3 Click Settings from the Performance panel to open the Performance Options dialog box.
Step 4 Click the Data Execution Prevention tab.
Step 5 Check whether the java.exe and cwjava.exe are available in the list of blocked programs. If so, remove
the programs from the blocked list.
Step 6 Click OK to close the Performance Options dialog box.
Step 7 Click OK to close the System Properties dialog box.
Step 8 Reboot the server.
Q. What should I do when the TAC Service Requests feature that displays my current Cisco.com TAC
tickets does not use the proxy to connect, even after setting the proxy in proxy server setup?
A. Check whether the following production URLs are reachable from the server where the product is installed.
• SASI_SERVER—https://wsgx.cisco.com
• RSR_SERVER—https://wsgx.cisco.com
• CSC_SERVER—https://supportforums.cisco.com
• CCOLOGINURL—https://sso.cisco.com/autho/apps/nmtgSSapp/index.html
• CCOLOGOUTURL—https://sso.cisco.com/autho/logout.html
• CASE_QUERY_URL—https://tools.cisco.com/ServiceRequestTool/query/QueryCaseSearchAction.do?caseType=ciscoServiceRequest&method=doQueryByCase&SRNumber=
• LOGIN_REDIRECT_URL—https://fed.cisco.com/idp/startSSO.ping?PartnerSpId=csc.jivesoftware.com&TargetResource=
• CSC_REDIRECT_URL—https://supportforums.cisco.com
Q. I am unable to access LMS running on Windows 2008 Server, when I use IE, but it works properly
in FF, what could be the reason?
A. You are not able to access LMS in IE because of the cache issue. Clear the browser cookies and
cache from IE.
Important URLs
Q. What are the URLs that are most commonly used in LMS?
A. The following URLs are most commonly used in LMS and should be added in the proxy server:
General
http://www.cisco.com
Device update/Software update/Point Patch update
• https://tools.cisco.com/software/catalog/swcs/softwaremetadata
• https://tools.cisco.com/software/catalog/swcs/image
• https://www.cco.cisco.com
IOS image download
• http://www.cisco.com/cgi-bin/smarts/swim/crmiosbridge.pl
• http://www.cisco.com/techsupport
Smart Services
• SASI_SERVER—https://wsgx.cisco.com
• RSR_SERVER—https://wsgx.cisco.com
• CSC_SERVER—https://supportforums.cisco.com
• CCOLOGINURL—https://sso.cisco.com/autho/apps/nmtgSSapp/index.html
• CCOLOGOUTURL—https://sso.cisco.com/autho/logout.html
• CASE_QUERY_URL—https://tools.cisco.com/ServiceRequestTool/query/QueryCaseSearchAction.do?caseType=ciscoServiceRequest
• LOGIN_REDIRECT_URL—https://fed.cisco.com/idp/startSSO.ping?PartnerSpId=csc.jivesoftware.com
• CSC_REDIRECT_URL—https://supportforums.cisco.com
PSIRT
• EoS/EoL Hardware Report—http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwareid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=latest#
• EoS/EoL Software Report—http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwareid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=latest#
Bug Toolkit
• http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl
• http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do??method=getAllBugs
• http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do?method=getAffectedBugdata&bugid=
• http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do?method=getBugsReport
Contract Connection
• http://www.cisco.com/cgi-bin/front.x/cconx/conx_userinfo.pl
• https://www.cisco.com/cgi-bin/front.x/cconx/conx_recv_data.pl
• https://www.cisco.com/cgi-bin/front.x/cconx/conx_sortdetail_js.pl
Compliance and Audit Management
• Download Contracts—https://apps.cisco.com/CustAdv/ServiceSales/contract/viewContractMgr.do?method=viewContractMgr
• Download Compliance Policy Updates—http://www.cisco.com/cisco/software/release.html?mdfid=284259296&flowid=31102&softwareid=284270571&release=1.0.0&relind=AVAILABLE&rellifecycle=&reltype=latest
Security
The following are the FAQs on LMS Security:
• Q. When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This
makes the process tedious. Is there a way to reduce the number of dialog boxes and steps?
• Q. When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a
security alert related to the site's security certificate. It asks for my input to proceed further. Why?
• Q. My server certificate for Cisco Prime has expired. What should I do?
• Q. I have configured the Active Directory Login Module but it does not work. How can I analyze the
problem?
• Q. What are the minimum and maximum length of user account names? How do I control them?
• Q. What are the rules to enter a valid username and password?
• Q. Where is the SSL log present?
• Q. Why am I getting a 403 forbidden error while trying to access Cisco Prime pages?
Q. When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This
makes the process tedious. Is there a way to reduce the number of dialog boxes and steps?
A. Yes. You have the following options:
– If you are using self-signed certificates in Internet Explorer and you are confident about the
identity of the server, install the certificate in the browser's trusted certificate store.
– Use a server certificate issued by a prominent third party certificate authority (CA).
– Configure the hostname in your server certificate properly, and use the same hostname to invoke
Cisco Prime.
Q. When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a
security alert related to the site's security certificate. It asks for my input to proceed further. Why?
A. Cisco Prime does not have any control over this behavior. This is an expected browser behavior
(Microsoft Internet Explorer or Mozilla Firefox), to ensure proper security.
This appears if any of the following conditions is not satisfied:
– The certificate of the server (Cisco Prime Server in this case) must be issued by trusted
Certificate Authority.
– The date of the certificate must be valid. (Each certificate is assigned a validity period. It can
range from 21 days to 5 years).
– The name of the certificate and name of the page (or the name typed in the address bar of the
browser) are the same.
To view the certificate information:
– Click View Certificate, in the alert box for Internet Explorer.
– Click Examine Certificate in the alert box for Mozilla Firefox.
The server should be invoked with the same name as the 'Issued to' field of the certificate.
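The three conditions above can be checked outside the browser. The following Python sketch is an added example, not part of the Cisco guide: it takes a certificate in the dictionary format returned by Python's ssl.SSLSocket.getpeercert() and reports which condition would raise the alert. The host names, dates and result codes are constructed for the example. Only the self-signed case is detected for the trust condition; validating a CA chain is left to the TLS library.

```python
import ssl

# Constructed sample in the format returned by ssl.SSLSocket.getpeercert();
# host names and dates are made up for this example.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "lms01.example.com"),),),
    "issuer": ((("commonName", "lms01.example.com"),),),
    "notBefore": "Jan 15 00:00:00 2023 GMT",
    "notAfter": "Jan 15 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "lms01.example.com"),),
}

MESSAGES = {
    "SELF_SIGNED": "issuer equals subject; browsers warn until the certificate "
                   "is installed in the trusted store or replaced by a CA-issued one",
    "NOT_YET_VALID": "the validity period has not started",
    "EXPIRED": "the validity period has ended",
    "NAME_MISMATCH": "the name used to invoke the server is not in the certificate",
}


def _common_names(name):
    """Extract commonName values from a getpeercert() subject or issuer tuple."""
    return [value for rdn in name for (key, value) in rdn if key == "commonName"]


def presented_names(cert):
    """Names the certificate vouches for: SAN entries, else the 'Issued to' CN."""
    san = cert.get("subjectAltName", ())
    names = [value for key, value in san if key in ("DNS", "IP Address")]
    return names or _common_names(cert.get("subject", ()))


def _matches(pattern, host):
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        head, sep, rest = host.partition(".")
        return bool(head) and sep == "." and rest == pattern[2:]
    return pattern == host


def diagnose(cert, requested_host, now):
    """Return the codes of the conditions that fail; `now` is epoch seconds."""
    problems = []
    if cert.get("issuer") == cert.get("subject"):
        problems.append("SELF_SIGNED")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("NOT_YET_VALID")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("EXPIRED")
    if not any(_matches(name, requested_host) for name in presented_names(cert)):
        problems.append("NAME_MISMATCH")
    return problems


if __name__ == "__main__":
    when = ssl.cert_time_to_seconds("Jun 01 00:00:00 2024 GMT")
    # The server is invoked by its short name, which the certificate lacks.
    for code in diagnose(SELF_SIGNED_CERT, "lms01", when):
        print(f"{code}: {MESSAGES[code]}")
```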
To install the certificate in Internet Explorer:
Q. My server certificate for Cisco Prime has expired. What should I do?
A. If you are using a self-signed certificate, you can create a new certificate using the Create Self
Signed Certificate option. For more information, see Creating Self Signed Certificates.
If you are using a third party issued certificate, you must contact the certificate authority (CA) and renew
the certificate. You can use a self-signed certificate till you get the certificate renewed by the CA.
Note Before you perform any certificate management operations—creating or modifying certificates, back up
the certificate files, the server private key in particular, and keep them in a safe location.
Q. I have configured the Active Directory Login Module but it does not work. How can I analyze the
problem?
A. To analyze the problem, enable the Debug mode for the Active Directory Login module. To do this:
NMSROOT/MDC/Tomcat/logs/stdout.log
For all failed login attempts, the log files contain LDAP error messages, which specify the reason for the
failure.
For example, if the Usersroot configuration is incorrect, then the login module cannot match the
complete DN string with any entries in the Active Directory database.
It indicates which portion of the DN matched and which portion did not match. You can verify your
Active Directory setup and the entries for the Usersroot.
In some cases, the log file contains error messages with NameError. This indicates that either you
entered a wrong user ID or there is some spelling error in the Usersroot configuration.
Q. What are the minimum and maximum length of user account names? How do I control them?
A. The minimum length of a user account name is 5 characters. The maximum length of a user account
name is 255 characters.
You can control the length of user account names using the Local User Policy Setup page. See
Setting up Local User Policy for more information.
Q. Why am I getting a 403 forbidden error while trying to access Cisco Prime pages?
A. You should check whether the casuser is assigned with the required local security policies.
To check whether the casuser is assigned with the required policies:
Step 1 Click Start > Settings > Control Panel > Administrative Tools.
Step 2 Click the Local Security Policy shortcut from the Administrative Tools folder.
The Local Security Policy window opens.
Step 3 Click Local policies > User Rights Assignment in the Local Security Policy window.
Step 4 Check whether the casuser is assigned with the following privileges:
• Access this computer from the network
• Log on as a batch job
If the casuser is not assigned with the required privileges, you should run the resetCasuser utility again.
Enter the following commands to run the resetCasuser utility:
• NMSROOT/CSCOpx/setup/support/resetCasuser (On Solaris/Soft Appliance)
• NMSROOT\CSCOpx\setup\support\resetCasuser.exe (On Windows)
where NMSROOT refers to the Cisco Prime Installation directory.
The other possible solutions are:
• Remove or disable the anti-virus software
• Restart Daemon Manager
• Uninstall or disable IIS
• Log on as a batch job
• Disable Cisco Security Agent
• Stop the Daemon Manager and check if there are any Apache or Tomcat processes running. If so,
kill the stray processes from the Task Manager or stop them from the Services panel.
• Ensure that the casuser or administrator has the read permission for the CSCOpx,
CSCOpx/MDC/tomcat/webapps/cwhp directories, and their inner directories.
Software Center
The following are the FAQs on Software Center:
• Q.How do I find out which devices are supported by a particular application?
• Q.What are the prerequisites for downloading Software Updates from Cisco.com?
• Q.Does the Software Center list only the software updates that are not installed in this machine?
• Q.What should I do if I see errors when using Software Center or having issues with LMS not
correctly working with supported devices?
Q. What are the prerequisites for downloading Software Updates from Cisco.com?
A. You should check for the following:
– Valid Cisco.com credentials are configured during Server administration
– Valid proxy details are configured and Cisco Prime supports basic authentication of the proxy server.
See Downloading Software Updates for more information.
Q. Does the Software Center list only the software updates that are not installed in this machine?
A. The Software Center module lists all software updates including those that are installed. However,
it performs the filtering for device updates.
Q. What should I do if I see errors when using Software Center or having issues with LMS not correctly
working with supported devices?
A. Under rare circumstances, internal LMS files that contain information on which device support
packages are installed and which devices are supported, become corrupted.
If such files become corrupted, you may notice one or more of the following symptoms:
– "HTTP 500" error occurs while trying to view package information from Admin > System >
Software Center > Device Update. One possible exception is:
java.util.NoSuchElementException at
java.util.StringTokenizer.nextToken(StringTokenizer.java:259) at
com.cisco.nm.xms.psu.ui.gui.model.action.DevUpdate.getPackageMap(Unknown Source) at
com.cisco.nm.xms.psu.ui.gui.model.action.DevUpdate.perform(Unknown Source)
– The following errors will be seen in NMSROOT\log\psu.log:
[ <date time > ] ERROR [CreateMaps : removeDupEntries] :String index out of
range: -1
– Devices that are shown as supported in "Supported Devices Table for Cisco Prime LAN Management
Solution", and that may have been working previously, show as not supported/unknown and display
device icons with a question mark (?) in Device Selectors in one or more areas of LMS.
– Various forms of Inventory/Configuration Collection from devices (Inventory > Dashboards
> Device Status > Collection Summary) fail for all devices of a particular model, but
succeed for other devices with identical configuration, yet different models.
– Specific models of devices are not available in Device Selectors to have reports, jobs or other
functionality run on them, however Inventory Collection and/or Config Archive has succeeded
for them. This is frequently seen with Configuration related functionality.
To resolve such issues, you can run the NMSROOT/bin/reCreatePkgMap.pl script and recreate files
which store information on which device support packages are installed and devices they support.
Run the following script:
NMSROOT/bin/perl NMSROOT/bin/reCreatePkgMap.pl (Solaris/Soft Appliance)
or
NMSROOT\bin\perl NMSROOT\bin\reCreatePkgMap.pl (Windows)
Q. Why am I sometimes unable to access CORBA services in the Cisco Prime LMS Server from another
network?
A. This could be because the domain name of the Cisco Prime LMS Server may not be resolved.
To access the CORBA services in a server that is not DNS resolvable, you must:
Step 1 Change the value of attribute jacorb.dns.enable in orb.properties file from on to off.
Step 2 Regenerate the self-signed certificate with IP address instead of hostname.
Step 3 Restart the Daemon Manager.
Q. What kind of directory structure does Cisco Prime use when backing up data?
A. Cisco Prime uses a standard database structure for backing up all suites and applications. See
Table B-6 for a sample directory structure on Cisco Prime LMS Server.
Q. What should I do when backup fails and displays a Backup.LOCK file exists error message?
A. You should try removing the Backup.LOCK file from the Cisco Prime installation directory and start
backup again. You can use the CLI program to back up the data. See Backing up Data Using CLI for
more information.
Q. Do I need to stop the Daemon Manager before running backup.pl and restorebackup.pl scripts?
A. Daemons should be stopped only before you run restorebackup.pl scripts. You need not stop the
Daemon Manager to run the backup.pl scripts.
See Backing up Data Using CLI and Restoring Data for more information.
Database
The following are the FAQs on Database:
• Q.How can I find the version of a Sybase Database?
• Q.What if the database is inaccessible?
Step 4 Select Admin > System > Server Monitoring > Collect Server Information.
Step 5 Click Product Database Status to get detailed database status.
Step 6 Contact the Cisco TAC or your customer support to get the information you need to access the database
and find out details about the problem.
After you have the required information, perform the following tasks for detecting and fixing database
errors.
Depending upon the degree of corruption, the database engine may or may not start. For certain
corruptions, such as bad indexes, the database can function normally until the corrupt index is accessed.
Database corruptions, such as index corruptions, can be detected by the dbvalid utility, which requires
the database engine to be running.
To detect database corruption:
Step 1 Log on as root (on Solaris/Soft Appliance) or with administrator privileges (on Windows).
Step 2 Stop the Daemon manager if it is already running:
• /etc/init.d/dmgtd stop (on Solaris/Soft Appliance)
• net stop crmdmgtd (on Windows)
Step 3 Make sure no database processes are running and there is no database log file.
For example, if the database file is /opt/CSCOpx/databases/rme/rme.db, the database log file is
/opt/CSCOpx/databases/rme/rme.log. This file is not present if the database process shuts down cleanly.
Step 4 Check if the database files and the transaction log file (*.log) are owned by user casuser if you use Solaris
machines. If not, change the ownership of these files to user casuser and group casusers.
Step 5 Run the commands on the command prompt:
cd NMSROOT/objects/db/conf
The dbvalid command displays a list of tables being validated. The Validation utility scans the entire
table, and looks up each record in every index and key, defined on the table. If there are errors, the utility
displays a message such as:
Validating DBA.xxxx
run time SQL error -- Foreign key parent_is has invalid or duplicate index
entries 1 error reported
Q. How do I avoid the SSL port conflict between HPOV and LMS servers and run them both on the
same system?
A. The new installer detects IIS web server running on the machine and prompts you to enter a different
port number for Cisco Prime LMS Server to avoid the conflict.
Q. Why does the Apache process not come up after installation or why does the process go down
suddenly?
A. This could be a problem with the Apache configuration syntax or the validity of the server
certificate. You should first check the Apache configuration syntax.
To do this:
On Windows:
Go to NMSROOT\MDC\Apache\bin and run the command Apache.exe -t -d .
On Solaris/Soft Appliance:
Go to NMSROOT/MDC/Apache/bin and run the command ./web_server -t
If the Apache configuration syntax is correct, a message appears:
Syntax OK
If the Apache configuration syntax is fine, check the validity of the Server Certificate using the SSL
Utility Script.
Note Do not use this option by default. Use it only when Cisco Prime instructs you to.
This utility lists all the files that are being updated. Before updating, the utility backs up all
affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories.
It also creates a new file called index.txt. This text file contains information about the changed
port, a list of all the files that are backed up, and their actual location in the Cisco Prime directory.
• If you do not want Cisco Prime processes to run as root, do not use the ports 80 and 443.
When you run the utility with the appropriate options, it displays messages on the tasks it performs.
This utility lists all the files that are being updated. Before updating, the utility backs up all
affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories.
It also creates a new file index.txt. This text file contains information about the changed port and a
list of all files that are backed up and their actual location in the Cisco Prime directory.
A sample backup may be similar to:
/opt
 |
 `--/CSCOpx
     |
     `--/conf
         |
         `--/backup
             |
             |--README.txt (Note the purpose of this directory as it is initially empty)
             |
             `--/AAAtpaG03_Ciscobak (Autogenerated unique backup directory).
                 |
                 |--index.txt (The backup file list)
                 |--httpd.conf (Webserver config file)
                 |--md.properties (CiscoWorks config elements)
                 |--mdc_web.xml (Common Services application config file)
                 |--regdaemon.key (Common Services config registry key file)
                 |--regdaemon.xml (Common Services config registry data file)
                 |--rootapps.conf (CiscoWorks daemons using privileged ports)
                 |--services (The system /etc/services file)
                 `--ssl.properties (CiscoWorks config elements for SSL mode)
Note All of the above files and the unique directories are stored with read only permission to casuser:casusers.
To ensure the security of the backup files, only the Cisco Prime LMS Server administrator has write
permissions.
The change port utility displays messages to the console during execution. These messages contain
information about the directory where the backup files are being stored. These messages are also logged
to a file, changeport.log.
This file is saved to the directory:
/var/adm/CSCOpx/log/changeport.log
This file contains the date and time stamps to indicate when the log entries were created.
On Windows:
You can change the web server port numbers for the LMS Webserver. You can also change both the
HTTP and HTTPS port numbers.
To change the port numbers you must have administrative privileges. Run the following command at the
prompt:
NMSROOT\MDC\Apache\changeport.exe
If you run this utility without any command line parameter, Cisco Prime displays the following usage
text:
*** Common Services Webserver port change utility ***
Usage: changeport <port number> [-s] [-f]
where:
port number—The new port number that should be used
-s—Change the SSL port instead of the default HTTP port
-f—Force port change even if Daemon Manager detection fails.
Note Do not use this option by default. Use it only when Cisco Prime instructs you to.
`--\backup
    |
    |--README.txt (Notes the purpose of this dir as it is initially empty)
    |
    `--\skc03._Ciscobak (Autogenerated unique backup directory).
        |
        |--index.txt (The backup file list)
        |--httpd.conf (Webserver config file)
        |--md.properties (CiscoWorks config elements)
        |--mdc_web.xml (Common Services application config file)
        |--regdaemon.key (Common Services config registry key file)
        |--regdaemon.xml (Common Services config registry data file)
        `--ssl.properties (CiscoWorks config elements for SSL mode)
Note All the above files and the unique directories are stored with read only permissions. Only the
administrator and casuser have write permissions, to ensure the security of the backup files.
The change port utility displays messages to the console during execution. These messages contain
information about the directory where the backup files are being stored. These messages are also logged
to a file, changeport.log.
This file is saved to the directory:
NMSROOT\log\changeport.log
This log file contains the date and time stamps to indicate when the log entries were created.
Q. How should I enable or disable web server SSL mode from the command line?
A. To enable or disable the web server SSL mode:
If Tomcat is already configured for higher memory than what you specify when you run the command,
the following message is displayed:
INFO: Tomcat is already configured with a higher heap value.
Step 1 Navigate to the directory where the SSL Utility Script is located.
On Windows:
a. Go to NMSROOT\MDC\Apache
b. Enter NMSROOT\bin\perl SSLUtil.pl
On Solaris/Soft Appliance:
a. Go to NMSROOT/MDC/Apache/bin
b. Enter NMSROOT/bin/perl SSLUtil.pl
After you have entered this command, the system displays a set of options.
Step 2 Select the fourth option Verify the input Certificate/Certificate Chain by entering 4.
Step 3 Enter the location of the server certificate NMSROOT/MDC/Apache/conf/ssl/server.crt
The script verifies if the server certificate is valid. If the script reports errors during validation and
verification, you have to regenerate the certificate by running SignTool.pl from the above directory.
Step 4 Enter NMSROOT/bin/perl SignTool.pl [-SSL=true | -SSL=false]
Q. What is the maximum number of connections allowed by Cisco Prime to access the web interface?
A. Tomcat, the servlet engine, shipped with Cisco Prime handles a maximum of 500 connections or http
requests.
Q. Why does the Apache server not start during the reboot process?
A. Anti-virus software causes the processes to come up slowly after reboot. Delay the anti-virus during
startup to solve the issue. Ensure that the NMSROOT folder is excluded correctly from anti-virus and
reboot the server after shutting down the anti-virus completely.
Q. What is the difference between SNMP Raw Trap Forwarding and Processed SNMP Trap alert/event
Trap Forwarding? Does LMS support both of these methods?
A. Yes, LMS supports both ways of Trap forwarding.
Raw Trap is forwarded by the Device to Fault Management and Fault Management has to process
it. To configure Raw Trap Forwarding, select Admin > Network > Notification and Action
Settings > Fault - SNMP trap forwarding.
When LMS receives certain SNMP traps, it analyzes the data found in fields such as
Enterprise/Generic trap identifier, Specific Trap identifier, and variable-bindings of each SNMP trap
message.
If needed, LMS changes the property value of the object property. These are Processed Traps. To
configure Processed event/alert trap forwarding, select Admin > Network > Notification and
Action Settings > Fault - SNMP trap forwarding. This configuration can also send trap
notifications if there is a threshold violation in the LMS managed devices.
For more information, refer to the Monitoring and Troubleshooting with Cisco Prime LAN
Management Solution 4.2.
Step 1 Enable Syslog from Admin > Network > Notification and Action Settings > Fault - Syslog
notification
Step 2 Point it to any Solaris machine and run the following:
• /etc/init.d/syslog start
• tail -f /var/adm/messages
Q. How can I create a link to the Java Plug-in in Netscape 7.x and Mozilla 1.7.x?
A. Create a symbolic link to the Java Plug-in libjavaplugin_oji.so file in the Netscape 6.x/7.x or Mozilla
Plugins directory. To create the link, go to the command prompt and enter:
Step 1 cd /plugins
Step 2 ln -s /plugin/sparc/ns610/libjavaplugin_oji.so .
Step 1 Select Admin > System > Debug Settings > IPSLA Debugging Settings.
The IPSLA Debugging Settings page appears.
Step 2 Select the module and log level from the Module and Logging Level drop-down lists.
The various log levels available are FATAL, ERROR, WARN, INFO, and DEBUG.
Step 3 Click Apply.
Q. I have problems while migrating the IPSLA Performance Management data. What should I do?
A. Check the following log files for information:
– restorebackup.log
– migration.log
– ipmclient.log
– ipmserver.log
Cisco Prime Data Extraction Engine (DEE) is a utility to export User Tracking, Topology, and
Discrepancy application data.
This utility provides servlet and command line access to User Tracking, Topology, and Discrepancy
data, and allows you to extract the data in Extensible Markup Language (XML) format.
This appendix contains:
• Overview of Data Extraction Engine
• The cmexport Command
• cmexport User Tracking
• cmexport Topology Command
• cmexport Discrepancy Command
• cmexport Manpage
For… Location
User Tracking PX_DATADIR/cmexport/ut/timestamput.xml
Layer 2 Topology PX_DATADIR/cmexport/L2Topology/timestampL2Topology.xml
Discrepancy PX_DATADIR/cmexport/Discrepancy/timestampDiscrepancy.xml
where:
• cmexport is the Cisco Prime LMS command line interface for exporting User Tracking, Layer 2
topology, and discrepancy data details into XML format.
• command specifies the core operation that is to be performed.
• arguments are the additional parameters required for each core command.
• options are the optional parameters, which modify the behavior of the specific DEE core command.
The order of the arguments and options is not important. However, you must enter the core command
immediately after cmexport.
Commands
Table C-2 lists the command part of the cmexport syntax.
You must invoke the cmexport command with one of the core commands specified in the above table. If
you do not specify any core commands, cmexport can only execute the -v or -h options:
• Option -v displays the version of the cmexport utility
• Option -h (or null option) lists the usage information for this utility.
Mandatory Arguments
The arguments that must be specified with all functions are:
• -u userid: Specifies the Cisco Prime userid.
• -p password: Specifies the password for Cisco Prime userid.
– If you want to avoid the -p option, which will reveal the password in clear text in CLI, you must
store your userid and password in a file and set a variable CMEXPORTFILE which points to this
file.
You must maintain this file and control access permissions to prevent unauthorized access. If
CMEXPORTFILE is set only to the file name instead of to the full path, cmexport looks for the file
in the current working directory.
– If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken
from the command line instead of from CMEXPORTFILE. This is not secure and we
recommend that you do not use this option.
You must enter the password in the file in the following format:
userid password
where userid is the Cisco Prime user name given in the command line. The delimiter between the
userid and password is a single blank space.
You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the
password.
The password file can contain multiple entries with different user names. If there are duplicate
entries the password that matches the first user name is considered.
Note If -p password is used, the password is read from the command line instead of
CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
Optional Arguments
The arguments you can specify with any function are:
• -d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of
debugging—TRACE and DEBUG. If you do not specify the -d option, logging will not occur.
• -l logfile
Logs the results of the cmexport command to the specified log file name. By default the command
output is displayed in the standard output.
Function-Specific Options
DEE supports the following function-specific option:
-f filename
If used with:
• User Tracking function
Specifies the name of the file to which the user tracking information is to be exported.
• Topology function
Specifies the name of the file to which the layer 2 topology information is to be exported.
• Discrepancy function
Specifies the name of the file to which the discrepancy information is to be exported.
Displaying Help
To display help for cmexport, enter the following at a CLI prompt: cmexport -h
This displays a list of options for cmexport.
On Solaris, you can also enter the following at a CLI prompt:
man cmexport
Uses of cmexport
If you enter:
cmexport ut {-u userid} -p password -host -f filename.xml
User Tracking XML output for host will be generated and it is stored in the file filename.xml.
If you want to export the latest topology details for all Layer 2 devices enter:
cmexport L2Topology {-u userid} -p password -f filename.xml
If you want to export the latest discrepancy details, enter:
cmexport Discrepancy {-u userid} -p password -f filename.xml
Notations
The notations followed in describing the command line arguments are explained below:
{argument}—Argument is a mandatory parameter.
[argument]—Argument is an optional parameter.
argument—Argument is a variable.
argument 1 | argument 2—Either argument 1 or argument 2 may be specified but not both.
Table C-3 lists the notations part of the cmexport syntax.
Command Description
ut cmexport ut {-u userid} [ -p password ] -host [ host-options ] | -phone [ phone-options ] [ options ]
l2topology {-u userid} [-p password] [-f filename]
discrepancy {-u userid} [-p password] [-f filename]
empty [-v | -h]
Name
cmexport ut: CiscoWorks cmexport user tracking function
Synopsis
cmexport ut: { -u userid} [ -p password ] -host [ host-options ] | -phone [ phone-options ] [ options ]
Table C-4 lists the command part of the cmexport syntax.
Description
User Tracking (specified by ut) exports the user tracking data into an XML file based on a predefined
schema.
Mandatory Arguments
The options that must be specified with the cmexport ut function are:
• -u userid: Specifies the Cisco Prime userid.
• -p password: Specifies the password for Cisco Prime userid.
If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store
your userid and password in a file and set a variable CMEXPORTFILE which points to this file.
You must maintain this file and control access permissions to prevent unauthorized access. If
CMEXPORTFILE is set only to the file name instead of to the full path, cmexport looks for the file
in the current working directory.
If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken
from the command line instead of from CMEXPORTFILE. This is not secure and we recommend
that you do not use this option.
The password must be provided in the file in the following format:
userid password
where userid is the Cisco Prime user name given in the command line. The delimiter between the
userid and password is a single blank space.
You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the
password. The password file can contain multiple entries with different user names. The password
that matches the first user name is considered in case of duplicate entries.
Note If -p password is used, the password is read from the command line instead of
CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
Options
The options you can specify with the ut function are:
• -d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of
debugging—TRACE and DEBUG. If you do not specify the -d option, no logging will occur.
• -l logfile
Logs the results of the cmexport command to the specified logfile name. By default the command
output will be displayed in the standard output.
• -f filename
The file option specifies the filename where the XML output is to be stored. If the filename is not
specified with -f option, an XML file of the format timestamput.xml is stored in the following
directory: PX_DATADIR/cmexport/ut
• -view
Specifies the format in which the user tracking XML data is to be presented. It supports two optional
arguments:
a. switch: User Tracking data is displayed based on the type of switch.
b. subnet: User Tracking data is displayed based on the subnet in which they are present.
The -view options are not case sensitive.
• -query queryname
User Tracking host data is exported in XML format for the query provided in queryname. This
option must be used with the -host argument. For this option:
– Create a Custom report for end hosts from the mega menu:
Reports > Report Designer > User Tracking > Custom Reports.
– Use the Custom report name as a value here.
• -layout layoutname
User Tracking host data is exported in XML format for the layout provided in layoutname. This
option must be used with the -host argument. For this option:
– Create a Custom layout for end hosts in the following screen:
Reports > Report Designer > User Tracking > Custom Layouts.
– Use the Custom layout name as a value here.
Note The Custom layouts are defined per user. An invalid layout name error message will be
displayed if layout name created by another user is entered as custom layout name.
• -queryPhone queryname
User Tracking phone data is exported in XML format for the query given in queryname. This option
must be used with the -phone argument. For this option:
– Create a Custom report for IP phones in the following screen:
Reports > Report Designer > User Tracking > Custom Reports.
– Use the Custom report name as a value here.
• -layoutPhone layoutPhone
User Tracking phone data is exported in XML format for the layout given in layoutPhone. This
option must be used with the -phone argument. For this option:
– Create a Custom layout for IP phones in the following screen:
Reports > Report Designer > User Tracking > Custom Layouts.
– Use the Custom layout name as a value here.
Accessing Help
Enter the following in the CLI:
• cmexport -h: Displays a list of options for cmexport.
• cmexport ut -h: Displays a list of options for the cmexport ut command.
On Solaris, you can also enter the following in the CLI:
man cmexport
Examples
Considering userid: admin, password: admin, queryname: host1Query, layoutname: host1Layout,
queryphone: phone1Query, layoutphone: phone1Layout, filename: file1.xml, we can have the following:
cmexport ut -u admin -p admin -host
cmexport ut -u admin -p admin -phone
cmexport ut -u admin -p admin -host -query host1Query -layout all
cmexport ut -u admin -p admin -host -query host1Query -layout layoutname
cmexport ut -u admin -p admin -phone -queryPhone phone1Query -layoutPhone phone1Layout
cmexport ut -u admin -p admin -host -f file1.xml
cmexport ut -u admin -view switch -host
Name
cmexport L2Topology: Cisco Prime cmexport layer 2 topology function
Synopsis
cmexport l2topology {-u userid} [ -p password ] [ options ]
where cmexport l2topology -h lists the options available and function of each option.
Description
Layer 2 Topology (specified by l2topology) exports the Layer 2 topology data into an XML file based
on a predefined schema.
Mandatory Arguments
The options that you must specify with the cmexport L2Topology function are:
• -u userid: Specifies the Cisco Prime user ID.
• -p password
Specifies the password for Cisco Prime user ID.
If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store
your userid and password in a file and set a variable CMEXPORTFILE which points to this file.
You must maintain this file and control access permissions to prevent unauthorized access. If
CMEXPORTFILE is set only to the file name instead of to the full path, cmexport looks for the file
in the current working directory.
If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken
from the command line instead of from CMEXPORTFILE. This is not secure and we recommend
that you do not use this option.
The password must be provided in the file in the following format:
userid password
where userid is the Cisco Prime user name given in the command line. The delimiter between the
userid and password is a single blank space.
You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the
password. The password file can contain multiple entries with different user names. The password
that matches the first user name is considered in case of duplicate entries.
Note If -p password is used, the password is read from the command line instead of
CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
Options
The options you can specify with the layer 2 topology function are:
• -d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of
debugging—TRACE and DEBUG. If you do not specify the -d option, no logging will occur.
• -l logfile
Logs the results of the cmexport command to the specified logfile name. By default the command
output will be displayed in the standard output.
• -f filename
The file option specifies the filename where the XML output is to be stored. If the filename is not
specified with -f option an XML file of the format timestampL2Topology.xml is stored in the
following directory: PX_DATADIR/cmexport/L2Topology
Accessing Help
Enter the following in the CLI:
cmexport -h: Displays a list of options for cmexport.
cmexport l2topology -h: Displays a list of options for the cmexport l2topology command.
On Solaris, you can also enter the following at a CLI:
man cmexport
Examples
Considering userid: admin, password: admin, filename: file1.xml, you can have the following:
cmexport L2Topology -u admin -p admin
cmexport L2Topology -u admin -p admin -f file1.xml
cmexport L2Topology -u admin -l file.log
Name
cmexport Discrepancy: Cisco Prime cmexport Discrepancy function.
Synopsis
cmexport discrepancy {-u userid} [ -p password ] [ options ]
where
cmexport discrepancy -help lists the options available and the function of each option.
Description
Discrepancy (specified by Discrepancy) exports the Discrepancy data into an XML file based on a
predefined schema.
Mandatory Arguments
The options that you must specify with the cmexport Discrepancy function are:
• -u userid: Specifies the Cisco Prime userid.
• -p password
Specifies the password for Cisco Prime userid.
If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store
your userid and password in a file and set a variable CMEXPORTFILE which points to this file.
You must maintain this file and control access permissions to prevent unauthorized access. If
CMEXPORTFILE is set only to the file name instead of to the full path, cmexport looks for the file
in the current working directory.
If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from
the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you
do not use this option.
Note If -p password is used, the password is read from the command line instead of
CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
Options
The options you can specify with the Discrepancy function are:
• -d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of
debugging—TRACE and DEBUG. If you do not specify the -d option, no logging will occur.
• -l logfile
Logs the results of the cmexport command to the specified log file name. By default the command
output will be displayed in the standard output.
• -f filename
The file option specifies the filename where the XML output is to be stored. If the filename is not
specified with -f option an XML file of the format timestampDiscrepancy.xml is stored in the
following directory: PX_DATADIR/cmexport/Discrepancy
Accessing Help
Enter the following in the CLI:
cmexport -h: Displays a list of options for cmexport.
cmexport discrepancy -h: Displays a list of options for the cmexport discrepancy command.
On Solaris, you can also enter the following in the CLI:
man cmexport
Examples
Considering userid: admin, password: admin, filename: file1.xml, you can have the following:
cmexport Discrepancy -u admin -p admin
cmexport Discrepancy -u admin -p admin -f file1.xml
cmexport Discrepancy -u admin -d 2
cmexport Manpage
This section contains:
• Command Line Syntax
• Commands
• Arguments and Options
• Accessing Help
Commands
Table C-7 lists the command part of the cmexport syntax.
You must invoke the cmexport command with one of the core commands specified in the above table. If
no core command is specified, cmexport can execute the -v or -h options only:
• Option -v displays the version of the cmexport utility.
• Option -h (or null option) lists the usage information of this utility.
Mandatory Arguments
The options that must be specified with all functions are:
-u userid: Specifies the Cisco Prime userid.
Optional Arguments
The options you can specify with any function are:
• -p password
Specifies the password for Cisco Prime userid.
If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store
your userid and password in a file and set a variable CMEXPORTFILE which points to this file.
You must maintain this file and control access permissions to prevent unauthorized access. If
CMEXPORTFILE is set only to the file name instead of to the full path, cmexport looks for the file
in the current working directory.
If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken
from the command line instead of from CMEXPORTFILE. This is not secure and we recommend
that you do not use this option.
The password must be provided in the file in the following format:
userid password
where userid is the Cisco Prime user name given in the command line. The delimiter between the
userid and password is a single blank space.
You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the
password. The password file can contain multiple entries with different user names. The password
that matches the first user name is considered in case of duplicate entries.
Note If -p password is used, the password is read from the command line instead of
CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
• -d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of
debugging—TRACE and DEBUG. If you do not specify the -d option, no logging will occur.
• -l logfile
Logs the results of the cmexport command to the specified log file name. By default the command
output will be displayed in the standard output.
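The CMEXPORTFILE rules given for -p password here and in the earlier cmexport sections (single blank as delimiter, first matching userid wins, controlled access permissions, full path) can be exercised with the shell helpers below. This is an added example, not Cisco's code: the function names and the sample path /export/home/lmsops/.cmexport are hypothetical, and the lookup mirrors the documented rules rather than cmexport's own implementation.

```shell
#!/bin/sh
# Added example: helpers for the CMEXPORTFILE password file.
# Function names and sample paths are hypothetical, not part of LMS.

# Append a "userid password" entry. The password is read from stdin so it
# never appears in the process argument list, and the file is kept rw-------.
cmexport_add_entry() {
    ae_file=$1
    ae_user=$2
    case $ae_user in
        ''|*' '*) echo "userid must be non-empty and contain no blank" >&2
                  return 2 ;;
    esac
    IFS= read -r ae_pass || :          # an empty password is allowed
    ae_umask=$(umask)
    umask 077                          # a new file is created owner-only
    printf '%s %s\n' "$ae_user" "$ae_pass" >> "$ae_file"
    ae_rc=$?
    umask "$ae_umask"
    chmod 600 "$ae_file" || return 1   # tighten a pre-existing file as well
    return $ae_rc
}

# Print the password that the documented rules select for a userid:
# one blank separates userid and password, the first matching entry wins,
# and an entry without the delimiter is not usable.
# Returns 0 = found, 1 = no entry, 2 = matching entry lacks the delimiter.
cmexport_lookup() {
    lk_file=$1
    lk_user=$2
    while IFS= read -r lk_line || [ -n "$lk_line" ]; do
        case $lk_line in
            "$lk_user "*) printf '%s\n' "${lk_line#* }"; return 0 ;;
            "$lk_user")   return 2 ;;
        esac
    done < "$lk_file"
    return 1
}

# Check a file before pointing CMEXPORTFILE at it. Returns 0 only when the
# path is absolute, the file is a regular file (not a symlink) with no
# group/other permissions, and every entry contains the blank delimiter.
# Messages never echo an entry, so passwords are not written to the terminal.
cmexport_check_file() {
    ck_file=$1
    case $ck_file in
        /*) ;;
        *) echo "use the full path; a bare name is resolved in the current directory" >&2
           return 1 ;;
    esac
    [ -f "$ck_file" ] && [ ! -L "$ck_file" ] || {
        echo "not a regular file: $ck_file" >&2; return 1; }
    ck_mode=$(ls -ld "$ck_file" | cut -c5-10)   # group and other permission bits
    [ "$ck_mode" = "------" ] || {
        echo "group/other can access the file ($ck_mode)" >&2; return 1; }
    ck_n=0
    while IFS= read -r ck_line || [ -n "$ck_line" ]; do
        ck_n=$((ck_n + 1))
        case $ck_line in
            *' '*) ;;
            *) echo "entry $ck_n has no blank delimiter" >&2; return 1 ;;
        esac
    done < "$ck_file"
    return 0
}

# Typical use (cmexport itself is not run by this example):
#   cmexport_add_entry /export/home/lmsops/.cmexport admin    # type password, Enter
#   cmexport_check_file /export/home/lmsops/.cmexport &&
#     CMEXPORTFILE=/export/home/lmsops/.cmexport cmexport L2Topology -u admin -f file1.xml
```
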
Function-Specific Options
The following function-specific option is supported:
-f filename
If used with the:
• User Tracking function—Specifies the name of the file to which the user tracking information is to
be exported.
• Topology function—Specifies the name of the file to which the layer 2 topology information is to
be exported.
• Discrepancy function—Specifies the name of the file to which the discrepancy information is to be
exported.
Accessing Help
Enter the following in the CLI:
• cmexport -h: Displays a list of options for cmexport.
• cmexport command -h: Displays a list of options for the cmexport command.
On Solaris, you can also enter the following in the CLI:
man cmexport
<xs:complexType>
<xs:sequence>
<xs:element name="SubnetId" type="xs:string"/>
<xs:element name="UTData" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="UTData">
<xs:complexType>
<xs:sequence>
<xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="MACAddress" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="HostName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="IPAddress" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="IPv6Address" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PrefixLength" type="xs:string" minOccurs="0"
maxOccurs="1"/>
<xs:element name="Prefix" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="DeviceName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Device" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Port" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortState" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortDuplex" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortSpeed" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VTPDomain" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLANId" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLANType" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="trBRFVLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="SecondaryVlan" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Ring" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Bridge" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="LastSeen" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Notes" type="xs:string" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
</xs:sequence>
</xs:complexType>
</xs:element>
  <xs:element name="Device">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="DeviceName" type="xs:string"/>
        <xs:element name="IPAddress" type="xs:string"/>
        <xs:element name="DeviceState">
          <xs:simpleType>
            <xs:restriction base="xs:string">
              <xs:pattern value="Reachable"/>
              <xs:pattern value="UnReachable"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
        <xs:element name="DeviceType" type="xs:string"/>
        <xs:element ref="Neighbors" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Neighbors">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Neighbor" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Neighbor">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="NeighborIPAddress" type="xs:string"/>
        <xs:element name="NeighborDeviceType" type="xs:string"/>
        <xs:element name="Link" type="xs:string"/>
        <xs:element name="LocalPort" type="xs:string"/>
        <xs:element name="RemotePort" type="xs:string"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
• To invoke cmexport and utexport commands, the servlet requires a payload file that contains details
such as:
– User credentials
– The command you want to execute.
– Optional details such as log and debug options as inputs in XML format.
The servlet then parses the payload file encoded in XML, performs the operations, and returns the results
in XML format. You must create the payload file to include the input details and submit it when you ask
for servlet access.
Typically, servlet access is used when you need to use the data export feature from a client system.
To use DEE export features, you can write a script to upload the payload file and perform the data export
functions.
See the following sample scripts:
• Sample Perl Script (test.pl) to Access the Servlet
• Sample Java Code to Access the Servlet
For example, if you are using the script test.pl, you can invoke the servlet in either of these modes:
• HTTP Mode
• HTTPS Mode
HTTP Mode
• For Discrepancy and Layer 2 topology data export, enter:
perl test.pl http://campus-server:1741/campus/servlet/CMExportServlet payload.xml
HTTPS Mode
• For Discrepancy and Layer 2 topology data export, enter:
perl test.pl https://campus-server/campus/servlet/CMExportServlet payload.xml
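Sample Perl Script (test.pl) to Access the Servlet
use strict;
use warnings;
use LWP::UserAgent;
$| = 1;                          # flush output immediately
my ($url, $fname) = @ARGV;       # servlet URL and payload file
die "Usage: perl test.pl <servlet-url> <payload.xml>\n" unless defined $fname;
# Read the XML payload file into $str.
my $str = '';
open(my $fh, '<', $fname) or die "File open Failed $!";
$str .= $_ while <$fh>;
close($fh);
url_call($url);
# The body of url_call is not shown on this page; this minimal version posts
# the payload as text/xml (as the Java sample does) and prints the reply.
sub url_call {
    my ($target) = @_;
    my $ua  = LWP::UserAgent->new;
    my $res = $ua->post($target, 'Content-Type' => 'text/xml', Content => $str);
    if ($res->is_success) {
        print $res->decoded_content;
    } else {
        print "ERROR : ", $res->status_line, "\n";
    }
}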
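Sample Java Code to Access the Servlet
import java.io.*;
import java.net.*;
import java.nio.file.*;
class CMExportServletRun {
    // Assumed command line, mirroring test.pl: <servlet-url> <payload.xml>
    public static void main(String[] args) throws IOException {
        //opens connection to servlet
        HttpURLConnection con = (HttpURLConnection) new URL(args[0]).openConnection();
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-type", "text/xml");
        con.setDoOutput(true);
        con.setUseCaches(false);
        // send the XML payload as the request body
        try (OutputStream os = con.getOutputStream()) { os.write(Files.readAllBytes(Paths.get(args[1]))); }
        // print the servlet's XML response (transferTo needs Java 9 or later)
        try (InputStream is = con.getInputStream()) { is.transferTo(System.out); }
    }
}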
Payload File
The payload file is an XML file that contains inputs required for the DEE servlet to process requests for
data export. Schema for the payload XML file is given in Schema for Payload File.
Table C-8 describes the elements in the schema.
Element | Description
username | Cisco Prime user name.
password | Password for Cisco Prime username.
command | Command inside this tag can be ut_host, ut_phone, l2topology or discrepancy.
view | Optional. Use this option when you specify ut_host. It specifies the presentation of the User Tracking data in the hierarchical format with either switch or subnet as the root.
queryname | User Tracking host data is exported in XML format for the query provided in queryname. You can use this option when you specify ut_host.
layoutname | User Tracking host data is exported in XML format for the layout provided in layoutname. You can use this option when you specify ut_host.
queryphone | User Tracking phone data is exported in XML format for the query given in queryphone. You can use this option when you specify ut_phone.
layoutphone | User Tracking phone data is exported in XML format for the layout given in layoutphone. You can use this option when you specify ut_phone.
debug | Optional. Debug messages can be collected only if log file is specified in the log option. The debug level could be 1 or 2: 1 for basic debug information, 2 for detailed debug information.
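Because the payload carries the Cisco Prime user name and password, it is worth checking both the option combinations in Table C-8 and the transport before submitting it. The following is an added example, not Cisco code: the root element name payload, the flat child layout, the log element name and all sample values are assumptions, and the guide's Schema for Payload File remains the reference for the real structure.

```python
"""Added example: pre-flight checks for a DEE servlet payload (not Cisco code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

COMMANDS = {"ut_host", "ut_phone", "l2topology", "discrepancy"}
# Options that Table C-8 ties to one specific command.
ONLY_WITH = {
    "view": "ut_host", "queryname": "ut_host", "layoutname": "ut_host",
    "queryphone": "ut_phone", "layoutphone": "ut_phone",
}
# Serialization order; "log" is inferred from the description of debug.
ORDER = ["username", "password", "command", "view", "queryname", "layoutname",
         "queryphone", "layoutphone", "log", "debug"]


def validate(fields):
    """Return a list of problems; an empty list means the fields are consistent."""
    problems = []
    for required in ("username", "password", "command"):
        if not fields.get(required):
            problems.append(f"missing {required}")
    command = fields.get("command")
    if command and command not in COMMANDS:
        problems.append(f"unknown command {command!r}")
    for option, owner in ONLY_WITH.items():
        if option in fields and command != owner:
            problems.append(f"{option} is only valid with {owner}")
    if "debug" in fields:
        if str(fields["debug"]) not in ("1", "2"):
            problems.append("debug must be 1 or 2")
        if not fields.get("log"):
            problems.append("debug needs a log file")
    for name in fields:
        if name not in ORDER:
            problems.append(f"unexpected element {name!r}")
    return problems


def build_payload(fields, root_name="payload"):
    """Serialize validated fields; ElementTree escapes &, < and > in credentials."""
    problems = validate(fields)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.Element(root_name)          # root element name is an assumption
    for name in ORDER:
        if name in fields:
            ET.SubElement(root, name).text = str(fields[name])
    return ET.tostring(root, encoding="utf-8")


def check_transport(url):
    """The payload holds a cleartext password, so accept only HTTPS servlet URLs."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing to send credentials to {url!r}: not HTTPS")
    return parts.hostname


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"username": "exportuser", "password": "p&ss<word", "command": "ut_host",
              "view": "switch", "log": "export.log", "debug": 1}
    print(build_payload(sample).decode())
    print(check_transport("https://campus-server/campus/servlet/CMExportServlet"))
```

The HTTP mode URL shown earlier (port 1741) fails check_transport, which is the intended result when the payload contains live credentials.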
The Cisco Prime LMS Server provides some of the security controls necessary for a web-based network
management system. It also relies heavily on the end user’s own security measures and controls to
provide a secure computing environment for Cisco Prime applications.
The Cisco Prime LMS Server provides and requires three levels of security to be implemented to ensure
a secure environment:
• General Security—Partially implemented by the client components of Cisco Prime and by the
system administrator.
• Server Security—Partially implemented by the server components of Cisco Prime and by the system
administrator.
• Application Security—Implemented by the client and server components of the Cisco Prime
applications.
For more information on security related features, see Setting up Security.
The following sections describe the general and server security levels.
General Security
The Cisco Prime LMS Server provides an environment that allows the deployment of web-based network
management applications.
Web access provides an easy-to-use and easy-to-access computing model that is more difficult to secure
than the standard computing model that only requires a system login to execute applications.
The Cisco Prime LMS Server also provides security mechanisms (authentication and authorization) used
to prevent unauthenticated access to the Cisco Prime LMS Server and unauthorized access to Cisco
Prime applications and data.
However, Cisco Prime applications can change the behavior and security of your network devices.
Therefore, it is critical to limit access to applications and servers as follows:
• Limit access to personnel who need access to applications or the data that the applications provide.
• Limit Cisco Prime LMS Server logins to just the systems administrator.
• Limit connectivity access to the Cisco Prime LMS Server by putting it behind a firewall.
Server Security
The Cisco Prime LMS Server uses the basic security mechanisms of the operating system to protect the
code and data files that reside on the server. The following Cisco Prime LMS Server security control
elements apply:
• Server–Imposed Security
• System Administrator-Imposed Security
Server–Imposed Security
The Cisco Prime LMS Server has many dimensions, such as:
• Files, File Ownership, and Permissions
• Runtime
• Remote Connectivity
• Access to Systems Other Than the Cisco Prime LMS Server
• Access Control
Runtime
This describes the runtime activities.
• UNIX Systems—Typically Cisco Prime back-end processes are run with permissions set to the user
ID of the binary file.
For example, if user “Joe” owns an executable file, it will be run by the Cisco Prime daemon
manager under the user ID of “Joe”.
The exception is files owned by the root user ID. To prevent a potentially harmful program from
being run by the daemon manager with root permissions, the daemon manager will run only a
limited set of Cisco Prime programs that need root privilege.
This list is not documented to preclude any user from trying to impersonate these programs.
All back-end processes are run with a umask value of 027. This means that all files created by these
programs are created with permissions no broader than “rwxr-x---” (no write access for the group
and no access for others), with an owner and group of the user ID and group of the program that
created it. Typically this will be “casuser” and “group=casusers.”
Cisco Prime foreground processes (typically cgi-bin programs or servlets) are executed under the
control of the web server’s child processes or the servlet engine, which all run as the user casuser.
Cisco Prime uses standard UNIX tftp and rcp services. Cisco Prime also requires that user casuser
have access to the directories that these services read and write to.
The Cisco Prime LMS Server must allow the user casuser to run cron and at jobs to enable the
Resource Manager Essentials Software Management application to run image download jobs.
• Windows—Cisco Prime back-end processes are run with permissions set to the user casuser. Some
of the special Cisco Prime LMS Server processes are run as a service under the localsystem user ID.
These processes include:
– Daemon manager
– Web server
– Servlet engine
– Rcp/rsh service
– TFTP service
– Corba service
– Database engine
Cisco Prime foreground processes (typically cgi-bin programs or servlets) are run under the control
of the web server and the servlet engine that run as the user localsystem.
The local system user has special permissions on the local system but does not have network
permissions.
Cisco Prime provides several services for RCP and TFTP communication with devices. These services
are targeted for use by Cisco Prime applications, but can be used for purposes other than network
management.
The Cisco Prime Server uses the at command to run software update jobs for the Resource Manager
Essentials Software Image Manager application. Jobs run by the at command run with system-level
privileges.
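The umask value of 027 described for UNIX back-end processes can be turned into an audit: any file under the installation that carries a group-write bit or any permission for others was not created under that umask and deserves a look. The following is an added example, not part of the product; the function names and the sample directory layout are constructed for illustration.

```python
"""Added example: audit a directory tree against the umask 027 policy."""
import os
import stat
import tempfile

LMS_UMASK = 0o027   # value the guide states for back-end processes


def mode_after_umask(requested, umask=LMS_UMASK):
    """Permission bits actually granted when a process requests `requested`."""
    return requested & ~umask & 0o777


def find_violations(root, umask=LMS_UMASK):
    """Return {relative_path: mode string} for entries with bits the umask forbids."""
    violations = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                      # symlink permissions are not meaningful
            if stat.S_IMODE(st.st_mode) & umask:
                violations[os.path.relpath(path, root)] = stat.filemode(st.st_mode)
    return violations


def demo():
    """Build a constructed tree, then audit it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"job.log": 0o640, "export.xml": 0o644,
                  "run.sh": 0o750, "shared.cfg": 0o660}
        for name, mode in layout.items():
            path = os.path.join(root, name)
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
            os.chmod(path, mode)              # explicit, independent of our own umask
        return find_violations(root)


if __name__ == "__main__":
    print(oct(mode_after_umask(0o666)), oct(mode_after_umask(0o777)))
    for path, mode in sorted(demo().items()):
        print(mode, path)
```

Regular files are normally requested with mode 666, so under this umask they end up as rw-r-----; rwxr-x--- is the ceiling reached only by directories and executables.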
Remote Connectivity
The remote connectivity details for Windows and Solaris are:
• UNIX Systems—The Cisco Prime daemon manager only responds to requests to start, stop, register,
or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server.
• Windows Systems—The Cisco Prime daemon manager only responds to requests to start, stop,
register, or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server.
Access Control
The access control details are:
• UNIX Systems—The UNIX user casuser is a user ID that is not typically enabled for login.
Using this user ID as the user ID under which to install the Cisco Prime Server software simplifies
the installation process and ensures limited access to the Cisco Prime Server. This is because casuser
is not a valid login ID as there is no password assigned to it.
However, the casuser user on UNIX systems can perform system and possibly network-wide
operations that could be harmful to the system or the network.
• Windows Systems—The user casuser, created as part of the install process, has no special
permissions or considerations on a system, so it is a “safe” user ID under which to run the Cisco
Prime Server and application code. The localsystem user can perform harmful system operations.
However, although some of the back-end processes run under the localsystem user ID, that user ID
cannot perform network operations.
Note The system administrator should review and adopt the security recommendations in System
Administrator-Imposed Security.
Connection Security
The Cisco Prime LMS Server uses Secure Socket Layer (SSL) encryption to provide secure connection
between the client browser and management server, and Secure Shell (SSH) to provide secure access
between the management server and devices.
Security Certificates
Security certificates are similar to digital ID cards. They prove the identity of the server to clients.
Certificates are issued by Certificate Authorities (CAs) such as VeriSign® or Thawte.
A certificate vouches for the identity and key ownership of an individual, a computer system (or a
specific server running on that system), or an organization. It is a general term for a signed document.
Typically, certificates contain the following information:
• Subject public key value.
• Subject identifier information (such as the name and e-mail address).
• Validity period (the length of time that the certificate is considered valid).
• Issuer identifier information.
• The digital signature of the issuer. This attests to the validity of the binding between the subject
public key and the subject identifier information.
A certificate is valid only for the period of time specified within it. Every certificate contains Valid From
and Valid To dates, which are the boundaries of the validity period.
For example, a user's certificate verifies that the user owns a particular public key. The server certificate
for the server named myserver.cisco.com verifies that a specific public key belongs to this server.
Certificates can be issued for a variety of functions such as web user authentication, web server
authentication, secure e-mail (S/MIME), IP Security, Transport Layer Security (TLS), and code
signing.
Cisco Prime LMS Server supports security certificates for authenticating secure access between client
browser and management server.
Cisco Prime supports self-signed certificates and provides an option to create them.
For more information, see Creating Self Signed Certificates.
Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data
through privacy, authentication, and data integrity. It relies upon certificates, public keys, and private
keys.
Public and private keys are the ciphers used to encrypt and decrypt information. While the public key is
shared quite freely, the private key is never given out. Each public-private key pair works together. Data
encrypted with the public key can only be decrypted with the private key.
Secure Shell (SSH) is an application and a protocol that provide a secure replacement to the Berkeley
r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the application
can be used similarly to the Berkeley rexec and rsh tools.
Two versions of SSH are currently available: SSH Version 1 and SSH Version 2.
PKCS#8
Public-Key Cryptography Standards (PKCS) are a set of standards for public-key cryptography,
developed by RSA Laboratories in cooperation with an informal consortium, originally including Apple,
Microsoft, DEC, Lotus, Sun and MIT.
The PKCS have been cited by the OIW (OSI Implementers' Workshop) as a method for implementation
of OSI standards.
The PKCS are designed for binary and ASCII data; PKCS are also compatible with the ITU-T X.509
standard. The published standards are PKCS #1, #3, #5, #7, #8, #9, #10, #11, #12, and #15; PKCS #13
and #14 are currently being developed.
PKCS #8 describes a format for private key information. This information includes a private key for
some public-key algorithm, and optionally a set of attributes.
X.509 certificate format is an emerging certificate standard. It is part of the OSI group of standards.
X.509 certificates are very clearly defined using a notation called ASN.1 (Abstract Syntax Notation 1)
which specifies the precise kinds of binary data that make up the certificate.
ASN.1 can be encoded in many ways, but the emerging standard is an encoding called DER
(Distinguished Encoding Rules), which results in a compact binary certificate.
For e-mail exchange purposes the binary certificate is often Base64 encoded, resulting in an ASCII text
document whose body is enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Note Other certificate formats such as PKCS#7 have a similar appearance. Hence it is important that you
confirm with the CA the format of the certificate, and specifically request the Base64 Encoded
X.509 certificate format.
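Since PKCS#7, PKCS#8 and X.509 files all look alike once Base64 encoded, a quick check of the armor label and the DER framing tells them apart before a file is imported. The following is an added example, not part of the product: it checks only the label and the outer DER length, not the signature or validity period, and the sample blocks are constructed filler rather than real certificates.

```python
"""Added example: tell Base64 X.509 certificates from look-alike PEM files."""
import base64
import binascii
import re

KINDS = {
    "CERTIFICATE": "X.509 certificate",
    "PKCS7": "PKCS#7 container",
    "PRIVATE KEY": "PKCS#8 private key",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 encrypted private key",
}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def der_sequence_ok(der):
    """True if the bytes are one DER SEQUENCE whose declared length fits exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                          # short form: length in one byte
        header, length = 2, first
    else:                                     # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def classify_pem(text):
    """Return [(label, kind, framing_ok)] for every PEM block found in text."""
    results = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            der = b""                         # corrupted Base64 fails the framing check
        results.append((label, KINDS.get(label, "unrecognized"), der_sequence_ok(der)))
    return results


def is_base64_x509(text):
    """True only if every block is labelled CERTIFICATE and is well framed."""
    blocks = classify_pem(text)
    return bool(blocks) and all(label == "CERTIFICATE" and ok for label, _, ok in blocks)


def make_pem(label, der):
    """Wrap DER bytes in PEM armor with 64-character lines (for the samples below)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed DER: a SEQUENCE header declaring 300 content bytes plus 300 zero bytes.
FAKE_DER = b"\x30\x82\x01\x2c" + bytes(300)
SAMPLES = {
    "x509": make_pem("CERTIFICATE", FAKE_DER),
    "pkcs7": make_pem("PKCS7", FAKE_DER),
    "truncated": make_pem("CERTIFICATE", FAKE_DER[:200]),   # e.g. a partial copy and paste
}

if __name__ == "__main__":
    for name, pem in SAMPLES.items():
        print(name, classify_pem(pem), is_base64_x509(pem))
```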
Certificate Authority
A certificate authority (CA) is an authority in a network that issues and manages security credentials and
public keys for message encryption.
As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify
information provided by the requestor of a digital certificate. If the RA verifies the requestor's
information, the CA then issues a certificate.
Cisco Prime TrustStore or KeyStore is the location where Cisco Prime maintains the list of Certificates
that it trusts.
The KeyStore location is:
• NMSROOT\MDC\Apache\conf\ssl (on Windows)
• NMSROOT/MDC/Apache/conf/ssl (on Solaris/Soft Appliance)
This appendix lists the commands that need to be run on each device to enable
MAC Notification traps.
This appendix contains the following:
• Overview of Dynamic Updates
• Configuring Switches With MAC Notification Commands
• Device Operating System Version-Specific Commands
• List of Commands to Enable MAC Notification Traps on Devices
Step 1 Choose Admin > Trust Management > Multi Server > System Identity Setup.
Step 2 Re-enter the password for the System Identity user.
Ensure that the System Identity User user name and password are valid under Admin >
System > User Management > Local User Setup as well.
See the section Understanding Dynamic Updates in User Tracking and Dynamic Updates for more
information.
Device Family | Device Type | SysOID | Global Command Set | Interface Command Set | OS Version
default | - | - | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | -
C3750-STACK | - | - | mac address-table notification change:mac address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | -
C3750-STACK | C3750-STACK | 1.3.6.1.4.1.9.1.516 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750-STACK | 1.3.6.1.4.1.9.1.516 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750-STACK | 1.3.6.1.4.1.9.1.516 | mac address-table notification change:mac address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification change added:snmp trap mac-notification change removed | 12.2(52)SE
C3750-STACK | NME16ES1GP | 1.3.6.1.4.1.9.1.663 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | NME16ES1GP | 1.3.6.1.4.1.9.1.663 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | NME16ES1GP | 1.3.6.1.4.1.9.1.702 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | NME16ES1GP | 1.3.6.1.4.1.9.1.702 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | NMEX23ES1GP | 1.3.6.1.4.1.9.1.664 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | NMEX23ES1GP | 1.3.6.1.4.1.9.1.664 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | NMEXD24ES1SP | 1.3.6.1.4.1.9.1.665 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | NMEXD24ES1SP | 1.3.6.1.4.1.9.1.665 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | NMEXD48ES2SP | 1.3.6.1.4.1.9.1.666 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | NMEXD48ES2SP | 1.3.6.1.4.1.9.1.666 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.574 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.574 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.589 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.589 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.590 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.590 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.591 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.591 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.592 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.592 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.688 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3550-24ME | 1.3.6.1.4.1.9.1.688 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750-24P | 1.3.6.1.4.1.9.1.536 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750-24P | 1.3.6.1.4.1.9.1.536 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.530 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.530 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.511 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.511 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.512 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.512 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.513 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.513 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.514 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.514 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.535 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.535 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.602 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.602 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.603 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.603 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750P | 1.3.6.1.4.1.9.1.604 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750P | 1.3.6.1.4.1.9.1.604 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.624 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1)
C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.624 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE)
| C3750-STACK | C3750 | 1.3.6.1.4.1.9.1.656 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1) |
|  |  |  | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [12.1(19)EA1,12.2(46)SE) |
| C3550 | - | - | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | C3550-24 | 1.3.6.1.4.1.9.1.366 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C3550-48 | 1.3.6.1.4.1.9.1.367 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
| C3550 | C3550-12T | 1.3.6.1.4.1.9.1.368 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C3550-12G | 1.3.6.1.4.1.9.1.431 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C3550-24FX | 1.3.6.1.4.1.9.1.453 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C3550-24DC | 1.3.6.1.4.1.9.1.452 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C3550-24PWR | 1.3.6.1.4.1.9.1.485 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
| C3550 | C3560-24PS | 1.3.6.1.4.1.9.1.563 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C3560-48PS | 1.3.6.1.4.1.9.1.564 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C3560G-24PS | 1.3.6.1.4.1.9.1.614 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C3560G-24TS | 1.3.6.1.4.1.9.1.615 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C3560G-48PS | 1.3.6.1.4.1.9.1.616 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
| C3550 | C3560G-48TS | 1.3.6.1.4.1.9.1.617 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C3560E | 1.3.6.1.4.1.9.1.930 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | C3560E | 1.3.6.1.4.1.9.1.956 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | C3560E | 1.3.6.1.4.1.9.1.1015 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
| C3550 | 3000 | 1.3.6.1.4.1.9.1.909 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | 3000 | 1.3.6.1.4.1.9.1.910 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | 3000 | 1.3.6.1.4.1.9.1.911 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | 3000 | 1.3.6.1.4.1.9.1.912 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
| C3550 | 3000 | 1.3.6.1.4.1.9.1.918 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | 3000 | 1.3.6.1.4.1.9.1.919 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | 3000 | 1.3.6.1.4.1.9.1.920 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | 3000 | 1.3.6.1.4.1.9.1.921 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
| C3550 | 3000 | 1.3.6.1.4.1.9.1.922 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | 3000 | 1.3.6.1.4.1.9.1.947 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | 3000 | 1.3.6.1.4.1.9.1.948 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | 3000 | 1.3.6.1.4.1.9.1.949 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
| C3550 | 3000 | 1.3.6.1.4.1.9.1.999 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | 3000 | 1.3.6.1.4.1.9.1.1000 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | 3000 | 1.3.6.1.4.1.9.1.1001 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | 3000 | 1.3.6.1.4.1.9.1.1002 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
| C3550 | C3000IE | 1.3.6.1.4.1.9.1.958 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | C3000IE | 1.3.6.1.4.1.9.1.959 | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
| C3500XL | - | - | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | C3508GXL | 1.3.6.1.4.1.9.1.246 | - | - | - |
|  | C3512XL | 1.3.6.1.4.1.9.1.247 | - | - | - |
|  | C3524XL | 1.3.6.1.4.1.9.1.248 | - | - | - |
|  | C3548XL | 1.3.6.1.4.1.9.1.278 | - | - | - |
|  | C3524PWRXL | 1.3.6.1.4.1.9.1.287 | - | - | - |
| C2970 | - | - | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | C2970G-24T | 1.3.6.1.4.1.9.1.527 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1) |
|  | C2970G-24TS | 1.3.6.1.4.1.9.1.561 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1) |
|  | 371098-001 | 1.3.6.1.4.1.11.2.3.7.11.33.3.1.1 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1) |
|  | ME-3400G-12CS-D | 1.3.6.1.4.1.9.1.781 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1) |
| C2970 | ME-3400G-12CS-A | 1.3.6.1.4.1.9.1.780 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1) |
|  | C2960-24TC-S | 1.3.6.1.4.1.9.1.928 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1) |
|  | ME-3400G-2CS-A | 1.3.6.1.4.1.9.1.825 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(19)EA1) |
|  | C2960G-48TC-L | 1.3.6.1.4.1.9.1.697 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | 12.2(35)SE5 |
| C2970 | ME-3400 | 1.3.6.1.4.1.9.1.1007 | - | - | - |
|  | ME-3400 | 1.3.6.1.4.1.9.1.1008 | - | - | - |
|  | ME-3400 | 1.3.6.1.4.1.9.1.1009 | - | - | - |
|  | C2960 | 1.3.6.1.4.1.9.1.929 | - | - | - |
|  | C2960 | 1.3.6.1.4.1.9.1.927 | - | - | - |
|  | C2960 | 1.3.6.1.4.1.9.1.1005 | - | - | - |
|  | C2960 | 1.3.6.1.4.1.9.1.1006 | - | - | - |
|  | C2960 | 1.3.6.1.4.1.9.1.950 | - | - | - |
|  | C2960 | 1.3.6.1.4.1.9.1.951 | - | - | - |
|  | C2960 | 1.3.6.1.4.1.9.1.952 | - | - | - |
|  | C2975 | 1.3.6.1.4.1.9.1.1067 | - | - | - |
|  | C2975 | 1.3.6.1.4.1.9.1.1068 | - | - | - |
| C2900XL | - | - | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | C2908XL | 1.3.6.1.4.1.9.1.170 | - | - | - |
| C2900XL | C2924XL | 1.3.6.1.4.1.9.1.183 | - | - | - |
|  | C2924CXL | 1.3.6.1.4.1.9.1.184 | - | - | - |
|  | C2924XLV | 1.3.6.1.4.1.9.1.217 | - | - | - |
|  | C2924CXLV | 1.3.6.1.4.1.9.1.218 | - | - | - |
|  | C2912XL | 1.3.6.1.4.1.9.1.219 | - | - | - |
|  | C2924MXL | 1.3.6.1.4.1.9.1.220 | - | - | - |
|  | C2912MFXL | 1.3.6.1.4.1.9.1.221 | - | - | - |
|  | C2924XL-LRE | 1.3.6.1.4.1.9.1.369 | - | - | - |
|  | C2912XL-LRE | 1.3.6.1.4.1.9.1.370 | - | - | - |
| C2950 | - | - | mac address-table notification:mac address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | C2950-12 | 1.3.6.1.4.1.9.1.323 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C2950-24 | 1.3.6.1.4.1.9.1.324 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
| C2950 | C2950C-24 | 1.3.6.1.4.1.9.1.325 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C2950T-24 | 1.3.6.1.4.1.9.1.359 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C2950G-24 | 1.3.6.1.4.1.9.1.428 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C2950G-12 | 1.3.6.1.4.1.9.1.427 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C2950G-48 | 1.3.6.1.4.1.9.1.429 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
| C2950 | C2950G-24DC | 1.3.6.1.4.1.9.1.472 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C2950-24SX | 1.3.6.1.4.1.9.1.480 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C2955C-12 | 1.3.6.1.4.1.9.1.489 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C2955S-12 | 1.3.6.1.4.1.9.1.508 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C2955T-12 | 1.3.6.1.4.1.9.1.488 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
| C2950 | C2950ST-8LRE | 1.3.6.1.4.1.9.1.483 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C2950ST-24LRE | 1.3.6.1.4.1.9.1.482 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C2940-8TT | 1.3.6.1.4.1.9.1.540 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C2940-8TF | 1.3.6.1.4.1.9.1.542 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
|  | C2950-48SX | 1.3.6.1.4.1.9.1.560 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
| C2950 | CIGESM-18TT | 1.3.6.1.4.1.9.1.592 | mac-address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | [,12.1(11)EA1) |
| C6000 | - | - | set cam notification enable:set snmp trap enable macnotification:set snmp trap HOST COMMUNITY version TRAPVERSION port PORT | set cam notification added enable INTERFACE:set cam notification removed enable INTERFACE | - |
|  | C6006 | 1.3.6.1.4.1.9.5.38 | - | - | - |
|  | C6009 | 1.3.6.1.4.1.9.5.39 | - | - | - |
|  | C6509 | 1.3.6.1.4.1.9.5.44 | - | - | - |
|  | C6506 | 1.3.6.1.4.1.9.5.45 | - | - | - |
|  | C6509SP | 1.3.6.1.4.1.9.5.47 | - | - | - |
|  | C6513 | 1.3.6.1.4.1.9.5.50 | - | - | - |
|  | C6503 | 1.3.6.1.4.1.9.5.56 | - | - | - |
| C6000-IOS | - | - | mac-address-table notification change:mac-address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification change added:snmp trap mac-notification change removed | - |
| C6000-IOS | catalyst6000IOS | 1.3.6.1.4.1.9.1.657 | - | - | - |
|  | catalyst6006IOS | 1.3.6.1.4.1.9.1.280 | - | - | - |
|  | catalyst6009IOS | 1.3.6.1.4.1.9.1.281 | - | - | - |
|  | Cisco C6506-IOS | 1.3.6.1.4.1.9.1.282 | - | - | - |
|  | catalyst6509IOS | 1.3.6.1.4.1.9.1.283 | - | - | - |
|  | catalyst6509spIOS | 1.3.6.1.4.1.9.1.310 | - | - | - |
|  | catalyst6513IOS | 1.3.6.1.4.1.9.1.400 | - | - | - |
|  | ciscoWSC6503 | 1.3.6.1.4.1.9.1.449 | - | - | - |
|  | ciscoWSC6509neba | 1.3.6.1.4.1.9.1.534 | - | - | - |
|  | catalyst6509VE | 1.3.6.1.4.1.9.1.832 | - | - | - |
|  | Cisco C6503-IOS | 1.3.6.1.4.1.9.1.449 | - | - | - |
| C4000 | - | - | set cam notification enable:set snmp trap enable macnotification:set snmp trap HOST COMMUNITY port PORT | set cam notification added enable INTERFACE:set cam notification removed enable INTERFACE | - |
|  | C4003 | 1.3.6.1.4.1.9.5.40 | - | - | - |
|  | C4912G | 1.3.6.1.4.1.9.5.41 | - | - | - |
|  | C2948G | 1.3.6.1.4.1.9.5.42 | - | - | - |
|  | C4006 | 1.3.6.1.4.1.9.5.46 | - | - | - |
|  | C2980G | 1.3.6.1.4.1.9.5.49 | - | - | - |
|  | C2980G-A | 1.3.6.1.4.1.9.5.51 | - | - | - |
|  | C4503 | 1.3.6.1.4.1.9.5.58 | - | - | - |
|  | C4506 | 1.3.6.1.4.1.9.5.59 | - | - | - |
|  | C2948G-GE-TX | 1.3.6.1.4.1.9.5.62 | - | - | - |
| C4000-IOS | - | - | mac-address-table notification change:mac-address-table notification change interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification change added:snmp trap mac-notification change removed | - |
|  | cisco4000 | 1.3.6.1.4.1.9.1.448 | - | - | - |
|  | cisco4900M | 1.3.6.1.4.1.9.1.917 | - | - | - |
|  | cisco4948 | 1.3.6.1.4.1.9.1.626 | - | - | - |
|  | cisco4948-10GE | 1.3.6.1.4.1.9.1.659 | - | - | - |
|  | cisco4948-10GE | 1.3.6.1.4.1.9.1.875 | - | - | - |
|  | cisco4948-10GE | 1.3.6.1.4.1.9.1.877 | - | - | - |
|  | cisco4948-10GE | 1.3.6.1.4.1.9.1.874 | - | - | - |
|  | cisco4948-10GE | 1.3.6.1.4.1.9.1.876 | - | - | - |
|  | C4506-IOS | 1.3.6.1.4.1.9.1.502 | mac address-table notification change:mac address-table notification change interval 15:snmp-server enable traps mac-notification:snmp-server host HOST version 1 COMMUNITY udp-port 1431 mac-notification | snmp trap mac-notification change added:snmp trap mac-notification change removed | 12.2(53)SG |
C4900ME mac-address-table snmp trap
notification:mac-address-tabl mac-notification
-
e notification interval change
15:snmp-server enable traps added:snmp trap
MAC-Notification:snmp-ser mac-notification
ver host HOST version change removed
TRAPVERSION
COMMUNITY udp-port
PORT mac-notification
C4900ME 1.3.6.1.4.1.9.1.788 - - -
| C2400ME | - | - | mac address-table notification:mac-address-table notification interval 15:snmp-server enable traps MAC-Notification:snmp-server host HOST version TRAPVERSION COMMUNITY udp-port PORT mac-notification | snmp trap mac-notification added:snmp trap mac-notification removed | - |
|  | C2400ME | 1.3.6.1.4.1.9.1.735 | - | - | - |
|  | C2350 | 1.3.6.1.4.1.9.1.1104 | - | - | - |
This appendix provides the recommended best practices for increasing the disk space and system
performance. It contains the following topics:
• Basic Server and Client Requirements
• Best Practices to Reclaim Disk Space Using Purging Method
• Best Practices for Improving System Performance
• Best Practices for Performing Server Reboot
• Backing Up Data
• Handling Custom Telnet Prompts
• Best Practices for Software Image Upgrade
• FAQ
Note To avoid restarting daemons, ensure that device packages, point patches, and software updates are up to date before the network goes down for planned downtime.
Purging Databases
To reclaim disk space by purging your system’s database:
• Set the Syslog Purge Settings so that syslog records do not pile up in the database. To set the Syslog Purge Settings:
– Enable the Syslog Backup Settings by navigating to Admin > Network > Purge Settings > Syslog Backup Settings.
– Set the purge policy date and schedule a job on a daily or weekly basis by navigating to Admin > Network > Purge Settings > Syslog Purge Settings.
– Perform a force purge job by navigating to Admin > Network > Purge Settings > Syslog Force Purge.
• Run the DBSpaceReclaimer tool after performing the force purge job to reclaim disk space to a greater extent:
– Open RMEDebugToolsReadme.txt from NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\debugtools, where NMSROOT is the Cisco Prime installation directory.
– Refer to the Syslog DBSpaceReclaimer Tool section in the RMEDebugToolsReadme.txt file and execute the Perl script DBSpaceReclaimer.pl. For more details, refer to Syslog Administrative Tasks.
In Device Performance Management, if the size of the database remains the same after purging, the
following steps should be performed to reclaim disk space:
• For Windows:
– Stop the daemon using the net stop crmdmgtd command.
– Enter dbunload -c "uid=DBA;pwd=<<password>>;dbf=<<upm_database_location>>" -ar
For example: dbunload -c "uid=DBA;pwd=admin;dbf=C:\Progra~2\CSCOpx\databases\upm\upm.db" -ar
Note Ensure that the file /opt/CSCOpx/databases/upm/upm.db has permission as: -rw------- 1 casuser
casusers upm.db. You can change the permissions using the following commands:
• chmod 600 upm.db
• chown casuser:casusers upm.db
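The permission requirement in the note above can be verified before the daemons are started again. The script below is an added example, not part of the Cisco guide: the function names file_attrs and check_db_file are hypothetical, and it assumes a stat command that accepts either the GNU -c or the BSD -f format option.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): audit the UPM database file against
# the attributes the note requires: mode 600, owner casuser, group casusers.

# Print "MODE OWNER GROUP" for a file (GNU stat first, BSD stat as fallback).
file_attrs() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1" 2>/dev/null
}

# check_db_file PATH [OWNER] [GROUP]
# Returns 0 if compliant, 1 if mode/owner/group differ, 2 if the path is unusable.
check_db_file() {
    db=$1
    want_owner=${2:-casuser}
    want_group=${3:-casusers}
    want_mode=600

    # A symlink would redirect a later chmod/chown to another file, so reject it.
    if [ -L "$db" ] || [ ! -f "$db" ]; then
        echo "ERROR: $db is missing, a symlink, or not a regular file" >&2
        return 2
    fi

    attrs=$(file_attrs "$db") || { echo "ERROR: cannot stat $db" >&2; return 2; }
    # Split the three space-separated fields with parameter expansion.
    mode=${attrs%% *}
    rest=${attrs#* }
    owner=${rest%% *}
    group=${rest#* }

    rc=0
    if [ "$mode" != "$want_mode" ]; then
        echo "FAIL mode $mode (want $want_mode): chmod $want_mode $db"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL owner $owner:$group (want $want_owner:$want_group): chown $want_owner:$want_group $db"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK $db mode=$mode owner=$owner:$group"
    fi
    return "$rc"
}

# Stand-alone use: sh audit_upm.sh /opt/CSCOpx/databases/upm/upm.db
if [ "$#" -gt 0 ]; then
    check_db_file "$@"
    exit $?
fi
```

A non-zero exit status means the file does not match the note; the FAIL lines print the chmod or chown command from the guide that corrects it.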
Purging Jobs
You can configure LMS to periodically purge job data that you no longer need. This is done using Job Purge. For more details, refer to Performance Purge Jobs.
Refer to the following links to configure the purge settings for all modules in LMS:
• Purging Reports Jobs and Archived Reports
• Purging VRF Management Reports Jobs and Archived Reports
Note You can view the status of all the LMS admin-related jobs in Job Browser. For more details, refer to Using Job Browser.
Purging Archives
Purging archives frees disk space and keeps your archive at a manageable size. For more details, refer to Purging Configurations from the Configuration Archive.
Note Log files can expand and fill up disk space. You can control log file disk usage by deleting unwanted log files from the Cisco Prime installation directory. For more details, refer to Maintaining Log Files. Log files can also be maintained by using the logrot functionality. For more details, refer to Configuring Log Files Rotation. Log file rotation can also be scheduled. For more details, refer to Scheduling Log Files Rotation.
Note All collections must be scheduled so that they do not conflict with each other.
Note The UI performance of the application client can be improved by using device groups when executing application tasks, especially when a single server is managing a large number of devices.
Step 2 Change the startup type of the Daemon Manager to manual in the Windows Services Control Panel.
Step 3 Update the software on the server or reload the server.
Step 4 Change the startup type of the Daemon Manager to automatic once the server comes up.
Step 5 Enter the following command to start the Daemon Manager and wait until all the services come up.
net start crmdmgtd
Note Do not restart the Daemon Manager while major collections such as DC, UT, Inventory, or Config are running, to avoid database corruption.
Note If you want to reboot the Windows, Solaris, or VM server, you must do so only after stopping the daemons. You must not reboot the server while the daemons are running.
Backing Up Data
Data should be backed up regularly, on a daily/weekly basis, to avoid data loss. To schedule
system backups at regular intervals, select Admin > System > Backup. For more details, refer to Backing
Up Data.
Consider the following points when backing up data:
• While scheduling or triggering a backup, if the backup time conflicts with any JRM job time (jobs
that are scheduled between backup time +/- one hr), an error pops up displaying a list of job IDs.
Similarly, when scheduling or triggering a JRM job, if the JRM job schedule time conflicts with any
backup time (backups that are scheduled between JRM job time +/- one hr), an error pops
up displaying a list of backup times that run around the same schedule as the JRM job.
• If you want to back up Config on a daily basis, the shadow directory option can be used.
Note DiskWatcher is a back-end process that monitors disk space availability on the LMS Server. This process
calculates the disk space information of the drive (on Windows) or file system (on Solaris/Soft
Appliance) where Cisco Prime applications are installed, and stores it in the diskWatcher.log file. For
more details, refer to Configuring Disk Space Threshold Limit.
Note You should never back up data to the Cisco Prime installation directories, such as NMSROOT for
Windows and /opt/CSCOpx for Soft Appliance and Solaris, or to /var/adm/CSCOpx.
FAQ
Q. How can I exclude messages from Syslog Analyzer instead of performing a force purge?
A. Instead of reclaiming the disk space by performing a force purge, you can create Filters to either
drop or keep the syslog messages. For a detailed procedure, go to
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.0/user/guide/admin/useNotif.html#wp1074735
Example:
CSCOpx/objects/smarts/bin/sm_tpmgr --server=DFM --sizes
To control the CPU or memory usage of sm_server processes, use the following approaches:
• Unmanage the components that need not be monitored by DFM from Detailed Device View. To
manage or unmanage an interface or a port in DFM, follow the steps given below:
Step 6 To manage the Interface or Port, set the Managed State to True, and to unmanage the Interface or Port,
set it to False.
Step 7 Click Submit.
Step 8 Go to Monitor > Fault Settings > Setup > Apply Changes and click Yes to apply the changes to the fault engine.
• Reduce the number of network adapters being discovered in DFM by filtering the components which
need not be monitored.
You can prevent the DFM discovery process from discovering a particular type of interface or port by
adding an IFDescrPattern or IFTypePattern in CSCOpx\objects\smarts\conf\discovery\tpmgr-param.conf.
The file itself contains instructions for creating patterns. After modifying the tpmgr-param.conf file,
you need to restart the daemon manager and rediscover the devices in DFM.
Examples:
IFDescrPattern-.1.3.6.1.4.1.9.1.110 ~EFXS*|~*POTS*|~*Bearer*|~FXO*|~FXS*|~Voice*|~Foreign*
In this example, DFM discovery will not discover interfaces with a description starting with EFXS,
containing POTS, containing Bearer, starting with FXO, starting with FXS, starting with Voice or
starting with Foreign for devices having sysObjectId .1.3.6.1.4.1.9.1.110.
IFTypePattern-.1.3.6.1.4.1.164.6.1.3.83 ~80~81~82
In this example, DFM discovery will not discover ATMLogical (80), DS0 (81) and DS0Bundle (82)
for devices having sysObjectId .1.3.6.1.4.1.164.6.1.3.83.
IFTypePattern-SwitchPort.1.3.6.1.4.1.9.12.3.1.3.380 ~56
In this example, DFM discovery will not discover Fibre Channel (56) ports for devices having
sysObjectId .1.3.6.1.4.1.9.12.3.1.3.380.
• Adjust the polling interval with proper values from LMS Polling Parameter Settings Screen.
• To reduce the number of traps received by the LMS server, fine-tune the trap configuration on the
devices so that only the traps that need to be monitored are sent to the LMS server.
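The following is an added example, not code from the Cisco guide or from DFM, that evaluates the three tpmgr-param.conf pattern lines quoted above against a constructed interface inventory, so that the monitoring gap an exclusion creates can be reviewed before the daemon manager is restarted. It assumes the semantics described on this page (`~` marks an exclusion, `|` separates description wildcards) and case-sensitive matching; parse_patterns, is_excluded, excluded and the inventory rows are hypothetical names and data.

```python
import re
from fnmatch import fnmatchcase

# The three pattern lines quoted on this page, one key/value pair per line.
PAGE_PATTERNS = """\
IFDescrPattern-.1.3.6.1.4.1.9.1.110 ~EFXS*|~*POTS*|~*Bearer*|~FXO*|~FXS*|~Voice*|~Foreign*
IFTypePattern-.1.3.6.1.4.1.164.6.1.3.83 ~80~81~82
IFTypePattern-SwitchPort.1.3.6.1.4.1.9.12.3.1.3.380 ~56
"""

# Key = pattern kind, optional component name (e.g. SwitchPort), sysObjectId.
# Assumption: the component name is ignored when matching in this sketch.
KEY_RE = re.compile(r"^(IFDescrPattern|IFTypePattern)-[A-Za-z]*(\.[0-9.]+)$")

def parse_patterns(text):
    """Return {kind: {sysObjectId: [excluded globs or ifType numbers]}}."""
    rules = {"IFDescrPattern": {}, "IFTypePattern": {}}
    for line in text.splitlines():
        parts = line.split(None, 1)
        match = KEY_RE.match(parts[0]) if len(parts) == 2 else None
        if not match:
            continue  # blank line, comment, or an unrelated parameter
        kind, oid = match.groups()
        if kind == "IFDescrPattern":
            tokens = [t.strip() for t in parts[1].split("|")]
            items = [t[1:] for t in tokens if t.startswith("~")]
        else:
            items = [int(t) for t in parts[1].split("~") if t.strip()]
        rules[kind].setdefault(oid, []).extend(items)
    return rules

def is_excluded(rules, sys_oid, if_descr, if_type):
    """True if either pattern kind for this sysObjectId excludes the interface."""
    globs = rules["IFDescrPattern"].get(sys_oid, [])
    if any(fnmatchcase(if_descr, g) for g in globs):
        return True
    return if_type in rules["IFTypePattern"].get(sys_oid, [])

def excluded(rules, inventory):
    """Return the inventory rows that discovery would skip."""
    return [row for row in inventory if is_excluded(rules, *row)]

# Constructed inventory rows: (sysObjectId, ifDescr, ifType).
INVENTORY = [
    (".1.3.6.1.4.1.9.1.110", "GigabitEthernet0/1", 6),
    (".1.3.6.1.4.1.9.1.110", "FXS 1/0/0", 102),
    (".1.3.6.1.4.1.9.1.110", "Serial0/0:23-Bearer Channel", 81),
    (".1.3.6.1.4.1.164.6.1.3.83", "FXS 1/0/0", 6),
    (".1.3.6.1.4.1.164.6.1.3.83", "ds0 channel 4", 81),
    (".1.3.6.1.4.1.9.12.3.1.3.380", "fc1/1", 56),
    (".1.3.6.1.4.1.9.12.3.1.3.380", "mgmt0", 6),
]

if __name__ == "__main__":
    for oid, descr, if_type in excluded(parse_patterns(PAGE_PATTERNS), INVENTORY):
        print(f"not monitored: {oid} {descr} (ifType {if_type})")
```

Each pattern is keyed by sysObjectId, so the same FXS description is excluded on one device type and still discovered on another.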